System Administration Guide: Virtualization Using the Solaris Operating System
Previous Next

Document Information

Preface

Solaris Virtualization Product Overview

Part I Resource Management

1.  Introduction to Solaris Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

15.  Resource Control Functionality in the Solaris Management Console

Part II Zones

16.  Introduction to Solaris Zones

17.  Non-Global Zone Configuration (Overview)

18.  Planning and Configuring Non-Global Zones (Tasks)

19.  About Installing, Halting, Cloning, and Uninstalling Non-Global Zones (Overview)

20.  Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

21.  Non-Global Zone Login (Overview)

22.  Logging In to Non-Global Zones (Tasks)

23.  Moving and Migrating Non-Global Zones (Tasks)

24.  About Packages and Patches on a Solaris System With Zones Installed (Overview)

25.  Adding and Removing Packages and Patches on a Solaris System With Zones Installed (Tasks)

26.  Solaris Zones Administration (Overview)

Global Zone Visibility and Access

Process ID Visibility in Zones

System Observability in Zones

Non-Global Zone Node Name

File Systems and Non-Global Zones

Networking in Shared-IP Non-Global Zones

Networking in Exclusive-IP Non-Global Zones

Device Use in Non-Global Zones

Running Applications in Non-Global Zones

Resource Controls Used in Non-Global Zones

Fair Share Scheduler on a Solaris System With Zones Installed

Extended Accounting on a Solaris System With Zones Installed

Privileges in a Non-Global Zone

Using IP Security Architecture in Zones

Using Solaris Auditing in Zones

Core Files in Zones

Running DTrace in a Non-Global Zone

About Backing Up a Solaris System With Zones Installed

Determining What to Back Up in Non-Global Zones

About Restoring Non-Global Zones

Commands Used on a Solaris System With Zones Installed

27.  Administering Solaris Zones (Tasks)

28.  Troubleshooting Miscellaneous Solaris Zones Problems

Part III Branded Zones

29.  About Branded Zones and the Linux Branded Zone

30.  Planning the lx Branded Zone Configuration (Overview)

31.  Configuring the lx Branded Zone (Tasks)

32.  About Installing, Booting, Halting, Cloning, and Uninstalling lx Branded Zones (Overview)

33.  Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks)

34.  Logging In to lx Branded Zones (Tasks)

35.  Moving and Migrating lx Branded Zones (Tasks)

36.  Administering and Running Applications in lx Branded Zones (Tasks)

Part IV Sun xVM

37.  Sun xVM Hypervisor System Requirements

38.  Booting and Running the Sun xVM Hypervisor

39.  Xvnc

40.  Using virt-install to Install a Domain

41.  xVM System Administration

42.  Troubleshooting Miscellaneous Sun xVM Problems

Glossary

Index

Device Use in Non-Global Zones

The set of devices available within a zone is restricted to prevent a process in one zone from interfering with processes running in other zones. For example, a process in a zone cannot modify kernel memory or modify the contents of the root disk. Thus, by default, only certain pseudo-devices that are considered safe for use in a zone are available. Additional devices can be made available within specific zones by using the zonecfg utility.

/dev and the /devices Namespace

The devfs file system described in the devfs(7FS) man page is used by the Solaris system to manage /devices. Each element in this namespace represents the physical path to a hardware device, pseudo-device, or nexus device. The namespace is a reflection of the device tree. As such, the file system is populated by a hierarchy of directories and device special files.

Devices are grouped according to the relative /dev hierarchy. For example, all of the devices under /dev in the global zone are grouped as global zone devices. For a non-global zone, the devices are grouped in a /dev directory under the zone's root path. Each group is a mounted /dev file system instance that is mounted under the /dev directory. Thus, the global zone devices are mounted under /dev, while the devices for a non-global zone named my-zone are mounted under /my-zone_rootpath/dev.

The /dev file hierarchy is managed by the dev file system described in the dev(7FS) man page.

Caution - Subsystems that rely on /devices path names are not able to run in non-global zones. The subsystems must be updated to use /dev path names.

Exclusive-Use Devices

You might have devices that you want to assign to specific zones. Allowing unprivileged users to access block devices could permit those devices to be used to cause system panic, bus resets, or other adverse effects. Before making such assignments, consider the following issues:

  • Before assigning a SCSI tape device to a specific zone, consult the sgen(7D) man page.

  • Placing a physical device into more than one zone can create a covert channel between zones. Global zone applications that use such a device risk the possibility of compromised data or data corruption by a non-global zone.

Device Driver Administration

In a non-global zone, you can use the modinfo command described in the modinfo(1M) man page to examine the list of loaded kernel modules.

Most operations concerning kernel, device, and platform management will not work inside a non-global zone because modifying platform hardware configurations violates the zone security model. These operations include the following:

  • Adding and removing drivers

  • Explicitly loading and unloading kernel modules

  • Initiating dynamic reconfiguration (DR) operations

  • Using facilities that affect the state of the physical platform

Utilities That Do Not Work or Are Modified in Non-Global Zones

Utilities That Do Not Work in Non-Global Zones

The following utilities do not work in a zone because they rely on devices that are not normally available:

SPARC: Utility Modified for Use in a Non-Global Zone

The eeprom utility can be used in a zone to view settings. The utility cannot be used to change settings. For more information, see the eeprom(1M) and openprom(7D) man pages.
Previous Next