Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality Effective: 30/11/2009
2.1.2. Zones and software installation
[dd] The respective requirements on local zones determine the manner in which software is installed
in zones.
There are two ways of supplying software in zones:
1. Software is usually supplied in pkg format. If this software is installed in the global zone with
pkgadd, it will be automatically available to all other local zones as well. This considerably
simplifies the installation and maintenance of software since – even if many zones are
installed – software maintenance can be performed centrally from the global zone.
2. Software can be installed exclusively for a local or for the global zone in order to e.g. be able
to make software changes in one zone independent of other zones. This can be achieved by
installation using special pkgadd options or by special types of software installations.
In any case the Solaris kernel and the drivers are shared by all zones but can be directly installed and
modified in the global zone only.
2.1.3. Zones and security
[dd] By providing separate root directories for each zone, separate stipulations regarding security
settings can be made by the local name service environments in the zones (RBAC – Role Based
Access Control, passwd database). Furthermore, a separate passwd database with its own user
accounts is provided in each zone. This makes it possible to build separate user environments for
each zone as well as introducing separate administrator accounts for each zone.
Solaris 10 5/08, like earlier Solaris versions, is certified according to Common Criteria EAL4+. This
certification was performed by the Canadian CCS. The Canadian CCS is a member of the group of
certification authorities of Western states of which the Federal Office for Information Security (BSI,
Bundesamt für Sicherheit in der Informationstechnik) is also a member. This certification is also
recognized by BSI. A constituent component of the certification is protection against break-ins,
separation and – new in Solaris 10 – zone differentiation. Details on this are available at:
http://www.sun.com/software/security/securitycert/
Solaris Trusted Extensions allow customers who are subject to specific laws or data protection
requirements to use labeling features that have thus far only been contained in highly specialized
operating systems and appliances. To implement labeled security, so-called compartments are used.
For Solaris Trusted Extensions, these compartments are put into practice by Solaris zones.
2.1.4. Zones and privileges
[dd] Local zones have fewer process privileges than the global zone whereby some commands
cannot be executed within a local zone. For standard configurations of zones, this access is permitted
only in the global zone. The restrictions include, among other things:
• Configuration of swap space and processor sets
• Modifications to the process scheduler and the shared memory
• Setting up device files
• Downloading and uploading kernel modules
• For shared IP authorities:
− Access to the physical network interface
− Setting up IP addresses
Since Solaris 10 11/06, local zones can have additional process privileges assigned to them when
zones are being configured that allow extended possibilities for local zones (but not all).
Potential combinations and usable privileges in zones are shown here:
http://docs.sun.com/app/docs/doc/817-1592/6mhahuotq?a=view
4