To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone
To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.
Using IP Security Architecture in Zones
The Internet Protocol Security Architecture (IPsec), which provides IP datagram protection, is described in Chapter 19, "IP Security Architecture (Overview)," in System Administration Guide: IP Services. The Internet Key Exchange (IKE) protocol is used to manage the required keying material for authentication and encryption automatically.
IPsec can be used in the global zone. However, IPsec in a non-global zone cannot use IKE. Therefore, you must manage the IPsec keys and policy for the non-global zones by running the ipseckey and ipsecconf commands from the global zone. Use the source address that corresponds to the non-global zone that you are configuring.
For more information, see the ipsecconf(1M) and ipseckey(1M) man pages.
Using Solaris Auditing in Zones
Solaris auditing is described in Chapter 27, "Solaris Auditing (Overview)," in System Administration Guide: Security Services. For zones considerations associated with auditing, see the following sections:
Chapter 28, "Planning for Solaris Auditing," in System Administration Guide: Security Services
"Auditing and Solaris Zones" in System Administration Guide: Security Services
An audit record describes an event, such as logging in to a system or writing to a file. The record is composed of tokens, which are sets of audit data. By using the zonename token, you can configure Solaris auditing to identify audit events by zone. Use of the zonename token allows you to produce the following information:
Audit records that are marked with the name of the zone that generated the record
An audit log for a specific zone that the global administrator can make available to the zone administrator
Configuring Audit in the Global Zone
Solaris audit trails are configured in the global zone. Audit policy is set in the global zone and applies to processes in all zones. The audit records can be marked with the name of the zone in which the event occurred. To include zone names in audit records, you must edit the /etc/security/audit_startup file before you install any non-global zones. The zone name selection is case-sensitive.
To configure auditing in the global zone to include all zone audit records, add this line to the /etc/security/audit_startup file:
/usr/sbin/auditconfig -setpolicy +zonename |
As the global administrator in the global zone, execute the auditconfig utility:
global# auditconfig -setpolicy +zonename |
For additional information, see the audit_startup(1M) and auditconfig(1M) man pages and "Configuring Audit Files (Task Map)" in System Administration Guide: Security Services.
Configuring User Audit Characteristics in a Non-Global Zone
When a non-global zone is installed, the audit_control file and the audit_user file in the global zone are copied to the zone's /etc/security directory. These files might require modification to reflect the zone's audit needs.
For example, each zone can be configured to audit some users differently from others. To apply different per-user preselection criteria, both the audit_control and the audit_user files must be edited. The audit_user file in the non-global zone might also require revisions to reflect the user base for the zone if necessary. Because each zone can be configured differently with regard to auditing users, it is possible for the audit_user file to be empty.
For additional information, see the audit_control(4) and audit_user(4) man pages.
Providing Audit Records for a Specific Non-Global Zone
By including the zonename token as described in Configuring Audit in the Global Zone, Solaris audit records can be categorized by zone. Records from different zones can then be collected by using the auditreduce command to create logs for a specific zone.
For more information, see the audit_startup(1M) and auditreduce(1M) man pages.
Core Files in Zones
The coreadm command is used to specify the name and location of core files produced by abnormally terminating processes. Core file paths that include the zonename of the zone in which the process executed can be produced by specifying the %z variable. The path name is relative to a zone's root directory.
For more information, see the coreadm(1M) and core(4) man pages.
Running DTrace in a Non-Global Zone
DTrace programs that only require the dtrace_proc and dtrace_user privileges can be run in a non-global zone. To add these privileges to the set of privileges available in the non-global zone, use the zonecfg limitpriv property. For instructions, see How to Configure the Zone.
The providers supported through dtrace_proc are fasttrap and pid. The providers supported through dtrace_user are profile and syscall. DTrace providers and actions are limited in scope to the zone.
Also see Privileges in a Non-Global Zone for more information.
About Backing Up a Solaris System With Zones Installed
You can perform backups in individual non-global zones, or back up the entire system from the global zone.
Backing Up Loopback File System Directories
Because many non-global zones share files with the global zone through the use of loopback file system read-only mounts (usually /usr, /lib, /sbin, and /platform), you must use a global zone backup method to back up lofs directories.
Caution - Do not back up the lofs file systems in non-global zones. An attempt by the non-global administrator to restore lofs file systems from a non-global zone could cause a serious problem.
Backing Up Your System From the Global Zone
You might choose to perform your backups from the global zone in the following cases:
You want to back up the configurations of your non-global zones as well as the application data.
Your primary concern is the ability to recover from a disaster. If you need to restore everything or almost everything on your system, including the root file systems of your zones and their configuration data as well as the data in your global zone, backups should take place in the global zone.
You want to use the ufsdump command to perform a data backup. Because importing a physical disk device into a non-global zone would change the security profile of the zone, ufsdump should only be used from the global zone.
You have commercial network backup software.
Note - Your network backup software should be configured to skip all inherited lofs file systems if possible. The backup should be performed when the zone and its applications have quiesced the data to be backed up.
Backing Up Individual Non-Global Zones on Your System
You might decide to perform backups within the non-global zones in the following cases.
The non-global zone administrator needs the ability to recover from less serious failures or to restore application or user data specific to a zone.
You want to use programs that back up on a file-by-file basis, such as tar or cpio. See the tar(1) and cpio(1) man pages.
You use the backup software of a particular application or service running in a zone. It might be difficult to execute the backup software from the global zone because application environments, such as directory path and installed software, would be different between the global zone and the non-global zone.
If the application can perform a snapshot on its own backup schedule in each non-global zone and store those backups in a writable directory exported from the global zone, the global zone administrator can pick up those individual backups as part of the backup strategy from the global zone.
Determining What to Back Up in Non-Global Zones
You can back up everything in the non-global zone, or, because a zone's configuration changes less frequently, you can perform backups of the application data only.