ZONECFG(1M)                  Maintenance Commands                  ZONECFG(1M)

NAME
       zonecfg - set up zone configuration

SYNOPSIS
       zonecfg -z zonename
       zonecfg -z zonename subcommand
       zonecfg -z zonename -f command_file
       zonecfg help

DESCRIPTION
       The zonecfg utility creates and modifies the configuration of a zone.
       Zone configuration consists of a number of resources and properties.

       To simplify the user interface, zonecfg uses the concept of a scope.
       The default scope is global.

       The following synopsis of the zonecfg command is for interactive
       usage:

           zonecfg -z zonename subcommand

       Parameters changed through zonecfg do not affect a running zone. The
       zone must be rebooted for the changes to take effect.

       In addition to creating and modifying a zone, the zonecfg utility can
       also be used to persistently specify the resource management settings
       for the global zone.

       In the following text, "rctl" is used as an abbreviation for
       "resource control". See resource_controls(5).

       Every zone is configured with an associated brand. The brand
       determines the user-level environment used within the zone, as well
       as various behaviors for the zone when it is installed, boots, or is
       shut down. Once a zone has been installed the brand cannot be changed.
       The default brand is determined by the installed distribution in the
       global zone. Some brands do not support all of the zonecfg properties
       and resources. See the brand-specific man page for more details on
       each brand. For an overview of brands, see the brands(5) man page.

   Resources
       The following resource types are supported:

       attr
           Generic attribute.

       capped-cpu
           Limits for CPU usage.

       capped-memory
           Limits for physical, swap, and locked memory.

       dataset
           ZFS dataset.

       dedicated-cpu
           Subset of the system's processors dedicated to this zone while it
           is running.

       device
           Device.

       fs
           File system.

       net
           Network interface.

       rctl
           Resource control.

       security-flags
           Process security flag settings.

   Properties
       Each resource type has one or more properties. There are also some
       global properties, that is, properties of the configuration as a
       whole, rather than of some particular resource.

       The following properties are supported:

       (global)            zonename
       (global)            zonepath
       (global)            autoboot
       (global)            bootargs
       (global)            pool
       (global)            limitpriv
       (global)            brand
       (global)            cpu-shares
       (global)            hostid
       (global)            max-lwps
       (global)            max-msg-ids
       (global)            max-sem-ids
       (global)            max-shm-ids
       (global)            max-shm-memory
       (global)            scheduling-class
       (global)            fs-allowed
       fs                  dir, special, raw, type, options
       net                 address, physical, defrouter
       device              match
       rctl                name, value
       attr                name, type, value
       dataset             name
       dedicated-cpu       ncpus, importance
       capped-memory       physical, swap, locked
       capped-cpu          ncpus
       security-flags      lower, default, upper

       As for the property values which are paired with these names, they
       are either simple, complex, or lists. The type allowed is
       property-specific. Simple values are strings, optionally enclosed
       within quotation marks. Complex values have the syntax:

           (<name>=<value>,<name>=<value>,...)

       where each <value> is simple, and the <name> strings are unique
       within a given property. Lists have the syntax:

           [<value>,...]

       where each <value> is either simple or complex. A list of a single
       value (either simple or complex) is equivalent to specifying that
       value without the list syntax. That is, "foo" is equivalent to
       "[foo]". A list can be empty (denoted by "[]").

       In interpreting property values, zonecfg accepts regular expressions
       as specified in fnmatch(5). See EXAMPLES.

       The property types are described as follows:

       global: zonename
           The name of the zone.

       global: zonepath
           Path to zone's file system.

       global: autoboot
           Boolean indicating that a zone should be booted automatically at
           system boot. Note that if the zones service is disabled, the zone
           will not autoboot, regardless of the setting of this property.
           You enable the zones service with a svcadm command, such as:

               # svcadm enable svc:/system/zones:default

           Replace enable with disable to disable the zones service. See
           svcadm(1M).

       global: bootargs
           Arguments (options) to be passed to the zone bootup, unless
           options are supplied to the "zoneadm boot" command, in which case
           those take precedence. The valid arguments are described in
           zoneadm(1M).

       global: pool
           Name of the resource pool that this zone must be bound to when
           booted. This property is incompatible with the dedicated-cpu
           resource.

       global: limitpriv
           The maximum set of privileges any process in this zone can
           obtain. The property should consist of a comma-separated
           privilege set specification as described in priv_str_to_set(3C).
           Privileges can be excluded from the resulting set by preceding
           their names with a dash (-) or an exclamation point (!). The
           special privilege string "zone" is not supported in this context.
           If the special string "default" occurs as the first token in the
           property, it expands into a safe set of privileges that preserve
           the resource and security isolation described in zones(5). A
           missing or empty property is equivalent to this same set of safe
           privileges.

           The system administrator must take extreme care when configuring
           privileges for a zone. Some privileges cannot be excluded through
           this mechanism as they are required in order to boot a zone. In
           addition, there are certain privileges which cannot be given to a
           zone as doing so would allow processes inside a zone to unduly
           affect processes in other zones. zoneadm(1M) indicates when an
           invalid privilege has been added or removed from a zone's
           privilege set when an attempt is made to either "boot" or "ready"
           the zone.

           See privileges(5) for a description of privileges. The command
           "ppriv -l" (see ppriv(1)) produces a list of all Solaris
           privileges. You can specify privileges as they are displayed by
           ppriv. In privileges(5), privileges are listed in the form
           PRIV_privilege_name. For example, the privilege sys_time, as you
           would specify it in this property, is listed in privileges(5) as
           PRIV_SYS_TIME.

       global: brand
           The zone's brand type.

       global: ip-type
           A zone can either share the IP instance with the global zone,
           which is the default, or have its own exclusive instance of IP.

           This property takes the values shared and exclusive.

       global: hostid
           A zone can emulate a 32-bit host identifier to ease system
           consolidation. A zone's hostid property is empty by default,
           meaning that the zone does not emulate a host identifier. Zone
           host identifiers must be hexadecimal values between 0 and
           FFFFFFFE. A 0x or 0X prefix is optional. Both uppercase and
           lowercase hexadecimal digits are acceptable.

       fs: dir, special, raw, type, options
           Values needed to determine how, where, and so forth to mount file
           systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).

       net: address, physical, defrouter
           The network address and physical interface name of the network
           interface. The network address is one of:

               o   a valid IPv4 address, optionally followed by "/" and a
                   prefix length;

               o   a valid IPv6 address, which must be followed by "/" and a
                   prefix length;

               o   a host name which resolves to an IPv4 address.

           Note that host names that resolve to IPv6 addresses are not
           supported.

           The physical interface name is the network interface name.

           The default router is specified similarly to the network address
           except that it must not be followed by a / (slash) and a network
           prefix length.

           A zone can be configured to be either exclusive-IP or shared-IP.
           For a shared-IP zone, you must set both the physical and address
           properties; setting the default router is optional. The interface
           specified in the physical property must be plumbed in the global
           zone prior to booting the non-global zone. However, if the
           interface is not used by the global zone, it should be configured
           down in the global zone, and the default router for the interface
           should be specified here.

           For an exclusive-IP zone, the physical property must be set and
           the address and default router properties cannot be set.

       device: match
           Device name to match.

       rctl: name, value
           The name and priv/limit/action triple of a resource control. See
           prctl(1) and rctladm(1M). The preferred way to set rctl values is
           to use the global property name associated with a specific rctl.

       attr: name, type, value
           The name, type and value of a generic attribute. The type must be
           one of int, uint, boolean or string, and the value must be of
           that type. uint means unsigned, that is, a non-negative integer.

       dataset: name
           The name of a ZFS dataset to be accessed from within the zone.
           See zfs(1M).

       global: cpu-shares
           The number of Fair Share Scheduler (FSS) shares to allocate to
           this zone. This property is incompatible with the dedicated-cpu
           resource. This property is the preferred way to set the
           zone.cpu-shares rctl.

       global: max-lwps
           The maximum number of LWPs simultaneously available to this zone.
           This property is the preferred way to set the zone.max-lwps rctl.

       global: max-msg-ids
           The maximum number of message queue IDs allowed for this zone.
           This property is the preferred way to set the zone.max-msg-ids
           rctl.

       global: max-sem-ids
           The maximum number of semaphore IDs allowed for this zone. This
           property is the preferred way to set the zone.max-sem-ids rctl.

       global: max-shm-ids
           The maximum number of shared memory IDs allowed for this zone.
           This property is the preferred way to set the zone.max-shm-ids
           rctl.

       global: max-shm-memory
           The maximum amount of shared memory allowed for this zone. This
           property is the preferred way to set the zone.max-shm-memory
           rctl. A scale (K, M, G, T) can be applied to the value for this
           number (for example, 1M is one megabyte).

       global: scheduling-class
           Specifies the scheduling class used for processes running in a
           zone. When this property is not specified, the scheduling class
           is established as follows:

               o   If the cpu-shares property or equivalent rctl is set, the
                   scheduling class FSS is used.

               o   If neither cpu-shares nor the equivalent rctl is set and
                   the zone's pool property references a pool that has a
                   default scheduling class, that class is used.

               o   Under any other conditions, the system default scheduling
                   class is used.

       dedicated-cpu: ncpus, importance
           The number of CPUs that should be assigned for this zone's
           exclusive use. The zone will create a pool and processor set when
           it boots. See pooladm(1M) and poolcfg(1M) for more information on
           resource pools. The ncpus property can specify a single value or
           a range (for example, 1-4) of processors. The importance property
           is optional; if set, it will specify the pset.importance value
           for use by poold(1M). If this resource is used, there must be
           enough free processors to allocate to this zone when it boots or
           the zone will not boot. The processors assigned to this zone will
           not be available for the use of the global zone or other zones.
           This resource is incompatible with both the pool and cpu-shares
           properties. Only a single instance of this resource can be added
           to the zone.

       capped-memory: physical, swap, locked
           The caps on the memory that can be used by this zone. A scale (K,
           M, G, T) can be applied to the value for each of these numbers
           (for example, 1M is one megabyte). Each of these properties is
           optional but at least one property must be set when adding this
           resource. Only a single instance of this resource can be added to
           the zone. The physical property sets the max-rss for this zone.
           This will be enforced by rcapd(1M) running in the global zone.
           The swap property is the preferred way to set the zone.max-swap
           rctl. The locked property is the preferred way to set the
           zone.max-locked-memory rctl.

       capped-cpu: ncpus
           Sets a limit on the amount of CPU time that can be used by a
           zone. The unit used translates to the percentage of a single CPU
           that can be used by all user threads in a zone, expressed as a
           fraction (for example, .75) or a mixed number (whole number and
           fraction, for example, 1.25).
           An ncpus value of 1 means 100% of a CPU, a value of 1.25 means
           125%, .75 means 75%, and so forth. When projects within a capped
           zone have their own caps, the minimum value takes precedence.

           The capped-cpu property is an alias for the zone.cpu-cap resource
           control. See resource_controls(5).

       security-flags: lower, default, upper
           Set the process security flags associated with the zone. The
           lower and upper fields set the limits; the default field is the
           set of flags all zone processes inherit.

       global: fs-allowed
           A comma-separated list of additional filesystems that may be
           mounted within the zone; for example "ufs,pcfs". By default, only
           hsfs(7fs) and network filesystems can be mounted. If the first
           entry in the list is "-" then that disables all of the default
           filesystems. If any filesystems are listed after "-" then only
           those filesystems can be mounted.

           This property does not apply to filesystems mounted into the zone
           via "add fs" or "add dataset".

           WARNING: allowing filesystem mounts other than the default may
           allow the zone administrator to compromise the system with a
           malicious filesystem image, and is not supported.
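
       The limitpriv and fs-allowed rules described above can be checked
       mechanically against a saved configuration. The following is an added
       example, not part of the original manual page: the function names and
       the sample configuration are constructed, and the input is assumed to
       be in the command-file form that the export subcommand prints.

```shell
#!/bin/sh
# Added example: flag the zone settings that widen a zone beyond its
# defaults, reading a configuration in "zonecfg export" form on stdin.
#
#   limitpriv   - "default" as first token is the safe set; names prefixed
#                 with "-" or "!" are removals; anything else is an addition.
#                 A non-empty value that does not start with "default" is an
#                 explicit set and is reported whole.
#   fs-allowed  - every type other than "-" and hsfs is an extra filesystem
#                 the zone administrator may mount.
audit_zone_export() {
    awk '
    # Strip one pair of optional surrounding double quotes.
    function unquote(s) { gsub(/^"|"$/, "", s); return s }

    /^set limitpriv=/ {
        v = unquote(substr($0, index($0, "=") + 1))
        n = split(v, tok, ",")
        if (n == 0) next            # empty value: same as the safe set
        if (tok[1] != "default") {
            print "limitpriv: explicit set not based on default: " v
            next
        }
        for (i = 2; i <= n; i++)
            if (tok[i] != "" && tok[i] !~ /^[-!]/)
                print "limitpriv: adds privilege " tok[i]
        next
    }

    /^set fs-allowed=/ {
        v = unquote(substr($0, index($0, "=") + 1))
        n = split(v, tok, ",")
        for (i = 1; i <= n; i++)
            if (tok[i] != "" && tok[i] != "-" && tok[i] != "hsfs")
                print "fs-allowed: permits mounting " tok[i]
    }
    '
}

# Constructed sample configuration (not taken from a real system).
sample_export() {
    cat <<'EOF'
create -b
set zonepath=/export/zones/myzone
set autoboot=true
set limitpriv=default,sys_time,-proc_info
set fs-allowed=ufs,pcfs
add fs
set dir=/usr/local
set special=/opt/local
set type=lofs
add options [ro,nodevices]
end
EOF
}

# Stand-alone run: audit the constructed sample. On a live system the
# input would instead come from:  zonecfg -z myzone export
sample_export | audit_zone_export
```

       Each reported line is a setting to review against the zone's intended
       role; a zone left at its defaults produces no output.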

       The following table summarizes resources, property-names, and types:

       resource          property-name     type
       (global)          zonename          simple
       (global)          zonepath          simple
       (global)          autoboot          simple
       (global)          bootargs          simple
       (global)          pool              simple
       (global)          limitpriv         simple
       (global)          brand             simple
       (global)          ip-type           simple
       (global)          hostid            simple
       (global)          cpu-shares        simple
       (global)          max-lwps          simple
       (global)          max-msg-ids       simple
       (global)          max-sem-ids       simple
       (global)          max-shm-ids       simple
       (global)          max-shm-memory    simple
       (global)          scheduling-class  simple
       fs                dir               simple
                         special           simple
                         raw               simple
                         type              simple
                         options           list of simple
       net               address           simple
                         physical          simple
       device            match             simple
       rctl              name              simple
                         value             list of complex
       attr              name              simple
                         type              simple
                         value             simple
       dataset           name              simple
       dedicated-cpu     ncpus             simple or range
                         importance        simple
       capped-memory     physical          simple with scale
                         swap              simple with scale
                         locked            simple with scale
       capped-cpu        ncpus             simple
       security-flags    lower             simple
                         default           simple
                         upper             simple

       To further specify things, the breakdown of the complex property
       "value" of the "rctl" resource type, it consists of three name/value
       pairs, the names being "priv", "limit" and "action", each of which
       takes a simple value. The "name" property of an "attr" resource is
       syntactically restricted in a fashion similar but not identical to
       zone names: it must begin with an alphanumeric, and can contain
       alphanumerics plus the hyphen (-), underscore (_), and dot (.)
       characters. Attribute names beginning with "zone" are reserved for
       use by the system. Finally, the "autoboot" global property must have
       a value of "true" or "false".

   Using Kernel Statistics to Monitor CPU Caps
       Using the kernel statistics (kstat(3KSTAT)) module caps, the system
       maintains information for all capped projects and zones. You can
       access this information by reading kernel statistics
       (kstat(3KSTAT)), specifying caps as the kstat module name.
       The following command displays kernel statistics for all active CPU
       caps:

           # kstat caps::'/cpucaps/'

       A kstat(1M) command running in a zone displays only CPU caps relevant
       for that zone and for projects in that zone. See EXAMPLES.

       The following are cap-related arguments for use with kstat(1M):

       caps
           The kstat module.

       project_caps or zone_caps
           kstat class, for use with the kstat -c option.

       cpucaps_project_id or cpucaps_zone_id
           kstat name, for use with the kstat -n option. id is the project
           or zone identifier.

       The following fields are displayed in response to a kstat(1M) command
       requesting statistics for all CPU caps.

       module
           In this usage of kstat, this field will have the value caps.

       name
           As described above, cpucaps_project_id or cpucaps_zone_id

       above_sec
           Total time, in seconds, spent above the cap.

       below_sec
           Total time, in seconds, spent below the cap.

       maxusage
           Maximum observed CPU usage.

       nwait
           Number of threads on cap wait queue.

       usage
           Current aggregated CPU usage for all threads belonging to a
           capped project or zone, in terms of a percentage of a single CPU.

       value
           The cap value, in terms of a percentage of a single CPU.

       zonename
           Name of the zone for which statistics are displayed.

       See EXAMPLES for sample output from a kstat command.

OPTIONS
       The following options are supported:

       -f command_file
           Specify the name of zonecfg command file. command_file is a text
           file of zonecfg subcommands, one per line.

       -z zonename
           Specify the name of a zone. Zone names are case sensitive. Zone
           names must begin with an alphanumeric character and can contain
           alphanumeric characters, the underscore (_), the hyphen (-), and
           the dot (.).
           The name global and all names beginning with SUNW are reserved
           and cannot be used.

SUBCOMMANDS
       You can use the add and select subcommands to select a specific
       resource, at which point the scope changes to that resource. The end
       and cancel subcommands are used to complete the resource
       specification, at which time the scope is reverted back to global.
       Certain subcommands, such as add, remove and set, have different
       semantics in each scope.

       zonecfg supports a semicolon-separated list of subcommands. For
       example:

           # zonecfg -z myzone "add net; set physical=myvnic; end"

       Subcommands which can result in destructive actions or loss of work
       have an -F option to force the action. If input is from a terminal
       device, the user is prompted when appropriate if such a command is
       given without the -F option; otherwise, if such a command is given
       without the -F option, the action is disallowed, with a diagnostic
       message written to standard error.

       The following subcommands are supported:

       add resource-type (global scope)
       add property-name property-value (resource scope)
           In the global scope, begin the specification for a given resource
           type. The scope is changed to that resource type.

           In the resource scope, add a property of the given name with the
           given value. The syntax for property values varies with different
           property types. In general, it is a simple value or a list of
           simple values enclosed in square brackets, separated by commas
           ([foo,bar,baz]). See PROPERTIES.

       cancel
           End the resource specification and reset scope to global.
           Abandons any partially specified resources. cancel is only
           applicable in the resource scope.

       clear property-name
           Clear the value for the property.

       commit
           Commit the current configuration from memory to stable storage.
           The configuration must be committed to be used by zoneadm. Until
           the in-memory configuration is committed, you can remove changes
           with the revert subcommand. The commit operation is attempted
           automatically upon completion of a zonecfg session. Since a
           configuration must be correct to be committed, this operation
           automatically does a verify.

       create [-F] [ -a path | -b | -t template]
           Create an in-memory configuration for the specified zone. Use
           create to begin to configure a new zone. See commit for saving
           this to stable storage.

           If you are overwriting an existing configuration, specify the -F
           option to force the action. Specify the -t template option to
           create a configuration identical to template, where template is
           the name of a configured zone.

           Use the -a path option to facilitate configuring a detached zone
           on a new host. The path parameter is the zonepath location of a
           detached zone that has been moved on to this new host. Once the
           detached zone is configured, it should be installed using the
           "zoneadm attach" command (see zoneadm(1M)). All validation of the
           new zone happens during the attach process, not during zone
           configuration.

           Use the -b option to create a blank configuration. Without
           arguments, create applies the Sun default settings.

       delete [-F]
           Delete the specified configuration from memory and stable
           storage. This action is instantaneous, no commit is necessary. A
           deleted configuration cannot be reverted.

           Specify the -F option to force the action.

       end
           End the resource specification. This subcommand is only
           applicable in the resource scope. zonecfg checks to make sure the
           current resource is completely specified. If so, it is added to
           the in-memory configuration (see commit for saving this to stable
           storage) and the scope reverts to global.
           If the specification is incomplete, it issues an appropriate
           error message.

       export [-f output-file]
           Print configuration to standard output. Use the -f option to
           print the configuration to output-file. This option produces
           output in a form suitable for use in a command file.

       help [usage] [subcommand] [syntax] [command-name]
           Print general help or help about given topic.

       info zonename | zonepath | autoboot | brand | pool | limitpriv
       info [resource-type [property-name=property-value]*]
           Display information about the current configuration. If
           resource-type is specified, displays only information about
           resources of the relevant type. If any property-name value pairs
           are specified, displays only information about resources meeting
           the given criteria. In the resource scope, any arguments are
           ignored, and info displays information about the resource which
           is currently being added or modified.

       remove resource-type{property-name=property-value}(global scope)
           In the global scope, removes the specified resource. The []
           syntax means 0 or more of whatever is inside the square braces.
           If you want only to remove a single instance of the resource, you
           must specify enough property name-value pairs for the resource to
           be uniquely identified. If no property name-value pairs are
           specified, all instances will be removed. If more than one pair
           is specified, a confirmation is required, unless you use the -F
           option.

       select resource-type {property-name=property-value}
           Select the resource of the given type which matches the given
           property-name property-value pair criteria, for modification.
           This subcommand is applicable only in the global scope.
           The scope is changed to that resource type. The {} syntax means 1
           or more of whatever is inside the curly braces. You must specify
           enough property-name property-value pairs for the resource to be
           uniquely identified.

       set property-name=property-value
           Set a given property name to the given value. Some properties
           (for example, zonename and zonepath) are global while others are
           resource-specific. This subcommand is applicable in both the
           global and resource scopes.

       verify
           Verify the current configuration for correctness:

               o   All resources have all of their required properties
                   specified.

               o   A zonepath is specified.

       revert [-F]
           Revert the configuration back to the last committed state. The -F
           option can be used to force the action.

       exit [-F]
           Exit the zonecfg session. A commit is automatically attempted if
           needed. You can also use an EOF character to exit zonecfg. The -F
           option can be used to force the action.

EXAMPLES
   Example 1 Creating the Environment for a New Zone
       In the following example, zonecfg creates the environment for a new
       zone. /usr/local is loopback mounted from the global zone into
       /opt/local. /opt/sfw is loopback mounted from the global zone, three
       logical network interfaces are added, and a limit on the number of
       fair-share scheduler (FSS) CPU shares for a zone is set using the
       rctl resource type. The example also shows how to select a given
       resource for modification.

           example# zonecfg -z myzone3
           myzone3: No such zone configured
           Use 'create' to begin configuring a new zone.
           zonecfg:myzone3> create
           zonecfg:myzone3> set zonepath=/export/home/my-zone3
           zonecfg:myzone3> set autoboot=true
           zonecfg:myzone3> add fs
           zonecfg:myzone3:fs> set dir=/usr/local
           zonecfg:myzone3:fs> set special=/opt/local
           zonecfg:myzone3:fs> set type=lofs
           zonecfg:myzone3:fs> add options [ro,nodevices]
           zonecfg:myzone3:fs> end
           zonecfg:myzone3> add fs
           zonecfg:myzone3:fs> set dir=/mnt
           zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
           zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
           zonecfg:myzone3:fs> set type=ufs
           zonecfg:myzone3:fs> end
           zonecfg:myzone3> add net
           zonecfg:myzone3:net> set address=192.168.0.1/24
           zonecfg:myzone3:net> set physical=eri0
           zonecfg:myzone3:net> end
           zonecfg:myzone3> add net
           zonecfg:myzone3:net> set address=192.168.1.2/24
           zonecfg:myzone3:net> set physical=eri0
           zonecfg:myzone3:net> end
           zonecfg:myzone3> add net
           zonecfg:myzone3:net> set address=192.168.2.3/24
           zonecfg:myzone3:net> set physical=eri0
           zonecfg:myzone3:net> end
           zonecfg:myzone3> set cpu-shares=5
           zonecfg:myzone3> add capped-memory
           zonecfg:myzone3:capped-memory> set physical=50m
           zonecfg:myzone3:capped-memory> set swap=100m
           zonecfg:myzone3:capped-memory> end
           zonecfg:myzone3> exit

   Example 2 Creating a Non-Native Zone
       The following example creates a new Linux zone:

           example# zonecfg -z lxzone
           lxzone: No such zone configured
           Use 'create' to begin configuring a new zone
           zonecfg:lxzone> create -t SUNWlx
           zonecfg:lxzone> set zonepath=/export/zones/lxzone
           zonecfg:lxzone> set autoboot=true
           zonecfg:lxzone> exit

   Example 3 Creating an Exclusive-IP Zone
       The following example creates a zone that is granted exclusive access
       to bge1 and bge33000 and that is isolated at the IP layer from the
       other zones configured on the system.

       The IP addresses and routing are configured inside the new zone using
       sysidtool(1M).

           example# zonecfg -z excl
           excl: No such zone configured
           Use 'create' to begin configuring a new zone
           zonecfg:excl> create
           zonecfg:excl> set zonepath=/export/zones/excl
           zonecfg:excl> set ip-type=exclusive
           zonecfg:excl> add net
           zonecfg:excl:net> set physical=bge1
           zonecfg:excl:net> end
           zonecfg:excl> add net
           zonecfg:excl:net> set physical=bge33000
           zonecfg:excl:net> end
           zonecfg:excl> exit

   Example 4 Associating a Zone with a Resource Pool
       The following example shows how to associate an existing zone with an
       existing resource pool:

           example# zonecfg -z myzone
           zonecfg:myzone> set pool=mypool
           zonecfg:myzone> exit

       For more information about resource pools, see pooladm(1M) and
       poolcfg(1M).

   Example 5 Changing the Name of a Zone
       The following example shows how to change the name of an existing
       zone:

           example# zonecfg -z myzone
           zonecfg:myzone> set zonename=myzone2
           zonecfg:myzone2> exit

   Example 6 Changing the Privilege Set of a Zone
       The following example shows how to change the set of privileges an
       existing zone's processes will be limited to the next time the zone
       is booted.
       In this particular case, the privilege set will be the standard safe
       set of privileges a zone normally has along with the privilege to
       change the system date and time:

           example# zonecfg -z myzone
           zonecfg:myzone> set limitpriv="default,sys_time"
           zonecfg:myzone> exit

   Example 7 Setting the zone.cpu-shares Property for the Global Zone
       The following command sets the zone.cpu-shares property for the
       global zone:

           example# zonecfg -z global
           zonecfg:global> set cpu-shares=5
           zonecfg:global> exit

   Example 8 Using Pattern Matching
       The following commands illustrate zonecfg support for pattern
       matching. In the zone flexlm, enter:

           zonecfg:flexlm> add device
           zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
           zonecfg:flexlm:device> end

       In the global zone, enter:

           global# ls /dev/cua
           a  a000  a001  a002  a003  a004  a005  a006  a007  b

       In the zone flexlm, enter:

           flexlm# ls /dev/cua
           a002  a003  a004  a005

   Example 9 Setting a Cap for a Zone to Three CPUs
       The following sequence uses the zonecfg command to set the CPU cap
       for a zone to three CPUs.

           zonecfg:myzone> add capped-cpu
           zonecfg:myzone:capped-cpu> set ncpus=3
           zonecfg:myzone:capped-cpu> end

       The preceding sequence, which uses the capped-cpu property, is
       equivalent to the following sequence, which makes use of the
       zone.cpu-cap resource control.

           zonecfg:myzone> add rctl
           zonecfg:myzone:rctl> set name=zone.cpu-cap
           zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
           zonecfg:myzone:rctl> end

   Example 10 Using kstat to Monitor CPU Caps
       The following command displays information about all CPU caps.

           # kstat -n /cpucaps/
           module: caps                         instance: 0
           name:   cpucaps_project_0            class:    project_caps
                   above_sec                    0
                   below_sec                    2157
                   crtime                       821.048183159
                   maxusage                     2
                   nwait                        0
                   snaptime                     235885.637253027
                   usage                        0
                   value                        18446743151372347932
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_project_1            class:    project_caps
                   above_sec                    0
                   below_sec                    0
                   crtime                       225339.192787265
                   maxusage                     5
                   nwait                        0
                   snaptime                     235885.637591677
                   usage                        5
                   value                        18446743151372347932
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_project_201          class:    project_caps
                   above_sec                    0
                   below_sec                    235105
                   crtime                       780.37961782
                   maxusage                     100
                   nwait                        0
                   snaptime                     235885.637789687
                   usage                        43
                   value                        100
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_project_202          class:    project_caps
                   above_sec                    0
                   below_sec                    235094
                   crtime                       791.72983782
                   maxusage                     100
                   nwait                        0
                   snaptime                     235885.637967512
                   usage                        48
                   value                        100
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_project_203          class:    project_caps
                   above_sec                    0
                   below_sec                    235034
                   crtime                       852.104401481
                   maxusage                     75
                   nwait                        0
                   snaptime                     235885.638144304
                   usage                        47
                   value                        100
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_project_86710        class:    project_caps
                   above_sec                    22
                   below_sec                    235166
                   crtime                       698.441717859
                   maxusage                     101
                   nwait                        0
                   snaptime                     235885.638319871
                   usage                        54
                   value                        100
                   zonename                     global

           module: caps                         instance: 0
           name:   cpucaps_zone_0               class:    zone_caps
                   above_sec                    100733
                   below_sec                    134332
                   crtime                       821.048177123
                   maxusage                     207
                   nwait                        2
                   snaptime                     235885.638497731
                   usage                        199
                   value                        200
                   zonename                     global

           module: caps                         instance: 1
           name:   cpucaps_project_0            class:    project_caps
                   above_sec                    0
                   below_sec                    0
                   crtime                       225360.256448422
                   maxusage                     7
                   nwait                        0
                   snaptime                     235885.638714404
                   usage                        7
                   value                        18446743151372347932
                   zonename                     test_001

           module: caps                         instance: 1
           name:   cpucaps_zone_1               class:    zone_caps
                   above_sec                    2
                   below_sec                    10524
                   crtime                       225360.256440278
                   maxusage                     106
                   nwait                        0
                   snaptime                     235885.638896443
                   usage                        7
                   value                        100
                   zonename                     test_001

   Example 11 Displaying CPU Caps for a Specific Zone or Project
       Using the kstat -c and -i
       options, you can display CPU caps for a specific zone or project, as
       below. The first command produces a display for a specific project,
       the second for the same project within zone 1.

           # kstat -c project_caps

           # kstat -c project_caps -i 1

EXIT STATUS
       The following exit values are returned:

       0
           Successful completion.

       1
           An error occurred.

       2
           Invalid usage.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Volatile        |
       +--------------------+-----------------+

SEE ALSO
       ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
       poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
       sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
       kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5),
       lx(5), privileges(5), resource_controls(5), security-flags(5),
       zones(5)

       System Administration Guide: Solaris Containers-Resource Management,
       and Solaris Zones

NOTES
       All character data used by zonecfg must be in US-ASCII encoding.

                                 June 6, 2016                      ZONECFG(1M)