
J.E.D.I.

1 Solaris Zones
1.1 Objectives

In this section, we discuss Solaris Zones. We begin with what Solaris Zones are and what
advantages running services in zones brings to a system. The chapter then walks through the
commands needed to create a basic zone. Finally, we end the chapter with some of the commonly
used options for zones.
At the end of the lesson, the student should be able to:

explain what Solaris Zones are

create a basic zone

be familiar with some advanced commands for zone creation

1.2 Introduction

1.2.1 Definition

A zone is a virtualized operating system environment created within a single instance of the
Solaris OS. In essence, it is a "computer within a computer": a complete working virtual system
that runs on top of the physical system and shares its kernel.

1.2.2 Typical use of Zones

Zones allow multiple separate Solaris environments to exist independently of one another on a
single computer, which is very advantageous in certain situations. Consider an office that
requires a web server, a database server, a development server, a mail server and a file
server. This company usually has two options:

Option 1: One computer per service. A company taking this option has no choice but to
procure five computers.

Option 2: Put all of these services on a single computer, or more than one service per
computer. With this option there are bound to be configuration problems, particularly if
some of the services conflict with one another.

Zones allow for a third option. Each service can be installed in its own standalone Solaris
environment, all of them running on a single physical computer. This combines the best of both
worlds. First, there is no longer any need to buy multiple computers, as zones provide virtual
computers running on a single system. Second, as each service exists in its own standalone
environment, there is no longer any need to worry about configuration conflicts. A service can
be installed in a zone that is configured precisely to that service's needs.

1.2.3 Advantages

Zones provide the following advantages:

1.2.3.1 Security

If a network service runs within a zone, an attacker who exploits a vulnerability in that
service to gain access to the system only gets access to that zone, and any damage is limited
to it. Reaching another zone more or less means breaking into a second computer altogether,
even though both zones run on a single physical computer. The limit of this guarantee is the
kernel: all zones share the global zone's kernel, so a kernel vulnerability reachable from
inside a zone, or a directory shared read-write with the global zone, is a way out of it.
Operating Systems

J.E.D.I.

A zone can have different users from other zones. The global system administrator can choose
to give users access only to specific services rather than to the entire system.
Zones also add a second level of administration, the zone superuser, who has administrative
rights only within a specific zone. This lets the global system administrator (the superuser
of the global zone) delegate zone administration to other users while keeping the ability to
make systemwide changes; the reverse does not hold, since root in a non-global zone cannot
affect the global zone or other zones.

1.2.3.2 Isolation

Zones run in isolation and are not aware of the existence of other zones. Processes in one
zone therefore cannot influence processes in another: they cannot see them, signal them or
trace them. Zone configuration is relevant only to that zone and does not affect other zones.
An application running in a zone gets an environment designed specifically for it, without
having to worry about the configuration details of anything else on the machine.

1.2.3.3 Virtualization

The configuration of the global zone is irrelevant to a non-global zone, which has its own
custom virtual environment. This environment can even be copied to different machines, so a
zone can present the same environment on machines with different configurations.

1.2.3.4 Granularity

There are many options for setting the isolation level of a zone. A zone can be given its own
CPU, memory and disk space, or share these resources with other zones without being aware
that any sharing takes place.

1.2.3.5 Environment

An application does not need to be recompiled to work in a zone: Solaris provides the same
libraries and interfaces in every zone. The only restrictions are a few privileges withheld
from processes in a non-global zone so that they cannot make systemwide changes from inside it.
An application is also unaffected by the existence of other zones and is practically unaware
of them; zones are designed so that, from the application's point of view, it is running alone
on a standalone basic install of Solaris.

1.2.4 Two types of zones

There are two types of zones in Solaris: the global zone and non-global zones.
The global zone is the default installation of Solaris. All systemwide administration is done
from this zone, and it is the only zone that is aware of all the other zones running on the
system. Zone administration is done from here.
Non-global zones are the additional zones that are set up from the global zone and run on top
of it. A non-global zone is unaware of the existence of other zones, so zone management is not
possible from a non-global zone.
The superuser in the global zone can be considered the global superuser, able to make
systemwide changes, including changes that affect other zones. The superuser in a non-global
zone can only administer that specific zone.

1.2.5 Zoning Taskmap

If you want to set up zones on your computer, you need to do the following tasks:
1. Identify the applications you want to run in a zone.
2. Determine how many zones to configure (a system supports a maximum of 8192 zones, but
fewer is better).
3. Determine whether a zone requires advanced resource management features.
4. Perform pre-configuration steps such as deciding a zone's IP address, hostname, users for
that zone, etc.
5. Write the zone configuration using the zonecfg command.
6. Set up and install the zone.
7. Boot the zone using the zoneadm command.
8. Log in to the zone using zlogin and customize each zone according to your initial plan.

1.3 Configuring a Basic Zone

This section provides a walkthrough on how to configure a basic Solaris zone. We will show the
commands necessary to do this as well as provide more information about zones as the setup
proceeds.

1.3.1 Starting up zonecfg

Zone configuration is done with the zonecfg command. Zones can only be configured from the
global zone, so first log in there as the superuser and run:
# zonecfg -z myfirstzone
The -z option gives the name of the zone you want to configure (in this case, myfirstzone).
After running this command, the screen shows the zonecfg prompt:
zonecfg:myfirstzone>
This means that zonecfg is running and ready to accept commands. Configuring a zone means
running zonecfg commands, and as the prompt indicates, these commands will be applied to
myfirstzone.
There are two zonecfg modes (the zonecfg manual page calls them scopes):
1. Global mode. Commands run in global mode set attributes of the zone as a whole, such as
where the zone is to be installed or whether the zone is to boot automatically at startup.
2. Resource mode. Commands run in resource mode describe one resource of the zone, such as a
file system or a network interface.
Setting up a zone means switching between these two modes, running commands that set zone
attributes and commands that describe zone resources. When zonecfg starts, it is in global
mode.

1.3.2 Basic zone configuration

The following listing shows the commands needed to set up myfirstzone. The succeeding
sections discuss these commands part by part.


zonecfg:myfirstzone> create
zonecfg:myfirstzone> set zonepath=/export/home/myfirstzone
zonecfg:myfirstzone> set autoboot=true
zonecfg:myfirstzone> add fs
zonecfg:myfirstzone:fs> set dir=/usr/local
zonecfg:myfirstzone:fs> set special=/opt/local
zonecfg:myfirstzone:fs> set type=lofs
zonecfg:myfirstzone:fs> end
zonecfg:myfirstzone> add net
zonecfg:myfirstzone:net> set address=192.168.0.1/24
zonecfg:myfirstzone:net> set physical=hme0
zonecfg:myfirstzone:net> end
zonecfg:myfirstzone> add attr
zonecfg:myfirstzone:attr> set name=comment
zonecfg:myfirstzone:attr> set type=string
zonecfg:myfirstzone:attr> set value="my first zone"
zonecfg:myfirstzone:attr> end
zonecfg:myfirstzone> verify
zonecfg:myfirstzone> commit
zonecfg:myfirstzone> exit

1.3.3 Creating a zone configuration

You start a zone configuration with the create command:
zonecfg:myfirstzone> create
If the zone name you gave to zonecfg does not exist yet, zonecfg tells you so and asks you to
run create. The plain create command starts from the default template; this is what gives the
zone the inherited /lib, /platform, /sbin and /usr directories described in section 1.3.6.

1.3.4 Setting the zone's root directory

The root directory of a zone lives in a subdirectory of the global zone's file system. You
specify it with the set zonepath command:
zonecfg:myfirstzone> set zonepath=/export/home/myfirstzone
The above command tells zonecfg that the root directory of myfirstzone will be placed in
/export/home/myfirstzone. The directory does not have to exist beforehand; zoneadm install
creates it. If it does exist, it must be owned by root with mode 700, otherwise zoneadm refuses
to verify or install the zone. The mode matters for security: everything inside the zone,
including its /etc/shadow, is reachable from the global zone through this directory, so it must
not be readable by ordinary users there.

1.3.5 Autoboot

The set autoboot command specifies whether the zone is to start automatically when the global
zone boots.
zonecfg:myfirstzone> set autoboot=true
If this is not set, the zone has to be booted manually with the zoneadm command, which is
discussed later.

1.3.6 Zone filesystem

By default, certain directories of the global zone are inherited by non-global zones in order
to give the zone a working system. The inherit-pkg-dir directories (/lib, /platform, /sbin and
/usr) are not copied into the zone. What the zone gets is a read-only loopback mount of these
directories from the global zone. This saves disk space, and it also means that any change to
these directories in the global zone, such as a patch, is immediately reflected in the
non-global zone's file system. The zone cannot modify them, so an intruder in the zone cannot
replace system binaries either.
To add additional file systems, you can use the add fs command:
zonecfg:myfirstzone> add fs
The add fs command switches mode from global mode to resource mode. As was stated
before, resource mode means that additional commands specified here are used to describe a
resource for the zone. The zonecfg prompt also changes to show that you are currently editing
a file system resource.
zonecfg:myfirstzone> add fs
zonecfg:myfirstzone:fs>

1.3.7 Add filesystem

The following are the commands to set a filesystem resource for myfirstzone:
zonecfg:myfirstzone> add fs
zonecfg:myfirstzone:fs> set dir=/usr/local
zonecfg:myfirstzone:fs> set special=/opt/local
zonecfg:myfirstzone:fs> set type=lofs
zonecfg:myfirstzone:fs> end
The set special command specifies which directory in the global zone is to be added. This
directory is placed in the zone's file system at the directory given by set dir. In our
example, /opt/local in the global zone appears as /usr/local in myfirstzone.
The set type command indicates the file system type the directory is to be mounted as. The
file system type tells the kernel how to handle this directory. The loopback virtual file
system (lofs) means that the mounted directory is the same directory as in the global file
system, only accessed through a different path. This is similar to the inherit-pkg-dir
directories, except that the mount is read-write unless you say otherwise.
Because of this, any change made to the global directory is also reflected in the zone
directory, and the reverse holds too. For our example, if a file were added to /opt/local in
the global zone, then /usr/local in myfirstzone would also change; and a file written to
/usr/local from inside the zone lands in the global zone's /opt/local. A writable shared
directory is therefore a path across the zone boundary. If the zone only needs to read the
directory, add the mount option ro inside the fs resource (add options ro) so the zone gets it
read-only.
Note that /opt/local in the global zone must be an existing directory.
To end the file system configuration, we have the end command:
zonecfg:myfirstzone:fs> end
zonecfg:myfirstzone>
This changes zonecfg back to global mode as indicated by the prompt change. You can now set
additional configurations. You can even add additional file systems via more add fs commands.

1.3.8 Adding a network

A zone can have its own IP address. There is no need for an additional network interface for
every new IP address: the address is configured as a logical interface on the global zone's
network card, and the global zone's IP stack handles routing for it. Because the interface
belongs to the global zone, the non-global zone cannot change its own address. You set the
address with the add net command.
The following is the sequence of instructions to set up myfirstzone's network.


zonecfg:myfirstzone> add net
zonecfg:myfirstzone:net> set address=192.168.0.1/24
zonecfg:myfirstzone:net> set physical=hme0
zonecfg:myfirstzone:net> end

Our example sets myfirstzone's IP address to 192.168.0.1 with a /24 netmask (255.255.255.0).
This address is bound to the first network card, hme0 (the name may differ on your system;
ifconfig -a in the global zone shows the available cards).

1.3.9 Zone Description

The last resource specification is the add attr command, which we use to attach a comment to
our zone. An attr resource needs a name, a type and a value; for a comment the name is comment.
zonecfg:myfirstzone> add attr
zonecfg:myfirstzone:attr> set name=comment
zonecfg:myfirstzone:attr> set type=string
zonecfg:myfirstzone:attr> set value="my first zone"
zonecfg:myfirstzone:attr> end

1.3.10 Finalizing our configuration

The last commands finish the configuration.
zonecfg:myfirstzone> verify
zonecfg:myfirstzone> commit
zonecfg:myfirstzone> exit
The verify command checks that the zone configuration is complete and consistent (for example,
that the zonepath is set and every resource has the properties it needs) and reports any errors
it finds. The commit command saves the zone configuration; commit also refuses a configuration
that does not verify. Note that the zone is still not installed, only its configuration is
stored. Finally the exit command leaves zonecfg.
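The interactive session above can also be driven from a command file with zonecfg -z myfirstzone -f file, which is how you keep a zone's configuration under version control or repeat it on several hosts. The following shell script is an added example and not part of the course material: it checks that an existing zonepath has the permissions zoneadm insists on and generates the command file for the configuration built in this section. The function names, the /tmp output location and the sample values are this example's own assumptions; the one deliberate change from the session above is that the lofs mount is made read-only (add options ro) and the attr resource carries the name=comment that zonecfg requires.

```shell
#!/bin/sh
# Added example (not from the course): pre-check the zonepath and generate a
# zonecfg command file for "zonecfg -z NAME -f FILE". Function names, sample
# values and the /tmp output location are assumptions of this example.

# zonepath_mode_ok DIR
# zoneadm verify/install refuse an existing zonepath that is not owned by
# root with mode 700. This checks the mode bits via ls -ld, which works on
# Solaris and Linux alike; the trailing '+' or '.' some systems append for
# ACLs is tolerated. Returns 0 when the mode is drwx------.
zonepath_mode_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | awk '{print $1}')
    case "$perms" in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_zone_config ZONEPATH GLOBALDIR ZONEDIR ADDRESS NIC COMMENT
# Prints the zonecfg commands for the configuration built in this section.
# Differences from the interactive session: the lofs mount gets "add options
# ro" so the zone cannot write into the global zone's directory, and the
# attr resource carries the name=comment that zonecfg requires.
gen_zone_config() {
    zonepath=$1; gdir=$2; zdir=$3; addr=$4; nic=$5; comment=$6
    cat <<EOF
create
set zonepath=$zonepath
set autoboot=true
add fs
set dir=$zdir
set special=$gdir
set type=lofs
add options ro
end
add net
set address=$addr
set physical=$nic
end
add attr
set name=comment
set type=string
set value="$comment"
end
verify
commit
EOF
}

# main NAME ZONEPATH: write /tmp/NAME.zonecfg and show the command to apply it.
main() {
    name=$1; zonepath=$2
    if [ -e "$zonepath" ] && ! zonepath_mode_ok "$zonepath"; then
        echo "error: $zonepath exists but is not mode 700; zoneadm install will refuse it" >&2
        return 1
    fi
    file=/tmp/$name.zonecfg
    gen_zone_config "$zonepath" /opt/local /usr/local 192.168.0.1/24 hme0 "my first zone" > "$file"
    echo "wrote $file; as root in the global zone run:"
    echo "  zonecfg -z $name -f $file"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as sh mkzone.sh myfirstzone /export/home/myfirstzone and then apply the printed zonecfg command as root. The generated file ends with verify and commit, and commit refuses to store a configuration that does not verify, so a typo in the file leaves nothing behind.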

1.3.11 Removing attributes

If you made mistakes in the configuration of a zone, you can use the remove command. It has
two forms, depending on the current zonecfg mode.
In global mode, remove <resource-type> removes a whole resource. For example, the following
command removes our comment:
zonecfg:myfirstzone> remove attr
In resource mode, remove <property-name> <property-value> removes one element of that resource
description. For example, we can remove our IP address with the following command; note that
you have to be inside the net resource to do this.
zonecfg:myfirstzone:net> remove address=192.168.0.1/24
The same form is used to remove global attributes. The following example removes the autoboot
attribute:
zonecfg:myfirstzone> remove autoboot=true
In practice, a simple property is usually corrected by setting it again (set autoboot=false),
and a resource with several wrong properties is easiest to remove as a whole and add again.
Any change to the configuration has to be committed again before it takes effect.

1.3.12 Additional zonecfg commands

To view the configuration of a zone, use the info command, which prints the current
configuration in readable form, or the export command, which prints it as the zonecfg commands
that would recreate it (useful for copying a configuration to another system).
zonecfg includes a help command. Typing help lists all the commands, while help <command>
displays help for the specified command.

1.4 Zoneadm

The zoneadm command is used to administer zones. It takes subcommands which say what to do
with the zone named by the -z option. This section discusses these subcommands, and which ones
to use to continue our basic zone setup.

1.4.1 Installing and booting

Once a zone has been configured, we can install it with the zoneadm command, run as root from
the global zone:
# zoneadm -z myfirstzone install
The system now begins to install myfirstzone, showing on screen which packages are being copied
into the new zone. Before installing, you can run zoneadm -z myfirstzone verify, which checks
the zonepath and the configuration without installing anything.
After the install has finished, you can boot the zone with the following zoneadm command:
# zoneadm -z myfirstzone boot
If you did not set the autoboot property, this is the command you use to boot the zone each
time.

1.4.2 Listing zones

Listing zones is done with the list subcommand of zoneadm. With no options it lists only
running zones; -c includes zones in every state (configured and installed as well), and -v
gives the verbose columns. A zone that is not running has no ID yet and shows "-" in that
column:
# zoneadm list -cv
  ID NAME          STATUS      PATH
   0 global        running     /
   - myfirstzone   installed   /export/home/myfirstzone
Status can be one of the following values:

Configured: the zone has been configured with zonecfg but has not been installed yet.

Incomplete: an install or uninstall is in progress (or was interrupted).

Installed: the zone has been installed but is not running (no virtual platform assigned to
the zone).

Ready: the zone has been assigned a virtual platform and is ready to accept user processes.

Running: the zone is running with user processes.

Shutting down: the zone is currently being shut down.


1.4.3 Additional zoneadm commands

zoneadm -z myfirstzone halt stops the zone immediately, without running its shutdown scripts,
and returns it to the installed state

zoneadm -z myfirstzone reboot reboots the zone

zoneadm -z myfirstzone uninstall removes the zone's installation (the zone must not be
running; it returns to the configured state)

zoneadm -z myfirstzone delete removes the zone configuration (the zone must be in the
configured state)

1.5 Logging in

At this stage, myfirstzone's installation is still not complete. To complete it, connect to the
zone's console with
# zlogin -C myfirstzone
The -C option gives a console login, which is the only way to interact with a zone while it is
booting and before a login service is running inside it. Once the zone is fully up, you can log
in with plain zlogin myfirstzone.
The first time the zone boots, you are asked for information about the system, much like the
dialogs you encountered during Solaris installation: system language, zone host name, root
password (for the zone administrator) and so on. Once this dialog has been completed, the zone
finishes booting and can accept user logins.
At this stage, log in to the zone and do the additional customization: add zone users, install
additional programs and set up the required services for that zone.

1.6 Removing a zone

Run the following commands in order to delete a zone completely.
Shut down the zone, either from inside it:
# zlogin myfirstzone shutdown
or from the global zone with zoneadm -z myfirstzone halt (immediate, no shutdown scripts).
Remove the zone installation (-F skips the confirmation prompt):
# zoneadm -z myfirstzone uninstall -F
Finally, delete the zone configuration:
# zoneadm -z myfirstzone delete -F
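Putting the state list from section 1.4.2 and the removal sequence together, the following shell script is an added example, not part of the course: it reads a zone's state from the parsable output of zoneadm list -pc and runs only the steps the zone still needs (a zone that is merely configured has nothing to halt or uninstall), and refuses to act on the global zone. The record format it assumes (zoneid:zonename:state as the first three colon-separated fields) is what zoneadm -p prints; the sample output embedded in the script is constructed, and the ZONEADM variable exists only so the script can be dry-run through a wrapper instead of the real command.

```shell
#!/bin/sh
# Added example, not part of the course text: read a zone's state from the
# parsable output of "zoneadm list -pc" and tear a zone down using only the
# steps its current state still needs. zoneadm -p prints one colon-separated
# record per zone whose first three fields are zoneid:zonename:state (later
# fields such as zonepath, uuid and brand vary by Solaris release and are
# ignored). ZONEADM may be pointed at a wrapper for a dry run.

ZONEADM=${ZONEADM:-zoneadm}

# Constructed sample of "zoneadm list -pc" output (not captured from a real
# system): a zone that is not running shows "-" as its id.
SAMPLE_LIST='0:global:running:/
1:webzone:running:/export/home/webzone
-:myfirstzone:installed:/export/home/myfirstzone
-:devzone:configured:/export/home/devzone'

# zone_state NAME: reads zoneadm -p records on stdin and prints the state of
# NAME ("absent", with exit status 1, if there is no such record).
zone_state() {
    awk -F: -v zone="$1" '
        $2 == zone { print $3; found = 1; exit }
        END { if (!found) { print "absent"; exit 1 } }'
}

# teardown_zone NAME: halt -> uninstall -F -> delete -F, skipping the steps
# the zone is already past. Refuses to touch the global zone.
teardown_zone() {
    zone=$1
    if [ "$zone" = global ]; then
        echo "refusing to tear down the global zone" >&2
        return 1
    fi
    state=$($ZONEADM list -pc | zone_state "$zone") || {
        echo "$zone: no such zone" >&2
        return 1
    }
    case "$state" in
        running|shutting_down|ready)
            # halt drops the zone straight to the installed state
            $ZONEADM -z "$zone" halt || return 1 ;;
    esac
    case "$state" in
        running|shutting_down|ready|installed|incomplete)
            $ZONEADM -z "$zone" uninstall -F || return 1 ;;
    esac
    # whatever is left is a configured zone: remove its configuration
    $ZONEADM -z "$zone" delete -F
}

if [ $# -gt 0 ]; then teardown_zone "$1"; fi
```

Run as root in the global zone with sh rmzone.sh myfirstzone. To see what it would do without touching anything, point ZONEADM at a shell function or script that prints its arguments and answers list with a copy of your own zoneadm list -pc output.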
