System Administration Guide: Oracle Solaris 9 Containers

Chapter 1 Introduction to Solaris 9 Containers

BrandZ provides the framework to create containers that contain non-native operating environments. These containers are branded zones used in the Solaris Operating System to run applications that cannot be run in a native environment. The brand described here is the solaris9 brand, Solaris 9 Containers.


Note –

If you want to create solaris9 zones now, go to Assess the Solaris 9 System.


About Branded Zones

By default, a non-global zone has the same characteristics as the operating system in the global zone, which is running the Solaris 10 Operating System or later Solaris 10 release. These native non-global zones and the global zone have conformance to standards, runtime behavior, command sets, and performance traits in common.

It is also possible to run a different operating environment inside of a non-global zone. The branded zone (BrandZ) framework extends the Solaris Zones infrastructure to include the creation of brands, or alternative sets of runtime behaviors. A brand can refer to a wide range of operating environments. For example, the non-global zone can emulate another version of the Solaris Operating System, or an operating environment such as Linux. Or, it might augment the native brand behaviors with additional characteristics or features. Every zone is configured with an associated brand.

The brand defines the operating environment that can be installed in the zone and determines how the system will behave within the zone so that the non-native software installed in the zone functions correctly. In addition, a zone's brand is used to identify the correct application type at application launch time. All branded zone management is performed through extensions to the native zones structure. Most administration procedures are identical for all zones.

You can change the brand of a zone in the configured state. Once a branded zone has been installed, the brand cannot be changed or removed.

BrandZ extends the zones tools in the following ways:

  • The zonecfg command is used to set a zone's brand type when the zone is configured.

  • The zoneadm command is used to report a zone's brand type as well as administer the zone.


Note –

Although you can configure and install branded zones on a Solaris Trusted Extensions system that has labels enabled, you cannot boot branded zones on this system configuration.


Components Defined by the Brand

The following components available in a branded zone are defined by the brand.

  • The privileges.

  • Device support. A brand can choose to disallow the addition of any unsupported or unrecognized devices. Devices can be added to solaris9 non-global zones. See About Solaris 9 Branded Zones.

  • The file systems required for a branded zone are defined by the brand. You can add additional Solaris file systems to a branded zone by using the fs resource property of zonecfg.

Processes Running in a Branded Zone

Branded zones provide a set of interposition points in the kernel that are only applied to processes executing in a branded zone.

  • These points are found in such paths as the syscall path, the process loading path, and the thread creation path.

  • At each of these points, a brand can choose to supplement or replace the standard Solaris behavior.

A brand can also provide a plug-in library for librtld_db. The plug-in library allows Solaris tools such as the debugger, described in mdb(1), and DTrace, described in dtrace(1M), to access the symbol information of processes running inside a branded zone.

General Zones Characteristics

The container provides a virtual mapping from the application to the platform resources. Zones allow application components to be isolated from one another even though the zones share a single instance of the Solaris Operating System. Resource management features permit you to allocate the quantity of resources that a workload receives.

The container establishes boundaries for resource consumption, such as CPU utilization. These boundaries can be expanded to adapt to changing processing requirements of the application running in the container.

General Zones Concepts

For additional information not in this guide, also refer to the System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones. That book provides a complete overview of Solaris Zones and branded zones.

You should be familiar with the following zones and resource management concepts, which are discussed in the guide:

  • Supported and unsupported features

  • Resource controls that enable the administrator to control how applications use available system resources

  • Commands used to configure, install, and administer zones, primarily zonecfg, zoneadm, and zlogin

  • The global zone and the non-global zone

  • The whole-root non-global zone model

  • The global administrator and the zone administrator

  • The zone state model

  • The zone isolation characteristics

  • Privileges

  • Networking

  • Zone IP types, exclusive-IP and shared-IP

  • The Solaris Container concept, which is the use of resource management features, such as resource pools, with zones

  • The fair share scheduler (FSS), a scheduling class that enables you to allocate CPU time based on shares

  • The resource capping daemon (rcapd), which can be used from the global zone to control resident set size (RSS) usage of branded zones

About Solaris 9 Branded Zones

A Solaris 9 branded zone (solaris9) is a complete runtime environment for Solaris 9 applications on SPARC machines running the Solaris 10 8/07 Operating System or later. The brand supports the execution of 32-bit and 64-bit Solaris 9 applications.

solaris9 branded zones are based on the whole root zone model. Each zone's file system contains a complete copy of the software that comprises the operating system. However, solaris9 zones are different from native whole root zones in that central patching is not applied.

Solaris 10 Features Available to Zones

Many Solaris 10 capabilities are available to the solaris9 zones, including the following:

  • Fault management architecture (FMA) for better system reliability (see smf(5)).

  • The ability to run on newer hardware that Solaris 9 does not support.

  • Solaris 10 performance improvements.

  • DTrace, run from the global zone, can be used to examine processes in solaris9 zones.

Limitations

Some functionality available in Solaris 9 is not available inside of Solaris Zones.

General Non-Global Zone Limitations

The following features cannot be configured in a non-global zone:

  • Solaris Live Upgrade boot environments

  • Solaris Volume Manager metadevices

  • DHCP address assignment in a shared-IP zone

  • SSL proxy server

In addition, a non-global zone cannot be an NFS server, and dynamic reconfiguration (DR) operations can only be done from the global zone.

Limitations Specific to solaris9 Branded Zones

The following limitations apply to solaris9 branded zones:

  • Solaris Auditing and Solaris Basic Security Module Auditing, described in bsmconv(1M) and auditon(2), are not supported. The audit subsystem will always appear to be disabled.

  • The CPU performance counter facility described in cpc(3CPC) is not available.

  • The following disk and hardware related commands do not work:

    • add_drv(1M)

    • disks(1M)

    • format(1M)

    • fdisk(1M)

    • prtdiag(1M)

    • rem_drv(1M)

The following DTrace providers do not work:

  • plockstat

  • pid
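The inventory below is an added example, not part of the Oracle guide. It reads the machine-parsable listing from `zoneadm list -cp`, assumed to use the field order zoneid:zonename:state:zonepath:uuid:brand:ip-type, and reports each solaris9 zone with the properties this chapter states for the brand: in-zone auditing unsupported, central patching not applied, and the brand changeable only in the configured state. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory solaris9 branded zones from `zoneadm list -cp` output.
# Assumed field order: zoneid:zonename:state:zonepath:uuid:brand:ip-type

# Constructed sample listing (not taken from a real system).
sample_zones() {
cat <<'EOF'
0:global:running:/::native:shared
1:web01:running:/zones/web01:UUID-PLACEHOLDER-1:native:shared
2:s9-legacy:running:/zones/s9-legacy:UUID-PLACEHOLDER-2:solaris9:shared
-:s9-test:configured:/zones/s9-test::solaris9:shared
-:s9-arch:installed:/zones/s9-arch:UUID-PLACEHOLDER-3:solaris9:shared
EOF
}

# Reads a zone listing on stdin; prints one line per solaris9 zone and a total.
audit_s9_zones() {
  awk -F: '
    NF < 7 { printf "SKIP malformed line %d\n", NR; next }
    $6 != "solaris9" { next }        # only the brand this guide covers
    {
      n++
      if ($3 == "running") r++
      # The guide states the brand can be changed only in the configured state.
      changeable = ($3 == "configured") ? "yes" : "no"
      # Auditing always appears disabled inside a solaris9 zone, and central
      # patching from the global zone is not applied to it.
      printf "%s state=%s brand_changeable=%s audit=unsupported central_patching=no\n", \
             $2, $3, changeable
    }
    END { printf "TOTAL solaris9=%d running=%d\n", n, r }
  '
}

# Stand-alone run against the constructed sample.
sample_zones | audit_s9_zones
```

On a live system, run it from the global zone as `zoneadm list -cp | audit_s9_zones`.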

Using ZFS

Although the zone cannot use a delegated ZFS dataset, the zone can reside on a ZFS file system. You can add a ZFS file system to share with the global zone through the zonecfg fs resource. See Step 7 in How to Configure a solaris9 Branded Zone.

Note that the setfacl and getfacl commands cannot be used with ZFS. When a cpio archive with ACLs set on the files is unpacked, you will receive warnings about not being able to set the ACLs, although the files will be unpacked successfully. These commands can be used with UFS.

Adding Components

You can add the following components to a solaris9 branded zone through the zonecfg command:

Ability to Directly Migrate Installed Systems Into Zones

An existing Solaris 9 system can be directly migrated into a solaris9 branded zone. For more information, see Creating the Image for Directly Migrating Solaris 9 Systems Into Zones.

Figure 1–1 Solaris 9 System Migrated Into a solaris9 Zone

Illustration shows a Solaris 9 system being migrated into a solaris9 container.
  • © 2010, Oracle Corporation and/or its affiliates
