zonecfg - set up zone configuration zonecfg
-
System Administration Commands zonecfg(1M) NAME zonecfg - set up zone configuration SYNOPSIS zonecfg -z zonename [-r] zonecfg -z zonename [-r] subcommand zonecfg -z zonename [-r] -f command_file zonecfg help DESCRIPTION The zonecfg utility creates, modifies, and lists the configuration of a zone. The creation and modification functions are only available to authorized users and require that the process is executed with an effective user ID of root. Otherwise it runs in read-only mode. A zone's configuration consists of a number of resources and proper- ties. To simplify the user interface, zonecfg uses the concept of a scope. The default scope is global. The following synopsis of the zonecfg command is for non-interactive usage: zonecfg -z zonename subcommand The zonecfg utility can run in two edit modes: default Allows to create, modify and list the persistent zone con- figuration stored on the stable storage. Parameters changed through zonecfg in the default mode do not affect a running zone. The zone must be reconfigured using zoneadm(1M) apply subcommand or rebooted for the changes to take effect. The authorization solaris.zone.config/zonename is required to allow changes in the persistent configuration. live Allows to retrieve, modify and list the live configuration of a running zone. Parameters changed through zonecfg in the live mode take effect immediately after they are commited and remain active until the next zone reboot. The live mode is available only for a running zone and requires the autho- rization solaris.zone.liveconfig/zonename. See the respective brand manual page for details on resources supported by the live zone reconfiguration. In addition to creating and modifying a zone, the zonecfg utility can also be used to persistently specify the resource management settings for the global zone or to configure the global zone as an immutable global zone by specifying a file-mac-profile in combination with set- tings forfs-allowed, dataset, and devices.. In the following text, "rctl" is used as an abbreviation for "resource control". See resource-controls (5). Every zone is configured with an associated brand. The brand determines the user-level environment used within the zone, as well as various behaviors for the zone when it is installed, boots, or is shutdown. Once a zone has been installed the brand cannot be changed. The default brand is determined by the installed distribution in the global zone. Some brands do not support all of the zonecfg properties and resources. See the brand-specific man page for more details on each brand. For an overview of brands, see the brands(5) man page. Resources The following resource types are supported: attr Generic attribute. capped-cpu Limits for CPU usage. capped-memory Limits for physical, swap, and locked memory. dataset ZFS dataset. dedicated-cpu Subset of the system's processors dedicated to this zone while it is running. device Device. fs file-system ib-vhca Virtual InfiniBand device. port Port for virtual InfiniBand device. Port resource is only valid in ib-vhca resource scope. keysource Encryption key net Network interface. anet Automatic network interface. mac Extra mac-address configured for a zone. The mac resource is only valid within an anet resource. admin Delegated administrator. rctl Resource control. suspend Suspend image rootzpool Dedicated ZFS zpool for zone installation. virtual-cpu Virtual CPUs configured for the zone. zpool ZFS zpool delegated to the zone. npiv Fibre Channel NPIV port. verified-boot Verified Boot settings for the zone. Multi-instance resources have an identifier which uniquely identifies each instance of a resource. The identifier is a number displayed next to the resource for every instance of all multi-instance resources, in the output of info subcommand. The identifiers are automatically gener- ated and are not user modifiable, they are consistent only across a zonecfg session. Sparse and Whole Root Non-Global Zones Previous releases of Solaris offered the notion of sparse root zones. This functionality was intimately associated with the SVr4 packaging system and intended to save disk space and reduce administrative effort. The new packaging system, IPS, provides more flexibility when choosing which packages to install in a zone. This, along with advances in file system technology (notable among which is ZFS deduplication), means that it was most sensible to remove sparse root zones. The benefits of sparse root zones are provided for all zones by means of the combina- tion of IPS packaging and file system advances. Properties Each resource type has one or more properties. There are also some global properties, that is, properties of the configuration as a whole, rather than of some particular resource. The following properties are supported: (global) zonename (global) zonepath (global) autoboot (global) autoshutdown (global) global-time (global) bootargs (global) pool (global) limitpriv (global) brand (global) cpu-shares (global) hostid (global) max-lwps (global) max-msg-ids (global) max-processes (global) max-sem-ids (global) max-shm-ids (global) max-shm-memory (global) scheduling-class (global) fs-allowed (global) file-mac-profile (global) tenant (global) cpu-arch fs dir, special, raw, type, options net address, allowed-address, configure-allowed-address, physical, defrouter, id anet linkname, lower-link, allowed-address, auto-mac-address, configure- allowed-address, defrouter, mac-address, mac-slot, mac-prefix, mtu, maxbw, bwshare, priority, vlan-id, vsi-typeid, vsi-vers, vsi-mgrid, rxfanout, rxrings, txrings, link-protection, allowed-dhcp-cids, pkey, linkmode, etsbw-lcl, cos, id, evs, vport, iov mac auto-mac-address, mac-address, mac-prefix, id device match, allow-partition, allow-raw-io, id, storage ib-vhca over-hca, id port pkey, id rctl name, value attr name, type, value dataset name, alias dedicated-cpu ncpus, importance cpus, cores, sockets virtual-cpu ncpus capped-memory physical, swap, locked capped-cpu ncpus admin user, auths rootzpool storage zpool storage, name npiv virtual-port-wwn, over-hba verified-boot policy, cert hostkey raw suspend path, storage As for the property values that are paired with these names, they are either a string or a list of strings. The type allowed is property spe- cific. Single values can be optionally enclosed within quotation marks. Lists have the syntax: [<value>,...] where each <value> is a string property. A list of a single value is equivalent to specifying that value without the list syntax. That is, "foo" is equivalent to "[foo]". A list can be empty (denoted by "[]"). The property types are described as follows: global: zonename The name of the zone. global: zonepath Path to zone's file system. The default value of zonepath is /sys- tem/zones/%{zonename}. global: global-time Boolean indicating that a zone can change global/system-wide time (if true) or can change the zone-specific time (if false). global: autoboot Boolean indicating that a zone should be booted automatically at system boot. Note that if the zones service is disabled, the zone will not autoboot, regardless of the setting of this property. You enable the zones service with a svcadm command, such as: # svcadm enable svc:/system/zones:default Replace enable with disable to disable the zones service. See svcadm(1M). global: autoshutdown Action to take for this zone on clean shutdown of the global zone. Can be "shutdown" (a clean zone shutdown; the default); "halt"; or "suspend". global: bootargs Arguments (options) to be passed to the zone bootup, unless options are supplied to the "zoneadm boot" command, in which case those take precedence. The valid arguments are described in zoneadm(1M). global: pool Name of the resource pool that this zone must be bound to when booted. This property is incompatible with the dedicated-cpu resource. global: limitpriv The maximum set of privileges any process in this zone can obtain. The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C). Privileges can be excluded from the resulting set by preceding their names with a dash (-) or an exclamation point (!). The special privilege string "zone" is not supported in this context. If the special string "default" occurs as the first token in the property, it expands into a safe set of privileges that preserve the resource and secu- rity isolation described in zones(5). A missing or empty property is equivalent to this same set of safe privileges. The system administrator must take extreme care when configuring privileges for a zone. Some privileges cannot be excluded through this mechanism as they are required in order to boot a zone. In addition, there are certain privileges which cannot be given to a zone as doing so would allow processes inside a zone to unduly affect processes in other zones. zoneadm(1M) indicates when an invalid privilege has been added or removed from a zone's privilege set when an attempt is made to either "boot" or "ready" the zone. See privileges(5) for a description of privileges. The command "ppriv -l" (see ppriv(1)) produces a list of all Solaris privi- leges. You can specify privileges as they are displayed by ppriv. In privileges(5), privileges are listed in the form PRIV_privi- lege_name. For example, the privilege sys_time, as you would spec- ify it in this property, is listed in privileges(5) as PRIV_SYS_TIME. global: brand The zone's brand type. global: ip-type A zone can either have its own exclusive instance of IP (the default) or share the IP instance with the global zone. In the default zone template, SYSdefault, ip-type is set to exclusive. In the also-supplied SYSdefault-shared-ip template, ip-type is set to shared. This property takes the values exclusive and shared. The shared-IP feature might be removed in a future release. We strongly recommend using exclusive-IP. Once this feature is removed, zones configured to use this feature will no longer boot. To continue using your zones, please convert any zones which have ip-type set to shared to have ip-type set to exclusive. In most cases this will involve replacing zonecfg(1M) "net" resources with "anet" resources. If you have shared IP zones that are using inter- faces which are part of a global zone IPMP group, then you should switch to using DLMP aggregations. In the global zone create a DLMP aggregation on old IPMP interfaces and then then create a zonecfg(1M) "anet" resource where the lower-link points to the DLMP aggregation. Limited shared-IP support will be retained for certain multilevel server Trusted Extensions configurations. global: hostid A zone can emulate a 32-bit host identifier to ease system consoli- dation. A zone's hostid property is empty by default, meaning that the zone does not emulate a host identifier. Zone host identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x or 0X pre- fix is optional. Both uppercase and lowercase hexadecimal digits are acceptable. global: fs-allowed A comma-separated list of additional file systems that can be mounted within the zone; for example, ufs,pcfs. By default, only hsfs(7FS) and network file systems can be mounted. This property does not apply to file systems mounted into the zone by means of add fs or add dataset. Caution - Allowing filesystem mounts other than the default might allow the zone administrator to compromise the system with a bogus filesys- tem image and is not supported. global: file-mac-profile Define which parts of the filesystem are exempted from the read- only policy, that is, which parts of the filesystem the zone is allowed to write to. There are currently five supported values for this property: none, strict, dynamic-zones, fixed-configuration, and flexible-configura- tion. none makes the zone exactly the same as a normal, r/w zone. strict allows no exceptions to the read-only policy. fixed-configuration allows the zone to write to files in and below /var, except direc- tories containing configuration files: /var/ld /var/lib/postrun /var/pkg /var/spool/cron, /var/spool/postrun /var/svc/manifest /var/svc/profiles dynamic-zones is equal to fixed-configuration but allows creating and destroying non-global zones and kernel zones. This profile is only valid for global zones, including the global zone of a kernel zone. flexible-configuration is equal to dynamic-zones, but allows writ- ing to files in /etc in addition. global: tenant Note - To use this property and anet resource's evs and vport property, install Elastic Virtual Switch (EVS) IPS packages and configure the EVS controller as described in evsadm(1M) manpage and Manag- ing Network Virtualization and Network Resources in Oracle Solaris 11.3. Defines the name of the tenant that owns the EVS to which a VNIC anet will be connected to. See evsadm(1M). global: cpu-arch Specify the migration class configured for a solaris-kz brand zone. For now, this only works on SPARC platform and is not supported on x86 platform. The possible values of this property are: generic kernel zone can perform a CPU-type independent migration, but not to a system older than T4. migration-class1 kernel zone can perform cross-CPU type migra- tion between SPARC T4, SPARC T5, SPARC M5, and SPARC M6. sparc64-class1 kernel zone can perform cross-CPU type migra- tion between Fujitsu M10 and M10+. If no value is set, the the kernel zone's CPU migration class is the same as the host. It can migrate between CPU types that is com- patible of host CPU class. Note that the kernel zone's CPU migration class cannot exceed the limit of host's CPU class. fs: dir, special, raw, type, options Values needed to determine how, where, and so forth to mount file systems. See mount(1M), mount(2), fsck(1M), and vfstab(4). net: address, allowed-address, configure-allowed-address, physical, defrouter, id The net resource represents the assignment of a physical network resource to a zone. The resource must exist in the global zone prior to the assignment. The network address and physical interface name of the network interface. The network address is one of: o a valid IPv4 address, optionally followed by "/" and a prefix length; o a valid IPv6 address, which must be followed by "/" and a prefix length; o a host name which resolves to an IPv4 address. Note that host names that resolve to IPv6 addresses are not sup- ported. The physical interface name is the network interface name. The value for the optional default router is specified similarly to the network address except that it must not be followed by a / (slash) and a network prefix length. To enable correct use of the defrouter functionality, the zones that use the property must be on a different subnet from the subnet on which the global zone resides. Also, each zone (or set of zones) that uses a different defrouter setting must be on a different subnet. The id value is a positive integer used to identify the network interface; see solaris-kz(5). A zone can be configured to be either exclusive-IP or shared-IP. For a shared-IP zone, you must set both the physical and address properties; setting the default router is optional. The interface specified in the physical property must be plumbed in the global zone prior to booting the non-global zone. However, if the inter- face is not used by the global zone, it should be configured down in the global zone, and the default router for the interface should be specified here. The allowed-address property cannot be set for a shared-IP zone. For an exclusive-IP zone, the physical property must be set and the address property must not be set. Optionally, the set of IP addresses that the exclusive-IP zone can use might be constrained by specifying the allowed-address property. If allowed-address has not been specified, then the exclusive-IP zone can use any IP address on the associated physical interface for the net resource. Otherwise, when allowed-address is specified, the exclusive-IP zone cannot use IP addresses that are not in the allowed-address list for the physical address. If configure-allowed-address is set to true, the addresses specified by allowed-address are automatically configured on the interface each time the zone boots. When it is set to false, the allowed-address will not be configured on zone boot. By default, configure-allowed-address is set to true when an allowed-address is specified. In addition, when the allowed-address list has been populated, the defrouter property can also be option- ally specified. However, if the defrouter value is specified and configure-allowed-address is set to false, the defrouter value will be ignored and an appropriate warning message will be shown. The interface specified for the physical property must not be in use in the global zone. If an allowed-address and default router are spec- ified by means of zonecfg, these will be applied to the interface when it is enabled by means of ipadm(1M) in the non-global, exclu- sive-IP zone, typically during zone boot. The non-global exclusive- IP zone will not be able to apply any other addresses to that interface, nor will it be able to transmit packets with a different source address for the specified IP version. A default router set up by means of zonecfg cannot be persistently deleted from within the non-global exclusive-IP zone using the -p flag with route(1M). Note that a single datalink cannot be shared among multiple exclu- sive-IP zones. Assigning an IPoIB VNIC to a solaris-kz brand zone is not currently supported. anet: linkname, lower-link, allowed-address, auto-mac-address, config- ure-allowed-address, defrouter, mac-address, mac-slot, mac-prefix, mtu, maxbw, bwshare, priority, vlan-id, vsi-typeid, vsi-vers, vsi-mgrid, rxfanout, rxrings, txrings, link-protection, allowed-dhcp-cids, pkey, linkmode, etsbw-lcl, cos, id, evs, vport, lro, mac, iov The anet resource represents the automatic creation of a network resource for an exclusive-IP zone. When zonecfg creates a zone using the default SYSdefault template, an anet resource with the following properties is automatically included in the zone configu- ration: linkname=net0 lower-link=auto mac-address=default link-protection=mac-nospoof When such a zone boots, a temporary VNIC or IPoIB datalink is auto- matically created for the zone. The VNIC or the IPoIB datalink is deleted when the zone halts. Note - To use EVS and VPort install Elastic Virtual Switch (EVS) IPS packages, and then configure EVS controller as described in the evsadm(1M) manpage and Managing Network Virtualization and Net- work Resources in Oracle Solaris 11.3. An EVS is a virtual switch that spans one or more servers (physical machines). It represents an isolated L2 segment, and provides net- work connectivity between the zones whose VNIC anets are connected to it. A VPort is uniquely identified by 3-tuple <tenant, evs, vport>, so a zone's configuration should include this information if a VNIC anet need to be connected to an EVS. Note - For a VNIC anet connecting to an EVS, only allowed anet property is linkname, as it acquires other properties from the VPort. The supported properties are described below. All these properties are optional. Only the global zone is allowed to modify the auto- matically created VNIC or IPoIB datalink or its properties. If a property set in zonecfg cannot be assigned to the VNIC or IPoIB datalink at its creation time, the zone will fail to boot. linkname Specify a name for the automatically created VNIC or IPoIB datalink. By default, this property will be automatically set to the first available name (for the zone) of the form netN, where N is a non-negative integer. For example: net0, net1, and so on. The info subcommand displays the automatically selected linkname. Multiple zones, including the global zone, can have links with the same name at the same time. evs vport If EVS is specified and optionally a VPort is specified, then VNIC anet will be created by connecting to that EVS at that VPort. If the global tenant property is specified, then EVS will be searched in that tenant's namespace. If VPort is specified, then the SLA properties (maxbw, cos, and priority), IP address, and default router MAC address of the VPort will be inherited by the VNIC. If VPort is not specified, then EVS controller will generate a system VPort, (it will have IP address, MAC address, and EVS' default SLA properties) and then the VNIC will be connected to this system VPort. The IP address anti-spoof will be enabled on the VNIC, by set- ting the allowed-ips VNIC property to that of the VPort's IP address. VPort's IP address will be automatically configured on the interface each time the zone boots. The default router IP address associated with the VPort is also automatically config- ured in the zone. See the evsadm(1M) manpage for more information on EVS and VPorts. lower-link Specify the link over which the VNIC or IPoIB will be created. This property has a default value of auto for Ethernet links. If pkey is specified, lower-link must be specified with a valid IPoIB phys class datalink. The administrator may explicitly specify a value upon adding an anet resource. The link can be any link accepted as an argument to dladm create-vnic's -l option or to dladm create-part's -l option (see dladm(1M)). If this property is set to a linkname (other than auto) and that link does not exist, then the zone will fail to boot. When set to auto, the zoneadmd(1M) daemon will automatically choose the link over which the VNIC will be created each time the zone boots. All IPoIB datalinks will will be skipped when selecting the default lower-link for creating the VNIC automatically dur- ing boot. A link will be chosen using the following heuristic: 1. A link aggregation that has a link state of up. 2. Of the physical Ethernet links, choose the link with the following: a. Link state of up b. Maximum number of available VFs (only if iov=auto/on) c. Maximum number of free mac-slots d. The one with the alphabetically smallest name 3. If none is up, the datalink named net0 is used if it exists. If none of the above can be satisfied, the zone will fail to boot. allowed-address See the description of the allowed-address property for exclu- sive-IP zones in the net resource. auto-mac-address Holds the list of the randomly generated MAC addresses when the mac-address property (see below) is set to random or auto, so that the zone reacquires the same addresses on a persistent basis. To reset the randomly generated addresses, an adminis- trator needs to clear this property. bwshare Specify the bandwidth share for the VNIC. See bwshare property in dladm(1M). This property is currently supported only on cer- tain NICs. configure-allowed-address See the description of the configure-allowed-address property for exclusive-IP zones in the net resource. cos The 802.1p priority associated with the datalink. See dladm(1M) for details on this property. defrouter See the description of the defrouter property for exclusive-IP zones in the net resource. etsbw-lcl Indicates the ETS bandwidth on the TX side. See dladm(1M) for details on this property. mac-address Set the VNIC's list of MAC addresses based on the specified values or keywords. If an element of the list is not a keyword, it is interpreted as a unicast MAC address. This property is not supported on IPoIB datalinks. The supported keywords are: o factory: Assign a factory MAC address to the VNIC. When a factory MAC address is requested, the mac- slot property can be used to specify the MAC address slot identifier. Otherwise, the next available fac- tory MAC address will be used. o random: Assign a random MAC address to the VNIC. Use the mac-prefix property to specify a prefix. Other- wise, a default prefix consisting of a valid IEEE OUI with the local bit set will be used. o auto: Try to assign random mac-address first if pos- sible, if NIC supports it, else try to assign a fac- tory mac-address. This is the default value. o default: Use a platform specific assignment strat- egy. In most cases this attempts to allocate a ran- dom address (see 'random' above). If the current platform is an Oracle Solaris kernel zone, a factory MAC address will be assigned (see 'factory' above). If any random MAC addresses are selected, then the addresses generated will be preserved across zone boots and zone detach/attach. This will allow zones to retain their DHCP leases by maintaining stable client IDs, and otherwise take advantage of other benefits of having stable MAC addresses. mac-prefix Specify the list of MAC address prefixes to use if random MAC address allocation is requested. Otherwise this property is ignored. This property is not valid over IPoIB datalinks. mac-slot Specify the list of MAC address slot identifiers used if fac- tory MAC addresses are requested. Otherwise this property is ignored. This property is not valid over IPoIB datalinks. mtu The maximum transmission unit of the VNIC in bytes. See mtu property in dladm(1M). maxbw Specify the full duplex bandwidth for the VNIC. See maxbw prop- erty in dladm(1M). By default, the VNIC will use the maxbw set on the lower-link and if none is set then there is no bandwidth limit. priority Specify the relative priority for the VNIC. See the priority property in dladm(1M) for supported values and default. lro Large receive offload. Valid values are off, on or auto. The value auto is set to inherit the lower link's lro disposition. This property is valid only for Ethernet links. See the description in dladm(1M). vlan-id Enable VLAN or PVLAN tagging for this VNIC and specify a id for the VLAN tag. There is no default value which means if this property is not set then the VNIC does not participate in any VLAN. This property is not supported on IPoIB datalinks. See the dladm(1M) for supported VLAN ID format. vsi-typeid Specify the VSI Type ID associated with a VNIC. See description in dladm(1M). vsi-vers Specify the VSI Version associated with a VNIC. See description in dladm(1M). vsi-mgrid Specify the VSI Manager ID associated with a VNIC. See descrip- tion in dladm(1M). rxfanout Specify the number of receive-side fanout threads. See descrip- tion in dladm(1M). rxrings Specify the receive rings for the VNIC. See rxrings property in dladm(1M) for supported values and default. txrings Specify the transmit rings for the VNIC. See txrings property in dladm(1M) for supported values and default. link-protection Enables one or more types of link protection using comma-sepa- rated values. See the protection property in dladm(1M) for sup- ported values. It has a default value of mac-nospoof. Note that adding ip-nospoof to this property will have no effect unless allowed-address is also set. Setting allowed- address will implicitly add ip-nospoof to the set of link-pro- tection, and clearing allowed-address will remove it. allowed-dhcp-cids Setting this property will enable dhcp-nospoof on the VNIC. See dladm(1M) for details. pkey Specifies the InfiniBand Partition key value in hexadecimal. pkey is always treated as hexadecimal, whether it has the 0x prefix or not. This property is only valid for IPoIB datalinks. linkmode Sets the link transport service type on an IB partition datalink. The default value is cm. This property is valid only for IPoIB datalinks. Valid values are: cm Connected Mode. This mode uses a default MTU of 65520 and supports a maximum MTU of 65535 bytes. If Connected Mode is not available for a remote node, Unreliable Datagram mode will automatically be used instead. ud Unreliable Datagram Mode. This mode uses a default MTU of 2044 and supports a maximum MTU of 4092 bytes. iov Setting this property allows a solaris-kz brand zone to make use of SR-IOV VFs for network devices. The possible values of this property are: o auto: Use a VF if one is available, if not, fallback to using a paravirtual device. o on: Must use a VF. If a VF is not available, creation of anet fails. o off: Do not use a VF (the default). If this property is auto/on and lower-link is not speci- fied, the lower link selection logic will take this into consideration in addition to other criteria (see lower-link property for details). Here are the limitations of this property: o It can only be used with the solaris-kz brand zone. o It is incompatible with all anet properties except for lower-link, id, mac-address, mac-pre- fix, mac-slot. o zoneadm migrate/suspend will fail if this prop- erty is set to auto/on. The id value is a positive integer used to identify the network interface; see solaris-kz(5). mac: auto-mac-address, mac-address, mac-prefix, id The mac resource is used to add extra mac-addresses to the anet resource, the primary mac address is given by the anet:mac-address property. auto-mac-address Holds the list of the randomly generated MAC addresses when the mac-address property (see below) is set to random or auto, so that the zone re-acquires the same addresses on a per- sistent basis. To reset the randomly generated addresses, an administrator needs to clear this property. mac-address Sets the VNIC's list of MAC addresses based on the specified values or keywords. If an element of the list is not a keyword, it is interpreted as a uni-cast MAC address. This property is not supported on IPoIB datalinks. The supported keywords are: factory: Assigns a factory MAC address to the VNIC. When a factory MAC address is requested, the mac-slot property can be used to specify the MAC address slot identifier. Other- wise, the next available factory MAC address will be used. random: Assigns a random MAC address to the VNIC. Use the mac-prefix property to specify a prefix. Otherwise, a default prefix consisting of a valid IEEE OUI with the local bit set will be used. auto: Assigns random mac-address, if NIC supports it, else it tries to assign a factory mac-address. This is the default value. If any random MAC addresses are selected, then the addresses generated will be preserved across zone boots and zone detach/attach. This will allow zones to retain their DHCP leases by maintaining stable client IDs, and otherwise take advantage of other benefits of having sta- ble MAC addresses. mac-prefix Specifies the list of MAC address prefixes to use if random MAC address allocation is requested. Otherwise, this property is ignored. This property is not valid over IPoIB datalinks. The id value is a positive integer used to identify a resource uniquely. ib-vhca: over-hca, id, port An ib-vhca resource represents the automatic creation of a virtual Infiniband HCA device for a kernel zone. When such a zone boots, a temporary VHCA is created. It is destroyed when the zone halts. The supported properties are described below. All these properties are optional. Only the host system's global zone is allowed to mod- ify the automatically VHCAs. If a property set in zonecfg cannot be assigned to the VHCA at its creation time, the zone will fail to boot. over-hca Sets the physical InfiniBand device to use for configu- ration of the virtual InfiniBand device. The device name is as listed in the ibadm command. For more infor- mation, see ibadm(1M) man page. id Uniquely identifies the ib-vhca resource. port: pkey, id pkey Specifies the InfiniBand Partition key value. The pkey value can either be a keyword or a comma seperated list of hexadecimal values. The 0x prefix should not be used for specifying the hexadecimal value. The keyword allowed for pkey is: auto Assigns an automatically generated pkey value based on over-hca value specified. This is the default value. id Id is used to uniquely identify the port resource. Each id corresponds to the physical port number. The GUID assigned to each port on zone boot can be obtained by inspecting the Live Configuration of the running zone. device: match, allow-partition, allow-raw-io, id Device name to match. This can be a glob pattern to match or an absolute pathname. Note that device resources and aliased datasets can have namespace conflicts in /dev/zvol. See dev(7FS). Alternatively, the storage property can be set to a storage URI (see suri(5)). In this case, the SURI is mapped when the zone boots, and the matching device nodes are available inside the zone. The SURI is unmapped when the zone halts. In this case, allow-par- tition is automatically set to true. Both allow-partition and allow-raw-io can be set to true or false, and default to false. See NOTES. Note - In general, adding devices to a zone can compromise the security of the system; see NOTES. The id value is a positive integer used to identify the virtual block device; see solaris-kz(5). rctl: name, value The name and priv/limit/action triple of a resource control. See prctl(1) and rctladm(1M). The preferred way to set rctl values is to use the global property name associated with a specific rctl. Multiple rctl values may be given, and are of the form: (priv=<value>,limit=<value>,action=<value>) virtual-cpus: ncpus Specify the number of virtual CPUs configured for a solaris-kz brand zone. See solaris-kz(5). attr: name, type, value The name, type and value of a generic attribute. The type must be one of int, uint, boolean or string, and the value must be of that type. uint means unsigned, that is, a non-negative integer. The "name" property of an "attr" resource is syntactically restricted in a fashion similar but not identical to zone names: it must begin with an alphanumeric, and can contain alphanumerics plus the hyphen (-), underscore (_), and dot (.) characters. Attribute names beginning with "zone" are reserved for use by the system. Finally, the autoboot and global-time global property must have a value of "true" or "false". dataset: name, alias The name of a ZFS dataset to be accessed from within the zone. See zfs(1M). Each dataset is aliased such that it appears as a virtual ZFS pool in the zone. The alias is the name of this virtual pool. See zpool(1M) for name restrictions that apply to ZFS pool names and as a result also apply to dataset alias values. The alias rpool is reserved from the zone's rpool dataset. Note that aliased datasets and device resources can have namespace conflicts in /dev/zvol. See dev(7FS). global: cpu-shares The number of Fair Share Scheduler (FSS) shares to allocate to this zone. This property is incompatible with the dedicated-cpu resource. This property is the preferred way to set the zone.cpu- shares rctl. global: max-lwps The maximum number of LWPs simultaneously available to this zone. This property is the preferred way to set the zone.max-lwps rctl. global: max-msg-ids The maximum number of message queue IDs allowed for this zone. This property is the preferred way to set the zone.max-msg-ids rctl. global: max-processes The maximum number of process table slots simultaneously available to this zone. This property is the preferred way to set the zone.max-processes rctl. Setting this property will implicitly set the value of the max-lwps property to 10 times the number of process slots unless the max-lwps property has been set explicitly. global: max-sem-ids The maximum number of semaphore IDs allowed for this zone. This property is the preferred way to set the zone.max-sem-ids rctl. global: max-shm-ids The maximum number of shared memory IDs allowed for this zone. This property is the preferred way to set the zone.max-shm-ids rctl. global: max-shm-memory The maximum amount of shared memory allowed for this zone. This property is the preferred way to set the zone.max-shm-memory rctl. A scale (K, M, G, T) can be applied to the value for this number (for example, 1M is one megabyte). global: scheduling-class Specifies the scheduling class used for processes running in a zone. When this property is not specified, the scheduling class is established as follows: o If the cpu-shares property or equivalent rctl is set, the scheduling class FSS is used. o If neither cpu-shares nor the equivalent rctl is set and the zone's pool property references a pool that has a default scheduling class, that class is used. o Under any other conditions, the system default schedul- ing class is used. dedicated-cpu: cpus, cores, sockets ncpus, importance This resource will create a pool and processor set for exclusive use by the zone when it boots. These processors are not available for use by other zones or the global zone while the zone is run- ning. See the poolcfg(1M) and pooladm(1M) man pages for more infor- mation on pools. The cpus to dedicate can be specifically chosen, or automatically chosen: Choosing specific cpu resources Set one of cpus, cores, or sockets to a list of cpu, core or socket ids. Use psrinfo -t and pooladm to see which cpus, cores and/or sockets are available. If any of the specified resources are assigned to another zone or pool, the zone will fail to boot. This includes subsets of the assigned resources. For example, if an assigned socket has a core assigned elsewhere. If any of the specified cpu resources do not exist or are faulted or offline, a warning will be displayed when the zone boots. The zone will receive all of the specified cpu resources that are online. If a cpu resource is partially online, such as a core with some cpus faulted, the zone will receive the remaining online cpus from the core, and a warning will be displayed. If none of the specified cpu resources are online, the zone will fail to boot. Automatically chosen cpus resources This can vary on each boot or live zone reconfiguration of the zone. Set ncpus to an integer range or scalar value. A range is expressed using a -, such as 1-4 to represent one to four pro- cessors. If a range is specified, the quantity of cpus dedi- cated to the zone may change while the zone is running. Optionally set "importance" to configure the pool.importance value of the resource pool associated with the dedicated cpus. The "importance" value is an integer value. Pools with higher importance are favored for cpu allocation when ranges are used. See thelibpool(3LIB) manpage for a description of importance based allocation. If there are not sufficient available online cpus to satisfy the minimum or integer value set, the zone will fail to boot or live reconfigure. When automatic cpus are configured the specific cpus, dedicated to the zone can change while it is running. For example, if a cpu resource in use by an automatic running zone is assigned elsewhere, the cpu resource will be replaced with another available cpu resource. The quantity of cpu resources dedicated to a running automatic cpu zone can also change within the con- straints the range specified. solaris-kz branded zones cannot change cpus while running. They do not support a range value for ncpus. Cpu resources in use by running solaris-kz branded zones cannot be assigned elsewhere, even if they are chosen automatically. Due to this, it is rec- ommended that zones using specific cpus should be be booted before solaris-kz branded zones using automatic cpus. This resource is incompatible with both the pool and cpu-shares properties. Only a single instance of this resource can be added to the zone. capped-memory: physical, swap, locked The caps on the memory that can be used by this zone. A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte). Each of these properties is optional but at least one property must be set when adding this resource. Only a single instance of this resource can be added to the zone. The physical property sets the max-rss for this zone. This will be enforced by rcapd(1M) running in the global zone. The swap property is the preferred way to set the zone.max-swap rctl. The locked property is the preferred way to set the zone.max-locked-memory rctl. capped-cpu: ncpus Sets a limit on the amount of CPU time that can be used by a zone. The unit used translates to the percentage of a single CPU that can be used by all user threads in a zone, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 mean 75%, and so forth. When projects within a capped zone have their own caps, the minimum value takes prece- dence. The capped-cpu property is an alias for zone.cpu-cap resource con- trol and is related to the zone.cpu-cap resource control. See resource-controls (5). admin: user, auths Delegates zone administrative authorizations to the specified user or role. The user must correspond to a valid local account. The allowed values for auths are: login Allows authenticated use of zlogin(1) into this zone. manage Allows normal management of the configured zone. copyfrom Allows the use of the specified zone as a source from which to clone a new zone. config Allows to modify the persistent configuration of the zone. liveconfig Allows to inspect and to modify the live configuration of the running zone. rootzpool: storage Defines one or more storage resources to be used exclusively for a dedicated zpool containing the zone installation. The allowed val- ues for storage are defined in suri(5). zpool: storage, name Defines one or more storage resources to be used exclusively for a zpool delegated to the zone. The allowed values for storage are defined in suri(5). The allowed values for name are defined in zpool(1M). The name rpool is not permitted. npiv: virtual-port-wwn, over-hba Sets an unique 64bit port world wide name to an npiv with virtual- port-wwn, which is optional and will be set with an automatically generated wwn. users can still override this generated wwn. Property over-hba is optional as well and it could be an empty string, which means physical HBA ports are chosen in a round-robin policy to spread them across the available ports. If this property is set the value for over-hba must be an unsigned integer leading by 'c' for one physical NPIV capable FC HBA controller as shown under /dev/cfg/c*. Please refer to cfgadm_fp(1M) for more detailed information. verified-boot: policy, cert policy Controls ELF signature verification of bootloader and kernel modules in the zones guest. Values can be set to "none", "warning" and "enforce". "None" skips verifica- tion. "Warning" logs a message on verification failure. "Enforce" causes the module to not load on failure. By default, policy is set to "warning". cert Adds customer-installed public key cert for third-party and self-signed software. These cert files are used for ELF signature verification in addition to the default Oracle cert. The cert path can be added using file:///, http:// or https:// URL. keysource: raw Provides administrative access to the cryptographic key used for kernel zone suspend images and host data as described in solaris- kz(5). The value of raw cannot be set directly, except with the command_file mode. suspend: path, storage Configures the location of a kernel zone's suspend image. Only one suspend resource is allowed. If no suspend resource is present, suspend and resume are not supported by the kernel zone. The sus- pend resource allows either path or storage to be specified, and not both. If path is specified, it is the full path to which the suspend file will be written and its parent directory must exist. If storage is specified, it must be a device referenced by a stor- age URI as described in suri(5). Using Kernel Statistics to Monitor CPU Caps Using the kernel statistics (kstat(3KSTAT)) module caps, the system maintains information for all capped projects and zones. You can access this information by reading kernel statistics (kstat(3KSTAT)), specify- ing caps as the kstat module name. The following command displays ker- nel statistics for all active CPU caps: # kstat caps::'/cpucaps/' A kstat(1M) command running in a zone displays only CPU caps relevant for that zone and for projects in that zone. See EXAMPLES. The following are cap-related arguments for use with kstat(1M): caps The kstat module. project_caps or zone_caps kstat class, for use with the kstat -c option. cpucaps_project_id or cpucaps_zone_id kstat name, for use with the kstat -n option. id is the project or zone identifier. The following fields are displayed in response to a kstat(1M) command requesting statistics for all CPU caps. module In this usage of kstat, this field will have the value caps. name As described above, cpucaps_project_id or cpucaps_zone_id above_sec Total time, in seconds, spent above the cap. below_sec Total time, in seconds, spent below the cap. maxusage Maximum observed CPU usage. nwait Number of threads on cap wait queue. usage Current aggregated CPU usage for all threads belonging to a capped project or zone, in terms of a percentage of a single CPU. value The cap value, in terms of a percentage of a single CPU. zonename Name of the zone for which statistics are displayed. See EXAMPLES for sample output from a kstat command. Configuration From Unified Archives Unified Archives, created with archiveadm(1M), provide a means for ar- chiving Solaris instances. Each Unified Archive may contain data and metadata corresponding to one or more global and/or non-global zones. By default, archiveadm(1M) generates an archive that is suitable for system or zone cloning. Optionally, archiveadm(1M) may create an ar- chive that is suitable for system recovery. If the zonecfg create -a archive [options] subcommand is used to con- figure a zone from an Unified Archive, archive creation options can affect the degree to which the archived configuration is preserved: when configuring from a clone archive, property values that are likely to cause problems if they are the same for multiple hosts will take on a default value. These properties are: - host id anet allowed-address anet mac-address net allowed-address Additonally, if the archived zone name and the name of the zone being installed do not match, some properties will be automatically updated to reflect the new zone name: zonepath If the last element of the zonepath matches the archived zone name, the last element in the zonepath is replaced with the new zone name. dataset/alias For dataset resources, if the alias matches the archived zone name, the alias is replaced with the new zone name. dataset/name For dataset resources, if the last element of the name property matches the archived zone name, the last ele- ment in the name property is replaced with the new zone name. Configuration from a Unified Archive does not prevent the use of subse- quent commands to modify resources and property values as required. OPTIONS The following options are supported: -f command_file Specify the name of zonecfg command file. command_file is a text file of zonecfg subcommands, one per line obtained from output of export subcommand. -r Enables the live edit mode. Instructs zonecfg to edit the live con- figuration of a running zone instead of a persistent configuration from a stable storage. When used, zonecfg retrieves a snapshot of the current live zone configuration. The full set of zonecfg sub- commands is supported in this mode. The live configuration takes effect immediately after it is commited and remains active until the next zone reboot. The live mode is only allowed for a running zone and requires the authorization solaris.zone.liveconfig/zone- name. -z zonename Specify the name of a zone. Zone names are case sensitive. Zone names must begin with an alphanumeric character and can contain alphanumeric characters, the underscore (_) the hyphen (-), and the dot (.). The name global and all names beginning with SYS are reserved and cannot be used. TOKENS The following tokens are supported for use in certain properties: %{zonename} Evaluates to name of the zone. %{id} Evaluates to id property of a particular resource. This token is used within a resource scope which supports id property. %{global-rootzpool} Evaluates to global zone's rootzpool name. %% Evaluates to %. ----------------------------------------------------------------- |Resource | Property | Supported Tokens | |---------------------------------------------------------------| |global | zonepath | %{zonename} | |---------------------------------------------------------------| |dataset | name | %{zonename} | |---------------------------------------------------------------| |device | match | %{zonename}, %{id}, %{global-rootzpool} | | | storage | %{zonename}, %{id}, %{global-rootzpool} | |---------------------------------------------------------------| |fs | raw | %{zonename} | | | special | %{zonename} | |---------------------------------------------------------------| |net | physical | %{id} | |---------------------------------------------------------------| |anet | linkname | %{id} | |---------------------------------------------------------------| |suspend | storage | %{zonename}, %{global-rootzpool} | | | path | %{zonename} | |---------------------------------------------------------------| |rootzpool | storage | %{zonename}, %{global-rootzpool} | |---------------------------------------------------------------| |zpool | storage | %{zonename}, %{global-rootzpool} | ----------------------------------------------------------------- SUBCOMMANDS You can use the add and select subcommands to select a specific resource, at which point the scope changes to that resource. The selected subcommand can only be applied on resources that have been already added to the zone configuration. Some resources, like anet, are added automatically. The end and cancel subcommands are used to com- plete the resource specification, at which time the scope is reverted back to global. zonecfg supports a semicolon-separated list of subcommands. For exam- ple: # zonecfg -z myzone "add net; set physical=myvnic; end" Subcommands which can result in destructive actions or loss of work have an -F option to force the action. If input is from a terminal device, the user is prompted when appropriate if such a command is given without the -F option otherwise, if such a command is given with- out the -F option, the action is disallowed, with a diagnostic message written to standard error. The following subcommands are supported: add resource-type add property-name property-value (resource scope) In the global scope or in a resource scope, begin the specification for a given resource type. The scope is changed to that resource type. In the resource scope, add a property of the given name with the given value. The syntax for property values varies with different property types. In general, it is a simple value or a list of sim- ple values enclosed in square brackets, separated by commas ([foo,bar,baz]). See PROPERTIES. cancel End the resource specification and reset scope to global. Abandons any partially specified resources. cancel is only applicable in the resource scope. clear property-name Clears the value for the property to a default value. commit [-n] [-q] Default mode Commits the current configuration from memory to stable storage. The configuration must be committed to be used by zoneadm. Options -n and -q are not permitted in the default mode. Live mode Reconfigure the running zone to match the current in-memory live configuration and print out per- formed actions. Applied changes take effect immedi- ately and remain active until to the next zone reboot. If the live configuration externally changes before the commit subcommand is invoked, the operation returns an error. Such a case requires to reload the live configuration and reap- ply desired changes for the commit to succeed. The following options are supported: -n Runs the reconfiguration in a dry run mode that does not change the configuration of a running zone. The dry run mode acts the same way as the real reconfiguration but leaves the running zon intact. Use the dry run to review actions that would be performed by the real reconfiguration. -q Quiet mode. Suppresses all messages related to the zone reconfiguration. Until the in-memory configuration is committed you can remove changes with the reload subcommand. The commit operation is attempted automatically upon completion of a zonecfg session. Since a configuration must be correct to be committed, this operation automatically does a verify. create [-F] [ -a directory |-b | -t template] create [-F] -a archive [-z archived_zone] [-<cert|ca-cert|key>=path] ... Create an in-memory configuration for the specified zone. Use cre- ate to begin to configure a new zone. See commit for saving this to stable storage. If you are overwriting an existing configuration, specify the -F option to force the action. Specify the -t template option to cre- ate a configuration identical to template, where template is the name of a configured zone. create uses a default template of SYSdefault. The default template can be changed on a system-wide basis using the default_template SMF property of the svc:/system/zones:default service. An adminis- trator can override the default for this zone using -t (with a spe- cific template) or -b (to use a blank template). Use the -a directory option to facilitate configuring a detached zone on a new host. The path parameter is the zonepath location of a detached zone that has been moved on to this new host. Once the detached zone is configured, it should be installed using the "zoneadm attach" command (see zoneadm(1M)). All validation of the new zone happens during the attach process, not during zone config- uration. Use the -a archive option to facilitate configuring a zone from a Unified Archive created with archiveadm(1M). The archive may be an absolute path or a file, http, or https URI. If the Unified Archive contains multiple zones, the -z archived_zone option must be used to specify which zone in the archive is to be used for configura- tion. If archive is accessed through an https URI, the -x option may be used to specify the location of a certificate, CA certifi- cate, and/or key file. If specified, the cert, cacert, and key must be in PEM format. See Configuration from Unified Archives, above for more details. Use the -b option to create a blank configuration. Without argu- ments, create applies the Oracle Sun default settings. delete [-F] Delete the specified configuration from memory and stable storage. This action is instantaneous, no commit is necessary. A deleted configuration cannot be reverted. Specify the -F option to force the action. end End the resource specification. This subcommand is only applicable in the resource scope. zonecfg checks to make sure the current resource is completely specified. If so, it is added to the in-mem- ory configuration (see commit for saving this to stable storage) and the scope reverts to global or a previous resource scope. If the specification is incomplete, it issues an appropriate error message. export [-f output-file] Print configuration to standard output. Use the -f option to print the configuration to output-file. This option produces output in a form suitable for use in a command file. help [usage] [subcommand] [syntax] [command-name] Print general help or help about given topic. info zonename | zonepath | autoboot | autoshutdown | brand | pool | limitpriv | global-time info [-i | -I] [resource-type [identifier | [property-name=property- value]*]] Display information about the current configuration. If resource- type is specified, it displays only information about resources of the relevant type. If any identifier or property name value pairs are specified, displays only information about resources meeting the given criteria. In the resource scope, info displays informa- tion about the resource which is currently being added or modified. Tokens may be displayed when a specific property or resource type is requested in zonecfg interactive mode, as property-name.tem- plate: template-value. The evaulated output of this template value is given by property-name: propperty-value. See EXAMPLES. The following options are supported: -i Always include identifiers -I Never include identifiers remove resource-type [identifier | {property-name=property-value}] Remove the specified resource. If you have to remove only a single instance of the resource, you must specify either the identifier or enough property name-value pairs for the resource to be uniquely identified. If no identifier or property name-value pairs are spec- ified, all instances will be removed. If there is more than one instance of a resource-type, a confirmation is required, unless you use the -F option. select resource-type {identifier | {property-name=property-value}} Select the resource of the given type which matches the identifier specified or the given property-name property-value pair criteria, for modification. The scope is changed to that resource type. The {} syntax indicates one or more of whatever is inside the curly braces. You must specify enough property -name property-value pairs for the resource to be uniquely identified. set property-name=property-value Set a given property name to the given value. Some properties (for example, zonename and zonepath) are global while others are resource-specific. This subcommand is applicable in both the global and resource scopes. verify [-v] Verify the current configuration for correctness: o All resources have all of their required properties specified. o A zonepath is specified. If the -v option is specified, warnings will be issued if there is a potential for devices specified in device resources to conflict with and hide ZFS volumes created within aliased datasets. See dev(7FS). revert [-F] Revert the configuration back to the last committed state. The -F option can be used to force the action. reload [-F] Discard any uncommited changes and reload the configuration from a stable storage (default mode) or retrieve an up-to-date configura- tion of the running zone (live mode). The -F option can be used to force the action. revert [-F] Revert the persistent configuration back to the last committed state. The -F option can be used to force the action. This subcom- mand is not allowed in the live mode. exit [-F] Exit the zonecfg session. A commit is automatically attempted if needed. You can also use an EOF character to exit zonecfg. The -F option can be used to force the action. EXAMPLES Example 1 Creating the Environment for a New Zone In the following example, zonecfg creates the environment for a new zone. /usr/local is loopback mounted from the global zone into /opt/local. /opt/sfw is loopback mounted from the global zone, a VNIC over nxge0 is added to the zone with three IP addresses, and a limit on the number of fair-share scheduler (FSS) CPU shares for a zone is set using the rctl resource type. The example also shows how to select a given resource for modification; in this case, by selecting the anet resource that is automatically created by zonecfg. example# zonecfg -z myzone3 my-zone3: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:myzone3> create zonecfg:myzone3> info zonepath zonepath.template: /system/zones/%{zonename} zonepath: /system/zones/myzone3 zonecfg:myzone3> set autoboot=true zonecfg:myzone3> add fs zonecfg:myzone3:fs> set dir=/opt/local zonecfg:myzone3:fs> set special=/usr/local zonecfg:myzone3:fs> set type=lofs zonecfg:myzone3:fs> add options [ro,nodevices] zonecfg:myzone3:fs> end zonecfg:myzone3> add fs zonecfg:myzone3:fs> set dir=/mnt zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7 zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7 zonecfg:myzone3:fs> set type=ufs zonecfg:myzone3:fs> end zonecfg:myzone3> add fs zonecfg:myzone3:fs> set dir=/opt/sfw zonecfg:myzone3:fs> set special=/opt/sfw zonecfg:myzone3:fs> set type=lofs zonecfg:myzone3:fs> add options [ro,nodevices] zonecfg:myzone3:fs> end zonecfg:myzone3> select anet linkname=net0 zonecfg:myzone3:anet> set lower-link=nxge0 zonecfg:myzone3:anet> set allowed-address="192.168.0.1/24,192.168.1.2/\ 24,192.168.2.3/24" zonecfg:myzone3:anet> end zonecfg:my-zone3> set cpu-shares=5 zonecfg:my-zone3> add capped-memory zonecfg:my-zone3:capped-memory> set physical=50m zonecfg:my-zone3:capped-memory> set swap=100m zonecfg:my-zone3:capped-memory> end zonecfg:myzone3> exit Example 2 Creating an Exclusive-IP Zone The following example creates a zone that is assigned a VNIC named net0. The link over which the VNIC is created is automatically deter- mined. The IP addresses and routing are configured inside the new zone using ipadm(1M). example# zonecfg -z excl zonecfg:excl> create zonecfg:excl> set zonepath=/export/zones/excl zonecfg:excl> exit Example 3 Creating a Shared-IP Zone The following example creates a zone that shares an IP stack with the global zone, and is assigned a single IP address and default router. example# zonecfg -z shared zonecfg:shared> create -b zonecfg:shared> set zonepath=/export/zones/shared zonecfg:shared> set ip-type=shared zonecfg:shared> add net zonecfg:shared:net> set physical=nge0 zonecfg:shared:net> set address=192.168.0.3/24 zonecfg:shared:net> set defrouter=192.168.0.1 zonecfg:shared:net> end zonecfg:shared> exit Example 4 Associating a Zone with a Resource Pool The following example shows how to associate an existing zone with an existing resource pool: example# zonecfg -z myzone zonecfg:myzone> set pool=mypool zonecfg:myzone> exit For more information about resource pools, see pooladm(1M) and pool- cfg(1M). Example 5 Changing the Name of a Zone Changing the zonename property is permitted only for zones in config- ured state. For zones in installed state, use the zoneadm(1M) rename subcommand. The following example shows how to change the name of an existing zone: example# zonecfg -z myzone zonecfg:myzone> set zonename=myzone2 zonecfg:myzone2> exit Example 6 Changing the Privilege Set of a Zone The following example shows how to change the set of privileges. An existing zone's processes will be limited to the next time the zone is booted. In this particular case, the privilege set will be the standard safe set of privileges that a zone normally has along with the privi- lege to use the profile and syscall providers of dtrace with some caveats: example# zonecfg -z myzone zonecfg:myzone> set limitpriv="default,dtrace_user" zonecfg:myzone2> exit Example 7 Changing global-time property to set systime-wide time example# zonecfg -z myzone zonecfg:myzone> set global-time="true" zonecfg:myzone2> exit Example 8 Setting the zone.cpu-shares Property for the Global Zone The following command sets the zone.cpu-shares property for the global zone: example# zonecfg -z global zonecfg:global> set cpu-shares=5 zonecfg:global> exit Example 9 Using Pattern Matching The following commands illustrate zonecfg support for pattern matching. In the zone flexlm, enter: zonecfg:flexlm> add device zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]" zonecfg:flexlm:device> end In the global zone, enter: global# ls /dev/cua a a000 a001 a002 a003 a004 a005 a006 a007 b In the zone flexlm, enter: flexlm# ls /dev/cua a002 a003 a004 a005 Example 10 Setting a Cap for a Zone to Three CPUs The following sequence uses the zonecfg command to set the CPU cap for a zone to three CPUs. zonecfg:myzone> add capped-cpu zonecfg:myzone>capped-cpu> set ncpus=3 zonecfg:myzone>capped-cpu>capped-cpu> end The preceding sequence, which uses the capped-cpu property, is equiva- lent to the following sequence, which makes use of the zone.cpu-cap resource control. zonecfg:myzone> add rctl zonecfg:myzone:rctl> set name=zone.cpu-cap zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none) zonecfg:myzone:rctl> end Example 11 Using kstat to Monitor CPU Caps The following command displays information about all CPU caps. # kstat -n /cpucaps/ module: caps instance: 0 name: cpucaps_project_0 class: project_caps above_sec 0 below_sec 2157 crtime 821.048183159 maxusage 2 nwait 0 snaptime 235885.637253027 usage 0 value 18446743151372347932 zonename global module: caps instance: 0 name: cpucaps_project_1 class: project_caps above_sec 0 below_sec 0 crtime 225339.192787265 maxusage 5 nwait 0 snaptime 235885.637591677 usage 5 value 18446743151372347932 zonename global module: caps instance: 0 name: cpucaps_project_201 class: project_caps above_sec 0 below_sec 235105 crtime 780.37961782 maxusage 100 nwait 0 snaptime 235885.637789687 usage 43 value 100 zonename global module: caps instance: 0 name: cpucaps_project_202 class: project_caps above_sec 0 below_sec 235094 crtime 791.72983782 maxusage 100 nwait 0 snaptime 235885.637967512 usage 48 value 100 zonename global module: caps instance: 0 name: cpucaps_project_203 class: project_caps above_sec 0 below_sec 235034 crtime 852.104401481 maxusage 75 nwait 0 snaptime 235885.638144304 usage 47 value 100 zonename global module: caps instance: 0 name: cpucaps_project_86710 class: project_caps above_sec 22 below_sec 235166 crtime 698.441717859 maxusage 101 nwait 0 snaptime 235885.638319871 usage 54 value 100 zonename global module: caps instance: 0 name: cpucaps_zone_0 class: zone_caps above_sec 100733 below_sec 134332 crtime 821.048177123 maxusage 207 nwait 2 snaptime 235885.638497731 usage 199 value 200 zonename global module: caps instance: 1 name: cpucaps_project_0 class: project_caps above_sec 0 below_sec 0 crtime 225360.256448422 maxusage 7 nwait 0 snaptime 235885.638714404 usage 7 value 18446743151372347932 zonename test_001 module: caps instance: 1 name: cpucaps_zone_1 class: zone_caps above_sec 2 below_sec 10524 crtime 225360.256440278 maxusage 106 nwait 0 snaptime 235885.638896443 usage 7 value 100 zonename test_001 Example 12 Displaying CPU Caps for a Specific Zone or Project Using the kstat -c and -i options, you can display CPU caps for a spe- cific zone or project, as below. The first command produces a display for a specific project, the second for the same project within zone 1. # kstat -c project_caps # kstat -c project_caps -i 1 Example 13 Delegating Zone Administrative Rights The following example shows how to assign administrative rights for the current zone to a role. example# zonecfg -z myzone zonecfg:myzone> add admin zonecfg:myzone:admin> set user=zadmin zonecfg:myzone:admin> set auths=login,manage zonecfg:myzone:admin> end zonecfg:myzone> commit The result of executing these commands would be an updated entry in the RBAC user_attr(4) database, similar to the following: zadmin::::type=role;\ auths=solaris.zone.login/myzone,solaris.zone.manage/myzone;profiles=\ Zone Management Example 14 Creating an Exclusive-IP Zone with Non-Default Properties The following example creates a zone with an automatically created VNIC over mylink0 with the given MAC address, maximum bandwidth of 100 Mbps, high priority, dedicated hardware rings for RX side, no dedicated hard- ware rings for the TX side (that is, software-based) and with a VLAN id 2. example# zonecfg -z excl excl: No such zone configured Use 'create' to begin configuring a new zone zonecfg:excl> create -b zonecfg:excl> set zonepath=/export/zones/excl zonecfg:excl> add anet zonecfg:excl:anet> set linkname=mynic0 zonecfg:excl:anet> set lower-link=mylink0 zonecfg:excl:anet> set mac-address=8:0:20:fe:4e:b8 zonecfg:excl:anet> set maxbw=100M zonecfg:excl:anet> set priority=high zonecfg:excl:anet> set vlan-id=2 zonecfg:excl:anet> set rxrings=hw zonecfg:excl:anet> set txrings=sw zonecfg:excl:anet> end zonecfg:excl> exit Example 15 Creating a Read-Only Zone The following example creates a new zone that has its root filesystem protected against modifications by the zone. Files in /var are writable by virtue of the fixed-configuration profile that is applied. example# zonecfg -z rozone rozone: No such zone configured Use 'create' to begin configuring a new zone zonecfg:rozone> create zonecfg:rozone> set brand=solaris zonecfg:rozone> set zonepath=/export/zones/rozone zonecfg:rozone> set autoboot=true zonecfg:rozone> set file-mac-profile=fixed-configuration zonecfg:rozone> set ip-type=exclusive zonecfg:rozone> add net zonecfg:rozone:net> set physical=vnic0 zonecfg:rozone:net> end zonecfg:rozone> exit Example 16 Creating an Exclusive-IP Zone with an IB Partition The following example creates a zone with default properties. The zone will automatically create a IPoIB datalink when the zone boots and delete the datalink when the zone halts. example# zonecfg -z excl excl: No such zone configured Use 'create' to begin configuring a new zone zonecfg:excl> create zonecfg:excl> set zonepath=/export/zones/excl zonecfg:excl> set ip-type=exclusive zonecfg:excl> add anet zonecfg:excl> set linkname=part0 zonecfg:excl> set lower-link=net4 zonecfg:excl> set pkey=ffff zonecfg:excl:anet> end zonecfg:excl> exit Example 17 Creating a Zone Installed into a Dedicated Storage Resource and zpool The following example creates a new zone with a zpool resource com- prised of one storage resource containing the entire zone installation. The zpool will be automatically created or a pre-created zpool will be imported during zone installation. The name will be zoss_rpool. example# zonecfg -z zoss zoss: No such zone configured Use 'create' to begin configuring a new zone zonecfg:zoss> create zonecfg:zoss> set zonepath=/zoss zonecfg:zoss> add rootzpool zonecfg:zoss:rootzpool> add storage iscsi://127.0.0.1/luname.naa.6001\ 44f03d70c80000004ea57da10001 zonecfg:zoss:rootzpool> end zonecfg:zoss> exit Example 18 Creating a Zone with a Delegated zpool Resource The following example creates a new zone with a zpool resource dele- gated to the zone comprised of two storage resources. The zpool will be automatically created or a pre-created zpool will be imported during zone installation. The name will be zoss_mypool. example# zonecfg -z zoss zoss: No such zone configured Use 'create' to begin configuring a new zone zonecfg:zoss> create zonecfg:zoss> set zonepath=/zoss zonecfg:zoss> add zpool zonecfg:zoss:zpool> set name=mypool zonecfg:zoss:zpool> add storage dev:/dev/dsk/c0t1d0 zonecfg:zoss:zpool> add storage dev:/dev/dsk/c1t1d0 zonecfg:zoss:zpool> end zonecfg:zoss> exit Example 19 Creating a Zone with an npiv Resource The following example creates a new zone with two npiv resources dele- gated to the zone. The two npiv ports will be automatically created during zone installation. example# zonecfg -z vzone vzone: No such zone configured Use 'create' to begin configuring a new zone zonecfg:vzone> create zonecfg:vzone> add npiv zonecfg:vzone:npiv> set virtual-port-wwn=2100000000000001 zonecfg:vzone:npiv> set over-hba=c9 zonecfg:vzone:npiv> end zonecfg:vzone> add npiv zonecfg:vzone:npiv> end zonecfg:vzone> exit Example 20 Inspecting the Live Configuration of the Running Zone The following example inspects the live configuration of the running zone. example# zonecfg -z myzone -r zonecfg:myzone> info Example 21 Temporarily adding a new anet to the Running Zone Without Rebooting the Zone The following example temporarily adds a new anet to the running zone without rebooting the zone. example# zonecfg -z myzone -r zonecfg:myzone> add anet zonecfg:myzone> set linkname=anet1 zonecfg:myzone> set lower-link=net1 zonecfg:myzone> end zonecfg:myzone> commit Example 22 Creating a Zone Configuration From a Unified Archive The following example creates a new zone configuration from a Unified Archive stored in /export/archvies. The archive contains only one zone, named web with zonepath /zones/web. As is shown by the info subcommand, the zonepath was adjusted as described in the Configuration From Uni- fied Archives section, above. example# zonecfg -z ex17 ex17: No such zone configured Use 'create' to begin configuring a new zone zonecfg:ex17> create -a /export/archives/web.uar zonecfg:ex17> info zonepath zonepath: /zones/web zonecfg:ex17> set zonepath=/zones/ex17 zonecfg:ex17> exit Equivalently, this could be done in non-interactive mode: example# zonecfg -z ex17 "create -a /export/archives/web.uar; set zonepath=/zones/web" Example 23 Creating a Zone Configuration From a Unified Archive on a Secure Web Server This example shows a non-interactive command that configures a zone from an archive on a secure web server. The -z option is used to spec- ify that a specific archived zone is to be used as the configuration source. The certificate, CA certificate, and key were first transferred to this machine. example# zonecfg -z ex19 create \fR -a https://install.example.com/archives/combo.uar -z database -x cert=/root/install.pem -x cacert=/root/example.com.pem -x key=/root/sslkey.pem ; set zonepath=/zones/ex19 Example 24 Creating a Zone Configuration for p2v of a Global Zone This example shows the creation of a zone configuration from a Unified Archive using an archived global zone as the source. Note that the zone configuration found in the archive was generated with zonep2vchk(1M) and as such may include notes for further customization that is recom- mended. example# zonecfg -z ex20 ex20: No such zone configured Use 'create' to begin configuring a new zone set zonepath=/zones/ex20 zonecfg:ex20> create -a /export/p2v.uar -z global zonecfg:ex20> info attr attr: name: zonep2vchk-info type: string value: "p2v of host m4k" attr: name: zonep2vchk-net-blue0 type: string value: "original system had NIC blue0 with MAC address 0:8:20:9e:eb:8c and IP address 10.147.23.12: consider anet (linkname=blue0 mac-address=0:8:20:9e:eb:8c allowed-address=10.147.23.12)" attr: name: zonep2vchk-num-cpus type: string value: "original system had 4 CPUs: consider capped-cpu (ncpus=4.0) or dedicated-cpu (ncpus=4)" attr: name: zonep2vchk-physmem type: string value: "original system had 32 GB: consider capped-memory (physical=32G)" attr: name: zonep2vchk-swap type: string value: "original system had 48 GB: consider capped-memory (swap=48G)" zonecfg:ex20> select anet linkname=blue0 zonecfg:ex20:anet> set allowed-address=10.147.23.12 zonecfg:ex20:anet> set configure-allowed-address=true zonecfg:ex20:anet> end zonecfg:ex20> add capped-memory zonecfg:ex20:capped-memory> set swap=48G zonecfg:ex20:capped-memory> end zonecfg:ex20> exit Example 25 Creating a Zone That has an anet Resource That Connects to an Elastic Virtual Switch. The following example creates a zone that has a VNIC anet resource that connects to an EVS evsa and VPort vport0 for tenant tenantA. example# zonecfg -z evszone evszone: No such zone configured Use 'create' to begin configuring a new zone zonecfg:evszone> create zonecfg:evszone> set zonepath=/export/zones/evszone zonecfg:evszone> set tenant=tenantA zonecfg:evszone> add anet zonecfg:evszone:net> set evs=EVSA zonecfg:evszone:net> set vport=vport0 zonecfg:rozone:net> end zonecfg:rozone> exit example# zoneadm -z evszone install example# zoneadm -z evszone boot example# dladm show-vnic -c LINK TENANT EVS VPORT OVER MACADDRESS VIDS evszone/net0 tenantA EVSA vport0 net2 2:8:20:1a:c1:e4 0 When the zone boots, evszone/net0 VNIC anet will have the MAC address, IP address, and the SLA properties of the vport EVSA/vport0. Example 26 Changing Verified Boot Settings # zonecfg -z vbzone1 zonecfg:vbzone1> add verified-boot zonecfg:vbzone1:verified-boot> set policy=enforce zonecfg:vbzone1:verified-boot> add cert file:///etc/certs/INTERNALSE zonecfg:vbzone1:verified-boot> add cert http://keyserv.hang10software.com/keydist/hang10se.pem zonecfg:vbzone1:verified-boot> end Example 27 Copying a Zone Configuration to Another System for Zone Migration When migrating a zone from one global zone to another global zone, the zone configuration needs to migrate first. The export subcommand exports all zone configuration such that it can be used with the zonecfg -f option on the new global zone with exact preservation. If a procedure like the one shown in this example is not used, kernel zones will not be able to access any suspend file or properly attach to the new global zone. global1# zonecfg -z ex22 export -f /net/scratch/export/ex22.cfg global2# zonecfg -z ex22 -f /net/scratch/export/ex22.cfg Example 28 Using the anet iov Property for a Kernel Zone In this example, kz1 is a kernel zone with a single anet # zonecfg -z kz1 zonecfg:kz1> select anet id=0 zonecfg:kz1:anet> set iov=auto zonecfg:kz1:anet> end zonecfg:kz1>exit If lower-link is not auto, the user must ensure that the lower-link has iov turned on before booting the kernel zone. If lower-link is auto, the user must ensure that global zone has at least one link with iov turned on. If iov is not on, it can be turned on by: # dladm set-linkprop -p iov=on net1 If a VF is available, after booting the kernel zone, a VF should appear as a physical NIC device within the kernel zone: kz1# dladm show-phys LINK MEDIA STATE SPEED DUPLEX DEVICE net0 Ethernet up 10000 full ixgbevf0 Example 29 Using an NFS SURI for a Device Property in a Kernel Zone # zonecfg -z kz1 zonecfg:kz1> add device zonecfg:kz1> set storage=nfs://user1:staff@testsys1/export/test/kz1_dev1 zonecfg:kz1> end zonecfg:kz1>exit EXIT STATUS The following exit values are returned: 0 Successful completion. 1 An error occurred. 2 Invalid usage. ATTRIBUTES See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |system/zones | +-----------------------------+-----------------------------+ |Interface Stability |Volatile | +-----------------------------+-----------------------------+ SEE ALSO ppriv(1), prctl(1), lgrpinfo(1), zlogin(1), archiveadm(1M), dladm(1M), format(1M), ipadm(1M), kstat(1M), mount(1M), pooladm(1M), poolcfg(1M), poold(1M), psrinfo(1M), rcapd(1M), rctladm(1M), route(1M), suriadm(1M), svcadm(1M), zfs(1M), zoneadm(1M), zonep2vchk(1M), zpool(1M), priv_str_to_set(3C), kstat(3KSTAT), user_attr(4), vfstab(4), attributes(5), brands(5), fnmatch(5), mwac(5), privileges(5), rbac(5), resource-controls (5), solaris-kz(5), suri(5), tpd(5), zones(5), dev(7FS), hsfs(7FS), zfs(7FS), uscsi(7I), evsadm(1M) Resource Management and Oracle Solaris Zones Developer's Guide NOTES All character data used by zonecfg must be in US-ASCII encoding. Adding a device to a zone, in general, can allow the zone to adversely affect the security and stability of the system, as not all devices have been audited for secure use inside a zone. Storage devices using the sd or ssd target driver (this can be checked using prtconf -D /dev/dsk/c2t40d3, for example) can be safely delegated to a zone. This will allow a zone admin to label and partition such devices. In order to allow disk labelling by means of format(1M), an entire disk/LUN should be delegated to a zone, and the allow-partition prop- erty set. For example: zonecfg:myzone> add device zonecfg:myzone> set match=/dev/*dsk/c2t40d3* zonecfg:myzone> set allow-partition=true zonecfg:myzone> end While it is not recommended, it is also possible to delegate just a single slice (for example, match=/dev/dsk/c2t40d3s0) of a disk. In order for this to be safe, the allow-partition property must not be true, and the slice or partition must not overlap the disk header of disk labels (these are located within the first two or last two blocks of the partition or disk). Raw access to storage devices can be enabled by setting the allow-raw- io property to true. This is unsafe, as it allows raw SCSI commands (see uscsi(7I)) to be performed by zone processes. Inside a zone, device-in-use checking does not work, as the /devices/ tree it relies upon is not present. A future project might address this limitation. The mount point for a lofs file system specified by an "add fs" resource must not lie within any filesystem that is mounted by the zone. In particular, such mountpoints must not lie beneath /var and /export. SunOS 5.11 14 Jul 2015 zonecfg(1M)
© Lightnetics 2024