native(5) [opensolaris man page]
native(5) Standards, Environments, and Macros native(5) NAME
native - native branded zone DESCRIPTION
The native brand uses the branded zones framework described in brands(5) to run zones installed with the same software as is installed in the global zone. The system software must always be in sync with the global zone when using a native brand. SUB-COMMANDS The following native brand-specific subcommand options are supported in zoneadm(1M). attach [-u] [-b patchid]... For native zones, zoneadm checks package and patch levels on the machine to which the zone is to be attached. If the packages/patches that the zone depends on from the global zone are different (have different revision numbers) from the dependent packages/patches on the source machine, zoneadm reports these conflicts and does not perform the attach. If the destination system has only newer dependent packages/patches (higher revision numbers) than those on the source system, you can use the -u option to update the attached zone to match the -revision packages and patches that exist on the new system. With -u, as in the default behavior, zoneadm does not perform an attach if outdated packages/patches are found on the target system. For native zones, one or more -b options can be used to specify a patch ID for a patch installed in the zone. These patches will be backed out before the zone is attached or, if -u was also specified, updated. install [-a archive] | [-d path] [-p] [-s] [-u] [-v] [-b patchid]... The native brand installer supports installing the zone from either the software already installed on the system or from an image of an installed system running the same release. This can be a full flash archive (see flash_archive(4)) or a cpio(1) or pax(1) "xustar" ar- chive. The cpio archive be compressed with gzip or bzip2. The image can also be a level 0 ufsdump(1M), a path to the top-level of a system's root tree, or a pre-existing zone path. With no options the zone is installed using same software as is running the global zone. To install the zone from a system image either the -a or -d is required. Either the -u or -p option is also required in this case. -a archive The path to a flash_archive(4), cpio(1), or pax(1) "xustar" archive, or a level0 ufsdump(1M), of an installed system. cpio archives may be compressed using gzip or bzip2. -b patchid One or more -b options can be used to specify a patch ID for a patch installed in the system image. These patches will be backed out during the installation process. -d path The path to the root directory of an installed system. If path is a hyphen (-), the zonepath is presumed to be already populated with the system image. -p Preserve the system configuration after installing the zone. -s Install silently. -u Run sys-unconfig(1M) on the zone after installing it. -v Verbose output from the install process. ATTRIBUTES
See attributes(5) for a description of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWzoneu | +-----------------------------+-----------------------------+ |Interface Stability |Uncommitted | +-----------------------------+-----------------------------+ SEE ALSO
cpio(1), pax(1), zlogin(1), zonename(1), sys-unconfig(1M), ufsdump(1M), zoneadm(1M), zonecfg(1M), flash_archive(4), attributes(5), brands(5), privileges(5), zones(5), lx_systrace(7D) SunOS 5.11 13 Feb 2009 native(5)
Check Out this Related Man Page
zones(5) Standards, Environments, and Macros zones(5) NAME
zones - Solaris application containers DESCRIPTION
The zones facility in Solaris provides an isolated environment for running applications. Processes running in a zone are prevented from monitoring or interfering with other activity in the system. Access to other processes, network interfaces, file systems, devices, and inter-process communication facilities are restricted to prevent interaction between processes in different zones. The privileges available within a zone are restricted to prevent operations with system-wide impact. See privileges(5). You can configure and administer zones with the zoneadm(1M) and zonecfg(1M) utilities. You can specify the configuration details a zone, install file system contents including software packages into the zone, and manage the runtime state of the zone. You can use the zlogin(1) to run commands within an active zone. You can do this without logging in through a network-based login server such as in.rlogind(1M) or sshd(1M). An alphanumeric name and numeric ID identify each active zone. Alphanumeric names are configured using the zonecfg(1M) utility. Numeric IDs are automatically assigned when the zone is booted. The zonename(1) utility reports the current zone name, and the zoneadm(1M) utility can be used to report the names and IDs of configured zones. A zone can be in one of several states: CONFIGURED Indicates that the configuration for the zone has been completely specified and committed to stable storage. INCOMPLETE Indicates that the zone is in the midst of being installed or uninstalled, or was interrupted in the midst of such a transition. INSTALLED Indicates that the zone's configuration has been instantiated on the system: packages have been installed under the zone's root path. READY Indicates that the "virtual platform" for the zone has been established. Network interfaces have been plumbed, file systems have been mounted, devices have been configured, but no processes associated with the zone have been started. RUNNING Indicates that user processes associated with the zone application environment are running. SHUTTING_DOWN Indicates that the zone is being halted. The zone can become stuck in one of these states if it is unable to tear DOWN down the application environment state (such as mounted file systems) or if some portion of the virtual platform cannot be destroyed. Such cases require operator intervention. Process Access Restrictions Processes running inside a zone (aside from the global zone) have restricted access to other processes. Only processes in the same zone are visible through /proc (see proc(4) or through system call interfaces that take process IDs such as kill(2) and priocntl(2). Attempts to access processes that exist in other zones (including the global zone) fail with the same error code that would be issued if the specified process did not exist. Privilege Restrictions Processes running within a non-global zone are restricted to a subset of privileges, in order to prevent one zone from being able to per- form operations that might affect other zones. The set of privileges limits the capabilities of privileged users (such as the super-user or root user) within the zone. The list of privileges available within a zone can be displayed using the ppriv(1) utility. For more informa- tion about privileges, see privileges(5). Device Restrictions The set of devices available within a zone is restricted, to prevent a process in one zone from interfering with processes in other zones. For example, a process in a zone should not be able to modify kernel memory using /dev/kmem, or modify the contents of the root disk. Thus, by default, only a few pseudo devices considered safe for use within a zone are available. Additional devices can be made available within specific zones using the zonecfg(1M) utility. The device and privilege restrictions have a number of effects on the utilities that can run in a non-global zone. For example, the eep- rom(1M), prtdiag(1M), and prtconf(1M) utilities do not work in a zone since they rely on devices that are not normally available. File Systems Each zone has its own section of the file system hierarchy, rooted at a directory known as the zone root. Processes inside the zone can access only files within that part of the hierarchy, that is, files that are located beneath the zone root. This prevents processes in one zone from corrupting or examining file system data associated with another zone. The chroot(1M) utility can be used within a zone, but can only restrict the process to a root path accessible within the zone. In order to preserve file system space, sections of the file system can be mounted into one or more zones using the read-only option of the lofs(7FS) file system. This allows the same file system data to be shared in multiple zones, while preserving the security guarantees supplied by zones. NFS and autofs mounts established within a zone are local to that zone; they cannot be accessed from other zones, including the global zone. The mounts are removed when the zone is halted or rebooted. Networking Zones can be assigned logical network interfaces, which can be used to communicate over the network. These interfaces are configured using the zonecfg(1M) utility. The interface is removed when the zone is halted or rebooted. Only logical interfaces can be assigned to a zone. ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWcsu | +-----------------------------+-----------------------------+ SEE ALSO
zlogin(1), zonename(1), in.rlogind(1M), sshd(1M), zoneadm(1M), zonecfg(1M), getzoneid(3C), kill(2), priocntl(2), ucred_get(3C), get- zoneid(3C), proc(4), attributes(5), privileges(5), crgetzoneid(9F) SunOS 5.10 13 Apr 2004 zones(5)