Q. How does a Solaris 10 zone offer increased security?

Posted by: Anonymous | 01 December, 2005

Solaris 10 zones have been described variously as FreeBSD jails grown up or chroot on steroids. In a nutshell, Solaris zones (a.k.a. containers) provide a means of creating virtualized operating system environments within a single instance of Solaris, allowing one or more processes to run in isolation from other activity on the system. This isolation prevents processes running in one zone from monitoring or interacting, in any way, with processes in another zone. A user or process in one zone knows nothing of any users or processes in any other zone. Only the global (initial) zone can see all of the processes. In the event of a zone becoming compromised and someone gaining root privileges, the breach is contained within that zone and cannot affect any other zone - in a suitably configured environment.

Zones also provide a layer of physical abstraction: a zone can only see the resources that have been assigned to it from the global zone, so physical devices and path names can be hidden from it. The administrator in the global zone can create a filesystem on a soft partition that is part of a mirrored volume and assign only the filesystem to a particular zone. That zone now has a mirrored filesystem (the soft partition) for its use but has no access or privileges to the physical devices that make up the metadevice. To go back to our compromised zone example: if the physical disk device had been allocated to the zone, a rogue admin account could format the disk, which could then impact other zones; if only a filesystem has been allocated to the zone, only that filesystem can be affected.

The zones framework has a very low system overhead; in a steady state, thousands of zones can exist on a given Solaris instance. The resources used by a zone depend on the processes running in it, so two busy zones could fully load a system, but the same would be true if all those processes were running in one Solaris image rather than in multiple zones. What is key is that the framework providing the segregation and virtualisation itself has almost no overhead. When zones are combined with resource management (fair share scheduling, cpu.shares, processor sets etc.) they become a more complete consolidation environment.
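As an added example (not part of the original answer), the POSIX shell script below audits a constructed `zonecfg -z web export` dump for the two points made above: whether the zone was handed a raw device rather than a delegated filesystem, and whether a zone.cpu-shares resource control is set so it cannot monopolise the CPU under fair share scheduling. The zone name `web`, the paths and the `/dev/md/dsk/d10` soft partition are made up; the export syntax (`add fs`/`set special=`, `add device`/`set match=`, `add rctl`/`set name=zone.cpu-shares`) is the Solaris 10 zonecfg format, and the script only needs sh and awk so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: audit a zonecfg export for
# settings that weaken the isolation described above. Assumes the Solaris 10
# "zonecfg -z <zone> export" syntax (add fs / set special=, add device /
# set match=, add rctl / set name=zone.cpu-shares). Zone name and paths below
# are constructed.

# Constructed export of a zone that got a delegated UFS filesystem on an SVM
# mirror (good) AND a raw disk slice (bad: root in the zone could format it),
# plus a CPU share so it cannot starve its neighbours under FSS.
sample_export() {
cat <<'EOF'
create -b
set zonepath=/zones/web
set autoboot=true
add fs
set dir=/export/web
set special=/dev/md/dsk/d10
set raw=/dev/md/rdsk/d10
set type=ufs
end
add device
set match=/dev/dsk/c0t1d0s0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end
EOF
}

# count_resources TYPE: number of "add TYPE" resources in an export on stdin
count_resources() {
    awk -v t="$1" '$1 == "add" && $2 == t { n++ } END { print n + 0 }'
}

# has_cpu_shares: exit 0 if zone.cpu-shares is configured (rctl form or the
# "set cpu-shares=" shorthand of later Solaris 10 updates), else exit 1
has_cpu_shares() {
    awk '/^set name=zone\.cpu-shares/ || /^set cpu-shares=/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# without_devices: copy of the export on stdin with every "add device" block
# removed, i.e. what the zone should look like after remediation
without_devices() {
    awk '$1 == "add" { res = $2 }
         res != "device" { print }
         $1 == "end" { res = "" }'
}

# audit_zonecfg ZONE: read an export on stdin, print findings, exit 1 if the
# zone has direct device access (breaks the "only a filesystem" containment)
audit_zonecfg() {
    awk -v zone="$1" '
        $1 == "add" { res = $2 }                   # entering a resource block
        res == "device" && sub(/^set match=/, "") {
            devices++
            printf "FINDING: zone %s has direct access to device %s\n", zone, $0
            printf "  fix: zonecfg -z %s \"remove device match=%s\"\n", zone, $0
        }
        res == "fs" && sub(/^set special=/, "") {
            fss++
            printf "ok: delegated filesystem %s (no access to underlying disks)\n", $0
        }
        /^set name=zone\.cpu-shares/ || /^set cpu-shares=/ { shares = 1 }
        $1 == "end" { res = "" }
        END {
            if (!shares)
                print "WARNING: no zone.cpu-shares; zone can hog CPU under FSS"
            printf "%d device(s), %d delegated filesystem(s)\n", devices + 0, fss + 0
            exit devices > 0 ? 1 : 0
        }'
}

# Stand-alone run: audit the constructed zone, then the remediated copy
sample_export | audit_zonecfg web || echo "=> zone 'web' fails the audit"
sample_export | without_devices | audit_zonecfg web && echo "=> remediated config passes"
```

On a real system you would feed it `zonecfg -z web export | audit_zonecfg web`; the printed `zonecfg ... "remove device match=..."` line is the change the global zone administrator would make to get back to the filesystem-only delegation the answer recommends.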

Finally, zones are part of OpenSolaris; for the low-down, check out http://www.opensolaris.org/os/community/zones/


Copyright 2005-2010, ask|dr.root, brought to you by Avnet Technology Solutions