Zones

Zones are Solaris's built-in OS virtualization technology. The global zone owns the hardware; non-global zones are isolated environments inside the same OS. Kernel zones go one step further: they run their own kernel and SRU (Support Repository Update) level on top of a Solaris host, like lightweight VMs with ZFS integration.

What are Zones in Solaris?

A zone is a virtualized Solaris environment that shares the same kernel as the global zone, but appears as a separate OS instance to applications and users. Zones provide isolation, security and consolidation on a single Solaris host.

Global Zone

The primary OS instance with full control over hardware and all zones. Zone ID 0.

Non-Global Zones

Isolated environments inside the same kernel, used to separate applications, environments or tenants.

Kernel Zones

Nested Solaris instances with their own kernel & SRU level, running on top of a Solaris host (brand: solaris-kz).

Why use zones?

  • Consolidate many environments on one physical server.
  • Isolate applications for security and stability.
  • Simplify patching and rollout (zone-level changes).
  • Kernel zones allow different SRU levels per guest.

Global Zone, Non-Global Zones, and Kernel Zones – Differences

Global Zone

  • Zone ID = 0.
  • Has full access to hardware, ZFS pools, network interfaces.
  • Manages and controls all other zones.
  • All admin tasks (zonecfg, zoneadm) are done from here.

Non-Global Zones (brand: solaris)

  • Share the same kernel as the global zone.
  • Can have their own file systems, packages, services.
  • Good for application isolation, but every zone runs the same kernel and SRU level as the host.

Kernel Zones (brand: solaris-kz)

  • Run their own Solaris kernel on top of the host.
  • Can have a different SRU level from the host.
  • Behave more like full VMs but tightly integrated with ZFS.

Identifying global zone and kernel zone capability

terminal — global zone check
solaris-lab
[root@solaris ~]# zonename
global
 
[root@solaris ~]# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared

terminal — virtinfo
solaris-lab
[root@solaris ~]# virtinfo -a
Hostname: sol11-kz-host
...
kz_enabled supported
lDom_control not supported
brand native
 
# If 'kz_enabled' is supported/true, you can use kernel zones.

Kernel Zones – what and why?

A kernel zone is a special kind of zone that runs its own Solaris kernel, providing an extra layer of isolation and flexibility. The host system (global zone) sees it as a guest, but inside the kernel zone it looks like a full Solaris machine.

Advantages of kernel zones

  • Different SRU level from the host – great for testing upgrades.
  • Better isolation from host kernel issues.
  • Useful when application certification requires a specific SRU.
  • Snapshot/clone/migration capabilities (depending on version).

When *not* to use kernel zones

  • If simple isolation using non-global zones is enough.
  • If you don’t want the extra overhead of another kernel.
  • If hardware resources are very tight.

Practical: create, install, boot and manage a kernel zone

1. Configure kernel zone using zonecfg

Define zonepath, memory/CPU caps, network, and other properties.

terminal — zonecfg kernel zone
solaris-lab
# Create a new kernel zone definition
[root@solaris ~]# zonecfg -z kz1
zonecfg:kz1> create -t SYSsolaris-kz
zonecfg:kz1> set zonepath=/system/zones/kz1
 
# Set memory and vCPUs (example)
zonecfg:kz1> add capped-memory
zonecfg:kz1:capped-memory> set physical=4G
zonecfg:kz1:capped-memory> end
 
zonecfg:kz1> add capped-cpu
zonecfg:kz1:capped-cpu> set ncpus=2
zonecfg:kz1:capped-cpu> end
 
# Network
zonecfg:kz1> add net
zonecfg:kz1:net> set physical=net0
zonecfg:kz1:net> end
 
# Verify and commit
zonecfg:kz1> verify
zonecfg:kz1> commit
zonecfg:kz1> exit

2. Install the kernel zone

This creates the OS image for the kernel zone (root filesystem, packages). It may use a local or network IPS repository.

terminal — zoneadm install
solaris-lab
[root@solaris ~]# zoneadm -z kz1 install
A ZFS file system has been created for this zone.
 
Image: Preparing at /system/zones/kz1/root.
Installing: This may take several minutes...
Done: Installation completed in 950.123 seconds.
 
Next Steps: Boot the zone, then log into the zone console.
Log in as 'root' to configure the zone.

3. Boot the kernel zone and log in

After boot, use zlogin -C <zone> to access the console for initial configuration.

terminal — zoneadm boot & zlogin
solaris-lab
[root@solaris ~]# zoneadm -z kz1 boot
 
[root@solaris ~]# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
1 kz1 running /system/zones/kz1 solaris-kz excl
 
[root@solaris ~]# zlogin -C kz1
[Connected to zone 'kz1' console]
 
Hostname: kz1
...
kz1 console login: root
Password:
# Now you are inside the kernel zone.

4. Reboot / halt kernel zone

You can manage kernel zones centrally from the global zone.

terminal — reboot/halt
solaris-lab
# Reboot the kernel zone
[root@solaris ~]# zoneadm -z kz1 reboot
 
# Halt the kernel zone immediately (for a graceful shutdown, use: zoneadm -z kz1 shutdown)
[root@solaris ~]# zoneadm -z kz1 halt
 
[root@solaris ~]# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- kz1 installed /system/zones/kz1 solaris-kz excl

5. Uninstall and remove kernel zone (optional)

When no longer needed, cleanly uninstall and delete the zone.

terminal — uninstall/delete
solaris-lab
# Uninstall kernel zone OS image
[root@solaris ~]# zoneadm -z kz1 uninstall -F
 
# Remove zone configuration
[root@solaris ~]# zonecfg -z kz1 delete -F

6. View configuration anytime

terminal — zonecfg info
solaris-lab
[root@solaris ~]# zonecfg -z kz1 info
zonename: kz1
zonepath: /system/zones/kz1
brand: solaris-kz
autoboot: false
...
capped-memory:
physical: 4G
capped-cpu:
ncpus: 2

Best practices for working with zones

  • Plan CPU and memory allocation; don’t overcommit on production without understanding the workload.
  • Keep zone configurations (zonecfg export) in version control for DR and documentation.
  • Use ZFS snapshots of zone datasets before risky changes/patches, especially for kernel zones.
  • Always manage zones from the global zone; avoid hacking files directly under zonepath from outside.
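
One way to act on the first two practices, as an added example that is not part of the original page: a small audit over saved `zonecfg -z <zone> export` files that reports zones with no memory cap, no CPU limit, or a shared IP stack. The zone names app1 and web1, the sample exports and the finding names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit saved `zonecfg -z <zone> export` files for the limits
# recommended above. Finding names are this example's own, not zonecfg output.
audit_zone_export() {
    awk '
        { sub(/^[ \t]+/, "") }                 # tolerate indented lines
        /^add / { res = $2; next }             # enter a resource scope
        /^end$/ { res = ""; next }             # back to global scope
        /^set / {
            kv = substr($0, 5); eq = index(kv, "=")
            prop = substr(kv, 1, eq - 1); val = substr(kv, eq + 1)
            if (res == "" && prop == "ip-type") iptype = val
            if (res == "capped-memory" && prop == "physical") mem = val
            if (res ~ /^(capped|dedicated|virtual)-cpu$/ && prop == "ncpus") cpu = val
        }
        END {
            if (mem == "") print "no-memory-cap"
            if (cpu == "") print "no-cpu-limit"
            if (iptype == "shared") print "shared-ip"
        }
    ' "$1"
}

# Constructed sample exports (not captured from a real host).
tmp=${TMPDIR:-/tmp}/zone-audit.$$
mkdir -p "$tmp"
cat > "$tmp/app1.cfg" <<'EOF'
create -b
set brand=solaris
set zonepath=/system/zones/app1
set ip-type=exclusive
add capped-memory
set physical=4G
end
add capped-cpu
set ncpus=2
end
EOF
cat > "$tmp/web1.cfg" <<'EOF'
create -b
set brand=solaris
set zonepath=/system/zones/web1
set ip-type=shared
add net
set physical=net0
end
EOF

for f in "$tmp"/*.cfg; do echo "== $f"; audit_zone_export "$f"; done
```

Run it against the directory of exports kept in version control; a zone that prints nothing passed all three checks.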

Once you're comfortable with zones and kernel zones, Solaris becomes a very powerful consolidation and test platform.