Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
   1 '\" te
   2 .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright 2013 Joyent, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH ZONECFG 1M "Feb 28, 2014"
   8 .SH NAME
   9 zonecfg \- set up zone configuration
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fBzonecfg\fR \fB-z\fR \fIzonename\fR
  14 .fi
  15 
  16 .LP
  17 .nf
  18 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fIsubcommand\fR
  19 .fi
  20 
  21 .LP
  22 .nf
  23 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fB-f\fR \fIcommand_file\fR
  24 .fi
  25 
  26 .LP
  27 .nf
  28 \fBzonecfg\fR help
  29 .fi
  30 
  31 .SH DESCRIPTION
  32 .sp
  33 .LP
  34 The \fBzonecfg\fR utility creates and modifies the configuration of a zone.
  35 Zone configuration consists of a number of resources and properties.
  36 .sp
  37 .LP
  38 To simplify the user interface, \fBzonecfg\fR uses the concept of a scope. The
  39 default scope is global.
  40 .sp
  41 .LP
  42 The following synopsis of the \fBzonecfg\fR command is for interactive usage:
  43 .sp
  44 .in +2
  45 .nf
  46 zonecfg \fB-z\fR \fIzonename subcommand\fR
  47 .fi
  48 .in -2
  49 .sp
  50 
  51 .sp
  52 .LP


  55 .sp
  56 .LP
  57 In addition to creating and modifying a zone, the \fBzonecfg\fR utility can
  58 also be used to persistently specify the resource management settings for the
  59 global zone.
  60 .sp
  61 .LP
  62 In the following text, "rctl" is used as an abbreviation for "resource
  63 control". See \fBresource_controls\fR(5).
  64 .sp
  65 .LP
  66 Every zone is configured with an associated brand. The brand determines the
  67 user-level environment used within the zone, as well as various behaviors for
  68 the zone when it is installed, boots, or is shutdown. Once a zone has been
  69 installed the brand cannot be changed. The default brand is determined by the
  70 installed distribution in the global zone. Some brands do not support all of
  71 the \fBzonecfg\fR properties and resources. See the brand-specific man page for
  72 more details on each brand. For an overview of brands, see the \fBbrands\fR(5)
  73 man page.
  74 .SS "Resources"
  75 .sp
  76 .LP
  77 The following resource types are supported:
  78 .sp
  79 .ne 2
  80 .na
  81 \fB\fBattr\fR\fR
  82 .ad
  83 .sp .6
  84 .RS 4n
  85 Generic attribute.
  86 .RE
  87 
  88 .sp
  89 .ne 2
  90 .na
  91 \fB\fBcapped-cpu\fR\fR
  92 .ad
  93 .sp .6
  94 .RS 4n
  95 Limits for CPU usage.


 148 .sp
 149 .ne 2
 150 .na
 151 \fB\fBnet\fR\fR
 152 .ad
 153 .sp .6
 154 .RS 4n
 155 Network interface.
 156 .RE
 157 
 158 .sp
 159 .ne 2
 160 .na
 161 \fB\fBrctl\fR\fR
 162 .ad
 163 .sp .6
 164 .RS 4n
 165 Resource control.
 166 .RE
 167 
 168 .SS "Properties"
 169 .sp










 170 .LP
 171 Each resource type has one or more properties. There are also some global
 172 properties, that is, properties of the configuration as a whole, rather than of
 173 some particular resource.
 174 .sp
 175 .LP
 176 The following properties are supported:
 177 .sp
 178 .ne 2
 179 .na
 180 \fB(global)\fR
 181 .ad
 182 .sp .6
 183 .RS 4n
 184 \fBzonename\fR
 185 .RE
 186 
 187 .sp
 188 .ne 2
 189 .na


 408 .ne 2
 409 .na
 410 \fB\fBcapped-memory\fR\fR
 411 .ad
 412 .sp .6
 413 .RS 4n
 414 \fBphysical\fR, \fBswap\fR, \fBlocked\fR
 415 .RE
 416 
 417 .sp
 418 .ne 2
 419 .na
 420 \fB\fBcapped-cpu\fR\fR
 421 .ad
 422 .sp .6
 423 .RS 4n
 424 \fBncpus\fR
 425 .RE
 426 
 427 .sp










 428 .LP
 429 As for the property values which are paired with these names, they are either
 430 simple, complex, or lists. The type allowed is property-specific. Simple values
 431 are strings, optionally enclosed within quotation marks. Complex values have
 432 the syntax:
 433 .sp
 434 .in +2
 435 .nf
 436 (<\fIname\fR>=<\fIvalue\fR>,<\fIname\fR>=<\fIvalue\fR>,...)
 437 .fi
 438 .in -2
 439 .sp
 440 
 441 .sp
 442 .LP
 443 where each <\fIvalue\fR> is simple, and the <\fIname\fR> strings are unique
 444 within a given property. Lists have the syntax:
 445 .sp
 446 .in +2
 447 .nf


 848 \fB\fBcapped-cpu\fR: ncpus\fR
 849 .ad
 850 .sp .6
 851 .RS 4n
 852 Sets a limit on the amount of CPU time that can be used by a zone. The unit
 853 used translates to the percentage of a single CPU that can be used by all user
 854 threads in a zone, expressed as a fraction (for example, \fB\&.75\fR) or a
 855 mixed number (whole number and fraction, for example, \fB1.25\fR). An
 856 \fBncpu\fR value of \fB1\fR means 100% of a CPU, a value of \fB1.25\fR means
 857 125%, \fB\&.75\fR mean 75%, and so forth. When projects within a capped zone
 858 have their own caps, the minimum value takes precedence.
 859 .sp
 860 The \fBcapped-cpu\fR property is an alias for \fBzone.cpu-cap\fR resource
 861 control and is related to the \fBzone.cpu-cap\fR resource control. See
 862 \fBresource_controls\fR(5).
 863 .RE
 864 
 865 .sp
 866 .ne 2
 867 .na












 868 \fBglobal: \fBfs-allowed\fR\fR
 869 .ad
 870 .sp .6
 871 .RS 4n
 872 A comma-separated list of additional filesystems that may be mounted within
 873 the zone; for example "ufs,pcfs". By default, only hsfs(7fs) and network
 874 filesystems can be mounted. If the first entry in the list is "-" then
 875 that disables all of the default filesystems. If any filesystems are listed
 876 after "-" then only those filesystems can be mounted.
 877 
 878 This property does not apply to filesystems mounted into the zone via "add fs"
 879 or "add dataset".
 880 
 881 WARNING: allowing filesystem mounts other than the default may allow the zone
 882 administrator to compromise the system with a malicious filesystem image, and
 883 is not supported.
 884 .RE
 885 
 886 .sp
 887 .LP


 911                    raw             simple
 912                    type            simple
 913                    options         list of simple
 914 net               address         simple
 915                    physical        simple
 916 device            match           simple
 917 rctl              name            simple
 918                    value           list of complex
 919 attr              name            simple
 920                    type            simple
 921                    value           simple
 922 dataset           name            simple
 923 dedicated-cpu     ncpus           simple or range
 924                    importance      simple
 925 
 926 capped-memory     physical        simple with scale
 927                    swap            simple with scale
 928                    locked          simple with scale
 929 
 930 capped-cpu        ncpus           simple



 931 .fi
 932 .in -2
 933 .sp
 934 
 935 .sp
 936 .LP
 937 To further specify things, the breakdown of the complex property "value" of the
 938 "rctl" resource type, it consists of three name/value pairs, the names being
 939 "priv", "limit" and "action", each of which takes a simple value. The "name"
 940 property of an "attr" resource is syntactically restricted in a fashion similar
 941 but not identical to zone names: it must begin with an alphanumeric, and can
 942 contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot
 943 (\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for
 944 use by the system. Finally, the "autoboot" global property must have a value of
 945 "true" or "false".
 946 .SS "Using Kernel Statistics to Monitor CPU Caps"
 947 .sp
 948 .LP
 949 Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system
 950 maintains information for all capped projects and zones. You can access this
 951 information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying
 952 \fBcaps\fR as the \fBkstat\fR module name. The following command displays
 953 kernel statistics for all active CPU caps:
 954 .sp
 955 .in +2
 956 .nf
 957 # \fBkstat caps::'/cpucaps/'\fR
 958 .fi
 959 .in -2
 960 .sp
 961 
 962 .sp
 963 .LP
 964 A \fBkstat\fR(1M) command running in a zone displays only CPU caps relevant for
 965 that zone and for projects in that zone. See \fBEXAMPLES\fR.
 966 .sp
 967 .LP


1080 .ad
1081 .sp .6
1082 .RS 4n
1083 The cap value, in terms of a percentage of a single CPU.
1084 .RE
1085 
1086 .sp
1087 .ne 2
1088 .na
1089 \fB\fBzonename\fR\fR
1090 .ad
1091 .sp .6
1092 .RS 4n
1093 Name of the zone for which statistics are displayed.
1094 .RE
1095 
1096 .sp
1097 .LP
1098 See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command.
1099 .SH OPTIONS
1100 .sp
1101 .LP
1102 The following options are supported:
1103 .sp
1104 .ne 2
1105 .na
1106 \fB\fB-f\fR \fIcommand_file\fR\fR
1107 .ad
1108 .sp .6
1109 .RS 4n
1110 Specify the name of \fBzonecfg\fR command file. \fIcommand_file\fR is a text
1111 file of \fBzonecfg\fR subcommands, one per line.
1112 .RE
1113 
1114 .sp
1115 .ne 2
1116 .na
1117 \fB\fB-z\fR \fIzonename\fR\fR
1118 .ad
1119 .sp .6
1120 .RS 4n
1121 Specify the name of a zone. Zone names are case sensitive. Zone names must
1122 begin with an alphanumeric character and can contain alphanumeric characters,
1123 the underscore (\fB_\fR) the hyphen (\fB-\fR), and the dot (\fB\&.\fR). The
1124 name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and
1125 cannot be used.
1126 .RE
1127 
1128 .SH SUBCOMMANDS
1129 .sp
1130 .LP
1131 You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific
1132 resource, at which point the scope changes to that resource. The \fBend\fR and
1133 \fBcancel\fR subcommands are used to complete the resource specification, at
1134 which time the scope is reverted back to global. Certain subcommands, such as
1135 \fBadd\fR, \fBremove\fR and \fBset\fR, have different semantics in each scope.
1136 .sp
1137 .LP
1138 \fBzonecfg\fR supports a semicolon-separated list of subcommands. For example:
1139 .sp
1140 .in +2
1141 .nf
1142 # \fBzonecfg -z myzone "add net; set physical=myvnic; end"\fR
1143 .fi
1144 .in -2
1145 .sp
1146 
1147 .sp
1148 .LP
1149 Subcommands which can result in destructive actions or loss of work have an


1786 
1787 .LP
1788 \fBExample 11 \fRDisplaying CPU Caps for a Specific Zone or Project
1789 .sp
1790 .LP
1791 Using the \fBkstat\fR \fB-c\fR and \fB-i\fR options, you can display CPU caps
1792 for a specific zone or project, as below. The first command produces a display
1793 for a specific project, the second for the same project within zone 1.
1794 
1795 .sp
1796 .in +2
1797 .nf
1798 # \fBkstat -c project_caps\fR
1799 
1800 # \fBkstat -c project_caps -i 1\fR
1801 .fi
1802 .in -2
1803 .sp
1804 
1805 .SH EXIT STATUS
1806 .sp
1807 .LP
1808 The following exit values are returned:
1809 .sp
1810 .ne 2
1811 .na
1812 \fB\fB0\fR\fR
1813 .ad
1814 .sp .6
1815 .RS 4n
1816 Successful completion.
1817 .RE
1818 
1819 .sp
1820 .ne 2
1821 .na
1822 \fB\fB1\fR\fR
1823 .ad
1824 .sp .6
1825 .RS 4n
1826 An error occurred.
1827 .RE
1828 
1829 .sp
1830 .ne 2
1831 .na
1832 \fB\fB2\fR\fR
1833 .ad
1834 .sp .6
1835 .RS 4n
1836 Invalid usage.
1837 .RE
1838 
1839 .SH ATTRIBUTES
1840 .sp
1841 .LP
1842 See \fBattributes\fR(5) for descriptions of the following attributes:
1843 .sp
1844 
1845 .sp
1846 .TS
1847 box;
1848 c | c
1849 l | l .
1850 ATTRIBUTE TYPE  ATTRIBUTE VALUE
1851 _
1852 Interface Stability     Volatile
1853 .TE
1854 
1855 .SH SEE ALSO
1856 .sp
1857 .LP
1858 \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M),
1859 \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M),
1860 \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M),
1861 \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C),
1862 \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5),
1863 \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5),
1864 \fBzones\fR(5)
1865 .sp
1866 .LP
1867 \fISystem Administration Guide: Solaris Containers-Resource Management, and
1868 Solaris Zones\fR
1869 .SH NOTES
1870 .sp
1871 .LP
1872 All character data used by \fBzonecfg\fR must be in US-ASCII encoding.
   1 '\" te
   2 .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright 2013 Joyent, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH ZONECFG 1M "Jun 6, 2016"
   8 .SH NAME
   9 zonecfg \- set up zone configuration
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fBzonecfg\fR \fB-z\fR \fIzonename\fR
  14 .fi
  15 
  16 .LP
  17 .nf
  18 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fIsubcommand\fR
  19 .fi
  20 
  21 .LP
  22 .nf
  23 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fB-f\fR \fIcommand_file\fR
  24 .fi
  25 
  26 .LP
  27 .nf
  28 \fBzonecfg\fR help
  29 .fi
  30 
  31 .SH DESCRIPTION

  32 .LP
  33 The \fBzonecfg\fR utility creates and modifies the configuration of a zone.
  34 Zone configuration consists of a number of resources and properties.
  35 .sp
  36 .LP
  37 To simplify the user interface, \fBzonecfg\fR uses the concept of a scope. The
  38 default scope is global.
  39 .sp
  40 .LP
  41 The following synopsis of the \fBzonecfg\fR command is for interactive usage:
  42 .sp
  43 .in +2
  44 .nf
  45 zonecfg \fB-z\fR \fIzonename subcommand\fR
  46 .fi
  47 .in -2
  48 .sp
  49 
  50 .sp
  51 .LP


  54 .sp
  55 .LP
  56 In addition to creating and modifying a zone, the \fBzonecfg\fR utility can
  57 also be used to persistently specify the resource management settings for the
  58 global zone.
  59 .sp
  60 .LP
  61 In the following text, "rctl" is used as an abbreviation for "resource
  62 control". See \fBresource_controls\fR(5).
  63 .sp
  64 .LP
  65 Every zone is configured with an associated brand. The brand determines the
  66 user-level environment used within the zone, as well as various behaviors for
  67 the zone when it is installed, boots, or is shutdown. Once a zone has been
  68 installed the brand cannot be changed. The default brand is determined by the
  69 installed distribution in the global zone. Some brands do not support all of
  70 the \fBzonecfg\fR properties and resources. See the brand-specific man page for
  71 more details on each brand. For an overview of brands, see the \fBbrands\fR(5)
  72 man page.
  73 .SS "Resources"

  74 .LP
  75 The following resource types are supported:
  76 .sp
  77 .ne 2
  78 .na
  79 \fB\fBattr\fR\fR
  80 .ad
  81 .sp .6
  82 .RS 4n
  83 Generic attribute.
  84 .RE
  85 
  86 .sp
  87 .ne 2
  88 .na
  89 \fB\fBcapped-cpu\fR\fR
  90 .ad
  91 .sp .6
  92 .RS 4n
  93 Limits for CPU usage.


 146 .sp
 147 .ne 2
 148 .na
 149 \fB\fBnet\fR\fR
 150 .ad
 151 .sp .6
 152 .RS 4n
 153 Network interface.
 154 .RE
 155 
 156 .sp
 157 .ne 2
 158 .na
 159 \fB\fBrctl\fR\fR
 160 .ad
 161 .sp .6
 162 .RS 4n
 163 Resource control.
 164 .RE
 165 

 166 .sp
 167 .ne 2
 168 .na
 169 \fB\fBsecurity-flags\fR\fR
 170 .ad
 171 .sp .6
 172 .RS 4n
 173 Process security flag settings.
 174 .RE
 175 
 176 .SS "Properties"
 177 .LP
 178 Each resource type has one or more properties. There are also some global
 179 properties, that is, properties of the configuration as a whole, rather than of
 180 some particular resource.
 181 .sp
 182 .LP
 183 The following properties are supported:
 184 .sp
 185 .ne 2
 186 .na
 187 \fB(global)\fR
 188 .ad
 189 .sp .6
 190 .RS 4n
 191 \fBzonename\fR
 192 .RE
 193 
 194 .sp
 195 .ne 2
 196 .na


 415 .ne 2
 416 .na
 417 \fB\fBcapped-memory\fR\fR
 418 .ad
 419 .sp .6
 420 .RS 4n
 421 \fBphysical\fR, \fBswap\fR, \fBlocked\fR
 422 .RE
 423 
 424 .sp
 425 .ne 2
 426 .na
 427 \fB\fBcapped-cpu\fR\fR
 428 .ad
 429 .sp .6
 430 .RS 4n
 431 \fBncpus\fR
 432 .RE
 433 
 434 .sp
 435 .ne 2
 436 .na
 437 \fB\fBsecurity-flags\fB\fB
 438 .ad
 439 .sp .6
 440 .RS 4n
 441 \fBlower\fR, \fBdefault\fR, \fBupper\fR.
 442 .RE
 443 
 444 .sp
 445 .LP
 446 As for the property values which are paired with these names, they are either
 447 simple, complex, or lists. The type allowed is property-specific. Simple values
 448 are strings, optionally enclosed within quotation marks. Complex values have
 449 the syntax:
 450 .sp
 451 .in +2
 452 .nf
 453 (<\fIname\fR>=<\fIvalue\fR>,<\fIname\fR>=<\fIvalue\fR>,...)
 454 .fi
 455 .in -2
 456 .sp
 457 
 458 .sp
 459 .LP
 460 where each <\fIvalue\fR> is simple, and the <\fIname\fR> strings are unique
 461 within a given property. Lists have the syntax:
 462 .sp
 463 .in +2
 464 .nf
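Review bot: the new tag line at 437, `\fB\fBsecurity-flags\fB\fB`, closes with `\fB\fB` instead of `\fR\fR`, so the font is never switched back to roman on that line; every other entry in this list (for example `\fB\fBcapped-cpu\fR\fR` at 427) ends in `\fR\fR`. Suggest `\fB\fBsecurity-flags\fR\fR`. The property list at 441 also ends with a period (`\fBlower\fR, \fBdefault\fR, \fBupper\fR.`) while the capped-memory and capped-cpu lists just above it do not; drop it for consistency.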


 865 \fB\fBcapped-cpu\fR: ncpus\fR
 866 .ad
 867 .sp .6
 868 .RS 4n
 869 Sets a limit on the amount of CPU time that can be used by a zone. The unit
 870 used translates to the percentage of a single CPU that can be used by all user
 871 threads in a zone, expressed as a fraction (for example, \fB\&.75\fR) or a
 872 mixed number (whole number and fraction, for example, \fB1.25\fR). An
 873 \fBncpu\fR value of \fB1\fR means 100% of a CPU, a value of \fB1.25\fR means
 874 125%, \fB\&.75\fR mean 75%, and so forth. When projects within a capped zone
 875 have their own caps, the minimum value takes precedence.
 876 .sp
 877 The \fBcapped-cpu\fR property is an alias for \fBzone.cpu-cap\fR resource
 878 control and is related to the \fBzone.cpu-cap\fR resource control. See
 879 \fBresource_controls\fR(5).
 880 .RE
 881 
 882 .sp
 883 .ne 2
 884 .na
 885 \fB\fBsecurity-flags\fR: lower, default, upper\fR
 886 .ad
 887 .sp .6
 888 .RS 4n
 889 Set the process security flags associated with the zone.  The \fBlower\fR and
 890 \fBupper\fR fields set the limits, the \fBdefault\fR field is set of flags all
 891 zone processes inherit.
 892 .RE
 893 
 894 .sp
 895 .ne 2
 896 .na
 897 \fBglobal: \fBfs-allowed\fR\fR
 898 .ad
 899 .sp .6
 900 .RS 4n
 901 A comma-separated list of additional filesystems that may be mounted within
 902 the zone; for example "ufs,pcfs". By default, only hsfs(7fs) and network
 903 filesystems can be mounted. If the first entry in the list is "-" then
 904 that disables all of the default filesystems. If any filesystems are listed
 905 after "-" then only those filesystems can be mounted.
 906 
 907 This property does not apply to filesystems mounted into the zone via "add fs"
 908 or "add dataset".
 909 
 910 WARNING: allowing filesystem mounts other than the default may allow the zone
 911 administrator to compromise the system with a malicious filesystem image, and
 912 is not supported.
 913 .RE
 914 
 915 .sp
 916 .LP
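Review bot: the description at 889-891 reads "the \fBdefault\fR field is set of flags all zone processes inherit", which is missing an article and splices two clauses with a comma; suggest "The \fBlower\fR and \fBupper\fR fields set the limits; the \fBdefault\fR field is the set of flags that all zone processes inherit." The paragraph also does not say what a value looks like or where the flag names are documented. Since \fBsecurity-flags\fR(5) is added to SEE ALSO, a closing "See \fBsecurity-flags\fR(5)." here, in the way the capped-cpu entry above points at \fBresource_controls\fR(5), would give the reader somewhere to go.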


 940                    raw             simple
 941                    type            simple
 942                    options         list of simple
 943 net               address         simple
 944                    physical        simple
 945 device            match           simple
 946 rctl              name            simple
 947                    value           list of complex
 948 attr              name            simple
 949                    type            simple
 950                    value           simple
 951 dataset           name            simple
 952 dedicated-cpu     ncpus           simple or range
 953                    importance      simple
 954 
 955 capped-memory     physical        simple with scale
 956                    swap            simple with scale
 957                    locked          simple with scale
 958 
 959 capped-cpu        ncpus           simple
 960 security-flags    lower           simple
 961                    default        simple
 962                    upper          simple
 963 .fi
 964 .in -2
 965 .sp
 966 
 967 .sp
 968 .LP
 969 To further specify things, the breakdown of the complex property "value" of the
 970 "rctl" resource type, it consists of three name/value pairs, the names being
 971 "priv", "limit" and "action", each of which takes a simple value. The "name"
 972 property of an "attr" resource is syntactically restricted in a fashion similar
 973 but not identical to zone names: it must begin with an alphanumeric, and can
 974 contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot
 975 (\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for
 976 use by the system. Finally, the "autoboot" global property must have a value of
 977 "true" or "false".
 978 .SS "Using Kernel Statistics to Monitor CPU Caps"

 979 .LP
 980 Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system
 981 maintains information for all capped projects and zones. You can access this
 982 information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying
 983 \fBcaps\fR as the \fBkstat\fR module name. The following command displays
 984 kernel statistics for all active CPU caps:
 985 .sp
 986 .in +2
 987 .nf
 988 # \fBkstat caps::'/cpucaps/'\fR
 989 .fi
 990 .in -2
 991 .sp
 992 
 993 .sp
 994 .LP
 995 A \fBkstat\fR(1M) command running in a zone displays only CPU caps relevant for
 996 that zone and for projects in that zone. See \fBEXAMPLES\fR.
 997 .sp
 998 .LP
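Review bot: in the property-type table, the new rows at 961-962 are one column short: `default` and `upper` are followed by one space fewer than the layout needs, so their `simple` starts one column to the left of the `simple` on 960 and on the existing rows. Pad both to line up. The table also separates capped-memory from capped-cpu with a blank line (958) but runs security-flags directly after capped-cpu; consider a blank line before 960 to keep the grouping consistent.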


1111 .ad
1112 .sp .6
1113 .RS 4n
1114 The cap value, in terms of a percentage of a single CPU.
1115 .RE
1116 
1117 .sp
1118 .ne 2
1119 .na
1120 \fB\fBzonename\fR\fR
1121 .ad
1122 .sp .6
1123 .RS 4n
1124 Name of the zone for which statistics are displayed.
1125 .RE
1126 
1127 .sp
1128 .LP
1129 See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command.
1130 .SH OPTIONS

1131 .LP
1132 The following options are supported:
1133 .sp
1134 .ne 2
1135 .na
1136 \fB\fB-f\fR \fIcommand_file\fR\fR
1137 .ad
1138 .sp .6
1139 .RS 4n
1140 Specify the name of \fBzonecfg\fR command file. \fIcommand_file\fR is a text
1141 file of \fBzonecfg\fR subcommands, one per line.
1142 .RE
1143 
1144 .sp
1145 .ne 2
1146 .na
1147 \fB\fB-z\fR \fIzonename\fR\fR
1148 .ad
1149 .sp .6
1150 .RS 4n
1151 Specify the name of a zone. Zone names are case sensitive. Zone names must
1152 begin with an alphanumeric character and can contain alphanumeric characters,
1153 the underscore (\fB_\fR) the hyphen (\fB-\fR), and the dot (\fB\&.\fR). The
1154 name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and
1155 cannot be used.
1156 .RE
1157 
1158 .SH SUBCOMMANDS

1159 .LP
1160 You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific
1161 resource, at which point the scope changes to that resource. The \fBend\fR and
1162 \fBcancel\fR subcommands are used to complete the resource specification, at
1163 which time the scope is reverted back to global. Certain subcommands, such as
1164 \fBadd\fR, \fBremove\fR and \fBset\fR, have different semantics in each scope.
1165 .sp
1166 .LP
1167 \fBzonecfg\fR supports a semicolon-separated list of subcommands. For example:
1168 .sp
1169 .in +2
1170 .nf
1171 # \fBzonecfg -z myzone "add net; set physical=myvnic; end"\fR
1172 .fi
1173 .in -2
1174 .sp
1175 
1176 .sp
1177 .LP
1178 Subcommands which can result in destructive actions or loss of work have an


1815 
1816 .LP
1817 \fBExample 11 \fRDisplaying CPU Caps for a Specific Zone or Project
1818 .sp
1819 .LP
1820 Using the \fBkstat\fR \fB-c\fR and \fB-i\fR options, you can display CPU caps
1821 for a specific zone or project, as below. The first command produces a display
1822 for a specific project, the second for the same project within zone 1.
1823 
1824 .sp
1825 .in +2
1826 .nf
1827 # \fBkstat -c project_caps\fR
1828 
1829 # \fBkstat -c project_caps -i 1\fR
1830 .fi
1831 .in -2
1832 .sp
1833 
1834 .SH EXIT STATUS

1835 .LP
1836 The following exit values are returned:
1837 .sp
1838 .ne 2
1839 .na
1840 \fB\fB0\fR\fR
1841 .ad
1842 .sp .6
1843 .RS 4n
1844 Successful completion.
1845 .RE
1846 
1847 .sp
1848 .ne 2
1849 .na
1850 \fB\fB1\fR\fR
1851 .ad
1852 .sp .6
1853 .RS 4n
1854 An error occurred.
1855 .RE
1856 
1857 .sp
1858 .ne 2
1859 .na
1860 \fB\fB2\fR\fR
1861 .ad
1862 .sp .6
1863 .RS 4n
1864 Invalid usage.
1865 .RE
1866 
1867 .SH ATTRIBUTES

1868 .LP
1869 See \fBattributes\fR(5) for descriptions of the following attributes:
1870 .sp
1871 
1872 .sp
1873 .TS
1874 box;
1875 c | c
1876 l | l .
1877 ATTRIBUTE TYPE  ATTRIBUTE VALUE
1878 _
1879 Interface Stability     Volatile
1880 .TE
1881 
1882 .SH SEE ALSO

1883 .LP
1884 \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M),
1885 \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M),
1886 \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M),
1887 \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C),
1888 \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5),
1889 \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5),
1890 \fBsecurity-flags\fR(5), \fBzones\fR(5)
1891 .sp
1892 .LP
1893 \fISystem Administration Guide: Solaris Containers-Resource Management, and
1894 Solaris Zones\fR
1895 .SH NOTES

1896 .LP
1897 All character data used by \fBzonecfg\fR must be in US-ASCII encoding.