Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


  88        device
  89 
  90            Device.
  91 
  92 
  93        fs
  94 
  95            file-system
  96 
  97 
  98        net
  99 
 100            Network interface.
 101 
 102 
 103        rctl
 104 
 105            Resource control.
 106 
 107 





 108    Properties
 109        Each resource type has one or more properties. There are also some
 110        global properties, that is, properties of the configuration as a whole,
 111        rather than of some particular resource.
 112 
 113 
 114        The following properties are supported:
 115 
 116        (global)
 117 
 118            zonename
 119 
 120 
 121        (global)
 122 
 123            zonepath
 124 
 125 
 126        (global)
 127 


 221        dataset
 222 
 223            name
 224 
 225 
 226        dedicated-cpu
 227 
 228            ncpus, importance
 229 
 230 
 231        capped-memory
 232 
 233            physical, swap, locked
 234 
 235 
 236        capped-cpu
 237 
 238            ncpus
 239 
 240 





 241 
 242        As for the property values which are paired with these names, they are
 243        either simple, complex, or lists. The type allowed is property-
 244        specific. Simple values are strings, optionally enclosed within
 245        quotation marks. Complex values have the syntax:
 246 
 247          (<name>=<value>,<name>=<value>,...)
 248 
 249 
 250 
 251 
 252        where each <value> is simple, and the <name> strings are     unique within
 253        a given property. Lists have the syntax:
 254 
 255          [<value>,...]
 256 
 257 
 258 
 259 
 260        where each <value> is either simple or complex. A list of a single


 515            locked property is the preferred way to set the zone.max-locked-
 516            memory rctl.
 517 
 518 
 519        capped-cpu: ncpus
 520 
 521            Sets a limit on the amount of CPU time that can be used by a zone.
 522            The unit used translates to the percentage of a single CPU that can
 523            be used by all user threads in a zone, expressed as a fraction (for
 524            example, .75) or a mixed number (whole number and fraction, for
 525            example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of
 526            1.25 means 125%, .75 mean 75%, and so forth. When projects within a
 527            capped zone have their own caps, the minimum value takes
 528            precedence.
 529 
 530            The capped-cpu property is an alias for zone.cpu-cap resource
 531            control and is related to the zone.cpu-cap resource control. See
 532            resource_controls(5).
 533 
 534 







 535        global: fs-allowed
 536 
 537            A comma-separated list of additional filesystems that may be
 538            mounted within the zone; for example "ufs,pcfs". By default, only
 539            hsfs(7fs) and network filesystems can be mounted. If the first
 540            entry in the list is "-" then that disables all of the default
 541            filesystems. If any filesystems are listed after "-" then only
 542            those filesystems can be mounted.
 543 
 544            This property does not apply to filesystems mounted into the zone
 545            via "add fs" or "add dataset".
 546 
 547            WARNING: allowing filesystem mounts other than the default may
 548            allow the zone administrator to compromise the system with a
 549            malicious filesystem image, and is not supported.
 550 
 551 
 552 
 553        The following table summarizes resources, property-names, and types:
 554 


 574                             raw             simple
 575                             type            simple
 576                             options         list of simple
 577          net               address         simple
 578                             physical        simple
 579          device            match           simple
 580          rctl              name            simple
 581                             value           list of complex
 582          attr              name            simple
 583                             type            simple
 584                             value           simple
 585          dataset           name            simple
 586          dedicated-cpu     ncpus           simple or range
 587                             importance      simple
 588 
 589          capped-memory     physical        simple with scale
 590                             swap            simple with scale
 591                             locked          simple with scale
 592 
 593          capped-cpu        ncpus           simple



 594 
 595 
 596 
 597 
 598        To further specify things, the breakdown of the complex property
 599        "value" of the "rctl" resource type, it consists of three name/value
 600        pairs, the names being "priv", "limit" and "action", each of which
 601        takes a simple value. The "name" property of an "attr" resource is
 602        syntactically restricted in a fashion similar but not identical to zone
 603        names: it must begin with an alphanumeric, and can contain
 604        alphanumerics plus the hyphen (-), underscore (_), and dot (.)
 605        characters. Attribute names beginning with "zone" are reserved for use
 606        by the system. Finally, the "autoboot" global property must have a
 607        value of "true" or "false".
 608 
 609    Using Kernel Statistics to Monitor CPU Caps
 610        Using the kernel statistics (kstat(3KSTAT)) module caps, the system
 611        maintains information for all capped projects and zones. You can access
 612        this information by reading kernel statistics (kstat(3KSTAT)),
 613        specifying caps as the kstat module name. The following command


1257            Invalid usage.
1258 
1259 
1260 ATTRIBUTES
1261        See attributes(5) for descriptions of the following attributes:
1262 
1263 
1264 
1265 
1266        +--------------------+-----------------+
1267        |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
1268        +--------------------+-----------------+
1269        |Interface Stability | Volatile        |
1270        +--------------------+-----------------+
1271 
1272 SEE ALSO
1273        ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1274        poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1275        sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1276        kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1277        privileges(5), resource_controls(5), zones(5)
1278 
1279 
1280        System Administration Guide: Solaris Containers-Resource Management,
1281        and Solaris Zones
1282 
1283 NOTES
1284        All character data used by zonecfg must be in US-ASCII encoding.
1285 
1286 
1287 
1288                                February 28, 2014                   ZONECFG(1M)


  88        device
  89 
  90            Device.
  91 
  92 
  93        fs
  94 
  95            file-system
  96 
  97 
  98        net
  99 
 100            Network interface.
 101 
 102 
 103        rctl
 104 
 105            Resource control.
 106 
 107 
 108        security-flags
 109 
 110            Process security flag settings.
 111 
 112 
 113    Properties
 114        Each resource type has one or more properties. There are also some
 115        global properties, that is, properties of the configuration as a whole,
 116        rather than of some particular resource.
 117 
 118 
 119        The following properties are supported:
 120 
 121        (global)
 122 
 123            zonename
 124 
 125 
 126        (global)
 127 
 128            zonepath
 129 
 130 
 131        (global)
 132 


 226        dataset
 227 
 228            name
 229 
 230 
 231        dedicated-cpu
 232 
 233            ncpus, importance
 234 
 235 
 236        capped-memory
 237 
 238            physical, swap, locked
 239 
 240 
 241        capped-cpu
 242 
 243            ncpus
 244 
 245 
 246        security-flags
 247 
 248            lower, default, upper.
 249 
 250 
 251 
 252        As for the property values which are paired with these names, they are
 253        either simple, complex, or lists. The type allowed is property-
 254        specific. Simple values are strings, optionally enclosed within
 255        quotation marks. Complex values have the syntax:
 256 
 257          (<name>=<value>,<name>=<value>,...)
 258 
 259 
 260 
 261 
 262        where each <value> is simple, and the <name> strings are     unique within
 263        a given property. Lists have the syntax:
 264 
 265          [<value>,...]
 266 
 267 
 268 
 269 
 270        where each <value> is either simple or complex. A list of a single


 525            locked property is the preferred way to set the zone.max-locked-
 526            memory rctl.
 527 
 528 
 529        capped-cpu: ncpus
 530 
 531            Sets a limit on the amount of CPU time that can be used by a zone.
 532            The unit used translates to the percentage of a single CPU that can
 533            be used by all user threads in a zone, expressed as a fraction (for
 534            example, .75) or a mixed number (whole number and fraction, for
 535            example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of
 536            1.25 means 125%, .75 mean 75%, and so forth. When projects within a
 537            capped zone have their own caps, the minimum value takes
 538            precedence.
 539 
 540            The capped-cpu property is an alias for zone.cpu-cap resource
 541            control and is related to the zone.cpu-cap resource control. See
 542            resource_controls(5).
 543 
 544 
 545        security-flags: lower, default, upper
 546 
 547            Set the process security flags associated with the zone.  The lower
 548            and upper fields set the limits, the default field is set of flags
 549            all zone processes inherit.
 550 
 551 
 552        global: fs-allowed
 553 
 554            A comma-separated list of additional filesystems that may be
 555            mounted within the zone; for example "ufs,pcfs". By default, only
 556            hsfs(7fs) and network filesystems can be mounted. If the first
 557            entry in the list is "-" then that disables all of the default
 558            filesystems. If any filesystems are listed after "-" then only
 559            those filesystems can be mounted.
 560 
 561            This property does not apply to filesystems mounted into the zone
 562            via "add fs" or "add dataset".
 563 
 564            WARNING: allowing filesystem mounts other than the default may
 565            allow the zone administrator to compromise the system with a
 566            malicious filesystem image, and is not supported.
 567 
 568 
 569 
 570        The following table summarizes resources, property-names, and types:
 571 


 591                             raw             simple
 592                             type            simple
 593                             options         list of simple
 594          net               address         simple
 595                             physical        simple
 596          device            match           simple
 597          rctl              name            simple
 598                             value           list of complex
 599          attr              name            simple
 600                             type            simple
 601                             value           simple
 602          dataset           name            simple
 603          dedicated-cpu     ncpus           simple or range
 604                             importance      simple
 605 
 606          capped-memory     physical        simple with scale
 607                             swap            simple with scale
 608                             locked          simple with scale
 609 
 610          capped-cpu        ncpus           simple
 611          security-flags   lower           simple
 612                             default        simple
 613                             upper          simple
 614 
 615 
 616 
 617 
 618        To further specify things, the breakdown of the complex property
 619        "value" of the "rctl" resource type, it consists of three name/value
 620        pairs, the names being "priv", "limit" and "action", each of which
 621        takes a simple value. The "name" property of an "attr" resource is
 622        syntactically restricted in a fashion similar but not identical to zone
 623        names: it must begin with an alphanumeric, and can contain
 624        alphanumerics plus the hyphen (-), underscore (_), and dot (.)
 625        characters. Attribute names beginning with "zone" are reserved for use
 626        by the system. Finally, the "autoboot" global property must have a
 627        value of "true" or "false".
 628 
 629    Using Kernel Statistics to Monitor CPU Caps
 630        Using the kernel statistics (kstat(3KSTAT)) module caps, the system
 631        maintains information for all capped projects and zones. You can access
 632        this information by reading kernel statistics (kstat(3KSTAT)),
 633        specifying caps as the kstat module name. The following command


1277            Invalid usage.
1278 
1279 
1280 ATTRIBUTES
1281        See attributes(5) for descriptions of the following attributes:
1282 
1283 
1284 
1285 
1286        +--------------------+-----------------+
1287        |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
1288        +--------------------+-----------------+
1289        |Interface Stability | Volatile        |
1290        +--------------------+-----------------+
1291 
1292 SEE ALSO
1293        ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1294        poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1295        sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1296        kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1297        privileges(5), resource_controls(5), security-flags(5), zones(5)
1298 
1299 
1300        System Administration Guide: Solaris Containers-Resource Management,
1301        and Solaris Zones
1302 
1303 NOTES
1304        All character data used by zonecfg must be in US-ASCII encoding.
1305 
1306 
1307 
1308                                February 28, 2014                   ZONECFG(1M)