Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
--- old/usr/src/man/man1m/zonecfg.1m.man.txt
+++ new/usr/src/man/man1m/zonecfg.1m.man.txt
1 1 ZONECFG(1M) Maintenance Commands ZONECFG(1M)
2 2
3 3
4 4
5 5 NAME
6 6 zonecfg - set up zone configuration
7 7
8 8 SYNOPSIS
9 9 zonecfg -z zonename
10 10
11 11
12 12 zonecfg -z zonename subcommand
13 13
14 14
15 15 zonecfg -z zonename -f command_file
16 16
17 17
18 18 zonecfg help
19 19
20 20
21 21 DESCRIPTION
22 22 The zonecfg utility creates and modifies the configuration of a zone.
23 23 Zone configuration consists of a number of resources and properties.
24 24
25 25
26 26 To simplify the user interface, zonecfg uses the concept of a scope.
27 27 The default scope is global.
28 28
29 29
30 30 The following synopsis of the zonecfg command is for interactive usage:
31 31
32 32 zonecfg -z zonename subcommand
33 33
34 34
35 35
36 36
37 37 Parameters changed through zonecfg do not affect a running zone. The
38 38 zone must be rebooted for the changes to take effect.
39 39
40 40
41 41 In addition to creating and modifying a zone, the zonecfg utility can
42 42 also be used to persistently specify the resource management settings
43 43 for the global zone.
44 44
45 45
46 46 In the following text, "rctl" is used as an abbreviation for "resource
47 47 control". See resource_controls(5).
48 48
49 49
50 50 Every zone is configured with an associated brand. The brand determines
51 51 the user-level environment used within the zone, as well as various
52 52 behaviors for the zone when it is installed, boots, or is shutdown.
53 53 Once a zone has been installed the brand cannot be changed. The default
54 54 brand is determined by the installed distribution in the global zone.
55 55 Some brands do not support all of the zonecfg properties and resources.
56 56 See the brand-specific man page for more details on each brand. For an
57 57 overview of brands, see the brands(5) man page.
58 58
59 59 Resources
60 60 The following resource types are supported:
61 61
62 62 attr
63 63
64 64 Generic attribute.
65 65
66 66
67 67 capped-cpu
68 68
69 69 Limits for CPU usage.
70 70
71 71
72 72 capped-memory
73 73
74 74 Limits for physical, swap, and locked memory.
75 75
76 76
77 77 dataset
78 78
79 79 ZFS dataset.
80 80
81 81
82 82 dedicated-cpu
83 83
84 84 Subset of the system's processors dedicated to this zone while it
85 85 is running.
86 86
87 87
88 88 device
89 89
90 90 Device.
91 91
92 92
93 93 fs
94 94
95 95 file-system
96 96
97 97
98 98 net
99 99
100 100 Network interface.
101 101
102 102
103 103 rctl
104 104
105 105 Resource control.
106 106
107 107
108 + security-flags
109 +
110 + Process security flag settings.
111 +
112 +
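Review bot: "Process security flag settings." gives a reader no idea what a security flag is or where the valid names are listed; every other entry in this Resources list names something the rest of the page defines (a ZFS dataset, a network interface, a resource control), and no man page for the flags is cross-referenced anywhere in this diff. Suggest expanding the entry to something like "Per-process security flags (exploit mitigations) applied to processes in the zone." and citing the page that enumerates the flag names, since the bug synopses at the top of this webrev (7029 secflags, 7030 aslr, 7031 noexec_user_stack, 7032 mappings around NULL) are the only place on this page where any flag is mentioned.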
108 113 Properties
109 114 Each resource type has one or more properties. There are also some
110 115 global properties, that is, properties of the configuration as a whole,
111 116 rather than of some particular resource.
112 117
113 118
114 119 The following properties are supported:
115 120
116 121 (global)
117 122
118 123 zonename
119 124
120 125
121 126 (global)
122 127
123 128 zonepath
124 129
125 130
126 131 (global)
127 132
128 133 autoboot
129 134
130 135
131 136 (global)
132 137
133 138 bootargs
134 139
135 140
136 141 (global)
137 142
138 143 pool
139 144
140 145
141 146 (global)
142 147
143 148 limitpriv
144 149
145 150
146 151 (global)
147 152
148 153 brand
149 154
150 155
151 156 (global)
152 157
153 158 cpu-shares
154 159
155 160
156 161 (global)
157 162
158 163 hostid
159 164
160 165
161 166 (global)
162 167
163 168 max-lwps
164 169
165 170
166 171 (global)
167 172
168 173 max-msg-ids
169 174
170 175
171 176 (global)
172 177
173 178 max-sem-ids
174 179
175 180
176 181 (global)
177 182
178 183 max-shm-ids
179 184
180 185
181 186 (global)
182 187
183 188 max-shm-memory
184 189
185 190
186 191 (global)
187 192
188 193 scheduling-class
189 194
190 195
191 196 (global)
192 197
193 198 fs-allowed
194 199
195 200
196 201 fs
197 202
198 203 dir, special, raw, type, options
199 204
200 205
201 206 net
202 207
203 208 address, physical, defrouter
204 209
205 210
206 211 device
207 212
208 213 match
209 214
210 215
211 216 rctl
212 217
213 218 name, value
214 219
215 220
216 221 attr
217 222
218 223 name, type, value
219 224
220 225
221 226 dataset
222 227
223 228 name
224 229
225 230
226 231 dedicated-cpu
227 232
228 233 ncpus, importance
229 234
230 235
231 236 capped-memory
232 237
233 238 physical, swap, locked
234 239
235 240
236 241 capped-cpu
237 242
238 243 ncpus
239 244
240 245
246 + security-flags
247 +
248 + lower, default, upper.
249 +
250 +
241 251
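Review bot: style nit in the new Properties entry: "lower, default, upper." carries a trailing period while the neighbouring entries ("physical, swap, locked", "ncpus", "ncpus, importance") do not; drop the period so the list stays consistent. The field order lower, default, upper matches the description block and the summary table, which is good; keep it that way when the description is revised.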
242 252 As for the property values which are paired with these names, they are
243 253 either simple, complex, or lists. The type allowed is property-
244 254 specific. Simple values are strings, optionally enclosed within
245 255 quotation marks. Complex values have the syntax:
246 256
247 257 (<name>=<value>,<name>=<value>,...)
248 258
249 259
250 260
251 261
252 262 where each <value> is simple, and the <name> strings are unique within
253 263 a given property. Lists have the syntax:
254 264
255 265 [<value>,...]
256 266
257 267
258 268
259 269
260 270 where each <value> is either simple or complex. A list of a single
261 271 value (either simple or complex) is equivalent to specifying that value
262 272 without the list syntax. That is, "foo" is equivalent to "[foo]". A
263 273 list can be empty (denoted by "[]").
264 274
265 275
266 276 In interpreting property values, zonecfg accepts regular expressions as
267 277 specified in fnmatch(5). See EXAMPLES.
268 278
269 279
270 280 The property types are described as follows:
271 281
272 282 global: zonename
273 283
274 284 The name of the zone.
275 285
276 286
277 287 global: zonepath
278 288
279 289 Path to zone's file system.
280 290
281 291
282 292 global: autoboot
283 293
284 294 Boolean indicating that a zone should be booted automatically at
285 295 system boot. Note that if the zones service is disabled, the zone
286 296 will not autoboot, regardless of the setting of this property. You
287 297 enable the zones service with a svcadm command, such as:
288 298
289 299 # svcadm enable svc:/system/zones:default
290 300
291 301
292 302 Replace enable with disable to disable the zones service. See
293 303 svcadm(1M).
294 304
295 305
296 306 global: bootargs
297 307
298 308 Arguments (options) to be passed to the zone bootup, unless options
299 309 are supplied to the "zoneadm boot" command, in which case those
300 310 take precedence. The valid arguments are described in zoneadm(1M).
301 311
302 312
303 313 global: pool
304 314
305 315 Name of the resource pool that this zone must be bound to when
306 316 booted. This property is incompatible with the dedicated-cpu
307 317 resource.
308 318
309 319
310 320 global: limitpriv
311 321
312 322 The maximum set of privileges any process in this zone can obtain.
313 323 The property should consist of a comma-separated privilege set
314 324 specification as described in priv_str_to_set(3C). Privileges can
315 325 be excluded from the resulting set by preceding their names with a
316 326 dash (-) or an exclamation point (!). The special privilege string
317 327 "zone" is not supported in this context. If the special string
318 328 "default" occurs as the first token in the property, it expands
319 329 into a safe set of privileges that preserve the resource and
320 330 security isolation described in zones(5). A missing or empty
321 331 property is equivalent to this same set of safe privileges.
322 332
323 333 The system administrator must take extreme care when configuring
324 334 privileges for a zone. Some privileges cannot be excluded through
325 335 this mechanism as they are required in order to boot a zone. In
326 336 addition, there are certain privileges which cannot be given to a
327 337 zone as doing so would allow processes inside a zone to unduly
328 338 affect processes in other zones. zoneadm(1M) indicates when an
329 339 invalid privilege has been added or removed from a zone's privilege
330 340 set when an attempt is made to either "boot" or "ready" the zone.
331 341
332 342 See privileges(5) for a description of privileges. The command
333 343 "ppriv -l" (see ppriv(1)) produces a list of all Solaris
334 344 privileges. You can specify privileges as they are displayed by
335 345 ppriv. In privileges(5), privileges are listed in the form
336 346 PRIV_privilege_name. For example, the privilege sys_time, as you
337 347 would specify it in this property, is listed in privileges(5) as
338 348 PRIV_SYS_TIME.
339 349
340 350
341 351 global: brand
342 352
343 353 The zone's brand type.
344 354
345 355
346 356 global: ip-type
347 357
348 358 A zone can either share the IP instance with the global zone, which
349 359 is the default, or have its own exclusive instance of IP.
350 360
351 361 This property takes the values shared and exclusive.
352 362
353 363
354 364 global: hostid
355 365
356 366 A zone can emulate a 32-bit host identifier to ease system
357 367 consolidation. A zone's hostid property is empty by default,
358 368 meaning that the zone does not emulate a host identifier. Zone host
359 369 identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
360 370 or 0X prefix is optional. Both uppercase and lowercase hexadecimal
361 371 digits are acceptable.
362 372
363 373
364 374 fs: dir, special, raw, type, options
365 375
366 376 Values needed to determine how, where, and so forth to mount file
367 377 systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).
368 378
369 379
370 380 net: address, physical, defrouter
371 381
372 382 The network address and physical interface name of the network
373 383 interface. The network address is one of:
374 384
375 385 o a valid IPv4 address, optionally followed by "/" and a
376 386 prefix length;
377 387
378 388 o a valid IPv6 address, which must be followed by "/" and
379 389 a prefix length;
380 390
381 391 o a host name which resolves to an IPv4 address.
382 392 Note that host names that resolve to IPv6 addresses are not
383 393 supported.
384 394
385 395 The physical interface name is the network interface name.
386 396
387 397 The default router is specified similarly to the network address
388 398 except that it must not be followed by a / (slash) and a network
389 399 prefix length.
390 400
391 401 A zone can be configured to be either exclusive-IP or shared-IP.
392 402 For a shared-IP zone, you must set both the physical and address
393 403 properties; setting the default router is optional. The interface
394 404 specified in the physical property must be plumbed in the global
395 405 zone prior to booting the non-global zone. However, if the
396 406 interface is not used by the global zone, it should be configured
397 407 down in the global zone, and the default router for the interface
398 408 should be specified here.
399 409
400 410 For an exclusive-IP zone, the physical property must be set and the
401 411 address and default router properties cannot be set.
402 412
403 413
404 414 device: match
405 415
406 416 Device name to match.
407 417
408 418
409 419 rctl: name, value
410 420
411 421 The name and priv/limit/action triple of a resource control. See
412 422 prctl(1) and rctladm(1M). The preferred way to set rctl values is
413 423 to use the global property name associated with a specific rctl.
414 424
415 425
416 426 attr: name, type, value
417 427
418 428 The name, type and value of a generic attribute. The type must be
419 429 one of int, uint, boolean or string, and the value must be of that
420 430 type. uint means unsigned , that is, a non-negative integer.
421 431
422 432
423 433 dataset: name
424 434
425 435 The name of a ZFS dataset to be accessed from within the zone. See
426 436 zfs(1M).
427 437
428 438
429 439 global: cpu-shares
430 440
431 441 The number of Fair Share Scheduler (FSS) shares to allocate to this
432 442 zone. This property is incompatible with the dedicated-cpu
433 443 resource. This property is the preferred way to set the zone.cpu-
434 444 shares rctl.
435 445
436 446
437 447 global: max-lwps
438 448
439 449 The maximum number of LWPs simultaneously available to this zone.
440 450 This property is the preferred way to set the zone.max-lwps rctl.
441 451
442 452
443 453 global: max-msg-ids
444 454
445 455 The maximum number of message queue IDs allowed for this zone. This
446 456 property is the preferred way to set the zone.max-msg-ids rctl.
447 457
448 458
449 459 global: max-sem-ids
450 460
451 461 The maximum number of semaphore IDs allowed for this zone. This
452 462 property is the preferred way to set the zone.max-sem-ids rctl.
453 463
454 464
455 465 global: max-shm-ids
456 466
457 467 The maximum number of shared memory IDs allowed for this zone. This
458 468 property is the preferred way to set the zone.max-shm-ids rctl.
459 469
460 470
461 471 global: max-shm-memory
462 472
463 473 The maximum amount of shared memory allowed for this zone. This
464 474 property is the preferred way to set the zone.max-shm-memory rctl.
465 475 A scale (K, M, G, T) can be applied to the value for this number
466 476 (for example, 1M is one megabyte).
467 477
468 478
469 479 global: scheduling-class
470 480
471 481 Specifies the scheduling class used for processes running in a
472 482 zone. When this property is not specified, the scheduling class is
473 483 established as follows:
474 484
475 485 o If the cpu-shares property or equivalent rctl is set,
476 486 the scheduling class FSS is used.
477 487
478 488 o If neither cpu-shares nor the equivalent rctl is set and
479 489 the zone's pool property references a pool that has a
480 490 default scheduling class, that class is used.
481 491
482 492 o Under any other conditions, the system default
483 493 scheduling class is used.
484 494
485 495
486 496
487 497
488 498 dedicated-cpu: ncpus, importance
489 499
490 500 The number of CPUs that should be assigned for this zone's
491 501 exclusive use. The zone will create a pool and processor set when
492 502 it boots. See pooladm(1M) and poolcfg(1M) for more information on
493 503 resource pools. The ncpu property can specify a single value or a
494 504 range (for example, 1-4) of processors. The importance property is
495 505 optional; if set, it will specify the pset.importance value for use
496 506 by poold(1M). If this resource is used, there must be enough free
497 507 processors to allocate to this zone when it boots or the zone will
498 508 not boot. The processors assigned to this zone will not be
499 509 available for the use of the global zone or other zones. This
500 510 resource is incompatible with both the pool and cpu-shares
501 511 properties. Only a single instance of this resource can be added to
502 512 the zone.
503 513
504 514
505 515 capped-memory: physical, swap, locked
506 516
507 517 The caps on the memory that can be used by this zone. A scale (K,
508 518 M, G, T) can be applied to the value for each of these numbers (for
509 519 example, 1M is one megabyte). Each of these properties is optional
510 520 but at least one property must be set when adding this resource.
511 521 Only a single instance of this resource can be added to the zone.
512 522 The physical property sets the max-rss for this zone. This will be
513 523 enforced by rcapd(1M) running in the global zone. The swap
514 524 property is the preferred way to set the zone.max-swap rctl. The
515 525 locked property is the preferred way to set the zone.max-locked-
516 526 memory rctl.
517 527
518 528
519 529 capped-cpu: ncpus
520 530
521 531 Sets a limit on the amount of CPU time that can be used by a zone.
522 532 The unit used translates to the percentage of a single CPU that can
523 533 be used by all user threads in a zone, expressed as a fraction (for
524 534 example, .75) or a mixed number (whole number and fraction, for
525 535 example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of
526 536 1.25 means 125%, .75 mean 75%, and so forth. When projects within a
527 537 capped zone have their own caps, the minimum value takes
528 538 precedence.
529 539
530 540 The capped-cpu property is an alias for zone.cpu-cap resource
531 541 control and is related to the zone.cpu-cap resource control. See
532 542 resource_controls(5).
533 543
534 544
545 + security-flags: lower, default, upper
546 +
547 + Set the process security flags associated with the zone. The lower
548 + and upper fields set the limits, the default field is set of flags
549 + all zone processes inherit.
550 +
551 +
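Review bot: the description of the new resource does not tell an administrator what values the three fields accept or how they interact, which is the security-relevant part of this change, and the sentence "The lower and upper fields set the limits, the default field is set of flags all zone processes inherit." is both a comma splice and missing "the" before "set of flags". Suggest "The lower and upper fields bound the flags any process in the zone may have; the default field is the set of flags every process in the zone starts with." and then stating explicitly: what a field value looks like (a single flag name or a list, and which names are valid, for instance whether the aslr and noexec_user_stack named in bugs 7030 and 7031 are accepted here); whether a process inside the zone may raise or lower its own flags within the lower..upper range (the limitpriv entry above spells this out for privileges, and this block should do the same for flags); whether default must lie within lower..upper and whether verify rejects a configuration where it does not; whether all three fields are required when the resource is added (capped-memory says "at least one property must be set"); and whether only a single instance may be added (dedicated-cpu and capped-memory both say so). An EXAMPLES entry showing "add security-flags" with the three fields set would also help, since none of the existing examples touches this resource.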
535 552 global: fs-allowed
536 553
537 554 A comma-separated list of additional filesystems that may be
538 555 mounted within the zone; for example "ufs,pcfs". By default, only
539 556 hsfs(7fs) and network filesystems can be mounted. If the first
540 557 entry in the list is "-" then that disables all of the default
541 558 filesystems. If any filesystems are listed after "-" then only
542 559 those filesystems can be mounted.
543 560
544 561 This property does not apply to filesystems mounted into the zone
545 562 via "add fs" or "add dataset".
546 563
547 564 WARNING: allowing filesystem mounts other than the default may
548 565 allow the zone administrator to compromise the system with a
549 566 malicious filesystem image, and is not supported.
550 567
551 568
552 569
553 570 The following table summarizes resources, property-names, and types:
554 571
555 572 resource property-name type
556 573 (global) zonename simple
557 574 (global) zonepath simple
558 575 (global) autoboot simple
559 576 (global) bootargs simple
560 577 (global) pool simple
561 578 (global) limitpriv simple
562 579 (global) brand simple
563 580 (global) ip-type simple
564 581 (global) hostid simple
565 582 (global) cpu-shares simple
566 583 (global) max-lwps simple
567 584 (global) max-msg-ids simple
568 585 (global) max-sem-ids simple
569 586 (global) max-shm-ids simple
570 587 (global) max-shm-memory simple
571 588 (global) scheduling-class simple
572 589 fs dir simple
573 590 special simple
574 591 raw simple
575 592 type simple
576 593 options list of simple
577 594 net address simple
578 595 physical simple
579 596 device match simple
580 597 rctl name simple
581 598 value list of complex
582 599 attr name simple
583 600 type simple
584 601 value simple
585 602 dataset name simple
586 603 dedicated-cpu ncpus simple or range
587 604 importance simple
588 605
589 606 capped-memory physical simple with scale
590 607 swap simple with scale
591 608 locked simple with scale
592 609
593 610 capped-cpu ncpus simple
611 + security-flags lower simple
612 + default simple
613 + upper simple
594 614
595 615
596 616
597 617
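Review bot: the three new table rows are typed "simple", yet the description block never says whether a field holds one flag name or several; if several are allowed, the correct type here is "list of simple" (as the table already uses for fs options), so please confirm the value syntax and make the table match the description. Minor layout point: capped-memory and capped-cpu are each preceded by a blank line in this table, while the security-flags rows run straight on from the capped-cpu row; insert a blank line before "security-flags lower simple" to keep the grouping consistent.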
598 618 To further specify things, the breakdown of the complex property
599 619 "value" of the "rctl" resource type, it consists of three name/value
600 620 pairs, the names being "priv", "limit" and "action", each of which
601 621 takes a simple value. The "name" property of an "attr" resource is
602 622 syntactically restricted in a fashion similar but not identical to zone
603 623 names: it must begin with an alphanumeric, and can contain
604 624 alphanumerics plus the hyphen (-), underscore (_), and dot (.)
605 625 characters. Attribute names beginning with "zone" are reserved for use
606 626 by the system. Finally, the "autoboot" global property must have a
607 627 value of "true" or "false".
608 628
609 629 Using Kernel Statistics to Monitor CPU Caps
610 630 Using the kernel statistics (kstat(3KSTAT)) module caps, the system
611 631 maintains information for all capped projects and zones. You can access
612 632 this information by reading kernel statistics (kstat(3KSTAT)),
613 633 specifying caps as the kstat module name. The following command
614 634 displays kernel statistics for all active CPU caps:
615 635
616 636 # kstat caps::'/cpucaps/'
617 637
618 638
619 639
620 640
621 641 A kstat(1M) command running in a zone displays only CPU caps relevant
622 642 for that zone and for projects in that zone. See EXAMPLES.
623 643
624 644
625 645 The following are cap-related arguments for use with kstat(1M):
626 646
627 647 caps
628 648
629 649 The kstat module.
630 650
631 651
632 652 project_caps or zone_caps
633 653
634 654 kstat class, for use with the kstat -c option.
635 655
636 656
637 657 cpucaps_project_id or cpucaps_zone_id
638 658
639 659 kstat name, for use with the kstat -n option. id is the project or
640 660 zone identifier.
641 661
642 662
643 663
644 664 The following fields are displayed in response to a kstat(1M) command
645 665 requesting statistics for all CPU caps.
646 666
647 667 module
648 668
649 669 In this usage of kstat, this field will have the value caps.
650 670
651 671
652 672 name
653 673
654 674 As described above, cpucaps_project_id or cpucaps_zone_id
655 675
656 676
657 677 above_sec
658 678
659 679 Total time, in seconds, spent above the cap.
660 680
661 681
662 682 below_sec
663 683
664 684 Total time, in seconds, spent below the cap.
665 685
666 686
667 687 maxusage
668 688
669 689 Maximum observed CPU usage.
670 690
671 691
672 692 nwait
673 693
674 694 Number of threads on cap wait queue.
675 695
676 696
677 697 usage
678 698
679 699 Current aggregated CPU usage for all threads belonging to a capped
680 700 project or zone, in terms of a percentage of a single CPU.
681 701
682 702
683 703 value
684 704
685 705 The cap value, in terms of a percentage of a single CPU.
686 706
687 707
688 708 zonename
689 709
690 710 Name of the zone for which statistics are displayed.
691 711
692 712
693 713
694 714 See EXAMPLES for sample output from a kstat command.
695 715
696 716 OPTIONS
697 717 The following options are supported:
698 718
699 719 -f command_file
700 720
701 721 Specify the name of zonecfg command file. command_file is a text
702 722 file of zonecfg subcommands, one per line.
703 723
704 724
705 725 -z zonename
706 726
707 727 Specify the name of a zone. Zone names are case sensitive. Zone
708 728 names must begin with an alphanumeric character and can contain
709 729 alphanumeric characters, the underscore (_) the hyphen (-), and the
710 730 dot (.). The name global and all names beginning with SUNW are
711 731 reserved and cannot be used.
712 732
713 733
714 734 SUBCOMMANDS
715 735 You can use the add and select subcommands to select a specific
716 736 resource, at which point the scope changes to that resource. The end
717 737 and cancel subcommands are used to complete the resource specification,
718 738 at which time the scope is reverted back to global. Certain
719 739 subcommands, such as add, remove and set, have different semantics in
720 740 each scope.
721 741
722 742
723 743 zonecfg supports a semicolon-separated list of subcommands. For
724 744 example:
725 745
726 746 # zonecfg -z myzone "add net; set physical=myvnic; end"
727 747
728 748
729 749
730 750
731 751 Subcommands which can result in destructive actions or loss of work
732 752 have an -F option to force the action. If input is from a terminal
733 753 device, the user is prompted when appropriate if such a command is
734 754 given without the -F option otherwise, if such a command is given
735 755 without the -F option, the action is disallowed, with a diagnostic
736 756 message written to standard error.
737 757
738 758
739 759 The following subcommands are supported:
740 760
741 761 add resource-type (global scope)
742 762 add property-name property-value (resource scope)
743 763
744 764 In the global scope, begin the specification for a given resource
745 765 type. The scope is changed to that resource type.
746 766
747 767 In the resource scope, add a property of the given name with the
748 768 given value. The syntax for property values varies with different
749 769 property types. In general, it is a simple value or a list of
750 770 simple values enclosed in square brackets, separated by commas
751 771 ([foo,bar,baz]). See PROPERTIES.
752 772
753 773
754 774 cancel
755 775
756 776 End the resource specification and reset scope to global. Abandons
757 777 any partially specified resources. cancel is only applicable in the
758 778 resource scope.
759 779
760 780
761 781 clear property-name
762 782
763 783 Clear the value for the property.
764 784
765 785
766 786 commit
767 787
768 788 Commit the current configuration from memory to stable storage. The
769 789 configuration must be committed to be used by zoneadm. Until the
770 790 in-memory configuration is committed, you can remove changes with
771 791 the revert subcommand. The commit operation is attempted
772 792 automatically upon completion of a zonecfg session. Since a
773 793 configuration must be correct to be committed, this operation
774 794 automatically does a verify.
775 795
776 796
777 797 create [-F] [ -a path |-b | -t template]
778 798
779 799 Create an in-memory configuration for the specified zone. Use
780 800 create to begin to configure a new zone. See commit for saving this
781 801 to stable storage.
782 802
783 803 If you are overwriting an existing configuration, specify the -F
784 804 option to force the action. Specify the -t template option to
785 805 create a configuration identical to template, where template is the
786 806 name of a configured zone.
787 807
788 808 Use the -a path option to facilitate configuring a detached zone on
789 809 a new host. The path parameter is the zonepath location of a
790 810 detached zone that has been moved on to this new host. Once the
791 811 detached zone is configured, it should be installed using the
792 812 "zoneadm attach" command (see zoneadm(1M)). All validation of the
793 813 new zone happens during the attach process, not during zone
794 814 configuration.
795 815
796 816 Use the -b option to create a blank configuration. Without
797 817 arguments, create applies the Sun default settings.
798 818
799 819
800 820 delete [-F]
801 821
802 822 Delete the specified configuration from memory and stable storage.
803 823 This action is instantaneous, no commit is necessary. A deleted
804 824 configuration cannot be reverted.
805 825
806 826 Specify the -F option to force the action.
807 827
808 828
809 829 end
810 830
811 831 End the resource specification. This subcommand is only applicable
812 832 in the resource scope. zonecfg checks to make sure the current
813 833 resource is completely specified. If so, it is added to the in-
814 834 memory configuration (see commit for saving this to stable storage)
815 835 and the scope reverts to global. If the specification is
816 836 incomplete, it issues an appropriate error message.
817 837
818 838
819 839 export [-f output-file]
820 840
821 841 Print configuration to standard output. Use the -f option to print
822 842 the configuration to output-file. This option produces output in a
823 843 form suitable for use in a command file.
824 844
825 845
826 846 help [usage] [subcommand] [syntax] [command-name]
827 847
828 848 Print general help or help about given topic.
829 849
830 850
831 851 info zonename | zonepath | autoboot | brand | pool | limitpriv
832 852 info [resource-type [property-name=property-value]*]
833 853
834 854 Display information about the current configuration. If resource-
835 855 type is specified, displays only information about resources of the
836 856 relevant type. If any property-name value pairs are specified,
837 857 displays only information about resources meeting the given
838 858 criteria. In the resource scope, any arguments are ignored, and
839 859 info displays information about the resource which is currently
840 860 being added or modified.
841 861
842 862
843 863 remove resource-type{property-name=property -value}(global scope)
844 864
845 865 In the global scope, removes the specified resource. The [] syntax
846 866 means 0 or more of whatever is inside the square braces. If you
847 867 want only to remove a single instance of the resource, you must
848 868 specify enough property name-value pairs for the resource to be
849 869 uniquely identified. If no property name-value pairs are specified,
850 870 all instances will be removed. If there is more than one pair is
851 871 specified, a confirmation is required, unless you use the -F
852 872 option.
853 873
854 874
855 875 select resource-type {property-name=property-value}
856 876
857 877 Select the resource of the given type which matches the given
858 878 property-name property-value pair criteria, for modification. This
859 879 subcommand is applicable only in the global scope. The scope is
860 880 changed to that resource type. The {} syntax means 1 or more of
861 881 whatever is inside the curly braces. You must specify enough
862 882 property -name property-value pairs for the resource to be uniquely
863 883 identified.
864 884
865 885
866 886 set property-name=property-value
867 887
868 888 Set a given property name to the given value. Some properties (for
869 889 example, zonename and zonepath) are global while others are
870 890 resource-specific. This subcommand is applicable in both the global
871 891 and resource scopes.
872 892
873 893
874 894 verify
875 895
876 896 Verify the current configuration for correctness:
877 897
878 898 o All resources have all of their required properties
879 899 specified.
880 900
881 901 o A zonepath is specified.
882 902
883 903
884 904 revert [-F]
885 905
886 906 Revert the configuration back to the last committed state. The -F
887 907 option can be used to force the action.
888 908
889 909
890 910 exit [-F]
891 911
892 912 Exit the zonecfg session. A commit is automatically attempted if
893 913 needed. You can also use an EOF character to exit zonecfg. The -F
894 914 option can be used to force the action.
895 915
896 916
897 917 EXAMPLES
898 918 Example 1 Creating the Environment for a New Zone
899 919
900 920
901 921 In the following example, zonecfg creates the environment for a new
902 922 zone. /usr/local is loopback mounted from the global zone into
903 923 /opt/local. /opt/sfw is loopback mounted from the global zone, three
904 924 logical network interfaces are added, and a limit on the number of
905 925 fair-share scheduler (FSS) CPU shares for a zone is set using the rctl
906 926 resource type. The example also shows how to select a given resource
907 927 for modification.
908 928
909 929
910 930 example# zonecfg -z myzone3
911 931 my-zone3: No such zone configured
912 932 Use 'create' to begin configuring a new zone.
913 933 zonecfg:myzone3> create
914 934 zonecfg:myzone3> set zonepath=/export/home/my-zone3
915 935 zonecfg:myzone3> set autoboot=true
916 936 zonecfg:myzone3> add fs
917 937 zonecfg:myzone3:fs> set dir=/usr/local
918 938 zonecfg:myzone3:fs> set special=/opt/local
919 939 zonecfg:myzone3:fs> set type=lofs
920 940 zonecfg:myzone3:fs> add options [ro,nodevices]
921 941 zonecfg:myzone3:fs> end
922 942 zonecfg:myzone3> add fs
923 943 zonecfg:myzone3:fs> set dir=/mnt
924 944 zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
925 945 zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
926 946 zonecfg:myzone3:fs> set type=ufs
927 947 zonecfg:myzone3:fs> end
928 948 zonecfg:myzone3> add net
929 949 zonecfg:myzone3:net> set address=192.168.0.1/24
930 950 zonecfg:myzone3:net> set physical=eri0
931 951 zonecfg:myzone3:net> end
932 952 zonecfg:myzone3> add net
933 953 zonecfg:myzone3:net> set address=192.168.1.2/24
934 954 zonecfg:myzone3:net> set physical=eri0
935 955 zonecfg:myzone3:net> end
936 956 zonecfg:myzone3> add net
937 957 zonecfg:myzone3:net> set address=192.168.2.3/24
938 958 zonecfg:myzone3:net> set physical=eri0
939 959 zonecfg:myzone3:net> end
940 960 zonecfg:my-zone3> set cpu-shares=5
941 961 zonecfg:my-zone3> add capped-memory
942 962 zonecfg:my-zone3:capped-memory> set physical=50m
943 963 zonecfg:my-zone3:capped-memory> set swap=100m
944 964 zonecfg:my-zone3:capped-memory> end
945 965 zonecfg:myzone3> exit
946 966
947 967
948 968
949 969 Example 2 Creating a Non-Native Zone
950 970
951 971
952 972 The following example creates a new Linux zone:
953 973
954 974
955 975 example# zonecfg -z lxzone
956 976 lxzone: No such zone configured
957 977 Use 'create' to begin configuring a new zone
958 978 zonecfg:lxzone> create -t SUNWlx
959 979 zonecfg:lxzone> set zonepath=/export/zones/lxzone
960 980 zonecfg:lxzone> set autoboot=true
961 981 zonecfg:lxzone> exit
962 982
963 983
964 984
965 985 Example 3 Creating an Exclusive-IP Zone
966 986
967 987
968 988 The following example creates a zone that is granted exclusive access
969 989 to bge1 and bge33000 and that is isolated at the IP layer from the
970 990 other zones configured on the system.
971 991
972 992
973 993
974 994 The IP addresses and routing is configured inside the new zone using
975 995 sysidtool(1M).
976 996
977 997
978 998 example# zonecfg -z excl
979 999 excl: No such zone configured
980 1000 Use 'create' to begin configuring a new zone
981 1001 zonecfg:excl> create
982 1002 zonecfg:excl> set zonepath=/export/zones/excl
983 1003 zonecfg:excl> set ip-type=exclusive
984 1004 zonecfg:excl> add net
985 1005 zonecfg:excl:net> set physical=bge1
986 1006 zonecfg:excl:net> end
987 1007 zonecfg:excl> add net
988 1008 zonecfg:excl:net> set physical=bge33000
989 1009 zonecfg:excl:net> end
990 1010 zonecfg:excl> exit
991 1011
992 1012
993 1013
994 1014 Example 4 Associating a Zone with a Resource Pool
995 1015
996 1016
997 1017 The following example shows how to associate an existing zone with an
998 1018 existing resource pool:
999 1019
1000 1020
1001 1021 example# zonecfg -z myzone
1002 1022 zonecfg:myzone> set pool=mypool
1003 1023 zonecfg:myzone> exit
1004 1024
1005 1025
1006 1026
1007 1027
1008 1028 For more information about resource pools, see pooladm(1M) and
1009 1029 poolcfg(1M).
1010 1030
1011 1031
1012 1032 Example 5 Changing the Name of a Zone
1013 1033
1014 1034
1015 1035 The following example shows how to change the name of an existing zone:
1016 1036
1017 1037
1018 1038 example# zonecfg -z myzone
1019 1039 zonecfg:myzone> set zonename=myzone2
1020 1040 zonecfg:myzone2> exit
1021 1041
1022 1042
1023 1043
1024 1044 Example 6 Changing the Privilege Set of a Zone
1025 1045
1026 1046
1027 1047 The following example shows how to change the set of privileges an
1028 1048 existing zone's processes will be limited to the next time the zone is
1029 1049 booted. In this particular case, the privilege set will be the standard
1030 1050 safe set of privileges a zone normally has along with the privilege to
1031 1051 change the system date and time:
1032 1052
1033 1053
1034 1054 example# zonecfg -z myzone
1035 1055 zonecfg:myzone> set limitpriv="default,sys_time"
1036 1056 zonecfg:myzone2> exit
1037 1057
1038 1058
1039 1059
1040 1060 Example 7 Setting the zone.cpu-shares Property for the Global Zone
1041 1061
1042 1062
1043 1063 The following command sets the zone.cpu-shares property for the global
1044 1064 zone:
1045 1065
1046 1066
1047 1067 example# zonecfg -z global
1048 1068 zonecfg:global> set cpu-shares=5
1049 1069 zonecfg:global> exit
1050 1070
1051 1071
1052 1072
1053 1073 Example 8 Using Pattern Matching
1054 1074
1055 1075
1056 1076 The following commands illustrate zonecfg support for pattern matching.
1057 1077 In the zone flexlm, enter:
1058 1078
1059 1079
1060 1080 zonecfg:flexlm> add device
1061 1081 zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
1062 1082 zonecfg:flexlm:device> end
1063 1083
1064 1084
1065 1085
1066 1086
1067 1087 In the global zone, enter:
1068 1088
1069 1089
1070 1090 global# ls /dev/cua
1071 1091 a a000 a001 a002 a003 a004 a005 a006 a007 b
1072 1092
1073 1093
1074 1094
1075 1095
1076 1096 In the zone flexlm, enter:
1077 1097
1078 1098
1079 1099 flexlm# ls /dev/cua
1080 1100 a002 a003 a004 a005
1081 1101
1082 1102
1083 1103
1084 1104 Example 9 Setting a Cap for a Zone to Three CPUs
1085 1105
1086 1106
1087 1107 The following sequence uses the zonecfg command to set the CPU cap for
1088 1108 a zone to three CPUs.
1089 1109
1090 1110
1091 1111 zonecfg:myzone> add capped-cpu
1092 1112 zonecfg:myzone>capped-cpu> set ncpus=3
1093 1113 zonecfg:myzone>capped-cpu>capped-cpu> end
1094 1114
1095 1115
1096 1116
1097 1117
1098 1118 The preceding sequence, which uses the capped-cpu property, is
1099 1119 equivalent to the following sequence, which makes use of the zone.cpu-
1100 1120 cap resource control.
1101 1121
1102 1122
1103 1123 zonecfg:myzone> add rctl
1104 1124 zonecfg:myzone:rctl> set name=zone.cpu-cap
1105 1125 zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
1106 1126 zonecfg:myzone:rctl> end
1107 1127
1108 1128
1109 1129
1110 1130 Example 10 Using kstat to Monitor CPU Caps
1111 1131
1112 1132
1113 1133 The following command displays information about all CPU caps.
1114 1134
1115 1135
1116 1136 # kstat -n /cpucaps/
1117 1137 module: caps instance: 0
1118 1138 name: cpucaps_project_0 class: project_caps
1119 1139 above_sec 0
1120 1140 below_sec 2157
1121 1141 crtime 821.048183159
1122 1142 maxusage 2
1123 1143 nwait 0
1124 1144 snaptime 235885.637253027
1125 1145 usage 0
1126 1146 value 18446743151372347932
1127 1147 zonename global
1128 1148
1129 1149 module: caps instance: 0
1130 1150 name: cpucaps_project_1 class: project_caps
1131 1151 above_sec 0
1132 1152 below_sec 0
1133 1153 crtime 225339.192787265
1134 1154 maxusage 5
1135 1155 nwait 0
1136 1156 snaptime 235885.637591677
1137 1157 usage 5
1138 1158 value 18446743151372347932
1139 1159 zonename global
1140 1160
1141 1161 module: caps instance: 0
1142 1162 name: cpucaps_project_201 class: project_caps
1143 1163 above_sec 0
1144 1164 below_sec 235105
1145 1165 crtime 780.37961782
1146 1166 maxusage 100
1147 1167 nwait 0
1148 1168 snaptime 235885.637789687
1149 1169 usage 43
1150 1170 value 100
1151 1171 zonename global
1152 1172
1153 1173 module: caps instance: 0
1154 1174 name: cpucaps_project_202 class: project_caps
1155 1175 above_sec 0
1156 1176 below_sec 235094
1157 1177 crtime 791.72983782
1158 1178 maxusage 100
1159 1179 nwait 0
1160 1180 snaptime 235885.637967512
1161 1181 usage 48
1162 1182 value 100
1163 1183 zonename global
1164 1184
1165 1185 module: caps instance: 0
1166 1186 name: cpucaps_project_203 class: project_caps
1167 1187 above_sec 0
1168 1188 below_sec 235034
1169 1189 crtime 852.104401481
1170 1190 maxusage 75
1171 1191 nwait 0
1172 1192 snaptime 235885.638144304
1173 1193 usage 47
1174 1194 value 100
1175 1195 zonename global
1176 1196
1177 1197 module: caps instance: 0
1178 1198 name: cpucaps_project_86710 class: project_caps
1179 1199 above_sec 22
1180 1200 below_sec 235166
1181 1201 crtime 698.441717859
1182 1202 maxusage 101
1183 1203 nwait 0
1184 1204 snaptime 235885.638319871
1185 1205 usage 54
1186 1206 value 100
1187 1207 zonename global
1188 1208
1189 1209 module: caps instance: 0
1190 1210 name: cpucaps_zone_0 class: zone_caps
1191 1211 above_sec 100733
1192 1212 below_sec 134332
1193 1213 crtime 821.048177123
1194 1214 maxusage 207
1195 1215 nwait 2
1196 1216 snaptime 235885.638497731
1197 1217 usage 199
1198 1218 value 200
1199 1219 zonename global
1200 1220
1201 1221 module: caps instance: 1
1202 1222 name: cpucaps_project_0 class: project_caps
1203 1223 above_sec 0
1204 1224 below_sec 0
1205 1225 crtime 225360.256448422
1206 1226 maxusage 7
1207 1227 nwait 0
1208 1228 snaptime 235885.638714404
1209 1229 usage 7
1210 1230 value 18446743151372347932
1211 1231 zonename test_001
1212 1232
1213 1233 module: caps instance: 1
1214 1234 name: cpucaps_zone_1 class: zone_caps
1215 1235 above_sec 2
1216 1236 below_sec 10524
1217 1237 crtime 225360.256440278
1218 1238 maxusage 106
1219 1239 nwait 0
1220 1240 snaptime 235885.638896443
1221 1241 usage 7
1222 1242 value 100
1223 1243 zonename test_001
1224 1244
1225 1245
1226 1246
1227 1247 Example 11 Displaying CPU Caps for a Specific Zone or Project
1228 1248
1229 1249
1230 1250 Using the kstat -c and -i options, you can display CPU caps for a
1231 1251 specific zone or project, as below. The first command produces a
1232 1252 display for a specific project, the second for the same project within
1233 1253 zone 1.
1234 1254
1235 1255
1236 1256 # kstat -c project_caps
1237 1257
1238 1258 # kstat -c project_caps -i 1
1239 1259
1240 1260
1241 1261
1242 1262 EXIT STATUS
1243 1263 The following exit values are returned:
1244 1264
1245 1265 0
1246 1266
1247 1267 Successful completion.
1248 1268
1249 1269
1250 1270 1
1251 1271
1252 1272 An error occurred.
1253 1273
1254 1274
1255 1275 2
1256 1276
1257 1277 Invalid usage.
1258 1278
1259 1279
1260 1280 ATTRIBUTES
1261 1281 See attributes(5) for descriptions of the following attributes:
1262 1282
1263 1283
1264 1284
1265 1285
1266 1286 +--------------------+-----------------+
1267 1287 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
1268 1288 +--------------------+-----------------+
1269 1289 |Interface Stability | Volatile |
1270 1290 +--------------------+-----------------+
1271 1291
1272 1292 SEE ALSO
1273 1293 ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1274 1294 poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1275 1295 sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1276 1296 kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1277 - privileges(5), resource_controls(5), zones(5)
1297 + privileges(5), resource_controls(5), security-flags(5), zones(5)
1278 1298
1279 1299
1280 1300 System Administration Guide: Solaris Containers-Resource Management,
1281 1301 and Solaris Zones
1282 1302
1283 1303 NOTES
1284 1304 All character data used by zonecfg must be in US-ASCII encoding.
1285 1305
1286 1306
1287 1307
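Review bot: the new security-flags(5) cross-reference in the SEE ALSO hunk has no matching entry in the EXAMPLES section, which walks an administrator through every other major resource on this page (fs, net, rctl, capped-cpu, capped-memory, device); consider adding an Example 12 that configures the security flags this page now references, so the syntax can be checked here without following the cross-reference. The reference itself sits in the correct alphabetical slot between resource_controls(5) and zones(5).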
1288 - February 28, 2014 ZONECFG(1M)
1308 + June 6, 2016 ZONECFG(1M)
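Review bot: the footer date bump to June 6, 2016 is the only change in this hunk and is the expected companion to a man page edit; since this .man.txt is the rendered output of the zonecfg.1m source, confirm the source page's date line was updated to the same value so the two do not drift apart on the next regeneration.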