Solaris Zones

Zones section off environments to improve security.

MYRA has set up and designed a secure environment for one of our customers using Solaris Zones.

What are Solaris Zones?

The Solaris Zones facility in the Solaris Operating System provides an isolated environment in which to run applications on your system. Solaris Zones are a component of the Solaris Container environment.

Zones act as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets of application services onto one system and by placing each into isolated virtual server containers, system administrators can reduce cost and provide most of the same protections of separate machines on a single machine.

Each zone has its own node name, virtual network interfaces, and storage assigned to it; there is no requirement for a zone to have any minimum amount of dedicated hardware other than the disk storage necessary for its unique configuration. Specifically, it does not require a dedicated CPU, memory, physical network interface or HBA, although any of these can be allocated specifically to one zone.

Zones Security Overview

The Solaris Zones partitioning technology is used to virtualize operating system services and provide an isolated and secure environment for running applications. When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation prevents processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process running with superuser credentials cannot view or affect activity in other zones.

Each zone has a security boundary surrounding it which prevents a process associated with one zone from interacting with or observing processes in other zones. Each zone can be configured with its own separate user list.

A zone also provides an abstract layer that separates applications from the physical attributes of the machine on which they are deployed.

Zones allow you to delegate some administrative functions while maintaining overall system security.

When to Use Zones

Zones are ideal for environments that consolidate a number of applications on a single server. The cost and complexity of managing numerous machines make it advantageous to consolidate several applications on larger, more scalable servers.

Zones enable more efficient resource utilization on your system. Dynamic resource reallocation permits unused resources to be shifted to other containers as needed. Fault and security isolation mean that poorly behaved applications do not require a dedicated and under-utilized system. With the use of zones, these applications can be consolidated with other applications.

Zones Strengths

Solaris Zones have many strengths relative to other server virtualization solutions, including:

  • Cost: Zones are a feature of the operating system. There is no extra charge for using them.
  • Integration: Zones are integrated into the operating system, providing seamless functionality and a smooth upgrade path.
  • Portability: Zones are not tied to any one hardware platform. As a device-independent feature set of OpenSolaris, their functionality is exactly the same on all hardware to which OpenSolaris has been ported.
  • Observability: The Global Zone has visibility into all activity in all zones, including process and network activity and system-wide accounting and auditing. This makes it possible to find performance problems and resolve inter-zone conflicts, both of which are extremely difficult on most other server virtualization solutions.
  • Manageability: You can manage all of the zones on one system as one collection, rather than as separate servers. This includes adding packages and patches once per system, not once per zone.