1 ZONECFG(1M)                  Maintenance Commands                  ZONECFG(1M)
   2 
   3 
   4 
   5 NAME
   6        zonecfg - set up zone configuration
   7 
   8 SYNOPSIS
   9        zonecfg -z zonename
  10 
  11 
  12        zonecfg -z zonename subcommand
  13 
  14 
  15        zonecfg -z zonename -f command_file
  16 
  17 
  18        zonecfg help
  19 
  20 
  21 DESCRIPTION
  22        The zonecfg utility creates and modifies the configuration of a zone.
  23        Zone configuration consists of a number of resources and properties.
  24 
  25 
  26        To simplify the user interface, zonecfg uses the concept of a scope.
  27        The default scope is global.
  28 
  29 
  30        The following synopsis of the zonecfg command is for interactive usage:
  31 
  32          zonecfg -z zonename subcommand
  33 
  34 
  35 
  36 
  37        Parameters changed through zonecfg do not affect a running zone. The
  38        zone must be rebooted for the changes to take effect.
  39 
  40 
  41        In addition to creating and modifying a zone, the zonecfg utility can
  42        also be used to persistently specify the resource management settings
  43        for the global zone.
  44 
  45 
  46        In the following text, "rctl" is used as an abbreviation for "resource
  47        control". See resource_controls(5).
  48 
  49 
  50        Every zone is configured with an associated brand. The brand determines
  51        the user-level environment used within the zone, as well as various
  52        behaviors for the zone when it is installed, boots, or is shut down.
  53        Once a zone has been installed the brand cannot be changed. The default
  54        brand is determined by the installed distribution in the global zone.
  55        Some brands do not support all of the zonecfg properties and resources.
  56        See the brand-specific man page for more details on each brand. For an
  57        overview of brands, see the brands(5) man page.
  58 
  59    Resources
  60        The following resource types are supported:
  61 
  62        attr
  63 
  64            Generic attribute.
  65 
  66 
  67        capped-cpu
  68 
  69            Limits for CPU usage.
  70 
  71 
  72        capped-memory
  73 
  74            Limits for physical, swap, and locked memory.
  75 
  76 
  77        dataset
  78 
  79            ZFS dataset.
  80 
  81 
  82        dedicated-cpu
  83 
  84            Subset of the system's processors dedicated to this zone while it
  85            is running.
  86 
  87 
  88        device
  89 
  90            Device.
  91 
  92 
  93        fs
  94 
  95            File system.
  96 
  97 
  98        net
  99 
 100            Network interface.
 101 
 102 
 103        rctl
 104 
 105            Resource control.
 106 
 107 
 108        security-flags
 109 
 110            Process security flag settings.
 111 
 112 
 113    Properties
 114        Each resource type has one or more properties. There are also some
 115        global properties, that is, properties of the configuration as a whole,
 116        rather than of some particular resource.
 117 
 118 
 119        The following properties are supported:
 120 
 121        (global)
 122 
 123            zonename
 124 
 125 
 126        (global)
 127 
 128            zonepath
 129 
 130 
 131        (global)
 132 
 133            autoboot
 134 
 135 
 136        (global)
 137 
 138            bootargs
 139 
 140 
 141        (global)
 142 
 143            pool
 144 
 145 
 146        (global)
 147 
 148            limitpriv
 149 
 150 
 151        (global)
 152 
 153            brand
 154 
 155 
 156        (global)
 157 
 158            cpu-shares
 159 
 160 
 161        (global)
 162 
 163            hostid
 164 
 165 
 166        (global)
 167 
 168            max-lwps
 169 
 170 
 171        (global)
 172 
 173            max-msg-ids
 174 
 175 
 176        (global)
 177 
 178            max-sem-ids
 179 
 180 
 181        (global)
 182 
 183            max-shm-ids
 184 
 185 
 186        (global)
 187 
 188            max-shm-memory
 189 
 190 
 191        (global)
 192 
 193            scheduling-class
 194 
 195 
 196        (global)
 197 
 198            fs-allowed
 199 
 200 
 201        fs
 202 
 203            dir, special, raw, type, options
 204 
 205 
 206        net
 207 
 208            address, physical, defrouter
 209 
 210 
 211        device
 212 
 213            match
 214 
 215 
 216        rctl
 217 
 218            name, value
 219 
 220 
 221        attr
 222 
 223            name, type, value
 224 
 225 
 226        dataset
 227 
 228            name
 229 
 230 
 231        dedicated-cpu
 232 
 233            ncpus, importance
 234 
 235 
 236        capped-memory
 237 
 238            physical, swap, locked
 239 
 240 
 241        capped-cpu
 242 
 243            ncpus
 244 
 245 
 246        security-flags
 247 
 248            lower, default, upper.
 249 
 250 
 251 
 252        As for the property values which are paired with these names, they are
 253        either simple, complex, or lists. The type allowed is
 254        property-specific. Simple values are strings, optionally enclosed within
 255        quotation marks. Complex values have the syntax:
 256 
 257          (<name>=<value>,<name>=<value>,...)
 258 
 259 
 260 
 261 
 262        where each <value> is simple, and the <name> strings are unique within
 263        a given property. Lists have the syntax:
 264 
 265          [<value>,...]
 266 
 267 
 268 
 269 
 270        where each <value> is either simple or complex. A list of a single
 271        value (either simple or complex) is equivalent to specifying that value
 272        without the list syntax. That is, "foo" is equivalent to "[foo]". A
 273        list can be empty (denoted by "[]").
 274 
 275 
 276        In interpreting property values, zonecfg accepts regular expressions as
 277        specified in fnmatch(5). See EXAMPLES.
 278 
 279 
 280        The property types are described as follows:
 281 
 282        global: zonename
 283 
 284            The name of the zone.
 285 
 286 
 287        global: zonepath
 288 
 289            Path to zone's file system.
 290 
 291 
 292        global: autoboot
 293 
 294            Boolean indicating that a zone should be booted automatically at
 295            system boot.  Note that if the zones service is disabled, the zone
 296            will not autoboot, regardless of the setting of this property. You
 297            enable the zones service with a svcadm command, such as:
 298 
 299              # svcadm enable svc:/system/zones:default
 300 
 301 
 302            Replace enable with disable to disable the zones service. See
 303            svcadm(1M).
 304 
 305 
 306        global: bootargs
 307 
 308            Arguments (options) to be passed to the zone bootup, unless options
 309            are supplied to the "zoneadm boot" command, in which case those
 310            take precedence. The valid arguments are described in zoneadm(1M).
 311 
 312 
 313        global: pool
 314 
 315            Name of the resource pool that this zone must be bound to when
 316            booted. This property is incompatible with the dedicated-cpu
 317            resource.
 318 
 319 
 320        global: limitpriv
 321 
 322            The maximum set of privileges any process in this zone can obtain.
 323            The property should consist of a comma-separated privilege set
 324            specification as described in priv_str_to_set(3C). Privileges can
 325            be excluded from the resulting set by preceding their names with a
 326            dash (-) or an exclamation point (!). The special privilege string
 327            "zone" is not supported in this context. If the special string
 328            "default" occurs as the first token in the property, it expands
 329            into a safe set of privileges that preserve the resource and
 330            security isolation described in zones(5). A missing or empty
 331            property is equivalent to this same set of safe privileges.
 332 
 333            The system administrator must take extreme care when configuring
 334            privileges for a zone. Some privileges cannot be excluded through
 335            this mechanism as they are required in order to boot a zone. In
 336            addition, there are certain privileges which cannot be given to a
 337            zone as doing so would allow processes inside a zone to unduly
 338            affect processes in other zones. zoneadm(1M) indicates when an
 339            invalid privilege has been added or removed from a zone's privilege
 340            set when an attempt is made to either "boot" or "ready" the zone.
 341 
 342            See privileges(5) for a description of privileges. The command
 343            "ppriv -l" (see ppriv(1)) produces a list of all Solaris
 344            privileges. You can specify privileges as they are displayed by
 345            ppriv. In privileges(5), privileges are listed in the form
 346            PRIV_privilege_name. For example, the privilege sys_time, as you
 347            would specify it in this property, is listed in privileges(5) as
 348            PRIV_SYS_TIME.
 349 
 350 
 351        global: brand
 352 
 353            The zone's brand type.
 354 
 355 
 356        global: ip-type
 357 
 358            A zone can either share the IP instance with the global zone, which
 359            is the default, or have its own exclusive instance of IP.
 360 
 361            This property takes the values shared and exclusive.
 362 
 363 
 364        global: hostid
 365 
 366            A zone can emulate a 32-bit host identifier to ease system
 367            consolidation. A zone's hostid property is empty by default,
 368            meaning that the zone does not emulate a host identifier. Zone host
 369            identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
 370            or 0X prefix is optional. Both uppercase and lowercase hexadecimal
 371            digits are acceptable.
 372 
 373 
 374        fs: dir, special, raw, type, options
 375 
 376            Values needed to determine how, where, and so forth to mount file
 377            systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).
 378 
 379 
 380        net: address, physical, defrouter
 381 
 382            The network address and physical interface name of the network
 383            interface. The network address is one of:
 384 
 385                o      a valid IPv4 address, optionally followed by "/" and a
 386                       prefix length;
 387 
 388                o      a valid IPv6 address, which must be followed by "/" and
 389                       a prefix length;
 390 
 391                o      a host name which resolves to an IPv4 address.
 392            Note that host names that resolve to IPv6 addresses are not
 393            supported.
 394 
 395            The physical interface name is the network interface name.
 396 
 397            The default router is specified similarly to the network address
 398            except that it must not be followed by a / (slash) and a network
 399            prefix length.
 400 
 401            A zone can be configured to be either exclusive-IP or shared-IP.
 402            For a shared-IP zone, you must set both the physical and address
 403            properties; setting the default router is optional. The interface
 404            specified in the physical property must be plumbed in the global
 405            zone prior to booting the non-global zone. However, if the
 406            interface is not used by the global zone, it should be configured
 407            down in the global zone, and the default router for the interface
 408            should be specified here.
 409 
 410            For an exclusive-IP zone, the physical property must be set and the
 411            address and default router properties cannot be set.
 412 
 413 
 414        device: match
 415 
 416            Device name to match.
 417 
 418 
 419        rctl: name, value
 420 
 421            The name and priv/limit/action triple of a resource control.  See
 422            prctl(1) and rctladm(1M). The preferred way to set rctl values is
 423            to use the global property name associated with a specific rctl.
 424 
 425 
 426        attr: name, type, value
 427 
 428            The name, type and value of a generic attribute. The type must be
 429            one of int, uint, boolean or string, and the value must be of that
 430            type. uint means unsigned, that is, a non-negative integer.
 431 
 432 
 433        dataset: name
 434 
 435            The name of a ZFS dataset to be accessed from within the zone. See
 436            zfs(1M).
 437 
 438 
 439        global: cpu-shares
 440 
 441            The number of Fair Share Scheduler (FSS) shares to allocate to this
 442            zone. This property is incompatible with the dedicated-cpu
 443            resource. This property is the preferred way to set the
 444            zone.cpu-shares rctl.
 445 
 446 
 447        global: max-lwps
 448 
 449            The maximum number of LWPs simultaneously available to this zone.
 450            This property is the preferred way to set the zone.max-lwps rctl.
 451 
 452 
 453        global: max-msg-ids
 454 
 455            The maximum number of message queue IDs allowed for this zone. This
 456            property is the preferred way to set the zone.max-msg-ids rctl.
 457 
 458 
 459        global: max-sem-ids
 460 
 461            The maximum number of semaphore IDs allowed for this zone. This
 462            property is the preferred way to set the zone.max-sem-ids rctl.
 463 
 464 
 465        global: max-shm-ids
 466 
 467            The maximum number of shared memory IDs allowed for this zone. This
 468            property is the preferred way to set the zone.max-shm-ids rctl.
 469 
 470 
 471        global: max-shm-memory
 472 
 473            The maximum amount of shared memory allowed for this zone. This
 474            property is the preferred way to set the zone.max-shm-memory rctl.
 475            A scale (K, M, G, T) can be applied to the value for this number
 476            (for example, 1M is one megabyte).
 477 
 478 
 479        global: scheduling-class
 480 
 481            Specifies the scheduling class used for processes running in a
 482            zone. When this property is not specified, the scheduling class is
 483            established as follows:
 484 
 485                o      If the cpu-shares property or equivalent rctl is set,
 486                       the scheduling class FSS is used.
 487 
 488                o      If neither cpu-shares nor the equivalent rctl is set and
 489                       the zone's pool property references a pool that has a
 490                       default scheduling class, that class is used.
 491 
 492                o      Under any other conditions, the system default
 493                       scheduling class is used.
 494 
 495 
 496 
 497 
 498        dedicated-cpu: ncpus, importance
 499 
 500            The number of CPUs that should be assigned for this zone's
 501            exclusive use. The zone will create a pool and processor set when
 502            it boots. See pooladm(1M) and poolcfg(1M) for more information on
 503            resource pools. The ncpus property can specify a single value or a
 504            range (for example, 1-4) of processors. The importance property is
 505            optional; if set, it will specify the pset.importance value for use
 506            by poold(1M). If this resource is used, there must be enough free
 507            processors to allocate to this zone when it boots or the zone will
 508            not boot. The processors assigned to this zone will not be
 509            available for the use of the global zone or other zones. This
 510            resource is incompatible with both the pool and cpu-shares
 511            properties. Only a single instance of this resource can be added to
 512            the zone.
 513 
 514 
 515        capped-memory: physical, swap, locked
 516 
 517            The caps on the memory that can be used by this zone. A scale (K,
 518            M, G, T) can be applied to the value for each of these numbers (for
 519            example, 1M is one megabyte). Each of these properties is optional
 520            but at least one property must be set when adding this resource.
 521            Only a single instance of this resource can be added to the zone.
 522            The physical property sets the max-rss for this zone. This will be
 523            enforced by rcapd(1M) running in the global zone.  The swap
 524            property is the preferred way to set the zone.max-swap rctl. The
 525            locked property is the preferred way to set the
 526            zone.max-locked-memory rctl.
 527 
 528 
 529        capped-cpu: ncpus
 530 
 531            Sets a limit on the amount of CPU time that can be used by a zone.
 532            The unit used translates to the percentage of a single CPU that can
 533            be used by all user threads in a zone, expressed as a fraction (for
 534            example, .75) or a mixed number (whole number and fraction, for
 535            example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of
 536            1.25 means 125%, .75 means 75%, and so forth. When projects within a
 537            capped zone have their own caps, the minimum value takes
 538            precedence.
 539 
 540            The capped-cpu property is an alias for the
 541            zone.cpu-cap resource control. See
 542            resource_controls(5).
 543 
 544 
 545        security-flags: lower, default, upper
 546 
 547            Set the process security flags associated with the zone.  The lower
 548            and upper fields set the limits; the default field is the set of
 549            flags all zone processes inherit.
 550 
 551 
 552        global: fs-allowed
 553 
 554            A comma-separated list of additional filesystems that may be
 555            mounted within the zone; for example "ufs,pcfs". By default, only
 556            hsfs(7fs) and network filesystems can be mounted. If the first
 557            entry in the list is "-" then that disables all of the default
 558            filesystems. If any filesystems are listed after "-" then only
 559            those filesystems can be mounted.
 560 
 561            This property does not apply to filesystems mounted into the zone
 562            via "add fs" or "add dataset".
 563 
 564            WARNING: allowing filesystem mounts other than the default may
 565            allow the zone administrator to compromise the system with a
 566            malicious filesystem image, and is not supported.
 567 
 568 
 569 
 570        The following table summarizes resources, property-names, and types:
 571 
 572          resource          property-name   type
 573          (global)          zonename        simple
 574          (global)          zonepath        simple
 575          (global)          autoboot        simple
 576          (global)          bootargs        simple
 577          (global)          pool            simple
 578          (global)          limitpriv       simple
 579          (global)          brand           simple
 580          (global)          ip-type         simple
 581          (global)          hostid          simple
 582          (global)          cpu-shares      simple
 583          (global)          max-lwps        simple
 584          (global)          max-msg-ids     simple
 585          (global)          max-sem-ids     simple
 586          (global)          max-shm-ids     simple
 587          (global)          max-shm-memory  simple
 588          (global)          scheduling-class simple
 589          fs                dir             simple
 590                             special         simple
 591                             raw             simple
 592                             type            simple
 593                             options         list of simple
 594          net               address         simple
 595                             physical        simple
 596          device            match           simple
 597          rctl              name            simple
 598                             value           list of complex
 599          attr              name            simple
 600                             type            simple
 601                             value           simple
 602          dataset           name            simple
 603          dedicated-cpu     ncpus           simple or range
 604                             importance      simple
 605 
 606          capped-memory     physical        simple with scale
 607                             swap            simple with scale
 608                             locked          simple with scale
 609 
 610          capped-cpu        ncpus           simple
 611          security-flags    lower           simple
 612                             default         simple
 613                             upper           simple
 614 
 615 
 616 
 617 
 618        More specifically, the complex property "value" of the "rctl"
 619        resource type consists of three name/value pairs, the names
 620        being "priv", "limit" and "action", each of which
 621        takes a simple value. The "name" property of an "attr" resource is
 622        syntactically restricted in a fashion similar but not identical to zone
 623        names: it must begin with an alphanumeric, and can contain
 624        alphanumerics plus the hyphen (-), underscore (_), and dot (.)
 625        characters. Attribute names beginning with "zone" are reserved for use
 626        by the system. Finally, the "autoboot" global property must have a
 627        value of "true" or "false".
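
The value syntax described under Properties (simple, complex, list) and the three-pair "value" of the rctl resource can be checked with a small parser. This is an added example, not code from zonecfg; the function names and the sample rctl strings are constructed for illustration.

```python
def _simple(s, i, stops):
    """Read a simple value at s[i]: a quoted string, or text up to a stop char."""
    while s[i:i + 1] == " ":
        i += 1
    if s[i:i + 1] == '"':
        end = s.find('"', i + 1)
        if end < 0:
            raise ValueError("unterminated quoted string")
        return s[i + 1:end], end + 1
    end = i
    while end < len(s) and s[end] not in stops:
        end += 1
    token = s[i:end].strip()
    if not token:
        raise ValueError(f"empty value at offset {i}")
    return token, end


def _complex(s, i):
    """Read (<name>=<value>,...) starting at the '(' in s[i]."""
    pairs, i = {}, i + 1
    while True:
        eq = s.find("=", i)
        name = s[i:eq].strip() if eq >= 0 else ""
        if not name or any(c in name for c in ",()[]"):
            raise ValueError("complex value needs <name>=<value> pairs")
        if name in pairs:
            raise ValueError(f"name {name!r} is not unique in this value")
        pairs[name], i = _simple(s, eq + 1, ",)")
        if s[i:i + 1] == ")":
            return pairs, i + 1
        if s[i:i + 1] != ",":
            raise ValueError("unterminated complex value")
        i += 1


def _item(s, i, stops):
    """Read one list element: complex if it opens with '(', else simple."""
    while s[i:i + 1] == " ":
        i += 1
    return _complex(s, i) if s[i:i + 1] == "(" else _simple(s, i, stops)


def parse_value(text):
    """Normalize a property value to a list of str (simple) or dict (complex)."""
    s = text.strip()
    if not s.startswith("["):
        # A single value is equivalent to a one-element list: foo == [foo].
        item, end = _item(s, 0, "")
        if end != len(s):
            raise ValueError("trailing text after value")
        return [item]
    if not s.endswith("]"):
        raise ValueError("unterminated list")
    if not s[1:-1].strip():
        return []                      # "[]" denotes the empty list
    items, i = [], 1
    while True:
        item, i = _item(s, i, ",]")
        items.append(item)
        while s[i:i + 1] == " ":
            i += 1
        if s[i:i + 1] == "]" and i == len(s) - 1:
            return items
        if s[i:i + 1] != ",":
            raise ValueError(f"unexpected text at offset {i}")
        i += 1


def rctl_triples(text):
    """Validate an rctl "value": each element must be exactly priv/limit/action."""
    triples = []
    for item in parse_value(text):
        if not isinstance(item, dict) or set(item) != {"priv", "limit", "action"}:
            raise ValueError(f"rctl value needs priv, limit and action: {item!r}")
        triples.append((item["priv"], item["limit"], item["action"]))
    return triples


if __name__ == "__main__":
    # Constructed inputs.
    print(parse_value("[ro,nodevices]"))
    print(rctl_triples("(priv=privileged,limit=10,action=deny)"))
```
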
 628 
 629    Using Kernel Statistics to Monitor CPU Caps
 630        Using the kernel statistics (kstat(3KSTAT)) module caps, the system
 631        maintains information for all capped projects and zones. You can access
 632        this information by reading kernel statistics (kstat(3KSTAT)),
 633        specifying caps as the kstat module name. The following command
 634        displays kernel statistics for all active CPU caps:
 635 
 636          # kstat caps::'/cpucaps/'
 637 
 638 
 639 
 640 
 641        A kstat(1M) command running in a zone displays only CPU caps relevant
 642        for that zone and for projects in that zone. See EXAMPLES.
 643 
 644 
 645        The following are cap-related arguments for use with kstat(1M):
 646 
 647        caps
 648 
 649            The kstat module.
 650 
 651 
 652        project_caps or zone_caps
 653 
 654            kstat class, for use with the kstat -c option.
 655 
 656 
 657        cpucaps_project_id or cpucaps_zone_id
 658 
 659            kstat name, for use with the kstat -n option. id is the project or
 660            zone identifier.
 661 
 662 
 663 
 664        The following fields are displayed in response to a kstat(1M) command
 665        requesting statistics for all CPU caps.
 666 
 667        module
 668 
 669            In this usage of kstat, this field will have the value caps.
 670 
 671 
 672        name
 673 
 674            As described above, cpucaps_project_id or cpucaps_zone_id.
 675 
 676 
 677        above_sec
 678 
 679            Total time, in seconds, spent above the cap.
 680 
 681 
 682        below_sec
 683 
 684            Total time, in seconds, spent below the cap.
 685 
 686 
 687        maxusage
 688 
 689            Maximum observed CPU usage.
 690 
 691 
 692        nwait
 693 
 694            Number of threads on cap wait queue.
 695 
 696 
 697        usage
 698 
 699            Current aggregated CPU usage for all threads belonging to a capped
 700            project or zone, in terms of a percentage of a single CPU.
 701 
 702 
 703        value
 704 
 705            The cap value, in terms of a percentage of a single CPU.
 706 
 707 
 708        zonename
 709 
 710            Name of the zone for which statistics are displayed.
 711 
 712 
 713 
 714        See EXAMPLES for sample output from a kstat command.
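
The cap statistics listed above can be turned into a check for zones that are being throttled at their CPU cap. This is an added example, not part of the original page: it assumes the parseable `module:instance:name:statistic<TAB>value` lines printed by `kstat -p`, and the sample data, function names and the 25% threshold are constructed.

```python
# Constructed sample in the style of: kstat -p caps::'/cpucaps/'
SAMPLE = (
    "caps:1:cpucaps_zone_1:above_sec\t1260\n"
    "caps:1:cpucaps_zone_1:below_sec\t2340\n"
    "caps:1:cpucaps_zone_1:maxusage\t150\n"
    "caps:1:cpucaps_zone_1:nwait\t6\n"
    "caps:1:cpucaps_zone_1:usage\t150\n"
    "caps:1:cpucaps_zone_1:value\t150\n"
    "caps:1:cpucaps_zone_1:zonename\tweb01\n"
    "caps:2:cpucaps_zone_2:above_sec\t0\n"
    "caps:2:cpucaps_zone_2:below_sec\t3600\n"
    "caps:2:cpucaps_zone_2:maxusage\t40\n"
    "caps:2:cpucaps_zone_2:nwait\t0\n"
    "caps:2:cpucaps_zone_2:usage\t12\n"
    "caps:2:cpucaps_zone_2:value\t200\n"
    "caps:2:cpucaps_zone_2:zonename\tdb01\n"
)


def cap_report(text):
    """Group caps-module statistics by kstat name and derive pressure figures."""
    stats = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        fields = parts[0].split(":")
        # Keep only module "caps" and names cpucaps_project_id / cpucaps_zone_id.
        if len(fields) != 4 or fields[0] != "caps":
            continue
        if not fields[2].startswith("cpucaps_"):
            continue
        stats.setdefault(fields[2], {})[fields[3]] = parts[1].strip()

    report = {}
    for name, s in stats.items():
        above = int(s.get("above_sec", 0))
        below = int(s.get("below_sec", 0))
        total = above + below
        usage, cap = int(s.get("usage", 0)), int(s.get("value", 0))
        report[name] = {
            "zonename": s.get("zonename", ""),
            # Share of observed time spent above the cap.
            "above_fraction": above / total if total else 0.0,
            # Threads currently parked on the cap wait queue.
            "nwait": int(s.get("nwait", 0)),
            # usage and value are both percentages of a single CPU.
            "at_cap": usage >= cap > 0,
        }
    return report


def throttled(text, min_fraction=0.25):
    """Names whose time above the cap reaches min_fraction or that have waiters."""
    return sorted(
        name for name, r in cap_report(text).items()
        if r["above_fraction"] >= min_fraction or r["nwait"] > 0
    )


if __name__ == "__main__":
    for name in throttled(SAMPLE):
        print(name, cap_report(SAMPLE)[name])
```
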
 715 
 716 OPTIONS
 717        The following options are supported:
 718 
 719        -f command_file
 720 
 721            Specify the name of a zonecfg command file. command_file is a text
 722            file of zonecfg subcommands, one per line.
 723 
 724 
 725        -z zonename
 726 
 727            Specify the name of a zone. Zone names are case sensitive. Zone
 728            names must begin with an alphanumeric character and can contain
 729            alphanumeric characters, the underscore (_), the hyphen (-), and the
 730            dot (.). The name global and all names beginning with SUNW are
 731            reserved and cannot be used.
 732 
 733 
 734 SUBCOMMANDS
 735        You can use the add and select subcommands to select a specific
 736        resource, at which point the scope changes to that resource. The end
 737        and cancel subcommands are used to complete the resource specification,
 738        at which time the scope is reverted back to global. Certain
 739        subcommands, such as add, remove and set, have different semantics in
 740        each scope.
 741 
 742 
 743        zonecfg supports a semicolon-separated list of subcommands. For
 744        example:
 745 
 746          # zonecfg -z myzone "add net; set physical=myvnic; end"
 747 
 748 
 749 
 750 
 751        Subcommands which can result in destructive actions or loss of work
 752        have an -F option to force the action. If input is from a terminal
 753        device, the user is prompted when appropriate if such a command is
 754        given without the -F option; otherwise, if such a command is given
 755        without the -F option, the action is disallowed, with a diagnostic
 756        message written to standard error.
 757 
 758 
 759        The following subcommands are supported:
 760 
 761        add resource-type (global scope)
 762        add property-name property-value (resource scope)
 763 
 764            In the global scope, begin the specification for a given resource
 765            type. The scope is changed to that resource type.
 766 
 767            In the resource scope, add a property of the given name with the
 768            given value.  The syntax for property values varies with different
 769            property types. In general, it is a simple value or a list of
 770            simple values enclosed in square brackets, separated by commas
 771            ([foo,bar,baz]). See PROPERTIES.
 772 
 773 
 774        cancel
 775 
 776            End the resource specification and reset scope to global. Abandons
 777            any partially specified resources. cancel is only applicable in the
 778            resource scope.
 779 
 780 
 781        clear property-name
 782 
 783            Clear the value for the property.
 784 
 785 
 786        commit
 787 
 788            Commit the current configuration from memory to stable storage. The
 789            configuration must be committed to be used by zoneadm. Until the
 790            in-memory configuration is committed, you can remove changes with
 791            the revert subcommand. The commit operation is attempted
 792            automatically upon completion of a zonecfg session. Since a
 793            configuration must be correct to be committed, this operation
 794            automatically does a verify.
 795 
 796 
 797        create [-F] [-a path | -b | -t template]
 798 
 799            Create an in-memory configuration for the specified zone. Use
 800            create to begin to configure a new zone. See commit for saving this
 801            to stable storage.
 802 
 803            If you are overwriting an existing configuration, specify the -F
 804            option to force the action. Specify the -t template option to
 805            create a configuration identical to template, where template is the
 806            name of a configured zone.
 807 
 808            Use the -a path option to facilitate configuring a detached zone on
 809            a new host. The path parameter is the zonepath location of a
 810            detached zone that has been moved on to this new host. Once the
 811            detached zone is configured, it should be installed using the
 812            "zoneadm attach" command (see zoneadm(1M)). All validation of the
 813            new zone happens during the attach process, not during zone
 814            configuration.
 815 
 816            Use the -b option to create a blank configuration. Without
 817            arguments, create applies the Sun default settings.
 818 
 819 
 820        delete [-F]
 821 
 822            Delete the specified configuration from memory and stable storage.
 823            This action is instantaneous; no commit is necessary. A deleted
 824            configuration cannot be reverted.
 825 
 826            Specify the -F option to force the action.
 827 
 828 
 829        end
 830 
 831            End the resource specification. This subcommand is only applicable
 832            in the resource scope. zonecfg checks to make sure the current
 833            resource is completely specified. If so, it is added to the
 834            in-memory configuration (see commit for saving this to stable storage)
 835            and the scope reverts to global. If the specification is
 836            incomplete, it issues an appropriate error message.
 837 
 838 
 839        export [-f output-file]
 840 
 841            Print configuration to standard output. Use the -f option to print
 842            the configuration to output-file. This option produces output in a
 843            form suitable for use in a command file.
 844 
 845 
 846        help [usage] [subcommand] [syntax] [command-name]
 847 
 848            Print general help or help about given topic.
 849 
 850 
 851        info zonename | zonepath | autoboot | brand | pool | limitpriv
 852        info [resource-type [property-name=property-value]*]
 853 
 854            Display information about the current configuration. If
 855            resource-type is specified, displays only information about resources of the
 856            relevant type. If any property-name value pairs are specified,
 857            displays only information about resources meeting the given
 858            criteria. In the resource scope, any arguments are ignored, and
 859            info displays information about the resource which is currently
 860            being added or modified.
 861 
 862 
 863        remove resource-type [property-name=property-value] (global scope)
 864 
 865            In the global scope, removes the specified resource. The [] syntax
 866            means 0 or more of whatever is inside the square braces. If you
 867            want only to remove a single instance of the resource, you must
 868            specify enough property name-value pairs for the resource to be
 869            uniquely identified. If no property name-value pairs are specified,
 870            all instances will be removed. If more than one pair is
 871            specified, a confirmation is required, unless you use the -F
 872            option.
 873 
 874 
 875        select resource-type {property-name=property-value}
 876 
 877            Select the resource of the given type which matches the given
 878            property-name property-value pair criteria, for modification. This
 879            subcommand is applicable only in the global scope. The scope is
 880            changed to that resource type. The {} syntax means 1 or more of
 881            whatever is inside the curly braces. You must specify enough
 882            property-name property-value pairs for the resource to be uniquely
 883            identified.
 884 
 885 
 886        set property-name=property-value
 887 
 888            Set a given property name to the given value. Some properties (for
 889            example, zonename and zonepath) are global while others are
 890            resource-specific. This subcommand is applicable in both the global
 891            and resource scopes.
 892 
 893 
 894        verify
 895 
 896            Verify the current configuration for correctness:
 897 
 898                o      All resources have all of their required properties
 899                       specified.
 900 
 901                o      A zonepath is specified.
 902 
 903 
 904        revert [-F]
 905 
 906            Revert the configuration back to the last committed state. The -F
 907            option can be used to force the action.
 908 
 909 
 910        exit [-F]
 911 
 912            Exit the zonecfg session. A commit is automatically attempted if
 913            needed.  You can also use an EOF character to exit zonecfg. The -F
 914            option can be used to force the action.
 915 
 916 
 917 EXAMPLES
 918        Example 1 Creating the Environment for a New Zone
 919 
 920 
 921        In the following example, zonecfg creates the environment for a new
 922        zone.  /usr/local is loopback mounted from the global zone into
 923        /opt/local. /opt/sfw is loopback mounted from the global zone, three
 924        logical network interfaces are added, and a limit on the number of
 925        fair-share scheduler (FSS) CPU shares for a zone is set using the rctl
 926        resource type. The example also shows how to select a given resource
 927        for modification.
 928 
 929 
 930          example# zonecfg -z myzone3
 931          myzone3: No such zone configured
 932          Use 'create' to begin configuring a new zone.
 933          zonecfg:myzone3> create
 934          zonecfg:myzone3> set zonepath=/export/home/my-zone3
 935          zonecfg:myzone3> set autoboot=true
 936          zonecfg:myzone3> add fs
 937          zonecfg:myzone3:fs> set dir=/usr/local
 938          zonecfg:myzone3:fs> set special=/opt/local
 939          zonecfg:myzone3:fs> set type=lofs
 940          zonecfg:myzone3:fs> add options [ro,nodevices]
 941          zonecfg:myzone3:fs> end
 942          zonecfg:myzone3> add fs
 943          zonecfg:myzone3:fs> set dir=/mnt
 944          zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
 945          zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
 946          zonecfg:myzone3:fs> set type=ufs
 947          zonecfg:myzone3:fs> end
 948          zonecfg:myzone3> add net
 949          zonecfg:myzone3:net> set address=192.168.0.1/24
 950          zonecfg:myzone3:net> set physical=eri0
 951          zonecfg:myzone3:net> end
 952          zonecfg:myzone3> add net
 953          zonecfg:myzone3:net> set address=192.168.1.2/24
 954          zonecfg:myzone3:net> set physical=eri0
 955          zonecfg:myzone3:net> end
 956          zonecfg:myzone3> add net
 957          zonecfg:myzone3:net> set address=192.168.2.3/24
 958          zonecfg:myzone3:net> set physical=eri0
 959          zonecfg:myzone3:net> end
 960          zonecfg:myzone3> set cpu-shares=5
 961          zonecfg:myzone3> add capped-memory
 962          zonecfg:myzone3:capped-memory> set physical=50m
 963          zonecfg:myzone3:capped-memory> set swap=100m
 964          zonecfg:myzone3:capped-memory> end
 965          zonecfg:myzone3> exit
 966 
 967 
 968 
 969        Example 2 Creating a Non-Native Zone
 970 
 971 
 972        The following example creates a new Linux zone:
 973 
 974 
 975          example# zonecfg -z lxzone
 976          lxzone: No such zone configured
 977          Use 'create' to begin configuring a new zone
 978          zonecfg:lxzone> create -t SUNWlx
 979          zonecfg:lxzone> set zonepath=/export/zones/lxzone
 980          zonecfg:lxzone> set autoboot=true
 981          zonecfg:lxzone> exit
 982 
 983 
 984 
 985        Example 3 Creating an Exclusive-IP Zone
 986 
 987 
 988        The following example creates a zone that is granted exclusive access
 989        to bge1 and bge33000 and that is isolated at the IP layer from the
 990        other zones configured on the system.
 991 
 992 
 993 
 994        The IP addresses and routing are configured inside the new zone using
 995        sysidtool(1M).
 996 
 997 
 998          example# zonecfg -z excl
 999          excl: No such zone configured
1000          Use 'create' to begin configuring a new zone
1001          zonecfg:excl> create
1002          zonecfg:excl> set zonepath=/export/zones/excl
1003          zonecfg:excl> set ip-type=exclusive
1004          zonecfg:excl> add net
1005          zonecfg:excl:net> set physical=bge1
1006          zonecfg:excl:net> end
1007          zonecfg:excl> add net
1008          zonecfg:excl:net> set physical=bge33000
1009          zonecfg:excl:net> end
1010          zonecfg:excl> exit
1011 
1012 
1013 
1014        Example 4 Associating a Zone with a Resource Pool
1015 
1016 
1017        The following example shows how to associate an existing zone with an
1018        existing resource pool:
1019 
1020 
1021          example# zonecfg -z myzone
1022          zonecfg:myzone> set pool=mypool
1023          zonecfg:myzone> exit
1024 
1025 
1026 
1027 
1028        For more information about resource pools, see pooladm(1M) and
1029        poolcfg(1M).
1030 
1031 
1032        Example 5 Changing the Name of a Zone
1033 
1034 
1035        The following example shows how to change the name of an existing zone:
1036 
1037 
1038          example# zonecfg -z myzone
1039          zonecfg:myzone> set zonename=myzone2
1040          zonecfg:myzone2> exit
1041 
1042 
1043 
1044        Example 6 Changing the Privilege Set of a Zone
1045 
1046 
1047        The following example shows how to change the set of privileges an
1048        existing zone's processes will be limited to the next time the zone is
1049        booted. In this particular case, the privilege set will be the standard
1050        safe set of privileges a zone normally has along with the privilege to
1051        change the system date and time:
1052 
1053 
1054          example# zonecfg -z myzone
1055          zonecfg:myzone> set limitpriv="default,sys_time"
1056          zonecfg:myzone> exit
1057 
1058 
1059 
1060        Example 7 Setting the zone.cpu-shares Property for the Global Zone
1061 
1062 
1063        The following command sets the zone.cpu-shares property for the global
1064        zone:
1065 
1066 
1067          example# zonecfg -z global
1068          zonecfg:global> set cpu-shares=5
1069          zonecfg:global> exit
1070 
1071 
1072 
1073        Example 8 Using Pattern Matching
1074 
1075 
1076        The following commands illustrate zonecfg support for pattern matching.
1077        In the zone flexlm, enter:
1078 
1079 
1080          zonecfg:flexlm> add device
1081          zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
1082          zonecfg:flexlm:device> end
1083 
1084 
1085 
1086 
1087        In the global zone, enter:
1088 
1089 
1090          global# ls /dev/cua
1091          a     a000  a001  a002  a003  a004  a005  a006  a007  b
1092 
1093 
1094 
1095 
1096        In the zone flexlm, enter:
1097 
1098 
1099          flexlm# ls /dev/cua
1100          a002  a003  a004  a005
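
The settings shown in Examples 1, 6 and 8 (lofs mount options, limitpriv, device match patterns) are the ones that decide what a zone can reach in the global zone. The following added example, which is not part of the original manual page, parses a command file of the kind produced by `export` and lists those settings for review. The sample file is constructed, and the function names are hypothetical.

```python
import shlex

# Constructed command file using the subcommands shown in this page's examples.
SAMPLE = """\
set limitpriv="default,sys_time"
add fs
set dir=/usr/local
set special=/opt/local
set type=lofs
add options [ro,nodevices]
end
add fs
set dir=/data
set special=/export/data
set type=lofs
end
add device
set match="/dev/cua/a00[2-5]"
end
"""

def parse(text):
    """Return (global_props, resources) from zonecfg command-file text."""
    props, resources, cur = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words: continue
        cmd, args = words[0], words[1:]
        if cmd == "add" and cur is None and args:
            cur = {"type": args[0], "props": {}, "options": set()}
        elif cmd == "add" and cur is not None and args[:1] == ["options"]:
            opts = "".join(args[1:]).strip("[]")
            cur["options"].update(o for o in opts.split(",") if o)
        elif cmd == "set" and args and "=" in args[0]:
            name, value = args[0].split("=", 1)
            (cur["props"] if cur is not None else props)[name] = value
        elif cmd == "end" and cur is not None:
            resources.append(cur)
            cur = None
    return props, resources

def audit(text):
    """List settings that widen what the zone can reach, for human review."""
    props, resources = parse(text)
    extra = [p for p in props.get("limitpriv", "default").split(",") if p != "default"]
    findings = [("limitpriv", ",".join(extra))] if extra else []
    for r in resources:
        if r["type"] == "fs" and r["props"].get("type") == "lofs":
            missing = sorted({"ro", "nodevices"} - r["options"])
            if missing:
                findings.append(("lofs", r["props"].get("dir"), missing))
        elif r["type"] == "device":
            findings.append(("device", r["props"].get("match")))
    return findings
```

Every limitpriv token other than `default` is reported, so a reviewer sees each privilege the configuration names explicitly.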
1101 
1102 
1103 
1104        Example 9 Setting a Cap for a Zone to Three CPUs
1105 
1106 
1107        The following sequence uses the zonecfg command to set the CPU cap for
1108        a zone to three CPUs.
1109 
1110 
1111          zonecfg:myzone> add capped-cpu
1112          zonecfg:myzone:capped-cpu> set ncpus=3
1113          zonecfg:myzone:capped-cpu> end
1114 
1115 
1116 
1117 
1118        The preceding sequence, which uses the capped-cpu property, is
1119        equivalent to the following sequence, which makes use of the zone.cpu-
1120        cap resource control.
1121 
1122 
1123          zonecfg:myzone> add rctl
1124          zonecfg:myzone:rctl> set name=zone.cpu-cap
1125          zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
1126          zonecfg:myzone:rctl> end
1127 
1128 
1129 
1130        Example 10 Using kstat to Monitor CPU Caps
1131 
1132 
1133        The following command displays information about all CPU caps.
1134 
1135 
1136          # kstat -n /cpucaps/
1137          module: caps                            instance: 0
1138          name:   cpucaps_project_0               class:    project_caps
1139                  above_sec                       0
1140                  below_sec                       2157
1141                  crtime                          821.048183159
1142                  maxusage                        2
1143                  nwait                           0
1144                  snaptime                        235885.637253027
1145                  usage                           0
1146                  value                           18446743151372347932
1147                  zonename                        global
1148 
1149          module: caps                            instance: 0
1150          name:   cpucaps_project_1               class:    project_caps
1151                  above_sec                       0
1152                  below_sec                       0
1153                  crtime                          225339.192787265
1154                  maxusage                        5
1155                  nwait                           0
1156                  snaptime                        235885.637591677
1157                  usage                           5
1158                  value                           18446743151372347932
1159                  zonename                        global
1160 
1161          module: caps                            instance: 0
1162          name:   cpucaps_project_201             class:    project_caps
1163                  above_sec                       0
1164                  below_sec                       235105
1165                  crtime                          780.37961782
1166                  maxusage                        100
1167                  nwait                           0
1168                  snaptime                        235885.637789687
1169                  usage                           43
1170                  value                           100
1171                  zonename                        global
1172 
1173          module: caps                            instance: 0
1174          name:   cpucaps_project_202             class:    project_caps
1175                  above_sec                       0
1176                  below_sec                       235094
1177                  crtime                          791.72983782
1178                  maxusage                        100
1179                  nwait                           0
1180                  snaptime                        235885.637967512
1181                  usage                           48
1182                  value                           100
1183                  zonename                        global
1184 
1185          module: caps                            instance: 0
1186          name:   cpucaps_project_203             class:    project_caps
1187                  above_sec                       0
1188                  below_sec                       235034
1189                  crtime                          852.104401481
1190                  maxusage                        75
1191                  nwait                           0
1192                  snaptime                        235885.638144304
1193                  usage                           47
1194                  value                           100
1195                  zonename                        global
1196 
1197          module: caps                            instance: 0
1198          name:   cpucaps_project_86710           class:    project_caps
1199                  above_sec                       22
1200                  below_sec                       235166
1201                  crtime                          698.441717859
1202                  maxusage                        101
1203                  nwait                           0
1204                  snaptime                        235885.638319871
1205                  usage                           54
1206                  value                           100
1207                  zonename                        global
1208 
1209          module: caps                            instance: 0
1210          name:   cpucaps_zone_0                  class:    zone_caps
1211                  above_sec                       100733
1212                  below_sec                       134332
1213                  crtime                          821.048177123
1214                  maxusage                        207
1215                  nwait                           2
1216                  snaptime                        235885.638497731
1217                  usage                           199
1218                  value                           200
1219                  zonename                        global
1220 
1221          module: caps                            instance: 1
1222          name:   cpucaps_project_0               class:    project_caps
1223                  above_sec                       0
1224                  below_sec                       0
1225                  crtime                          225360.256448422
1226                  maxusage                        7
1227                  nwait                           0
1228                  snaptime                        235885.638714404
1229                  usage                           7
1230                  value                           18446743151372347932
1231                  zonename                        test_001
1232 
1233          module: caps                            instance: 1
1234          name:   cpucaps_zone_1                  class:    zone_caps
1235                  above_sec                       2
1236                  below_sec                       10524
1237                  crtime                          225360.256440278
1238                  maxusage                        106
1239                  nwait                           0
1240                  snaptime                        235885.638896443
1241                  usage                           7
1242                  value                           100
1243                  zonename                        test_001
1244 
1245 
1246 
1247        Example 11 Displaying CPU Caps for a Specific Zone or Project
1248 
1249 
1250        Using the kstat -c and -i options, you can display CPU caps for a
1251        specific zone or project, as below. The first command produces a
1252        display for a specific project, the second for the same project within
1253        zone 1.
1254 
1255 
1256          # kstat -c project_caps
1257 
1258          # kstat -c project_caps -i 1
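
The kstat output of Examples 10 and 11 can be checked automatically for zones that keep running into their CPU cap. The following added example, which is not part of the original manual page, parses that output and reports zone caps that were exceeded for more than a chosen share of the observed time. It assumes that above_sec and below_sec count seconds spent above and below the cap, which the page does not define; the function names and the 10% threshold are hypothetical.

```python
import re

# Two zone_caps blocks abridged from the Example 10 output above.
SAMPLE = """\
module: caps                            instance: 0
name:   cpucaps_zone_0                  class:    zone_caps
        above_sec                       100733
        below_sec                       134332
        maxusage                        207
        usage                           199
        value                           200
        zonename                        global

module: caps                            instance: 1
name:   cpucaps_zone_1                  class:    zone_caps
        above_sec                       2
        below_sec                       10524
        maxusage                        106
        usage                           7
        value                           100
        zonename                        test_001
"""

def parse_kstat(text):
    """Split kstat output into one dict per statistic block."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            tokens = line.split()
            if len(tokens) == 4 and tokens[0] in ("module:", "name:"):
                # Header lines carry two "key: value" pairs.
                rec[tokens[0].rstrip(":")] = tokens[1]
                rec[tokens[2].rstrip(":")] = tokens[3]
            elif len(tokens) >= 2:
                rec[tokens[0]] = tokens[1]
        blocks.append(rec)
    return blocks

def pressure(rec):
    """Share of observed time spent above the cap (assumed field meaning)."""
    above, below = int(rec["above_sec"]), int(rec["below_sec"])
    return above / (above + below) if above + below else 0.0

def capped_zones(text, threshold=0.10):
    """Zone caps that were exceeded for more than `threshold` of the time."""
    hits = []
    for rec in parse_kstat(text):
        if rec.get("class") == "zone_caps" and pressure(rec) > threshold:
            hits.append((rec["zonename"], rec["name"], round(pressure(rec), 3)))
    return hits

print(capped_zones(SAMPLE))
```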
1259 
1260 
1261 
1262 EXIT STATUS
1263        The following exit values are returned:
1264 
1265        0
1266 
1267            Successful completion.
1268 
1269 
1270        1
1271 
1272            An error occurred.
1273 
1274 
1275        2
1276 
1277            Invalid usage.
1278 
1279 
1280 ATTRIBUTES
1281        See attributes(5) for descriptions of the following attributes:
1282 
1283 
1284 
1285 
1286        +--------------------+-----------------+
1287        |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
1288        +--------------------+-----------------+
1289        |Interface Stability | Volatile        |
1290        +--------------------+-----------------+
1291 
1292 SEE ALSO
1293        ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1294        poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1295        sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1296        kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1297        privileges(5), resource_controls(5), security-flags(5), zones(5)
1298 
1299 
1300        System Administration Guide: Solaris Containers-Resource Management,
1301        and Solaris Zones
1302 
1303 NOTES
1304        All character data used by zonecfg must be in US-ASCII encoding.
1305 
1306 
1307 
1308                                February 28, 2014                   ZONECFG(1M)