Chapter 17 Non-Global Zone Configuration
(Overview)
This chapter provides an introduction to non-global zone configuration.
The following topics are covered in this chapter:
After you have learned about zone configuration, go to Chapter 18, Planning and Configuring Non-Global Zones (Tasks) to configure non-global zones for installation on your
system.
For information about lx branded zone configuration,
see Chapter 31, Planning the lx Branded Zone Configuration (Overview) and Chapter 32, Configuring the lx Branded Zone (Tasks).
What's New in This Chapter?
Solaris 10 6/06: Support for the ZFS file system, including the ability to add a dataset resource
in a native non-global zone, has been added. See Resource Type Properties for more information.
Solaris 10 11/06: Support for configurable
privileges has been added. See Solaris 10 11/06 and Later: Configurable Privileges.
Solaris 10 8/07: Support for the
following features has been added to the zonecfg command:
-
Better integration of resource management features and zones.
The zonecfg command can now be used to configure temporary
pools, memory limits, the default scheduling class for the zone, and resource
control aliases. You no longer have to perform any manual steps to set up
resource management. New resource controls were added:
-
zone.max-locked-memory
-
zone.max-msg-ids
-
zone.max-sem-ids
-
zone.max-shm-ids
-
zone.max-shm-memory
-
zone.max-swap
-
Ability to use the zonecfg command in the
global zone.
-
Ability to specify an IP type for a zone. The two IP types
available for non-global zones are shared-IP and exclusive-IP.
-
Ability to use DTrace in a zone by adding required privileges
through the limitpriv property.
-
Ability to use boot arguments in a zone through the bootargs property.
Solaris 10 10/08: The defrouter property has been added to the net resource
in the zonecfg utility for shared-IP non-global zones.
You can set the default router for the network interface through this property.
For a complete listing of new Solaris 10 features and a description
of Solaris releases, see Solaris 10 What’s New.
About Resources in Zones
A zone that includes resource management features is called a container.
Resources that can be controlled in a container include the following:
-
Resource pools or assigned CPUs, which are used for partitioning
machine resources.
-
Resource controls, which provide a mechanism for the constraint
of system resources.
-
Scheduling class, which enables you to control the allocation
of available CPU resources among zones through relative shares. You can express
the importance of the workloads in a given zone through the number of shares
of CPU resources that you assign to that zone.
Pre-Installation Configuration Process
Before you can install a non-global zone and use it
on your system, the zone must be configured.
The zonecfg command is used to create the configuration
and to determine whether the specified resources and properties are valid
on a hypothetical system. The check performed by zonecfg for
a given configuration verifies the following:
For more information about the zonecfg command, see
the zonecfg(1M) man
page.
Zone Components
This section covers the required and optional zone components that can
be configured. Additional information is provided in Zone Configuration Data.
Zone Name and Path
You must choose a name and a path for your zone.
Zone Autoboot
The autoboot property setting determines whether
the zone is automatically booted when the global zone is booted. The zones
service, svc:/system/zones:default must also be enabled.
Resource Pool Association
If you have configured resource pools on your system as described in Chapter 13, Creating and Administering Resource Pools (Tasks), you can use the pool property to
associate the zone with one of the resource pools when you configure the
zone.
Starting with the Solaris 10 8/07 release, if you do not have resource
pools configured, you can still specify that a subset of the system's processors
be dedicated to a non-global zone while it is running by using the dedicated-cpu resource. The system will dynamically create a temporary pool for
use while the zone is running. With specification through zonecfg,
pool settings propagate during migrations.
Note –
A zone configuration using a persistent pool set through the pool property is incompatible with a temporary pool configured through
the dedicated-cpu resource. You can set only one of these
two properties.
Solaris 10 8/07: dedicated-cpu Resource
The dedicated-cpu resource specifies that a
subset of the system's processors should be dedicated to a non-global zone
while it is running. When the zone boots, the system will dynamically create
a temporary pool for use while the zone is running.
With specification in zonecfg, pool settings propagate
during migrations.
The dedicated-cpu resource sets limits for ncpus, and optionally, importance.
-
ncpus
-
Specify the number of CPUs or specify a range, such as 2–4
CPUs. If you specify a range because you want dynamic resource pool behavior,
also do the following:
-
importance
-
If you are using a CPU range to achieve dynamic behavior,
also set the importance property. The importance property,
which is optional, defines the relative importance of
the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold.
If poold is not running, then importance is
ignored. If poold is running and importance is
not set, importance defaults to 1. For
more information, see pool.importance Property Constraint.
Note –
The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl
and the dedicated-cpu resource are incompatible.
Solaris 10 5/08: capped-cpu Resource
The capped-cpu resource
provides an absolute fine-grained limit on the amount of CPU resources that
can be consumed by a project or a zone. When used in conjunction with processor
sets, CPU caps limit CPU usage within a set. The capped-cpu resource
has a single ncpus property that is a positive decimal
with two digits to the right of the decimal. This property corresponds to
units of CPUs. The resource does not accept a range. The resource does accept
a decimal number. When specifying ncpus, a value of 1 means 100 percent of a CPU. A value of 1.25 means
125 percent, because 100 percent corresponds to one full CPU on the system.
Note –
The capped-cpu resource and the dedicated-cpu resource are incompatible.
Scheduling Class in a Zone
You
can use the fair share scheduler (FSS) to control the
allocation of available CPU resources among zones, based on the importance
of the workloads in the zone. This workload importance is expressed by the
number of shares of CPU resources that you assign to
each zone. Even if you are not using FSS to manage CPU resource allocation
between zones, you can set the zone's scheduling-class to use FSS so that
you can set shares on projects within the zone.
When you explicitly set the cpu-shares property,
the fair share scheduler (FSS) will be used as the scheduling class for that
zone. However, the preferred way to use FSS in this case is to set FSS to
be the system default scheduling class with the dispadmin command.
That way, all zones will benefit from getting a fair share of the system CPU
resources. If cpu-shares is not set for a zone, the zone
will use the system default scheduling class. The following actions set the
scheduling class for a zone:
-
In the Solaris 10 8/07 release, you can use the scheduling-class property in zonecfg to set the scheduling class
for the zone.
-
You can set the scheduling class for a zone through the resource
pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running
in the zone run in that scheduling class by default. See Introduction to Resource Pools and How to Associate a Pool With a Scheduling Class.
-
If the cpu-shares rctl is set and FSS has
not been set as the scheduling class for the zone through another action, zoneadmd sets the scheduling class to FSS when the zone boots.
-
If the scheduling class is not set through any other action,
the zone inherits the system default scheduling class.
Note that you can use the priocntl command described in the priocntl(1) man page to move running processes
into a different scheduling class without changing the default scheduling
class and rebooting.
Solaris 10 8/07: Physical Memory Control and the capped-memory Resource
The capped-memory resource sets limits for physical, swap, and locked memory.
Each limit is optional, but at least one must be set.
-
Determine
values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. The physical property
of the capped-memory resource is used by rcapd as
the max-rss value for the zone.
-
The swap property of the capped-memory resource is
the preferred way to set the zone.max-swap resource control.
-
The locked property of the capped-memory resource
is the preferred way to set the zone.max-locked-memory resource
control.
Note –
Applications generally do not lock significant amounts of memory,
but you might decide to set locked memory if the zone's applications are known
to lock memory. If zone trust is a concern, you can also consider setting
the locked memory cap to 10 percent of the system's physical memory, or 10
percent of the zone's physical memory cap.
For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone. To temporarily set a resource cap for a zone, see How to Specify a Temporary Resource Cap for a Zone.
Zone Network Interfaces
Zone network interfaces configured by the zonecfg command
to provide network connectivity will automatically be set up and placed in
the zone when it is booted.
The Internet Protocol (IP) layer accepts and delivers packets for the
network. This layer includes IP routing, the Address Resolution Protocol (ARP),
IP security architecture (IPsec), and IP Filter.
There are two IP types available for non-global zones, shared-IP and
exclusive-IP. The shared-IP zone shares a network interface and the exclusive-IP
zone must have a dedicated network interface.
For information about IP features in each type, see Networking in Shared-IP Non-Global Zones and Solaris 10 8/07: Networking in Exclusive-IP Non-Global Zones.
Shared-IP Non-Global Zones
The shared-IP
zone is the default type. The zone must have one or more dedicated IP addresses.
A shared-IP zone shares the IP layer configuration and state with the global
zone. The zone should use the shared-IP instance if both of the following
are true:
-
The zone is to be connected to the same data-link, that is,
be on the same IP subnet or subnets as the global zone
-
You do not want the other capabilities that the exclusive-IP
zone provides.
Shared-IP zones are assigned one or more IP addresses using the zonecfg command. The data-link names must also be configured in the global
zone.
These addresses are associated with logical network interfaces. The ifconfig command can be used from the global zone to add or remove
logical interfaces in a running zone. For more information, see Shared-IP Network Interfaces.
Solaris 10 8/07: Exclusive-IP Non-Global Zones
Full
IP-level functionality is available in an exclusive-IP zone.
An exclusive-IP zone has its own IP-related state.
This includes the ability to use the following features in an exclusive-IP
zone:
-
DHCPv4 and IPv6 stateless address autoconfiguration
-
IP Filter, including network address translation
(NAT) functionality
-
IP Network Multipathing (IPMP)
-
IP routing
-
ndd for setting TCP/UDP/SCTP as well as
IP/ARP-level knobs
-
IP security (IPsec) and Internet Key Exchange (IKE),
which automates the provision of authenticated keying material for IPsec security
association
An exclusive-IP zone is assigned its own set of data-links using the zonecfg command. The zone is given a data-link name such as xge0, e1000g1, or bge32001, using
the physical property of the net resource.
The address property of the net resource
is not set.
Note that the assigned data-link enables the snoop command
to be used.
The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP
zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Solaris 10 8/07: Administering Data-Links in Exclusive-IP Non-Global Zones for usage examples.
Inside a running exclusive-IP zone, the ifconfig command
can be used to configure IP, which includes the ability to add or remove logical
interfaces. The IP configuration in a zone can be set up in the same way as
for the global zone, by using the sysidtools described
in sysidcfg(4).
Note –
The IP configuration of an exclusive-IP zone can only be viewed
from the global zone by using the zlogin command. An example
follows.
global# zlogin zone1 ifconfig -a
Security Differences Between Shared-IP and Exclusive-IP
Non-Global Zones
In a shared-IP zone, applications in the zone, including the superuser,
cannot send packets with source IP addresses other than the ones assigned
to the zone through the zonecfg utility. This type of zone
does not have access to send and receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, zonecfg instead grants
the entire specified data-link to the zone. As a result, the superuser in
an exclusive-IP zone can send spoofed packets on those data-links, just as
can be done in the global zone.
Using Shared-IP and Exclusive-IP Non-Global Zones
at the Same Time
The shared-IP zones always share the IP layer with the global zone,
and the exclusive-IP zones always have their own instance of the IP layer.
Both shared-IP zones and exclusive-IP zones can be used on the same machine.
File Systems Mounted in Zones
Generally, the file systems mounted in a zone include the following:
This can include, for example, the following file systems:
-
File systems specified in a zone's /etc/vfstab file
-
AutoFS and AutoFS-triggered
mounts
-
Mounts explicitly performed by a zone administrator
Certain restrictions are placed on mounts performed from within the
application environment. These restrictions prevent the zone administrator
from denying service to the rest of the system, or otherwise negatively impacting
other zones.
There are security restrictions associated with mounting certain file
systems from within a zone. Other file systems exhibit special behavior when
mounted in a zone. See File Systems and Non-Global Zones for more information.
Configured Devices in Zones
The zonecfg command uses a rule-matching system to
specify which devices should appear in a particular zone. Devices matching
one of the rules are included in the zone's /dev file system.
For more information, see How to Configure the Zone.
Setting Zone-Wide Resource Controls
The
global administrator can set privileged zone-wide resource controls for a
zone. Zone-wide resource controls limit the total resource usage of all process
entities within a zone.
These limits are specified for both the global and non-global zones
by using the zonecfg command. See How to Configure the Zone.
Starting with the Solaris 10 8/07 release, the preferred, simpler method
for setting a zone-wide resource control is to use the property name instead
of the rctl resource.
Solaris 10 5/08: The zone.cpu-cap resource control sets an absolute limit on the amount of CPU resources
that can be consumed by a zone. A value of 100 means 100
percent of one CPU as the project.cpu-cap setting. A value
of 125 is 125 percent, because 100 percent corresponds
to one full CPU on the system when using CPU caps.
Note –
When setting the capped-cpu resource, you can
use a decimal number for the unit. The value correlates to the zone.capped-cpu resource control, but the setting is scaled down by 100. A setting
of 1 is equivalent to a setting of 100 for
the resource control.
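Several of the rules stated in this chapter (a persistent pool versus dedicated-cpu, capped-cpu and cpu-shares versus dedicated-cpu, capped-memory needing at least one property, an exclusive-IP net resource carrying no address, and the factor of 100 between a capped-cpu ncpus value and the zone.cpu-cap resource control) can be checked offline against the output of zonecfg export before a configuration is committed. The Python below is an added example, not Solaris code and not the zonecfg verify subcommand; the two command files it parses are constructed for the example, and the checks cover only the rules this chapter states.

```python
"""Offline check of a zonecfg command file (as produced by zonecfg export)
against rules stated in this chapter. Added example: not Solaris code and not
the zonecfg verify subcommand. Both command files below are constructed."""
from decimal import Decimal, InvalidOperation

# Constructed: a zone that breaks several documented rules at once.
CONFLICTING_EXPORT = """\
create -b
set zonepath=/export/zones/my-zone
set ip-type=exclusive
set pool=pool_web
set cpu-shares=20
add net
set physical=e1000g1
set address=192.0.2.10/24
end
add dedicated-cpu
set ncpus=2-4
end
add capped-cpu
set ncpus=1.25
end
add capped-memory
end
"""

# Constructed: a zone for which every documented rule holds.
CLEAN_EXPORT = """\
create -b
set zonepath=/export/zones/my-zone
set ip-type=exclusive
add net
set physical=e1000g1
end
add dedicated-cpu
set ncpus=2-4
set importance=10
end
add capped-memory
set physical=1g
set locked=100m
end
"""


def parse_export(text):
    """Return (globals, resources): globals maps property -> value, resources
    is a list of (type, {property: value}) in file order."""
    globals_, resources, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:                          # global scope
            if line.startswith("add "):
                current = (line.split(None, 1)[1], {})
            elif line.startswith("set "):
                key, _, val = line[4:].partition("=")
                globals_[key.strip()] = val.strip()
        elif line == "end":                          # back to global scope
            resources.append(current)
            current = None
        elif line.startswith("set "):                # property of current resource
            key, _, val = line[4:].partition("=")
            current[1][key.strip()] = val.strip()
    if current is not None:
        raise ValueError("resource %r is missing its 'end'" % current[0])
    return globals_, resources


def cpu_cap_rctl_value(ncpus):
    """zone.cpu-cap value for a capped-cpu ncpus setting: "1.25" -> 125."""
    return int(Decimal(ncpus) * 100)


def check_export(text):
    """Return the rule violations found in an export (empty list = consistent)."""
    g, resources = parse_export(text)
    types = [t for t, _ in resources]
    dedicated = "dedicated-cpu" in types
    findings = []
    if dedicated and "pool" in g:
        findings.append("pool and dedicated-cpu are incompatible; set only one")
    if dedicated and "capped-cpu" in types:
        findings.append("capped-cpu and dedicated-cpu are incompatible")
    if dedicated and "cpu-shares" in g:
        findings.append("cpu-shares and dedicated-cpu are incompatible")
    for t, p in resources:
        if t == "net" and g.get("ip-type") == "exclusive" and "address" in p:
            findings.append("exclusive-IP zone: net %s must not set address"
                            % p.get("physical", "?"))
        elif t == "capped-cpu":
            try:                                     # a range such as 2-4 is rejected
                if Decimal(p.get("ncpus", "")) <= 0:
                    raise InvalidOperation
            except InvalidOperation:
                findings.append("capped-cpu ncpus must be a positive decimal")
        elif t == "capped-memory" and not {"physical", "swap", "locked"} & set(p):
            findings.append("capped-memory needs at least one of physical, swap, locked")
    return findings
```

Running check_export over the conflicting file yields five findings; the clean file yields none. Because the checker reads the export format, it can sit in a review step for zone configurations kept under version control, which is where a mutually exclusive pool and dedicated-cpu setting is cheapest to catch.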
The zone.cpu-shares resource control sets a
limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU
shares are first allocated to the zone, and then further subdivided among
projects within the zone as specified in the project.cpu-shares entries.
For more information, see Using the Fair Share Scheduler on a Solaris System With Zones Installed. The global
property name for this control is cpu-shares.
The zone.max-locked-memory resource
control limits the amount of locked physical memory available to a zone. The
allocation of the locked memory resource across projects within the zone can
be controlled by using the project.max-locked-memory resource
control. See Table 6–1 for
more information.
The zone.max-lwps resource control enhances
resource isolation by preventing too many LWPs in one zone from affecting
other zones. The allocation of the LWP resource across projects within the
zone can be controlled by using the project.max-lwps resource
control. See Table 6–1 for
more information. The global property name for this control is max-lwps.
The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by
all processes within a zone. The allocation of System V resources across projects
within the zone can be controlled by using the project versions of these resource
controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.
The zone.max-swap resource control limits swap
consumed by user process address space mappings and tmpfs mounts
within a zone. The output of prstat -Z displays
a SWAP column. The swap reported is the total swap consumed by the zone's
processes and tmpfs mounts. This value assists in monitoring
the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting.
Table 17–1 Zone-Wide Resource Controls
Control Name | Global Property Name | Description | Default Unit | Value Used For
zone.cpu-cap | (none) | Solaris 10 5/08: Absolute limit on the amount of CPU resources for this zone | Quantity (number of CPUs), expressed as a percentage. Note – When setting as the capped-cpu resource, you can use a decimal number for the unit. | (none)
zone.cpu-shares | cpu-shares | Number of fair share scheduler (FSS) CPU shares for this zone | Quantity (shares) | (none)
zone.max-locked-memory | (none) | Total amount of physical locked memory available to a zone. If priv_proc_lock_memory is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory. | Size (bytes) | locked property of capped-memory
zone.max-lwps | max-lwps | Maximum number of LWPs simultaneously available to this zone | Quantity (LWPs) | (none)
zone.max-msg-ids | max-msg-ids | Maximum number of message queue IDs allowed for this zone | Quantity (message queue IDs) | (none)
zone.max-sem-ids | max-sem-ids | Maximum number of semaphore IDs allowed for this zone | Quantity (semaphore IDs) | (none)
zone.max-shm-ids | max-shm-ids | Maximum number of shared memory IDs allowed for this zone | Quantity (shared memory IDs) | (none)
zone.max-shm-memory | max-shm-memory | Total amount of System V shared memory allowed for this zone | Size (bytes) | (none)
zone.max-swap | (none) | Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone. | Size (bytes) | swap property of capped-memory
These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command.
Limits specified through the prctl command are not persistent.
The limits are only in effect until the system is rebooted.
Solaris 10 11/06 and Later: Configurable Privileges
When a zone is booted, a default set of safe privileges
is included in the configuration. These privileges are considered safe because
they prevent a privileged process in the zone from affecting processes in
other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:
-
Add to the default set of privileges, understanding that such
changes might allow processes in one zone to affect processes in other zones
by being able to control a global resource.
-
Remove from the default set of privileges, understanding that
such changes might prevent some processes from operating correctly if they
require those privileges to run.
Note –
There are a few privileges that cannot be removed from the zone's
default privilege set, and there are also a few privileges that cannot be
added to the set at this time.
For more information, see Privileges in a Non-Global Zone, How to Configure the Zone, and privileges(5).
Including a Comment for a Zone
You can add a comment for a zone by using the attr resource
type. For more information, see How to Configure the Zone.
Using the zonecfg Command
The zonecfg command,
which is described in the zonecfg(1M) man page, is used to configure a
non-global zone. In the Solaris 10 8/07 release, this command can also be
used to persistently specify the resource management settings for the global
zone.
The zonecfg command can be used in interactive mode,
in command-line mode, or in command-file mode. The following operations can
be performed using this command:
-
Create or delete (destroy) a zone configuration
-
Add resources to a particular configuration
-
Set properties for resources added to a configuration
-
Remove resources from a particular configuration
-
Query or verify a configuration
-
Commit to a configuration
-
Revert to a previous configuration
-
Rename a zone
-
Exit from a zonecfg session
The zonecfg prompt is of the following form:
When you are configuring a specific resource type, such as a file system,
that resource type is also included in the prompt:
For more information, including procedures that show how to use the
various zonecfg components described in this chapter, see Chapter 18, Planning and Configuring Non-Global Zones (Tasks).
zonecfg Modes
The concept of a scope is used
for the user interface. The scope can be either global or resource specific. The default scope is global.
In the global scope,
the add subcommand and the select subcommand
are used to select a specific resource. The scope then changes to that resource
type.
-
For the add subcommand, the end or cancel subcommands are used to complete the resource specification.
-
For the select subcommand, the end or cancel subcommands are used to complete the resource modification.
The scope then reverts back to global.
Certain subcommands, such as add, remove,
and set, have different semantics in each scope.
zonecfg Interactive Mode
In interactive mode, the following subcommands are
supported. For detailed information about semantics and options used with
the subcommands, see the zonecfg(1M) man page for options. For any subcommand
that could result in destructive actions or loss of work, the system requests
user confirmation before proceeding. You can use the -F (force)
option to bypass this confirmation.
-
help
-
Print general help, or display help about a given resource.
zonecfg:my-zone:inherit-pkg-dir> help
-
create
-
Begin configuring an in-memory configuration for the specified
new zone for one of these purposes:
-
To apply the Sun default settings to a new configuration.
This method is the default.
-
With the -t template option,
to create a configuration that is identical to the specified template. The
zone name is changed from the template name to the new zone name.
-
With the -F option, to overwrite an existing
configuration.
-
With the -b option, to create a blank configuration
in which nothing is set.
-
export
-
Print the configuration to standard output, or to the output
file specified, in a form that can be used in a command file.
-
add
-
In the global scope, add the specified resource type to the
configuration.
In the resource scope, add a property of the given name with the given
value.
See How to Configure the Zone and
the zonecfg(1M) man page for more information.
-
set
-
Set a given property name to the given property value. Note
that some properties, such as zonepath, are global, while
others are resource specific. Thus, this command is applicable in both the
global and resource scopes.
-
select
-
Applicable only in the global scope. Select the resource of
the given type that matches the given property name-property value pair criteria
for modification. The scope is changed to that resource type. You must specify
a sufficient number of property name-value pairs for the resource to be uniquely
identified.
-
clear
-
Solaris 10 8/07: Clear
the value for optional settings. Required settings cannot be cleared. However,
some required settings can be changed by assigning a new value.
-
remove
-
In the global scope, remove the specified resource type. You
must specify a sufficient number of property name-value pairs for the resource
type to be uniquely identified. If no property name-value pairs are specified,
all instances will be removed. If more than one exists, a confirmation is
required unless the -F option is used.
In the resource scope, remove the specified property name-property value
from the current resource.
-
end
-
Applicable only in the resource scope. End the resource specification.
The zonecfg command then verifies that the current
resource is fully specified.
-
If the resource is fully specified, it is added to the in-memory
configuration and the scope will revert back to global.
-
If the specification is incomplete, the system displays an
error message that describes what needs to be done.
-
cancel
-
Applicable only in the resource scope. End the resource specification
and reset the scope to global. Any partially specified resources are not retained.
-
delete
-
Destroy the specified configuration. Delete the configuration
both from memory and from stable storage. You must use the -F (force)
option with delete.
Caution – This action is instantaneous. No commit is required, and a
deleted zone cannot be reverted.
-
info
-
Display information about the current configuration or the
global resource properties zonepath, autoboot,
and pool. If a resource type is specified, display information
only about resources of that type. In the resource scope, this subcommand
applies only to the resource being added or modified.
-
verify
-
Verify current configuration for correctness. Ensure that
all resources have all of their required properties specified.
-
commit
-
Commit current configuration from memory to stable storage.
Until the in-memory configuration is committed, changes can be removed with
the revert subcommand. A configuration must be committed
to be used by zoneadm. This operation is attempted automatically
when you complete a zonecfg session. Because only a correct
configuration can be committed, the commit operation automatically does a
verify.
-
revert
-
Revert configuration back to the last committed state.
-
exit
-
Exit the zonecfg session. You can use
the -F (force) option with exit.
A commit is automatically attempted if needed. Note
that an EOF character can also be used to exit the session.
zonecfg Command-File
Mode
In command-file mode, input is taken from a file. The export subcommand
described in zonecfg Interactive Mode is
used to produce this file. The configuration can be printed to standard output,
or the -f option can be used to specify an output file.
Zone Configuration Data
Zone configuration data consists of two kinds of entities, resources
and properties. Each resource has a type, and each resource can also have
a set of one or more properties. The properties have names and values. The
set of properties is dependent on the resource type.
Resource and Property Types
The resource and property types are described as follows:
- Zone name
-
The zone name identifies the zone to the configuration utility.
The following rules apply to zone names:
-
Each zone must have a unique name.
-
A zone name is case-sensitive.
-
A zone name must begin with an alpha-numeric character.
The name can contain alpha-numeric characters, underbars (_),
hyphens (-), and periods (.).
-
The name cannot be longer than 64 characters.
-
The name global and all names beginning
with SUNW are reserved and cannot be used.
-
zonepath
-
The zonepath property is the path to the
zone root. Each zone has a path to its root directory that is relative to
the global zone's root directory. At installation time, the global zone directory
is required to have restricted visibility. It must be owned by root with
the mode 700.
The non-global zone's root path is one level lower. The zone's root
directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. These directories are created
automatically with the correct permissions, and do not need to be verified
by the zone administrator. This hierarchy ensures that unprivileged users
in the global zone are prevented from traversing a non-global zone's file
system.
Path | Description
/home/export/my-zone | zonecfg zonepath
/home/export/my-zone/root | Root of the zone
/home/export/my-zone/dev | Devices created for the zone
See Traversing File Systems for a further discussion of this issue.
Note –
See Solaris 10 6/06, Solaris 10 11/06, Solaris 10 8/07, and Solaris 10 5/08: Do Not Place the Root File System of a Non-Global Zone on ZFS for ZFS restrictions for these releases.
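The naming rules and the zonepath permission layout described above can be checked programmatically. The Python below is an added example, not Solaris code and not zonecfg's own validation: validate_zone_name applies the rules listed under Zone name, and audit_zonepath compares the permission bits of zonepath (expected 700) and zonepath/root (expected 755) with the layout this section says keeps unprivileged global-zone users from traversing the zone's file system. make_demo_zonepath builds a throwaway layout under a temporary directory so the audit can be exercised without a real zone; ownership by root is checked only when check_owner is set, so the example also runs unprivileged.

```python
"""Zone name and zonepath checks modelled on the rules in this section.
Added example: not Solaris code and not zonecfg's own validation."""
import os
import re
import stat
import tempfile

# Starts with an alphanumeric; then alphanumerics, underbar, hyphen, period.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def validate_zone_name(name, existing=()):
    """Return the naming-rule violations for a candidate zone name (empty = valid)."""
    problems = []
    if name in existing:          # exact, case-sensitive comparison: 'Web' != 'web'
        problems.append("name is already in use")
    if not NAME_RE.fullmatch(name):
        problems.append("must start with an alphanumeric character and use only "
                        "alphanumerics, '_', '-' and '.'")
    if len(name) > 64:
        problems.append("longer than 64 characters")
    if name == "global" or name.startswith("SUNW"):
        problems.append("'global' and names beginning with 'SUNW' are reserved")
    return problems


def audit_zonepath(zonepath, check_owner=True):
    """Compare zonepath (mode 700) and zonepath/root (mode 755) with the documented
    layout; each deviation is returned as one finding."""
    expected = {zonepath: 0o700, os.path.join(zonepath, "root"): 0o755}
    findings = []
    for path, want in expected.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append("%s: missing" % path)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append("%s: mode %o, expected %o" % (path, mode, want))
        if check_owner and st.st_uid != 0:
            findings.append("%s: owned by uid %d, expected root" % (path, st.st_uid))
    return findings


def make_demo_zonepath(weak=False):
    """Create a constructed zonepath layout under a temporary directory. With
    weak=True the zonepath itself is left world-traversable (755), the deviation
    audit_zonepath is meant to flag."""
    zonepath = os.path.join(tempfile.mkdtemp(), "my-zone")
    os.mkdir(zonepath)
    os.mkdir(os.path.join(zonepath, "root"))
    os.mkdir(os.path.join(zonepath, "dev"))
    os.chmod(zonepath, 0o755 if weak else 0o700)   # explicit chmod, so umask does not interfere
    os.chmod(os.path.join(zonepath, "root"), 0o755)
    return zonepath
```

The name check deliberately treats 'Web' and 'web' as distinct, matching the case-sensitivity rule; the permission audit is the check an administrator would run after the directories have been created automatically, to confirm nothing later loosened the zonepath mode.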
-
autoboot
-
If this property is set to true, the zone is automatically
booted when the global zone is booted. Note that if the zones service, svc:/system/zones:default is disabled, the zone will not autoboot, regardless of the setting
of this property. You can enable the zones service with the svcadm command
described in the svcadm(1M) man
page:
global# svcadm enable zones
-
bootargs
-
Solaris 10 8/07: This property
is used to set a boot argument for the zone. The boot argument is applied
unless overridden by the reboot, zoneadm boot,
or zoneadm reboot commands. See Solaris 10 8/07: Zone Boot Arguments.
-
pool
-
This property is used to associate the zone with a resource pool
on the system. Multiple zones can share the resources of one pool. Also see Solaris 10 8/07: dedicated-cpu Resource.
-
limitpriv
-
Solaris 10 11/06 and Later: This
property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone.
Privileges are added by specifying the privilege name, with or without
the leading priv_. Privileges are excluded by preceding
the name with a dash (-) or an exclamation mark (!).
The privilege values are separated by commas and placed within quotation marks
(").
As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions.
Because zone configuration takes place from the global zone, the special privilege
set zone cannot be used. Because a common use is to alter
the default privilege set by adding or removing certain privileges, the special
set default maps to the default set of privileges. When default appears at the beginning of the limitpriv property,
it expands to the default set.
The following entry adds the ability to use DTrace programs that only
require the dtrace_proc and dtrace_user privileges
in the zone:
global# zonecfg -z userzone
zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"
If the zone's privilege set contains a disallowed privilege, is missing
a required privilege, or includes an unknown privilege, an attempt to verify,
ready, or boot the zone will fail with an error message.
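To make the limitpriv syntax concrete, the following Python is an added example, not Solaris code; it does not call priv_str_to_set(3C) but models the rules above with tokens applied left to right. The privilege sets it defines (BASIC_PRIVS, DEFAULT_ZONE_PRIVS, ALL_PRIVS, REQUIRED_IN_ZONE, DISALLOWED_IN_ZONE) are constructed stand-ins for illustration, not the real lists from privileges(5). verify_limitpriv mirrors the failure cases in the preceding paragraph: a disallowed privilege, a missing required privilege, or an unknown privilege each produce a problem report.

```python
"""Interpreter for the limitpriv syntax described in this section (added
example, not Solaris code). Privilege sets below are constructed stand-ins."""

BASIC_PRIVS = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}
DEFAULT_ZONE_PRIVS = BASIC_PRIVS | {"sys_mount", "sys_admin", "proc_lock_memory"}
ALL_PRIVS = DEFAULT_ZONE_PRIVS | {"dtrace_proc", "dtrace_user", "dtrace_kernel",
                                  "sys_res_config", "net_rawaccess"}
REQUIRED_IN_ZONE = {"proc_exec", "proc_fork"}             # constructed: zone cannot run without
DISALLOWED_IN_ZONE = {"dtrace_kernel", "sys_res_config"}  # constructed: cannot be added to a zone
SPECIAL_SETS = {"none": set(), "all": ALL_PRIVS, "basic": BASIC_PRIVS}


def expand_limitpriv(value):
    """Resolve a limitpriv string such as "default,dtrace_proc,-sys_mount" to a set.
    Tokens are applied left to right; a leading priv_ is optional; '-' or '!'
    excludes; 'default' is honoured only as the first token; 'zone' is rejected."""
    tokens = [t.strip() for t in value.strip().strip('"').split(",") if t.strip()]
    privs = set()
    for i, token in enumerate(tokens):
        exclude = token[0] in "-!"
        name = token[1:] if exclude else token
        if name.startswith("priv_"):
            name = name[5:]
        if name == "zone":
            raise ValueError("special set 'zone' cannot be used in limitpriv")
        if name == "default":
            if i != 0 or exclude:
                raise ValueError("'default' is only expanded at the start of limitpriv")
            privs |= DEFAULT_ZONE_PRIVS
        elif name in SPECIAL_SETS:
            members = SPECIAL_SETS[name]
            if name == "none" and not exclude:
                privs = set()                    # 'none' discards what came before it
            privs = privs - members if exclude else privs | members
        elif name in ALL_PRIVS:
            privs = privs - {name} if exclude else privs | {name}
        else:
            raise ValueError("unknown privilege %s" % name)
    return privs


def verify_limitpriv(value):
    """Problems that verify, ready or boot would report for this set (empty = ok)."""
    try:
        privs = expand_limitpriv(value)
    except ValueError as err:
        return [str(err)]
    problems = ["disallowed privilege %s" % p for p in sorted(privs & DISALLOWED_IN_ZONE)]
    problems += ["missing required privilege %s" % p for p in sorted(REQUIRED_IN_ZONE - privs)]
    return problems
```

With these stand-in sets, "default,dtrace_proc,dtrace_user" (the entry shown above) verifies cleanly, while "default,dtrace_kernel" and "basic,-proc_fork" each report exactly the kind of error the chapter says an attempt to verify, ready or boot the zone would produce.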
-
scheduling-class
-
Solaris 10 8/07: This
property sets the scheduling class for the zone. See Scheduling Class in a Zone for additional information and tips.
-
ip-type
-
Solaris 10 8/07: This property
is required to be set only if the zone is an exclusive-IP zone. See Solaris 10 8/07: Exclusive-IP Non-Global Zones and How to Configure the Zone.
-
dedicated-cpu
-
Solaris 10 8/07: This resource
dedicates a subset of the system's processors to the zone while it is running.
The dedicated-cpu resource provides limits for ncpus and,
optionally, importance. For more information, see Solaris 10 8/07: dedicated-cpu Resource.
-
capped-cpu resource
-
Solaris 10 5/08: This resource
sets a limit on the amount of CPU resources that can be consumed by the zone
while it is running. The resource provides a limit for ncpus.
-
capped-memory resource
-
Solaris 10 8/07: This resource
groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties
must be specified.
-
dataset
-
Solaris 10 6/06: Adding
a ZFS file system dataset resource enables the delegation of storage administration
to a non-global zone. The zone administrator can create and destroy file systems
within that dataset, and modify properties of the dataset. The zone administrator
cannot affect datasets that have not been added to the zone or exceed any
top level quotas set on the dataset assigned to the zone.
ZFS datasets can be added to a zone in more than one way.
See Chapter 10, ZFS Advanced Topics, in Solaris ZFS Administration Guide and File Systems and Non-Global Zones.
Also see Chapter 29, Troubleshooting Miscellaneous Solaris Zones Problems for information on dataset issues.
-
fs
-
Each zone can have various file systems that are mounted when
the zone transitions from the installed state to the ready state. The file
system resource specifies the path to the file system mount point. For more
information about the use of file systems in zones, see File Systems and Non-Global Zones.
-
inherit-pkg-dir
-
This resource should not be configured in a whole root zone.
In a sparse root zone, the inherit-pkg-dir resource
is used to represent directories that contain packaged software that a non-global
zone shares with the global zone.
The contents of software packages transferred into the inherit-pkg-dir directory are inherited in read-only mode by the non-global zone.
The zone's packaging database is updated to reflect the packages. These resources
cannot be modified or removed after the zone has been installed using zoneadm.
Note –
Four default inherit-pkg-dir resources are
included in the configuration. These directory resources indicate which directories
should have their associated packages inherited from the global zone. The
resources are implemented through a read-only loopback file system mount.
-
/lib
-
/platform
-
/sbin
-
/usr
-
net
-
The network interface resource is the interface name. Each
zone can have network interfaces that are set up when the zone transitions
from the installed state to the ready state.
-
device
-
The device resource is the device matching specifier. Each
zone can have devices that should be configured when the zone transitions
from the installed state to the ready state.
-
rctl
-
The rctl resource is used for zone-wide
resource controls. The controls are enabled when the zone transitions from
the installed state to the ready state.
-
attr
-
This generic attribute can be used for user comments or by
other subsystems. The name property of an attr must
begin with an alpha-numeric character. The name property
can contain alpha-numeric characters, hyphens (-), and
periods (.). Attribute names beginning with zone. are
reserved for use by the system.
Resource Type Properties
Resources also have properties to configure. The following properties
are associated with the resource types shown.
-
dedicated-cpu
-
ncpus, importance
Solaris 10 8/07: Specify the number
of CPUs and, optionally, the relative importance of the pool. The following
example specifies a CPU range for use by the zone my-zone. importance is also set.
zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-3
zonecfg:my-zone:dedicated-cpu> set importance=2
zonecfg:my-zone:dedicated-cpu> end
-
capped-cpu
-
ncpus
Specify the number of CPUs. The following example specifies a CPU cap
of 3.5 CPUs for the zone my-zone.
zonecfg:my-zone> add capped-cpu
zonecfg:my-zone:capped-cpu> set ncpus=3.5
zonecfg:my-zone:capped-cpu> end
-
capped-memory
-
physical, swap, locked
Specify the memory limits for the zone my-zone. Each
limit is optional, but at least one must be set.
zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=100m
zonecfg:my-zone:capped-memory> set locked=30m
zonecfg:my-zone:capped-memory> end
-
fs
-
dir, special, raw, type, options
The fs resource parameters supply the values that
determine how and where to mount file systems. The fs parameters
are defined as follows:
-
dir
-
Specifies the mount point for the file system
-
special
-
Specifies the block special device name or directory from
the global zone to mount
-
raw
-
Specifies the raw device on which to run fsck before
mounting the file system
-
type
-
Specifies the file system type
-
options
-
Specifies mount options similar to those found with the mount command
The lines in the following example specify that /dev/dsk/c0t0d0s2 in
the global zone is to be mounted as /mnt in a zone being
configured. The raw property specifies an optional device
on which the fsck command is to be run before an attempt
is made to mount the file system. The file system type to use is UFS. The
options nodevices and logging are added.
zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/mnt
zonecfg:my-zone:fs> set special=/dev/dsk/c0t0d0s2
zonecfg:my-zone:fs> set raw=/dev/rdsk/c0t0d0s2
zonecfg:my-zone:fs> set type=ufs
zonecfg:my-zone:fs> add options [nodevices,logging]
zonecfg:my-zone:fs> end
For more information, see The -o nosuid Option, Security Restrictions and File System Behavior, and the fsck(1M) and mount(1M) man pages. Also note that
section 1M man pages are available for mount options that are unique to a
specific file system. The names of these man pages have the form mount_filesystem.
Note –
To add a ZFS file system using the fs resource
property, see Adding ZFS File Systems to a Non-Global Zone in Solaris ZFS Administration Guide.
-
dataset
-
name
The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no
longer visible in the global zone.
zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> end
-
inherit-pkg-dir
-
dir
The lines in the following example specify that /opt/sfw is
to be loopback mounted from the global zone.
zonecfg:my-zone> add inherit-pkg-dir
zonecfg:my-zone:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:my-zone:inherit-pkg-dir> end
-
net
-
address, physical, defrouter
Note –
For a shared-IP zone, both the IP address and the device are specified.
Optionally, the default router can be set. For an exclusive-IP zone, only
the physical interface is specified.
In the following example for a shared-IP zone, the IP address 192.168.0.1 is added to the zone. An hme0 card is used for
the physical interface. To determine which physical interface to use, type ifconfig -a on your system. Each line of the output,
other than loopback driver lines, begins with the name of a card installed
on your system. Lines that contain LOOPBACK in the descriptions
do not apply to cards.
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=hme0
zonecfg:my-zone:net> set address=192.168.0.1
zonecfg:my-zone:net> end
In the following example for an exclusive-IP zone, a bge32001 link
is used for the physical interface. To determine which data-links are available,
use the command dladm show-link. The
data-link must be GLDv3 to be used with exclusive-IP zones, and non-GLDv3
data-links appear as type: legacy in the dladm show-link output. Note that ip-type=exclusive must
also be specified.
zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=bge32001
zonecfg:my-zone:net> end
-
device
-
match
In the following example, a /dev/pts device is included
in a zone.
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/pts*
zonecfg:my-zone:device> end
-
rctl
-
name, value
Solaris 10 8/07: New resource controls for this release
are zone.max-locked-memory, zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, zone.max-shm-memory, and zone.max-swap.
The following zone-wide resource controls are available:
-
zone.cpu-shares (preferred: cpu-shares)
-
zone.max-locked-memory
-
zone.max-lwps (preferred: max-lwps)
-
zone.max-msg-ids (preferred: max-msg-ids)
-
zone.max-sem-ids (preferred: max-sem-ids)
-
zone.max-shm-ids (preferred: max-shm-ids)
-
zone.max-shm-memory (preferred: max-shm-memory)
-
zone.max-swap
Note that the preferred, simpler method for setting a zone-wide resource
control is to use the property name instead of the rctl resource,
as shown in How to Configure the Zone.
If zone-wide resource control entries in a zone are configured using add rctl, the format is different from that of resource
control entries in the project database. In a zone configuration,
the value of an rctl resource consists of three name/value pairs.
The names are priv, limit, and action. Each of the names takes a simple value.
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-lwps
zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny)
zonecfg:my-zone:rctl> end
For general information about resource controls and attributes, see Chapter 6, Resource Controls (Overview) and Resource Controls Used in Non-Global Zones.
-
attr
-
name, type, value
In the following example, a comment about a zone is added.
zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="Production zone"
zonecfg:my-zone:attr> end
You can use the export subcommand to print a zone
configuration to standard output. The configuration is saved in a form that
can be used in a command file.
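Because export writes the configuration in the same add, set and end form that zonecfg -f reads back, the exported file is also a convenient thing to review. The script below is an added example, not part of this guide or of Solaris: it reads an exported configuration and prints findings for the settings a security review of a zone usually starts with, that is, fs resources whose options omit nodevices or nosuid (compare the fs example above and The -o nosuid Option), device resources, in particular wildcard matches that expose every matching node, a limitpriv that differs from default, and the absence of a zone.max-lwps cap in either the rctl form or the property form. The functions audit_zone_export and sample_export, the embedded export text, and the WARN/INFO severities are all the example's own constructions.

```sh
#!/bin/sh
# Added example, not from the Solaris documentation: review a saved
# "zonecfg -z <zone> export" file for settings that weaken zone isolation.
# Input is the export form: top-level "set" lines plus "add <resource> ...
# end" blocks. Findings are printed as "WARN: ..." or "INFO: ..."; the exit
# status is 1 when at least one WARN was printed. The checks and their
# severities are this example's own choices.

# audit_zone_export [FILE]: read FILE (default: standard input)
audit_zone_export() {
    awk '
    function warn(msg) { found++; print "WARN: " msg }
    function info(msg) { print "INFO: " msg }
    function flush(   k) {                    # evaluate the resource block that just ended
        if (rt == "fs") {
            if (opts !~ /(^|,)nodevices(,|$)/)
                warn("fs " prop["dir"] " has no nodevices option")
            if (opts !~ /(^|,)nosuid(,|$)/)
                info("fs " prop["dir"] " has no nosuid option")
        } else if (rt == "device") {
            if (prop["match"] ~ /\*/)
                warn("device match " prop["match"] " is a wildcard; every matching node is visible in the zone")
            else
                info("device " prop["match"] " is visible in the zone")
        } else if (rt == "rctl" && prop["name"] == "zone.max-lwps") {
            lwps = 1
        } else if (rt == "inherit-pkg-dir") {
            sparse++
        }
        rt = ""; opts = ""
        for (k in prop) delete prop[k]
    }
    $1 == "add" && NF == 2 { rt = $2; next }          # add fs / add net / add device ...
    $1 == "add" && $2 == "options" {                    # "add options nodevices" or "add options [a,b]"
        o = $3; gsub(/[[]/, "", o); gsub(/[]]/, "", o)
        opts = (opts == "") ? o : opts "," o
        next
    }
    $1 == "end" { flush(); next }
    $1 == "set" {
        eq = index($0, "=")
        key = substr($0, 5, eq - 5); val = substr($0, eq + 1)
        if (rt != "")
            prop[key] = val                             # property of the open resource
        else if (key == "limitpriv" && val != "default")
            info("limitpriv is " val "; review each addition to the default set")
        else if (key == "max-lwps")
            lwps = 1                                    # the preferred property form
        next
    }
    END {
        if (!lwps) warn("no zone.max-lwps cap; the zone is bounded only by system-wide limits")
        if (sparse) info("sparse root zone: " sparse " inherit-pkg-dir resources shared read-only from the global zone")
        exit (found ? 1 : 0)
    }' "${1:--}"
}

# Constructed sample export used for the demonstration (not a real system's output).
sample_export() {
cat <<'EOF'
create -b
set zonepath=/export/zones/web1
set autoboot=true
set limitpriv=default,dtrace_proc,dtrace_user
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/mnt
set special=/dev/dsk/c0t0d0s2
set raw=/dev/rdsk/c0t0d0s2
set type=ufs
add options nodevices
add options logging
end
add fs
set dir=/data
set special=/export/data
set type=lofs
end
add net
set address=192.168.0.1
set physical=hme0
end
add device
set match=/dev/pts*
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=10,action=none)
end
EOF
}

# Usage on a real system:  zonecfg -z my-zone export | audit_zone_export
if sample_export | audit_zone_export; then echo "no warnings"; else echo "warnings found"; fi
```

Run against the sample, the script flags the lofs mount at /data for lacking nodevices, the wildcard /dev/pts* device match, and the missing zone.max-lwps cap, and reports the non-default limitpriv and the two inherited directories for information; a configuration that sets nodevices and nosuid on every fs resource and a max-lwps value exits 0.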
Tecla Command-Line Editing Library
The Tecla command-line editing library is included for use with the zonecfg command. The library provides a mechanism for command-line
history and editing support.
The Tecla command-line editing library is documented in the following
man pages:
-
enhance(1)
-
libtecla(3LIB)
-
ef_expand_file(3TECLA)
-
gl_get_line(3TECLA)
-
gl_io_mode(3TECLA)
-
pca_lookup_file(3TECLA)
-
tecla(5)