The zones.xml script has a clear warning:
<!--
Until overlay device creation is moved out of the zone
state-change script, zones must be dependent on varpd's
successful launch.
-->
<dependency
name='varpd'
type='service'
grouping='require_all'
restart_on='none'>
<service_fmri value='svc:/network/varpd' />
</dependency>
With recently-pushed-upstream illumos#14434, the default setting for varpd's SMF service is disabled. We are not enabling it in the varpd.xml file to reduce diffs with upstream.
For now, as part of merging with 14434, we're automatically enabling varpd in the network/early-admin service method. Longer term we should break the dependency, and either have the zone state-change script not create overlay devices, OR have it perform the launching-and-verification of the varpd service only if overlays are required.
The correct approach to this problem is not obvious, and the text here, or even the summary, may change upon further exploration.