I\u2019ve been asked several times by my students:<\/p>\n
1) \u00a0 \u201cWhat is the advantage of an immutable zone?\u201d<\/p>\n
2) \u00a0\u201cHow does the immutable zone compare to the sparse root zone in Solaris 10?\u201d<\/p>\n
3) \u00a0“What’s the advantage of the four different types of read-only non-global zones in Solaris 11?”<\/p>\n
<\/strong>In Solaris 10, a non-global zone\u2019s root file system could be either whole root or sparse.\u00a0 The whole root zone provided the greatest configuration flexibility because all the required Solaris packages are copied to the zone\u2019s private file system and the root file system is read-writable.<\/p>\n In Solaris 10, a sparse root zone shares parts of the root file system with the global zone.\u00a0 The sparse root zone implemented a read-only loopback file system from the global zone and it installed only a subset of the system root packages locally. The majority of the root file system was shared (inherited) from the global zone, which saved a great deal of disk space.\u00a0\u00a0 The sparse root file system provided a smaller foot print requiring less disk space and a read-only root file system that could not be modified.\u00a0 Although the read-only sparse root zone provided security against unauthorized or accidental changes, the disadvantage is that it was difficult to make authorized modifications to the root file system.\u00a0 In addition, with advances in ZFS file systems such as ZFS data deduplication, sparse root zones are no longer required and have been discontinued and replaced with immutable zones.<\/p>\n Immutable zones are read-only zones, but still contain \u201cwhole root\u201d file systems.\u00a0 The immutable zone can be configured as a completely read-only zone or it can be partially read-only.\u00a0 The immutable zone is controlled by a mandatory write access control (MWAC) kernel policy.\u00a0 This MWAC policy enforces the zone\u2019s root file system write privilege through a zonecfg file-mac-profile<\/span> property. The policy is enabled at zone boot.<\/p>\n By default, a zone’s file-mac-profile<\/span> property is not set in a non-global zone. The default policy for a nonglobal zone is to have a writable root file system. In a Solaris read-only zone, the file-mac-profile<\/span> property is used to configure a read-only zone root. A read-only root restricts access to the\u00a0run-time\u00a0environment from inside the zone. Through the zonecfg<\/span> utility, the file-mac-profile<\/span> can be set to one of the following values.<\/span><\/p>\n \u00a0 \u00a0 \u00a0file-mac-profile Values<\/strong><\/p>\n All of the profiles except none will cause the \/var\/pkg<\/span> directory and its contents to be read-only from inside the zone.<\/p>\n I like to explain things by using examples.\u00a0 The following examples explain each immutable zone model by taking you through the creation of each of the four types immutable zones.<\/p>\n It’s not required, but I prefer to put my non-global zones on their own ZFS pool, so I create a storage pool named \u201czones\u201d as follows:<\/p>\n root@solaris:~# zpool create zones c7t2d0<\/strong><\/p>\n Now, let’s create a simple exclusive-IP zone with no restrictions:<\/p>\n root@solaris:~# zonecfg -z testzone zonecfg:testzone> create zonecfg:testzone> set zonepath=\/zones\/testzone<\/strong><\/p>\n zonecfg:testzone> exit<\/strong><\/p>\n Use the # zonecfg<\/strong>\u00a0command to view the zone configuration as follows.<\/p>\n zonename: testzone Notice that the file-mac-profile<\/span>\u00a0property is not set. \u00a0Not setting the value of the file-mac-profile<\/span> property is equivalent to setting the value to none<\/span>. This value can be set to any of the four file-mac-profile<\/span> values described in the previous table. \u00a0The zone is a standard, read-write, non-global zone, with no additional protection beyond the existing zone’s boundaries.<\/p>\n Install the zone as follows:<\/p>\n root@solaris:~# zoneadm -z testzone install<\/strong><\/p>\n Boot the zone and connect to the zone console as follows:<\/p>\n root@solaris:~# zoneadm -z testzone boot; zlogin \u2013C testzone<\/strong><\/p>\n You\u2019ll be asked to answer the typical system configuration questions ( network, time zone, user and root accounts, name services).\u00a0After completing the system configuration tool, log into the zone console.<\/p>\n The\u00a0following\u00a0examples will illustrate that the root file system is unrestricted to the root user.\u00a0 I\u2019ll create the directory \/usr\/local<\/span>:<\/p>\n No errors are displayed because \/usr is writeable.<\/p>\n The strict configuration profile provides the tightest security because all file systems, except \u00a0\/tmp<\/span>\u00a0are read-only. \u00a0\u00a0\u00a0This is more strict that the Oracle Solaris 10 sparse root zone.\u00a0 It\u2019s equivalent to booting from the DVD, a read-only file system.\u00a0 Nothing can be changed, added or deleted in this zone including the \/root<\/span> directory and the \/export<\/span> file system.<\/p>\n Shut the zone down and reconfigure it with a strict profile as follows:<\/p>\n root@solaris:~# zonecfg -z testzone set file-mac-profile=strict<\/strong><\/p>\n Verify that the file-mac-profile<\/span> property was set on the zone by typing:<\/p>\n root@solaris:~# zonecfg -z testzone info<\/strong><\/p>\n zonename: testzone You can also get a quick overview of the file-mac-profile<\/span> property by typing:<\/p>\n root@solaris:~# zoneadm list -p<\/strong><\/p>\n 0:global:running:\/::solaris:shared:-:none<\/span> Notice that the global zone has a policy of none<\/span> and the testzone has a strict<\/span> policy.\u00a0 The R<\/b><\/span> in the second to last field indicates that the non-global zone is Read-Only.<\/p>\n Boot the zone and log back into the testzone console as follows:<\/p>\n root@solaris:~# zoneadm -z testzone boot<\/strong><\/p>\n Try to create a subdirectory in the \/usr\/local directory that you created earlier:<\/p>\n root@testzone:\/usr\/local# mkdir \/usr\/local\/bin The \/usr file system is read-only.\u00a0 \u00a0\u00a0The strict profile allows no exceptions to the read-only policy. \u00a0Everything in the root filesystem is read only, including \/var\/tmp<\/span>, the \/root<\/span> home directory, and \/export<\/span> as illustrated in the following examples:<\/p>\n root@testzone:\/# touch \/var\/adm\/foo root@testzone:\/# touch \/export\/foo<\/strong> root@testzone:~# touch \/root\/foo<\/strong> The only file system that is writeable is \/tmp<\/span>:<\/p>\n root@testzone:\/# touch \/tmp\/foo<\/strong><\/p>\n In a strict configuration, I can change a service state, but it is not persistent because the SMF repository is read-only as shown next:<\/p>\n # svcadm disable ssh<\/strong><\/p>\n The SMF repository is changed in memory, but not on disk.\u00a0 Therefore, the service is disabled now, but the next time the system boots, this service will return to its default state.\u00a0 The change is not a persistent change.<\/p>\n When the immutable zone is in strict mode:<\/p>\n However, you can always shut the zone down, change the\u00a0file-mac-profile<\/span> property back to none<\/span> and install packages, update the packages and modify services.\u00a0 When finished, set the zone back to a strict<\/span> policy.\u00a0 But, there is even an easier method.\u00a0 Simply boot the zone using the -w<\/span> (write) option as follows:<\/p>\n # zoneadm \u2013z testzone boot -w<\/strong><\/p>\n As the zone boots, the following message is displayed in the testzone console:<\/p>\n [NOTICE: Read-only zone booting up read-write]<\/p>\n From the global zone, view the testzone properties as follows:<\/p>\n root@solaris:~# zoneadm -z testzone list -p Notice the W<\/span> (write) in the second to last field.<\/p>\n Log into the zone and make the required changes. \u00a0In the example, I log into the zone and create a new directory in \/usr\/local and disable the ssh service as follows:<\/p>\n root@testzone:~# mkdir \/usr\/local\/bin<\/strong><\/p>\n root@testzone:~# svcadm disable ssh<\/strong><\/p>\n Because the zone is in a writeable state, the service changes were saved in the repository (on disk) and will be persistent across reboots.<\/p>\n A fixed-configuration zone provides more flexibility than the strict profile and allows log files to be created and modified in \/var.\u00a0 A non-global zone is set with a fixed-configuration by setting the file-mac-profile<\/span> and booting the zone as follows:<\/p>\n root@solaris:~# zonecfg -z testzone set file-mac-profile=fixed-configuration<\/strong><\/p>\n root@solaris:~# zoneadm -z testzone boot<\/strong><\/p>\n A fixed-configuration profile allows the zone to write to files in and below \/var, except directories containing configuration files:<\/p>\n When the zone is booted, view the zone properties as follows:<\/p>\n root@solaris:~# zoneadm -z testzone list -p Notice that the global zone has a policy of none<\/span> and the testzone has a fixed-configuration<\/span> policy.\u00a0 The R<\/b><\/span> in the second to last field indicates that the non-global zone is Read-Only.<\/p>\n Log into the zone console and the following examples will show that the root file system is still read-only and some of the directories in \/var are writeable. \u00a0For example, \/var\/tmp<\/span> and \/tmp<\/span> are writeable:<\/p>\n root@testzone:~# touch \/var\/tmp\/foo<\/strong><\/p>\n root@testzone:~# touch \/tmp\/foo<\/strong><\/p>\n The \/var directories which contain configuration files are still read-only as shown when I try to create a file in \/var\/spool\/cron\/crontabs:<\/p>\n The \/export and the \/root home directories are also read-only as shown:<\/p>\n root@testzone:\/# touch \/export\/foo root@testzone:~# touch \/root\/foo The flexible-configuration<\/span> provides the closest functionality to the Oracle Solaris 10 sparse root zone.\u00a0 The flexible configuration is equal to the fixed-configuration, but it also allows write access to files in the \/etc<\/span>, \/var<\/span>, and \/root<\/span> home directories.<\/p>\n Set the flexible-configuration on testzone and boot the zone as follows:<\/p>\n root@solaris:~# zonecfg -z testzone set file-mac-profile=flexible-configuration<\/strong><\/p>\n root@solaris:~# zoneadm -z testzone boot<\/strong><\/p>\n List the properties for testzone as follows:<\/p>\n root@solaris:~# zoneadm -z testzone list -p Verify write access to the \/etc<\/span>, \/var<\/span> and \/root<\/span> directories as follows:<\/p>\n root@testzone:~# touch \/etc\/hosts<\/strong><\/p>\n root@testzone:~# touch \/etc\/foo<\/strong><\/p>\n root@testzone:\/# touch \/root\/foo<\/strong><\/p>\n The \/export<\/span> file system is still read-only:<\/p>\n root@testzone:\/# touch \/export\/foo I’ve provided an explanation and given a few examples of immutable zones for Solaris 11. \u00a0Send me a comment below if there is anything I can help clear up for you.<\/p>\n","protected":false},"excerpt":{"rendered":" I\u2019ve been asked several times by my students: 1) \u00a0 \u201cWhat is the advantage of an immutable zone?\u201d 2) \u00a0\u201cHow does the immutable zone compare to the sparse root zone […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[13,15],"tags":[11,12,14],"class_list":["post-36","post","type-post","status-publish","format-standard","hentry","category-solaris-11","category-zones","tag-immutable-root","tag-immutable-zones","tag-solaris-11-zones"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9J8F7-A","_links":{"self":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/36","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":0,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/36\/revisions"}],"wp:attachment":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/media?parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/categories?post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/tags?post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Solaris 11 – Immutable Zones<\/strong><\/span><\/h4>\n
\n\n
\n none<\/td>\n \n \n
\n strict<\/td>\n \n \n
\n fixed-configuration<\/td>\n \n \n
\n flexible-configuration<\/td>\n \n \n
Create a Simple Zone (read-writeable)<\/strong><\/span><\/h4>\n
\n<\/strong>Use ‘create’ to begin configuring a new zone.<\/p>\n
\n<\/strong>create: Using system default template ‘SYSdefault’<\/p>\n
\nzonepath: \/zones\/testzone
\nbrand: solaris
\nautoboot: false
\nbootargs:
\nfile-mac-profile:
\npool:
\n…<output has been truncated>…<\/p>\nSet the Zone to Immutable: strict<\/strong><\/span><\/h4>\n
\nzonepath: \/zones\/testzone
\nbrand: solaris
\nautoboot: false
\nbootargs:
\nfile-mac-profile: strict<\/span>
\npool:
\nlimitpriv:
\n..<output has been truncated>\u2026<\/em><\/em><\/em><\/em><\/em><\/em><\/em><\/em><\/em><\/em><\/p>\n
\n2:testzone:running:\/zones\/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:strict<\/b><\/span><\/p>\n
\n<\/strong>mkdir: Failed to make directory “bin”; Read-only file system<\/em><\/em><\/p>\n
\n<\/strong>touch: cannot create \/var\/adm\/foo: Read-only file system<\/em><\/p>\n
\ntouch: cannot create \/export\/foo: Read-only file system<\/em><\/p>\n
\ntouch: cannot create \/root\/foo: Read-only file system<\/em><\/p>\n\n
\n<\/strong>\u00a0 \u00a0\u00a0<\/b><\/span>6:testzone:running:\/zones\/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:W:strict<\/span><\/em><\/p>\nSet the Zone to Immutable: fixed-configuration<\/em><\/strong><\/span><\/em><\/h4>\n
\n
\n<\/strong>2:testzone:running:\/zones\/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:fixed-configuration<\/span><\/p>\n
\n<\/strong>touch: cannot create \/export\/foo: Read-only file system<\/em><\/p>\n
\n<\/strong>touch: cannot create \/root\/foo: Read-only file system<\/em><\/p>\nSet the Zone to Immutable: flexible-configuration<\/strong><\/span><\/em><\/h4>\n
\n<\/strong>3:testzone:running:\/zones\/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:flexible-configuration<\/span><\/em><\/p>\n
\n<\/strong>touch: cannot create \/export\/foo: Read-only file system<\/em><\/p>\nSummary<\/h4>\n