1 '\" te
2 .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright 2013 Joyent, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH ZONECFG 1M "Jun 6, 2016"
8 .SH NAME
9 zonecfg \- set up zone configuration
10 .SH SYNOPSIS
11 .LP
12 .nf
13 \fBzonecfg\fR \fB-z\fR \fIzonename\fR
14 .fi
15
16 .LP
17 .nf
18 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fIsubcommand\fR
19 .fi
20
21 .LP
22 .nf
23 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fB-f\fR \fIcommand_file\fR
24 .fi
25
26 .LP
27 .nf
28 \fBzonecfg\fR help
29 .fi
30
31 .SH DESCRIPTION
32 .LP
33 The \fBzonecfg\fR utility creates and modifies the configuration of a zone.
34 Zone configuration consists of a number of resources and properties.
35 .sp
36 .LP
37 To simplify the user interface, \fBzonecfg\fR uses the concept of a scope. The
38 default scope is global.
39 .sp
40 .LP
41 The following synopsis of the \fBzonecfg\fR command is for interactive usage:
42 .sp
43 .in +2
44 .nf
45 zonecfg \fB-z\fR \fIzonename subcommand\fR
46 .fi
47 .in -2
48 .sp
49
50 .sp
51 .LP
52 Parameters changed through \fBzonecfg\fR do not affect a running zone. The zone
53 must be rebooted for the changes to take effect.
54 .sp
55 .LP
56 In addition to creating and modifying a zone, the \fBzonecfg\fR utility can
57 also be used to persistently specify the resource management settings for the
58 global zone.
59 .sp
60 .LP
61 In the following text, "rctl" is used as an abbreviation for "resource
62 control". See \fBresource_controls\fR(5).
63 .sp
64 .LP
65 Every zone is configured with an associated brand. The brand determines the
66 user-level environment used within the zone, as well as various behaviors for
the zone when it is installed, boots, or is shut down. Once a zone has been
68 installed the brand cannot be changed. The default brand is determined by the
69 installed distribution in the global zone. Some brands do not support all of
70 the \fBzonecfg\fR properties and resources. See the brand-specific man page for
71 more details on each brand. For an overview of brands, see the \fBbrands\fR(5)
72 man page.
73 .SS "Resources"
74 .LP
75 The following resource types are supported:
76 .sp
77 .ne 2
78 .na
79 \fB\fBattr\fR\fR
80 .ad
81 .sp .6
82 .RS 4n
83 Generic attribute.
84 .RE
85
86 .sp
87 .ne 2
88 .na
89 \fB\fBcapped-cpu\fR\fR
90 .ad
91 .sp .6
92 .RS 4n
93 Limits for CPU usage.
94 .RE
95
96 .sp
97 .ne 2
98 .na
99 \fB\fBcapped-memory\fR\fR
100 .ad
101 .sp .6
102 .RS 4n
103 Limits for physical, swap, and locked memory.
104 .RE
105
106 .sp
107 .ne 2
108 .na
109 \fB\fBdataset\fR\fR
110 .ad
111 .sp .6
112 .RS 4n
113 \fBZFS\fR dataset.
114 .RE
115
116 .sp
117 .ne 2
118 .na
119 \fB\fBdedicated-cpu\fR\fR
120 .ad
121 .sp .6
122 .RS 4n
123 Subset of the system's processors dedicated to this zone while it is running.
124 .RE
125
126 .sp
127 .ne 2
128 .na
129 \fB\fBdevice\fR\fR
130 .ad
131 .sp .6
132 .RS 4n
133 Device.
134 .RE
135
136 .sp
137 .ne 2
138 .na
139 \fB\fBfs\fR\fR
140 .ad
141 .sp .6
142 .RS 4n
File system.
144 .RE
145
146 .sp
147 .ne 2
148 .na
149 \fB\fBnet\fR\fR
150 .ad
151 .sp .6
152 .RS 4n
153 Network interface.
154 .RE
155
156 .sp
157 .ne 2
158 .na
159 \fB\fBrctl\fR\fR
160 .ad
161 .sp .6
162 .RS 4n
163 Resource control.
164 .RE
165
166 .sp
167 .ne 2
168 .na
169 \fB\fBsecurity-flags\fR\fR
170 .ad
171 .sp .6
172 .RS 4n
173 Process security flag settings.
174 .RE
175
176 .SS "Properties"
177 .LP
178 Each resource type has one or more properties. There are also some global
179 properties, that is, properties of the configuration as a whole, rather than of
180 some particular resource.
181 .sp
182 .LP
183 The following properties are supported:
184 .sp
185 .ne 2
186 .na
187 \fB(global)\fR
188 .ad
189 .sp .6
190 .RS 4n
191 \fBzonename\fR
192 .RE
193
194 .sp
195 .ne 2
196 .na
197 \fB(global)\fR
198 .ad
199 .sp .6
200 .RS 4n
201 \fBzonepath\fR
202 .RE
203
204 .sp
205 .ne 2
206 .na
207 \fB(global)\fR
208 .ad
209 .sp .6
210 .RS 4n
211 \fBautoboot\fR
212 .RE
213
214 .sp
215 .ne 2
216 .na
217 \fB(global)\fR
218 .ad
219 .sp .6
220 .RS 4n
221 \fBbootargs\fR
222 .RE
223
224 .sp
225 .ne 2
226 .na
227 \fB(global)\fR
228 .ad
229 .sp .6
230 .RS 4n
231 \fBpool\fR
232 .RE
233
234 .sp
235 .ne 2
236 .na
237 \fB(global)\fR
238 .ad
239 .sp .6
240 .RS 4n
241 \fBlimitpriv\fR
242 .RE
243
244 .sp
245 .ne 2
246 .na
247 \fB(global)\fR
248 .ad
249 .sp .6
250 .RS 4n
251 \fBbrand\fR
252 .RE
253
254 .sp
255 .ne 2
256 .na
257 \fB(global)\fR
258 .ad
259 .sp .6
260 .RS 4n
261 \fBcpu-shares\fR
262 .RE
263
264 .sp
265 .ne 2
266 .na
267 \fB(global)\fR
268 .ad
269 .sp .6
270 .RS 4n
271 \fBhostid\fR
272 .RE
273
274 .sp
275 .ne 2
276 .na
277 \fB(global)\fR
278 .ad
279 .sp .6
280 .RS 4n
281 \fBmax-lwps\fR
282 .RE
283
284 .sp
285 .ne 2
286 .na
287 \fB(global)\fR
288 .ad
289 .sp .6
290 .RS 4n
291 \fBmax-msg-ids\fR
292 .RE
293
294 .sp
295 .ne 2
296 .na
297 \fB(global)\fR
298 .ad
299 .sp .6
300 .RS 4n
301 \fBmax-sem-ids\fR
302 .RE
303
304 .sp
305 .ne 2
306 .na
307 \fB(global)\fR
308 .ad
309 .sp .6
310 .RS 4n
311 \fBmax-shm-ids\fR
312 .RE
313
314 .sp
315 .ne 2
316 .na
317 \fB(global)\fR
318 .ad
319 .sp .6
320 .RS 4n
321 \fBmax-shm-memory\fR
322 .RE
323
324 .sp
325 .ne 2
326 .na
327 \fB(global)\fR
328 .ad
329 .sp .6
330 .RS 4n
331 \fBscheduling-class\fR
332 .RE
333
334 .sp
335 .ne 2
336 .na
337 .B (global)
338 .ad
339 .sp .6
340 .RS 4n
341 .B fs-allowed
342 .RE
343
344 .sp
345 .ne 2
346 .na
347 \fB\fBfs\fR\fR
348 .ad
349 .sp .6
350 .RS 4n
351 \fBdir\fR, \fBspecial\fR, \fBraw\fR, \fBtype\fR, \fBoptions\fR
352 .RE
353
354 .sp
355 .ne 2
356 .na
357 \fB\fBnet\fR\fR
358 .ad
359 .sp .6
360 .RS 4n
361 \fBaddress\fR, \fBphysical\fR, \fBdefrouter\fR
362 .RE
363
364 .sp
365 .ne 2
366 .na
367 \fB\fBdevice\fR\fR
368 .ad
369 .sp .6
370 .RS 4n
371 \fBmatch\fR
372 .RE
373
374 .sp
375 .ne 2
376 .na
377 \fB\fBrctl\fR\fR
378 .ad
379 .sp .6
380 .RS 4n
381 \fBname\fR, \fBvalue\fR
382 .RE
383
384 .sp
385 .ne 2
386 .na
387 \fB\fBattr\fR\fR
388 .ad
389 .sp .6
390 .RS 4n
391 \fBname\fR, \fBtype\fR, \fBvalue\fR
392 .RE
393
394 .sp
395 .ne 2
396 .na
397 \fB\fBdataset\fR\fR
398 .ad
399 .sp .6
400 .RS 4n
401 \fBname\fR
402 .RE
403
404 .sp
405 .ne 2
406 .na
407 \fB\fBdedicated-cpu\fR\fR
408 .ad
409 .sp .6
410 .RS 4n
411 \fBncpus\fR, \fBimportance\fR
412 .RE
413
414 .sp
415 .ne 2
416 .na
417 \fB\fBcapped-memory\fR\fR
418 .ad
419 .sp .6
420 .RS 4n
421 \fBphysical\fR, \fBswap\fR, \fBlocked\fR
422 .RE
423
424 .sp
425 .ne 2
426 .na
427 \fB\fBcapped-cpu\fR\fR
428 .ad
429 .sp .6
430 .RS 4n
431 \fBncpus\fR
432 .RE
433
434 .sp
435 .ne 2
436 .na
\fB\fBsecurity-flags\fR\fR
438 .ad
439 .sp .6
440 .RS 4n
\fBlower\fR, \fBdefault\fR, \fBupper\fR
442 .RE
443
444 .sp
445 .LP
446 As for the property values which are paired with these names, they are either
447 simple, complex, or lists. The type allowed is property-specific. Simple values
448 are strings, optionally enclosed within quotation marks. Complex values have
449 the syntax:
450 .sp
451 .in +2
452 .nf
453 (<\fIname\fR>=<\fIvalue\fR>,<\fIname\fR>=<\fIvalue\fR>,...)
454 .fi
455 .in -2
456 .sp
457
458 .sp
459 .LP
460 where each <\fIvalue\fR> is simple, and the <\fIname\fR> strings are unique
461 within a given property. Lists have the syntax:
462 .sp
463 .in +2
464 .nf
465 [<\fIvalue\fR>,...]
466 .fi
467 .in -2
468 .sp
469
470 .sp
471 .LP
472 where each <\fIvalue\fR> is either simple or complex. A list of a single value
473 (either simple or complex) is equivalent to specifying that value without the
474 list syntax. That is, "foo" is equivalent to "[foo]". A list can be empty
475 (denoted by "[]").
476 .sp
477 .LP
478 In interpreting property values, \fBzonecfg\fR accepts regular expressions as
479 specified in \fBfnmatch\fR(5). See \fBEXAMPLES\fR.
480 .sp
481 .LP
482 The property types are described as follows:
483 .sp
484 .ne 2
485 .na
486 \fBglobal: \fBzonename\fR\fR
487 .ad
488 .sp .6
489 .RS 4n
490 The name of the zone.
491 .RE
492
493 .sp
494 .ne 2
495 .na
496 \fBglobal: \fBzonepath\fR\fR
497 .ad
498 .sp .6
499 .RS 4n
500 Path to zone's file system.
501 .RE
502
503 .sp
504 .ne 2
505 .na
506 \fBglobal: \fBautoboot\fR\fR
507 .ad
508 .sp .6
509 .RS 4n
510 Boolean indicating that a zone should be booted automatically at system boot.
511 Note that if the zones service is disabled, the zone will not autoboot,
512 regardless of the setting of this property. You enable the zones service with a
513 \fBsvcadm\fR command, such as:
514 .sp
515 .in +2
516 .nf
517 # \fBsvcadm enable svc:/system/zones:default\fR
518 .fi
519 .in -2
520 .sp
521
522 Replace \fBenable\fR with \fBdisable\fR to disable the zones service. See
523 \fBsvcadm\fR(1M).
524 .RE
525
526 .sp
527 .ne 2
528 .na
529 \fBglobal: \fBbootargs\fR\fR
530 .ad
531 .sp .6
532 .RS 4n
533 Arguments (options) to be passed to the zone bootup, unless options are
534 supplied to the "\fBzoneadm boot\fR" command, in which case those take
535 precedence. The valid arguments are described in \fBzoneadm\fR(1M).
536 .RE
537
538 .sp
539 .ne 2
540 .na
541 \fBglobal: \fBpool\fR\fR
542 .ad
543 .sp .6
544 .RS 4n
545 Name of the resource pool that this zone must be bound to when booted. This
546 property is incompatible with the \fBdedicated-cpu\fR resource.
547 .RE
548
549 .sp
550 .ne 2
551 .na
552 \fBglobal: \fBlimitpriv\fR\fR
553 .ad
554 .sp .6
555 .RS 4n
556 The maximum set of privileges any process in this zone can obtain. The property
557 should consist of a comma-separated privilege set specification as described in
558 \fBpriv_str_to_set\fR(3C). Privileges can be excluded from the resulting set by
559 preceding their names with a dash (-) or an exclamation point (!). The special
560 privilege string "zone" is not supported in this context. If the special string
561 "default" occurs as the first token in the property, it expands into a safe set
562 of privileges that preserve the resource and security isolation described in
563 \fBzones\fR(5). A missing or empty property is equivalent to this same set of
564 safe privileges.
565 .sp
566 The system administrator must take extreme care when configuring privileges for
567 a zone. Some privileges cannot be excluded through this mechanism as they are
568 required in order to boot a zone. In addition, there are certain privileges
569 which cannot be given to a zone as doing so would allow processes inside a zone
570 to unduly affect processes in other zones. \fBzoneadm\fR(1M) indicates when an
571 invalid privilege has been added or removed from a zone's privilege set when an
572 attempt is made to either "boot" or "ready" the zone.
573 .sp
574 See \fBprivileges\fR(5) for a description of privileges. The command "\fBppriv
575 -l\fR" (see \fBppriv\fR(1)) produces a list of all Solaris privileges. You can
576 specify privileges as they are displayed by \fBppriv\fR. In
577 \fBprivileges\fR(5), privileges are listed in the form
578 PRIV_\fIprivilege_name\fR. For example, the privilege \fIsys_time\fR, as you
579 would specify it in this property, is listed in \fBprivileges\fR(5) as
580 \fBPRIV_SYS_TIME\fR.
581 .RE
582
583 .sp
584 .ne 2
585 .na
586 \fBglobal: \fBbrand\fR\fR
587 .ad
588 .sp .6
589 .RS 4n
590 The zone's brand type.
591 .RE
592
593 .sp
594 .ne 2
595 .na
596 \fBglobal: \fBip-type\fR\fR
597 .ad
598 .sp .6
599 .RS 4n
600 A zone can either share the IP instance with the global zone, which is the
601 default, or have its own exclusive instance of IP.
602 .sp
603 This property takes the values \fBshared\fR and \fBexclusive\fR.
604 .RE
605
606 .sp
607 .ne 2
608 .na
609 \fBglobal: \fBhostid\fR\fR
610 .ad
611 .sp .6
612 .RS 4n
613 A zone can emulate a 32-bit host identifier to ease system consolidation. A
614 zone's \fBhostid\fR property is empty by default, meaning that the zone does
615 not emulate a host identifier. Zone host identifiers must be hexadecimal values
616 between 0 and FFFFFFFE. A \fB0x\fR or \fB0X\fR prefix is optional. Both
617 uppercase and lowercase hexadecimal digits are acceptable.
618 .RE
619
620 .sp
621 .ne 2
622 .na
623 \fB\fBfs\fR: dir, special, raw, type, options\fR
624 .ad
625 .sp .6
626 .RS 4n
627 Values needed to determine how, where, and so forth to mount file systems. See
628 \fBmount\fR(1M), \fBmount\fR(2), \fBfsck\fR(1M), and \fBvfstab\fR(4).
629 .RE
630
631 .sp
632 .ne 2
633 .na
634 \fB\fBnet\fR: address, physical, defrouter\fR
635 .ad
636 .sp .6
637 .RS 4n
638 The network address and physical interface name of the network interface. The
639 network address is one of:
640 .RS +4
641 .TP
642 .ie t \(bu
643 .el o
644 a valid IPv4 address, optionally followed by "\fB/\fR" and a prefix length;
645 .RE
646 .RS +4
647 .TP
648 .ie t \(bu
649 .el o
650 a valid IPv6 address, which must be followed by "\fB/\fR" and a prefix length;
651 .RE
652 .RS +4
653 .TP
654 .ie t \(bu
655 .el o
656 a host name which resolves to an IPv4 address.
657 .RE
658 Note that host names that resolve to IPv6 addresses are not supported.
659 .sp
660 The physical interface name is the network interface name.
661 .sp
662 The default router is specified similarly to the network address except that it
663 must not be followed by a \fB/\fR (slash) and a network prefix length.
664 .sp
665 A zone can be configured to be either exclusive-IP or shared-IP. For a
666 shared-IP zone, you must set both the physical and address properties; setting
667 the default router is optional. The interface specified in the physical
668 property must be plumbed in the global zone prior to booting the non-global
669 zone. However, if the interface is not used by the global zone, it should be
670 configured \fBdown\fR in the global zone, and the default router for the
671 interface should be specified here.
672 .sp
673 For an exclusive-IP zone, the physical property must be set and the address and
674 default router properties cannot be set.
675 .RE
676
677 .sp
678 .ne 2
679 .na
680 \fB\fBdevice\fR: match\fR
681 .ad
682 .sp .6
683 .RS 4n
684 Device name to match.
685 .RE
686
687 .sp
688 .ne 2
689 .na
690 \fB\fBrctl\fR: name, value\fR
691 .ad
692 .sp .6
693 .RS 4n
694 The name and \fIpriv\fR/\fIlimit\fR/\fIaction\fR triple of a resource control.
695 See \fBprctl\fR(1) and \fBrctladm\fR(1M). The preferred way to set rctl values
696 is to use the global property name associated with a specific rctl.
697 .RE
698
699 .sp
700 .ne 2
701 .na
702 \fB\fBattr\fR: name, type, value\fR
703 .ad
704 .sp .6
705 .RS 4n
706 The name, type and value of a generic attribute. The \fBtype\fR must be one of
707 \fBint\fR, \fBuint\fR, \fBboolean\fR or \fBstring\fR, and the value must be of
that type. \fBuint\fR means unsigned, that is, a non-negative integer.
709 .RE
710
711 .sp
712 .ne 2
713 .na
714 \fB\fBdataset\fR: name\fR
715 .ad
716 .sp .6
717 .RS 4n
718 The name of a \fBZFS\fR dataset to be accessed from within the zone. See
719 \fBzfs\fR(1M).
720 .RE
721
722 .sp
723 .ne 2
724 .na
725 \fBglobal: \fBcpu-shares\fR\fR
726 .ad
727 .sp .6
728 .RS 4n
729 The number of Fair Share Scheduler (FSS) shares to allocate to this zone. This
730 property is incompatible with the \fBdedicated-cpu\fR resource. This property
731 is the preferred way to set the \fBzone.cpu-shares\fR rctl.
732 .RE
733
734 .sp
735 .ne 2
736 .na
737 \fBglobal: \fBmax-lwps\fR\fR
738 .ad
739 .sp .6
740 .RS 4n
741 The maximum number of LWPs simultaneously available to this zone. This property
742 is the preferred way to set the \fBzone.max-lwps\fR rctl.
743 .RE
744
745 .sp
746 .ne 2
747 .na
748 \fBglobal: \fBmax-msg-ids\fR\fR
749 .ad
750 .sp .6
751 .RS 4n
752 The maximum number of message queue IDs allowed for this zone. This property is
753 the preferred way to set the \fBzone.max-msg-ids\fR rctl.
754 .RE
755
756 .sp
757 .ne 2
758 .na
759 \fBglobal: \fBmax-sem-ids\fR\fR
760 .ad
761 .sp .6
762 .RS 4n
763 The maximum number of semaphore IDs allowed for this zone. This property is the
764 preferred way to set the \fBzone.max-sem-ids\fR rctl.
765 .RE
766
767 .sp
768 .ne 2
769 .na
770 \fBglobal: \fBmax-shm-ids\fR\fR
771 .ad
772 .sp .6
773 .RS 4n
774 The maximum number of shared memory IDs allowed for this zone. This property is
775 the preferred way to set the \fBzone.max-shm-ids\fR rctl.
776 .RE
777
778 .sp
779 .ne 2
780 .na
781 \fBglobal: \fBmax-shm-memory\fR\fR
782 .ad
783 .sp .6
784 .RS 4n
785 The maximum amount of shared memory allowed for this zone. This property is the
786 preferred way to set the \fBzone.max-shm-memory\fR rctl. A scale (K, M, G, T)
787 can be applied to the value for this number (for example, 1M is one megabyte).
788 .RE
789
790 .sp
791 .ne 2
792 .na
793 \fBglobal: \fBscheduling-class\fR\fR
794 .ad
795 .sp .6
796 .RS 4n
797 Specifies the scheduling class used for processes running in a zone. When this
798 property is not specified, the scheduling class is established as follows:
799 .RS +4
800 .TP
801 .ie t \(bu
802 .el o
803 If the \fBcpu-shares\fR property or equivalent rctl is set, the scheduling
804 class FSS is used.
805 .RE
806 .RS +4
807 .TP
808 .ie t \(bu
809 .el o
810 If neither \fBcpu-shares\fR nor the equivalent rctl is set and the zone's pool
811 property references a pool that has a default scheduling class, that class is
812 used.
813 .RE
814 .RS +4
815 .TP
816 .ie t \(bu
817 .el o
818 Under any other conditions, the system default scheduling class is used.
819 .RE
820 .RE
821
822
823
824 .sp
825 .ne 2
826 .na
827 \fB\fBdedicated-cpu\fR: ncpus, importance\fR
828 .ad
829 .sp .6
830 .RS 4n
831 The number of CPUs that should be assigned for this zone's exclusive use. The
832 zone will create a pool and processor set when it boots. See \fBpooladm\fR(1M)
and \fBpoolcfg\fR(1M) for more information on resource pools. The \fBncpus\fR
834 property can specify a single value or a range (for example, 1-4) of
835 processors. The \fBimportance\fR property is optional; if set, it will specify
836 the \fBpset.importance\fR value for use by \fBpoold\fR(1M). If this resource is
837 used, there must be enough free processors to allocate to this zone when it
838 boots or the zone will not boot. The processors assigned to this zone will not
839 be available for the use of the global zone or other zones. This resource is
840 incompatible with both the \fBpool\fR and \fBcpu-shares\fR properties. Only a
841 single instance of this resource can be added to the zone.
842 .RE
843
844 .sp
845 .ne 2
846 .na
847 \fB\fBcapped-memory\fR: physical, swap, locked\fR
848 .ad
849 .sp .6
850 .RS 4n
851 The caps on the memory that can be used by this zone. A scale (K, M, G, T) can
852 be applied to the value for each of these numbers (for example, 1M is one
853 megabyte). Each of these properties is optional but at least one property must
854 be set when adding this resource. Only a single instance of this resource can
855 be added to the zone. The \fBphysical\fR property sets the \fBmax-rss\fR for
856 this zone. This will be enforced by \fBrcapd\fR(1M) running in the global zone.
857 The \fBswap\fR property is the preferred way to set the \fBzone.max-swap\fR
858 rctl. The \fBlocked\fR property is the preferred way to set the
859 \fBzone.max-locked-memory\fR rctl.
860 .RE
861
862 .sp
863 .ne 2
864 .na
865 \fB\fBcapped-cpu\fR: ncpus\fR
866 .ad
867 .sp .6
868 .RS 4n
869 Sets a limit on the amount of CPU time that can be used by a zone. The unit
870 used translates to the percentage of a single CPU that can be used by all user
871 threads in a zone, expressed as a fraction (for example, \fB\&.75\fR) or a
872 mixed number (whole number and fraction, for example, \fB1.25\fR). An
\fBncpus\fR value of \fB1\fR means 100% of a CPU, a value of \fB1.25\fR means
125%, \fB\&.75\fR means 75%, and so forth. When projects within a capped zone
875 have their own caps, the minimum value takes precedence.
876 .sp
The \fBcapped-cpu\fR property is an alias for the \fBzone.cpu-cap\fR resource
control. See \fBresource_controls\fR(5).
880 .RE
881
882 .sp
883 .ne 2
884 .na
885 \fB\fBsecurity-flags\fR: lower, default, upper\fR
886 .ad
887 .sp .6
888 .RS 4n
Set the process security flags associated with the zone. The \fBlower\fR and
\fBupper\fR fields set the limits; the \fBdefault\fR field is the set of flags
all zone processes inherit.
892 .RE
893
894 .sp
895 .ne 2
896 .na
897 \fBglobal: \fBfs-allowed\fR\fR
898 .ad
899 .sp .6
900 .RS 4n
901 A comma-separated list of additional filesystems that may be mounted within
902 the zone; for example "ufs,pcfs". By default, only hsfs(7fs) and network
903 filesystems can be mounted. If the first entry in the list is "-" then
904 that disables all of the default filesystems. If any filesystems are listed
905 after "-" then only those filesystems can be mounted.
906
907 This property does not apply to filesystems mounted into the zone via "add fs"
908 or "add dataset".
909
910 WARNING: allowing filesystem mounts other than the default may allow the zone
911 administrator to compromise the system with a malicious filesystem image, and
912 is not supported.
913 .RE
914
915 .sp
916 .LP
917 The following table summarizes resources, property-names, and types:
918 .sp
919 .in +2
920 .nf
resource          property-name       type
(global)          zonename            simple
(global)          zonepath            simple
(global)          autoboot            simple
(global)          bootargs            simple
(global)          pool                simple
(global)          limitpriv           simple
(global)          brand               simple
(global)          ip-type             simple
(global)          hostid              simple
(global)          cpu-shares          simple
(global)          max-lwps            simple
(global)          max-msg-ids         simple
(global)          max-sem-ids         simple
(global)          max-shm-ids         simple
(global)          max-shm-memory      simple
(global)          scheduling-class    simple
fs                dir                 simple
                  special             simple
                  raw                 simple
                  type                simple
                  options             list of simple
net               address             simple
                  physical            simple
device            match               simple
rctl              name                simple
                  value               list of complex
attr              name                simple
                  type                simple
                  value               simple
dataset           name                simple
dedicated-cpu     ncpus               simple or range
                  importance          simple

capped-memory     physical            simple with scale
                  swap                simple with scale
                  locked              simple with scale

capped-cpu        ncpus               simple
security-flags    lower               simple
                  default             simple
                  upper               simple
963 .fi
964 .in -2
965 .sp
966
967 .sp
968 .LP
To be more specific, the complex property "value" of the "rctl" resource type
consists of three name/value pairs, the names being "priv", "limit" and
"action", each of which takes a simple value. The "name"
972 property of an "attr" resource is syntactically restricted in a fashion similar
973 but not identical to zone names: it must begin with an alphanumeric, and can
974 contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot
975 (\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for
976 use by the system. Finally, the "autoboot" global property must have a value of
977 "true" or "false".
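.sp
.LP
The following Python sketch is an added example, not part of the original manual page or of the zones code. It reads a configuration in command-file form, as printed by "\fBzonecfg -z\fR \fIzonename\fR \fBexport\fR", and reports on the two global properties that this page warns about, \fBlimitpriv\fR and \fBfs-allowed\fR. The function names and the sample configuration are constructed for illustration, and one subcommand per line is assumed.

```python
"""Audit zonecfg command-file text for limitpriv and fs-allowed settings."""

# Constructed sample in the form printed by `zonecfg -z <zone> export`.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/web01
set autoboot=true
set limitpriv="default,dtrace_proc,-sys_mount,sys_time"
set ip-type=shared
set fs-allowed=ufs,pcfs
add net
set address=192.0.2.10/24
set physical=net0
end
add capped-memory
set physical=1G
end
"""


def global_properties(text):
    """Return {name: value} for `set` subcommands issued in the global scope.

    `add` and `select` switch to a resource scope; `end` and `cancel` return
    to the global scope, so properties set inside a resource are skipped.
    """
    props = {}
    in_resource = False
    for line in text.splitlines():
        words = line.strip().split(None, 1)
        if not words:
            continue
        cmd = words[0]
        arg = words[1].strip() if len(words) > 1 else ""
        if in_resource:
            if cmd in ("end", "cancel"):
                in_resource = False
        elif cmd in ("add", "select"):
            in_resource = True
        elif cmd == "set" and "=" in arg:
            name, value = arg.split("=", 1)
            props[name.strip()] = value.strip().strip('"')
        elif cmd == "clear":
            props.pop(arg, None)
    return props


def audit_limitpriv(value):
    """Flag limitpriv values that widen or replace the safe default set."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    findings = []
    if not tokens:
        return findings  # missing or empty is equivalent to the safe set
    if "zone" in tokens:
        findings.append(
            "limitpriv: special string 'zone' is not supported in this property")
    if tokens[0] != "default":
        findings.append(
            "limitpriv: first token is %r, not 'default'; "
            "the safe set is not the baseline" % tokens[0])
        return findings
    # Names prefixed with '-' or '!' are exclusions; the rest are additions.
    added = [t for t in tokens[1:] if t[0] not in "-!" and t != "zone"]
    if added:
        findings.append(
            "limitpriv: adds to the safe default set: " + ", ".join(added))
    return findings


def audit_fs_allowed(value):
    """Flag filesystem types allowed beyond (or instead of) the defaults."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if entries and entries[0] == "-":
        entries = entries[1:]  # a leading "-" only disables the defaults
    if not entries:
        return []
    return ["fs-allowed: zone may mount additional filesystem types: "
            + ", ".join(entries)]


def audit(text):
    """Run both checks over command-file text and return all findings."""
    props = global_properties(text)
    return (audit_limitpriv(props.get("limitpriv", ""))
            + audit_fs_allowed(props.get("fs-allowed", "")))


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```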
978 .SS "Using Kernel Statistics to Monitor CPU Caps"
979 .LP
980 Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system
981 maintains information for all capped projects and zones. You can access this
982 information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying
983 \fBcaps\fR as the \fBkstat\fR module name. The following command displays
984 kernel statistics for all active CPU caps:
985 .sp
986 .in +2
987 .nf
988 # \fBkstat caps::'/cpucaps/'\fR
989 .fi
990 .in -2
991 .sp
992
993 .sp
994 .LP
995 A \fBkstat\fR(1M) command running in a zone displays only CPU caps relevant for
996 that zone and for projects in that zone. See \fBEXAMPLES\fR.
997 .sp
998 .LP
999 The following are cap-related arguments for use with \fBkstat\fR(1M):
1000 .sp
1001 .ne 2
1002 .na
1003 \fB\fBcaps\fR\fR
1004 .ad
1005 .sp .6
1006 .RS 4n
1007 The \fBkstat\fR module.
1008 .RE
1009
1010 .sp
1011 .ne 2
1012 .na
1013 \fB\fBproject_caps\fR or \fBzone_caps\fR\fR
1014 .ad
1015 .sp .6
1016 .RS 4n
1017 \fBkstat\fR class, for use with the \fBkstat\fR \fB-c\fR option.
1018 .RE
1019
1020 .sp
1021 .ne 2
1022 .na
1023 \fB\fBcpucaps_project_\fR\fIid\fR or \fBcpucaps_zone_\fR\fIid\fR\fR
1024 .ad
1025 .sp .6
1026 .RS 4n
1027 \fBkstat\fR name, for use with the \fBkstat\fR \fB-n\fR option. \fIid\fR is the
1028 project or zone identifier.
1029 .RE
1030
1031 .sp
1032 .LP
1033 The following fields are displayed in response to a \fBkstat\fR(1M) command
1034 requesting statistics for all CPU caps.
1035 .sp
1036 .ne 2
1037 .na
1038 \fB\fBmodule\fR\fR
1039 .ad
1040 .sp .6
1041 .RS 4n
1042 In this usage of \fBkstat\fR, this field will have the value \fBcaps\fR.
1043 .RE
1044
1045 .sp
1046 .ne 2
1047 .na
1048 \fB\fBname\fR\fR
1049 .ad
1050 .sp .6
1051 .RS 4n
1052 As described above, \fBcpucaps_project_\fR\fIid\fR or
1053 \fBcpucaps_zone_\fR\fIid\fR
1054 .RE
1055
1056 .sp
1057 .ne 2
1058 .na
1059 \fB\fBabove_sec\fR\fR
1060 .ad
1061 .sp .6
1062 .RS 4n
1063 Total time, in seconds, spent above the cap.
1064 .RE
1065
1066 .sp
1067 .ne 2
1068 .na
1069 \fB\fBbelow_sec\fR\fR
1070 .ad
1071 .sp .6
1072 .RS 4n
1073 Total time, in seconds, spent below the cap.
1074 .RE
1075
1076 .sp
1077 .ne 2
1078 .na
1079 \fB\fBmaxusage\fR\fR
1080 .ad
1081 .sp .6
1082 .RS 4n
1083 Maximum observed CPU usage.
1084 .RE
1085
1086 .sp
1087 .ne 2
1088 .na
1089 \fB\fBnwait\fR\fR
1090 .ad
1091 .sp .6
1092 .RS 4n
1093 Number of threads on cap wait queue.
1094 .RE
1095
1096 .sp
1097 .ne 2
1098 .na
1099 \fB\fBusage\fR\fR
1100 .ad
1101 .sp .6
1102 .RS 4n
1103 Current aggregated CPU usage for all threads belonging to a capped project or
1104 zone, in terms of a percentage of a single CPU.
1105 .RE
1106
1107 .sp
1108 .ne 2
1109 .na
1110 \fB\fBvalue\fR\fR
1111 .ad
1112 .sp .6
1113 .RS 4n
1114 The cap value, in terms of a percentage of a single CPU.
1115 .RE
1116
1117 .sp
1118 .ne 2
1119 .na
1120 \fB\fBzonename\fR\fR
1121 .ad
1122 .sp .6
1123 .RS 4n
1124 Name of the zone for which statistics are displayed.
1125 .RE
1126
1127 .sp
1128 .LP
1129 See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command.
1130 .SH OPTIONS
1131 .LP
1132 The following options are supported:
1133 .sp
1134 .ne 2
1135 .na
1136 \fB\fB-f\fR \fIcommand_file\fR\fR
1137 .ad
1138 .sp .6
1139 .RS 4n
Specify the name of a \fBzonecfg\fR command file. \fIcommand_file\fR is a text
1141 file of \fBzonecfg\fR subcommands, one per line.
1142 .RE
1143
1144 .sp
1145 .ne 2
1146 .na
1147 \fB\fB-z\fR \fIzonename\fR\fR
1148 .ad
1149 .sp .6
1150 .RS 4n
1151 Specify the name of a zone. Zone names are case sensitive. Zone names must
1152 begin with an alphanumeric character and can contain alphanumeric characters,
the underscore (\fB_\fR), the hyphen (\fB-\fR), and the dot (\fB\&.\fR). The
1154 name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and
1155 cannot be used.
1156 .RE
1157
1158 .SH SUBCOMMANDS
1159 .LP
1160 You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific
1161 resource, at which point the scope changes to that resource. The \fBend\fR and
1162 \fBcancel\fR subcommands are used to complete the resource specification, at
1163 which time the scope is reverted back to global. Certain subcommands, such as
1164 \fBadd\fR, \fBremove\fR and \fBset\fR, have different semantics in each scope.
1165 .sp
1166 .LP
1167 \fBzonecfg\fR supports a semicolon-separated list of subcommands. For example:
1168 .sp
1169 .in +2
1170 .nf
1171 # \fBzonecfg -z myzone "add net; set physical=myvnic; end"\fR
1172 .fi
1173 .in -2
1174 .sp
1175
1176 .sp
1177 .LP
1178 Subcommands which can result in destructive actions or loss of work have an
1179 \fB-F\fR option to force the action. If input is from a terminal device, the
1180 user is prompted when appropriate if such a command is given without the
\fB-F\fR option; otherwise, if such a command is given without the \fB-F\fR
1182 option, the action is disallowed, with a diagnostic message written to standard
1183 error.
1184 .sp
1185 .LP
1186 The following subcommands are supported:
1187 .sp
1188 .ne 2
1189 .na
1190 \fB\fBadd\fR \fIresource-type\fR (global scope)\fR
1191 .ad
1192 .br
1193 .na
1194 \fB\fBadd\fR \fIproperty-name property-value\fR (resource scope)\fR
1195 .ad
1196 .sp .6
1197 .RS 4n
1198 In the global scope, begin the specification for a given resource type. The
1199 scope is changed to that resource type.
1200 .sp
1201 In the resource scope, add a property of the given name with the given value.
1202 The syntax for property values varies with different property types. In
1203 general, it is a simple value or a list of simple values enclosed in square
1204 brackets, separated by commas (\fB[foo,bar,baz]\fR). See \fBPROPERTIES\fR.
1205 .RE
1206
1207 .sp
1208 .ne 2
1209 .na
1210 \fB\fBcancel\fR\fR
1211 .ad
1212 .sp .6
1213 .RS 4n
1214 End the resource specification and reset scope to global. Abandons any
1215 partially specified resources. \fBcancel\fR is only applicable in the resource
1216 scope.
1217 .RE
1218
1219 .sp
1220 .ne 2
1221 .na
1222 \fB\fBclear\fR \fIproperty-name\fR\fR
1223 .ad
1224 .sp .6
1225 .RS 4n
1226 Clear the value for the property.
1227 .RE
1228
1229 .sp
1230 .ne 2
1231 .na
1232 \fB\fBcommit\fR\fR
1233 .ad
1234 .sp .6
1235 .RS 4n
1236 Commit the current configuration from memory to stable storage. The
1237 configuration must be committed to be used by \fBzoneadm\fR. Until the
1238 in-memory configuration is committed, you can remove changes with the
1239 \fBrevert\fR subcommand. The \fBcommit\fR operation is attempted automatically
1240 upon completion of a \fBzonecfg\fR session. Since a configuration must be
1241 correct to be committed, this operation automatically does a verify.
1242 .RE
1243
1244 .sp
1245 .ne 2
1246 .na
1247 \fB\fBcreate [\fR\fB-F\fR\fB] [\fR \fB-a\fR \fIpath\fR |\fB-b\fR \fB|\fR
1248 \fB-t\fR \fItemplate\fR\fB]\fR\fR
1249 .ad
1250 .sp .6
1251 .RS 4n
1252 Create an in-memory configuration for the specified zone. Use \fBcreate\fR to
1253 begin to configure a new zone. See \fBcommit\fR for saving this to stable
1254 storage.
1255 .sp
1256 If you are overwriting an existing configuration, specify the \fB-F\fR option
1257 to force the action. Specify the \fB-t\fR \fItemplate\fR option to create a
1258 configuration identical to \fItemplate\fR, where \fItemplate\fR is the name of
1259 a configured zone.
1260 .sp
1261 Use the \fB-a\fR \fIpath\fR option to facilitate configuring a detached zone on
1262 a new host. The \fIpath\fR parameter is the zonepath location of a detached
1263 zone that has been moved on to this new host. Once the detached zone is
1264 configured, it should be installed using the "\fBzoneadm attach\fR" command
1265 (see \fBzoneadm\fR(1M)). All validation of the new zone happens during the
1266 \fBattach\fR process, not during zone configuration.
1267 .sp
1268 Use the \fB-b\fR option to create a blank configuration. Without arguments,
1269 \fBcreate\fR applies the Sun default settings.
1270 .RE
1271
1272 .sp
1273 .ne 2
1274 .na
1275 \fB\fBdelete [\fR\fB-F\fR\fB]\fR\fR
1276 .ad
1277 .sp .6
1278 .RS 4n
1279 Delete the specified configuration from memory and stable storage. This action
is instantaneous; no commit is necessary. A deleted configuration cannot be
1281 reverted.
1282 .sp
1283 Specify the \fB-F\fR option to force the action.
1284 .RE
1285
1286 .sp
1287 .ne 2
1288 .na
1289 \fB\fBend\fR\fR
1290 .ad
1291 .sp .6
1292 .RS 4n
1293 End the resource specification. This subcommand is only applicable in the
1294 resource scope. \fBzonecfg\fR checks to make sure the current resource is
1295 completely specified. If so, it is added to the in-memory configuration (see
1296 \fBcommit\fR for saving this to stable storage) and the scope reverts to
1297 global. If the specification is incomplete, it issues an appropriate error
1298 message.
1299 .RE
1300
1301 .sp
1302 .ne 2
1303 .na
1304 \fB\fBexport [\fR\fB-f\fR \fIoutput-file\fR\fB]\fR\fR
1305 .ad
1306 .sp .6
1307 .RS 4n
1308 Print configuration to standard output. Use the \fB-f\fR option to print the
1309 configuration to \fIoutput-file\fR. This option produces output in a form
1310 suitable for use in a command file.
1311 .RE
1312
1313 .sp
1314 .ne 2
1315 .na
1316 \fB\fBhelp [usage] [\fIsubcommand\fR] [syntax] [\fR\fIcommand-name\fR\fB]\fR\fR
1317 .ad
1318 .sp .6
1319 .RS 4n
1320 Print general help or help about given topic.
1321 .RE
1322
1323 .sp
1324 .ne 2
1325 .na
1326 \fB\fBinfo zonename | zonepath | autoboot | brand | pool | limitpriv\fR\fR
1327 .ad
1328 .br
1329 .na
1330 \fB\fBinfo [\fR\fIresource-type\fR
1331 \fB[\fR\fIproperty-name\fR\fB=\fR\fIproperty-value\fR\fB]*]\fR\fR
1332 .ad
1333 .sp .6
1334 .RS 4n
1335 Display information about the current configuration. If \fIresource-type\fR is
1336 specified, displays only information about resources of the relevant type. If
1337 any \fIproperty-name\fR value pairs are specified, displays only information
1338 about resources meeting the given criteria. In the resource scope, any
1339 arguments are ignored, and \fBinfo\fR displays information about the resource
1340 which is currently being added or modified.
1341 .RE
1342
1343 .sp
1344 .ne 2
1345 .na
1346 \fB\fBremove\fR \fIresource-type\fR
1347 \fB{\fR\fIproperty-name\fR\fB=\fR\fIproperty-value\fR\fB}\fR(global scope)\fR
1348 .ad
1349 .sp .6
1350 .RS 4n
1351 In the global scope, removes the specified resource. The \fB[]\fR syntax means
1352 0 or more of whatever is inside the square brackets. If you want to remove only a
1353 single instance of the resource, you must specify enough property name-value
1354 pairs for the resource to be uniquely identified. If no property name-value
1355 pairs are specified, all instances will be removed. If more than one pair is
1356 specified, a confirmation is required, unless you use the \fB-F\fR
1357 option.
1358 .RE
1359
1360 .sp
1361 .ne 2
1362 .na
1363 \fB\fBselect\fR \fIresource-type\fR
1364 \fB{\fR\fIproperty-name\fR\fB=\fR\fIproperty-value\fR\fB}\fR\fR
1365 .ad
1366 .sp .6
1367 .RS 4n
1368 Select the resource of the given type which matches the given
1369 \fIproperty-name\fR \fIproperty-value\fR pair criteria, for modification. This
1370 subcommand is applicable only in the global scope. The scope is changed to that
1371 resource type. The \fB{}\fR syntax means 1 or more of whatever is inside the
1372 curly braces. You must specify enough \fIproperty-name property-value\fR pairs
1373 for the resource to be uniquely identified.
1374 .RE
1375
1376 .sp
1377 .ne 2
1378 .na
1379 \fB\fBset\fR \fIproperty-name\fR\fB=\fR\fIproperty\fR\fB-\fR\fIvalue\fR\fR
1380 .ad
1381 .sp .6
1382 .RS 4n
1383 Set a given property name to the given value. Some properties (for example,
1384 \fBzonename\fR and \fBzonepath\fR) are global while others are
1385 resource-specific. This subcommand is applicable in both the global and
1386 resource scopes.
1387 .RE
1388
1389 .sp
1390 .ne 2
1391 .na
1392 \fB\fBverify\fR\fR
1393 .ad
1394 .sp .6
1395 .RS 4n
1396 Verify the current configuration for correctness:
1397 .RS +4
1398 .TP
1399 .ie t \(bu
1400 .el o
1401 All resources have all of their required properties specified.
1402 .RE
1403 .RS +4
1404 .TP
1405 .ie t \(bu
1406 .el o
1407 A \fBzonepath\fR is specified.
1408 .RE
1409 .RE
1410
1411 .sp
1412 .ne 2
1413 .na
1414 \fB\fBrevert\fR \fB[\fR\fB-F\fR\fB]\fR\fR
1415 .ad
1416 .sp .6
1417 .RS 4n
1418 Revert the configuration back to the last committed state. The \fB-F\fR option
1419 can be used to force the action.
1420 .RE
1421
1422 .sp
1423 .ne 2
1424 .na
1425 \fB\fBexit [\fR\fB-F\fR\fB]\fR\fR
1426 .ad
1427 .sp .6
1428 .RS 4n
1429 Exit the \fBzonecfg\fR session. A commit is automatically attempted if needed.
1430 You can also use an \fBEOF\fR character to exit \fBzonecfg\fR. The \fB-F\fR
1431 option can be used to force the action.
1432 .RE
1433
1434 .SH EXAMPLES
1435 .LP
1436 \fBExample 1 \fRCreating the Environment for a New Zone
1437 .sp
1438 .LP
1439 In the following example, \fBzonecfg\fR creates the environment for a new zone.
1440 \fB/usr/local\fR is loopback mounted from the global zone into
1441 \fB/opt/local\fR. \fB/opt/sfw\fR is loopback mounted from the global zone,
1442 three logical network interfaces are added, and a limit on the number of
1443 fair-share scheduler (FSS) CPU shares for a zone is set using the \fBrctl\fR
1444 resource type. The example also shows how to select a given resource for
1445 modification.
1446
1447 .sp
1448 .in +2
1449 .nf
1450 example# \fBzonecfg -z myzone3\fR
1451 myzone3: No such zone configured
1452 Use 'create' to begin configuring a new zone.
1453 zonecfg:myzone3> \fBcreate\fR
1454 zonecfg:myzone3> \fBset zonepath=/export/home/my-zone3\fR
1455 zonecfg:myzone3> \fBset autoboot=true\fR
1456 zonecfg:myzone3> \fBadd fs\fR
1457 zonecfg:myzone3:fs> \fBset dir=/usr/local\fR
1458 zonecfg:myzone3:fs> \fBset special=/opt/local\fR
1459 zonecfg:myzone3:fs> \fBset type=lofs\fR
1460 zonecfg:myzone3:fs> \fBadd options [ro,nodevices]\fR
1461 zonecfg:myzone3:fs> \fBend\fR
1462 zonecfg:myzone3> \fBadd fs\fR
1463 zonecfg:myzone3:fs> \fBset dir=/mnt\fR
1464 zonecfg:myzone3:fs> \fBset special=/dev/dsk/c0t0d0s7\fR
1465 zonecfg:myzone3:fs> \fBset raw=/dev/rdsk/c0t0d0s7\fR
1466 zonecfg:myzone3:fs> \fBset type=ufs\fR
1467 zonecfg:myzone3:fs> \fBend\fR
1468 zonecfg:myzone3> \fBadd net\fR
1469 zonecfg:myzone3:net> \fBset address=192.168.0.1/24\fR
1470 zonecfg:myzone3:net> \fBset physical=eri0\fR
1471 zonecfg:myzone3:net> \fBend\fR
1472 zonecfg:myzone3> \fBadd net\fR
1473 zonecfg:myzone3:net> \fBset address=192.168.1.2/24\fR
1474 zonecfg:myzone3:net> \fBset physical=eri0\fR
1475 zonecfg:myzone3:net> \fBend\fR
1476 zonecfg:myzone3> \fBadd net\fR
1477 zonecfg:myzone3:net> \fBset address=192.168.2.3/24\fR
1478 zonecfg:myzone3:net> \fBset physical=eri0\fR
1479 zonecfg:myzone3:net> \fBend\fR
1480 zonecfg:myzone3> \fBset cpu-shares=5\fR
1481 zonecfg:myzone3> \fBadd capped-memory\fR
1482 zonecfg:myzone3:capped-memory> \fBset physical=50m\fR
1483 zonecfg:myzone3:capped-memory> \fBset swap=100m\fR
1484 zonecfg:myzone3:capped-memory> \fBend\fR
1485 zonecfg:myzone3> \fBexit\fR
1486 .fi
1487 .in -2
1488 .sp
1489
1490 .LP
1491 \fBExample 2 \fRCreating a Non-Native Zone
1492 .sp
1493 .LP
1494 The following example creates a new Linux zone:
1495
1496 .sp
1497 .in +2
1498 .nf
1499 example# \fBzonecfg -z lxzone\fR
1500 lxzone: No such zone configured
1501 Use 'create' to begin configuring a new zone
1502 zonecfg:lxzone> \fBcreate -t SUNWlx\fR
1503 zonecfg:lxzone> \fBset zonepath=/export/zones/lxzone\fR
1504 zonecfg:lxzone> \fBset autoboot=true\fR
1505 zonecfg:lxzone> \fBexit\fR
1506 .fi
1507 .in -2
1508 .sp
1509
1510 .LP
1511 \fBExample 3 \fRCreating an Exclusive-IP Zone
1512 .sp
1513 .LP
1514 The following example creates a zone that is granted exclusive access to
1515 \fBbge1\fR and \fBbge33000\fR and that is isolated at the IP layer from the
1516 other zones configured on the system.
1517
1518 .sp
1519 .LP
1520 The IP addresses and routing are configured inside the new zone using
1521 \fBsysidtool\fR(1M).
1522
1523 .sp
1524 .in +2
1525 .nf
1526 example# \fBzonecfg -z excl\fR
1527 excl: No such zone configured
1528 Use 'create' to begin configuring a new zone
1529 zonecfg:excl> \fBcreate\fR
1530 zonecfg:excl> \fBset zonepath=/export/zones/excl\fR
1531 zonecfg:excl> \fBset ip-type=exclusive\fR
1532 zonecfg:excl> \fBadd net\fR
1533 zonecfg:excl:net> \fBset physical=bge1\fR
1534 zonecfg:excl:net> \fBend\fR
1535 zonecfg:excl> \fBadd net\fR
1536 zonecfg:excl:net> \fBset physical=bge33000\fR
1537 zonecfg:excl:net> \fBend\fR
1538 zonecfg:excl> \fBexit\fR
1539 .fi
1540 .in -2
1541 .sp
1542
1543 .LP
1544 \fBExample 4 \fRAssociating a Zone with a Resource Pool
1545 .sp
1546 .LP
1547 The following example shows how to associate an existing zone with an existing
1548 resource pool:
1549
1550 .sp
1551 .in +2
1552 .nf
1553 example# \fBzonecfg -z myzone\fR
1554 zonecfg:myzone> \fBset pool=mypool\fR
1555 zonecfg:myzone> \fBexit\fR
1556 .fi
1557 .in -2
1558 .sp
1559
1560 .sp
1561 .LP
1562 For more information about resource pools, see \fBpooladm\fR(1M) and
1563 \fBpoolcfg\fR(1M).
1564
1565 .LP
1566 \fBExample 5 \fRChanging the Name of a Zone
1567 .sp
1568 .LP
1569 The following example shows how to change the name of an existing zone:
1570
1571 .sp
1572 .in +2
1573 .nf
1574 example# \fBzonecfg -z myzone\fR
1575 zonecfg:myzone> \fBset zonename=myzone2\fR
1576 zonecfg:myzone2> \fBexit\fR
1577 .fi
1578 .in -2
1579 .sp
1580
1581 .LP
1582 \fBExample 6 \fRChanging the Privilege Set of a Zone
1583 .sp
1584 .LP
1585 The following example shows how to change the set of privileges an existing
1586 zone's processes will be limited to the next time the zone is booted. In this
1587 particular case, the privilege set will be the standard safe set of privileges
1588 a zone normally has along with the privilege to change the system date and
1589 time:
1590
1591 .sp
1592 .in +2
1593 .nf
1594 example# \fBzonecfg -z myzone\fR
1595 zonecfg:myzone> \fBset limitpriv="default,sys_time"\fR
1596 zonecfg:myzone> \fBexit\fR
1597 .fi
1598 .in -2
1599 .sp
1600
1601 .LP
1602 \fBExample 7 \fRSetting the \fBzone.cpu-shares\fR Property for the Global Zone
1603 .sp
1604 .LP
1605 The following command sets the \fBzone.cpu-shares\fR property for the global
1606 zone:
1607
1608 .sp
1609 .in +2
1610 .nf
1611 example# \fBzonecfg -z global\fR
1612 zonecfg:global> \fBset cpu-shares=5\fR
1613 zonecfg:global> \fBexit\fR
1614 .fi
1615 .in -2
1616 .sp
1617
1618 .LP
1619 \fBExample 8 \fRUsing Pattern Matching
1620 .sp
1621 .LP
1622 The following commands illustrate \fBzonecfg\fR support for pattern matching.
1623 In the zone \fBflexlm\fR, enter:
1624
1625 .sp
1626 .in +2
1627 .nf
1628 zonecfg:flexlm> \fBadd device\fR
1629 zonecfg:flexlm:device> \fBset match="/dev/cua/a00[2-5]"\fR
1630 zonecfg:flexlm:device> \fBend\fR
1631 .fi
1632 .in -2
1633 .sp
1634
1635 .sp
1636 .LP
1637 In the global zone, enter:
1638
1639 .sp
1640 .in +2
1641 .nf
1642 global# \fBls /dev/cua\fR
1643 a a000 a001 a002 a003 a004 a005 a006 a007 b
1644 .fi
1645 .in -2
1646 .sp
1647
1648 .sp
1649 .LP
1650 In the zone \fBflexlm\fR, enter:
1651
1652 .sp
1653 .in +2
1654 .nf
1655 flexlm# \fBls /dev/cua\fR
1656 a002 a003 a004 a005
1657 .fi
1658 .in -2
1659 .sp
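.LP
The following script is an added example, not part of the original manual page or of \fBzonecfg\fR itself. It reads a command file of the kind accepted by \fBzonecfg\fR \fB-f\fR and reports settings that widen a zone's access: privileges added through \fBlimitpriv\fR (Example 6), \fBlofs\fR mounts lacking \fBro\fR or \fBnodevices\fR (Example 1), and \fBdevice\fR matches containing \fB*\fR (Example 8). The function names and the sample file are constructed, and the file is assumed to use the subcommand syntax shown in those examples.

.nf
```sh
# Constructed command file using the subcommand syntax of Examples 1, 6 and 8.
sample_cfg() { cat <<'EOF'
create
set limitpriv="default,sys_time"
add fs
set dir=/usr/local
set special=/opt/local
set type=lofs
add options [ro,nodevices]
end
add fs
set dir=/data
set type=lofs
end
add device
set match="/dev/cua/a00[2-5]"
end
add device
set match="/dev/dsk/*"
end
EOF
}

# Print one finding per line for a command file read from stdin.
# limitpriv entries that start with "!" or "-" remove a privilege and are skipped.
audit_zonecfg() {
  awk '
  $1 == "set" {
    name = $2; sub(/=.*/, "", name)
    v = $2; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
    if (scope != "") prop[name] = v
    if (scope == "" && name == "limitpriv") {
      n = split(v, p, ",")
      for (i = 1; i <= n; i++)
        if (p[i] != "default" && p[i] !~ /^[!-]/) print "limitpriv adds " p[i]
    }
    next
  }
  $1 == "add" && scope == "" { scope = $2; split("", prop); opts = ","; next }
  $1 == "add" && $2 == "options" {
    o = $3; if (substr(o, 1, 1) == "[") o = substr(o, 2, length(o) - 2)
    opts = opts o ","; next
  }
  $1 == "end" {
    if (scope == "fs" && prop["type"] == "lofs") {
      if (opts !~ /,ro,/) print "fs " prop["dir"] " lofs not ro"
      if (opts !~ /,nodevices,/) print "fs " prop["dir"] " lofs allows devices"
    }
    if (scope == "device" && index(prop["match"], "*"))
      print "device " prop["match"] " uses wildcard"
    scope = ""
  }'
}
sample_cfg | audit_zonecfg
```
.fi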
1660
1661 .LP
1662 \fBExample 9 \fRSetting a Cap for a Zone to Three CPUs
1663 .sp
1664 .LP
1665 The following sequence uses the \fBzonecfg\fR command to set the CPU cap for a
1666 zone to three CPUs.
1667
1668 .sp
1669 .in +2
1670 .nf
1671 zonecfg:myzone> \fBadd capped-cpu\fR
1672 zonecfg:myzone:capped-cpu> \fBset ncpus=3\fR
1673 zonecfg:myzone:capped-cpu> \fBend\fR
1674 .fi
1675 .in -2
1676 .sp
1677
1678 .sp
1679 .LP
1680 The preceding sequence, which uses the capped-cpu property, is equivalent to
1681 the following sequence, which makes use of the \fBzone.cpu-cap\fR resource
1682 control.
1683
1684 .sp
1685 .in +2
1686 .nf
1687 zonecfg:myzone> \fBadd rctl\fR
1688 zonecfg:myzone:rctl> \fBset name=zone.cpu-cap\fR
1689 zonecfg:myzone:rctl> \fBadd value (priv=privileged,limit=300,action=none)\fR
1690 zonecfg:myzone:rctl> \fBend\fR
1691 .fi
1692 .in -2
1693 .sp
1694
1695 .LP
1696 \fBExample 10 \fRUsing \fBkstat\fR to Monitor CPU Caps
1697 .sp
1698 .LP
1699 The following command displays information about all CPU caps.
1700
1701 .sp
1702 .in +2
1703 .nf
1704 # \fBkstat -n /cpucaps/\fR
1705 module: caps instance: 0
1706 name: cpucaps_project_0 class: project_caps
1707 above_sec 0
1708 below_sec 2157
1709 crtime 821.048183159
1710 maxusage 2
1711 nwait 0
1712 snaptime 235885.637253027
1713 usage 0
1714 value 18446743151372347932
1715 zonename global
1716
1717 module: caps instance: 0
1718 name: cpucaps_project_1 class: project_caps
1719 above_sec 0
1720 below_sec 0
1721 crtime 225339.192787265
1722 maxusage 5
1723 nwait 0
1724 snaptime 235885.637591677
1725 usage 5
1726 value 18446743151372347932
1727 zonename global
1728
1729 module: caps instance: 0
1730 name: cpucaps_project_201 class: project_caps
1731 above_sec 0
1732 below_sec 235105
1733 crtime 780.37961782
1734 maxusage 100
1735 nwait 0
1736 snaptime 235885.637789687
1737 usage 43
1738 value 100
1739 zonename global
1740
1741 module: caps instance: 0
1742 name: cpucaps_project_202 class: project_caps
1743 above_sec 0
1744 below_sec 235094
1745 crtime 791.72983782
1746 maxusage 100
1747 nwait 0
1748 snaptime 235885.637967512
1749 usage 48
1750 value 100
1751 zonename global
1752
1753 module: caps instance: 0
1754 name: cpucaps_project_203 class: project_caps
1755 above_sec 0
1756 below_sec 235034
1757 crtime 852.104401481
1758 maxusage 75
1759 nwait 0
1760 snaptime 235885.638144304
1761 usage 47
1762 value 100
1763 zonename global
1764
1765 module: caps instance: 0
1766 name: cpucaps_project_86710 class: project_caps
1767 above_sec 22
1768 below_sec 235166
1769 crtime 698.441717859
1770 maxusage 101
1771 nwait 0
1772 snaptime 235885.638319871
1773 usage 54
1774 value 100
1775 zonename global
1776
1777 module: caps instance: 0
1778 name: cpucaps_zone_0 class: zone_caps
1779 above_sec 100733
1780 below_sec 134332
1781 crtime 821.048177123
1782 maxusage 207
1783 nwait 2
1784 snaptime 235885.638497731
1785 usage 199
1786 value 200
1787 zonename global
1788
1789 module: caps instance: 1
1790 name: cpucaps_project_0 class: project_caps
1791 above_sec 0
1792 below_sec 0
1793 crtime 225360.256448422
1794 maxusage 7
1795 nwait 0
1796 snaptime 235885.638714404
1797 usage 7
1798 value 18446743151372347932
1799 zonename test_001
1800
1801 module: caps instance: 1
1802 name: cpucaps_zone_1 class: zone_caps
1803 above_sec 2
1804 below_sec 10524
1805 crtime 225360.256440278
1806 maxusage 106
1807 nwait 0
1808 snaptime 235885.638896443
1809 usage 7
1810 value 100
1811 zonename test_001
1812 .fi
1813 .in -2
1814 .sp
1815
1816 .LP
1817 \fBExample 11 \fRDisplaying CPU Caps for a Specific Zone or Project
1818 .sp
1819 .LP
1820 Using the \fBkstat\fR \fB-c\fR and \fB-i\fR options, you can display CPU caps
1821 for a specific zone or project, as below. The first command produces a display
1822 for a specific project, the second for the same project within zone 1.
1823
1824 .sp
1825 .in +2
1826 .nf
1827 # \fBkstat -c project_caps\fR
1828
1829 # \fBkstat -c project_caps -i 1\fR
1830 .fi
1831 .in -2
1832 .sp
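.LP
The following script is an added example, not part of the original manual page. It reads \fBkstat\fR output in the layout shown in Example 10 and lists the caps that were exceeded for at least a given percentage of the observed time. The function names are hypothetical, and the script assumes that \fBabove_sec\fR and \fBbelow_sec\fR count the seconds spent above and below the cap held in \fBvalue\fR.

.nf
```sh
# Abridged from the Example 10 output: crtime, maxusage and snaptime lines omitted.
sample_kstat() { cat <<'EOF'
module: caps instance: 0
name: cpucaps_project_0 class: project_caps
above_sec 0
below_sec 2157
nwait 0
usage 0
value 18446743151372347932
zonename global

module: caps instance: 0
name: cpucaps_zone_0 class: zone_caps
above_sec 100733
below_sec 134332
nwait 2
usage 199
value 200
zonename global

module: caps instance: 1
name: cpucaps_zone_1 class: zone_caps
above_sec 2
below_sec 10524
nwait 0
usage 7
value 100
zonename test_001
EOF
}

# cap_pressure MIN_PCT: list caps exceeded for at least MIN_PCT percent of the
# observed time (default 1). Assumption: above_sec and below_sec are seconds
# spent above and below the cap. zonename is the last statistic of each record.
cap_pressure() {
  awk -v min="${1:-1}" '
  $1 == "name:" { name = $2; next }
  NF == 2 { s[$1] = $2 }
  $1 == "zonename" {
    total = s["above_sec"] + s["below_sec"]
    pct = (total > 0) ? int(100 * s["above_sec"] / total) : 0
    if (s["above_sec"] > 0 && pct >= min)
      print s["zonename"], name, "above_sec=" s["above_sec"], "pct=" pct, "cap=" s["value"]
  }'
}

sample_kstat | cap_pressure 1
```
.fi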
1833
1834 .SH EXIT STATUS
1835 .LP
1836 The following exit values are returned:
1837 .sp
1838 .ne 2
1839 .na
1840 \fB\fB0\fR\fR
1841 .ad
1842 .sp .6
1843 .RS 4n
1844 Successful completion.
1845 .RE
1846
1847 .sp
1848 .ne 2
1849 .na
1850 \fB\fB1\fR\fR
1851 .ad
1852 .sp .6
1853 .RS 4n
1854 An error occurred.
1855 .RE
1856
1857 .sp
1858 .ne 2
1859 .na
1860 \fB\fB2\fR\fR
1861 .ad
1862 .sp .6
1863 .RS 4n
1864 Invalid usage.
1865 .RE
1866
1867 .SH ATTRIBUTES
1868 .LP
1869 See \fBattributes\fR(5) for descriptions of the following attributes:
1870 .sp
1871
1872 .sp
1873 .TS
1874 box;
1875 c | c
1876 l | l .
1877 ATTRIBUTE TYPE	ATTRIBUTE VALUE
1878 _
1879 Interface Stability	Volatile
1880 .TE
1881
1882 .SH SEE ALSO
1883 .LP
1884 \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M),
1885 \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M),
1886 \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M),
1887 \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C),
1888 \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5),
1889 \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5),
1890 \fBsecurity-flags\fR(5), \fBzones\fR(5)
1891 .sp
1892 .LP
1893 \fISystem Administration Guide: Solaris Containers-Resource Management, and
1894 Solaris Zones\fR
1895 .SH NOTES
1896 .LP
1897 All character data used by \fBzonecfg\fR must be in US-ASCII encoding.