Non-global zones provide the following features:
Once a process has been placed in a zone other than the global zone, neither the process norany of its subsequent children can change zones.
Network services can be run in a zone. By running network services in a zone, you limit thedamage possible in the event of a security violation. An intruder who successfully exploits asecurity flaw in software running within a zone is confined to the restricted set of actionspossible within that zone. The privileges available within a zone are a subset of those available inthe system as a whole.
Zones allow the deployment of multiple applications on the same system, even if thoseapplications operate in different trust domains, require exclusive access to a global resource, orpresent difficulties with global configurations. The applications are also prevented from monitoringor intercepting each other's network traffic, file system data, or process activity.
Zones are configured as exclusive-IP type by default. The zones are isolated from the globalzone and from each other at the IP layer. This isolation is useful for both operational and securityreasons. Zones can be used to consolidate applications that must communicate on different subnetsusing their own LANs or VLANs. Each zone can also define its own IP layer security rules.
Zones provide a virtualized environment that can hide details such as physical devices and thesystem's primary IP address and host name from applications. The same application environment can bemaintained on different physical machines. The virtualized environment allows separateadministration of each zone. Actions taken by a zone administrator in a non-global zone do notaffect the rest of the system.
A zone can provide isolation at almost any level of granularity. SeeNon-Global Zone Isolation for more information.
Zones do not change the environment in which applications execute except when necessary toachieve the goals of security and isolation. Zones do not present a new API or ABI to whichapplications must be ported. Instead, zones provide the standard Oracle Solaris interfaces andapplication environment, with some restrictions. The restrictions primarily affect applications thatattempt to perform privileged operations.
Applications in the global zone run without modification, whether or not additional zones areconfigured.