=Zones and Containers FAQ

//Last Updated: October 2009
Maintained by Jeff Victor, Penny Cotten, et al.
Dozens of contributors//

This page is a list of Questions, some Frequently Asked, some Not So. It also includes Frequently Requested Web Links. It is intended for use by anyone interested in learning more about Solaris 10 Zones/Containers.

If you would like to provide feedback on this FAQ, please send it to zones-discuss AT opensolaris DOT org.

A date appearing after an answer gives the most recent date on which the answer was updated. Answers with old dates, or no date at all, might not provide the most recent information. All answers without dates were current on June 14, 2005.

=====Topics in this FAQ
{{toc start="3" depth="3" numbered="false" scope="page"/}}

==Questions:
{{toc start="3" depth="4" numbered="false" scope="page"/}}

==Answers:

===Section 1: Basics

==== //**Q:** What is a zone?//

**A:** A zone is a virtual operating system abstraction that provides a protected environment in which applications run. The applications are protected from each other to provide software fault isolation. To ease the labor of managing multiple applications and their environments, they co-exist within one operating system instance, and are usually managed as one entity.

==== //**Q:** What is a container?//

**A:** A zone which also uses the operating system's resource management facility is then called a container. Many people use the two words "zone" and "container" interchangeably.

==== //**Q:** What types of zones are available?//

**A:** It is possible to create non-global zones that run the same OS as the global zone, which is the OS running on the system. It is also possible to create a non-global zone that runs a different operating environment from the global zone.
The branded zone (BrandZ) framework extends the Solaris Zones infrastructure to include the creation of brands that contain alternative sets of runtime behaviors. The following types of non-global zones are available:

* **native**:
The default SX CE and Solaris 10 non-global zone is the native zone. It has the same characteristics as the Solaris 10 Operating System or SX release that is running in the global zone.
If you have configured your system with Solaris Trusted Extensions, each non-global zone is associated with a level of security, or label. Labeled zones can be configured starting with the Solaris 10 11/06 release. For more information, see [[Solaris Trusted Extensions Installation and Configuration>>http://docs.sun.com/doc/819-0867/]].
* **ipkg**:
The ipkg non-global zone is the default on the OpenSolaris release. It has the same characteristics as the OpenSolaris release that is running in the global zone.
* **Branded zones that run an environment different than the OS release on the system**
** The lx branded zone introduced in the SX DE and Solaris 10 8/07 releases provides a Linux environment for your applications and runs on x86 and x64 machines. For more information, visit the [[OpenSolaris Community: BrandZ>>Community Group brandz.WebHome]].
** The solaris8 and solaris9 branded zones enable you to migrate a Solaris 8 or Solaris 9 system to a Solaris 8 or Solaris 9 container on a host running the Solaris 10 8/07 Operating System or later S10 release. The solaris8 zone is an environment for Solaris 8 applications on SPARC machines. The solaris9 zone is an environment for Solaris 9 applications on SPARC machines. Now named Solaris 8 Containers and Solaris 9 Containers, this product was introduced through Solaris 8 Migration Assistant 1.0 on October 22, 2007. For more information, see [[System Administration Guide: Solaris 8 Containers>>http://docs.sun.com/doc/820-2914/]] and [[System Administration Guide: Solaris 9 Containers>>http://docs.sun.com/doc/820-4490/]]. To download, go to [[Solaris Containers>>http://www.sun.com/software/solaris/containers/]]. [May 2008]
** The Solaris 10 Container is available on OpenSolaris and SX CE as of build 127. These branded zones host Solaris 10 user environments.

==== //**Q:** What is a global zone? Sparse-root zone? Whole-root zone? Local zone?//

**A:** After installing Solaris 10 on a system, but before creating any zones, all processes run in the global zone. After you create a zone, it has processes that are associated with that zone and no other zone. Any process created by a process in a non-global zone is also associated with that non-global zone.

Any zone which is not the global zone is called a non-global zone. Some people call non-global zones simply "zones." Others call them "local zones" but this is discouraged.

The default native zone filesystem model is called "sparse-root." This model emphasizes efficiency at the cost of some configuration flexibility. Sparse-root zones optimize physical memory and disk space usage by sharing some directories, like /usr and /lib. Sparse-root zones have their own private file areas for directories like /etc and /var. Whole-root zones increase configuration flexibility but increase resource usage. They do not use shared filesystems for /usr, /lib, and a few others.
There is no supported way to convert an existing sparse-root zone to a whole-root zone. Creating a new zone is required.

==== //**Q:** Can I create a zone which shares ("inherits") some, but not all of /usr, /lib, /platform, /sbin?//

**A:** The original design of Solaris Containers assumes that those four directories are either all shared ("inherited") or all not shared.
Sharing some and not others will lead to undefined and/or unpredictable behavior.

==== //**Q:** How do I get zones or containers?//

**A:** Operating systems based on the OpenSolaris code base may elect to include support for zones. Sun provides Solaris 10 and Solaris Express, each of which includes complete support for Zones.

==== //**Q:** What hardware can utilize zones or containers?//

**A:** Zones and resource management are software features of OpenSolaris, and by extension, Solaris and other operating systems based on OpenSolaris. As software features, they do not depend upon any specific hardware platform. Any hardware that runs OpenSolaris or one of its distros, e.g. Solaris 10, will be able to have these features.

==== //**Q:** Will my software run in a zone or container?//

**A:** Most Solaris software will run unmodified in a zone, without needing to re-compile. Unprivileged software (programs that do not run as root nor with specific privileges) typically runs unmodified in a zone once it can be successfully installed. Installation software must not assume that it can write into shared, read-only filesystems, e.g. /usr. This can be circumvented by adding a writable filesystem to the zone (e.g. at /usr/local) or using a whole-root zone.
However, there are a few applications which need non-default privileges to run - privileges not normally available in a zone, such as the ability to set the system's time-of-day clock. For these situations, the feature named "configurable privileges" has been added. This feature allows the global zone administrator - the person who manages zones on a system - to assign additional, non-default privileges to a zone. The zone's administrator can then allow individual users to use those non-default privileges.
An application that requires privileges which cannot be added to a zone may need modification to run properly in a zone.
Here are some guidelines:
* An application that accesses the network and files, and performs no other I/O, should work correctly.
* Applications which require direct access to certain devices, e.g., a disk partition, will usually work if the zone is configured correctly. However, in some cases this may increase security risks.
* Applications which require **direct** access to these devices must be modified to work correctly:
** /dev/kmem
** a network device
**1. Starting with OpenSolaris build 37 and Solaris 10 8/07, a zone can be configured as an "exclusive-IP zone" which gives it exclusive access to the NIC(s) that the zone has been assigned. Applications in such a zone can communicate directly with the NIC(s) available to the zone.
**1. Applications running in shared-IP zones should instead use one of the many IP services.

For more details, read the white paper "[[Bringing Your Application Into the Zone>>http://developers.sun.com/solaris/articles/application_in_zone.html]]". Note that changes have been made to privileges, IP types, and other areas used with zones since this paper was published. For current information, also see the [[administration guide>>http://docs.sun.com/app/docs/doc/819-2450]]. //[November 2007]//

==== //**Q:** How can I test my software for use in a container?//

**A:** See the document "[[Qualification Best Practices for Application Support in Non-Global Zones>>http://developers.sun.com/solaris/articles/zone_app_qualif.html]]". [//March 2006//]

==== //**Q:** What applications are certified to run in zones or containers?//

**A:** Supportability of an application running in a container is evaluated by the ISV. Some software vendors treat Zones as just another feature set of Solaris, and do not feel a need to specifically certify their software to use zones. Others have specifically certified their software to use zones.
Applications which have been reported to be officially supported include those in the following list. For more details see the section "[[Application-specific Information>>#app]]"
* [[BEA WebLogic Server 8.1 SP4>>http://e-docs.bea.com/platform/suppconfigs/configs81/solaris10_sparc/81sp4.html]]
* [[Veritas Storage Foundation 5.0 (MP3)>>http://seer.entsupport.symantec.com/docs/285063.htm]]
* [[Oracle's pricing policy regarding containers>>http://www.oracle.com/corporate/pricing/partitioning.pdf]]
* [[Veritas NetBackup 5.0 (MP4) and 5.1 (MP2)>>http://seer.support.veritas.com/docs/275107.htm]]
* [[Sun N1 Grid Engine 6 (Update 4)>>http://www.sun.com/software/gridware]]
* CA Ingres
* IBM DB2 8.2
* IBM Websphere
* Oracle TimesTen
* Oracle Ebusiness Suite 11
* SAP R/3
* Veritas VCS - see "[[Implementing Solaris Zones with Veritas Cluster Server by Symantec>>http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_implementing_solaris_zones_06-2007.en-us.pdf]]"

==== //**Q:** How can I use the Solaris "Explorer" program to collect information on my zone(s)?//

**A:** Explorer 5.0 can be run on Solaris 10 in a global zone. It can be used to collect information on containers (non-global zones) with the -w option.

==== //**Q:** What changes have happened to zones since it was first released?//

**A:** See the OpenSolaris [[project page>>Community Group zones.zones_design_docs]] for changes made since the initial release. [September 2006]

==== //**Q:** What features are new in Solaris 10 10/08?//

**A:** New features include the following:
1. Support has been added for using ZFS clones when cloning a zone. If the source and the target zonepaths reside on ZFS and both are in the same pool, a snapshot of the source zonepath is taken and zoneadm clone uses ZFS to clone the zone. You can still specify that a ZFS zonepath be copied instead. If neither the source nor the target zonepath is on ZFS, or if one is on ZFS and the other is not on ZFS, the clone process uses the existing copy technique. In all cases, the system copies the data from a source zonepath to a target zonepath if using a ZFS clone is not possible.
1. A new -b option to zoneadm attach has also been added. Use this option to specify official or Interim Diagnostics Relief (IDR) patches to be backed out of a zone during the attach. This option applies only to zone brands that use SVr4 packaging.

[Oct 2008]

[[Back to Top>>faq]]

===Section 2: Configuration (non-I/O)

==== //**Q:** How "big" is a zone?//

A: If configured with default parameters, a zone requires about 85MB of free disk space per zone when the global zone has been installed with the "All" metacluster of Solaris packages. Additional packages installed in the global zone will require additional space in the non-global zones. SVM soft partitions can be used to divide disk slices and enforce per-zone disk space constraints. When performing capacity planning, 40MB of additional RAM per zone is suggested. Applications do not use any "extra" RAM because they are running in a zone.
A zone installed using the "full-root model" will take up as much space as the initial Solaris 10 installation, which will be more than 500MB in most cases.

==== //**Q:** How many containers can one copy of Solaris have?//

A: While the theoretical limit is over 8,000, the practical limit depends on:

* The amount of hardware resources used by the applications versus the amount available in the system. This includes the number and processing power of CPUs, memory size, NICs, HBAs, etc.
* What portion of the installed zones are actually in use. For example, you can create 100 zones, each ready to offer a web service, but only boot the 10 that you need this month. The unbooted zones [[take up disk space>>#cfg_sizing]], but do not cause the use of any extra CPU power, RAM, or I/O.

Consider these examples which worked:

* 40 zones, each running five copies of the Apache web service, on an E250 with two 300MHz CPUs, 512MB RAM, and three hard disk drives totalling 40GB. With all zones running and a load consisting of multiple simultaneous HTTP requests to each zone, the overhead of using zones was so small it wasn’t measurable (<5%).

==== //**Q:** Can each zone run a different Solaris version?//

A: No. All of the zones use a single underlying kernel. The version of the kernel determines the version of every container in that domain.

==== //**Q:** What types of re-configurations require a non-global zone re-boot?//

A:

* Adding a device to a non-global zone.
* Binding a zone to a pool.

==== //**Q:** What types of re-configurations require a complete system re-boot?//

A: We are not aware of any.

==== //**Q:** Can containers be clustered?//

A: Yes, but not without adding additional cluster management software. As of this writing, Sun is developing extensions to its Sun Cluster software, so that Resource Groups can be placed within non-global zones. <Veritas/Symantec> has also announced support for Zones in the Veritas Cluster product.

==== //**Q:** Can I use SysV shared memory between containers?//

A: No. This would violate several security principles.

==== //**Q:** Can a zone include multiple zones (aka "is the containment model hierarchical")?//

A: No, the model is strictly two-level: one global zone and one or more non-global zones. Only the global zone can create non-global zones, and each non-global zone must be contained within the global zone.

==== //**Q:** Can I automate the process of entering system information, e.g. with sysidcfg?//

A: Yes, after a zone has been installed, copy a sysidcfg(4) file to the zone’s /etc/sysidcfg before the first boot of that zone.

==== //**Q:** Can some local zones be in different time zones?//

A: Yes. Each non-global zone has its own copy of /etc/default/init, which contains the timezone setting. You can change the line starting with "TZ=". The recognized names of timezones are in /usr/share/lib/zoneinfo. For example, Eastern Standard Time in the USA is defined in the file /usr/share/lib/zoneinfo/US/Eastern. To set a non-global zone’s timezone to that timezone, the line in /etc/default/init would look like this:
**TZ=US/Eastern**

==== //**Q:** Can some non-global zones have different date and/or time settings (i.e. different clocks)?//

A: Although different zones can ’be’ in different time zones, each zone gets its date and time clock from the same source. This means that the time zone setting gets applied after the current time data is obtained from the kernel.
If you would like the ability to have different clock sources per zone, please add a call record to RFE 5033497. [August 2005]

==== //**Q:** Can I label my terminal windows with the name of the zone I’m logged into?//

A: Yes. After logging into the zone, enter this command:

{{{
zone% /bin/echo "\033]0;Zone `/bin/zonename`\007\c"
}}}

//[January 2006]//

[[Back to Top>>faq]]

===Section 2B: I/O Configuration

==== //**Q:** How can I learn more about using zones with IPMP or iSCSI?//

A: See [[Jeff’s Blog>>http://blogs.sun.com/JeffV]] for step-by-step instructions. //[May 2008]//

==== //**Q:** How can I add a filesystem to an existing zone?//

A: There are four methods.
The following list uses UFS examples, but other types of file systems, such as HSFS and VxFS, can be used in the zonecfg "fs" resource type property or attached by mount(1M).

1. Create and mount the filesystem in the global zone and use LOFS to mount it into the non-global zone (very safe)
1. Create the filesystem in the global zone and use zonecfg to mount the filesystem into the zone as a UFS filesystem (very safe)
1. Export the device associated with the disk partition to the non-global zone, create the filesystem in the non-global zone and mount it. Security consideration: If a _block_ device is present in the zone, a malicious user could create a corrupt filesystem image on that device, and mount a filesystem. This might cause the system to panic. The problem is less acute with raw (character) devices. Disk devices should only be placed into a zone that is part of a relatively trusted infrastructure.
1. Mount a UFS filesystem directly into the non-global zone’s directory structure (allows dynamic modifications to the mount without rebooting the non-global zone)

See the [[administration guide>>http://docs.sun.com/app/docs/doc/817-1592/]] for instructions to use these methods.
[September 2006]

==== //**Q:** How can I make a writeable /usr/local in a sparse-root zone?//

A: Use one of the methods above, for example:

{{{
global# mkdir -p /path/to/some/storage/local/twilight
global# zonecfg -z twilight
zonecfg:twilight> add fs
zonecfg:twilight:fs> set dir=/usr/local
zonecfg:twilight:fs> set special=/path/to/some/storage/local/twilight
zonecfg:twilight:fs> set type=lofs
zonecfg:twilight:fs> end
zonecfg:twilight> commit
zonecfg:twilight> exit
global#
}}}

==== //**Q:** Can I assign an SVM meta-device, or a Veritas Volume, to a non-global zone?//

A: With Solaris 10 1/06, you can directly assign an SVM meta-device into a non-global zone, using the same method you would with most other devices.
Symantec supports the assignment of a Veritas Volume into a non-global zone. For more information, see [[this guide>>http://sfdoccentral.symantec.com/sf/5.0MP3/solaris/html/vxvm_admin/apbs07.htm]]. //[June 2009]//

==== //**Q:** Can I, and should I, import raw devices into a non-global zone?//

A: The Solaris Zones feature set provides the global zone administrator with the ability to allow a non-global zone to access a raw device. There are many situations where this will be the best approach to solve a problem. There are even situations which require such use.

First, however, it is important to stress that there are usually other solutions that do not require direct device access. Let’s discuss this first.

With regard to importing VxVM devices into a zone, this is possible with VxVM 5.0MP3 and up. For earlier versions, your options depend on the goal. If the goal is to make a filesystem available in the zone, the solution is to create the filesystem in the global zone, and LOFS or direct mount the filesystem in the zone.
On the other hand, if the goal is to make a mirrored block device available in the zone, the only solution is to upgrade to VxVM 5.0MP3 or higher.

If you want to make a filesystem available in the zone, create the filesystem in the global zone, and use LOFS to make the filesystem available in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, another solution must be found.

In any situation, if direct device access is required within a zone, you must perform careful failure analysis and evaluation of the possible outcomes of "catastrophic application failure." If the non-global zone will use COTS software, and will be managed by trustworthy people, then the risks will be small. Fortunately, in most cases there are also other solutions which do not use direct device access from a zone.

Here are two extreme examples:

1. A zone will be created for the purpose of training students on basic Unix commands. The root account will only be used by the global zone administrator. The system will be attached to a LAN which is not connected to any other networks. The instructor needs access to the sound device. There are very few risks associated with such access - it would be very difficult for the sound device to suffer a failure, and even if it did it would be unlikely to affect other zones.
The zone can be given access to this via the zonecfg sub-commands:

{{{
global# zonecfg -z zonename
zonecfg:zonename> add device
zonecfg:zonename:device> set match=/dev/sound/*
zonecfg:zonename:device> end
zonecfg:zonename> exit
}}}

The zone will have access to sound devices, but will not have access to any other devices.
2. A zone will be created for the purpose of teaching students about a database program that requires access to raw disk partitions. The instructor knows how to use Unix, but does not have a background in Unix system administration. Further, the instructor will require use of the root account to assist students. It is possible that the instructor could make a mistake, or a malicious student could abuse the raw disk access, leading to a crash of the kernel. This would also stop all of the other non-global zones, as well as the global zone. If the other zones are running production software, this request for raw disk access in a zone should not be fulfilled. Other solutions should be pursued, such as creating an RBAC role for the instructor which only gives the necessary privileges to the instructor’s Unix account.

Other examples must be judged by their particulars, e.g. a production database program which needs raw access. Factors to consider include:

* Who will login to the zone? How trustworthy are they?
* Is this system protected from unauthorized access by a firewall?
* What level of availability is required by applications running in this zone and in other zones?

For more information on this topic, see the section "SECURITY AND DATA INTEGRITY" of the man page for sgen(7d).
[June 2009]

==== //**Q:** Can I share an I/O resource (e.g. NIC, HBA) between containers?//

A: Yes, in fact, that is the default model. Each container is assigned its own IP address, but usually multiple containers will share one NIC. Further, multiple zones may be assigned separate filesystems accessed through one HBA.

==== //**Q:** Can zones in one computer communicate via the network?//

A: Both shared-IP and exclusive-IP zones can communicate via the network. In general, a zone is assigned to use one or more network ports (aka NICs), and network traffic to or from other computers uses the assigned NIC(s), following standard IP rules.
Network traffic between two zones on the same system may require extra planning.
If a zone is an "exclusive-IP" zone, its network packets will always leave the computer, and inbound packets will always come from outside the computer. Further, an exclusive-IP zone performs all of its own network configuration, including routing and IP filtering.
Before Solaris 10 10/08, network traffic between two //shared-IP// zones always stayed in the computer, i.e. it didn’t traverse the physical network. This provided very high bandwidth, low latency transmission. However, starting with Solaris 10 10/08, traffic between two shared-IP zones stays in the computer //unless// a default router is used for one or both zones. Traffic from a zone with a default router will go out to the router before coming back to the destination zone. For more information on default routers for zones, see the [[documentation>>http://docs.sun.com/app/docs/doc/817-1592/z.conf.start-85?l=en&a=view&q=default+router]] and [[Steffen’s blog>>http://blogs.sun.com/stw/entry/using_zonecfg_defrouter_with_shared]].
Full IP-level functionality is available in an exclusive-IP zone. Exclusive-IP zones always communicate with each other over the physical network. That communication can be restricted using IP Filter from within such zones, just as it can for a separate system.

For shared-IP zones in one computer that communicate using IP networking, the following applies:

* Inter-zone network latency is extremely small, and bandwidth is extremely high
* Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in [[System Administration Guide: IP Services>>http://docs.sun.com/app/docs/doc/816-4554/6maoq024k?l=en&a=view]]. Filter rules are still configured in the global zone.

It is possible to configure routing to [[block traffic between specific zones completely>>#cfg_net_reject]].
For more information on IP types, see the [[System Administration Guide: Solaris Containers~-Resource Management and Solaris Zones>>http://docs.sun.com/app/docs/doc/819-2450]].
[January 2009]

==== //**Q:** How do I modify the network configuration of a running zone?//

A: For shared-IP zones, the ifconfig(1M) command can be used in the global zone to modify that zone’s existing network configuration or to add new logical interfaces to a zone. Here are some examples that add, and then delete a logical interface assigned to a zone:

{{{
global# ifconfig bge0 addif 192.168.200.202 zone myzone
global# ifconfig bge0 removeif 192.168.200.202
}}}

[January 2009]

==== //**Q:** Can IP Multipathing (IPMP) be used with zones?//

A: Yes.
Exclusive-IP zones can use IPMP. IPMP is configured the same way in an exclusive-IP zone as it is on a system not using zones.
For shared-IP zones, [[IPMP>>http://docs.sun.com/app/docs/doc/816-4554/]] can be configured in the global zone. Failover of a network link (e.g. hme0) that is protected by IPMP will bring the associated logical interfaces (e.g. hme0:3) for the zones over to the secondary link (e.g. bge0).
For more information, see the section "Using IP Network Multipathing on a Solaris System With Zones Installed" in [[System Administration Guide: Solaris Containers-Resource Management and Solaris Zones>>http://docs.sun.com/app/docs/doc/819-2450/zone?a=view]].
Take extra care with IPMP and the defrouter setting. See [[this blog entry.>>http://blogs.sun.com/stw/entry/using_zonecfg_defrouter_with_shared]] [January 2009]

==== //**Q:** Can IP Filter be used with zones?//

A: You have the same IP Filter functionality that you have in the global zone in an exclusive-IP zone. IP Filter is also configured the same way in exclusive-IP zones and the global zone.
For shared-IP zones, the [[IPFilter>>http://docs.sun.com/app/docs/doc/816-4554/6maoq020k?q=%22IP+filter%22#hic]] features in Solaris 10 can be used to filter traffic passing between one non-global zone and other computers on the network. This includes the ability to use NAT features, i.e., redirect traffic destined for the global zone to non-global zones.
[November 2007]

==== //**Q:** Can I prevent a zone from using the network?//

A: Yes. A zone does not need a network interface in order to operate. If you don’t specify a network interface when you create the zone, it will still boot correctly. If an existing zone has been given access to a network interface, you can use zonecfg(1M) to remove that access, but if the zone is running you must also either re-boot the zone or use ifconfig(1M) to remove access until the next re-boot.
It is also possible to allow a shared-IP zone to access the network, but not communicate with other zones on the same system. One method is to set up a pair of routes using the "-reject" argument to the route(1) command. For example, if one zone has an IP address of <Addr1> and the second zone has an address of <Addr2>, then the following commands will prevent network traffic from passing between the two zones. [//July 2006//]

{{{
global# route add <Addr1> <Addr2> -interface -reject
global# route add <Addr2> <Addr1> -interface -reject
}}}

==== //**Q:** Are VLANs supported in zones?//

A: Yes. For a shared-IP zone, the VLAN interface must be plumbed in the global zone. LAN and VLAN separation are available in an exclusive-IP non-global zone.

==== //**Q:** How do I configure a default route in a container?//

A: For a shared-IP configuration: All routes, including default routes, must be configured by the global zone administrator. By default, such zones use the global zone’s default router.
Starting with Solaris 10 10/08, each shared-IP zone can be assigned its own default router with the "defrouter" setting. For more information on default routers for zones, see the [[documentation>>http://docs.sun.com/app/docs/doc/817-1592/z.conf.start-85?l=en&a=view&q=default+router]] and [[Steffen’s blog>>http://blogs.sun.com/stw/entry/using_zonecfg_defrouter_with_shared]].
For an exclusive-IP configuration: The zone administrator can configure IP on those data-links with the same flexibility and options as in the global zone.
[January 2009]

==== //**Q:** How can I restrict a zone (or a few zones) to one NIC (network connector)?//

A: The global zone administrator configures each zone’s access to zero or more NICs. A shared-IP zone can be the only zone using a NIC.
Exclusive-IP zones have more separation which reaches down to the data-link layer. One or more data-link names, which can be a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can configure IP on those data-links with the same options as in the global zone. [January 2009]

==== //**Q:** When I tried to mount a file system into a non-global zone, an error message displayed stating that the mount point was busy. Why?//

A: All accesses to entries in lofs mounted file systems map to their underlying file system. Therefore, if a mount point is made available in multiple locations via lofs and it is in use in any of those locations (as a mount point, a current working directory, etc.), an attempt to mount a file system at that mount point will fail unless the overlay flag has been specified. [November 2007]

==== //**Q:** How can I mount a filesystem into two or more different zones safely?//

A: Create a directory in the global zone, and remount it into each non-global zone using lofs. This will allow reading and writing from both zones without corruption.
It’s the same mechanism used by the automounter in certain cases.

==== //**Q:** How can I create a zone with its own /usr or root file system (a ’whole root file system’)?//

A: By default a zone shares /usr and a few other directories with the global zone. If a zone needs its own separate copy of /usr, et al., you must tell zonecfg to not use the default configuration. To do this, use the "-b" option on the "create" sub-command of the zonecfg(1M) command.
If you do this, you must specify each existing file system that you do want to share with this new zone.

==== //**Q:** How can I restrict a zone (or a few zones) to one HBA (storage connector)?//

A: Each zone uses space in at least one disk partition - its root directory and several others (e.g. /etc) live there. All of these files are part of Solaris. In addition, each zone can be given access to one or more file systems and/or one or more raw disks. By planning carefully, you can configure one zone so that all of its files and devices are accessible through one HBA, and all of the storage of another zone is accessible through a different HBA. //[August 2005]//

==== //**Q:** Can a non-global zone NFS-mount a file system that has been shared from its own global zone?//

A: No. This may be addressed in the future. However, the filesystem can be LOFS-mounted into the local zone, and, if necessary, the global zone can export the same filesystem via NFS so that other computers can also access those files. //[August 2005]//

==== //**Q:** Can a zone’s root directory be on a ZFS file system?//

A: Solaris 10 release:
Placing a zone’s root directory (i.e. its PATHNAME) on ZFS is supported starting with Solaris 10 10/08, and you can then upgrade with Live Upgrade going forward. There are still issues with placing a zone on ZFS on a release prior to Solaris 10 10/08 and then trying to upgrade.
Solaris Express Release:
You can place the zonepath of a non-global zone on ZFS. However, see the question [["How do I upgrade a system with zones installed? Does Live Upgrade work?">>#sa_upgrade]] for related issues. //[Sept 2008]//

[[Back to Top>>faq]]

===Section 2C: What Services can a Zone Provide?

==== //**Q:** Can a zone be an NFS server?//

A: A global zone can be an NFS server. A non-global zone cannot use the Solaris NFS server features. This issue may be addressed in the future. See [[RFE 5102011>>http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5102011]].
However, non-Solaris NFS server software (i.e. "userland" NFS server software) has been shown to work correctly in a non-global zone. Such software works because it does not run in the kernel, unlike the Solaris NFS server software which runs in the Solaris kernel.
//[January 2009]//

==== //**Q:** Can a zone be a DHCP server?//

A: A global zone can be a DHCP server.

Starting with Solaris 10 11/06, [[a non-global zone can be a DHCP server>>http://www.opensolaris.org/jive/thread.jspa?messageID=197789&tstart=0]]. This ability became more flexible with Solaris 10 8/07, which added [[a feature called IP Instances>>http://blogs.sun.com/JeffV/date/20070905]]. //[January 2008]//

==== //**Q:** Can a zone be a DNS server?//

A: Yes.

==== //**Q:** Can a zone be an NTP client or server?//

A1: A zone can be an NTP server.
A2: The NTP client software sets the system time clock shared by all zones, including the global zone. By default, non-global zones cannot do this. However, the global zone administrator can give a zone the ability to change the system time clock with the "sys_time" privilege. Be aware that this changes the time clock for all zones.

See [[http://blogs.sun.com/JeffV/entry/shrink_wrap_security1>>http://blogs.sun.com/JeffV/entry/shrink_wrap_security1]] for an example. //(February 2009)//

==== //**Q:** Can a zone be a NIS (aka yp), NIS+, or LDAP server?//

A: Yes, yes, and yes.

==== //**Q:** Can a zone provide network login via telnet, rlogin, rsh or ssh?//

A: Yes, yes, and yes.

==== //**Q:** Can a zone be an ftp server?//

A: A zone can be an ftp server, but it is not possible to use ftpconfig(1M) to set up a zone to be an //anonymous// ftp server. This is because ftpconfig attempts to set up certain device special files, and a zone does not have the necessary privileges. [December 2005]

==== //**Q:** Can a zone run sendmail?//

A: Yes.

==== //**Q:** Can I use X windows in a zone?//

A: There are a few different methods to use X windows with zones:

1. On the system console: at the login screen, you can choose "Remote Host" and enter the hostname of the zone. The X windows login screen should be replaced with an X windows remote login screen.
2. At the console, logged into the global zone: you can tell X to allow remote connections from the non-global zone, telnet to that zone, and set the appropriate environment variable so that X sessions go to the global zone’s X windows session, e.g. "setenv DISPLAY my-global-zone".
3. At another system, you can login directly to the non-global zone, and perform steps similar to the previous method.

[[Back to Top>>faq]]

===Section 3: Resource Management, Performance

==== //**Q:** How can I prevent one container from consuming all of the CPU power?//

A: Use the resource management features of Containers. This requires using some combination of the Fair Share Scheduler, CPU caps, assigned (’dedicated’) CPUs, and/or [Dynamic] Resource Pools features.

**Web Links**:
[[Non-Global Zone Configuration (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/z.config.ov-1]]
[[Fair Share Scheduler (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/rmfss-1]]
[[CPU Caps>>http://docs.sun.com/app/docs/doc/817-1592/ggeji?l=en&a=view]]
[[Dynamic Resource Pools (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/rmpool-1]]

[January 2009]

==== //**Q:** What is the resource granularity for CPU assignment to a container?//

A: **Fair Share Scheduler:** Arbitrary. FSS guarantees a //minimum// amount of CPU utilization, so it doesn’t waste CPU cycles. Excessive CPU use is only prevented if there is contention for CPU resources. Minima are specified by "shares" and enforced by the Fair Share Scheduler. For example, CPU share assignments could be 1, 1000, 999, resulting in utilization minima of 0.05%, 50%, and (practically speaking) 50%.
**CPU Cap:** number of CPUs, in hundredths of a CPU. One zone can be capped at 4.01 CPUs, and another can be capped at 4.02 CPUs.
**Dedicated CPU:** CPU range, in integer number of CPUs. On an x86 system, Solaris considers every CPU core to be a "CPU." On SPARC CMT systems, every hardware thread is a "CPU" so a four-socket T5440 has 256 "CPUs." On other SPARC systems, every CPU core is a "CPU."

==== //**Q:** How can I limit (cap) the CPU usage of an application?//

A: In OpenSolaris, and starting with Solaris 10 5/08, use the capped-cpu resource type. In OpenSolaris and starting with Solaris 10 8/07, you can use the dedicated-cpu resource type to automatically create a temporary pool when the zone boots. See [[Non-Global Zone Configuration (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/z.config.ov-1]].
Alternatively, you can create a processor set with one or more CPUs and bind it to a resource pool. Then create a zone and bind it to the same resource pool. Run the application in that zone.
The application will only "see" that set of processors. For more information, see [[Resource Pools (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/rmpool-1]] and [[Resource Pools (Tasks)>>http://docs.sun.com/app/docs/doc/819-2450/rmpool.task-1]]. [January 2009]

==== //**Q:** How can I limit the memory used by a container?//

A: You can use the Resource Capping Daemon (rcapd) for all releases. In OpenSolaris, and starting with Solaris 10 8/07, you can use the capped-memory resource to set limits for physical, swap, and locked memory. Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.

**Web Links:**
[[Non-Global Zone Configuration (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/z.config.ov-1]]
[[Administering the Resource Capping Daemon>>http://docs.sun.com/app/docs/doc/819-2450/rm.rcapd.task-1]]

[January 2009]

==== //**Q:** Can I dynamically change the quantity of a resource (CPU, memory, network bandwidth) assigned to a container?//

A: To change the number of CPU shares associated with a container without re-booting it, use the prctl command, e.g.

**prctl -n zone.cpu-shares -r -v $SHARES `pgrep -z $ZONENAME init`**

where $SHARES is the new number of shares and $ZONENAME is the name of the zone.
In OpenSolaris and Solaris 10 (starting with 5/08) similar methods can be used to change the CPU cap, RAM cap, VM cap and shared memory cap.

**Web Links:**
[[Resource Controls>>http://docs.sun.com/app/docs/doc/819-2450/rmctrls-1]]
[[Using the prctl Command>>http://docs.sun.com/app/docs/doc/819-2450/z.admin.task-1]]
[[Fair Share Scheduler (Overview)>>http://docs.sun.com/app/docs/doc/819-2450/rmfss-1]]
[[prctl(1)>>http://docs.sun.com/app/docs/doc/819-2239/prctl-1?l=en&a=view&q=prctl]]

[January 2009]

==== //**Q:** Can swap space usage be managed?//

A: The entire swap partition is treated as a single global resource to processes running in both global and non-global zones. Before Solaris 10 8/07, you couldn’t limit the amount of swap used by a zone on a per-zone basis. You //can// globally limit the size of the swap-based filesystems (e.g. /tmp) by using the "size" mount option in the container’s /etc/vfstab file, e.g. "size=200m". This allows you to decrease the effect of many and/or large files created in /tmp.
Starting with Solaris 10 8/07, you can use the capped-memory resource to cap the amount of virtual memory (VM) that a zone uses. This can also be set dynamically with the resource control zone.max-swap.
[January 2009]

==== //**Q:** Can I limit the network bandwidth used by a zone?//

A: Yes, use the IPQoS features in Solaris 10. You must manage this from the global zone for the containers.

==== //**Q:** Do containers use up a lot of CPU power?//

A: CPU overhead of containers is hardly measurable (i.e. <1%) for a few zones or even dozens of zones, depending somewhat on the applications.

==== //**Q:** Can the share value for a running project or zone be changed?//

A: Yes. Here is an example:

**prctl -n project.cpu-shares -v 10 -r -i project group.staff**

The prctl utility allows the examination and modification of the resource controls associated with an active process, task or project on the system.
It allows access to the basic and privileged limits on the specified entity.

-n specifies the name of the resource to get or set
-r specifies a replace operation
-v specifies the new value for the resource
-i specifies the owning process, task or project of the resource.

==== //**Q:** Can I bind a zone to a pool?//

A: Yes, but in OpenSolaris and Solaris 10 8/07 and later, it’s much easier to use the ’dedicated-cpus’ feature.
To bind a zone’s processes to a pool, first create the pool, then use zonecfg(1M) to bind a zone to it.

1. Enable resource pools on your system using either svcadm or pooladm -e.
2. Use pooladm -s to create the pool configuration.
3. Use pooladm -c to commit the configuration at /etc/pooladm.conf.
4. Use poolcfg -c to modify the configuration.

{{{
poolcfg -c 'create pset pset_zone (uint pset.min = 3; uint pset.max = 3)'
poolcfg -c 'create pool pool_zone (string pool.scheduler="FSS")'
poolcfg -c 'associate pool pool_zone (pset pset_zone)'
}}}

5. Use pooladm -c to commit the configuration at /etc/pooladm.conf.
See the [[administration guide.>>http://docs.sun.com/app/docs/doc/819-2450]]
The command to perform the binding, from the global zone, would be:

**zonecfg -z zone1 set pool=pool_zone**

If the zone was running, you must re-boot it for the binding to take effect, unless you also dynamically assign the zone to the pool, as described in the question [["Can projects/zones be reassigned to a different resource pool while they are running?">>#rm_reassign_zone2pool]]. [January 2009]

==== //**Q:** Can projects/zones be reassigned to a different resource pool while they are running?//

A: Yes. Here is an example:

**poolbind -p web_app -i zoneid myzone**

The poolbind command binds zones, projects, tasks and processes to a pool.

-p is the name of the pool to bind
-i specifies the process id, zone id, task id or project id to be bound to the pool.

==== //**Q:** Can you move processors between processor sets while the system is running?//

A: Yes, you can. Here are the commands you would use:

* If you don’t care which CPUs you move from a processor set, the command would be:
**poolcfg -dc "transfer 2 from pset pset1 to pset2"**
which will move any two processors from pset1 to pset2.
-d operates directly on the kernel state
-c specifies the command

If you want to move specific CPUs, here is the command:
**poolcfg -dc "transfer to pset pset2 (CPU 0, CPU 1)"**
which will move CPUs 0 and 1 to pset2.

==== //**Q:** How can I prevent one zone from using all the swap space by filling up /tmp?//

A: For manual mounts, use the option "-o size=sz" where sz is the size limit you want. Ending the size in ’k’ means kilobytes, ending it in ’m’ means megabytes. Example: "-o size=500m". This option can also be added into /etc/vfstab. For more details, view the man pages for mount_tmpfs(1M) and vfstab(4).

With Solaris 10 8/07, you can use the resource control, zone.max-swap. (The swap property of the capped-memory resource is the preferred way to set this control.)

Also, note that [[RFE 1177209>>http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=1177209]] will give the global zone administrator the ability to control the amount of swap space used by one zone.

==== //**Q:** Do I need to set a locked memory cap for a zone? If so, what value should I set?//

A: A locked memory cap in a zone can be set using the zonecfg capped-memory resource. Applications generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone’s applications are known to lock memory.

If the zone administrator is less than trusted or if DoS exploits are of concern, you can also consider setting the locked memory cap to 10% of the system’s physical memory or to the zone’s physical memory cap.
[November 2008]

[[Back to Top>>faq]]

===Section 4: System Administration

==== //**Q:** What software can manage zones?//

A: Here are just a few of the software tools - some free, some not free - which will help you manage Solaris Zones:

* [[SunMC>>http://www.sun.com/software/products/sunmanagementcenter/]] (Sun Management Center) GUI
* [[WebMin>>http://webmin.com/]] GUI has a [[Solaris Zones module>>http://www.webmin.com/webmin/download/modules/zones.wbm.gz]]
* [[Xone Control>>http://www.init6.com]] GUI
* [[The Zone Manager>>Project zonemgr.WebHome]] Command
* [[Zonestat>>Project zonestat.WebHome]] command reports on resource usage and caps

[April 2009]

==== //**Q:** How do I create a zone?//

A: First gather some information, then use the Solaris Container Manager GUI or the commands shown below. This is the simplest possible creation of a zone that has network access. You will need this information (example values in parentheses):

1. Name that you choose for the zone (my-zone)
2. Hostname that you choose for the zone (my-zone)
3. Name of the directory in the global zone where all of the zone’s operating system files will be (/zones/zone_roots/my-zone)
4. IP address of the zone (10.1.1.1)
5. Name of the network device that the zone should use (hme0)

Using the sample information, enter the following commands. This takes about 10 minutes on a small system with a new installation of OpenSolaris or Solaris 10:

{{{
global# zonecfg -z my-zone
zonecfg:my-zone> create
zonecfg:my-zone> set zonepath=/zones/zone_roots/my-zone
zonecfg:my-zone> add net
zonecfg:my-zone:net> set address=10.1.1.1
zonecfg:my-zone:net> set physical=hme0
zonecfg:my-zone:net> end
zonecfg:my-zone> commit
zonecfg:my-zone> exit
global# zoneadm -z my-zone install
global# zoneadm -z my-zone boot
}}}

Also, see [[the two chapters on installing and uninstalling zones at docs.sun.com>>http://docs.sun.com/app/docs/doc/817-1592]]. [September 2005]

==== //**Q:** How do I remove a zone?//

A: Use these commands, substituting the correct names for <bracketed> text.

{{{
global# zoneadm -z <zonename> uninstall
global# zonecfg -z <zonename> delete
}}}

Also, see [[the two chapters on installing and uninstalling zones at docs.sun.com>>http://docs.sun.com/app/docs/doc/817-1592]]. [September 2005]

==== //**Q:** Is the maximum number of exclusive-IP zones limited to the number of physical ethernet ports?//

A: No, if you use VLANs you can have one per VLAN per port. To use the same base ’bge0’ for multiple dhcp zones, in the case of VLANs you would assign bge1000 to zoneA, bge2000 to zoneB, etc. The VNIC component of Crossbow allows multiple virtual NICs on a port without any VLANs. You can try this out at [[Crossbow project>>http://hub.opensolaris.org/bin/view/Project+crossbow/]]. [May 2008]

==== //**Q:** Are there any recent changes for exclusive-IP zones in OpenSolaris?//

A: Prior to build 83, the data-link used with exclusive-IP zones must be GLDv3.
Note that there is a patch [patch ID 118777-12] that allows the legacy ce device to be used with exclusive-IP zones with build 80-82. In OpenSolaris build 83 and later, the data-link used with exclusive-IP zones need not be GLDv3 since the Nemo unification provides a way to present legacy device drivers as GLDv3 using a shim module. Hence, no patch to ce is necessary. [May 2008]

==== //**Q:** Is it still necessary to set the NFSv4 domain parameter?//

A: The new keyword nfs4_domain was added to the sysidcfg file to allow "no-hands" reboot in SX CE and Solaris 10 8/07.

==== //**Q:** How do I patch zones?//

A: See the [[Patching and Packaging sections in the guide at docs.sun.com>>http://docs.sun.com/app/docs/doc/817-1592]]. Note that a zones parallel patching enhancement to the standard Solaris 10 patch utilities increases the patching tools’ performance on systems with multiple zones by allowing parallel patching of the non-global zones. See "Zones Parallel Patching" on the Solaris Containers (Zones) BigAdmin System Administration Portal.

==== //**Q:** Can each container be a different Solaris patch level, so I can test patches in a "test" container before applying them to a "production" container?//

A: There are two parts to the answer: 1) There is only one kernel running on the system, so all zones must be at the same patch level with respect to the kernel and core system components. Such patches can only be applied from the global zone, and they affect the global and all local zones equally. The KU is an example of such a patch.
2) Middleware such as Java Enterprise System can be patched on a per-zone basis. If the software can be installed in the local zone then it must be patchable from the local zone as well, regardless of the zone type, whole-root or sparse-root.

==== //**Q:** Can I move a zone from one computer/domain to another?//

A: Yes.
See [[Migrating a Non-Global Zone to a Different Machine>>http://docs.sun.com/app/docs/doc/819-2450]]. For information on migrating a Solaris 8 or Solaris 9 container, see [[System Administration Guide: Solaris 8 Containers>>http://docs.sun.com/doc/820-2914/]] and [[System Administration Guide: Solaris 9 Containers>>http://docs.sun.com/doc/820-4490/]].
[November 2008]

==== //**Q:** Is there a way to correlate audit records from multiple containers?//

A: Yes, the global zone sees all audit records. Each non-global zone only sees its own audit records.

==== //**Q:** Can I add packages to just the global zone (for example, SRS netConnect)?//

A: Yes, use pkgadd -G. Note that if the SUNW_PKG_THISZONE package parameter is set to true, you do not have to use the -G option. See [[packaging and patching chapters>>http://docs.sun.com/app/docs/doc/819-2450]].
[September 2006]

==== //**Q:** Can I add a package to one non-global zone without adding it to the global zone?//

A: That depends on the settings used when the package was created. See the [[Packaging sections at docs.sun.com>>http://docs.sun.com/app/docs/doc/817-1592/pkginst.ov-1]].

==== //**Q:** What commands don’t work, or behave differently, inside a zone?//

A: Most Unix commands and programs work correctly, without alteration or re-compilation.

However, the implementation of the security isolation boundary limits the functionality of several system calls and libraries. That, in turn, limits the functionality of several system commands. In other words, some Solaris commands behave differently when run inside a zone, or do not work at all inside a zone.
See the sections 6.1 System Calls, 6.2 Library Functions, 6.3 Commands, and 6.4 Device and Interface Special Files in [[http://www.sun.com/bigadmin/features/articles/zones_partition.html#limitations>>http://www.sun.com/bigadmin/features/articles/zones_partition.html#limitations]].
For information on the status of privileges in zones, see Table 26-1 [[Status of Privileges in Zones>>http://docs.sun.com/app/docs/doc/819-2450/z.admin.task-1]].
[November 2006]

==== //**Q:** Do zones boot automatically, or must I boot each one manually every time the system (re)boots?//

A: A zone’s autoboot property determines whether the zone is booted when the system boots. The global zone administrator can set the autoboot property to "true" or "false." The zones service svc:/system/zones:default must also be enabled. [September 2006]

==== //**Q:** Should I halt a system’s zones before applying patches?//

A: There is no need to do this. In fact, the package and patch tools will perform their operations on all zones that are running, as well as all zones that are not currently running but are capable of being booted (e.g. they are at least in the "installed" state). The running zones are operated on first, and then for each zone that is not running but can be booted, the zone is booted, the operation is performed, and the zone is then halted.

==== //**Q:** Where does a zone’s syslog output go?//

A: By default the syslog output from a zone goes only into the zone’s syslog file. If you would like the output to also appear in the global zone’s log files, configure the non-global zone’s loghost to be the global zone.

==== //**Q:** I removed a device from a zone, but it’s still there. Why, and how do I get rid of it?//

A: This is bug 4963368. The current (Feb 2005) workaround is: after using zonecfg to remove the device, manually remove the corresponding entry in {ZONEPATH}/dev.
If you’re running Solaris Express, this bug is corrected in builds 46 and higher. If you are running Solaris 10, this bug is corrected in Solaris 10 8/07.

==== //**Q:** How do I upgrade a system with zones installed? Does Live Upgrade work?//

A: Information about how to upgrade your Solaris 10 system to a later release if you are running zones is available in the System Administration Guide: Solaris Containers~--Resource Management and Solaris Zones, [[Chapter 27 Upgrading a Solaris 10 System That Has Installed Non-Global Zones>>http://docs.sun.com/app/docs/doc/817-1592]].

Limited upgrade for a Solaris Express system that has zones installed began in SX 7/06. Only standard upgrade, with limitations and limited JumpStart keywords, can be used. See [[the installation documentation>>http://docs.sun.com/app/docs/doc/820-0724/gdatc?l=en&q=Solaris+Express&a=view]].

Full upgrade for a Solaris Express system that has zones installed began in SX 2/07. No limitations on standard upgrade, no limitations on JumpStart, and includes Solaris(tm) Live Upgrade. See [[the installation documentation>>http://docs.sun.com/app/docs/doc/820-0157/]].

Full upgrade for a Solaris 10 system that has zones installed began in Solaris 10 8/07. You can use Solaris Live Upgrade, the standard Solaris interactive installation program, or the custom JumpStart installation program to upgrade your Solaris system with zones installed. See [[the installation documentation>>http://docs.sun.com/app/docs/doc/820-0175]]. Limited upgrade via standard upgrade with limitations and limited JumpStart keywords was available in Solaris 10 11/06.

|=Solaris Release|=Traditional Upgrade w/ Zones|=Live Upgrade w/ Zones
|Solaris 10 3/05|N/A|N/A
|Solaris 10 1/06|Yes|No
|Solaris 10 6/06|Yes|No
|Solaris 10 11/06|Yes*|No
|Solaris 10 8/07 onward|Yes*|Yes
|Solaris Express|Yes|Yes

* Note, however, that there are two limitations regarding the process of upgrading Solaris 10 if there are zones that use ZFS or LOFS. Note that the LOFS problem has been fixed in Solaris 10 8/07.

1. Solaris 10 6/06 supports the use of ZFS file systems. It is possible to install a zone into a ZFS fs, but the installer/upgrader program does not yet understand ZFS well enough to upgrade zones that ’live’ on a ZFS file system. Because of this, upgrading a system that has a zone installed on a ZFS file system is not yet supported.
2. If all non-global zones that are configured with "lofs" fs resources are mounting directories that exist in the miniroot, the system can be upgraded from a previous release of Solaris 10 to the Solaris 10 11/06 release using standard upgrade. For example, a lofs mounted /opt directory presents no issues for upgrade.
However, if any of your non-global zones are configured with a non-standard lofs mount, such as a lofs mounted /usr/local directory, the following error message is displayed:

{{{
The zones upgrade failed and the system needs to be restored
from backup. More details can be found in the file
/var/sadm/install_data/upgrade_log on the upgrade root file
system.
}}}

The error message is incorrect: although this error message states that the system must be restored from backup, the system is actually fine, and it can be upgraded successfully using the workaround.

{{{
Workaround:
1. Reboot your system with the installed OS.
2. Reconfigure the zones, removing the "fs" resources defined with a
   type of "lofs."
3. After removing these resources, upgrade the system to Solaris 10 11/06.
4. Following the upgrade, you can again reconfigure your zones to
   restore the additional "fs" resources that you removed.
}}}

This problem is being tracked as CR 6454140: "Zones With an "fs" Resource Defined With a Type of "lofs" Cannot Be Upgraded to Solaris 10 11/06" and is also described in the Solaris 10 11/06 Release Notes.
[November 2006]

==== //**Q:** Are there any special guidelines for using Live Upgrade with zones?//

A: There are a number of considerations when using Live Upgrade (LU) on a system with zones installed. It is critical to avoid zone state transitions during lucreate and lumount operations.

* When you lucreate an alternate boot environment (ABE), if a zone is not running, then it cannot be booted until the lucreate has completed.
* When you lucreate an ABE, if a zone is running, it should not be halted or rebooted until the lucreate has completed.
* When an ABE is lumounted, you cannot boot zones or reboot them, although zones that were running before the lumount can continue to run.

Because a non-global zone can be controlled by a non-global zone administrator as well as the global zone administrator, it is best to have all zones halted during lucreate or lumount.

It is important to note that when LU operations are underway, non-global zone administrator involvement is critical. The upgrade affects their work as administrators, and they will be dealing with the changes that occur as a result of the upgrade. They should make sure that any local packages are stable throughout the sequence, handle any post-upgrade tasks (such as configuration file tweaking), and generally schedule around the system outage.

Here is an example of a problem that could occur if these guidelines are not followed. If this sequence of actions takes place:

1. In global zone: lucreate -n new
2. In non-global zone: pkgadd FooBar
3. In global zone: luupgrade -n new, luactivate -n new, init 6

When the system comes back up, the non-global zone users will notice that they no longer have the FooBar feature added by the package.
[January 2008]

==== //**Q:** Are Solaris 10 zones configured on ZFS prior to the Solaris 10 10/08 release upgradeable using Live Upgrade?//

A: Not yet, but it is being investigated. Live Upgrade can be used on Solaris 10 10/08 systems that have zones configured with the zonepath on ZFS.
[November 2008]

==== //**Q:** What is the default networking service configuration of a non-global zone when it is installed?//

A: On Solaris 10 systems, the traditional open configuration is installed. On SX systems, the limited networking configuration is installed.
You can switch the zone to either networking configuration by using the netservices command, or enable and disable specific services by using SMF commands. [September 2006]

==== //**Q:** Can the patch levels between a zone migrated to the target machine using update on attach and a zone created on the target machine be different?//

A: Yes. It is normal and expected that a migrated zone and a newly installed zone would have different patches. The update on attach feature looks at the zone you are migrating and determines which packages need to be updated to match the new host. Only those packages are updated. By definition, the rest of the packages (with their patches) are allowed to vary from zone to zone. You can think of this as setting up a number of zones and then, over time, the zone administrators for those zones install and remove packages and apply different patch streams to the packages that they are allowed to change in their zones.
The update on attach feature for zone migration is available in Solaris Express, and it was added in the Solaris 10 10/08 release.
[March 2009]

[[Back to Top>>faq]]

===Section 5: Security

==== //**Q:** Can I access one zone from another zone?//

A: Only through IP connections, e.g. telnet, rlogin.

==== //**Q:** Can I ’su’ from one zone to another?//

A: No, this would violate the security implementation of zones. In this context, think of zones as separate computers - you can’t ’su’ from one Unix computer to another.
You //can// use the zlogin(1) command to login to a non-global zone from the global zone. You must have all privileges(5) to use zlogin.

==== //**Q:** Can I prevent the root account in one zone from affecting other zones?//

A: Because each container has its own namespace, each container has its own root account. Each zone’s root account is unable to access other containers in any way.

==== //**Q:** Can programs running in one zone change the operation of programs running in another container?//

A: A great deal of design work was done to prevent containers from affecting each other. By default it is very difficult for one local zone to affect another zone, but it is possible. It is also easy for the global zone administrator to configure containers unsafely. Consider these factors:

* First, there are no known methods for one user (even root) in one local zone to ’break into’ another zone (global or non-global).
However, a modern computer has many resources, some of them real, some virtual. Denial of Service attacks often attempt to use all of the instances of a virtual resource. One early attack on Unix systems was creating so many processes that all of the PIDs were in use, preventing the creation of new processes. There are now methods to prevent those attacks, and those methods automatically apply, or have been applied to, zones.
In some cases the method of prevention includes the manual use of Solaris features, e.g. projects. 762: * By default it is difficult to disrupt operation of zones. However, the global zone administrator can make it easier for a non-global zone user to impact operation of one or more other zones, even the global zone. Try to avoid assigning disk devices directly to non-global zones: the root user of that zone might be able to take advantage of this to cause a SCSI bus reset or even panic the kernel. Also, avoid assigning the same device or file system to multiple zones unless needed to achieve a specific goal. If that is necessary, ensure that all of the software in those two zones will obey a synchronization mechanism when using the device or file system. 763: 764: ==== //**Q:** How do I prevent a ’fork bomb’ from affecting all of the zones?// 765: 766: A: A ’fork bomb’ is a process which creates (forks) as many child processes as possible, attempting to use up all of the virtual memory or PIDs in a system, resulting in a Denial of Service to other users. If you would like to prevent someone from doing this in a non-global zone, add this to a zone’s configuration, using zonecfg(1M): 767: 768: {{{ 769: 770: add rctl 771: set name=zone.max-lwps 772: add value (priv=privileged,limit=1000,action=deny) 773: end 774: 775: }}} 776: 777: That will prevent a zone’s processes from having a total of more than 1000 LWPs simultaneously. [//December 2005//] 778: 779: [[Back to Top>>faq]] 780: 781: ===Section 6: Application-specific Information 782: 783: ==== //**Q:** Can Oracle use shared memory in a Container?// 784: 785: A: In Solaris, Oracle uses ISM (Intimate Shared Memory) or DISM (Dynamic ISM). DISM is preferred because it provides more flexibility. 786: 787: ISM can be used in a Solaris Container, for any release of Solaris 10. 

Because we keep improving Containers, there are slightly different answers to the question "can DISM be used," depending on the particular release of Solaris 10.

1. Solaris 10 8/07 and newer: Yes, Oracle can use DISM in a Container. Because the Solaris privilege ’proc_lock_memory’ is in a zone’s default set of privileges, you should limit the amount of RAM that a particular zone can lock. If you don’t do this, that zone could lock down enough memory that the global zone - including platform management tools - cannot function properly.
In Solaris 10 5/08 and later, you should set that limit with the following command:

{{{
global# zonecfg -z myzone
add capped-memory
set locked=4g
end
exit
}}}

Note that common memory-size suffixes can be used: k or K (kilobytes), m or M (MB), g or G (GB), etc. See zonecfg(1M) for more details.
In Solaris 10 8/07 you should set that limit with the following command:

{{{
global# zonecfg -z myzone
set max-locked-memory=4g
exit
}}}

2. Solaris 10 11/06: Yes, Oracle can use DISM in a Container. To enable the use of DISM, the global zone administrator must add the privilege "proc_lock_memory" to the Container. To do this, use zonecfg(1M) to add the line

{{{
set limitpriv=default,proc_lock_memory
}}}

to the Container’s configuration.
3. Solaris 10, Releases 3/05, 1/06, 6/06: A Container can only use ISM. It cannot use DISM. This is a side-effect of the implementation of the security boundary which protects zones from each other.

[//September 2008//]

==== //**Q:** Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a Solaris Container?//

A: There are currently (June 2006) two distinct concerns regarding the use of FSS in a Container when running Oracle databases:

1. In testing - Oracle processes use internal methods to prioritize themselves to improve efficiency. It is possible that these methods might not work well in conjunction with the Solaris FSS. Although there are no known problems with non-RAC configurations, Sun and Oracle are testing this type of configuration to discover any negative interactions. This testing should be completed soon.
2. It is not possible to use the Solaris FSS with Oracle RAC in a Container. A Solaris patch is being tested that fixes this problem.

==== //**Q:** Can I use Oracle RAC in a Container?//

A: This is really three questions: (1) does it work, (2) in what configurations does Sun support the Solaris components, and (3) in what configurations does Oracle support this? The short answers are:

1. Oracle RAC has been demonstrated consistently using the Solaris OS, the Solaris Zones Cluster feature of Solaris Cluster software and Oracle RAC.
2. Sun supports "Solaris Zone Clusters" using Solaris Cluster.
3. Only Oracle can determine the level of support available for Oracle RAC in Solaris Zones Clusters.

The Sun BluePrint "[[Deploying Oracle Real Application Clusters (RAC) on Solaris Zone Clusters>>http://www.sun.com/offers/details/820-7661.xml]]" describes the installation and use of Oracle RAC in Solaris Zone Clusters. [//May 2009//]

==== //**Q:** Are there any third-party documents that address using applications with zones?//

A: Yes. To use Veritas Volume Manager Volumes from non-global zones, see [[this document>>http://seer.entsupport.symantec.com/docs/285063.htm]].

Sun is not responsible for the availability of third-party web sites mentioned in this FAQ. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources.
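
The zone.max-lwps limit from the fork-bomb answer, the locked-memory cap from the DISM answer, and the Section 5 advice about disk devices and shared file systems can all be checked from a zone's exported configuration. The following is an added example, not part of the FAQ or of Solaris: it audits constructed text in the format printed by `zonecfg -z <zonename> export`, and the sample zones, function names and finding codes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed samples, in the format printed by `zonecfg -z <zonename> export`.
SAMPLE_EXPORTS = {
    "web": """\
create -b
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
add capped-memory
set locked=4g
end
add fs
set dir=/shared
set special=/export/shared
end
""",
    "db": """\
create -b
set limitpriv=default,proc_lock_memory
add device
set match=/dev/rdsk/c1t0d0s6
end
add fs
set dir=/data
set special=/export/shared
end
""",
}
DISK_PREFIXES = ("/dev/dsk/", "/dev/rdsk/")
REQUIRED = ("zone.max-lwps", "zone.max-locked-memory")

def parse_export(text):
    """Parse export text into (global properties, [(type, props, rctl values)])."""
    props, resources, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("add value"):
            inner = re.search(r"\((.*)\)", line)
            if current and inner:
                pairs = inner.group(1).split(",")
                current[2].append(dict(kv.split("=", 1) for kv in pairs if "=" in kv))
        elif line.startswith("add "):
            current = (line.split()[1], {}, [])
        elif line == "end" and current:
            resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            (current[1] if current else props)[key.strip()] = value.strip().strip('"')
    return props, resources

def audit_zone(text):
    """Return (findings, shared resource keys) for one exported zone configuration."""
    props, resources = parse_export(text)
    # Global-property forms such as the page's `set max-locked-memory=4g` also count.
    capped = {"zone." + k for k in props if "zone." + k in REQUIRED}
    findings, shared = [], set()
    for rtype, rprops, values in resources:
        if rtype == "rctl":
            if any(v.get("priv") == "privileged" and v.get("action") == "deny" for v in values):
                capped.add(rprops.get("name"))
        elif rtype == "capped-memory" and "locked" in rprops:
            capped.add("zone.max-locked-memory")
        elif rtype == "device":
            shared.add(("device", rprops.get("match", "")))
            if rprops.get("match", "").startswith(DISK_PREFIXES):
                findings.append(("disk-device", rprops["match"]))
        elif rtype == "fs":
            shared.add(("fs", rprops.get("special", "")))
    findings += [("uncapped", name) for name in REQUIRED if name not in capped]
    return findings, shared

def audit_all(exports):
    """Audit every zone, then flag devices and file systems given to several zones."""
    report, owners = {}, defaultdict(list)
    for zone, text in sorted(exports.items()):
        report[zone], shared = audit_zone(text)
        for key in shared:
            owners[key].append(zone)
    for (kind, name), zones in sorted(owners.items()):
        for zone in zones if len(zones) > 1 else ():
            report[zone].append(("shared-" + kind, name))
    return report

if __name__ == "__main__":
    for zone, findings in audit_all(SAMPLE_EXPORTS).items():
        print(zone, findings)
```

A "shared-fs" or "shared-device" finding is a prompt to confirm that the sharing is intentional and that the software in both zones synchronizes its use of the resource.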

[[Back to Top>>faq]]

===Section 7: Other Server Virtualization Solutions

==== //**Q:** What are zones’ strengths compared to other server virtualization solutions?//

A: Solaris Zones have many strengths relative to other server virtualization solutions, including:

* Cost: zones are a feature of the operating system. There is no extra charge for using them.
* Integration: Zones are integrated into the operating system, providing seamless functionality and a smooth upgrade path.
* Portability: Zones are not tied to any one hardware platform. As a device-independent feature set of OpenSolaris, their functionality is exactly the same on all hardware to which OpenSolaris has been ported.
* Observability: The Global Zone has visibility into all activity in all zones, including viewing process and network activity, system-wide accounting and auditing, etc. This makes it possible to find performance problems and resolve inter-zone conflicts, both of which are extremely difficult problems on most other SV solutions. It is even possible to re-host applications typically found on different systems (e.g. web server and app server) on different zones in the same system, and then use DTrace to analyze their interactions.
* Manageability: You can manage all of the zones on one system as one collection, rather than as separate servers. This includes adding packages and patches **once** per system, not once per zone.
* Sun Dynamic System Domains

==== //**Q:** Are containers like VMware?//

A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the basic model is different: Containers form isolated application environments that share one OS instance, while VMware hosts multiple OS instances. The differences also include:

* Containers are only available for Solaris 10 and SX Nevada. VMware supports Solaris, Microsoft Windows and Linux clients, simultaneously.
* VMware uses a great deal of CPU capacity managing the multiple environments. CPU overhead of containers is hardly measurable (typically <1%) for a few zones or even dozens of zones, depending somewhat on the applications.
* Containers do not have any financial cost beyond Solaris license and/or support costs. VMware for production environments costs thousands of dollars, and a license is necessary for each Windows or RH instance hosted on top of VMware.

==== //**Q:** Are containers like HP vPars or nPars?//

A: Containers are not similar to either except in purpose: server consolidation. However, the differences include:

* HP nPars and Sun’s Dynamic System Domains are similar in that both provide complete isolation of data, applications, and programs. A complete comparison of Domains and nPars is outside the scope of this document.
* vPars are HP’s "soft" partitioning technology. vPars and Containers each enable multiple applications to co-exist in a set of hardware resources with some degree of isolation.
* Each vPar is its own instance of an operating system, and must be managed separately. Each container is a virtual instance of Solaris, but there is only one copy of Solaris to maintain.
* Containers are only available for Solaris 10. vPars only support HP-UX (versions ??).
* All vPars share the same root password. Someone who gains root access in one vPar can do anything to any vPar. Conversely, each Solaris Container has its own namespace, including its own root account. Someone who gains root access in one container can damage that container (unless privileges have been removed) but cannot cause any damage to any other container, including the global container. However, keep in mind that if a vPar or Container is configured poorly, the potential for inter-partition damage is increased.

==== //**Q:** Are containers like IBM Micro-Partitions?//

A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the differences include:

* Containers are only available for Solaris 10. MicroPars only support AIX 5.3, RH.
* Each MicroPartition requires a separate license to run an operating system. There is a cost associated with each AIX license.
* Containers have almost no overhead, i.e. running 10 applications in 10 Containers is only slightly less efficient than running those 10 applications in a non-zoned system. The difference is typically <1%. MicroPartitions are inefficient and have high overhead. According to IBM documentation, 10 MicroPartitions can have a compute overhead of 35%, **//in addition to the application workload//**.
* Containers and MicroPartitions can share I/O resources, but the implementation is different. MicroPars that want to share an I/O connector must use an LPAR dedicated to the multiplexing of I/O. This LPAR has extra costs associated with it: one or more additional Power processors, another AIX license, etc. [Updated July 2005]

==== //**Q:** Are containers like Linux vServers?//

A: The basic model used to implement the Solaris 10 Containers feature set and the Linux vServers project are fairly similar. However, the implementation is different. (More coming soon!) [Updated August 2005]

[[Back to Top>>faq]]

===Section 8: Zones in OpenSolaris

==== //**Q:** How are zones different on OpenSolaris 2009.06?//

A:
* The ipkg brand is the default instead of the native brand
* Are whole-root type only; inherit-pkg-dir should not be used
* Have different software management related functionality
** IPS vs SVr4 packaging
** install, detach/attach, p2v
For attach, you currently have to manually set up the correct dataset hierarchy, which might cause problems if not done correctly. Also, dry-run doesn’t work yet. Engineering is currently fixing these problems.
* Have different global zone software operations: employ manual syncing, not patching. Currently, the zones don’t automatically update when you pkg image-update the system. You must manually update the zones after rebooting to keep them in sync with the global zone.
* Use boot environments instead of LU
* Integrated with beadm
* Zone root is a dataset
* Host identifiers (hostids) can be emulated on a per-zone basis; see zonecfg(1M). (Also available in the community release beginning with snv_108.)
* Zone software is minimized to start; any additional packages the zone needs must be added
* Must be on net to install zone; install is from the OpenSolaris Packaging Repository

Note that pkg image-update is not fully supported. You can use detach and attach -u as a workaround. Detach the zone before running pkg image-update, and use attach -u after running pkg image-update. [Added June 2009]

==== //**Q:** Why are zones so different on OpenSolaris?//

A: IPS is a new model for software management, and zones have to change to utilize this model. [Added June 2009]

==== //**Q:** Why can’t I use sparse root zones?//

A: The sparse root type of zone describes a fundamental interaction between zones and the package management system, and IPS doesn’t support this concept. But we’re working on providing the positive attributes of sparse root zones in different ways:

* reduced memory footprint
* reduced disk footprint
* centralized control of zone’s software
* security due to read-only mounts
* faster install/upgrade times
* fewer bits to migrate across systems

[Added June 2009]

==== //**Q:** Are zones on OpenSolaris done? Will zones continue to look like they do on 2009.06?//

A: No, zones are a work in progress and things will continue to evolve as development continues. [Added June 2009]

==== //**Q:** How do I control what software is installed in the zone?//

A: Use the -e option to zoneadm install. [Added June 2009]

==== //**Q:** Why is zone root its own dataset?//

A: Eventually, we want to support beadm inside zones for pkg image-update, just as you can do in the global zone. To accomplish this, the zone’s root dataset must be controlled inside the zone. [Added June 2009]

==== //**Q:** Why isn’t the zone root available when the zone is halted? How do I set up the zone’s sysidcfg file?//

A: Ready the zone, which will mount the correct zone root dataset. [Added June 2009]

==== //**Q:** I created a zone in OpenSolaris 2009.06, and tried to add an /etc/sysidcfg file - but <zonepath>/root/etc doesn’t exist! Where did it go?//

A: OpenSolaris zones are a little different from Solaris 10 zones. When a zone is in the ’installed’ state, its ZFS file system is not mounted. To mount the zone’s root file system before booting the zone, use this command:

{{{
global# zoneadm -z <zonename> ready
}}}

Then edit <zonepath>/root/etc/sysidcfg. After that, you can finish booting the zone. If the sysidcfg file was correct, configuration questions will not be sent to the zone’s console, and it will complete the boot process.

==== //**Q:** Can I continue to use zones created on OpenSolaris 2008.05?//

A: No, existing zones from this release cannot be used. [Added June 2009]

[[Back to Top>>faq]]

===Section 9: Common but Non-Obvious Problems

==== //**Q:** I created a zone and booted it, but it doesn’t work. What should I do?//

A: The most common problem is that the zone doesn’t have its system identification information yet. You can determine if this is the problem by running "ps -fz <zonename>" in the global zone. If the output only shows zsched, init, and a few (3-6) processes related to SMF (/lib/svc/..., /usr/sbin/svccfg) then system identification is not complete. To complete this, attach to the zone’s console by running "zlogin -C <zonename>" in the global zone, pressing once, and following the instructions. [//March 2006//]

==== //**Q:** I added some privileges to a user in a zone, and now the user can’t login. What should I do?//

A: This resulted from a bug that was fixed in Solaris Express 4/06. It will be corrected in Solaris 10 11/06 as well.
Updated information on privileges and zones has been added to the System Administration Guide: Solaris Containers~--Resource Management and Solaris Zones. See [[documentation>>http://docs.sun.com/app/docs/doc/819-2450/z.admin.ov-1]] for a list of the Solaris privileges and the status of each privilege with respect to zones. To alter privileges in zones, use the limitpriv property in zonecfg. [September 2006]

==== //**Q:** I tried to upgrade to Solaris 10 11/06 and it told me the upgrade failed and I need to restore from backup. Now what?//

A: Although this error message states that the system must be restored from backup, the system is actually fine, and it can be upgraded successfully. See [["How do I upgrade a system with zones installed? Does Live Upgrade work?">>#sa_upgrade]] for more information and a workaround you can use to upgrade your system.

[[Back to Top>>faq]]