SUN introduced the concept of Solaris zones in Solaris 10. Although you can virtualize servers running Solaris 10 this way, the concept does not apply to Solaris 8 and Solaris 9, because zones share the kernel of the physical server. Servers running those operating systems are therefore hard to virtualize. SUN addressed this by introducing Solaris branded zones in Solaris 10, which make it possible to virtualize servers running Solaris 8 or Solaris 9.

With branded zones, any server running either Solaris 8 or Solaris 9 can be configured as a branded zone on Solaris 10 and run its applications the same way it did on the physical server. No modifications are required from the application's point of view. The whole procedure is seamless and transparent enough that users don't even know they are on a virtual server. From the OS administration point of view, however, there are some differences between how Solaris 10 zones (non-branded zones) and branded zones are built.

As zones share the kernel of the physical server, all devices are owned by the physical server. The zone administrator therefore has no ownership of devices and cannot run commands that change or analyze the physical device structure, such as format and snoop. This is enforced through the concept of privileges in Solaris: by default a zone does not hold all of the privileges available to the physical server. All other administrative and troubleshooting commands, such as ping and traceroute, work fine.

There is a privilege called net_rawaccess in Solaris which grants access to raw network devices and allows commands such as packet capture (snoop) and interface configuration (ifconfig) to operate on a network device.

With Solaris non-branded zones, you do not need this privilege to run the traceroute command in the non-global zone.

But a Solaris branded zone needs this privilege to run traceroute. You will get an error message like the one below when you attempt to run traceroute from a Solaris 10 branded zone without the net_rawaccess privilege.

bash-2.03$ /usr/sbin/traceroute x.x.x.x
traceroute: raw socket: Protocol not supported

This is due to the difference in the way these two zone types are developed and integrated into the Solaris 10 kernel. The privilege can be granted through the zonecfg interface.

zonecfg -z <ZoneName>

set limitpriv=default,net_rawaccess

commit

exit

Then reboot the zone:

zoneadm -z <ZoneName> reboot
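The following is an added example, not part of the original post: a small POSIX shell audit that checks whether a zone's limitpriv setting already contains net_rawaccess and, if not, prints the zonecfg/zoneadm sequence from the steps above. It assumes that `zonecfg -z <zone> info limitpriv` prints a line of the form `limitpriv: default,net_rawaccess`; the sample output and the zone name `sol9zone` are constructed so the script runs offline without a Solaris host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a zone's limitpriv
# setting and print the remediation commands described in the post.
#
# Assumption: `zonecfg -z <zone> info limitpriv` prints a single line like
#   limitpriv: default,net_rawaccess
# The two samples below are constructed stand-ins for that output.
SAMPLE_WITH="limitpriv: default,net_rawaccess"
SAMPLE_WITHOUT="limitpriv: default"

# zone_has_priv LIMITPRIV_LINE PRIV
# Returns 0 when PRIV appears in the comma-separated limitpriv list,
# 1 otherwise. Whitespace around entries is tolerated.
zone_has_priv() {
    _list=$(printf '%s\n' "$1" | sed -e 's/^limitpriv:[[:space:]]*//' | tr -d ' \t')
    # Wrap in commas so a match must cover a whole list entry.
    case ",$_list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# grant_net_rawaccess_cmds ZONE
# Prints the non-interactive form of the zonecfg steps from the post,
# followed by the zone reboot that makes the new privilege set effective.
grant_net_rawaccess_cmds() {
    printf 'zonecfg -z %s "set limitpriv=default,net_rawaccess; commit; exit"\n' "$1"
    printf 'zoneadm -z %s reboot\n' "$1"
}

# Demo on the constructed sample for the hypothetical zone "sol9zone".
if zone_has_priv "$SAMPLE_WITHOUT" net_rawaccess; then
    echo "sol9zone: net_rawaccess already granted"
else
    echo "sol9zone: net_rawaccess missing; remediation:"
    grant_net_rawaccess_cmds sol9zone
fi
```

On a real host, replace the sample strings with `$(zonecfg -z "$zone" info limitpriv)` for each zone listed by `zoneadm list -c`; since net_rawaccess permits raw socket use, the same check is useful for confirming that only the branded zones that actually need traceroute carry it.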

But even after you have granted the net_rawaccess privilege, commands like snoop and ifconfig still will not work, because the device is not physically owned by the zone.
