Use case for ZFS/Zones: Locking down a customer environment

James posted another good example of how to orchestrate some of the key Solaris 10 features: Extra layer of security on 15 minutes. When I think a little bit longer about it, it seems to me a nice idea to run the services in a zone even when it's the only zone on the system. You use the global domain only as a service domain. You would be able to move your installation around within seconds (when you host your zone filesystem on a network file system). You would be able to observe the zone undetected by users inside the zone. An attacker would have no way to detect the tripwires running in the global zone, for example. Upgrading your zone would be easier, too: clone the zone, upgrade it, do some configs, rename it, change the IP number, and when you detect later on that you've done total bullshit, you can switch back to your old zone within a few seconds. I think I will do some research regarding these concepts when I'm back from the States …
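
The clone, upgrade, rename and switch-back cycle described above, sketched as an added example (not code from this post or from James's): three shell functions that print the `zonecfg`/`zoneadm` commands for each phase so the plan can be reviewed before it is run in the global zone. The function names, the `/zones/<name>` zonepath, the `-old`/`-failed` suffixes and the sample names and addresses are assumptions, and the zone's address is assumed to be stored without a netmask suffix.

```shell
#!/bin/sh
# Added example: prints the zoneadm/zonecfg commands for the clone / cut over /
# roll back cycle. Nothing is executed here; review the plan, then pipe it to
# sh in the global zone. Names, addresses and /zones/<name> are constructed.

ok() {  # accept only plain zone names and addresses, since the plan may be piped to sh
  for a in "$@"; do
    case $a in ''|*[!A-Za-z0-9._-]*) echo "bad argument: $a" >&2; return 1;; esac
  done
}

# plan_clone LIVE CANDIDATE LIVE_IP TEST_IP
plan_clone() {
  ok "$@" || return 1
  echo "zonecfg -z $2 'create -t $1; set zonepath=/zones/$2'"
  echo "zonecfg -z $2 'select net address=$3; set address=$4; end'"
  echo "zoneadm -z $1 halt"   # the source zone must be halted while it is cloned
  echo "zoneadm -z $2 clone $1"
  echo "zoneadm -z $1 boot"   # old service back up
  echo "zoneadm -z $2 boot"   # candidate up on TEST_IP for upgrade and config work
}

# plan_cutover LIVE CANDIDATE LIVE_IP TEST_IP
plan_cutover() {
  ok "$@" || return 1
  echo "zoneadm -z $1 halt"
  echo "zoneadm -z $2 halt"
  echo "zonecfg -z $1 'set zonename=$1-old'"   # keep the old zone for rollback
  echo "zonecfg -z $2 'set zonename=$1'"
  echo "zonecfg -z $1 'select net address=$4; set address=$3; end'"
  echo "zoneadm -z $1 boot"
}

# plan_rollback LIVE
plan_rollback() {
  ok "$@" || return 1
  echo "zoneadm -z $1 halt"
  echo "zonecfg -z $1 'set zonename=$1-failed'"  # keep the bad zone for analysis
  echo "zonecfg -z $1-old 'set zonename=$1'"
  echo "zoneadm -z $1 boot"
}
```

For instance, `plan_rollback web` prints the four commands that put the preserved `web-old` zone back in service; the old zone keeps its original address in its configuration, so no address change is needed on the way back.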