System Administration Guide: Solaris Containers-Resource Management and Solaris Zones

Non-Global Zone State Model

A non-global zone can be in one of the following six states:

Configured	The zone's configuration is complete and committed to stable storage. However, those elements of the zone's application environment that must be specified after initial boot are not yet present.
Incomplete	During an install or uninstall operation, `zoneadm` sets the state of the target zone to incomplete. Upon successful completion of the operation, the state is set to the correct state. A damaged installed zone can be marked incomplete by using the `mark` subcommand of `zoneadm`. Zones in the incomplete state are shown in the output of `zoneadm` `list` `-iv`.
Installed	The zone's configuration is instantiated on the system. The `zoneadm` command is used to verify that the configuration can be successfully used on the designated Solaris system. Packages are installed under the zone's root path. In this state, the zone has no associated virtual platform.
Ready	The virtual platform for the zone is established. The kernel creates the `zsched` process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.
Running	User processes associated with the zone application environment are running. The zone enters the running state as soon as the first user process associated with the application environment (`init`) is created.
Shutting down and Down	These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.

Chapter 20, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks) and the zoneadm(1M) man page describe how to use the zoneadm command to initiate transitions between these states.

Table 16-1 Commands That Affect Zone State

Current Zone State	Applicable Commands
Configured	`zonecfg` `-z` zonename `verify` `zonecfg` `-z` zonename `commit` `zonecfg` `-z` zonename `delete` `zoneadm` `-z` zonename `attach` `zoneadm` `-z` zonename `verify` `zoneadm` `-z` zonename `install` `zoneadm` `-z` zonename `clone` You can also use `zonecfg` to rename a zone in the configured or installed state.
Incomplete	`zoneadm` `-z` zonename `uninstall`
Installed	`zoneadm` `-z` zonename `ready` (optional) `zoneadm` `-z` zonename `boot` `zoneadm` `-z` zonename `uninstall` uninstalls the configuration of the specified zone from the system. `zoneadm` `-z` zonename `move` path `zoneadm` `-z` zonename `detach` `zonecfg` `-z` zonename can be used to add or remove a `fs`, `dataset`, `device`, `net`, `attr`, or `rctl` property. You can also rename a zone in the installed state. The `zonepath` and `inherit-pkg-dir` resources cannot be changed.
Ready	`zoneadm` `-z` zonename `boot` `zoneadm` `halt` and system reboot return a zone in the ready state to the installed state. `zonecfg` `-z` zonename can be used to add or remove a `fs`, `dataset`, `device`, `net`, `attr`, or `rctl` property. The `zonepath` and `inherit-pkg-dir` resources cannot be changed.
Running	`zlogin` options `zonename` `zoneadm` `-z` zonename `reboot` `zoneadm` `-z` zonename `halt` returns a ready zone to the installed state. `zoneadm` `halt` and system reboot return a zone in the running state to the installed state. `zonecfg` `-z` zonename can be used to add or remove a `fs`, `dataset`, `device`, `net`, `attr`, or `rctl` property. The `zonepath` and `inherit-pkg-dir` resources cannot be changed.

Note - Parameters changed through zonecfg do not affect a running zone. The zone must be rebooted for the changes to take effect.

Non-Global Zone Characteristics

A zone provides isolation at almost any level of granularity you require. A zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can either be multiplexed across a number of zones running within a single domain or system, or allocated on a per-zone basis using the resource management features available in the operating system.

Each zone can provide a customized set of services. To enforce basic process isolation, a process can see or signal only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone at least one logical network interface. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

Files used by naming services reside within a zone's own root file system view. Thus, naming services in different zones are isolated from one other and the services can be configured differently.

Using Resource Management Features With Non-Global Zones

If you use resource management features, you should align the boundaries of the resource management controls with those of the zones. This alignment creates a more complete model of a virtual machine, where namespace access, security isolation, and resource usage are all controlled.

Any special requirements for using the various resource management features with zones are addressed in the individual chapters of this manual that document those features.

Features Provided by Non-Global Zones

Non-global zones provide the following features:

Security	Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones. Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole.
Isolation	Zones allow the deployment of multiple applications on the same machine, even if those applications operate in different trust domains, require exclusive access to a global resource, or present difficulties with global configurations. For example, multiple applications running in different zones on the same system can bind to the same network port by using the distinct IP addresses associated with each zone or by using the wildcard address. The applications are also prevented from monitoring or intercepting each other's network traffic, file system data, or process activity.
Virtualization	Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from applications. The same application environment can be maintained on different physical machines. The virtualized environment allows separate administration of each zone. Actions taken by a zone administrator in a non-global zone do not affect the rest of the system.
Granularity	A zone can provide isolation at almost any level of granularity. See Non-Global Zone Characteristics for more information.
Environment	Zones do not change the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, zones provide the standard Solaris interfaces and application environment, with some restrictions. The restrictions primarily affect applications that attempt to perform privileged operations. Applications in the global zone run without modification, whether or not additional zones are configured.

Setting Up Zones on Your System (Task Map)

The following table provides a basic overview of the tasks that are involved in setting up zones on your system for the first time.

Task	Description	For Instructions
Identify the applications that you would like to run in zones.	Review the applications running on your system: Determine which applications are critical to your business goals. Assess the system needs of the applications you are running.	Refer to your business goals and to your system documentation if necessary.
Determine how many zones to configure.	Assess: The performance requirements of the applications you intend to run in zones The availability of the recommended 100 MB of free disk space per zone to be installed	See Evaluating the Current System Setup.
Determine whether you will use resource management features such as resource pools with your zone to create a container.	If you are also using resource management features on your system, align the zones with the resource management boundaries. Create projects and configure resource management features, such as resource pools, before you configure zones. Note that you can add zone-wide resource controls and pool functionality to a zone quickly by using `zonecfg` properties.	See How to Configure the Zone, Chapter 1, Introduction to Solaris Resource Manager, and Chapter 13, Creating and Administering Resource Pools (Tasks).
Perform the preconfiguration tasks.	Determine the zone name and the zone path, obtain IP addresses, and determine the required file systems and devices for each zone. Determine the scheduling class for the zone. Determine the set of privileges that processes inside the zone should be limited to, if the standard default set is not sufficient.	For information on the zone name and path, IP addresses, file systems, devices, scheduling class, and privileges, see Chapter 17, Non-Global Zone Configuration (Overview) and Evaluating the Current System Setup. For a listing of default privileges and privileges that can be configured in a non-global zone, see Privileges in a Non-Global Zone.
Develop configurations.	Configure non-global zones.	See Configuring, Verifying, and Committing a Zone and the `zonecfg`(1M) man page.
As global administrator, verify and install configured zones.	Zones must be verified and installed prior to login.	See Chapter 19, About Installing, Halting, and Uninstalling Non-Global Zones (Overview) and Chapter 20, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks).
As global administrator, boot the non-global zones.	Boot each zone to place the zone in the running state.	See Chapter 19, About Installing, Halting, and Uninstalling Non-Global Zones (Overview) and Chapter 20, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks).
As global administrator, perform the initial internal configuration of the zone.	Place a `sysidcfg` file in the zone's `/etc` directory or log in to each non-global zone using the `zlogin` command with the `-C` option and enter the requested information, including assigning the zone root password.	See Chapter 21, Non-Global Zone Login (Overview) and Chapter 22, Logging In to Non-Global Zones (Tasks).
Prepare the new zone for production use.	Create user accounts, add additional software, and customize the zone's configuration.	Refer to the documentation you use to set up a newly installed machine. Special considerations applicable to a system with zones installed are covered in this guide.