Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality

Effective: 30/11/2009

2.1.2. Zones and software installation

[dd] How software is installed in zones depends on the requirements placed on the local zones.

There are two ways of supplying software in zones:

1. Software is usually supplied in pkg format. If this software is installed in the global zone with pkgadd, it is automatically available to all local zones as well. This considerably simplifies the installation and maintenance of software: even if many zones are installed, software maintenance can be performed centrally from the global zone.

2. Software can be installed exclusively for a local zone or for the global zone, for example to be able to make software changes in one zone independently of other zones. This can be achieved by installation using special pkgadd options or by special types of software installations.

In any case, the Solaris kernel and the drivers are shared by all zones but can be installed and modified directly in the global zone only.

2.1.3. Zones and security

[dd] Because each zone has its own root directory, security settings can be defined separately for each zone through the zone's local name service environment (RBAC, Role Based Access Control; passwd database). Furthermore, a separate passwd database with its own user accounts is provided in each zone. This makes it possible to build separate user environments for each zone and to introduce separate administrator accounts for each zone.

Solaris 10 5/08, like earlier Solaris versions, is certified according to Common Criteria EAL4+. This certification was performed by the Canadian CCS. The Canadian CCS is a member of the group of certification authorities of Western states of which the Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) is also a member. This certification is also recognized by BSI. The certification covers protection against break-ins, separation and, new in Solaris 10, zone differentiation. Details on this are available at:

http://www.sun.com/software/security/securitycert/

Solaris Trusted Extensions allow customers who are subject to specific laws or data protection requirements to use labeling features that have thus far only been contained in highly specialized operating systems and appliances. To implement labeled security, so-called compartments are used. For Solaris Trusted Extensions, these compartments are put into practice by Solaris zones.

2.1.4. Zones and privileges

[dd] Local zones have fewer process privileges than the global zone, so some commands cannot be executed within a local zone. In standard zone configurations, these operations are permitted only in the global zone. The restrictions include, among other things:

- Configuration of swap space and processor sets
- Modifications to the process scheduler and the shared memory
- Setting up device files
- Loading and unloading kernel modules
- For shared IP authorities:
  - Access to the physical network interface
  - Setting up IP addresses

Since Solaris 10 11/06, additional process privileges can be assigned to local zones when the zones are configured. These extend what a local zone can do, but they do not lift all restrictions.

Potential combinations and usable privileges in zones are shown here:

http://docs.sun.com/app/docs/doc/817-1592/6mhahuotq?a=view
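
Additional privileges are assigned through the zonecfg property limitpriv, which this section does not name. The following script is an added example, not part of the guide: it reports how each zone's limitpriv value deviates from the standard privilege set, so that zones with widened privileges can be reviewed. The zone names and property values are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the guide. Input: one line as printed by
#   zonecfg -z <zone> info limitpriv
# Output: how the setting deviates from the standard local-zone privilege set.

limitpriv_delta() {
    # Strip the property name and surrounding blanks.
    value=$(printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*limitpriv:[[:space:]]*//' -e 's/[[:space:]]*$//')
    added='' removed='' base=explicit
    # An empty property means the zone runs with the standard set.
    if [ -z "$value" ]; then base=default; fi
    old_ifs=$IFS
    IFS=,
    for tok in $value; do
        case $tok in
            default)  base=default ;;                                # standard set
            '!'*|-*)  removed="$removed${removed:+,}${tok#?}" ;;     # taken away
            *)        added="$added${added:+,}$tok" ;;               # granted extra
        esac
    done
    IFS=$old_ifs
    printf 'base=%s added=%s removed=%s\n' "$base" "${added:--}" "${removed:--}"
}

# Constructed sample data: "zone|line from zonecfg info limitpriv".
# On a live global zone the lines would come from zonecfg for each zone
# listed by `zoneadm list -c`.
while IFS='|' read -r zone line; do
    printf '%-8s %s\n' "$zone" "$(limitpriv_delta "$line")"
done <<'EOF'
web01|limitpriv:
db01|limitpriv: default,proc_lock_memory,sys_time
mon01|limitpriv: default,dtrace_proc,dtrace_user,!net_icmpaccess
EOF
```

A zone reported with base=explicit has no "default" keyword in its value, so its privilege set is exactly the listed names and deserves a closer look.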
