Standards, Environments, and Macros                      zones(5)



NAME
     zones - Solaris application containers

DESCRIPTION
     The zones facility in Solaris provides an isolated
     environment for running applications. Processes running in a
     zone are prevented from monitoring or interfering with other
     activity in the system. Access to other processes, network
     interfaces, file systems, devices, and inter-process
     communication facilities is restricted to prevent interaction
     between processes in different zones.

     The privileges available within a  zone  are  restricted  to
     prevent    operations    with    system-wide   impact.   See
     privileges(5).

     You can configure and administer zones with the zoneadm(1M)
     and zonecfg(1M) utilities. You can specify the configuration
     details of a zone, install file system contents including
     software packages into the zone, and manage the runtime
     state of the zone. You can use zlogin(1) to run commands
     within an active zone. You can do this without logging in
     through a network-based login server such as in.rlogind(1M)
     or sshd(1M).

     The autobooting of zones is  enabled  and  disabled  by  the
     zones service, identified by the FMRI:

          svc:/system/zones:default


     See zoneadm(1M). Note that a zone has an autoboot property,
     which can be set to true (always autoboot). However, if the
     zones service is disabled, autoboot will not occur,
     regardless of the setting of the autoboot property for a
     given zone. See zonecfg(1M).

     An alphanumeric name and numeric  ID  identify  each  active
     zone.   Alphanumeric   names   are   configured   using  the
     zonecfg(1M) utility. Numeric IDs are automatically  assigned
     when the zone is booted. The zonename(1) utility reports the
     current zone name, and the zoneadm(1M) utility can  be  used
     to report the names and IDs of configured zones.

     A zone can be in one of several states:

     CONFIGURED              Indicates that the configuration for
                             the zone has been completely
                             specified and committed to stable
                             storage.





SunOS 5.10          Last change: 20 Jan 2006                    1









     INCOMPLETE              Indicates that the zone is in the
                             midst of being installed or
                             uninstalled, or was interrupted in
                             the midst of such a transition.

     INSTALLED               Indicates that the zone's
                             configuration has been instantiated
                             on the system: packages have been
                             installed under the zone's root
                             path.

     READY                   Indicates that the "virtual
                             platform" for the zone has been
                             established. Network interfaces have
                             been plumbed, file systems have been
                             mounted, devices have been
                             configured, but no processes
                             associated with the zone have been
                             started.

     RUNNING                 Indicates that user processes
                             associated with the zone application
                             environment are running.

     SHUTTING_DOWN           Indicates that the zone is being
     DOWN                    halted. The zone can become stuck in
                             one of these states if it is unable
                             to tear down the application
                             environment state (such as mounted
                             file systems) or if some portion of
                             the virtual platform cannot be
                             destroyed. Such cases require
                             operator intervention.




  Process Access Restrictions
     Processes running inside a zone (aside from the global zone)
     have restricted access to other processes. Only processes in
     the same zone are visible through /proc (see proc(4)) or
     through system call interfaces that take process IDs such as
     kill(2) and priocntl(2). Attempts to access processes that
     exist in other zones (including the global zone) fail with
     the same error code that would be issued if the specified
     process did not exist.
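
     The following C program is an added example, not part of the
     original man page. It shows what a caller can learn from
     kill(2) with signal 0: inside a non-global zone, a process in
     another zone yields the same ESRCH result as a PID that names
     no process, so the two cases cannot be told apart. The helper
     names (probe_pid, make_dead_pid) are illustrative.

```c
/* Added example: what kill(pid, 0) lets a caller learn about a PID. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_VISIBLE,   /* process exists and the caller may signal it */
    PROBE_DENIED,    /* EPERM: process exists, permission refused */
    PROBE_NOT_FOUND, /* ESRCH: no such process OR it is in another zone */
    PROBE_ERROR      /* invalid argument or unexpected errno */
};

/* Signal 0 delivers nothing; only the existence and permission
 * checks run. PIDs <= 0 address process groups, so reject them. */
enum probe_result probe_pid(pid_t pid)
{
    if (pid <= 0)
        return PROBE_ERROR;
    if (kill(pid, 0) == 0)
        return PROBE_VISIBLE;
    switch (errno) {
    case EPERM: return PROBE_DENIED;
    case ESRCH: return PROBE_NOT_FOUND;
    default:    return PROBE_ERROR;
    }
}

/* Constructed input: fork a child, reap it, and return its PID,
 * which now names no process. Returns -1 on failure. */
pid_t make_dead_pid(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid < 0 || waitpid(pid, NULL, 0) != pid)
        return -1;
    return pid;
}

int main(void)
{
    static const char *names[] = { "visible", "denied", "not found", "error" };
    printf("own pid:    %s\n", names[probe_pid(getpid())]);
    printf("reaped pid: %s\n", names[probe_pid(make_dead_pid())]);
    return 0;
}
```

     Monitoring code that runs inside a non-global zone should
     therefore treat "not found" as "not in this zone", not as
     proof that the process is absent from the system.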






  Privilege Restrictions
     Processes running within a non-global zone are restricted to
     a  subset  of  privileges, in order to prevent one zone from
     being able to perform operations  that  might  affect  other
     zones.  The  set  of  privileges  limits the capabilities of
     privileged users (such  as  the  super-user  or  root  user)
     within  the  zone. The list of privileges available within a
     zone can be displayed using the ppriv(1) utility.  For  more
     information about privileges, see privileges(5).

  Device Restrictions
     The set of devices available within a zone is restricted, to
     prevent   a  process  in  one  zone  from  interfering  with
     processes in other zones. For example, a process in  a  zone
     should  not be able to modify kernel memory using /dev/kmem,
     or modify the contents of the root disk. Thus,  by  default,
     only  a  few pseudo devices considered safe for use within a
     zone are available. Additional devices can be made available
     within specific zones using the zonecfg(1M) utility.

     The device and  privilege  restrictions  have  a  number  of
     effects  on the utilities that can run in a non-global zone.
     For example, the eeprom(1M),  prtdiag(1M),  and  prtconf(1M)
     utilities  do  not work in a zone since they rely on devices
     that are not normally available.

  File Systems
     Each zone has its own section of the file system hierarchy,
     rooted at a directory known as the zone root. Processes
     inside the zone can access only files within that part of
     the hierarchy, that is, files that are located beneath the
     zone root. This prevents processes in one zone from
     corrupting or examining file system data associated with
     another zone. The chroot(1M) utility can be used within a
     zone, but can only restrict the process to a root path
     accessible within the zone.

     In order to preserve file system space, sections of the file
     system  can  be  mounted  into  one  or more zones using the
     read-only option of the lofs(7FS) file system.  This  allows
     the  same  file  system data to be shared in multiple zones,
     while preserving the security guarantees supplied by zones.

     NFS and autofs mounts established within a zone are local to
     that zone; they cannot be accessed from other zones,
     including the global zone. The mounts are removed when the
     zone is halted or rebooted.

  Networking
     Zones can be assigned logical network interfaces, which can
     be used to communicate over the network. These interfaces
     are configured using the zonecfg(1M) utility. The interface
     is removed when the zone is halted or rebooted. Only logical
     interfaces can be assigned to a zone.

ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|


SEE ALSO
     zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
     zoneadm(1M), zonecfg(1M), getzoneid(3C), kill(2),
     priocntl(2), ucred_get(3C), proc(4), attributes(5),
     privileges(5), crgetzoneid(9F)



































