solaris zones

Published by: tashtiot on Jun 21, 2009
Originally, Solaris Zones supported what is now called shared IP networking. In the shared IP model, each non-global zone is assigned its own IP address(es). However, the rest of the TCP/IP infrastructure is managed by the global zone and shared across all zones on the system. Each shared IP zone can have a process listening on a given TCP or User Datagram Protocol (UDP) port because each shared IP zone has distinct IP addresses, allowing traffic to be dispatched to the correct zone.

The Solaris 10 OS 8/07 release introduced the exclusive IP model. In this model, zones have separate IP instances, and separation reaches down to the data link layer. The global administrator assigns one or more data link names, which can be a network interface card (NIC) or a virtual LAN (VLAN) on a NIC, to an exclusive IP zone. The zone administrator can configure IP on those data links with the same flexibility and options as in the global zone.

The zonecfg command can be used to determine whether a zone is using shared or exclusive IP. The command reports either shared or exclusive depending on the configuration of the zone. While a number of factors drive the decision toward either shared or exclusive IP configurations, it is important to understand a few of the security tradeoffs of these models.

web# rm /dev/zero
rm: /dev/zero not removed: Operation not supported

web# mount -F nfs nfs_server:/tmp/dev /mnt

web$ ls -l /mnt
total 0
crw-r--r-- 1 root root 13, 1 Aug 11 10:38 kmem

web$ mount -p | grep tmp/dev
nfs_server:/tmp/dev - /mnt nfs - no rw,nodevices,xattr,zone=web
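Two checks described above, the zonecfg report of a zone's IP type and the nodevices option that mount -p shows on the zone's NFS mount, as added POSIX shell helpers that are not part of the Sun paper. The sample zonecfg and mount -p output is constructed (the /data mount lacking nodevices is a hypothetical misconfiguration) so the script runs offline; on a live system pipe the real command output in instead.

```shell
#!/bin/sh
# Added example, not the paper's own code. Both helpers read command output
# from stdin, so on a live system use:
#   zonecfg -z <zone> info ip-type | zone_ip_type
#   mount -p | mounts_without_nodevices <zone>

# Print "shared" or "exclusive" from "zonecfg -z ZONE info ip-type" output,
# or "unknown" when no ip-type line is present.
zone_ip_type() {
    awk -F': *' '$1 == "ip-type" { print $2; found = 1 }
                 END { if (!found) print "unknown" }'
}

# From "mount -p" output (vfstab format: special, fsck device, mount point,
# fstype, fsck pass, mount at boot, options) print every mount point that is
# tagged zone=ZONE but was not mounted with nodevices, i.e. a file system on
# which device special files inside that zone would still be honoured.
mounts_without_nodevices() {
    zone="$1"
    awk -v zone="$zone" '
        NF >= 7 {
            n = split($7, opt, ",")        # options are comma separated
            inzone = 0; nodev = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == ("zone=" zone)) inzone = 1
                if (opt[i] == "nodevices")    nodev = 1
            }
            if (inzone && !nodev) print $3
        }'
}

# Constructed sample output: the first line mirrors the session above, the
# second is a hypothetical mount that was made without nodevices, the third
# is a global-zone root file system (no zone= option).
SAMPLE_ZONECFG='ip-type: shared'
SAMPLE_MOUNTS='nfs_server:/tmp/dev - /mnt nfs - no rw,nodevices,xattr,zone=web
nfs_server:/export/data - /data nfs - no rw,xattr,zone=web
/dev/dsk/c0t0d0s0 - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic'

echo "zone web ip-type: $(printf '%s\n' "$SAMPLE_ZONECFG" | zone_ip_type)"
echo "zone web mounts lacking nodevices:"
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nodevices web
```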


Understanding the Security Capabilities of Solaris Zones Software

Sun Microsystems, Inc.

