| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management Oracle Solaris 11.1 Information Library |
Part I Oracle Solaris Resource Management
1. Introduction to Resource Management
2. Projects and Tasks (Overview)
3. Administering Projects and Tasks
4. Extended Accounting (Overview)
5. Administering Extended Accounting (Tasks)
6. Resource Controls (Overview)
7. Administering Resource Controls (Tasks)
8. Fair Share Scheduler (Overview)
9. Administering the Fair Share Scheduler (Tasks)
10. Physical Memory Control Using the Resource Capping Daemon (Overview)
11. Administering the Resource Capping Daemon (Tasks)
13. Creating and Administering Resource Pools (Tasks)
14. Resource Management Configuration Example
15. Introduction to Oracle Solaris Zones
16. Non-Global Zone Configuration (Overview)
17. Planning and Configuring Non-Global Zones (Tasks)
18. About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)
19. Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)
20. Non-Global Zone Login (Overview)
21. Logging In to Non-Global Zones (Tasks)
22. About Zone Migrations and the zonep2vchk Tool
23. Migrating Oracle Solaris Systems and Migrating Non-Global Zones (Tasks)
24. About Automatic Installation and Packages on an Oracle Solaris 11.1 System With Zones Installed
25. Oracle Solaris Zones Administration (Overview)
Global Zone Visibility and Access
Process ID Visibility in Zones
Reporting Active Zone Statistics with the zonestat Utility
Monitoring Non-Global Zones Using the fsstat Utility
Running an NFS Server in a Zone
File Systems and Non-Global Zones
Mounting File Systems in Zones
Unmounting File Systems in Zones
Security Restrictions and File System Behavior
Non-Global Zones as NFS Clients
Use of mknod Prohibited in a Zone
Restriction on Accessing A Non-Global Zone From the Global Zone
Networking in Shared-IP Non-Global Zones
IP Traffic Between Shared-IP Zones on the Same Machine
Networking in Exclusive-IP Non-Global Zones
Exclusive-IP Zone Partitioning
Exclusive-IP Data-Link Interfaces
IP Traffic Between Exclusive-IP Zones on the Same Machine
Oracle Solaris IP Filter in Exclusive-IP Zones
IP Network Multipathing in Exclusive-IP Zones
Device Use in Non-Global Zones
/dev and the /devices Namespace
Utilities That Do Not Work or Are Modified in Non-Global Zones
Utilities That Do Not Work in Non-Global Zones
SPARC: Utility Modified for Use in a Non-Global Zone
Allowed Utilities With Security Implications
Running Applications in Non-Global Zones
Resource Controls Used in Non-Global Zones
Fair Share Scheduler on a System With Zones Installed
FSS Share Division in a Global or Non-Global Zone
Extended Accounting on a System With Zones Installed
Privileges in a Non-Global Zone
Using IP Security Architecture in Zones
IP Security Architecture in Shared-IP Zones
IP Security Architecture in Exclusive-IP Zones
Using Oracle Solaris Auditing in Zones
Running DTrace in a Non-Global Zone
About Backing Up an Oracle Solaris System With Zones Installed
Backing Up Loopback File System Directories
Backing Up Your System From the Global Zone
Backing Up Individual Non-Global Zones on Your System
Creating Oracle Solaris ZFS Backups
Determining What to Back Up in Non-Global Zones
Backing Up Application Data Only
General Database Backup Operations
About Restoring Non-Global Zones
Commands Used on a System With Zones Installed
26. Administering Oracle Solaris Zones (Tasks)
27. Configuring and Administering Immutable Zones
28. Troubleshooting Miscellaneous Oracle Solaris Zones Problems
Part III Oracle Solaris 10 Zones
29. Introduction to Oracle Solaris 10 Zones
30. Assessing an Oracle Solaris 10 System and Creating an Archive
31. (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone
32. Configuring the solaris10 Branded Zone
33. Installing the solaris10 Branded Zone
On an Oracle Solaris system with zones installed, the zones can communicate with each other over the network. The zones all have separate bindings, or connections, and the zones can all run their own server daemons. These daemons can listen on the same port numbers without any conflict. The IP stack resolves conflicts by considering the IP addresses for incoming connections. The IP addresses identify the zone.
To use the shared-IP type, networking configuration in the global zone must be done through ipadm, not automatic network configuration. The following command should return DefaultFixed if ipadm is in use.
# svcprop -p netcfg/active_ncp svc:/network/physical:default DefaultFixed
Shared-IP is not the default, but this type is supported.
The IP stack in a system supporting zones implements the separation of network traffic between zones. Applications that receive IP traffic can only receive traffic sent to the same zone.
Each logical interface on the system belongs to a specific zone, the global zone by default. Logical network interfaces assigned to zones though the zonecfg utility are used to communicate over the network. Each stream and connection belongs to the zone of the process that opened it.
Bindings between upper-layer streams and logical interfaces are restricted. A stream can only establish bindings to logical interfaces in the same zone. Likewise, packets from a logical interface can only be passed to upper-layer streams in the same zone as the logical interface.
Each zone has its own set of binds. Each zone can be running the same application listening on the same port number without binds failing because the address is already in use. Each zone can run its own version of various networking service such as the followings:
Internet services daemon with a full configuration file (see the inetd(1M) man page)
sendmail (see the sendmail(1M) man page)
apache
Zones other than the global zone have restricted access to the network. The standard TCP and UDP socket interfaces are available, but SOCK_RAW socket interfaces are restricted to Internet Control Message Protocol (ICMP). ICMP is necessary for detecting and reporting network error conditions or using the ping command.
Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone. Zone network interfaces configured by zonecfg will automatically be set up and placed in the zone when it is booted. The ipadm command can be used to add or remove logical interfaces when the zone is running. Only the global administrator or a user granted the appropriate authorizations can modify the interface configuration and the network routes.
Within a non-global zone, only that zone's interfaces are visible to the ipadm command.
For more information, see the ipadm(1M) and if_tcp(7P) man pages.
A shared-IP zone can reach any given IP destination if there is a usable route for that destination in its forwarding table. To view the forwarding table, use the netstat command with the -r option from within the zone. The IP forwarding rules are the same for IP destinations in other zones or on other systems.
Oracle Solaris IP Filter provides stateful packet filtering and network address translation (NAT). A stateful packet filter can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. Oracle Solaris IP Filter also includes stateless packet filtering and the ability to create and manage address pools. See Chapter 4, IP Filter in Oracle Solaris (Overview), in Securing the Network in Oracle Solaris 11.1 for additional information.
Oracle Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in Chapter 5, IP Filter (Tasks), in Securing the Network in Oracle Solaris 11.1.
Oracle Solaris IP Filter is derived from open source IP Filter software.
IP network multipathing (IPMP) provides physical interface failure detection and transparent network access failover for a system with multiple interfaces on the same IP link. IPMP also provides load spreading of packets for systems with multiple interfaces.
All network configuration is done in the global zone. You can configure IPMP in the global zone, then extend the functionality to non-global zones. The functionality is extended by placing the zone's address in an IPMP group when you configure the zone. Then, if one of the interfaces in the global zone fails, the non-global zone addresses will migrate to another network interface card.
In a given non-global zone, only the interfaces associated with the zone are visible through the ipadm command.
See How to Extend IP Network Multipathing Functionality to Shared-IP Non-Global Zones. The zones configuration procedure is covered in How to Configure the Zone. For information on IPMP features, components, and usage, see Chapter 5, Introduction to IPMP, in Managing Oracle Solaris 11.1 Network Performance.
|