Zones and Containers FAQ

Edit

Last Updated: April 2010

Maintained by Jeff Victor, Penny Cotten, et al.
Dozens of contributors

This page is a list of Questions, some Frequently Asked, some Not So. It also includes Frequently Requested Web Links. It is
intended for use by anyone interested in learning more about Oracle Solaris Zones and Oracle Solaris Containers.

If you would like to provide feedback on this FAQ, please send it to zones-discuss AT opensolaris DOT org.

A date appearing after an answer provides the most recent date the answer has been updated. Answers with old dates, or no date
at all, might not provide the most recent information. All answers without dates were current on June 14, 2005.

Topics in this FAQ

o Section 1: Basics
o Section 2: Configuration (non-I/O)
o Section 2B: I/O Configuration
o Section 2C: What Services can a Zone Provide?
o Section 3: Resource Management, Performance
o Section 4: System Administration
o Section 5: Security
o Section 6: Application-specific Information
o Section 7: Other Server Virtualization Solutions
o Section 8: Zones in OpenSolaris
o Section 9: Common but Non-Obvious Problems

Questions:

Edit

o Section 1: Basics
o Q: What is a zone?
o Q: What is a container?
o Q: What types of zones are available?
o Q: What is a global zone? Sparse-root zone? Whole-root zone? Local
zone?
o Q: Can I create a zone which shares ("inherits") some, but not all of
/usr, /lib, /platform, /sbin?
o Q: How do I get zones or containers?
o Q: What hardware can utilize zones or containers?
o Q: Will my software run in a zone or container?
o Q: How can I test my software for use in a container?
 o Q: What applications are certified to run in zones or containers?
o Q: How can I use the Solaris Explorer program to collect information
on my zone(s)?
o Q: What changes have happened to zones since it was first released?
o Q: What features are new in Oracle Solaris 10 10/09?
o Section 2: Configuration (non-I/O)
o Q: How "big" is a zone?
o Q: How many containers can one copy of Solaris have?
o Q: Can each zone run a different Solaris version?
o Q: What types of re-configurations require a non-global zone re-boot?
 A:
o Q: What types of re-configurations require a complete system re-boot?
o Q: Can containers be clustered?
o Q: Can I use SysV shared memory between containers?
o Q: Can a zone include multiple zones (aka "is the containment model
hierarchical")?
o Q: Can I automate the process of entering system information, e.g. with
sysidcfg?
o Q: Can some local zones be in different time zones?
o Q: Can some non-global zones have different date and/or time settings
(i.e. different clocks)?
o Q: Can I label my terminal windows with the name of the zone I’m
logged into?
o Section 2B: I/O Configuration
o Q: How can I learn more about using zones with IPMP or iSCS?
o Q: How can I add a file system to an existing zone?
o Q: How can I make a writable /usr/local in a sparse-root zone?
o Q: Can I assign a ZFS volume (zvol), an SVM meta-device, or a
Veritas Volume, to a non-global zone?
o Q: Can I, and should I, import raw devices into a non-global zone?
o Q: Can I share an I/O resource (e.g. NIC, HBA) between containers?
o Q: Can zones in one computer communicate via the network?
o Q: How do I modify the network configuration of a running zone?
o Q: Can IP Multipathing (IPMP) be used with zones?
o Q: Can IP Filter be used with zones?
o Q: Can I prevent a zone from using the network?
o Q: Are VLANs supported in zones?
o Q: How do I configure a default route in a container?
o Q: How can I restrict a zone (or a few zones) to one NIC (network
connector)?
o Q: When I tried to mount a file system into a non-global zone, an error
message displayed stating that the mount point was busy. Why?
o Q: How can I mount a file system into two or more different zones
safely?
 o Q: How can I create a zone with its own /usr or root file system (a
’whole root file system’)?
o Q: How can I restrict a zone (or a few zones) to one HBA (storage
connector)?
o Q: Can a non-global zone NFS-mount a file system that has been
shared from its own global zone?
o Q: Can a zone’s root directory be on a ZFS file system?
o Section 2C: What Services can a Zone Provide?
o Q: Can a zone be an NFS server?
o Q: Can a zone be a DHCP server?
o Q: Can a zone be a DNS server?
o Q: Can a zone be an NTP client or server?
o Q: Can a zone be a NIS (aka yp), NIS+, or LDAP server?
o Q: Can a zone provide network login via telnet, rlogin, rsh or ssh?
o Q: Can a zone be an ftp server?
o Q: Can a zone run sendmail?
o Q: Can I use X windows in a zone?
o Section 3: Resource Management, Performance
o Q: How can I prevent one container from consuming all of the CPU
capacity, preventing other workloads from running properly?
o Q: What is the resource granularity for CPU assignment to a container?
o Q: How can I limit the memory used by a container?
o Q: Can I dynamically change the quantity of a resource (CPU,
memory, network bandwidth) assigned to a container?

 A: To change the number of CPU shares associated with a container

without re-booting it, use the prctl command, e.g.
o Q: Can swap space usage be managed?
o Q: Can I limit the network bandwidth used by a zone?
o Q: Do Containers use up a lot of CPU power?
o Q: Can the share value for a running project or zone be changed?
o Q: Can I bind a zone to a pool?
o Q: Can projects/zones be reassigned to a different resource pool while
they are running?
o Q: Can you move processors between processor sets while the system
is running?
o Q: How can I prevent one zone from using all the swap space by filling
up /tmp?
o Q: Do I need to set a locked memory cap for a zone? If so, what value
should I set?
o Section 4: System Administration
o Q: What software can manage zones?
o Q: How do I create a zone?
o Q: How do I remove a zone?
 o Q: Is the maximum number of exclusive-IP zones limited to the
number of physical ethernet ports?
o Q: Is it still necessary to set the NFSv4 domain parameter?
o Q: How do I patch zones?
o Q: Can each container be a different Solaris patch level, so I can test
patches in a "test" container before applying them to a "production"
container?
o Q: Can I move a zone from one computer/domain to another?
o Q: Is there a way to correlate audit records from multiple containers?
o Q: Can I add packages to just the global zone (for example, SRS
netConnect)?
o Q: Can I add a package to one non-global zone without adding it to the
global zone?
o Q: What commands don’t work, or behave differently, inside a zone?
o Q: Do zones boot automatically, or must I boot each one manually
every time the system (re)boots?
o Q: Should I halt a system’s zones before applying patches?
o Q: Where does a zone’s syslog output go?
o Q: I removed a device from a zone, but it’s still there. Why, and how
do I get rid of it?
o Q: How do I upgrade a system with zones installed? Does Live
Upgrade work?
o Q: Are there any special guidelines for using Live Upgrade with
zones?
o Q: Are Solaris 10 zones configured on ZFS prior to the Solaris 10
10/08 release upgradeable using Live Upgrade?
o Q: What is the default networking service configuration of a non-
global zone when it is installed?
o Q: Can the patch levels between a zone migrated to the target machine
using update on attach and a zone created on the target machine be
different?
o Q: I tried to halt my zone but it is stuck in the 'shutting down' or 'down'
state and won't halt. What should I do?
o Section 5: Security
o Q: Can I access one zone from another zone?
o Q: Can I ’su’ from one zone to another?
o Q: Can I prevent the root account in one zone from affecting other
zones?
o Q: Can programs running in one zone change the operation of
programs running in another container?
o Q: How do I prevent a ’fork bomb’ from affecting all of the zones?
o Section 6: Application-specific Information
o Q: Can Oracle use shared memory in a Container?
o Q: Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a
Solaris Container?
 o Q: Can I use Oracle RAC in a Container?
o Q: Are there any third-party documents that address using applications
with zones?
o Section 7: Other Server Virtualization Solutions
o Q: What are zone’s strengths compared to other server virtualization
solutions?
o Q: Are containers like VMware?
o Q: Are containers like HP vPars or nPars?
o Q: Are containers like IBM Micro-Partitions?
o Q: Are containers like Linux vServers?
o Section 8: Zones in OpenSolaris
o Q: How are zones different on OpenSolaris 2009.06?
o Q: Why are zones so different on OpenSolaris?
o Q: Why can’t I use sparse root zones?
o Q: Are zones on OpenSolaris done? Will zones continue to look like
they do on 2009.06?
o Q: How do I control what software is installed in the zone?
o Q: Why is zone root its own dataset?
o Q: Why isn’t the zone root available when the zone is halted? How do I
set up the zone’s sysidcfg file?
o Q: I created a zone in OpenSolaris 2009.06, and tried to add an
/etc/sysidcfg file - but <zonepath>/root/etc doesn't exist! Where did it
go?
o Q: Can I continue to use zones created on OpenSolaris 2008.05?
o Section 9: Common but Non-Obvious Problems
o Q: I created a zone and booted it, but it doesn’t work. What should I
do?
o Q: I added some privileges to a user in a zone, and now the user can’t
login. What should I do?
o Q: I tried to upgrade to Solaris 10 11/06 and it told me the upgrade
failed and I need to restore from backup. Now what?

Answers:

Edit

Section 1: Basics

Q: What is a zone?

A: A zone is a virtual operating system abstraction that provides a protected environment in which applications run. The
applications are protected from each other to provide software fault isolation. To ease the labor of managing multiple applications
and their environments, they co-exist within one operating system instance, and are usually managed as one entity.
The original operating environment, before any zones are created, is also called the "global zone" to distinguish it from non-
global zones, The global zone is the operating system instance.

Q: What is a container?

A: A native, default zone on the Oracle Solaris 10 OS is called a container. The other containers that run on Oracle Solaris 10
include Oracle Solaris 8 Containers and Oracle Solaris 9 Containers. Many people use the terms "zone" and "container"
interchangeably.

Q: What types of zones are available?

A: It is possible to create non-global zones that run the same OS as the global zone, which is the OS running on the system. It is
also possible to create a non-global zone that runs a different operating environment from the global zone. The branded zone
(BrandZ) framework extends the zones infrastructure to include the creation of brands that contain alternative sets of runtime
behaviors. The following types of non-global zones are available:

o native:
A default Oracle Solaris Container non-global zone is called a native zone. It
has the same characteristics as the Oracle Solaris 10 Operating System release
that is running in the global zone.
If you have configured your system with Oracle Solaris Trusted Extensions,
each non-global zone is associated with a level of security, or label. Labeled
zones can be configured starting with the Oracle Solaris 10 11/06 release. For
more information, see  Solaris Trusted Extensions Installation and
Configuration.
o ipkg:
The ipkg non-global zone is the default non-global zone on the OpenSolaris
release. It has the same characteristics as the release that is running in the
global zone. Each ipkg zone manages its own software packages.
o Branded zones that run an environment different that the OS release on
the system  
o The lx branded zone introduced in the Solaris 10 8/07 release provides
a Linux environment for your applications and runs on x86 and x64
machines on the Oracle Solaris 10 OS. For more information, visit the
OpenSolaris Community: BrandZ.
o The solaris8 and solaris9 branded zones enable you to migrate an
Oracle Solaris 8 or Oracle Solaris 9 system to an Oracle Solaris 8 or
Oracle Solaris 9 Container on a host running the Oracle Solaris 10 8/07
Operating System or later Oracle Solaris 10 release. A solaris8 branded
zone is an environment for Oracle Solaris 8 applications on SPARC
machines. A solaris9 branded zone is an environment for Oracle
Solaris 9 applications on SPARC machines. Now named Oracle Solaris
8 Containers and Oracle Solaris 9 Containers, these products were
 introduced through a product called the Solaris 8 Migration Assistant
1.0, on October 22, 2007. For more information, see  System
Administration Guide:  Solaris 8 Containers and  System
Administration Guide:  Solaris 9 Containers. To download, go to
Solaris Containers. [May 2008] 
o The Oracle Solaris 10 Container brand is available in OpenSolaris
build 127. These branded zones host Oracle Solaris 10 user
environments. [August 2010]

Q: What is a global zone? Sparse-root zone? Whole-root zone? Local zone?

A: After installing Oracle Solaris 10 on a system, but before creating any zones, all processes run in the global zone. After you
create a zone, it has processes that are associated with that zone and no other zone. Any process created by a process in a non-
global zone is also associated with that non-global zone.

Any zone which is not the global zone is called a non-global zone. Most people call non-global zones simply "zones." Some
people call them "local zones" but this is discouraged.

The default native zone file system model on Oracle Solaris 10 is called "sparse-root." This model emphasizes efficiency and
security at the cost of some configuration flexibility. Sparse-root zones optimize physical memory and disk space usage by
sharing some directories, like /usr and /lib. Sparse-root zones have their own private file areas for directories like /etc and /var.
Whole-root zones increase configuration flexibility but increase resource usage. They do not use shared file systems for /usr, /lib,
and a few others.
There is no supported way to convert an existing sparse-root zone to a whole-root zone. Creating a new zone is required. [August
2010]

Q: Can I create a zone which shares ("inherits") some, but not all of /usr, /lib, /platform, /sbin?

A: The original design of Solaris Containers assumes that those four directories are either all shared ("inherited") or all not
shared. Sharing some and not others will lead to undefined and/or unpredictable behavior. [August 2010]

Q: How do I get zones or containers?

A: Oracle Solaris 10 includes all of the programs and files needed to use zones (and Containers). Operating systems based on the
OpenSolaris code base, including OpenSolaris 2009.06, may elect to include support for zones. [August 2010]

Q: What hardware can utilize zones or containers?

A: Zones and resource management are all software features of Oracle Solaris and other operating systems based on the
OpenSolaris code base. As software features, they do not depend upon any specific hardware platform. Any hardware that runs a
Solaris distro (Oracle Solaris 10, OpenSolaris, or another) will be able to have these features.
Q: Will my software run in a zone or container?

A: Most Oracle Solaris software will run unmodified in a zone, without needing to re-compile. Unprivileged software (programs
that do not run as root nor with specific non-default privileges) typically run unmodified in a zone once they can be successfully
installed. Installation software must not assume that it can write into shared, read-only file systems, e.g. /usr. This can be
circumvented by adding a writable file system to the zone (e.g. at /usr/local) or using a whole-root zone.
However, there are a few applications which need non-default privileges to run - privileges not normally available in a zone, such
as the ability to set the system?s time-of-day clock. For these situations, the feature named "configurable privileges" has been
added. This feature allows the global zone administrator - the person who manages zones on a system - to assign additional, non-
default privileges to a zone. The zone?s administrator can then allow individual users to use those non-default privileges.
An application that requires privileges that cannot be added to a zone might need modification to run properly in a zone.
Here are some guidelines:

o An application that accesses the network and files, and performs no other I/O,
should work correctly.
o Applications that require direct access to certain devices, e.g., a disk partition,
will usually work if the zone is configured correctly. However, in some cases
this may increase security risks.
o Applications which require direct access to these devices must run in the
global zone, or must be modified to work correctly:
o /dev/kmem
o a network device
1. Starting with OpenSolaris build 37 and Oracle Solaris 10 8/07, a
default zone can be configured as an "exclusive-IP zone" which
gives it exclusive access to the NIC(s) that the zone has been
assigned. Applications in such a zone can communicate directly
with the NIC(s) available to the zone.
2. Applications running in shared-IP zones should instead use one
of the many IP services.

For more details, read the white paper "Bringing Your Application Into the Zone". Note that changes have been made to
privileges, IP types, and other areas used with zones since this paper was published. For current information, also see the
administration guide. [November 2007]

Q: How can I test my software for use in a container?

A: See the document Qualification Best Practices for Application Support in Non-Global Zones." [March 2006]

Q: What applications are certified to run in zones or containers?

A: Supportability of an application running in a container is evaluated by the ISV. Some software vendors treat zones as just
another feature set of Oracle Solaris, and do not feel a need to specifically certify their software to use zones. Others have
specifically certified their software to use zones. Applications that have been reported to be officially supported include those in
the following list. For more details see the section "Application-specific Information"

o BEA WebLogic Server 8.1 SP4

o Veritas Storage Foundation 5.0 (MP3)
o Oracle's pricing policy regarding containers
o Veritas NetBackup 5.0 (MP4) and 5.1 (MP2)
o Sun N1 Grid Engine 6 (Update 4)
o CA Ingres
o IBM DB2 8.2
o IBM Websphere
o Oracle TimesTen
o Oracle Ebusiness Suite 11
o SAP R/3
o Veritas VCS - see " Implementing Solaris? Zones with Veritas? Cluster
Server by Symantec"

Q: How can I use the Solaris Explorer program to collect information on my zone(s)?

A: Explorer 5.0 can be run on Oracle Solaris 10 in a global zone. It can be used to collect information on containers (non-global
zones) with the -w option.

Q: What changes have happened to zones since it was first released?

A: See the OpenSolaris  project page for changes made since the initial release. [September 2006]

Q: What features are new in Oracle Solaris 10 10/09?

A: New features include the following:

o Support has been added for zones parallel patching to reduce patching time, a
fast
patching solution that utilizes the patchadd utility. For releases prior to Oracle
Solaris 10 10/09, the patch is delivered in the patch utilities patch, 119254-66
or later revision (SPARC) and 119255-66 or later revision (x86). 

o For a zone that cannot be halted, as of the Oracle Solaris 10 10/09 release,
you can migrate a zone that has not been detached by using the zoneadm
attach -F option to force the attach without a validation. The target system
must be properly configured to host the zone. An incorrect configuration
could result in undefined behavior. Moreover, there is no way to know the
state of the files within the zone.
[Oct 2008]

Back to Top

Section 2: Configuration (non-I/O)

Q: How "big" is a zone?

 A: If configured with default parameters, a zone requires about 100MB of free disk space per zone when the global zone has
been installed with the "All" metacluster of Oracle Solaris 10 packages. Additional packages installed in the global zone will
require additional space in the non-global zones. ZFS quotas or SVM soft partitions can be used to enforce per-zone disk space
constraints. When performing capacity planning, 100MB of additional RAM per zone is suggested (in addition to the needs of its
workload). An application does not use any "extra" RAM because it is running in a zone.
 A zone installed using the "full-root model" will take up as much space as the initial Oracle Solaris 10 installation, which will be
more than 500MB in most cases. [August 2010]

Q: How many containers can one copy of Solaris have?

 A: While the theoretical limit is over 8,000, the practical limit depends on:

o The amount of hardware resources used by the applications versus the amount
available in the system. This includes the number and processing power of
CPUs, memory size, NICs, HBAs, etc.
o What portion of the installed zones are actually in use. For example, you can
create 100 zones, each ready to offer a web service, but only boot the 10 that
you need this month. The unbooted zones take up disk space, but do not cause
the use of any extra CPU power, RAM, or I/O. [August 2010]

 Consider these examples which worked:

o 40 zones, each running five copies of the Apache web service, on an E250
with two 300MHz CPUs, 512MB RAM, and three hard disk drives totalling
40GB. With all zones running and a load consisting of multiple simultaneous
HTTP requests to each zone, the overhead of using zones was so small it
wasn’t measurable (<5%).

Q: Can each zone run a different Solaris version?

 A: All of the zones use a single underlying kernel. The version of the kernel determines the version of every container in that
domain. However, the Oracle Solaris 8 Containers and Oracle Solaris 9 Containers products provide the appropriate system calls
so that binaries compiled for Oracle Solaris 8 or Oracle Solaris 9 work correctly. [August 2010]
Q: What types of re-configurations require a non-global zone re-boot?
 A:

o Adding a device to a non-global zone.

o Binding a zone to a pool.
o Modifying a zone's privilege set.
[August 2010]

Q: What types of re-configurations require a complete system re-boot?

 A: We are not aware of any. [August 2010]

Q: Can containers be clustered?

 A: Yes, but not without adding additional cluster management software. As of this writing, Sun is developing extensions to its
Sun Cluster software, so that Resource Groups can be placed within non-global zones. <Veritas/Symantec> has also announced
support for Zones in the Veritas Cluster product.

Q: Can I use SysV shared memory between containers?

 A: No, this is prohibited. This would violate several security principles. [August 2010]

Q: Can a zone include multiple zones (aka "is the containment model hierarchical")?

 A: No, the model is strictly two-level: one global zone and zero or more non-global zones. Only the global zone can create non-
global zones, and each non-global zone must be contained within the global zone. [August 2010]

Q: Can I automate the process of entering system information, e.g. with sysidcfg?

 A: Yes, after a zone has been installed, copy a sysidcfg(4) file to the zone’s /etc/sysidcfg before the first boot of that zone.
[August 2010]

Q: Can some local zones be in different time zones?

 A: Yes. Each non-global zone has its own copy of /etc/default/init, which contains the timezone setting. You can change the line
starting with "TZ=". The recognized names of timezones are in /usr/share/lib/zoneinfo. For example, Eastern Standard Time in
the USA is defined in the file /usr/share/lib/zoneinfo/US/Eastern. To set a non-global zone’s timezone to that timezone, the line
in /etc/default/init would look like this:
TZ=US/Eastern
[August 2010]
Q: Can some non-global zones have different date and/or time settings (i.e. different clocks)?

 A: Although different zones can ’be’ in different time zones, each zone gets its date and time clock from the same source. This
means that the time zone setting gets applied after the current time data is obtained from the kernel.
 If you would like the ability to have different clock sources per zone, please add a call record to RFE 5033497. [August 2010]

Q: Can I label my terminal windows with the name of the zone I’m logged into?

 A: Yes. After logging into the zone, enter this command:

zone% /bin/echo "\033]0;Zone `/bin/zonename`\007\c"

[August 2010]

Back to Top 

Section 2B: I/O Configuration

Q: How can I learn more about using zones with IPMP or iSCS?

 A:See Jeff’s Blog for step-by-step instructions. [May 2008]

Q: How can I add a file system to an existing zone?

 A: There are four methods. The following list uses UFS examples, but other types of file systems, such as ZFS, HSFS and VxFS,
can be used in the zonecfg "fs" resource type property or attached by mount(1M).

1. Create and mount the file system in the global zone and use LOFS to mount it
into the non-global zone (very safe)
2. Create the file system in the global zone and use zonecfg to mount the file
system into the zone as a UFS file system (very safe)
3. Export the device associated with the disk partition to the non-global zone,
create the file system in the non-global zone and mount it. Security
consideration: If a _block_ device is present in the zone, a malicious user
could create a corrupt file system image on that device, and mount a file
system. This might cause the system to panic. The problem is less acute with
raw (character) devices. Disk devices should only be placed into a zone that is
part of a relatively trusted infrastructure.
4. Mount a UFS file system directly into the non-global zone’s directory
structure (allows dynamic modifications to the mount without rebooting the
non-global zone)
 See the administration guide for instructions to use these methods. [September 2006]

Q: How can I make a writable /usr/local in a sparse-root zone?

 A: Use one of the methods above, for example:

global# mkdir -p /path/to/some/storage/local/twilight

global# zonecfg -z twilight
zonecfg:twilight> add fs
zonecfg:twilight:fs> set dir=/usr/local
zonecfg:twilight:fs> set special=/path/to/some/storage/local/twilight
zonecfg:twilight:fs> set type=lofs
zonecfg:twilight:fs> end
zonecfg:twilight> commit
zonecfg:twilight> exit
global#

[August 2010]

Q: Can I assign a ZFS volume (zvol), an SVM meta-device, or a Veritas Volume, to a non-global
zone?

 A: With Solaris 10 1/06, you can directly assign an SVM meta-device into a non-global zone, using the same method you would
with most other devices. However, see the answer to the next question.
 Symantec supports the assignment of a Veritas Volume into a non-global zone. For more information, see this guide. [June
2009]

Q: Can I, and should I, import raw devices into a non-global zone?

 A: The Solaris Zones feature set provides the global zone administrator with the ability to allow a non-global zone to access a
raw device. There are many situations where this will be the best approach to solve a problem. There are even situations which
require such use.

 First, however, it is important to stress that there are usually other solutions that do not require direct device access. Let’s discuss
this first.

 With regard to importing VxVM devices into a zone: this is possible with VxVM 5.0MP3 and up. For earlier versions, your
options depend on the goal. If the goal is to make a file system available in the zone, the solution is to create the file system in the
global zone, and LOFS or direct mount the file system in the zone. On the other hand, if the goal is to make a mirrored block
device available in the zone, the only solution is to upgrade to VxVM 5.0MP3 or higher.
 If you want to make a file system available in the zone, create the file system in the global zone, and use LOFS to make the file
system available in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, another
solution must be found.

 In any situation, if direct device access is required within a zone, you must perform careful failure analysis and evaluation of the
possible outcomes of "catastrophic application failure. If the non-global zone will use COTS software, and will be managed by
trustworthy people, then the risks will be small. Fortunately, in most cases there are also other solutions which do not use direct
device access from a zone.

 Here are two extreme examples:

1. A zone will be created for the purpose of training students on basic Unix
commands. The root account will only be used by the global zone
administrator. The system will be attached to a LAN which is not connected
to any other networks. The instructor needs access to the sound device. There
are very few risks associated with such access - it would be very difficult for
the sound device to suffer a failure, and even if it did it would be unlikely to
affect other zones.
 The zone can be given access to this via the zonecfg sub-commands:

global# zonecfg -z zonename

zonecfg:zonename> add device
zonecfg:zonename:device> set match=/dev/sound/*
zonecfg:zonename:device> end
zonecfg:zonename> exit

 The zone will have access to sound devices, but will not have access to any other devices.
2. A zone will be created for the purpose of teaching students about a database program that requires access to raw disk
partitions. The instructor knows how to use Unix, but does not have a background in Unix system administration. Further, the
instructor will require use of the root account to assist students. It is possible that the instructor could make a mistake, or a
malicious student could abuse the raw disk access, leading to a crash of the kernel. This would also stop all of the other non-
global zones, as well as the global zone. If the other zones are running production software, this request for raw disk access in a
zone should not be fulfilled. Other solutions should be pursued, such as creating an RBAC role for the instructor which only
gives the necessary privileges to the isntructor’s Unix account.

 Other examples must be judged by their particulars, e.g. a production database program which needs raw access. Factors to
consider include:

o Who will login to the zone? How trustworthy are they?

o Is this system protected from unauthorized access by a firewall?
o What level of availability is required by applications running in this zone and
in other zones?
 For more information on this topic, see the section "SECURITY AND DATA INTEGRITY" of the man page for sgen(7d).
[August 2010]

Q: Can I share an I/O resource (e.g. NIC, HBA) between containers?

 A: Yes, in fact, that is the default model. Each container is assigned its own IP address, but usually multiple containers will share
one NIC. Further, multiple zones may be assigned separate file systems accessed through one HBA. [August 2010]

Q: Can zones in one computer communicate via the network?

 A: Both shared-IP and exclusive-IP zones can communicate via the network. In general, a zone is assigned to use one or more
network ports (aka NICs), and network traffic to or from other computers uses the assigned NIC(s), following standard IP rules.
 Network traffic between two zones on the same system may require extra planning. If a zone is an "exclusive-IP" zone, its
network packets will always leave the computer, and inbound packets will always come from outside the computer. Further, an
exclusive-IP zone performs all of its own network configuration, including routing and IP filtering.
 Before Solaris 10 10/08, network traffic between two shared-IP zones always stayed in the computer, i.e. it didn’t traverse the
physical network. This provided very high bandwidth, low latency transmission. However, starting with Solaris 10 10/08, traffic
between two shared-IP zones stays in the computer unless a default router is used for one or both zones. Traffic from a zone with
a default router will go out to the router before coming back to the destination zone. For more information on default routers for
zones, see the documentation and Steffen’s blog.
 Full IP-level functionality is available in an exclusive-IP zone. Exclusive-IP zones always communicate with each other over the
physical network. That communication can be restriced using IP Filter from within such zones, just as it can for a separate
system.

 For shared-IP zones in one computer that communicate using IP networking,the following applies:

o Inter-zone network latency is extremely small, and bandwidth is extremely

large
o Solaris IP Filter can be enabled in non-global zones by turning on loopback
filtering as described in System Administration Guide: IP Services. Filter
rules are still configured in the global zone.

 It is possible to configure routing to block traffic between specific zones completely.
 For more information on IP types, see the System Administration Guide: Solaris Containers-Resource Management and Solaris
Zones.

Further, OpenSolaris 2009.06 added the features "virtual NICs" and "virtual switches" - part of "Project Crossbow." They allow
you to configure an entire internetwork in a system, using VNICs, vSwitches, and zones that are configured as routers. [August
2010]

Q: How do I modify the network configuration of a running zone?

 A: For shared-IP zones, the ifconfig(1M) command can be used in the global zone to modify that zone’s existing network
configuration or to add new logical interfaces to a zone. Here are some examples that add, and then delete a logical interface
assigned to a zone:

global# ifconfig bge0 addif 192.168.200.202 zone myzone

global# ifconfig bge0 removeif 192.168.200.202

 [August 2010]

Q: Can IP Multipathing (IPMP) be used with zones?

 A: Yes.
Exclusive-IP zones can use IPMP. IPMP is configured the same way in an exclusive-IP zone as it is on a system not using zones.
 For shared-IP zones, IPMP can be configured in the global zone. Failover of a network link (e.g. hme0) that is protected by
IPMP will bring the associated logical interfaces (e.g. hme0:3) for the zones over to the secondary link (e.g. bge0).
 For more information, see the section "Using IP Network Multipathing on a Solaris System With Zones Installed" in System
Administration Guide: Solaris Containers-Resource Management and Solaris Zones.
 Take extra care with IPMP and the defrouter setting. See this blog entry. [August 2010]

Q: Can IP Filter be used with zones?

 A: Yes. The global zone can configure IP Filter rules for shared-IP zones. An exclusive-IP zone can configure IP Filter rules for
itself.

 For shared-IP zones, the IPFilter features in Solaris 10 can be used to filter traffic passing between one non-global zone and
other computers on the network. This includes the ability to use NAT features, i.e., redirect traffic destined for the global zone to
non-global zones.
 [August 2010]

Q: Can I prevent a zone from using the network?

 A: Yes. A zone does not need a network interface in order to operate. If you don’t specify a network interface when you create
the zone, it will still boot correctly. If an existing zone has been given access to a network interface, you can use zonecfg(1M) to
remove that access, but if the zone is running you must also either re-boot the zone or use ifconfig(1M) to remove access until the
next re-boot.
 It is also possible to allow a shared-IP zone to access the network, but not communicate with other zones on the same system.
One method is to set up a pair of routes using the "-reject" argument to the route(1) command. For example, if one zone has an IP
address of <Addr1> and the second zone has an address of <Addr2>, then the following commands will prevent network traffic
from passing between the two zones. [August 2010]
global# route add <Addr1> <Addr2> -interface -reject
global# route add <Addr2> <Addr1> -interface -reject

Q: Are VLANs supported in zones?

 A: Yes. For a shared-IP zone, the VLAN interface must be plumbed in the global zone. LAN and VLAN separation are available
in an exclusive-IP non-global zone.

Q: How do I configure a default route in a container?

 A: For a shared-IP configuration: All routes, including default routes, must be configured by the global zone administrator. By
default, such zones use the global zone’s default router. Starting with Solaris 10 10/08, each shared-IP zone can be assigned its
own default router with the "defrouter" setting in zonecfg. For more information on default routers for zones, see the
documentation and Steffen’s blog.
For an exclusive-IP configuration: The zone administrator can configure IP on those data-links with the same flexibility and
options as in the global zone.
 [August 2010]

Q: How can I restrict a zone (or a few zones) to one NIC (network connector)?

 A: The global zone administrator configures each zone’s access to zero or more NICs. A shared-IP zone can be the only zone
using a NIC.
 Exclusive-IP zones have more separation which reaches down to the data-link layer. One or more data-link names, which can be
a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can
configure IP on those data-links with the same options as in the global zone. [August 2010]

Q: When I tried to mount a file system into a non-global zone, an error message displayed
stating that the mount point was busy. Why?

 A: All accesses to entries in lofs mounted file systems map to their underlying file system. Therefore, if a mount point is made
available in multiple locations via lofs and it is in use in any of those locations (as a mount point, a current working directory,
etc.), an attempt to mount a file system at that mount point will fail unless the overlay flag has been specified. [November 2007]

Q: How can I mount a file system into two or more different zones safely?

 A: Create a directory in the global zone, and remount it into each non-global zone using lofs. This will allow reading and writing
from both zones without corrupting. It’s the same mechanism used by the automounter in certain cases.

Q: How can I create a zone with its own /usr or root file system (a ’whole root file system’)?
 A: By default a zone shares /usr and a few other directories with the global zone. If a zone needs its own separate copy of /usr, et
al., you must tell zonecfg to not use the default configuration. To do this, use the "-b" option on the "create" sub-command of the
zonecfg(2) command.
 If you do this, you must specify each existing file system that you do want to share with this new zone. [August 2010]

Q: How can I restrict a zone (or a few zones) to one HBA (storage connector)?

 Each zone uses space in at least one disk partition - its root directory and several others (e.g. /etc) live there. All of these files are
part of Solaris. In addition, each zone can be given access to one or more file systems and/or one or more raw disks. By planning
carefully, you can configure one zone so that all of its files and devices are accessible through one HBA, and all of the storage of
another zone is accessible through a different HBA. [August 2010]

Q: Can a non-global zone NFS-mount a file system that has been shared from its own global
zone?

 A: No. This may be addressed in the future. However, the shared file system can also be LOFS-mounted into the local zone, and,
if necessary, the global zone can export the same file system via NFS so that other computers can also access those files. [August
2010]

Q: Can a zone’s root directory be on a ZFS file system?

 A: Solaris 10 release:

 Placing a zone’s root directory (i.e. its PATHNAME) on ZFS is supported starting with Solaris 10 10/08, and you can then
upgrade with Live Upgrade going forward. There are still issues with placing a zone on ZFS on a release prior to Solaris 10 10/08
and then trying to upgrade.
[August 2010]

Back to Top 

Section 2C: What Services can a Zone Provide?

Q: Can a zone be an NFS server?

 A: A global zone can be an NFS server. A non-global zone cannot use the Solaris NFS server features. However, non-Solaris
NFS server software (i.e. "userland" NFS server software) has been shown to work correctly in a non-global zone. Such software
works because it does not run in the kernel, unlike the Solaris NFS server software which runs in the Solaris kernel in order to
maximize performance.
[August 2010]

Q: Can a zone be a DHCP server?

 A: A global zone can be a DHCP server.

 Starting with Solaris 10 11/06, a non-global zone can be a DHCP server. This ability became more flexible with Solaris 10 8/07,
which added a feature called IP Instances. [August 2010]

Q: Can a zone be a DNS server?

 A: Yes.

Q: Can a zone be an NTP client or server?

 A1: A zone can be an NTP server.

 A2: The NTP client software sets the system time clock shared by all zones, including the global zone. By default, non-global
zones cannot do this. However, the global zone administrator can give a zone the ability to change the system time clock with the
"sys_time" privilege. Be aware that this changes the time clock for all zones.

See http://blogs.sun.com/JeffV/entry/shrink_wrap_security1 for an example. (August 2010)

Q: Can a zone be a NIS (aka yp), NIS+, or LDAP server?

 A: Yes, yes, and yes.

Q: Can a zone provide network login via telnet, rlogin, rsh or ssh?

 A: Yes, yes, and yes.

Q: Can a zone be an ftp server?

 A: A zone can be an ftp server, but it is not possible to use ftpconfig(1M) to set up a zone to be an anonymous ftp server. This is
because ftpconfig attempts to set up certain device special files, and a zone does not have the necessary privileges. [December
2005]

Q: Can a zone run sendmail?

 A: Yes.

Q: Can I use X windows in a zone?

 A: There are a few different methods to use X windows with zones:

1. On the system console: at the login screen, you can choose "Remote Host"
and enter the hostname of the zone. The X windows login screen should be
 replaced with an X windows remote login screen.
2. At the console, logged into the global zone: you can tell X to allow remote
connections from the non-global zone, telnet to that zone, and set the
appropriate environment variable so that X sessions go to the global zone’s X
windows session, e.g. "setenv DISPLAY my-global-zone".
3. At another system, you can login directly to the non-global zone, and
perform steps similar to the previous method.

Back to Top 

Section 3: Resource Management, Performance

Q: How can I prevent one container from consuming all of the CPU capacity, preventing other
workloads from running properly?

 A: Use the resource management features of Solaris. This requires using some combination of the Fair Share Scheduler, CPU
caps, assigned (’dedicated’) CPUs, and/or [Dynamic] Resource Pools features.

Fair Share Scheduler: FSS guarantees a minimum amount of CPU utilization, so it doesn’t waste CPU cycles. Excessive CPU
use is only prevented if there is contention for CPU resources. Minima are specified by "shares" and enforced by the Fair Share
Scheduler. You can assign 100 shares to each of two workloads, 200 shares to a third workload, and 400 shares to the global
zone. The first two workloads will get at least 1/8 of the CPUs' capacity, if they need it, and the global zone will get at least 1/2 of
the CPUs' capacity, if it needs it. If only one Container wants to use the CPUs, it will be able to use all of the processing capacity
of the system.
You should give the global zone a quantity of shares similar to the largest quantity given to any Container, to ensure that you can
manage the Containers.

Starting with Solaris 10 5/08, you can use the capped-cpu resource type. Starting with Solaris 10 8/07, you can use the
dedicated-cpu resource type to automatically create a temporary pool when the zone boots. See Non-Global Zone Configuration
(Overview).

 Alternatively, you can create a processor set with one or more CPUs and bind it to a resource pool. Then create a zone and bind
it to the same resource pool. Run the application in that zone. The application will only "see" that set of processors. For more
information, see  Resource Pools (Overview) and Resource Pools (Tasks).
Web Links:
Non-Global Zone Configuration (Overview)
Fair Share Scheduler (Overview)
CPU Caps
Dynamic Resource Pools (Overview)

 [January 2010]

Q: What is the resource granularity for CPU assignment to a container?

 A: Fair Share Scheduler: Arbitrary, i.e. one-thousandth of a CPU or smaller. For example, CPU share assignments could be 1,
1000, 999, resulting in utilization minima of 0.05%, 50%, and (practically speaking) 50%.
CPU Cap: number of CPUs, in hundredths of a CPU. One zone can be capped at 4.01 CPUs, and another can be capped at 4.02
CPUs. Dedicated CPU: CPU range, in integer number of CPUs. For systems with multiple hardware threads per CPU core,
Solaris considers each core to be a "CPU." For systems with multiple threads per CPU core (including Nehalem, SPARC CMT
and SPARC64-VII) Solaris considers each hardware thread to be a "CPU." August 2010

Q: How can I limit the memory used by a container?

 A: You can use the Resource Capping Daemon (rcapd) for all Solaris 10 releases. Starting with Solaris 10 8/07, you can use the
capped-memory resource to set limits for physical, swap, and locked memory. Determine values for this resource if you plan to
cap memory for the zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by
rcapd as the max-rss value for the zone.

Web Links:
Non-Global Zone Configuration (Overview)
Administering the Resource Capping Daemon

 [January 2009]

Q: Can I dynamically change the quantity of a resource (CPU, memory, network bandwidth)
assigned to a container?

 A: To change the number of CPU shares associated with a container without re-booting it, use
the prctl command, e.g.

prctl -n zone.cpu-shares -r -v $SHARES `pgrep -z $ZONENAME init`

 where $SHARES is the new number of shares and $ZONENAME is the name of the zone.
 In Solaris 10, starting with 5/08, similar methods can be used to change the CPU cap, RAM cap, VM cap and shared memory
cap.

Web Links:
Resource Controls
Using the prctl Command
Fair Share Scheduler (Overview)
prctl(1) 

 [August 2010]

Q: Can swap space usage be managed?

 A: The entire swap partition is treated as a single global resource to processes running in both global and non-global zones.
Before Solaris 10 8/07, you couldn’t limit the amount of swap used by a zone on a per-zone basis. You can globally limit the size
of the swap-based file systems (e.g. /tmp) by using the "size" mount option in the container’s /etc/vfstab file, e.g. "size=200m".
This allows you to decrease the effect of many and/or large files created in /tmp.
 Starting with Solaris 10 8/07, you can use the 'swap' property of the capped-memory resource to cap the amount of virtual
memory (VM) that a zone uses. This can also be set dynamically with the resource control zone.max-swap.
 [August 2010]

Q: Can I limit the network bandwidth used by a zone?

 A: Yes, use the IPQoS features in Solaris 10. You must manage this from the global zone for the containers.

Q: Do Containers use up a lot of CPU power?

 A: CPU overhead of containers is hardly measurable (i.e. <1%) for a few zones or even dozens of zones, depending somewhat
on the applications.

Q: Can the share value for a running project or zone be changed?

 A: Yes.  Here is an example:

prctl -n project.cpu-shares -v 10 -r -i project group.staff 

The prctl utility allows the examination and modification of the resource controls associated with an active process, task or
project on the system. It allows access to the basic and privileged limits on the specified entity.

-n specifies the name of the resource to get or set

-r specifies a replace operation
-v specifies the new value for the resource
-i specifies the owning process, task or project of the resource.

Q: Can I bind a zone to a pool?

 A: Yes, but in Solaris 10 8/07 and later, it’s much easier to use the ’dedicated-cpus’ feature.
 To bind a zone’s processes to a pool, first create the pool, then use zonecfg(1M) to bind a zone to it.

1. Enable resource pools on your system using either svcadm or pooladm -e.
 2. Use pooladm -s to create the pool configuration.
 3. Use pooladm -c to commit the configuration at /etc/pooladm.conf.
 4. Use poolcfg -c to modify the configuration.
poolcfg -c ’create pset pset_zone (uint pset.min = 3; uint pset.max = 3)’
 poolcfg -c ’create pool pool_zone (string pool.scheduler="FSS")’
 poolcfg -c ’associate pool pool_zone (pset pset_zone)’

 5. Use pooladm -c to commit the configuration at /etc/pooladm.conf.

 See the administration guide.
 The command to perform the binding, from the global zone, would be:

zonecfg -z zone1 set pool=pool_zone

 If the zone was running, you must re-boot it for the binding to take effect, unless you also dynamically assign the zone to the
pool, as described in the question "Can projects/zones be reassigned to a different resource pool while they are running?".
[August 2010]

Q: Can projects/zones be reassigned to a different resource pool while they are running?

 A: Yes. Here is an example:

poolbind -p web_app -i zoneid  myzone 

The poolbind command binds zones, projects, tasks and processes to a pool.

 -p is the name of the pool to bind

 -i specifies the process id, zone id, task id or project id to be bound to the pool.

Q: Can you move processors between processor sets while the system is running?

 A: Yes, you can. Here is the command(s) you would use:

o If you don’t care which CPUs you move from a processor set the command
would be:
poolcfg -dc "transfer 2 from pset pset1 to pset2"
 which will move any two processors from pset1 to pset2
 -d operate directly on the kernel state
 -c this signifies the command

 If you want to move a specific CPU(s) here is the command:

poolcfg -dc "transfer to pset pset2 (CPU 0, CPU 1)"
 which will move CPUs 0 and 1 to pset2.

Q: How can I prevent one zone from using all the swap space by filling up /tmp?
 A: For manual mounts, use the option "-o size=sz" where sz is the size limit you want. Ending the size in ’k’ means kilobytes,
ending it in ’m’ means megabytes. Example: "-o size=500m". This option can also be added into /etc/vfstab. For more details,
view the man pages for mount_tmpfs(1M) and vfstab(4).

 With Solaris 10 8/07, you can use the resource control, zone.max-swap. (The swap property of the capped-memory resource is
the preferred way to set this control.)

Q: Do I need to set a locked memory cap for a zone? If so, what value should I set?

 A: A locked memory cap in a zone can be set using the 'locked' property of the zonecfg capped-memory resource. Applications
generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone’s applications are
known to lock memory.

If a Container locks down enough memory, it can cause other Containers to page excessively. For that reason, setting the 'locked'
property is recommended, because each Container can use locked memory.
If the zone administrator is less than trusted or if DOS exploits are of concern, you can also consider setting the locked memory
cap to 10% of the system’s physical memory or to the zone’s physical memory cap.
[August 2010]

Back to Top 

Section 4: System Administration

Q: What software can manage zones?

 A: Here are just a few of the software tools - some free, some not free - which will help you manage Solaris Zones:

o Oracle Enterprise Manager Ops Center (Sun Management Center) can create
and manage Solaris Containers
o WebMin GUI has a Solaris Zones module
o Xone Control GUI
o The Zone Manager Command
o Zonestat command reports on resource usage and caps

 [August 2010]

Q: How do I create a zone?

 A: First gather some information, then use the Solaris Container Manager GUI or the commands shown below. This is the
simplest possible creation of a zone that has network access. You will need this information (example values in parentheses):

1. Name that you choose for the zone (my-zone)

2. Hostname that choose for the zone (my-zone)
 3. Name of the directory in the global zone where all of the zone’s operating
system files will be (/zones/zone_roots/my-zone)
4. IP address of the zone (10.1.1.1)
5. Name of the network device that the zone should use (hme0)

Using the sample information in the appropriate commands, which will take about 10 minutes on a small system with a new
installation of OpenSolaris or Solaris 10:

global# zonecfg -z my-zone

zonecfg:my-zone> create
zonecfg:my-zone> set zonepath=/zones/zone_roots/my-zone
zonecfg:my-zone> add net
zonecfg:my-zone:net> set address=10.1.1.1
zonecfg:my-zone:net> set physical=hm0
zonecfg:my-zone:net> end
zonecfg:my-zone> commit
zonecfg:my-zone> exit
global# zoneadm -z my-zone install
global# zoneadm -z my-zone boot

Also, see the two chapters on installing and uninstalling zones at docs.sun.com. [August 2010]

Q: How do I remove a zone?

 A: Use these commands, substituting the correct names for <bracketed> text.

global# zoneadm -z <zonename> uninstall

global# zonecfg -z <zonename> delete

 Also, see the two chapters on installing and uninstalling zones at docs.sun.com. [August 2010]

Q: Is the maximum number of exclusive-IP zones limited to the number of physical ethernet
ports?

 A: No, if you use VLANs you can have one per VLAN per port. To use the same base ’bge0’ for multiple dhcp zones, in the
case of VLANs you would assign bge1000 to zoneA, bge2000 to zoneB, etc. The VNIC component of Crossbow allows multiple
virtual NICs on a port without any VLANs. You can try this out at Crossbow project.  [August 2010]

Q: Is it still necessary to set the NFSv4 domain parameter?

 A: The new keyword nfs4_domain was added to the sysidcfg file to allow "no-hands" reboot in SX CE and Solaris 10 8/07.
Q: How do I patch zones?

 A: See the Patching and Packaging sections in the guide at docs.sun.com. Note that a recent (2009) zones parallel patching
enhancement to the standard Solaris 10 patch utilities increases the patching tools performance on systems with multiple zones by
allowing parallel patching of the non-global zones. See "Zones Parallel Patching" on the Solaris Containers (Zones) page on
OTN: http://www.oracle.com/technetwork/systems/containers/index.html

Q: Can each container be a different Solaris patch level, so I can test patches in a "test"
container before applying them to a "production" container?

 A: There are two parts to the answer: 1) There is only one kernel running on the system, so all zones must be at the same patch
level with respect to the kernel and other Solaris system components. Such patches can only be applied from the global zone, and
they affect the global and all local zones equally. The KU is an example of such a patch.
 2) Software which is not part of Solaris can be patched on a per-zone basis. If the software can be installed in the non-global
zone then it must be patchable from the local zone as well, regardless of the zone type, whole-root or sparse-root.

Q: Can I move a zone from one computer/domain to another?

 A: Yes. See Migrating a Non-Global Zone to a Different Machine. For information on migrating a Solaris 8 or Solaris 9
container, see  System Administration Guide: Solaris 8 Containers and  System Administration Guide: Solaris 9 Containers.
 [August 2010]

Q: Is there a way to correlate audit records from multiple containers?

 A: Yes, the global zone sees all audit records. Each non-global zone only sees its own audit records.

Q: Can I add packages to just the global zone (for example, SRS netConnect)?

 A: Yes, use pgkadd -G. Note that if the SUNW_PKG_THISZONE package parameter is set to true, you do not have to use the
-G option. See packaging and patching chapters 
 [September 2010]

Q: Can I add a package to one non-global zone without adding it to the global zone?

 A: That depends on the settings used when the package was created. See the  Packaging sections at docs.sun.com.

Q: What commands don’t work, or behave differently, inside a zone?

 A: Most Unix commands and programs work correctly, without alteration or re-compilation. 
However, the implementation of the security isolation boundary limits the functionality of several system calls and libraries.
That, in turn, limits the functionality of several system commands. In other words, some Solaris commands behave differently
when run inside a zone, or do not work at all inside a zone.
 See the sections 6.1 System Calls, 6.2 Library Functions, 6.3 Commands, and 6.4 Device and Interface Special Files in
http://www.sun.com/bigadmin/features/articles/zones_partition.html#limitations.
 For information on the status of privileges in zones, see Table 26-1 Status of Privileges in Zones
 [November 2006]

Q: Do zones boot automatically, or must I boot each one manually every time the system
(re)boots?

 A: The zones autoboot property determines whether the zone is booted when the system boots. The global zone adminstrator can
set the autoboot property to "true" or "false." The zones service svc:/system/zones:default must also be enabled. [August 2010]

Q: Should I halt a system’s zones before applying patches?

 A: There is no need to do this. In fact, the package and patch tools will perform their operations on all zones that are running, as
well as all zones that are not currently running but are capable of being booted (e.g. they are at least in the "installed" state). The
running zones are operated on first, and then for each zone that is not running but can be booted, the zone is booted, the operation
is performed, and the zone is then halted.

Q: Where does a zone’s syslog output go?

 A: By default the syslog output from a zone goes only into the zone’s syslog file. If you would like the output to also appear in
the global zone’s log files, configure the non-global zone’s loghost to be the global zone.

Q: I removed a device from a zone, but it’s still there. Why, and how do I get rid of it?

 A: This bug (4963368) was corrected in Solaris 10 8/07. For release before that, the workaround is: after using zonecfg to
remove the device, manually remove the corresponding entry in {ZONEPATH}/dev.
 

Q: How do I upgrade a system with zones installed? Does Live Upgrade work?

 A: Information about how to upgrade your Solaris 10 system to a later release if you are running zones is available in the System
Administration Guide: Solaris Containers--Resource Management and Solaris Zones, Chapter 27 Upgrading a Solaris 10 System
That Has Installed Non-Global Zones.

 Full upgrade for a Solaris 10 system that has zones installed began in Solaris 10 8/07. You can use Solaris Live Upgrade, the
standard Solaris interactive installation program, or the custom JumpStart installation program to upgrade your Solaris system
with zones installed. See the installation documentation. Limited upgrade via standard upgrade with limitations and limited
JumpStart keywords was available in Solaris 10 11/06.

Solaris Release Traditional Upgrade w/ Zones Live Upgrade w/ Zones

Solaris 10 3/05 N/A N/A

Solaris 10 1/06 Yes No

Solaris 10 6/06 Yes No

Solaris 10 11/06 Yes* No

Solaris 10 8/07 onward Yes* Yes

o Note, however, that there are two limitations regarding the process of
upgrading Solaris 10 if there are zones that use ZFS or LOFS. Note that the
LOFS problem has been fixed in Solaris 10 8/07.

1. Solaris 10 6/06 supports the use of ZFS file systems. It is possible to install a
zone into a ZFS fs, but the installer/upgrader program does not yet understand
ZFS well enough to upgrade zones that ’live’ on a ZFS file system. Because
of this, upgrading a system that has a zone installed on a ZFS file system is
not yet supported.
2. If all non-global zones that are configured with "lofs" fs resources are
mounting directories that exist in the miniroot, the system can be upgraded
from a previous release of Solaris 10 to the Solaris 10 11/06 release using
standard upgrade. For example, a lofs mounted /opt directory presents no
issues for upgrade.
 However, if any of your non-global zones are configured with a non-standard
lofs mount, such as a lofs mounted /usr/local directory, the following error
message is displayed:

The zones upgrade failed and the system needs to be restored

from backup. More details can be found in the file
/var/sadm/install_data/upgrade_log on the upgrade root file
system.

The error message is incorrect: although this error message states that the system must be restored from backup, the system is
actually fine, and it can be upgraded successfully using the workaround.

Workaround:
1. Reboot your system with the installed OS.
2. Reconfigure the zones, removing the "fs" resources defined with a
type of "lofs."
3. After removing these resources, upgrade the system to Solaris 10 11/06.
4. Following the upgrade, you can again reconfigure your zones to
restore the additional "fs" resources that you removed.
 This problem is being tracked as CR 6454140: "Zones With an "fs" Resource Defined With a Type of "lofs" Cannot Be
Upgraded to Solaris 10 11/06" and is also described in the Solaris 10 11/06 Release Notes.
 [November 2006]

Q: Are there any special guidelines for using Live Upgrade with zones?

 A: There are a number of considerations when using Live Upgrade (LU) on a system with zones installed. It is critical to avoid
zone state transitions during lucreate and lumount operations.

o When you lucreate an alternate boot environment (ABE), if a zone is not

running, then it cannot be booted until the lucreate has completed.
o When you lucreate an ABE, if a zone is running, it should not be halted or
rebooted until the lucreate has completed.
o When an ABE is lumounted, you cannot boot zones or reboot them, although
zones that were running before the lumount can continue to run.

 Because a non-global zone can be controlled by a non-global zone administrator as well as the global zone administrator, it is
best to have all zones halted during lucreate or lumount.

 It is important to note that when LU operations are underway, non-global zone administrator involvement is critical. The
upgrade affects their work as administrators, and they will be dealing with the changes that occur as a result of the upgrade. They
should make sure that any local packages are stable throughout the sequence, handle any post-upgrade tasks (such as
configuration file tweaking), and generally schedule around the system outage.

 Here is an example of a problem that could occur if these guidelines are not followed. If this sequence of actions takes place:

1. In global zone: lucreate -n new

2. In non-global zone: pkgadd FooBar
3. In global zone: luupgrade -n new, luactivate -n new, init 6

 When the system comes back up, the non-global zone users will notice that they no longer have the FooBar feature added by the
package.
 [January 2008]

Q: Are Solaris 10 zones configured on ZFS prior to the Solaris 10 10/08 release upgradeable
using Live Upgrade?

 A: Not yet, but it is being investigated. Live Upgrade can be used on Solaris 10 10/08 systems that have zones configured with
the zonepath on ZFS.
[November 2008]
Q: What is the default networking service configuration of a non-global zone when it is
installed?

 A: On Solaris 10 systems, the traditional open configuration is installed.

 You can switch the zone to either networking configuration by using the netservices command, or enable and disable specific
services by using SMF commands. [September 2006]

Q: Can the patch levels between a zone migrated to the target machine using update on attach
and a zone created on the target machine be different?

 A: Yes. It is normal and expected that a migrated zone and a newly installed zone would have different patches. The update on
attach feature looks at the zone you are migrating and determines which packages need to be updated to match the new host. Only
those packages are updated. By definition, the rest of the packages (with their patches) are allowed to vary from zone to zone.
You can think of this as setting up a number of zones and then, over time, the zone administrators for those zones install and
remove packages and apply different patch streams to the packages that they are allowed to change in their zones.
 The update on attach feature for zone migration was added in the Solaris 10 10/08 release.
 [August 2010]

Q: I tried to halt my zone but it is stuck in the 'shutting down' or 'down' state and won't halt.
What should I do?

 A: Collect a system dump and submit it to Oracle for analysis. You can reboot the global zone.
 [August 2010]
Back to Top 

Section 5: Security

Q: Can I access one zone from another zone?

 A: Only through IP connections, e.g. telnet, rlogin.

Q: Can I ’su’ from one zone to another?

 A: No, this would violate the security implementation of zones. In this context, think of zones as separate computers - you can’t
’su’ from one Unix computer to another.
 You can use the zlogin(1) command to login to a non-global zone from the global zone. You must have all privileges(5) to use
zlogin.

Q: Can I prevent the root account in one zone from affecting other zones?
 A: Because each container has its own namespace, each container has its own root account. Each zone’s root account is unable to
access other containers in any way.

Q: Can programs running in one zone change the operation of programs running in another
container?

 A: A great deal of design work was done to prevent containers from affecting each other. By default it is very difficult for one
local zone to affect another zone, but it is possible. It is also easy for the global zone administer to configure containers unsafely.
Consider these factors:

o First, there are no known methods for one user (even root) in one zone to
’break into’ another zone (global or non-global).
 However, a modern computer has many resources, some of them real, some
virtual. Denial of Service attacks often attempt to use all of the instances of a
virtual resource. One early attack on Unix systems was creating so many
processes that all of the PIDs were in use, preventing the creation of new
processes. There are now methods to prevent those attacks, and those
methods automatically apply, or have been applied to, zones. In some cases
the method of prevention includes the manual use of Solaris features, e.g.
projects.
o By default it is difficult to disrupt operation of zones. However, the global
zone administrator can make it easier for a non-global zone user to impact
operation of one or more other zones, even the global zone. Try to avoid
assigning disk devices directly to non-global zones: the root user of that zone
might be able to take advantage of this to cause a SCSI bus reset or even
panic the kernel. Also, avoid assigning the same device or file system to
multiple zones unless needed to achieve a specific goal. If that is necessary,
ensure that all of the software in those two zones will obey a synchronization
mechanism when using the device or file system.

Q: How do I prevent a ’fork bomb’ from affecting all of the zones?

 A: A ’fork bomb’ is a process which creates (forks) as many child processes as possible, attempting to use up all of the virtual
memory or PIDs in a system, resulting in a Denial of Service to other users. If you would like to prevent someone from doing this
in a non-global zone, add this to a zone’s configuration, using zonecfg(1M):

set max-lwps=1000

That will prevent a zone’s processes from having a total of more than 1000 LWPs simultaneously. [August 2010]

Back to Top 
Section 6: Application-specific Information

Q: Can Oracle use shared memory in a Container?

 A: In Solaris, Oracle uses ISM (Intimate Shared Memory) or DISM (Dynamic ISM). DISM is preferred because it provides more
flexibility.

ISM can be used in a Solaris Container, for any release of Solaris 10.

Because we keep improving Containers, there are slightly different answers to the question "can DISM be used," depending on
the particular release of Solaris 10.

1. Solaris 10 8/07 and newer: Yes, Oracle can use DISM in a Container.
Because the Solaris privilege ’proc_lock_memory’ is in a zone’s default set
of privileges, you should limit the amount of RAM that a particular zone can
lock. If you don’t do this, that zone could lock down enough memory that the
global zone - including platform management tools - cannot function
properly.
In Solaris 10 5/08 and later, you should set that limit with the following
command:

global# zonecfg -z myzone

add capped-memory
set locked=4g
end
exit

Note that common memory-size suffixes can be used: k or K (kilobytes), m or M (MB), g or G (GB), etc. See zonecfg(1M) for
more details.
In Solaris 10 8/07 you should set that limit with the following command:

global# zonecfg -z myzone

set max-locked-memory=4g
exit

2. Solaris 10 11/06: Yes, Oracle can use DISM in a Container. To enable the use of DISM, the global zone administrator must
add the privilege "proc_lock_memory" to the Container. To do this, use zonecfg(1M) to add the line

set limitpriv=default,proc_lock_memory

 to the Container’s configuration.

3. Solaris 10, Releases 3/05, 1/06, 6/06: A Container can only use ISM. It cannot use DISM. This is a side-effect of the
implementation of the security boundary which protects zones from each other.

 [September 2008]

Q: Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a Solaris Container?
 A: There are currently (June 2006) two distinct concerns regarding the use of FSS in a Container when running Oracle
databases:

1. In testing - Oracle processes use internal methods to prioritize themselves to

improve inefficiency. It is possible that these methods might not work well in
conjunction with the Solaris FSS. Although there are no known problems
with non-RAC configurations, Sun and Oracle are testing this type of
configuration to discover any negative interactions. This testing should be
completed soon.
2. It is not possible to use the Solaris FSS with Oracle RAC in a Container. A
Solaris patch is being tested that fixes this problem.

Q: Can I use Oracle RAC in a Container?

 A: This is really three questions: (1) does it work (2) in what configurations does Sun support the Solaris components (3) in what
configurations does Oracle support this? The short answers are:

1. Oracle RAC has been demonstrated consistently using the Solaris OS, the
Solaris Zones Cluster feature of Solaris Cluster software and Oracle RAC
2. Sun supports ’Solaris Zone Clusters" using Solaris Cluster
3. only Oracle can determine the level of support available for Oracle RAC in
Solaris Zones Clusters.

 The Sun BluePrint "Deploying Oracle Real Application Clusters (RAC) on Solaris Zone Clusters" describes the installation and
use of Oracle RAC in Solaris Zone Clusters. [May 2009]

Q: Are there any third-party documents that address using applications with zones?

 A: Yes. To use Veritas Volume Manager Volumes from non-global zones, see this document.

 Sun is not responsible for the availability of third-party web sites mentioned in this FAQ. Sun does not endorse and is not
responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or
resources.

Back to Top 

Section 7: Other Server Virtualization Solutions

Q: What are zone’s strengths compared to other server virtualization solutions?

 A: Solaris Zones have many strengths relative to other server virtualization solutions, including:
 o Cost: zones are a feature of the operating system. There is no extra charge for
using them.
o Integration: Zones are integrated into the operating system, providing
seamless functionality and a smooth upgrade path.
o Portability: Zones are not tied to any one hardware platform. As a device-
independent feature set of OpenSolaris, their functionality is exactly the same
on all hardware to which OpenSolaris has been ported.
o Observability: The Global Zone has visibility into all activity in all zones,
including viewing process and network activity, system-wide accounting and
auditing, etc. This makes it possible to find performance problems and
resolve inter-zone conflicts, both of which are extremely difficult problems
on most other SV solutions. It is even possible to re-host applications
typically found on different systems (e.g. web server and app server) on
different zones in the same system, and then use DTrace to analyze their
interactions.
o Manageability: You can manage all of the zones on one system as one
collection, rather than as separate servers. This includes adding packages and
patches once per system, not once per zone.
o Sun Dynamic System Domains

Q: Are containers like VMware?

 A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the basic model is
different: Containers form isolated application environments that share one OS instance, while VMware hosts multiple OS
instances. The differences also include:

o Containers are only available for Solaris 10 and SX Nevada. VMware

supports Solaris, Microsoft Windows and Linux clients, simultaneously.
o VMware uses a great deal of CPU capacity managing the multiple
environments. CPU overhead of containers is hardly measurable (typically
<1%) for a few zones or even dozens of zones, depending somewhat on the
applications.
o Containers do not have any financial cost beyond Solaris license and/or
support costs. VMware for production environments costs thousands of
dollars, and a license is necessary for each Windows or RH instance hosted
on top of VMware.

Q: Are containers like HP vPars or nPars?

 A: Containers are not similar to either except in purpose: server consolidation. However, the differences include:

o HP nPars and Sun’s Dynamic System Domains are similar in that both
provide complete isolation of data, applications, and programs. A complete
comparison of Domains and nPars is outside the scope of this document.
 o vPars are HP’s "soft" partitioning technology. vPars and Containers each
enable multiple applications to co-exist in a set of hardware resources with
some degree of isolation.
o Each vPar is its own instance of an operating system, and must be managed
separately. Each container is a virtual instance of Solaris, but there is only one
copy of Solaris to maintain.
o Containers are only available for Solaris 10. vPars only support HP-UX
(versions ??).
o All vPars share the same root password. Someone who gains root access in
one vPar can do anything to any vPar. Conversely, each Solaris Container has
its own namespace, including its own root account. Someone who gains root
access in one container can damage that container (unless privileges have
been removed) but cannot cause any damage to any other container, including
the global container. However, keep in mind that if a vPar or Container is
configured poorly, the potential for inter-partition damage is increased.

Q: Are containers like IBM Micro-Partitions?

 A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the differences include:

o Containers are only available for Solaris 10. MicroPars only support AIX 5.3,
RH.
o Each MicroPartition requires a separate license to run an operating system.
There is a cost associated with each AIX license.
o Containers have almost no overhead, i.e. running 10 applications in 10
Containers is only slightly less efficient than running those 10 applications in
a non-zoned system. The difference is typically <1%. MicroPartitions are
inefficient and have high overhead. According to IBM documentation, 10
MicroPartitions can have a compute overhead of 35%, in addition to the
application workload.
o Containers and MicroPartitions can share I/O resources, but the
implementation is different. MicroPars that want to share an I/O connector
must use an LPAR dedicated to the multiplexing of I/O. This LPAR has extra
costs associated with it: one or more additional Power processors, another
AIX license, etc. [Updated July 2005]

Q: Are containers like Linux vServers?

 A: The basic model used to implement the Solaris 10 Containers feature set and the Linux vServers project are fairly similar.
However, the implementation is different. (More coming soon!) [Updated August 2005]

Back to Top 

Section 8: Zones in OpenSolaris

Q: How are zones different on OpenSolaris 2009.06?

 A:

o The ipkg brand is the default instead of the native brand

o Are whole-root type only; inherit-pkg-dir should not be used
o Have different software management related functionality
o IPS vs SVr4 packaging
o install, detach/attach, p2v
 For attach, you currently have to manually set up the correct dataset
hierarchy, which might cause problems if Not done correctly. Also,
dry-run doesn’t work yet. Engineering is currently fixing these
problems.
o Have different global zone software operations: employ manual syncing, not
patching. Currently, the zones don’t automatically update when you pkg
image-update the system. You must manually update the zones after
rebooting to keep them in sync with the global zone.
o Use boot environments instead of LU
o Integrated with beadm
o Zone root is a dataset
o Host identifiers (hostids) can be emulated on a per-zone basis; see
zonecfg(1M)). (Also available in the community release beginning with
snv_108.)
o Zone software is minimized to start; any additional packages the zone needs
must be added
o Must be on net to install zone; install is from the OpenSolaris Packaging
Repository

 Note that pkg_image-update is not fully supported. You can use detach and attach -u as a workaround. Detach the zone before
running pkg_image-update, and use attach -u after running pkg_image-update. [Added June 2009]

Q: Why are zones so different on OpenSolaris?

 A: IPS is a new model for software management, and zones have to change to utilize this model.[Added June 2009]

Q: Why can’t I use sparse root zones?

 A: The sparse root type of zone describes a fundamental interaction between zones and the package management system, and
IPS doesn’t support this concept. BUT, we’re working on providing the positive attributes of sparse root zones in different ways:

o reduced memory footprint

o reduced disk footprint
o centralized control of zone’s software
 o security due to read-only mounts
o faster install/upgrade times
o fewer bits to migrate across systems

 [Added June 2009]

Q: Are zones on OpenSolaris done? Will zones continue to look like they do on 2009.06?

 A: No, zones are a work in progress and things will continue to evolve as development continues. [Added June 2009]

Q: How do I control what software is installed in the zone?

 A: Use the -e option to zoneadm install. [Added June 2009]

Q: Why is zone root its own dataset?

 A: Eventually, we want to support beadm inside zones for pkg_image-update, just as you can do in the global zone. To
accomplish this, the zone’s root dataset must be controlled inside the zone. [Added June 2009]

Q: Why isn’t the zone root available when the zone is halted? How do I set up the zone’s
sysidcfg file?

 A: Ready the zone, which will mount the correct zone root dataset. [Added June 2009]

Q: I created a zone in OpenSolaris 2009.06, and tried to add an /etc/sysidcfg file - but
<zonepath>/root/etc doesn't exist! Where did it go?

 A: OpenSolaris zones are a little different from Solaris 10 zones. When a zone is in the 'installed' state, its ZFS file system is not
mounted. To mount the zone's root file system before booting the zone, use this command: 

global# zoneadm -z <zonename> ready

Then edit <zonepath>/root/etc/sysidcfg. After that, you can finish booting the zone. If the sysidcfg file was correct, configuration
questions will not be sent to the zone's console, and it will complete the boot process.

Q: Can I continue to use zones created on OpenSolaris 2008.05?

 A: No, existing zones from this release cannot be used. [Added June 2009]

Back to Top 
Section 9: Common but Non-Obvious Problems

Q: I created a zone and booted it, but it doesn’t work. What should I do?

 A: The most common problem is that the zone doesn’t have its system identification information yet. You can determine if this
is the problem by running "ps -fz " in the global zone. If the output only shows zsched, init, and a (3-6) processes related to SMF
(/lib/svc/..., /usr/sbin/svccfg) then system identification is not complete. To complete this, attach to the zone’s console by running
"zlogin -C " in the global zone, pressing  once, and following the instructions. [March 2006]

Q: I added some privileges to a user in a zone, and now the user can’t login. What should I do?

 A: This resulted from a bug that was fixed in Solaris Express 4/06. It will be corrected in Solaris 10 11/06 as well.
 Updated information on privileges and zones has been added to the System Administration Guide: Solaris Containers--Resource
Management and Solaris Zones. See documentation for a list of the Solaris privileges and the status of each privilege with respect
to zones. To alter privileges in zones, use the limitpriv property in zonecfg. [September 2006]

Q: I tried to upgrade to Solaris 10 11/06 and it told me the upgrade failed and I need to restore
from backup. Now what?

 A: Although this error message states that the system must be restored from backup, the system is actually fine, and it can be
upgraded successfully. See "How do I upgrade a system with zones installed? Does Live Upgrade work?" for more information
and a workaround you can use to upgrade your system.

Back to Top 

Tags:
Created by admin on 2009/10/26 12:11