1 ZONECFG(1M) Maintenance Commands ZONECFG(1M)
2
3
4
5 NAME
6 zonecfg - set up zone configuration
7
8 SYNOPSIS
9 zonecfg -z zonename
10
11
12 zonecfg -z zonename subcommand
13
14
15 zonecfg -z zonename -f command_file
16
17
18 zonecfg help
19
20
21 DESCRIPTION
22 The zonecfg utility creates and modifies the configuration of a zone.
23 Zone configuration consists of a number of resources and properties.
24
25
26 To simplify the user interface, zonecfg uses the concept of a scope.
27 The default scope is global.
28
29
30 The following synopsis of the zonecfg command is for interactive usage:
31
32 zonecfg -z zonename subcommand
33
34
35
36
37 Parameters changed through zonecfg do not affect a running zone. The
38 zone must be rebooted for the changes to take effect.
39
40
41 In addition to creating and modifying a zone, the zonecfg utility can
42 also be used to persistently specify the resource management settings
43 for the global zone.
44
45
46 In the following text, "rctl" is used as an abbreviation for "resource
47 control". See resource_controls(5).
48
49
50 Every zone is configured with an associated brand. The brand determines
51 the user-level environment used within the zone, as well as various
52 behaviors for the zone when it is installed, boots, or is shut down.
53 Once a zone has been installed the brand cannot be changed. The default
54 brand is determined by the installed distribution in the global zone.
55 Some brands do not support all of the zonecfg properties and resources.
56 See the brand-specific man page for more details on each brand. For an
57 overview of brands, see the brands(5) man page.
58
59 Resources
60 The following resource types are supported:
61
62 attr
63
64 Generic attribute.
65
66
67 capped-cpu
68
69 Limits for CPU usage.
70
71
72 capped-memory
73
74 Limits for physical, swap, and locked memory.
75
76
77 dataset
78
79 ZFS dataset.
80
81
82 dedicated-cpu
83
84 Subset of the system's processors dedicated to this zone while it
85 is running.
86
87
88 device
89
90 Device.
91
92
93 fs
94
95 File system.
96
97
98 net
99
100 Network interface.
101
102
103 rctl
104
105 Resource control.
106
107
108 security-flags
109
110 Process security flag settings.
111
112
113 Properties
114 Each resource type has one or more properties. There are also some
115 global properties, that is, properties of the configuration as a whole,
116 rather than of some particular resource.
117
118
119 The following properties are supported:
120
121 (global)
122
123 zonename
124
125
126 (global)
127
128 zonepath
129
130
131 (global)
132
133 autoboot
134
135
136 (global)
137
138 bootargs
139
140
141 (global)
142
143 pool
144
145
146 (global)
147
148 limitpriv
149
150
151 (global)
152
153 brand
154
155
156 (global)
157
158 cpu-shares
159
160
161 (global)
162
163 hostid
164
165
166 (global)
167
168 max-lwps
169
170
171 (global)
172
173 max-msg-ids
174
175
176 (global)
177
178 max-sem-ids
179
180
181 (global)
182
183 max-shm-ids
184
185
186 (global)
187
188 max-shm-memory
189
190
191 (global)
192
193 scheduling-class
194
195
196 (global)
197
198 fs-allowed
199
200
201 fs
202
203 dir, special, raw, type, options
204
205
206 net
207
208 address, physical, defrouter
209
210
211 device
212
213 match
214
215
216 rctl
217
218 name, value
219
220
221 attr
222
223 name, type, value
224
225
226 dataset
227
228 name
229
230
231 dedicated-cpu
232
233 ncpus, importance
234
235
236 capped-memory
237
238 physical, swap, locked
239
240
241 capped-cpu
242
243 ncpus
244
245
246 security-flags
247
248 lower, default, upper
249
250
251
252 The property values paired with these names are either simple,
253 complex, or lists. The type allowed is property-specific. Simple
254 values are strings, optionally enclosed within quotation marks.
255 Complex values have the syntax:
256
257 (<name>=<value>,<name>=<value>,...)
258
259
260
261
262 where each <value> is simple, and the <name> strings are unique within
263 a given property. Lists have the syntax:
264
265 [<value>,...]
266
267
268
269
270 where each <value> is either simple or complex. A list of a single
271 value (either simple or complex) is equivalent to specifying that value
272 without the list syntax. That is, "foo" is equivalent to "[foo]". A
273 list can be empty (denoted by "[]").
274
275
276 In interpreting property values, zonecfg accepts regular expressions as
277 specified in fnmatch(5). See EXAMPLES.
278
279
280 The property types are described as follows:
281
282 global: zonename
283
284 The name of the zone.
285
286
287 global: zonepath
288
289 Path to zone's file system.
290
291
292 global: autoboot
293
294 Boolean indicating that a zone should be booted automatically at
295 system boot. Note that if the zones service is disabled, the zone
296 will not autoboot, regardless of the setting of this property. You
297 enable the zones service with a svcadm command, such as:
298
299 # svcadm enable svc:/system/zones:default
300
301
302 Replace enable with disable to disable the zones service. See
303 svcadm(1M).
304
305
306 global: bootargs
307
308 Arguments (options) to be passed to the zone bootup, unless options
309 are supplied to the "zoneadm boot" command, in which case those
310 take precedence. The valid arguments are described in zoneadm(1M).
311
312
313 global: pool
314
315 Name of the resource pool that this zone must be bound to when
316 booted. This property is incompatible with the dedicated-cpu
317 resource.
318
319
320 global: limitpriv
321
322 The maximum set of privileges any process in this zone can obtain.
323 The property should consist of a comma-separated privilege set
324 specification as described in priv_str_to_set(3C). Privileges can
325 be excluded from the resulting set by preceding their names with a
326 dash (-) or an exclamation point (!). The special privilege string
327 "zone" is not supported in this context. If the special string
328 "default" occurs as the first token in the property, it expands
329 into a safe set of privileges that preserve the resource and
330 security isolation described in zones(5). A missing or empty
331 property is equivalent to this same set of safe privileges.
332
333 The system administrator must take extreme care when configuring
334 privileges for a zone. Some privileges cannot be excluded through
335 this mechanism as they are required in order to boot a zone. In
336 addition, there are certain privileges which cannot be given to a
337 zone as doing so would allow processes inside a zone to unduly
338 affect processes in other zones. zoneadm(1M) indicates when an
339 invalid privilege has been added or removed from a zone's privilege
340 set when an attempt is made to either "boot" or "ready" the zone.
341
342 See privileges(5) for a description of privileges. The command
343 "ppriv -l" (see ppriv(1)) produces a list of all Solaris
344 privileges. You can specify privileges as they are displayed by
345 ppriv. In privileges(5), privileges are listed in the form
346 PRIV_privilege_name. For example, the privilege sys_time, as you
347 would specify it in this property, is listed in privileges(5) as
348 PRIV_SYS_TIME.
349
350
351 global: brand
352
353 The zone's brand type.
354
355
356 global: ip-type
357
358 A zone can either share the IP instance with the global zone, which
359 is the default, or have its own exclusive instance of IP.
360
361 This property takes the values shared and exclusive.
362
363
364 global: hostid
365
366 A zone can emulate a 32-bit host identifier to ease system
367 consolidation. A zone's hostid property is empty by default,
368 meaning that the zone does not emulate a host identifier. Zone host
369 identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
370 or 0X prefix is optional. Both uppercase and lowercase hexadecimal
371 digits are acceptable.
372
373
374 fs: dir, special, raw, type, options
375
376 Values needed to determine how, where, and so forth to mount file
377 systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).
378
379
380 net: address, physical, defrouter
381
382 The network address and physical interface name of the network
383 interface. The network address is one of:
384
385 o a valid IPv4 address, optionally followed by "/" and a
386 prefix length;
387
388 o a valid IPv6 address, which must be followed by "/" and
389 a prefix length;
390
391 o a host name which resolves to an IPv4 address.
392 Note that host names that resolve to IPv6 addresses are not
393 supported.
394
395 The physical interface name is the network interface name.
396
397 The default router is specified similarly to the network address
398 except that it must not be followed by a / (slash) and a network
399 prefix length.
400
401 A zone can be configured to be either exclusive-IP or shared-IP.
402 For a shared-IP zone, you must set both the physical and address
403 properties; setting the default router is optional. The interface
404 specified in the physical property must be plumbed in the global
405 zone prior to booting the non-global zone. However, if the
406 interface is not used by the global zone, it should be configured
407 down in the global zone, and the default router for the interface
408 should be specified here.
409
410 For an exclusive-IP zone, the physical property must be set and the
411 address and default router properties cannot be set.
412
413
414 device: match
415
416 Device name to match.
417
418
419 rctl: name, value
420
421 The name and priv/limit/action triple of a resource control. See
422 prctl(1) and rctladm(1M). The preferred way to set rctl values is
423 to use the global property name associated with a specific rctl.
424
425
426 attr: name, type, value
427
428 The name, type and value of a generic attribute. The type must be
429 one of int, uint, boolean or string, and the value must be of that
430 type. uint means unsigned, that is, a non-negative integer.
431
432
433 dataset: name
434
435 The name of a ZFS dataset to be accessed from within the zone. See
436 zfs(1M).
437
438
439 global: cpu-shares
440
441 The number of Fair Share Scheduler (FSS) shares to allocate to this
442 zone. This property is incompatible with the dedicated-cpu
443 resource. This property is the preferred way to set the zone.cpu-
444 shares rctl.
445
446
447 global: max-lwps
448
449 The maximum number of LWPs simultaneously available to this zone.
450 This property is the preferred way to set the zone.max-lwps rctl.
451
452
453 global: max-msg-ids
454
455 The maximum number of message queue IDs allowed for this zone. This
456 property is the preferred way to set the zone.max-msg-ids rctl.
457
458
459 global: max-sem-ids
460
461 The maximum number of semaphore IDs allowed for this zone. This
462 property is the preferred way to set the zone.max-sem-ids rctl.
463
464
465 global: max-shm-ids
466
467 The maximum number of shared memory IDs allowed for this zone. This
468 property is the preferred way to set the zone.max-shm-ids rctl.
469
470
471 global: max-shm-memory
472
473 The maximum amount of shared memory allowed for this zone. This
474 property is the preferred way to set the zone.max-shm-memory rctl.
475 A scale (K, M, G, T) can be applied to the value for this number
476 (for example, 1M is one megabyte).
477
478
479 global: scheduling-class
480
481 Specifies the scheduling class used for processes running in a
482 zone. When this property is not specified, the scheduling class is
483 established as follows:
484
485 o If the cpu-shares property or equivalent rctl is set,
486 the scheduling class FSS is used.
487
488 o If neither cpu-shares nor the equivalent rctl is set and
489 the zone's pool property references a pool that has a
490 default scheduling class, that class is used.
491
492 o Under any other conditions, the system default
493 scheduling class is used.
494
495
496
497
498 dedicated-cpu: ncpus, importance
499
500 The number of CPUs that should be assigned for this zone's
501 exclusive use. The zone will create a pool and processor set when
502 it boots. See pooladm(1M) and poolcfg(1M) for more information on
503 resource pools. The ncpus property can specify a single value or a
504 range (for example, 1-4) of processors. The importance property is
505 optional; if set, it will specify the pset.importance value for use
506 by poold(1M). If this resource is used, there must be enough free
507 processors to allocate to this zone when it boots or the zone will
508 not boot. The processors assigned to this zone will not be
509 available for the use of the global zone or other zones. This
510 resource is incompatible with both the pool and cpu-shares
511 properties. Only a single instance of this resource can be added to
512 the zone.
513
514
515 capped-memory: physical, swap, locked
516
517 The caps on the memory that can be used by this zone. A scale (K,
518 M, G, T) can be applied to the value for each of these numbers (for
519 example, 1M is one megabyte). Each of these properties is optional
520 but at least one property must be set when adding this resource.
521 Only a single instance of this resource can be added to the zone.
522 The physical property sets the max-rss for this zone. This will be
523 enforced by rcapd(1M) running in the global zone. The swap
524 property is the preferred way to set the zone.max-swap rctl. The
525 locked property is the preferred way to set the zone.max-locked-
526 memory rctl.
527
528
529 capped-cpu: ncpus
530
531 Sets a limit on the amount of CPU time that can be used by a zone.
532 The unit used translates to the percentage of a single CPU that can
533 be used by all user threads in a zone, expressed as a fraction (for
534 example, .75) or a mixed number (whole number and fraction, for
535 example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of
536 1.25 means 125%, .75 means 75%, and so forth. When projects within a
537 capped zone have their own caps, the minimum value takes
538 precedence.
539
540 The capped-cpu resource is an alias for the zone.cpu-cap resource
541 control. See resource_controls(5).
543
544
545 security-flags: lower, default, upper
546
547 Set the process security flags associated with the zone. The lower
548 and upper fields set the limits; the default field is the set of
549 flags all zone processes inherit.
550
551
552 global: fs-allowed
553
554 A comma-separated list of additional filesystems that may be
555 mounted within the zone; for example "ufs,pcfs". By default, only
556 hsfs(7fs) and network filesystems can be mounted. If the first
557 entry in the list is "-" then that disables all of the default
558 filesystems. If any filesystems are listed after "-" then only
559 those filesystems can be mounted.
560
561 This property does not apply to filesystems mounted into the zone
562 via "add fs" or "add dataset".
563
564 WARNING: allowing filesystem mounts other than the default may
565 allow the zone administrator to compromise the system with a
566 malicious filesystem image, and is not supported.
567
568
569
570 The following table summarizes resources, property-names, and types:
571
572 resource         property-name     type
573 (global)         zonename          simple
574 (global)         zonepath          simple
575 (global)         autoboot          simple
576 (global)         bootargs          simple
577 (global)         pool              simple
578 (global)         limitpriv         simple
579 (global)         brand             simple
580 (global)         ip-type           simple
581 (global)         hostid            simple
582 (global)         cpu-shares        simple
583 (global)         max-lwps          simple
584 (global)         max-msg-ids       simple
585 (global)         max-sem-ids       simple
586 (global)         max-shm-ids       simple
587 (global)         max-shm-memory    simple
588 (global)         scheduling-class  simple
589 fs               dir               simple
590                  special           simple
591                  raw               simple
592                  type              simple
593                  options           list of simple
594 net              address           simple
595                  physical          simple
596 device           match             simple
597 rctl             name              simple
598                  value             list of complex
599 attr             name              simple
600                  type              simple
601                  value             simple
602 dataset          name              simple
603 dedicated-cpu    ncpus             simple or range
604                  importance        simple
606 capped-memory    physical          simple with scale
607                  swap              simple with scale
608                  locked            simple with scale
610 capped-cpu       ncpus             simple
611 security-flags   lower             simple
612                  default           simple
613                  upper             simple
614
615
616
617
618 The complex property "value" of the "rctl" resource type consists of
619 three name/value pairs, the names being "priv", "limit" and "action",
620 each of which takes a simple value. The "name" property of an "attr"
621 resource is syntactically restricted in a fashion similar but not
622 identical to zone names: it must begin with an alphanumeric, and can
623 contain alphanumerics plus the hyphen (-), underscore (_), and dot (.)
624 characters. Attribute names beginning with "zone" are reserved for use
625 by the system. Finally, the "autoboot" global property must have a
626 value of "true" or "false".
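Added example, not code from zonecfg or this manual: a small Python parser for the simple, complex and list value syntax described under Properties, and a checker that applies the rctl priv/limit/action rule, the attr name rule and the autoboot rule from the paragraph above (plus the fs-allowed WARNING) to a command file in the one-subcommand-per-line form that export writes. The regular expressions, the message texts and the sample command file are my own constructions, not zonecfg's.

```python
import re

# Name shape from the man page (zone names and attr names): an alphanumeric,
# then alphanumerics, hyphen, underscore or dot.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*$")
# One top-level member of a list or complex value: a quoted string, a
# parenthesised complex value, or text up to the next comma. No capture
# groups, so findall returns whole members.
_ITEM_RE = re.compile(r'"[^"]*"|\([^)]*\)|[^,]+')

def _unquote(s):
    return s[1:-1] if len(s) > 1 and s[0] == s[-1] and s[0] in "\"'" else s

def parse_value(text):
    """Parse one property value into str (simple), dict (complex) or list."""
    text = text.strip()
    if text.startswith("["):                       # list: [<value>,...]
        if not text.endswith("]"):
            raise ValueError("unterminated list: %r" % text)
        return [parse_value(i) for i in _ITEM_RE.findall(text[1:-1])]
    if text.startswith("("):                       # complex: (<name>=<value>,...)
        if not text.endswith(")"):
            raise ValueError("unterminated complex value: %r" % text)
        pairs = {}
        for item in _ITEM_RE.findall(text[1:-1]):
            name, sep, val = item.partition("=")
            name, val = name.strip(), val.strip()
            if not sep or not name or val[:1] in ("(", "["):
                raise ValueError("complex member must be name=simple: %r" % item)
            if name in pairs:                      # names are unique per property
                raise ValueError("duplicate name %r" % name)
            pairs[name] = _unquote(val)
        return pairs
    return _unquote(text)                          # simple, quotes optional

def check_global(name, v):
    """Problems with one global property, per the rules in the man page."""
    if name == "zonename" and (not isinstance(v, str) or not _NAME_RE.match(v)
                               or v == "global" or v.startswith("SUNW")):
        return ["zonename %r is invalid or reserved" % (v,)]
    if name == "autoboot" and v not in ("true", "false"):
        return ["autoboot must be true or false, got %r" % (v,)]
    if name == "fs-allowed" and v not in ("", []):  # widens what the zone may mount
        return ["fs-allowed=%r is unsupported, see the WARNING" % (v,)]
    return []

def check_resource(rtype, props):
    """Problems with a completed resource; props maps name -> parsed value(s)."""
    out = []
    if rtype == "rctl":                            # value: priv/limit/action triple
        for v in props.get("value", []):
            if not isinstance(v, dict) or set(v) != {"priv", "limit", "action"}:
                out.append("rctl value %r needs priv, limit and action" % (v,))
    elif rtype == "attr":                          # name syntax; zone* is reserved
        n = props.get("name", "")
        if not isinstance(n, str) or not _NAME_RE.match(n) or n.startswith("zone"):
            out.append("attr name %r is invalid or reserved" % (n,))
    return out

def lint_command_file(text):
    """Walk a command file (one subcommand per line, as 'export' writes it),
    tracking scope like zonecfg does; return 'line N: problem' strings."""
    problems, scope, props = [], None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        cmd, _, arg = raw.strip().partition(" ")
        if cmd == "add" and scope is None:         # enter resource scope
            scope, props = arg.strip(), {}
        elif cmd == "add":                         # add <list-prop> <value>
            pname, _, val = arg.strip().partition(" ")
            v = parse_value(val)
            props.setdefault(pname, []).extend(v if isinstance(v, list) else [v])
        elif cmd == "set" and scope is None:
            pname, _, val = arg.partition("=")
            found = check_global(pname.strip(), parse_value(val))
            problems += ["line %d: %s" % (n, p) for p in found]
        elif cmd == "set":
            pname, _, val = arg.partition("=")
            props[pname.strip()] = parse_value(val)
        elif cmd == "end" and scope is not None:   # leave resource scope
            found = check_resource(scope, props)
            problems += ["line %d: %s" % (n, p) for p in found]
            scope = None
    return problems

# Constructed sample command file (not from a real system) with four mistakes.
SAMPLE = """set zonename=myzone3
set autoboot=yes
set fs-allowed="ufs,pcfs"
add rctl
set name=zone.cpu-cap
add value (priv=privileged,limit=300,action=none)
add value (priv=privileged,limit=300)
end
add attr
set name=zone-owner
end"""
```

Running lint_command_file(SAMPLE) reports the bad autoboot value, the widened fs-allowed, the rctl value missing its action, and the reserved attr name, each with the line it came from.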
628
629 Using Kernel Statistics to Monitor CPU Caps
630 Using the kernel statistics (kstat(3KSTAT)) module caps, the system
631 maintains information for all capped projects and zones. You can access
632 this information by reading kernel statistics (kstat(3KSTAT)),
633 specifying caps as the kstat module name. The following command
634 displays kernel statistics for all active CPU caps:
635
636 # kstat caps::'/cpucaps/'
637
638
639
640
641 A kstat(1M) command running in a zone displays only CPU caps relevant
642 for that zone and for projects in that zone. See EXAMPLES.
643
644
645 The following are cap-related arguments for use with kstat(1M):
646
647 caps
648
649 The kstat module.
650
651
652 project_caps or zone_caps
653
654 kstat class, for use with the kstat -c option.
655
656
657 cpucaps_project_id or cpucaps_zone_id
658
659 kstat name, for use with the kstat -n option. id is the project or
660 zone identifier.
661
662
663
664 The following fields are displayed in response to a kstat(1M) command
665 requesting statistics for all CPU caps.
666
667 module
668
669 In this usage of kstat, this field will have the value caps.
670
671
672 name
673
674 As described above, cpucaps_project_id or cpucaps_zone_id.
675
676
677 above_sec
678
679 Total time, in seconds, spent above the cap.
680
681
682 below_sec
683
684 Total time, in seconds, spent below the cap.
685
686
687 maxusage
688
689 Maximum observed CPU usage.
690
691
692 nwait
693
694 Number of threads on cap wait queue.
695
696
697 usage
698
699 Current aggregated CPU usage for all threads belonging to a capped
700 project or zone, in terms of a percentage of a single CPU.
701
702
703 value
704
705 The cap value, in terms of a percentage of a single CPU.
706
707
708 zonename
709
710 Name of the zone for which statistics are displayed.
711
712
713
714 See EXAMPLES for sample output from a kstat command.
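Added example, not from this manual or from the Solaris/illumos kstat code: a parser for cap records in the layout kstat prints (see Example 10) and a check that flags caps which are actually throttling work, using the fields listed above (nwait and the above_sec/below_sec split). The sample text is constructed in that layout from three records in Example 10; the UNCAPPED threshold is my assumption for telling an unconfigured cap from a real one.

```python
import re

_PAIR_RE = re.compile(r"(\w+):\s+(\S+)")          # "module: caps  instance: 0"
_FIELD_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s*$")  # "        usage   199"
# Assumption: a cap value this large is the kernel's "no cap configured"
# marker (Example 10 shows 18446743151372347932 for such projects), not a
# percentage of a CPU that could ever be reached.
UNCAPPED = 1 << 40


def _coerce(text):
    """kstat prints ints, floats (crtime, snaptime) and strings (zonename)."""
    for conv in (int, float):
        try:
            return conv(text)
        except ValueError:
            pass
    return text


def parse_kstat_caps(text):
    """Parse kstat cap records (blank-line separated) into a list of dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if line.startswith(("module:", "name:")):   # header rows
                rec.update(_PAIR_RE.findall(line))
            else:
                m = _FIELD_RE.match(line)
                if m:
                    rec[m.group(1)] = _coerce(m.group(2))
        if rec.get("module") == "caps":
            records.append(rec)
    return records


def summarize(rec):
    """Cap health for one record: usage and value are percentages of a single
    CPU; above_ratio is the share of observed time spent above the cap."""
    total = rec["above_sec"] + rec["below_sec"]
    capped = rec["value"] < UNCAPPED
    return {
        "name": rec["name"],
        "zonename": rec["zonename"],
        "capped": capped,
        "cap_pct": rec["value"] if capped else None,
        "usage_pct": rec["usage"],
        "at_cap": capped and rec["usage"] >= rec["value"],
        "above_ratio": rec["above_sec"] / total if total else 0.0,
        "nwait": rec["nwait"],
    }


def saturated(records, above_ratio=0.25):
    """Names of caps that are throttling work: threads parked on the cap wait
    queue, or at least above_ratio of the observed time spent above the cap."""
    hits = []
    for rec in records:
        s = summarize(rec)
        if s["capped"] and (s["nwait"] > 0 or s["above_ratio"] >= above_ratio):
            hits.append(s["name"])
    return hits


# Constructed sample in kstat's layout, using three of the records from
# Example 10 (an uncapped project, a healthy capped project, a zone at cap).
SAMPLE_KSTAT = """\
module: caps                            instance: 0
name:   cpucaps_project_0               class:    project_caps
        above_sec                       0
        below_sec                       2157
        crtime                          821.048183159
        maxusage                        2
        nwait                           0
        snaptime                        235885.637253027
        usage                           0
        value                           18446743151372347932
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_201             class:    project_caps
        above_sec                       0
        below_sec                       235105
        crtime                          780.37961782
        maxusage                        100
        nwait                           0
        snaptime                        235885.637789687
        usage                           43
        value                           100
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_zone_0                  class:    zone_caps
        above_sec                       100733
        below_sec                       134332
        crtime                          821.048177123
        maxusage                        207
        nwait                           2
        snaptime                        235885.638497731
        usage                           199
        value                           200
        zonename                        global
"""
```

A zone that sits at its cap with threads on the wait queue is the signal to look at: either the cap is too small for its workload or something inside the zone is consuming all the CPU it is allowed.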
715
716 OPTIONS
717 The following options are supported:
718
719 -f command_file
720
721 Specify the name of a zonecfg command file. command_file is a text
722 file of zonecfg subcommands, one per line.
723
724
725 -z zonename
726
727 Specify the name of a zone. Zone names are case sensitive. Zone
728 names must begin with an alphanumeric character and can contain
729 alphanumeric characters, the underscore (_), the hyphen (-), and the
730 dot (.). The name global and all names beginning with SUNW are
731 reserved and cannot be used.
732
733
734 SUBCOMMANDS
735 You can use the add and select subcommands to select a specific
736 resource, at which point the scope changes to that resource. The end
737 and cancel subcommands are used to complete the resource specification,
738 at which time the scope is reverted back to global. Certain
739 subcommands, such as add, remove and set, have different semantics in
740 each scope.
741
742
743 zonecfg supports a semicolon-separated list of subcommands. For
744 example:
745
746 # zonecfg -z myzone "add net; set physical=myvnic; end"
747
748
749
750
751 Subcommands which can result in destructive actions or loss of work
752 have an -F option to force the action. If input is from a terminal
753 device, the user is prompted when appropriate if such a command is
754 given without the -F option; otherwise, if such a command is given
755 without the -F option, the action is disallowed, with a diagnostic
756 message written to standard error.
757
758
759 The following subcommands are supported:
760
761 add resource-type (global scope)
762 add property-name property-value (resource scope)
763
764 In the global scope, begin the specification for a given resource
765 type. The scope is changed to that resource type.
766
767 In the resource scope, add a property of the given name with the
768 given value. The syntax for property values varies with different
769 property types. In general, it is a simple value or a list of
770 simple values enclosed in square brackets, separated by commas
771 ([foo,bar,baz]). See PROPERTIES.
772
773
774 cancel
775
776 End the resource specification and reset scope to global. Abandons
777 any partially specified resources. cancel is only applicable in the
778 resource scope.
779
780
781 clear property-name
782
783 Clear the value for the property.
784
785
786 commit
787
788 Commit the current configuration from memory to stable storage. The
789 configuration must be committed to be used by zoneadm. Until the
790 in-memory configuration is committed, you can remove changes with
791 the revert subcommand. The commit operation is attempted
792 automatically upon completion of a zonecfg session. Since a
793 configuration must be correct to be committed, this operation
794 automatically does a verify.
795
796
797 create [-F] [-a path | -b | -t template]
798
799 Create an in-memory configuration for the specified zone. Use
800 create to begin to configure a new zone. See commit for saving this
801 to stable storage.
802
803 If you are overwriting an existing configuration, specify the -F
804 option to force the action. Specify the -t template option to
805 create a configuration identical to template, where template is the
806 name of a configured zone.
807
808 Use the -a path option to facilitate configuring a detached zone on
809 a new host. The path parameter is the zonepath location of a
810 detached zone that has been moved on to this new host. Once the
811 detached zone is configured, it should be installed using the
812 "zoneadm attach" command (see zoneadm(1M)). All validation of the
813 new zone happens during the attach process, not during zone
814 configuration.
815
816 Use the -b option to create a blank configuration. Without
817 arguments, create applies the Sun default settings.
818
819
820 delete [-F]
821
822 Delete the specified configuration from memory and stable storage.
823 This action is instantaneous, no commit is necessary. A deleted
824 configuration cannot be reverted.
825
826 Specify the -F option to force the action.
827
828
829 end
830
831 End the resource specification. This subcommand is only applicable
832 in the resource scope. zonecfg checks to make sure the current
833 resource is completely specified. If so, it is added to the in-
834 memory configuration (see commit for saving this to stable storage)
835 and the scope reverts to global. If the specification is
836 incomplete, it issues an appropriate error message.
837
838
839 export [-f output-file]
840
841 Print configuration to standard output. Use the -f option to print
842 the configuration to output-file. This option produces output in a
843 form suitable for use in a command file.
844
845
846 help [usage] [subcommand] [syntax] [command-name]
847
848 Print general help or help about given topic.
849
850
851 info zonename | zonepath | autoboot | brand | pool | limitpriv
852 info [resource-type [property-name=property-value]*]
853
854 Display information about the current configuration. If resource-
855 type is specified, displays only information about resources of the
856 relevant type. If any property-name value pairs are specified,
857 displays only information about resources meeting the given
858 criteria. In the resource scope, any arguments are ignored, and
859 info displays information about the resource which is currently
860 being added or modified.
861
862
863 remove [-F] resource-type [property-name=property-value]* (global scope)
864
865 In the global scope, removes the specified resource. The [] syntax
866 means 0 or more of whatever is inside the square braces. If you
867 want only to remove a single instance of the resource, you must
868 specify enough property name-value pairs for the resource to be
869 uniquely identified. If no property name-value pairs are specified,
870 all instances will be removed. If more than one instance matches,
871 a confirmation is required, unless you use the -F option.
873
874
875 select resource-type {property-name=property-value}
876
877 Select the resource of the given type which matches the given
878 property-name property-value pair criteria, for modification. This
879 subcommand is applicable only in the global scope. The scope is
880 changed to that resource type. The {} syntax means 1 or more of
881 whatever is inside the curly braces. You must specify enough
882 property-name property-value pairs for the resource to be uniquely
883 identified.
884
885
886 set property-name=property-value
887
888 Set a given property name to the given value. Some properties (for
889 example, zonename and zonepath) are global while others are
890 resource-specific. This subcommand is applicable in both the global
891 and resource scopes.
892
893
894 verify
895
896 Verify the current configuration for correctness:
897
898 o All resources have all of their required properties
899 specified.
900
901 o A zonepath is specified.
902
903
904 revert [-F]
905
906 Revert the configuration back to the last committed state. The -F
907 option can be used to force the action.
908
909
910 exit [-F]
911
912 Exit the zonecfg session. A commit is automatically attempted if
913 needed. You can also use an EOF character to exit zonecfg. The -F
914 option can be used to force the action.
915
916
917 EXAMPLES
918 Example 1 Creating the Environment for a New Zone
919
920
921 In the following example, zonecfg creates the environment for a new
922 zone. The global zone's /opt/local is loopback mounted read-only at
923 /usr/local inside the zone, a UFS file system on /dev/dsk/c0t0d0s7 is
924 mounted at /mnt, three logical network interfaces are added, the
925 zone's fair-share scheduler (FSS) CPU shares are set with the
926 cpu-shares property, and a memory cap is added with the capped-memory
927 resource.
928
929
930 example# zonecfg -z myzone3
931 myzone3: No such zone configured
932 Use 'create' to begin configuring a new zone.
933 zonecfg:myzone3> create
934 zonecfg:myzone3> set zonepath=/export/home/my-zone3
935 zonecfg:myzone3> set autoboot=true
936 zonecfg:myzone3> add fs
937 zonecfg:myzone3:fs> set dir=/usr/local
938 zonecfg:myzone3:fs> set special=/opt/local
939 zonecfg:myzone3:fs> set type=lofs
940 zonecfg:myzone3:fs> add options [ro,nodevices]
941 zonecfg:myzone3:fs> end
942 zonecfg:myzone3> add fs
943 zonecfg:myzone3:fs> set dir=/mnt
944 zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
945 zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
946 zonecfg:myzone3:fs> set type=ufs
947 zonecfg:myzone3:fs> end
948 zonecfg:myzone3> add net
949 zonecfg:myzone3:net> set address=192.168.0.1/24
950 zonecfg:myzone3:net> set physical=eri0
951 zonecfg:myzone3:net> end
952 zonecfg:myzone3> add net
953 zonecfg:myzone3:net> set address=192.168.1.2/24
954 zonecfg:myzone3:net> set physical=eri0
955 zonecfg:myzone3:net> end
956 zonecfg:myzone3> add net
957 zonecfg:myzone3:net> set address=192.168.2.3/24
958 zonecfg:myzone3:net> set physical=eri0
959 zonecfg:myzone3:net> end
960 zonecfg:myzone3> set cpu-shares=5
961 zonecfg:myzone3> add capped-memory
962 zonecfg:myzone3:capped-memory> set physical=50m
963 zonecfg:myzone3:capped-memory> set swap=100m
964 zonecfg:myzone3:capped-memory> end
965 zonecfg:myzone3> exit
966
967
968
969 Example 2 Creating a Non-Native Zone
970
971
972 The following example creates a new Linux zone:
973
974
975 example# zonecfg -z lxzone
976 lxzone: No such zone configured
977 Use 'create' to begin configuring a new zone
978 zonecfg:lxzone> create -t SUNWlx
979 zonecfg:lxzone> set zonepath=/export/zones/lxzone
980 zonecfg:lxzone> set autoboot=true
981 zonecfg:lxzone> exit
982
983
984
985 Example 3 Creating an Exclusive-IP Zone
986
987
988 The following example creates a zone that is granted exclusive access
989 to bge1 and bge33000 and that is isolated at the IP layer from the
990 other zones configured on the system.
991
992
993
994 The IP addresses and routing are configured inside the new zone using
995 sysidtool(1M).
996
997
998 example# zonecfg -z excl
999 excl: No such zone configured
1000 Use 'create' to begin configuring a new zone
1001 zonecfg:excl> create
1002 zonecfg:excl> set zonepath=/export/zones/excl
1003 zonecfg:excl> set ip-type=exclusive
1004 zonecfg:excl> add net
1005 zonecfg:excl:net> set physical=bge1
1006 zonecfg:excl:net> end
1007 zonecfg:excl> add net
1008 zonecfg:excl:net> set physical=bge33000
1009 zonecfg:excl:net> end
1010 zonecfg:excl> exit
1011
1012
1013
1014 Example 4 Associating a Zone with a Resource Pool
1015
1016
1017 The following example shows how to associate an existing zone with an
1018 existing resource pool:
1019
1020
1021 example# zonecfg -z myzone
1022 zonecfg:myzone> set pool=mypool
1023 zonecfg:myzone> exit
1024
1025
1026
1027
1028 For more information about resource pools, see pooladm(1M) and
1029 poolcfg(1M).
1030
1031
1032 Example 5 Changing the Name of a Zone
1033
1034
1035 The following example shows how to change the name of an existing zone:
1036
1037
1038 example# zonecfg -z myzone
1039 zonecfg:myzone> set zonename=myzone2
1040 zonecfg:myzone2> exit
1041
1042
1043
1044 Example 6 Changing the Privilege Set of a Zone
1045
1046
1047 The following example shows how to change the set of privileges an
1048 existing zone's processes will be limited to the next time the zone is
1049 booted. In this particular case, the privilege set will be the standard
1050 safe set of privileges a zone normally has along with the privilege to
1051 change the system date and time:
1052
1053
1054 example# zonecfg -z myzone
1055 zonecfg:myzone> set limitpriv="default,sys_time"
1056 zonecfg:myzone> exit
1057
1058
1059
1060 Example 7 Setting the zone.cpu-shares Property for the Global Zone
1061
1062
1063 The following command sets the zone.cpu-shares property for the global
1064 zone:
1065
1066
1067 example# zonecfg -z global
1068 zonecfg:global> set cpu-shares=5
1069 zonecfg:global> exit
1070
1071
1072
1073 Example 8 Using Pattern Matching
1074
1075
1076 The following commands illustrate zonecfg support for pattern matching.
1077 In the zone flexlm, enter:
1078
1079
1080 zonecfg:flexlm> add device
1081 zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
1082 zonecfg:flexlm:device> end
1083
1084
1085
1086
1087 In the global zone, enter:
1088
1089
1090 global# ls /dev/cua
1091 a a000 a001 a002 a003 a004 a005 a006 a007 b
1092
1093
1094
1095
1096 In the zone flexlm, enter:
1097
1098
1099 flexlm# ls /dev/cua
1100 a002 a003 a004 a005
1101
1102
1103
1104 Example 9 Setting a Cap for a Zone to Three CPUs
1105
1106
1107 The following sequence uses the zonecfg command to set the CPU cap for
1108 a zone to three CPUs.
1109
1110
1111 zonecfg:myzone> add capped-cpu
1112 zonecfg:myzone:capped-cpu> set ncpus=3
1113 zonecfg:myzone:capped-cpu> end
1114
1115
1116
1117
1118 The preceding sequence, which uses the capped-cpu property, is
1119 equivalent to the following sequence, which makes use of the zone.cpu-
1120 cap resource control.
1121
1122
1123 zonecfg:myzone> add rctl
1124 zonecfg:myzone:rctl> set name=zone.cpu-cap
1125 zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
1126 zonecfg:myzone:rctl> end
1127
1128
1129
1130 Example 10 Using kstat to Monitor CPU Caps
1131
1132
1133 The following command displays information about all CPU caps.
1134
1135
1136 # kstat -n /cpucaps/
1137 module: caps instance: 0
1138 name: cpucaps_project_0 class: project_caps
1139 above_sec 0
1140 below_sec 2157
1141 crtime 821.048183159
1142 maxusage 2
1143 nwait 0
1144 snaptime 235885.637253027
1145 usage 0
1146 value 18446743151372347932
1147 zonename global
1148
1149 module: caps instance: 0
1150 name: cpucaps_project_1 class: project_caps
1151 above_sec 0
1152 below_sec 0
1153 crtime 225339.192787265
1154 maxusage 5
1155 nwait 0
1156 snaptime 235885.637591677
1157 usage 5
1158 value 18446743151372347932
1159 zonename global
1160
1161 module: caps instance: 0
1162 name: cpucaps_project_201 class: project_caps
1163 above_sec 0
1164 below_sec 235105
1165 crtime 780.37961782
1166 maxusage 100
1167 nwait 0
1168 snaptime 235885.637789687
1169 usage 43
1170 value 100
1171 zonename global
1172
1173 module: caps instance: 0
1174 name: cpucaps_project_202 class: project_caps
1175 above_sec 0
1176 below_sec 235094
1177 crtime 791.72983782
1178 maxusage 100
1179 nwait 0
1180 snaptime 235885.637967512
1181 usage 48
1182 value 100
1183 zonename global
1184
1185 module: caps instance: 0
1186 name: cpucaps_project_203 class: project_caps
1187 above_sec 0
1188 below_sec 235034
1189 crtime 852.104401481
1190 maxusage 75
1191 nwait 0
1192 snaptime 235885.638144304
1193 usage 47
1194 value 100
1195 zonename global
1196
1197 module: caps instance: 0
1198 name: cpucaps_project_86710 class: project_caps
1199 above_sec 22
1200 below_sec 235166
1201 crtime 698.441717859
1202 maxusage 101
1203 nwait 0
1204 snaptime 235885.638319871
1205 usage 54
1206 value 100
1207 zonename global
1208
1209 module: caps instance: 0
1210 name: cpucaps_zone_0 class: zone_caps
1211 above_sec 100733
1212 below_sec 134332
1213 crtime 821.048177123
1214 maxusage 207
1215 nwait 2
1216 snaptime 235885.638497731
1217 usage 199
1218 value 200
1219 zonename global
1220
1221 module: caps instance: 1
1222 name: cpucaps_project_0 class: project_caps
1223 above_sec 0
1224 below_sec 0
1225 crtime 225360.256448422
1226 maxusage 7
1227 nwait 0
1228 snaptime 235885.638714404
1229 usage 7
1230 value 18446743151372347932
1231 zonename test_001
1232
1233 module: caps instance: 1
1234 name: cpucaps_zone_1 class: zone_caps
1235 above_sec 2
1236 below_sec 10524
1237 crtime 225360.256440278
1238 maxusage 106
1239 nwait 0
1240 snaptime 235885.638896443
1241 usage 7
1242 value 100
1243 zonename test_001
1244
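The kstat output above is easiest to act on once it is parsed. The following added example (not part of the zonecfg man page) parses kstat text records and reports, per capped zone, the cap in CPUs, current usage as a percentage of the cap, and the seconds spent throttled at the cap (above_sec). The sample input is constructed from the two zone_caps records shown above; treating a very large value as "no cap" is an assumption made here.

```python
import re

# Constructed sample from the cpucaps_zone_0 and cpucaps_zone_1 records
# in the kstat -n /cpucaps/ output above (crtime and snaptime omitted).
SAMPLE_KSTAT = """\
module: caps                            instance: 0
name:   cpucaps_zone_0                  class:    zone_caps
        above_sec                       100733
        nwait                           2
        usage                           199
        value                           200
        zonename                        global

module: caps                            instance: 1
name:   cpucaps_zone_1                  class:    zone_caps
        above_sec                       2
        nwait                           0
        usage                           7
        value                           100
        zonename                        test_001
"""

def parse_kstat(text):
    """Split kstat text output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # header lines: "module: caps  instance: 0", "name: x  class: y"
            pairs = re.findall(r"(\w+):\s+(\S+)", line)
            # statistic lines: "above_sec   100733"
            rec.update(pairs or [tuple(line.split())])
        records.append(rec)
    return records

def cap_report(records):
    """Per capped zone: cap in CPUs, usage as percent of cap, throttled seconds."""
    report = {}
    for rec in records:
        if rec.get("class") != "zone_caps":
            continue
        value, usage = int(rec["value"]), int(rec["usage"])
        if value >= 1 << 62:  # assumption: a huge value is the "no cap" sentinel
            continue
        report[rec["zonename"]] = {
            "ncpus": value / 100,  # zone.cpu-cap is a percentage of one CPU
            "pct_of_cap": round(100 * usage / value, 1),
            "throttled_sec": int(rec["above_sec"]),  # > 0: zone hit its cap
            "nwait": int(rec["nwait"]),
        }
    return report
```

A zone whose pct_of_cap sits near 100 with a growing throttled_sec is being held at its cap; compare that against the intended ncpus before changing the capped-cpu setting.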
1245
1246
1247 Example 11 Displaying CPU Caps for a Specific Zone or Project
1248
1249
1250 Using the kstat -c and -i options, you can display CPU caps for a
1251 specific zone or project, as below. The first command displays all
1252 project caps; the second restricts the display to those within zone 1
1253 (kstat instance 1).
1254
1255
1256 # kstat -c project_caps
1257
1258 # kstat -c project_caps -i 1
1259
1260
1261
1262 EXIT STATUS
1263 The following exit values are returned:
1264
1265 0
1266
1267 Successful completion.
1268
1269
1270 1
1271
1272 An error occurred.
1273
1274
1275 2
1276
1277 Invalid usage.
1278
1279
1280 ATTRIBUTES
1281 See attributes(5) for descriptions of the following attributes:
1282
1283
1284
1285
1286 +--------------------+-----------------+
1287 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
1288 +--------------------+-----------------+
1289 |Interface Stability | Volatile |
1290 +--------------------+-----------------+
1291
1292 SEE ALSO
1293 ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1294 poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1295 sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1296 kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1297 privileges(5), resource_controls(5), security-flags(5), zones(5)
1298
1299
1300 System Administration Guide: Solaris Containers-Resource Management,
1301 and Solaris Zones
1302
1303 NOTES
1304 All character data used by zonecfg must be in US-ASCII encoding.
1305
1306
1307
1308 June 6, 2016 ZONECFG(1M)