Code review comments from jeffpc
--- old/usr/src/man/man1m/zonecfg.1m.man.txt
+++ new/usr/src/man/man1m/zonecfg.1m.man.txt
1 1 ZONECFG(1M) Maintenance Commands ZONECFG(1M)
2 2
3 3
4 4
5 5 NAME
6 6 zonecfg - set up zone configuration
7 7
8 8 SYNOPSIS
9 9 zonecfg -z zonename
10 10
11 11
12 12 zonecfg -z zonename subcommand
13 13
14 14
15 15 zonecfg -z zonename -f command_file
16 16
17 17
18 18 zonecfg help
19 19
20 20
21 21 DESCRIPTION
22 22 The zonecfg utility creates and modifies the configuration of a zone.
23 23 Zone configuration consists of a number of resources and properties.
24 24
25 25
26 26 To simplify the user interface, zonecfg uses the concept of a scope.
27 27 The default scope is global.
28 28
29 29
30 30 The following synopsis of the zonecfg command is for interactive usage:
31 31
32 32 zonecfg -z zonename subcommand
33 33
34 34
35 35
36 36
37 37 Parameters changed through zonecfg do not affect a running zone. The
38 38 zone must be rebooted for the changes to take effect.
39 39
40 40
41 41 In addition to creating and modifying a zone, the zonecfg utility can
42 42 also be used to persistently specify the resource management settings
43 43 for the global zone.
44 44
45 45
46 46 In the following text, "rctl" is used as an abbreviation for "resource
47 47 control". See resource_controls(5).
48 48
49 49
50 50 Every zone is configured with an associated brand. The brand determines
51 51 the user-level environment used within the zone, as well as various
52 52 behaviors for the zone when it is installed, boots, or is shutdown.
53 53 Once a zone has been installed the brand cannot be changed. The default
54 54 brand is determined by the installed distribution in the global zone.
55 55 Some brands do not support all of the zonecfg properties and resources.
56 56 See the brand-specific man page for more details on each brand. For an
57 57 overview of brands, see the brands(5) man page.
58 58
59 59 Resources
60 60 The following resource types are supported:
61 61
62 62 attr
63 63
64 64 Generic attribute.
65 65
66 66
67 67 capped-cpu
68 68
69 69 Limits for CPU usage.
70 70
71 71
72 72 capped-memory
73 73
74 74 Limits for physical, swap, and locked memory.
75 75
76 76
77 77 dataset
78 78
79 79 ZFS dataset.
80 80
81 81
82 82 dedicated-cpu
83 83
84 84 Subset of the system's processors dedicated to this zone while it
85 85 is running.
86 86
87 87
88 88 device
89 89
90 90 Device.
91 91
92 92
93 93 fs
94 94
95 95 file-system
96 96
97 97
98 98 net
99 99
100 100 Network interface.
101 101
102 102
103 103 rctl
104 104
105 105 Resource control.
106 106
107 107
108 108 security-flags
109 109
110 110 Process security flag settings.
111 111
112 112
113 113 Properties
114 114 Each resource type has one or more properties. There are also some
115 115 global properties, that is, properties of the configuration as a whole,
116 116 rather than of some particular resource.
117 117
118 118
119 119 The following properties are supported:
120 120
121 121 (global)
122 122
123 123 zonename
124 124
125 125
126 126 (global)
127 127
128 128 zonepath
129 129
130 130
131 131 (global)
132 132
133 133 autoboot
134 134
135 135
136 136 (global)
137 137
138 138 bootargs
139 139
140 140
141 141 (global)
142 142
143 143 pool
144 144
145 145
146 146 (global)
147 147
148 148 limitpriv
149 149
150 150
151 151 (global)
152 152
153 153 brand
154 154
155 155
156 156 (global)
157 157
158 158 cpu-shares
159 159
160 160
161 161 (global)
162 162
163 163 hostid
164 164
165 165
166 166 (global)
167 167
168 168 max-lwps
169 169
170 170
171 171 (global)
172 172
173 173 max-msg-ids
174 174
175 175
176 176 (global)
177 177
178 178 max-sem-ids
179 179
180 180
181 181 (global)
182 182
183 183 max-shm-ids
184 184
185 185
186 186 (global)
187 187
188 188 max-shm-memory
189 189
190 190
191 191 (global)
192 192
193 193 scheduling-class
194 194
195 195
196 196 (global)
197 197
198 198 fs-allowed
199 199
200 200
201 201 fs
202 202
203 203 dir, special, raw, type, options
204 204
205 205
206 206 net
207 207
208 208 address, physical, defrouter
209 209
210 210
211 211 device
212 212
213 213 match
214 214
215 215
216 216 rctl
217 217
218 218 name, value
219 219
220 220
221 221 attr
222 222
223 223 name, type, value
224 224
225 225
226 226 dataset
227 227
228 228 name
229 229
230 230
231 231 dedicated-cpu
232 232
233 233 ncpus, importance
234 234
235 235
236 236 capped-memory
237 237
238 238 physical, swap, locked
239 239
240 240
241 241 capped-cpu
242 242
243 243 ncpus
244 244
245 245
246 246 security-flags
247 247
248 248 lower, default, upper.
249 249
250 250
251 251
252 252 As for the property values which are paired with these names, they are
253 253 either simple, complex, or lists. The type allowed is property-
254 254 specific. Simple values are strings, optionally enclosed within
255 255 quotation marks. Complex values have the syntax:
256 256
257 257 (<name>=<value>,<name>=<value>,...)
258 258
259 259
260 260
261 261
262 262 where each <value> is simple, and the <name> strings are unique within
263 263 a given property. Lists have the syntax:
264 264
265 265 [<value>,...]
266 266
267 267
268 268
269 269
270 270 where each <value> is either simple or complex. A list of a single
271 271 value (either simple or complex) is equivalent to specifying that value
272 272 without the list syntax. That is, "foo" is equivalent to "[foo]". A
273 273 list can be empty (denoted by "[]").
274 274
275 275
276 276 In interpreting property values, zonecfg accepts regular expressions as
277 277 specified in fnmatch(5). See EXAMPLES.
278 278
279 279
280 280 The property types are described as follows:
281 281
282 282 global: zonename
283 283
284 284 The name of the zone.
285 285
286 286
287 287 global: zonepath
288 288
289 289 Path to zone's file system.
290 290
291 291
292 292 global: autoboot
293 293
294 294 Boolean indicating that a zone should be booted automatically at
295 295 system boot. Note that if the zones service is disabled, the zone
296 296 will not autoboot, regardless of the setting of this property. You
297 297 enable the zones service with a svcadm command, such as:
298 298
299 299 # svcadm enable svc:/system/zones:default
300 300
301 301
302 302 Replace enable with disable to disable the zones service. See
303 303 svcadm(1M).
304 304
305 305
306 306 global: bootargs
307 307
308 308 Arguments (options) to be passed to the zone bootup, unless options
309 309 are supplied to the "zoneadm boot" command, in which case those
310 310 take precedence. The valid arguments are described in zoneadm(1M).
311 311
312 312
313 313 global: pool
314 314
315 315 Name of the resource pool that this zone must be bound to when
316 316 booted. This property is incompatible with the dedicated-cpu
317 317 resource.
318 318
319 319
320 320 global: limitpriv
321 321
322 322 The maximum set of privileges any process in this zone can obtain.
323 323 The property should consist of a comma-separated privilege set
324 324 specification as described in priv_str_to_set(3C). Privileges can
325 325 be excluded from the resulting set by preceding their names with a
326 326 dash (-) or an exclamation point (!). The special privilege string
327 327 "zone" is not supported in this context. If the special string
328 328 "default" occurs as the first token in the property, it expands
329 329 into a safe set of privileges that preserve the resource and
330 330 security isolation described in zones(5). A missing or empty
331 331 property is equivalent to this same set of safe privileges.
332 332
333 333 The system administrator must take extreme care when configuring
334 334 privileges for a zone. Some privileges cannot be excluded through
335 335 this mechanism as they are required in order to boot a zone. In
336 336 addition, there are certain privileges which cannot be given to a
337 337 zone as doing so would allow processes inside a zone to unduly
338 338 affect processes in other zones. zoneadm(1M) indicates when an
339 339 invalid privilege has been added or removed from a zone's privilege
340 340 set when an attempt is made to either "boot" or "ready" the zone.
341 341
342 342 See privileges(5) for a description of privileges. The command
343 343 "ppriv -l" (see ppriv(1)) produces a list of all Solaris
344 344 privileges. You can specify privileges as they are displayed by
345 345 ppriv. In privileges(5), privileges are listed in the form
346 346 PRIV_privilege_name. For example, the privilege sys_time, as you
347 347 would specify it in this property, is listed in privileges(5) as
348 348 PRIV_SYS_TIME.
349 349
350 350
351 351 global: brand
352 352
353 353 The zone's brand type.
354 354
355 355
356 356 global: ip-type
357 357
358 358 A zone can either share the IP instance with the global zone, which
359 359 is the default, or have its own exclusive instance of IP.
360 360
361 361 This property takes the values shared and exclusive.
362 362
363 363
364 364 global: hostid
365 365
366 366 A zone can emulate a 32-bit host identifier to ease system
367 367 consolidation. A zone's hostid property is empty by default,
368 368 meaning that the zone does not emulate a host identifier. Zone host
369 369 identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
370 370 or 0X prefix is optional. Both uppercase and lowercase hexadecimal
371 371 digits are acceptable.
372 372
373 373
374 374 fs: dir, special, raw, type, options
375 375
376 376 Values needed to determine how, where, and so forth to mount file
377 377 systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).
378 378
379 379
380 380 net: address, physical, defrouter
381 381
382 382 The network address and physical interface name of the network
383 383 interface. The network address is one of:
384 384
385 385 o a valid IPv4 address, optionally followed by "/" and a
386 386 prefix length;
387 387
388 388 o a valid IPv6 address, which must be followed by "/" and
389 389 a prefix length;
390 390
391 391 o a host name which resolves to an IPv4 address.
392 392 Note that host names that resolve to IPv6 addresses are not
393 393 supported.
394 394
395 395 The physical interface name is the network interface name.
396 396
397 397 The default router is specified similarly to the network address
398 398 except that it must not be followed by a / (slash) and a network
399 399 prefix length.
400 400
401 401 A zone can be configured to be either exclusive-IP or shared-IP.
402 402 For a shared-IP zone, you must set both the physical and address
403 403 properties; setting the default router is optional. The interface
404 404 specified in the physical property must be plumbed in the global
405 405 zone prior to booting the non-global zone. However, if the
406 406 interface is not used by the global zone, it should be configured
407 407 down in the global zone, and the default router for the interface
408 408 should be specified here.
409 409
410 410 For an exclusive-IP zone, the physical property must be set and the
411 411 address and default router properties cannot be set.
412 412
413 413
414 414 device: match
415 415
416 416 Device name to match.
417 417
418 418
419 419 rctl: name, value
420 420
421 421 The name and priv/limit/action triple of a resource control. See
422 422 prctl(1) and rctladm(1M). The preferred way to set rctl values is
423 423 to use the global property name associated with a specific rctl.
424 424
425 425
426 426 attr: name, type, value
427 427
428 428 The name, type and value of a generic attribute. The type must be
429 429 one of int, uint, boolean or string, and the value must be of that
430 430 type. uint means unsigned , that is, a non-negative integer.
431 431
432 432
433 433 dataset: name
434 434
435 435 The name of a ZFS dataset to be accessed from within the zone. See
436 436 zfs(1M).
437 437
438 438
439 439 global: cpu-shares
440 440
441 441 The number of Fair Share Scheduler (FSS) shares to allocate to this
442 442 zone. This property is incompatible with the dedicated-cpu
443 443 resource. This property is the preferred way to set the zone.cpu-
444 444 shares rctl.
445 445
446 446
447 447 global: max-lwps
448 448
449 449 The maximum number of LWPs simultaneously available to this zone.
450 450 This property is the preferred way to set the zone.max-lwps rctl.
451 451
452 452
453 453 global: max-msg-ids
454 454
455 455 The maximum number of message queue IDs allowed for this zone. This
456 456 property is the preferred way to set the zone.max-msg-ids rctl.
457 457
458 458
459 459 global: max-sem-ids
460 460
461 461 The maximum number of semaphore IDs allowed for this zone. This
462 462 property is the preferred way to set the zone.max-sem-ids rctl.
463 463
464 464
465 465 global: max-shm-ids
466 466
467 467 The maximum number of shared memory IDs allowed for this zone. This
468 468 property is the preferred way to set the zone.max-shm-ids rctl.
469 469
470 470
471 471 global: max-shm-memory
472 472
473 473 The maximum amount of shared memory allowed for this zone. This
474 474 property is the preferred way to set the zone.max-shm-memory rctl.
475 475 A scale (K, M, G, T) can be applied to the value for this number
476 476 (for example, 1M is one megabyte).
477 477
478 478
479 479 global: scheduling-class
480 480
481 481 Specifies the scheduling class used for processes running in a
482 482 zone. When this property is not specified, the scheduling class is
483 483 established as follows:
484 484
485 485 o If the cpu-shares property or equivalent rctl is set,
486 486 the scheduling class FSS is used.
487 487
488 488 o If neither cpu-shares nor the equivalent rctl is set and
489 489 the zone's pool property references a pool that has a
490 490 default scheduling class, that class is used.
491 491
492 492 o Under any other conditions, the system default
493 493 scheduling class is used.
494 494
495 495
496 496
497 497
498 498 dedicated-cpu: ncpus, importance
499 499
500 500 The number of CPUs that should be assigned for this zone's
501 501 exclusive use. The zone will create a pool and processor set when
502 502 it boots. See pooladm(1M) and poolcfg(1M) for more information on
503 503 resource pools. The ncpu property can specify a single value or a
504 504 range (for example, 1-4) of processors. The importance property is
505 505 optional; if set, it will specify the pset.importance value for use
506 506 by poold(1M). If this resource is used, there must be enough free
507 507 processors to allocate to this zone when it boots or the zone will
508 508 not boot. The processors assigned to this zone will not be
509 509 available for the use of the global zone or other zones. This
510 510 resource is incompatible with both the pool and cpu-shares
511 511 properties. Only a single instance of this resource can be added to
512 512 the zone.
513 513
514 514
515 515 capped-memory: physical, swap, locked
516 516
517 517 The caps on the memory that can be used by this zone. A scale (K,
518 518 M, G, T) can be applied to the value for each of these numbers (for
519 519 example, 1M is one megabyte). Each of these properties is optional
520 520 but at least one property must be set when adding this resource.
521 521 Only a single instance of this resource can be added to the zone.
522 522 The physical property sets the max-rss for this zone. This will be
523 523 enforced by rcapd(1M) running in the global zone. The swap
524 524 property is the preferred way to set the zone.max-swap rctl. The
525 525 locked property is the preferred way to set the zone.max-locked-
526 526 memory rctl.
527 527
528 528
529 529 capped-cpu: ncpus
530 530
531 531 Sets a limit on the amount of CPU time that can be used by a zone.
532 532 The unit used translates to the percentage of a single CPU that can
533 533 be used by all user threads in a zone, expressed as a fraction (for
534 534 example, .75) or a mixed number (whole number and fraction, for
535 535 example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of
536 536 1.25 means 125%, .75 mean 75%, and so forth. When projects within a
537 537 capped zone have their own caps, the minimum value takes
538 538 precedence.
539 539
540 540 The capped-cpu property is an alias for zone.cpu-cap resource
541 541 control and is related to the zone.cpu-cap resource control. See
542 542 resource_controls(5).
543 543
544 544
545 545 security-flags: lower, default, upper
546 546
547 547 Set the process security flags associated with the zone. The lower
548 548 and upper fields set the limits, the default field is set of flags
549 549 all zone processes inherit.
550 550
551 551
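Review bot: The security-flags description at lines 547-549 never says what values the lower, default and upper properties accept or where the flag names are documented, so an administrator cannot tell from this page what to set. The limitpriv stanza handles the same problem by pointing at privileges(5) and "ppriv -l"; this stanza needs an equivalent cross-reference. In the same text, "the default field is set of flags all zone processes inherit" is missing an article ("is the set of flags"), and the property-list entry "lower, default, upper." at line 248 ends in a period that no other entry in that list has.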
552 552 global: fs-allowed
553 553
554 554 A comma-separated list of additional filesystems that may be
555 555 mounted within the zone; for example "ufs,pcfs". By default, only
556 556 hsfs(7fs) and network filesystems can be mounted. If the first
557 557 entry in the list is "-" then that disables all of the default
558 558 filesystems. If any filesystems are listed after "-" then only
559 559 those filesystems can be mounted.
560 560
561 561 This property does not apply to filesystems mounted into the zone
562 562 via "add fs" or "add dataset".
563 563
564 564 WARNING: allowing filesystem mounts other than the default may
565 565 allow the zone administrator to compromise the system with a
566 566 malicious filesystem image, and is not supported.
567 567
568 568
569 569
570 570 The following table summarizes resources, property-names, and types:
571 571
572 572 resource property-name type
573 573 (global) zonename simple
574 574 (global) zonepath simple
575 575 (global) autoboot simple
576 576 (global) bootargs simple
577 577 (global) pool simple
578 578 (global) limitpriv simple
579 579 (global) brand simple
580 580 (global) ip-type simple
581 581 (global) hostid simple
582 582 (global) cpu-shares simple
583 583 (global) max-lwps simple
584 584 (global) max-msg-ids simple
585 585 (global) max-sem-ids simple
586 586 (global) max-shm-ids simple
587 587 (global) max-shm-memory simple
588 588 (global) scheduling-class simple
589 589 fs dir simple
590 590 special simple
591 591 raw simple
592 592 type simple
593 593 options list of simple
594 594 net address simple
595 595 physical simple
596 596 device match simple
597 597 rctl name simple
598 598 value list of complex
599 599 attr name simple
600 600 type simple
601 601 value simple
602 602 dataset name simple
603 603 dedicated-cpu ncpus simple or range
604 604 importance simple
605 605
606 606 capped-memory physical simple with scale
607 607 swap simple with scale
608 608 locked simple with scale
609 609
610 610 capped-cpu ncpus simple
611 611 security-flags lower simple
612 612 default simple
613 613 upper simple
614 614
615 615
616 616
617 617
618 618 To further specify things, the breakdown of the complex property
619 619 "value" of the "rctl" resource type, it consists of three name/value
620 620 pairs, the names being "priv", "limit" and "action", each of which
621 621 takes a simple value. The "name" property of an "attr" resource is
622 622 syntactically restricted in a fashion similar but not identical to zone
623 623 names: it must begin with an alphanumeric, and can contain
624 624 alphanumerics plus the hyphen (-), underscore (_), and dot (.)
625 625 characters. Attribute names beginning with "zone" are reserved for use
626 626 by the system. Finally, the "autoboot" global property must have a
627 627 value of "true" or "false".
628 628
629 629 Using Kernel Statistics to Monitor CPU Caps
630 630 Using the kernel statistics (kstat(3KSTAT)) module caps, the system
631 631 maintains information for all capped projects and zones. You can access
632 632 this information by reading kernel statistics (kstat(3KSTAT)),
633 633 specifying caps as the kstat module name. The following command
634 634 displays kernel statistics for all active CPU caps:
635 635
636 636 # kstat caps::'/cpucaps/'
637 637
638 638
639 639
640 640
641 641 A kstat(1M) command running in a zone displays only CPU caps relevant
642 642 for that zone and for projects in that zone. See EXAMPLES.
643 643
644 644
645 645 The following are cap-related arguments for use with kstat(1M):
646 646
647 647 caps
648 648
649 649 The kstat module.
650 650
651 651
652 652 project_caps or zone_caps
653 653
654 654 kstat class, for use with the kstat -c option.
655 655
656 656
657 657 cpucaps_project_id or cpucaps_zone_id
658 658
659 659 kstat name, for use with the kstat -n option. id is the project or
660 660 zone identifier.
661 661
662 662
663 663
664 664 The following fields are displayed in response to a kstat(1M) command
665 665 requesting statistics for all CPU caps.
666 666
667 667 module
668 668
669 669 In this usage of kstat, this field will have the value caps.
670 670
671 671
672 672 name
673 673
674 674 As described above, cpucaps_project_id or cpucaps_zone_id
675 675
676 676
677 677 above_sec
678 678
679 679 Total time, in seconds, spent above the cap.
680 680
681 681
682 682 below_sec
683 683
684 684 Total time, in seconds, spent below the cap.
685 685
686 686
687 687 maxusage
688 688
689 689 Maximum observed CPU usage.
690 690
691 691
692 692 nwait
693 693
694 694 Number of threads on cap wait queue.
695 695
696 696
697 697 usage
698 698
699 699 Current aggregated CPU usage for all threads belonging to a capped
700 700 project or zone, in terms of a percentage of a single CPU.
701 701
702 702
703 703 value
704 704
705 705 The cap value, in terms of a percentage of a single CPU.
706 706
707 707
708 708 zonename
709 709
710 710 Name of the zone for which statistics are displayed.
711 711
712 712
713 713
714 714 See EXAMPLES for sample output from a kstat command.
715 715
716 716 OPTIONS
717 717 The following options are supported:
718 718
719 719 -f command_file
720 720
721 721 Specify the name of zonecfg command file. command_file is a text
722 722 file of zonecfg subcommands, one per line.
723 723
724 724
725 725 -z zonename
726 726
727 727 Specify the name of a zone. Zone names are case sensitive. Zone
728 728 names must begin with an alphanumeric character and can contain
729 729 alphanumeric characters, the underscore (_) the hyphen (-), and the
730 730 dot (.). The name global and all names beginning with SUNW are
731 731 reserved and cannot be used.
732 732
733 733
734 734 SUBCOMMANDS
735 735 You can use the add and select subcommands to select a specific
736 736 resource, at which point the scope changes to that resource. The end
737 737 and cancel subcommands are used to complete the resource specification,
738 738 at which time the scope is reverted back to global. Certain
739 739 subcommands, such as add, remove and set, have different semantics in
740 740 each scope.
741 741
742 742
743 743 zonecfg supports a semicolon-separated list of subcommands. For
744 744 example:
745 745
746 746 # zonecfg -z myzone "add net; set physical=myvnic; end"
747 747
748 748
749 749
750 750
751 751 Subcommands which can result in destructive actions or loss of work
752 752 have an -F option to force the action. If input is from a terminal
753 753 device, the user is prompted when appropriate if such a command is
754 754 given without the -F option otherwise, if such a command is given
755 755 without the -F option, the action is disallowed, with a diagnostic
756 756 message written to standard error.
757 757
758 758
759 759 The following subcommands are supported:
760 760
761 761 add resource-type (global scope)
762 762 add property-name property-value (resource scope)
763 763
764 764 In the global scope, begin the specification for a given resource
765 765 type. The scope is changed to that resource type.
766 766
767 767 In the resource scope, add a property of the given name with the
768 768 given value. The syntax for property values varies with different
769 769 property types. In general, it is a simple value or a list of
770 770 simple values enclosed in square brackets, separated by commas
771 771 ([foo,bar,baz]). See PROPERTIES.
772 772
773 773
774 774 cancel
775 775
776 776 End the resource specification and reset scope to global. Abandons
777 777 any partially specified resources. cancel is only applicable in the
778 778 resource scope.
779 779
780 780
781 781 clear property-name
782 782
783 783 Clear the value for the property.
784 784
785 785
786 786 commit
787 787
788 788 Commit the current configuration from memory to stable storage. The
789 789 configuration must be committed to be used by zoneadm. Until the
790 790 in-memory configuration is committed, you can remove changes with
791 791 the revert subcommand. The commit operation is attempted
792 792 automatically upon completion of a zonecfg session. Since a
793 793 configuration must be correct to be committed, this operation
794 794 automatically does a verify.
795 795
796 796
797 797 create [-F] [ -a path |-b | -t template]
798 798
799 799 Create an in-memory configuration for the specified zone. Use
800 800 create to begin to configure a new zone. See commit for saving this
801 801 to stable storage.
802 802
803 803 If you are overwriting an existing configuration, specify the -F
804 804 option to force the action. Specify the -t template option to
805 805 create a configuration identical to template, where template is the
806 806 name of a configured zone.
807 807
808 808 Use the -a path option to facilitate configuring a detached zone on
809 809 a new host. The path parameter is the zonepath location of a
810 810 detached zone that has been moved on to this new host. Once the
811 811 detached zone is configured, it should be installed using the
812 812 "zoneadm attach" command (see zoneadm(1M)). All validation of the
813 813 new zone happens during the attach process, not during zone
814 814 configuration.
815 815
816 816 Use the -b option to create a blank configuration. Without
817 817 arguments, create applies the Sun default settings.
818 818
819 819
820 820 delete [-F]
821 821
822 822 Delete the specified configuration from memory and stable storage.
823 823 This action is instantaneous, no commit is necessary. A deleted
824 824 configuration cannot be reverted.
825 825
826 826 Specify the -F option to force the action.
827 827
828 828
829 829 end
830 830
831 831 End the resource specification. This subcommand is only applicable
832 832 in the resource scope. zonecfg checks to make sure the current
833 833 resource is completely specified. If so, it is added to the in-
834 834 memory configuration (see commit for saving this to stable storage)
835 835 and the scope reverts to global. If the specification is
836 836 incomplete, it issues an appropriate error message.
837 837
838 838
839 839 export [-f output-file]
840 840
841 841 Print configuration to standard output. Use the -f option to print
842 842 the configuration to output-file. This option produces output in a
843 843 form suitable for use in a command file.
844 844
845 845
846 846 help [usage] [subcommand] [syntax] [command-name]
847 847
848 848 Print general help or help about given topic.
849 849
850 850
851 851 info zonename | zonepath | autoboot | brand | pool | limitpriv
852 852 info [resource-type [property-name=property-value]*]
853 853
854 854 Display information about the current configuration. If resource-
855 855 type is specified, displays only information about resources of the
856 856 relevant type. If any property-name value pairs are specified,
857 857 displays only information about resources meeting the given
858 858 criteria. In the resource scope, any arguments are ignored, and
859 859 info displays information about the resource which is currently
860 860 being added or modified.
861 861
862 862
863 863 remove resource-type{property-name=property -value}(global scope)
864 864
865 865 In the global scope, removes the specified resource. The [] syntax
866 866 means 0 or more of whatever is inside the square braces. If you
867 867 want only to remove a single instance of the resource, you must
868 868 specify enough property name-value pairs for the resource to be
869 869 uniquely identified. If no property name-value pairs are specified,
870 870 all instances will be removed. If there is more than one pair is
871 871 specified, a confirmation is required, unless you use the -F
872 872 option.
873 873
874 874
875 875 select resource-type {property-name=property-value}
876 876
877 877 Select the resource of the given type which matches the given
878 878 property-name property-value pair criteria, for modification. This
879 879 subcommand is applicable only in the global scope. The scope is
880 880 changed to that resource type. The {} syntax means 1 or more of
881 881 whatever is inside the curly braces. You must specify enough
882 882 property -name property-value pairs for the resource to be uniquely
883 883 identified.
884 884
885 885
886 886 set property-name=property-value
887 887
888 888 Set a given property name to the given value. Some properties (for
889 889 example, zonename and zonepath) are global while others are
890 890 resource-specific. This subcommand is applicable in both the global
891 891 and resource scopes.
892 892
893 893
894 894 verify
895 895
896 896 Verify the current configuration for correctness:
897 897
898 898 o All resources have all of their required properties
899 899 specified.
900 900
901 901 o A zonepath is specified.
902 902
903 903
904 904 revert [-F]
905 905
906 906 Revert the configuration back to the last committed state. The -F
907 907 option can be used to force the action.
908 908
909 909
910 910 exit [-F]
911 911
912 912 Exit the zonecfg session. A commit is automatically attempted if
913 913 needed. You can also use an EOF character to exit zonecfg. The -F
914 914 option can be used to force the action.
915 915
916 916
917 917 EXAMPLES
918 918 Example 1 Creating the Environment for a New Zone
919 919
920 920
921 921 In the following example, zonecfg creates the environment for a new
922 922 zone. /usr/local is loopback mounted from the global zone into
923 923 /opt/local. /opt/sfw is loopback mounted from the global zone, three
924 924 logical network interfaces are added, and a limit on the number of
925 925 fair-share scheduler (FSS) CPU shares for a zone is set using the rctl
926 926 resource type. The example also shows how to select a given resource
927 927 for modification.
928 928
929 929
930 930 example# zonecfg -z myzone3
931 931 my-zone3: No such zone configured
932 932 Use 'create' to begin configuring a new zone.
933 933 zonecfg:myzone3> create
934 934 zonecfg:myzone3> set zonepath=/export/home/my-zone3
935 935 zonecfg:myzone3> set autoboot=true
936 936 zonecfg:myzone3> add fs
937 937 zonecfg:myzone3:fs> set dir=/usr/local
938 938 zonecfg:myzone3:fs> set special=/opt/local
939 939 zonecfg:myzone3:fs> set type=lofs
940 940 zonecfg:myzone3:fs> add options [ro,nodevices]
941 941 zonecfg:myzone3:fs> end
942 942 zonecfg:myzone3> add fs
943 943 zonecfg:myzone3:fs> set dir=/mnt
944 944 zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
945 945 zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
946 946 zonecfg:myzone3:fs> set type=ufs
947 947 zonecfg:myzone3:fs> end
948 948 zonecfg:myzone3> add net
949 949 zonecfg:myzone3:net> set address=192.168.0.1/24
950 950 zonecfg:myzone3:net> set physical=eri0
951 951 zonecfg:myzone3:net> end
952 952 zonecfg:myzone3> add net
953 953 zonecfg:myzone3:net> set address=192.168.1.2/24
954 954 zonecfg:myzone3:net> set physical=eri0
955 955 zonecfg:myzone3:net> end
956 956 zonecfg:myzone3> add net
957 957 zonecfg:myzone3:net> set address=192.168.2.3/24
958 958 zonecfg:myzone3:net> set physical=eri0
959 959 zonecfg:myzone3:net> end
960 960 zonecfg:my-zone3> set cpu-shares=5
961 961 zonecfg:my-zone3> add capped-memory
962 962 zonecfg:my-zone3:capped-memory> set physical=50m
963 963 zonecfg:my-zone3:capped-memory> set swap=100m
964 964 zonecfg:my-zone3:capped-memory> end
965 965 zonecfg:myzone3> exit
966 966
967 967
968 968
969 969 Example 2 Creating a Non-Native Zone
970 970
971 971
972 972 The following example creates a new Linux zone:
973 973
974 974
975 975 example# zonecfg -z lxzone
976 976 lxzone: No such zone configured
977 977 Use 'create' to begin configuring a new zone
978 978 zonecfg:lxzone> create -t SUNWlx
979 979 zonecfg:lxzone> set zonepath=/export/zones/lxzone
980 980 zonecfg:lxzone> set autoboot=true
981 981 zonecfg:lxzone> exit
982 982
983 983
984 984
985 985 Example 3 Creating an Exclusive-IP Zone
986 986
987 987
988 988 The following example creates a zone that is granted exclusive access
989 989 to bge1 and bge33000 and that is isolated at the IP layer from the
990 990 other zones configured on the system.
991 991
992 992
993 993
994 994 The IP addresses and routing is configured inside the new zone using
995 995 sysidtool(1M).
996 996
997 997
998 998 example# zonecfg -z excl
999 999 excl: No such zone configured
1000 1000 Use 'create' to begin configuring a new zone
1001 1001 zonecfg:excl> create
1002 1002 zonecfg:excl> set zonepath=/export/zones/excl
1003 1003 zonecfg:excl> set ip-type=exclusive
1004 1004 zonecfg:excl> add net
1005 1005 zonecfg:excl:net> set physical=bge1
1006 1006 zonecfg:excl:net> end
1007 1007 zonecfg:excl> add net
1008 1008 zonecfg:excl:net> set physical=bge33000
1009 1009 zonecfg:excl:net> end
1010 1010 zonecfg:excl> exit
1011 1011
1012 1012
1013 1013
1014 1014 Example 4 Associating a Zone with a Resource Pool
1015 1015
1016 1016
1017 1017 The following example shows how to associate an existing zone with an
1018 1018 existing resource pool:
1019 1019
1020 1020
1021 1021 example# zonecfg -z myzone
1022 1022 zonecfg:myzone> set pool=mypool
1023 1023 zonecfg:myzone> exit
1024 1024
1025 1025
1026 1026
1027 1027
1028 1028 For more information about resource pools, see pooladm(1M) and
1029 1029 poolcfg(1M).
1030 1030
1031 1031
1032 1032 Example 5 Changing the Name of a Zone
1033 1033
1034 1034
1035 1035 The following example shows how to change the name of an existing zone:
1036 1036
1037 1037
1038 1038 example# zonecfg -z myzone
1039 1039 zonecfg:myzone> set zonename=myzone2
1040 1040 zonecfg:myzone2> exit
1041 1041
1042 1042
1043 1043
1044 1044 Example 6 Changing the Privilege Set of a Zone
1045 1045
1046 1046
1047 1047 The following example shows how to change the set of privileges an
1048 1048 existing zone's processes will be limited to the next time the zone is
1049 1049 booted. In this particular case, the privilege set will be the standard
1050 1050 safe set of privileges a zone normally has along with the privilege to
1051 1051 change the system date and time:
1052 1052
1053 1053
1054 1054 example# zonecfg -z myzone
1055 1055 zonecfg:myzone> set limitpriv="default,sys_time"
1056 1056 zonecfg:myzone2> exit
1057 1057
1058 1058
1059 1059
1060 1060 Example 7 Setting the zone.cpu-shares Property for the Global Zone
1061 1061
1062 1062
1063 1063 The following command sets the zone.cpu-shares property for the global
1064 1064 zone:
1065 1065
1066 1066
1067 1067 example# zonecfg -z global
1068 1068 zonecfg:global> set cpu-shares=5
1069 1069 zonecfg:global> exit
1070 1070
1071 1071
1072 1072
1073 1073 Example 8 Using Pattern Matching
1074 1074
1075 1075
1076 1076 The following commands illustrate zonecfg support for pattern matching.
1077 1077 In the zone flexlm, enter:
1078 1078
1079 1079
1080 1080 zonecfg:flexlm> add device
1081 1081 zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
1082 1082 zonecfg:flexlm:device> end
1083 1083
1084 1084
1085 1085
1086 1086
1087 1087 In the global zone, enter:
1088 1088
1089 1089
1090 1090 global# ls /dev/cua
1091 1091 a a000 a001 a002 a003 a004 a005 a006 a007 b
1092 1092
1093 1093
1094 1094
1095 1095
1096 1096 In the zone flexlm, enter:
1097 1097
1098 1098
1099 1099 flexlm# ls /dev/cua
1100 1100 a002 a003 a004 a005
1101 1101
1102 1102
1103 1103
1104 1104 Example 9 Setting a Cap for a Zone to Three CPUs
1105 1105
1106 1106
1107 1107 The following sequence uses the zonecfg command to set the CPU cap for
1108 1108 a zone to three CPUs.
1109 1109
1110 1110
1111 1111 zonecfg:myzone> add capped-cpu
1112 1112 zonecfg:myzone>capped-cpu> set ncpus=3
1113 1113 zonecfg:myzone>capped-cpu>capped-cpu> end
1114 1114
1115 1115
1116 1116
1117 1117
1118 1118 The preceding sequence, which uses the capped-cpu property, is
1119 1119 equivalent to the following sequence, which makes use of the zone.cpu-
1120 1120 cap resource control.
1121 1121
1122 1122
1123 1123 zonecfg:myzone> add rctl
1124 1124 zonecfg:myzone:rctl> set name=zone.cpu-cap
1125 1125 zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
1126 1126 zonecfg:myzone:rctl> end
1127 1127
1128 1128
1129 1129
1130 1130 Example 10 Using kstat to Monitor CPU Caps
1131 1131
1132 1132
1133 1133 The following command displays information about all CPU caps.
1134 1134
1135 1135
1136 1136 # kstat -n /cpucaps/
1137 1137 module: caps instance: 0
1138 1138 name: cpucaps_project_0 class: project_caps
1139 1139 above_sec 0
1140 1140 below_sec 2157
1141 1141 crtime 821.048183159
1142 1142 maxusage 2
1143 1143 nwait 0
1144 1144 snaptime 235885.637253027
1145 1145 usage 0
1146 1146 value 18446743151372347932
1147 1147 zonename global
1148 1148
1149 1149 module: caps instance: 0
1150 1150 name: cpucaps_project_1 class: project_caps
1151 1151 above_sec 0
1152 1152 below_sec 0
1153 1153 crtime 225339.192787265
1154 1154 maxusage 5
1155 1155 nwait 0
1156 1156 snaptime 235885.637591677
1157 1157 usage 5
1158 1158 value 18446743151372347932
1159 1159 zonename global
1160 1160
1161 1161 module: caps instance: 0
1162 1162 name: cpucaps_project_201 class: project_caps
1163 1163 above_sec 0
1164 1164 below_sec 235105
1165 1165 crtime 780.37961782
1166 1166 maxusage 100
1167 1167 nwait 0
1168 1168 snaptime 235885.637789687
1169 1169 usage 43
1170 1170 value 100
1171 1171 zonename global
1172 1172
1173 1173 module: caps instance: 0
1174 1174 name: cpucaps_project_202 class: project_caps
1175 1175 above_sec 0
1176 1176 below_sec 235094
1177 1177 crtime 791.72983782
1178 1178 maxusage 100
1179 1179 nwait 0
1180 1180 snaptime 235885.637967512
1181 1181 usage 48
1182 1182 value 100
1183 1183 zonename global
1184 1184
1185 1185 module: caps instance: 0
1186 1186 name: cpucaps_project_203 class: project_caps
1187 1187 above_sec 0
1188 1188 below_sec 235034
1189 1189 crtime 852.104401481
1190 1190 maxusage 75
1191 1191 nwait 0
1192 1192 snaptime 235885.638144304
1193 1193 usage 47
1194 1194 value 100
1195 1195 zonename global
1196 1196
1197 1197 module: caps instance: 0
1198 1198 name: cpucaps_project_86710 class: project_caps
1199 1199 above_sec 22
1200 1200 below_sec 235166
1201 1201 crtime 698.441717859
1202 1202 maxusage 101
1203 1203 nwait 0
1204 1204 snaptime 235885.638319871
1205 1205 usage 54
1206 1206 value 100
1207 1207 zonename global
1208 1208
1209 1209 module: caps instance: 0
1210 1210 name: cpucaps_zone_0 class: zone_caps
1211 1211 above_sec 100733
1212 1212 below_sec 134332
1213 1213 crtime 821.048177123
1214 1214 maxusage 207
1215 1215 nwait 2
1216 1216 snaptime 235885.638497731
1217 1217 usage 199
1218 1218 value 200
1219 1219 zonename global
1220 1220
1221 1221 module: caps instance: 1
1222 1222 name: cpucaps_project_0 class: project_caps
1223 1223 above_sec 0
1224 1224 below_sec 0
1225 1225 crtime 225360.256448422
1226 1226 maxusage 7
1227 1227 nwait 0
1228 1228 snaptime 235885.638714404
1229 1229 usage 7
1230 1230 value 18446743151372347932
1231 1231 zonename test_001
1232 1232
1233 1233 module: caps instance: 1
1234 1234 name: cpucaps_zone_1 class: zone_caps
1235 1235 above_sec 2
1236 1236 below_sec 10524
1237 1237 crtime 225360.256440278
1238 1238 maxusage 106
1239 1239 nwait 0
1240 1240 snaptime 235885.638896443
1241 1241 usage 7
1242 1242 value 100
1243 1243 zonename test_001
1244 1244
1245 1245
1246 1246
1247 1247 Example 11 Displaying CPU Caps for a Specific Zone or Project
1248 1248
1249 1249
1250 1250 Using the kstat -c and -i options, you can display CPU caps for a
1251 1251 specific zone or project, as below. The first command produces a
1252 1252 display for a specific project, the second for the same project within
1253 1253 zone 1.
1254 1254
1255 1255
1256 1256 # kstat -c project_caps
1257 1257
1258 1258 # kstat -c project_caps -i 1
1259 1259
1260 1260
1261 1261
1262 1262 EXIT STATUS
1263 1263 The following exit values are returned:
1264 1264
1265 1265 0
1266 1266
1267 1267 Successful completion.
1268 1268
1269 1269
1270 1270 1
1271 1271
1272 1272 An error occurred.
1273 1273
1274 1274
1275 1275 2
1276 1276
1277 1277 Invalid usage.
1278 1278
1279 1279
1280 1280 ATTRIBUTES
1281 1281 See attributes(5) for descriptions of the following attributes:
1282 1282
1283 1283
1284 1284
1285 1285
1286 1286 +--------------------+-----------------+
1287 1287 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
1288 1288 +--------------------+-----------------+
1289 1289 |Interface Stability | Volatile |
1290 1290 +--------------------+-----------------+
1291 1291
1292 1292 SEE ALSO
1293 1293 ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1294 1294 poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1295 1295 sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1296 1296 kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1297 1297 privileges(5), resource_controls(5), security-flags(5), zones(5)
1298 1298
1299 1299
1300 1300 System Administration Guide: Solaris Containers-Resource Management,
1301 1301 and Solaris Zones
1302 1302
1303 1303 NOTES
1304 1304 All character data used by zonecfg must be in US-ASCII encoding.
1305 1305
1306 1306
1307 1307
1308 - February 28, 2014 ZONECFG(1M)
1308 + June 6, 2016 ZONECFG(1M)
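Review bot: the footer date moves from February 28, 2014 to June 6, 2016, but every line shown above it in this part of the page is unchanged context, so the content change this date records must sit in the lines not shown here; please confirm the new date matches the last substantive edit to zonecfg.1m. Since the page is being touched anyway, the unchanged EXAMPLES text has prompt inconsistencies worth fixing in the same change: Example 1 mixes "my-zone3" and "myzone3" (lines 931 and 960-964), Example 6 ends at a "zonecfg:myzone2>" prompt after starting with "zonecfg -z myzone" (line 1056), and Example 9 shows "zonecfg:myzone>capped-cpu>" and "zonecfg:myzone>capped-cpu>capped-cpu>" where the other examples use the "zonecfg:myzone:rctl>" form (lines 1112-1113).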