Now it's possible to set portions of the root file system as read-only.
The improvement is twofold:
Security
If the zone virtual environment somehow gets compromised, the read-only root file system is a tough barrier that helps limit the exposed surface.
For instance, a DNS service running on a dedicated immutable zone doesn't require tuning of the associated SMF service in order to run the service under a non-root account.
Management
This is easier to understand. Once perfectly set up, it's assured that the configuration won't be changed by accident or even by tampering. It's known that many problems arise from poor change management. Now the operating system supports and enforces the expected behavior. Great!
There are 3 degrees of protection:
Complete
This is given by the zone property file-mac-profile=strict.
Nothing can be changed and data can only be logged remotely.
Fixed
This is given by file-mac-profile=fixed-configuration.
Logging can be local and portions of /var are writable.
For instance, NIS services seem to work fine.
Flexible
This is given by file-mac-profile=flexible-configuration.
This differs from Fixed by allowing a writable /etc.
To check if a zone is configured as immutable:
# zonecfg -z server-1b info file-mac-profile
file-mac-profile: fixed-configuration
To check if a zone is running as immutable:
# zoneadm list -p | grep server-1b | cut -d: -f8,9
R:fixed-configuration
NOTE
Immutable zones don't protect non-root file systems.
Thus other forms of protection and recovery must be devised.
NOTE
To manage an immutable zone, it's necessary to temporarily remove the immutability / read-only enforcements:
# zoneadm -z <zonename> boot -w
If the zone is already running immutable you don't need to halt or shutdown and then perform the above command; simply use:
# zoneadm -z <zonename> reboot -w
In the latter case (a reboot for management) the message [NOTICE: Read-only zone rebooting read-write] will follow on the zone's console.
After the management, to re-enter the immutable state simply use init 6 or shutdown -r for an ordered shutdown as usual.
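The two checks above (configured profile vs. running state) combined with the management reboot suggest a simple audit: find zones that carry a file-mac-profile but are currently booted read-write, i.e. still in management mode after a `boot -w` or `reboot -w`. The script below is an added example, not from the original post; it parses a constructed `zoneadm list -p` listing with the field layout implied by the `cut -d: -f8,9` check (field 8 is the R/W flag, field 9 the file-mac-profile), and the zone names and UUID placeholders are made up.

```sh
#!/bin/sh
# Audit a `zoneadm list -p` listing for immutable zones booted read-write.
# Constructed sample listing (field 8 = R/W flag, field 9 = file-mac-profile),
# standing in for the real output of: zoneadm list -p
SAMPLE_ZONES='0:global:running:/::solaris:shared:-:none
1:server-1b:running:/zones/server-1b:UUID-PLACEHOLDER:solaris:excl:R:fixed-configuration
2:server-2a:running:/zones/server-2a:UUID-PLACEHOLDER:solaris:excl:W:fixed-configuration
3:dev-box:running:/zones/dev-box:UUID-PLACEHOLDER:solaris:excl:W:none'

# Read a zoneadm -p listing on stdin and print "zonename:verdict" per zone.
# A zone with a profile other than "none" is expected to run with flag "R";
# flag "W" means the immutability is currently lifted (management mode).
audit_immutable_zones() {
    while IFS=: read -r _zid zname _state _zpath _uuid _brand _iptype rw profile; do
        case "$profile" in
            none|"") verdict="not-immutable" ;;
            *) if [ "$rw" = "R" ]; then
                   verdict="immutable-enforced"
               else
                   verdict="IMMUTABLE-BUT-READ-WRITE"
               fi ;;
        esac
        printf '%s:%s\n' "$zname" "$verdict"
    done
}

# Verdict for a single zone name from the sample listing.
zone_verdict() {
    printf '%s\n' "$SAMPLE_ZONES" | audit_immutable_zones | grep "^$1:" | cut -d: -f2
}

# Number of immutable zones currently left read-write (what an operator
# would want to see as 0 outside of a management window).
count_unenforced() {
    printf '%s\n' "$SAMPLE_ZONES" | audit_immutable_zones \
        | grep -c ':IMMUTABLE-BUT-READ-WRITE$' || true
}
```

On a real host replace the sample with `zoneadm list -p | audit_immutable_zones` and alert on any IMMUTABLE-BUT-READ-WRITE verdict that persists beyond a planned management window.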