1 ZONECFG(1M) Maintenance Commands ZONECFG(1M) 2 3 4 5 NAME 6 zonecfg - set up zone configuration 7 8 SYNOPSIS 9 zonecfg -z zonename 10 11 12 zonecfg -z zonename subcommand 13 14 15 zonecfg -z zonename -f command_file 16 17 18 zonecfg help 19 20 21 DESCRIPTION 22 The zonecfg utility creates and modifies the configuration of a zone. 23 Zone configuration consists of a number of resources and properties. 24 25 26 To simplify the user interface, zonecfg uses the concept of a scope. 27 The default scope is global. 28 29 30 The following synopsis of the zonecfg command is for interactive usage: 31 32 zonecfg -z zonename subcommand 33 34 35 36 37 Parameters changed through zonecfg do not affect a running zone. The 38 zone must be rebooted for the changes to take effect. 39 40 41 In addition to creating and modifying a zone, the zonecfg utility can 42 also be used to persistently specify the resource management settings 43 for the global zone. 44 45 46 In the following text, "rctl" is used as an abbreviation for "resource 47 control". See resource_controls(5). 48 49 50 Every zone is configured with an associated brand. The brand determines 51 the user-level environment used within the zone, as well as various 52 behaviors for the zone when it is installed, boots, or is shutdown. 53 Once a zone has been installed the brand cannot be changed. The default 54 brand is determined by the installed distribution in the global zone. 55 Some brands do not support all of the zonecfg properties and resources. 56 See the brand-specific man page for more details on each brand. For an 57 overview of brands, see the brands(5) man page. 58 59 Resources 60 The following resource types are supported: 61 62 attr 63 64 Generic attribute. 65 66 67 capped-cpu 68 69 Limits for CPU usage. 70 71 72 capped-memory 73 74 Limits for physical, swap, and locked memory. 75 76 77 dataset 78 79 ZFS dataset. 80 81 82 dedicated-cpu 83 84 Subset of the system's processors dedicated to this zone while it 85 is running. 86 87 88 device 89 90 Device. 91 92 93 fs 94 95 file-system 96 97 98 net 99 100 Network interface. 101 102 103 rctl 104 105 Resource control. 106 107 108 security-flags 109 110 Process security flag settings. 111 112 113 Properties 114 Each resource type has one or more properties. There are also some 115 global properties, that is, properties of the configuration as a whole, 116 rather than of some particular resource. 117 118 119 The following properties are supported: 120 121 (global) 122 123 zonename 124 125 126 (global) 127 128 zonepath 129 130 131 (global) 132 133 autoboot 134 135 136 (global) 137 138 bootargs 139 140 141 (global) 142 143 pool 144 145 146 (global) 147 148 limitpriv 149 150 151 (global) 152 153 brand 154 155 156 (global) 157 158 cpu-shares 159 160 161 (global) 162 163 hostid 164 165 166 (global) 167 168 max-lwps 169 170 171 (global) 172 173 max-msg-ids 174 175 176 (global) 177 178 max-sem-ids 179 180 181 (global) 182 183 max-shm-ids 184 185 186 (global) 187 188 max-shm-memory 189 190 191 (global) 192 193 scheduling-class 194 195 196 (global) 197 198 fs-allowed 199 200 201 fs 202 203 dir, special, raw, type, options 204 205 206 net 207 208 address, physical, defrouter 209 210 211 device 212 213 match 214 215 216 rctl 217 218 name, value 219 220 221 attr 222 223 name, type, value 224 225 226 dataset 227 228 name 229 230 231 dedicated-cpu 232 233 ncpus, importance 234 235 236 capped-memory 237 238 physical, swap, locked 239 240 241 capped-cpu 242 243 ncpus 244 245 246 security-flags 247 248 lower, default, upper. 249 250 251 252 As for the property values which are paired with these names, they are 253 either simple, complex, or lists. The type allowed is property- 254 specific. Simple values are strings, optionally enclosed within 255 quotation marks. Complex values have the syntax: 256 257 (<name>=<value>,<name>=<value>,...) 258 259 260 261 262 where each <value> is simple, and the <name> strings are unique within 263 a given property. Lists have the syntax: 264 265 [<value>,...] 266 267 268 269 270 where each <value> is either simple or complex. A list of a single 271 value (either simple or complex) is equivalent to specifying that value 272 without the list syntax. That is, "foo" is equivalent to "[foo]". A 273 list can be empty (denoted by "[]"). 274 275 276 In interpreting property values, zonecfg accepts regular expressions as 277 specified in fnmatch(5). See EXAMPLES. 278 279 280 The property types are described as follows: 281 282 global: zonename 283 284 The name of the zone. 285 286 287 global: zonepath 288 289 Path to zone's file system. 290 291 292 global: autoboot 293 294 Boolean indicating that a zone should be booted automatically at 295 system boot. Note that if the zones service is disabled, the zone 296 will not autoboot, regardless of the setting of this property. You 297 enable the zones service with a svcadm command, such as: 298 299 # svcadm enable svc:/system/zones:default 300 301 302 Replace enable with disable to disable the zones service. See 303 svcadm(1M). 304 305 306 global: bootargs 307 308 Arguments (options) to be passed to the zone bootup, unless options 309 are supplied to the "zoneadm boot" command, in which case those 310 take precedence. The valid arguments are described in zoneadm(1M). 311 312 313 global: pool 314 315 Name of the resource pool that this zone must be bound to when 316 booted. This property is incompatible with the dedicated-cpu 317 resource. 318 319 320 global: limitpriv 321 322 The maximum set of privileges any process in this zone can obtain. 323 The property should consist of a comma-separated privilege set 324 specification as described in priv_str_to_set(3C). Privileges can 325 be excluded from the resulting set by preceding their names with a 326 dash (-) or an exclamation point (!). The special privilege string 327 "zone" is not supported in this context. If the special string 328 "default" occurs as the first token in the property, it expands 329 into a safe set of privileges that preserve the resource and 330 security isolation described in zones(5). A missing or empty 331 property is equivalent to this same set of safe privileges. 332 333 The system administrator must take extreme care when configuring 334 privileges for a zone. Some privileges cannot be excluded through 335 this mechanism as they are required in order to boot a zone. In 336 addition, there are certain privileges which cannot be given to a 337 zone as doing so would allow processes inside a zone to unduly 338 affect processes in other zones. zoneadm(1M) indicates when an 339 invalid privilege has been added or removed from a zone's privilege 340 set when an attempt is made to either "boot" or "ready" the zone. 341 342 See privileges(5) for a description of privileges. The command 343 "ppriv -l" (see ppriv(1)) produces a list of all Solaris 344 privileges. You can specify privileges as they are displayed by 345 ppriv. In privileges(5), privileges are listed in the form 346 PRIV_privilege_name. For example, the privilege sys_time, as you 347 would specify it in this property, is listed in privileges(5) as 348 PRIV_SYS_TIME. 349 350 351 global: brand 352 353 The zone's brand type. 354 355 356 global: ip-type 357 358 A zone can either share the IP instance with the global zone, which 359 is the default, or have its own exclusive instance of IP. 360 361 This property takes the values shared and exclusive. 362 363 364 global: hostid 365 366 A zone can emulate a 32-bit host identifier to ease system 367 consolidation. A zone's hostid property is empty by default, 368 meaning that the zone does not emulate a host identifier. Zone host 369 identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x 370 or 0X prefix is optional. Both uppercase and lowercase hexadecimal 371 digits are acceptable. 372 373 374 fs: dir, special, raw, type, options 375 376 Values needed to determine how, where, and so forth to mount file 377 systems. See mount(1M), mount(2), fsck(1M), and vfstab(4). 378 379 380 net: address, physical, defrouter 381 382 The network address and physical interface name of the network 383 interface. The network address is one of: 384 385 o a valid IPv4 address, optionally followed by "/" and a 386 prefix length; 387 388 o a valid IPv6 address, which must be followed by "/" and 389 a prefix length; 390 391 o a host name which resolves to an IPv4 address. 392 Note that host names that resolve to IPv6 addresses are not 393 supported. 394 395 The physical interface name is the network interface name. 396 397 The default router is specified similarly to the network address 398 except that it must not be followed by a / (slash) and a network 399 prefix length. 400 401 A zone can be configured to be either exclusive-IP or shared-IP. 402 For a shared-IP zone, you must set both the physical and address 403 properties; setting the default router is optional. The interface 404 specified in the physical property must be plumbed in the global 405 zone prior to booting the non-global zone. However, if the 406 interface is not used by the global zone, it should be configured 407 down in the global zone, and the default router for the interface 408 should be specified here. 409 410 For an exclusive-IP zone, the physical property must be set and the 411 address and default router properties cannot be set. 412 413 414 device: match 415 416 Device name to match. 417 418 419 rctl: name, value 420 421 The name and priv/limit/action triple of a resource control. See 422 prctl(1) and rctladm(1M). The preferred way to set rctl values is 423 to use the global property name associated with a specific rctl. 424 425 426 attr: name, type, value 427 428 The name, type and value of a generic attribute. The type must be 429 one of int, uint, boolean or string, and the value must be of that 430 type. uint means unsigned , that is, a non-negative integer. 431 432 433 dataset: name 434 435 The name of a ZFS dataset to be accessed from within the zone. See 436 zfs(1M). 437 438 439 global: cpu-shares 440 441 The number of Fair Share Scheduler (FSS) shares to allocate to this 442 zone. This property is incompatible with the dedicated-cpu 443 resource. This property is the preferred way to set the zone.cpu- 444 shares rctl. 445 446 447 global: max-lwps 448 449 The maximum number of LWPs simultaneously available to this zone. 450 This property is the preferred way to set the zone.max-lwps rctl. 451 452 453 global: max-msg-ids 454 455 The maximum number of message queue IDs allowed for this zone. This 456 property is the preferred way to set the zone.max-msg-ids rctl. 457 458 459 global: max-sem-ids 460 461 The maximum number of semaphore IDs allowed for this zone. This 462 property is the preferred way to set the zone.max-sem-ids rctl. 463 464 465 global: max-shm-ids 466 467 The maximum number of shared memory IDs allowed for this zone. This 468 property is the preferred way to set the zone.max-shm-ids rctl. 469 470 471 global: max-shm-memory 472 473 The maximum amount of shared memory allowed for this zone. This 474 property is the preferred way to set the zone.max-shm-memory rctl. 475 A scale (K, M, G, T) can be applied to the value for this number 476 (for example, 1M is one megabyte). 477 478 479 global: scheduling-class 480 481 Specifies the scheduling class used for processes running in a 482 zone. When this property is not specified, the scheduling class is 483 established as follows: 484 485 o If the cpu-shares property or equivalent rctl is set, 486 the scheduling class FSS is used. 487 488 o If neither cpu-shares nor the equivalent rctl is set and 489 the zone's pool property references a pool that has a 490 default scheduling class, that class is used. 491 492 o Under any other conditions, the system default 493 scheduling class is used. 494 495 496 497 498 dedicated-cpu: ncpus, importance 499 500 The number of CPUs that should be assigned for this zone's 501 exclusive use. The zone will create a pool and processor set when 502 it boots. See pooladm(1M) and poolcfg(1M) for more information on 503 resource pools. The ncpu property can specify a single value or a 504 range (for example, 1-4) of processors. The importance property is 505 optional; if set, it will specify the pset.importance value for use 506 by poold(1M). If this resource is used, there must be enough free 507 processors to allocate to this zone when it boots or the zone will 508 not boot. The processors assigned to this zone will not be 509 available for the use of the global zone or other zones. This 510 resource is incompatible with both the pool and cpu-shares 511 properties. Only a single instance of this resource can be added to 512 the zone. 513 514 515 capped-memory: physical, swap, locked 516 517 The caps on the memory that can be used by this zone. A scale (K, 518 M, G, T) can be applied to the value for each of these numbers (for 519 example, 1M is one megabyte). Each of these properties is optional 520 but at least one property must be set when adding this resource. 521 Only a single instance of this resource can be added to the zone. 522 The physical property sets the max-rss for this zone. This will be 523 enforced by rcapd(1M) running in the global zone. The swap 524 property is the preferred way to set the zone.max-swap rctl. The 525 locked property is the preferred way to set the zone.max-locked- 526 memory rctl. 527 528 529 capped-cpu: ncpus 530 531 Sets a limit on the amount of CPU time that can be used by a zone. 532 The unit used translates to the percentage of a single CPU that can 533 be used by all user threads in a zone, expressed as a fraction (for 534 example, .75) or a mixed number (whole number and fraction, for 535 example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of 536 1.25 means 125%, .75 mean 75%, and so forth. When projects within a 537 capped zone have their own caps, the minimum value takes 538 precedence. 539 540 The capped-cpu property is an alias for zone.cpu-cap resource 541 control and is related to the zone.cpu-cap resource control. See 542 resource_controls(5). 543 544 545 security-flags: lower, default, upper 546 547 Set the process security flags associated with the zone. The lower 548 and upper fields set the limits, the default field is set of flags 549 all zone processes inherit. 550 551 552 global: fs-allowed 553 554 A comma-separated list of additional filesystems that may be 555 mounted within the zone; for example "ufs,pcfs". By default, only 556 hsfs(7fs) and network filesystems can be mounted. If the first 557 entry in the list is "-" then that disables all of the default 558 filesystems. If any filesystems are listed after "-" then only 559 those filesystems can be mounted. 560 561 This property does not apply to filesystems mounted into the zone 562 via "add fs" or "add dataset". 563 564 WARNING: allowing filesystem mounts other than the default may 565 allow the zone administrator to compromise the system with a 566 malicious filesystem image, and is not supported. 567 568 569 570 The following table summarizes resources, property-names, and types: 571 572 resource property-name type 573 (global) zonename simple 574 (global) zonepath simple 575 (global) autoboot simple 576 (global) bootargs simple 577 (global) pool simple 578 (global) limitpriv simple 579 (global) brand simple 580 (global) ip-type simple 581 (global) hostid simple 582 (global) cpu-shares simple 583 (global) max-lwps simple 584 (global) max-msg-ids simple 585 (global) max-sem-ids simple 586 (global) max-shm-ids simple 587 (global) max-shm-memory simple 588 (global) scheduling-class simple 589 fs dir simple 590 special simple 591 raw simple 592 type simple 593 options list of simple 594 net address simple 595 physical simple 596 device match simple 597 rctl name simple 598 value list of complex 599 attr name simple 600 type simple 601 value simple 602 dataset name simple 603 dedicated-cpu ncpus simple or range 604 importance simple 605 606 capped-memory physical simple with scale 607 swap simple with scale 608 locked simple with scale 609 610 capped-cpu ncpus simple 611 security-flags lower simple 612 default simple 613 upper simple 614 615 616 617 618 To further specify things, the breakdown of the complex property 619 "value" of the "rctl" resource type, it consists of three name/value 620 pairs, the names being "priv", "limit" and "action", each of which 621 takes a simple value. The "name" property of an "attr" resource is 622 syntactically restricted in a fashion similar but not identical to zone 623 names: it must begin with an alphanumeric, and can contain 624 alphanumerics plus the hyphen (-), underscore (_), and dot (.) 625 characters. Attribute names beginning with "zone" are reserved for use 626 by the system. Finally, the "autoboot" global property must have a 627 value of "true" or "false". 628 629 Using Kernel Statistics to Monitor CPU Caps 630 Using the kernel statistics (kstat(3KSTAT)) module caps, the system 631 maintains information for all capped projects and zones. You can access 632 this information by reading kernel statistics (kstat(3KSTAT)), 633 specifying caps as the kstat module name. The following command 634 displays kernel statistics for all active CPU caps: 635 636 # kstat caps::'/cpucaps/' 637 638 639 640 641 A kstat(1M) command running in a zone displays only CPU caps relevant 642 for that zone and for projects in that zone. See EXAMPLES. 643 644 645 The following are cap-related arguments for use with kstat(1M): 646 647 caps 648 649 The kstat module. 650 651 652 project_caps or zone_caps 653 654 kstat class, for use with the kstat -c option. 655 656 657 cpucaps_project_id or cpucaps_zone_id 658 659 kstat name, for use with the kstat -n option. id is the project or 660 zone identifier. 661 662 663 664 The following fields are displayed in response to a kstat(1M) command 665 requesting statistics for all CPU caps. 666 667 module 668 669 In this usage of kstat, this field will have the value caps. 670 671 672 name 673 674 As described above, cpucaps_project_id or cpucaps_zone_id 675 676 677 above_sec 678 679 Total time, in seconds, spent above the cap. 680 681 682 below_sec 683 684 Total time, in seconds, spent below the cap. 685 686 687 maxusage 688 689 Maximum observed CPU usage. 690 691 692 nwait 693 694 Number of threads on cap wait queue. 695 696 697 usage 698 699 Current aggregated CPU usage for all threads belonging to a capped 700 project or zone, in terms of a percentage of a single CPU. 701 702 703 value 704 705 The cap value, in terms of a percentage of a single CPU. 706 707 708 zonename 709 710 Name of the zone for which statistics are displayed. 711 712 713 714 See EXAMPLES for sample output from a kstat command. 715 716 OPTIONS 717 The following options are supported: 718 719 -f command_file 720 721 Specify the name of zonecfg command file. command_file is a text 722 file of zonecfg subcommands, one per line. 723 724 725 -z zonename 726 727 Specify the name of a zone. Zone names are case sensitive. Zone 728 names must begin with an alphanumeric character and can contain 729 alphanumeric characters, the underscore (_) the hyphen (-), and the 730 dot (.). The name global and all names beginning with SUNW are 731 reserved and cannot be used. 732 733 734 SUBCOMMANDS 735 You can use the add and select subcommands to select a specific 736 resource, at which point the scope changes to that resource. The end 737 and cancel subcommands are used to complete the resource specification, 738 at which time the scope is reverted back to global. Certain 739 subcommands, such as add, remove and set, have different semantics in 740 each scope. 741 742 743 zonecfg supports a semicolon-separated list of subcommands. For 744 example: 745 746 # zonecfg -z myzone "add net; set physical=myvnic; end" 747 748 749 750 751 Subcommands which can result in destructive actions or loss of work 752 have an -F option to force the action. If input is from a terminal 753 device, the user is prompted when appropriate if such a command is 754 given without the -F option otherwise, if such a command is given 755 without the -F option, the action is disallowed, with a diagnostic 756 message written to standard error. 757 758 759 The following subcommands are supported: 760 761 add resource-type (global scope) 762 add property-name property-value (resource scope) 763 764 In the global scope, begin the specification for a given resource 765 type. The scope is changed to that resource type. 766 767 In the resource scope, add a property of the given name with the 768 given value. The syntax for property values varies with different 769 property types. In general, it is a simple value or a list of 770 simple values enclosed in square brackets, separated by commas 771 ([foo,bar,baz]). See PROPERTIES. 772 773 774 cancel 775 776 End the resource specification and reset scope to global. Abandons 777 any partially specified resources. cancel is only applicable in the 778 resource scope. 779 780 781 clear property-name 782 783 Clear the value for the property. 784 785 786 commit 787 788 Commit the current configuration from memory to stable storage. The 789 configuration must be committed to be used by zoneadm. Until the 790 in-memory configuration is committed, you can remove changes with 791 the revert subcommand. The commit operation is attempted 792 automatically upon completion of a zonecfg session. Since a 793 configuration must be correct to be committed, this operation 794 automatically does a verify. 795 796 797 create [-F] [ -a path |-b | -t template] 798 799 Create an in-memory configuration for the specified zone. Use 800 create to begin to configure a new zone. See commit for saving this 801 to stable storage. 802 803 If you are overwriting an existing configuration, specify the -F 804 option to force the action. Specify the -t template option to 805 create a configuration identical to template, where template is the 806 name of a configured zone. 807 808 Use the -a path option to facilitate configuring a detached zone on 809 a new host. The path parameter is the zonepath location of a 810 detached zone that has been moved on to this new host. Once the 811 detached zone is configured, it should be installed using the 812 "zoneadm attach" command (see zoneadm(1M)). All validation of the 813 new zone happens during the attach process, not during zone 814 configuration. 815 816 Use the -b option to create a blank configuration. Without 817 arguments, create applies the Sun default settings. 818 819 820 delete [-F] 821 822 Delete the specified configuration from memory and stable storage. 823 This action is instantaneous, no commit is necessary. A deleted 824 configuration cannot be reverted. 825 826 Specify the -F option to force the action. 827 828 829 end 830 831 End the resource specification. This subcommand is only applicable 832 in the resource scope. zonecfg checks to make sure the current 833 resource is completely specified. If so, it is added to the in- 834 memory configuration (see commit for saving this to stable storage) 835 and the scope reverts to global. If the specification is 836 incomplete, it issues an appropriate error message. 837 838 839 export [-f output-file] 840 841 Print configuration to standard output. Use the -f option to print 842 the configuration to output-file. This option produces output in a 843 form suitable for use in a command file. 844 845 846 help [usage] [subcommand] [syntax] [command-name] 847 848 Print general help or help about given topic. 849 850 851 info zonename | zonepath | autoboot | brand | pool | limitpriv 852 info [resource-type [property-name=property-value]*] 853 854 Display information about the current configuration. If resource- 855 type is specified, displays only information about resources of the 856 relevant type. If any property-name value pairs are specified, 857 displays only information about resources meeting the given 858 criteria. In the resource scope, any arguments are ignored, and 859 info displays information about the resource which is currently 860 being added or modified. 861 862 863 remove resource-type{property-name=property -value}(global scope) 864 865 In the global scope, removes the specified resource. The [] syntax 866 means 0 or more of whatever is inside the square braces. If you 867 want only to remove a single instance of the resource, you must 868 specify enough property name-value pairs for the resource to be 869 uniquely identified. If no property name-value pairs are specified, 870 all instances will be removed. If there is more than one pair is 871 specified, a confirmation is required, unless you use the -F 872 option. 873 874 875 select resource-type {property-name=property-value} 876 877 Select the resource of the given type which matches the given 878 property-name property-value pair criteria, for modification. This 879 subcommand is applicable only in the global scope. The scope is 880 changed to that resource type. The {} syntax means 1 or more of 881 whatever is inside the curly braces. You must specify enough 882 property -name property-value pairs for the resource to be uniquely 883 identified. 884 885 886 set property-name=property-value 887 888 Set a given property name to the given value. Some properties (for 889 example, zonename and zonepath) are global while others are 890 resource-specific. This subcommand is applicable in both the global 891 and resource scopes. 892 893 894 verify 895 896 Verify the current configuration for correctness: 897 898 o All resources have all of their required properties 899 specified. 900 901 o A zonepath is specified. 902 903 904 revert [-F] 905 906 Revert the configuration back to the last committed state. The -F 907 option can be used to force the action. 908 909 910 exit [-F] 911 912 Exit the zonecfg session. A commit is automatically attempted if 913 needed. You can also use an EOF character to exit zonecfg. The -F 914 option can be used to force the action. 915 916 917 EXAMPLES 918 Example 1 Creating the Environment for a New Zone 919 920 921 In the following example, zonecfg creates the environment for a new 922 zone. /usr/local is loopback mounted from the global zone into 923 /opt/local. /opt/sfw is loopback mounted from the global zone, three 924 logical network interfaces are added, and a limit on the number of 925 fair-share scheduler (FSS) CPU shares for a zone is set using the rctl 926 resource type. The example also shows how to select a given resource 927 for modification. 928 929 930 example# zonecfg -z myzone3 931 my-zone3: No such zone configured 932 Use 'create' to begin configuring a new zone. 933 zonecfg:myzone3> create 934 zonecfg:myzone3> set zonepath=/export/home/my-zone3 935 zonecfg:myzone3> set autoboot=true 936 zonecfg:myzone3> add fs 937 zonecfg:myzone3:fs> set dir=/usr/local 938 zonecfg:myzone3:fs> set special=/opt/local 939 zonecfg:myzone3:fs> set type=lofs 940 zonecfg:myzone3:fs> add options [ro,nodevices] 941 zonecfg:myzone3:fs> end 942 zonecfg:myzone3> add fs 943 zonecfg:myzone3:fs> set dir=/mnt 944 zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7 945 zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7 946 zonecfg:myzone3:fs> set type=ufs 947 zonecfg:myzone3:fs> end 948 zonecfg:myzone3> add net 949 zonecfg:myzone3:net> set address=192.168.0.1/24 950 zonecfg:myzone3:net> set physical=eri0 951 zonecfg:myzone3:net> end 952 zonecfg:myzone3> add net 953 zonecfg:myzone3:net> set address=192.168.1.2/24 954 zonecfg:myzone3:net> set physical=eri0 955 zonecfg:myzone3:net> end 956 zonecfg:myzone3> add net 957 zonecfg:myzone3:net> set address=192.168.2.3/24 958 zonecfg:myzone3:net> set physical=eri0 959 zonecfg:myzone3:net> end 960 zonecfg:my-zone3> set cpu-shares=5 961 zonecfg:my-zone3> add capped-memory 962 zonecfg:my-zone3:capped-memory> set physical=50m 963 zonecfg:my-zone3:capped-memory> set swap=100m 964 zonecfg:my-zone3:capped-memory> end 965 zonecfg:myzone3> exit 966 967 968 969 Example 2 Creating a Non-Native Zone 970 971 972 The following example creates a new Linux zone: 973 974 975 example# zonecfg -z lxzone 976 lxzone: No such zone configured 977 Use 'create' to begin configuring a new zone 978 zonecfg:lxzone> create -t SUNWlx 979 zonecfg:lxzone> set zonepath=/export/zones/lxzone 980 zonecfg:lxzone> set autoboot=true 981 zonecfg:lxzone> exit 982 983 984 985 Example 3 Creating an Exclusive-IP Zone 986 987 988 The following example creates a zone that is granted exclusive access 989 to bge1 and bge33000 and that is isolated at the IP layer from the 990 other zones configured on the system. 991 992 993 994 The IP addresses and routing is configured inside the new zone using 995 sysidtool(1M). 996 997 998 example# zonecfg -z excl 999 excl: No such zone configured 1000 Use 'create' to begin configuring a new zone 1001 zonecfg:excl> create 1002 zonecfg:excl> set zonepath=/export/zones/excl 1003 zonecfg:excl> set ip-type=exclusive 1004 zonecfg:excl> add net 1005 zonecfg:excl:net> set physical=bge1 1006 zonecfg:excl:net> end 1007 zonecfg:excl> add net 1008 zonecfg:excl:net> set physical=bge33000 1009 zonecfg:excl:net> end 1010 zonecfg:excl> exit 1011 1012 1013 1014 Example 4 Associating a Zone with a Resource Pool 1015 1016 1017 The following example shows how to associate an existing zone with an 1018 existing resource pool: 1019 1020 1021 example# zonecfg -z myzone 1022 zonecfg:myzone> set pool=mypool 1023 zonecfg:myzone> exit 1024 1025 1026 1027 1028 For more information about resource pools, see pooladm(1M) and 1029 poolcfg(1M). 1030 1031 1032 Example 5 Changing the Name of a Zone 1033 1034 1035 The following example shows how to change the name of an existing zone: 1036 1037 1038 example# zonecfg -z myzone 1039 zonecfg:myzone> set zonename=myzone2 1040 zonecfg:myzone2> exit 1041 1042 1043 1044 Example 6 Changing the Privilege Set of a Zone 1045 1046 1047 The following example shows how to change the set of privileges an 1048 existing zone's processes will be limited to the next time the zone is 1049 booted. In this particular case, the privilege set will be the standard 1050 safe set of privileges a zone normally has along with the privilege to 1051 change the system date and time: 1052 1053 1054 example# zonecfg -z myzone 1055 zonecfg:myzone> set limitpriv="default,sys_time" 1056 zonecfg:myzone2> exit 1057 1058 1059 1060 Example 7 Setting the zone.cpu-shares Property for the Global Zone 1061 1062 1063 The following command sets the zone.cpu-shares property for the global 1064 zone: 1065 1066 1067 example# zonecfg -z global 1068 zonecfg:global> set cpu-shares=5 1069 zonecfg:global> exit 1070 1071 1072 1073 Example 8 Using Pattern Matching 1074 1075 1076 The following commands illustrate zonecfg support for pattern matching. 1077 In the zone flexlm, enter: 1078 1079 1080 zonecfg:flexlm> add device 1081 zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]" 1082 zonecfg:flexlm:device> end 1083 1084 1085 1086 1087 In the global zone, enter: 1088 1089 1090 global# ls /dev/cua 1091 a a000 a001 a002 a003 a004 a005 a006 a007 b 1092 1093 1094 1095 1096 In the zone flexlm, enter: 1097 1098 1099 flexlm# ls /dev/cua 1100 a002 a003 a004 a005 1101 1102 1103 1104 Example 9 Setting a Cap for a Zone to Three CPUs 1105 1106 1107 The following sequence uses the zonecfg command to set the CPU cap for 1108 a zone to three CPUs. 1109 1110 1111 zonecfg:myzone> add capped-cpu 1112 zonecfg:myzone>capped-cpu> set ncpus=3 1113 zonecfg:myzone>capped-cpu>capped-cpu> end 1114 1115 1116 1117 1118 The preceding sequence, which uses the capped-cpu property, is 1119 equivalent to the following sequence, which makes use of the zone.cpu- 1120 cap resource control. 1121 1122 1123 zonecfg:myzone> add rctl 1124 zonecfg:myzone:rctl> set name=zone.cpu-cap 1125 zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none) 1126 zonecfg:myzone:rctl> end 1127 1128 1129 1130 Example 10 Using kstat to Monitor CPU Caps 1131 1132 1133 The following command displays information about all CPU caps. 1134 1135 1136 # kstat -n /cpucaps/ 1137 module: caps instance: 0 1138 name: cpucaps_project_0 class: project_caps 1139 above_sec 0 1140 below_sec 2157 1141 crtime 821.048183159 1142 maxusage 2 1143 nwait 0 1144 snaptime 235885.637253027 1145 usage 0 1146 value 18446743151372347932 1147 zonename global 1148 1149 module: caps instance: 0 1150 name: cpucaps_project_1 class: project_caps 1151 above_sec 0 1152 below_sec 0 1153 crtime 225339.192787265 1154 maxusage 5 1155 nwait 0 1156 snaptime 235885.637591677 1157 usage 5 1158 value 18446743151372347932 1159 zonename global 1160 1161 module: caps instance: 0 1162 name: cpucaps_project_201 class: project_caps 1163 above_sec 0 1164 below_sec 235105 1165 crtime 780.37961782 1166 maxusage 100 1167 nwait 0 1168 snaptime 235885.637789687 1169 usage 43 1170 value 100 1171 zonename global 1172 1173 module: caps instance: 0 1174 name: cpucaps_project_202 class: project_caps 1175 above_sec 0 1176 below_sec 235094 1177 crtime 791.72983782 1178 maxusage 100 1179 nwait 0 1180 snaptime 235885.637967512 1181 usage 48 1182 value 100 1183 zonename global 1184 1185 module: caps instance: 0 1186 name: cpucaps_project_203 class: project_caps 1187 above_sec 0 1188 below_sec 235034 1189 crtime 852.104401481 1190 maxusage 75 1191 nwait 0 1192 snaptime 235885.638144304 1193 usage 47 1194 value 100 1195 zonename global 1196 1197 module: caps instance: 0 1198 name: cpucaps_project_86710 class: project_caps 1199 above_sec 22 1200 below_sec 235166 1201 crtime 698.441717859 1202 maxusage 101 1203 nwait 0 1204 snaptime 235885.638319871 1205 usage 54 1206 value 100 1207 zonename global 1208 1209 module: caps instance: 0 1210 name: cpucaps_zone_0 class: zone_caps 1211 above_sec 100733 1212 below_sec 134332 1213 crtime 821.048177123 1214 maxusage 207 1215 nwait 2 1216 snaptime 235885.638497731 1217 usage 199 1218 value 200 1219 zonename global 1220 1221 module: caps instance: 1 1222 name: cpucaps_project_0 class: project_caps 1223 above_sec 0 1224 below_sec 0 1225 crtime 225360.256448422 1226 maxusage 7 1227 nwait 0 1228 snaptime 235885.638714404 1229 usage 7 1230 value 18446743151372347932 1231 zonename test_001 1232 1233 module: caps instance: 1 1234 name: cpucaps_zone_1 class: zone_caps 1235 above_sec 2 1236 below_sec 10524 1237 crtime 225360.256440278 1238 maxusage 106 1239 nwait 0 1240 snaptime 235885.638896443 1241 usage 7 1242 value 100 1243 zonename test_001 1244 1245 1246 1247 Example 11 Displaying CPU Caps for a Specific Zone or Project 1248 1249 1250 Using the kstat -c and -i options, you can display CPU caps for a 1251 specific zone or project, as below. The first command produces a 1252 display for a specific project, the second for the same project within 1253 zone 1. 1254 1255 1256 # kstat -c project_caps 1257 1258 # kstat -c project_caps -i 1 1259 1260 1261 1262 EXIT STATUS 1263 The following exit values are returned: 1264 1265 0 1266 1267 Successful completion. 1268 1269 1270 1 1271 1272 An error occurred. 1273 1274 1275 2 1276 1277 Invalid usage. 1278 1279 1280 ATTRIBUTES 1281 See attributes(5) for descriptions of the following attributes: 1282 1283 1284 1285 1286 +--------------------+-----------------+ 1287 | ATTRIBUTE TYPE | ATTRIBUTE VALUE | 1288 +--------------------+-----------------+ 1289 |Interface Stability | Volatile | 1290 +--------------------+-----------------+ 1291 1292 SEE ALSO 1293 ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M), 1294 poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M), 1295 sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C), 1296 kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5), 1297 privileges(5), resource_controls(5), security-flags(5), zones(5) 1298 1299 1300 System Administration Guide: Solaris Containers-Resource Management, 1301 and Solaris Zones 1302 1303 NOTES 1304 All character data used by zonecfg must be in US-ASCII encoding. 1305 1306 1307 1308 February 28, 2014 ZONECFG(1M)