Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009
5.1.15. Accelerated automatic creation of zones on a ZFS file system
[bf/ug] If a zone is configured on a ZFS file system, it can be duplicated very quickly by using ZFS
snapshots. This procedure is described below by means of an example script. The script is available
for download at http://blogs.sun.com/blogfinger/entry/how_to_create_a_lot.
In the first part of the script, the most important parameters for the zones have to be defined. These
include, for example:
Number of zones to be created
Network address range
Name of network interface
Net mask
Gateway
Base zone name (supplemented with number for the zone name)
Zone directory (supplemented with zone name)
Name of the zone that is used as the basis for cloning
Information for the sysidcfg file
Start status for the zone after installation
Once these settings have been made, the script can create the zones automatically and start them in the
configured state. More details on the script are available in the blog entry.
5.1.16. Zones hardening
[dd] To harden Solaris, the Solaris Security Toolkit is recommended as a general rule. Complete
procedures and mechanisms can be found here:
http://www.sun.com/products-n-solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html
Within the toolkit, the features that are required to harden sparse-root or whole-root zones are
described. Details on this can be found here:
http://www.sun.com/products-n-solutions/hardware/docs/html/819-1503-10/introduction.html#pgfId-1001177
With Solaris 10 11/06, the feature "Secure by default" was introduced for network services. Calling
netservices limited turns off all network services except for sshd, or reconfigures them such that
they will only react to requests from localhost. As a result, considerable safeguarding of zones in
networks is possible using simple means.
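One way to verify the effect of netservices limited in a zone, as an added example that is not part of the guide: the script reads netstat -an output and lists TCP listeners that are neither bound to localhost nor sshd. The function names, the sample outputs and the zone name myzone are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): flag TCP listeners that should be gone
# after "netservices limited". Reads Solaris "netstat -an" text on stdin.
# Assumptions: sshd uses port 22 unless $1 says otherwise; AWK defaults to
# awk; on Solaris 10 set AWK=nawk, since /usr/bin/awk lacks -v.
AWK="${AWK:-awk}"

nonlocal_listeners() {
    "$AWK" -v ssh="${1:-22}" '
        $NF != "LISTEN" { next }        # skip headers, UDP, open sessions
        {
            n = split($1, part, ".")    # Solaris prints host.port, e.g. *.22
            port = part[n]
            host = substr($1, 1, length($1) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            if (port == ssh) next                             # sshd may stay
            print $1
        }'
}

# Constructed sample: a zone with network services still open.
sample_open() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.50.51022     49640      0 49640      0 ESTABLISHED
EOF
}

# Constructed sample: a zone whose mail service only answers localhost.
sample_limited() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
EOF
}

echo "open sample:";    sample_open    | nonlocal_listeners
echo "limited sample:"; sample_limited | nonlocal_listeners
# Live use, from the global zone (zone name "myzone" is a placeholder):
#   zlogin myzone netstat -an | nonlocal_listeners
```

A reported socket is a lead to follow up, not proof of exposure, because a service can bind the wildcard address and still refuse remote requests itself.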