Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices Effective: 30/11/2009
4.1.8. Additional devices in zones
4.1.8.1. Configuration of devices
[ug] In principle, a local zone uses no physical devices. To use network interfaces exclusively in one
zone, the zone has to be configured as an exclusive IP zone (4.1.7.4 Exclusive IP instance ).
Disks or volumes can be inserted in a zone with zonecfg (5.1.12.6 Using a DVD drive in the local
zone). To activate such a modified configuration, the zone has to be restarted. Devices can also be
brought into a zone dynamically with mknod without a shutdown of a zone having(5.1.12.7 Dynamic
configuration of devices).
Device removal is done by removal with zonecfg or, for dynamically added devices, by deleting the
device node.
In principle, other devices such as for example serial interfaces can be passed on to local zones as
well. The task of the administrator of the global zone or the person responsible for the configuration of
the local zones is to coordinate use of the devices and to avoid double allocation or double usage
from global zone and local zone.
4.1.8.2. Static configuration of devices
[ug] Devices for a zone are defined during zone configuration using zonecfg with the command
add device.
Solaris then generates the device for the zone by means of a device node in the file system /dev of
the zone. The /dev directory of the zone is located in th e zonepath of t he zone under the
subdirectory dev. Devices are deleted by deleting them in the zone configuration. At the next reboot
of the zone , the device is removed from its /dev directory.
This is one of the differences between the global zone and the local zones, since in the local zone,
the device node is located directly in the /dev directory. The global zone only contains a symbolic
link in /dev to a device entry in /devices. All devices recognized by the system, with their device
nodes, are located in /devices.
A zone is not able to create device nodes by itself in its /dev since the command mknod(1M) and
the system call mknod(2) is forbidden by privileges in a local zone. Furthermore, a zone can itself
only mount file systems with the option nodevices whereby the device entries in this file system are
not usable.
The security of zones with respect to devices is based exactly o n these measures because no zone
can obtain access to devices that are not configured for it.
4.1.8.3. Dynamic configuration of devices
[ug] Rebooting the local zone is sometimes not desirable although new devices have to be added to,
for example, to procure additional space for a database.
Then, new devices can be added dynamically to the zone by emulating the process of static device
configuration.
First, running ls -lL <device> in the global zone determines which device node lies behind
the device; the important outputs here are the major and minor numbers. The major number
specifies the driver and the minor number is something like the serial number of the device.
Next, the device for a zone can be created with mknod by generating the corresponding node in the
/dev tree of the target zone. For security reasons, this can only be done by the administrator of the
global zone (since the local zones lack privileges after all).
If access to the device is to be revoked, the node can be deleted in the /dev of the zone. In doing so,
care must be taken that programs or mounts that have opened the device still retain access (as usual
in Unix). A mount should be removed before access is terminated.
If the device is to be used in the zone permanently, the corresponding entry should be made in the
zone configuration as well (example in 5.1.12.7 Dynamic configuration of devices ).
44