Solaris 10 Container Guide - Version 3.1-en - 4. Best Practices

Effective: 30/11/2009

4.2. Paradigms

Paradigms are design rules for the construction of zones. Depending on the application, a decision must be made which one of them should be applied.

4.2.1. Delegation of admin privileges to the application department

[ug] Administration of an application can be delegated to the department responsible for the application. Through zone isolation, the root administrator can influence only resources that are assigned to the zone. This also applies to other defined privileged users in the zone (see process privileges, ppriv).

If a zone is assigned to a shared IP instance, the network can only be configured in the global zone.

If a zone has an exclusive IP instance assigned to it, the administrator of this zone can undertake the network configuration for the zone independently.

File systems can be specified from the global zone (zonecfg add fs).

File system administration can be handed over to the administrator of the local zone (zonecfg add device).
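The delegation decisions listed above (shared versus exclusive IP instance, file systems supplied from the global zone with `add fs`, file system administration handed over with `add device`) are all visible in a zone's zonecfg command file, which is the format `zonecfg -z NAME export` prints and `zonecfg -z NAME -f FILE` reads. The following script is an added example, not part of the Solaris 10 Container Guide: it reads such a file and reports which administrative tasks the configuration delegates to the local zone administrator, so the platform administrator can audit a zone before handing over its root password. The two sample configurations, zone names, paths, addresses and device patterns are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Solaris 10 Container Guide): audit a zonecfg
# command file for the delegation paradigms of section 4.2.1. Only POSIX sh
# and awk are needed, so it can run anywhere, not only on a Solaris host.

# Sample 1 (constructed): shared IP instance, file system provided by the
# global zone via "add fs". Network and file system admin stay in the global zone.
ZONE_APP1_CFG='create -b
set zonepath=/zones/app1
set autoboot=true
set ip-type=shared
add net
set address=192.0.2.10/24
set physical=e1000g0
end
add fs
set dir=/export/data
set special=/dev/dsk/c1t1d0s6
set raw=/dev/rdsk/c1t1d0s6
set type=ufs
end'

# Sample 2 (constructed): exclusive IP instance and a raw disk slice delegated
# via "add device". The zone admin now administers network and file systems.
ZONE_APP2_CFG='create -b
set zonepath=/zones/app2
set autoboot=true
set ip-type=exclusive
add net
set physical=e1000g1
end
add device
set match=/dev/*dsk/c1t2d0s6
end'

# Read a zonecfg command file on stdin and print one summary line:
#   ip-type=<shared|exclusive> network-admin=<global|zone>
#   fs-from-global=<count of "add fs"> device-delegated=<count of "add device">
zone_delegation_report() {
    awk '
    /^set ip-type=/ { split($0, a, "="); iptype = a[2] }
    /^add fs$/      { fs++ }
    /^add device$/  { dev++ }
    END {
        # zonecfg defaults to a shared IP instance when ip-type is not set
        if (iptype == "") iptype = "shared"
        admin = (iptype == "exclusive") ? "zone" : "global"
        printf "ip-type=%s network-admin=%s fs-from-global=%d device-delegated=%d\n",
               iptype, admin, fs + 0, dev + 0
    }'
}

# Wrappers so each sample report can be obtained by name.
report_app1() { printf '%s\n' "$ZONE_APP1_CFG" | zone_delegation_report; }
report_app2() { printf '%s\n' "$ZONE_APP2_CFG" | zone_delegation_report; }

# On a real system the input would come from: zonecfg -z app1 export
report_app1
report_app2
```

A zone whose report shows `device-delegated` greater than zero has file system administration handed to its local administrator, which is exactly the case where the responsibility hand-over described in 4.2.2 should be agreed with operations beforehand; `network-admin=zone` marks the same hand-over for the network configuration.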

4.2.2. Applications in local zones only

[ug] If local zones are used for applications, it is recommended not to use the global zone for applications as well.

Only then is it possible for computer hardware administration to remain purely with the platform administrators of the global zone.

Platform administrators are the administrators who administer the global zone. They have access to the hardware (cabinet, power cable, hard drives) and perform the Solaris installation in the global zone. The platform administrator is also responsible for kernel patching and rebooting the entire system.

It is not necessary to give the application admin access to the global zone.

If the application admin needs root access, he/she can receive the root password for the local zone of his/her application. He/she must then, however, assume responsibility for the availability of the application, in consultation with operations.

Requests for disk space are submitted through platform administration who can assign resources to the corresponding local zone, following approval by storage administration (if separate).

For network configuration, a distinction must be made between a shared and an exclusive IP instance. Unlike the administrator of a zone with a shared IP instance, the administrator of a zone with an exclusive IP instance can undertake network administration himself.

In the global zone, only system-oriented applications are installed that are required for management, monitoring or backup/restore purposes. To increase availability, cluster software can be used as well.

Advantages:

Responsibilities for system, storage and application can be distinctly separated.

Root-user access to the basic system is restricted to system administration. This results in improved stability.

Disadvantages:

Some applications are not yet explicitly released for use in zones. Usually, the applications work in zones but they have not yet been certified by the manufacturer of the application.

46
