7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
--- old/usr/src/man/man1m/zonecfg.1m
+++ new/usr/src/man/man1m/zonecfg.1m
1 1 '\" te
2 2 .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright 2013 Joyent, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 7 .TH ZONECFG 1M "Feb 28, 2014"
8 8 .SH NAME
9 9 zonecfg \- set up zone configuration
10 10 .SH SYNOPSIS
11 11 .LP
12 12 .nf
13 13 \fBzonecfg\fR \fB-z\fR \fIzonename\fR
14 14 .fi
15 15
16 16 .LP
17 17 .nf
18 18 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fIsubcommand\fR
19 19 .fi
20 20
21 21 .LP
(21 lines elided)
22 22 .nf
23 23 \fBzonecfg\fR \fB-z\fR \fIzonename\fR \fB-f\fR \fIcommand_file\fR
24 24 .fi
25 25
26 26 .LP
27 27 .nf
28 28 \fBzonecfg\fR help
29 29 .fi
30 30
31 31 .SH DESCRIPTION
32 -.sp
33 32 .LP
34 33 The \fBzonecfg\fR utility creates and modifies the configuration of a zone.
35 34 Zone configuration consists of a number of resources and properties.
36 35 .sp
37 36 .LP
38 37 To simplify the user interface, \fBzonecfg\fR uses the concept of a scope. The
39 38 default scope is global.
40 39 .sp
41 40 .LP
42 41 The following synopsis of the \fBzonecfg\fR command is for interactive usage:
43 42 .sp
44 43 .in +2
45 44 .nf
46 45 zonecfg \fB-z\fR \fIzonename subcommand\fR
47 46 .fi
48 47 .in -2
49 48 .sp
50 49
51 50 .sp
52 51 .LP
53 52 Parameters changed through \fBzonecfg\fR do not affect a running zone. The zone
54 53 must be rebooted for the changes to take effect.
55 54 .sp
56 55 .LP
57 56 In addition to creating and modifying a zone, the \fBzonecfg\fR utility can
58 57 also be used to persistently specify the resource management settings for the
59 58 global zone.
60 59 .sp
61 60 .LP
62 61 In the following text, "rctl" is used as an abbreviation for "resource
63 62 control". See \fBresource_controls\fR(5).
64 63 .sp
(22 lines elided)
65 64 .LP
66 65 Every zone is configured with an associated brand. The brand determines the
67 66 user-level environment used within the zone, as well as various behaviors for
68 67 the zone when it is installed, boots, or is shutdown. Once a zone has been
69 68 installed the brand cannot be changed. The default brand is determined by the
70 69 installed distribution in the global zone. Some brands do not support all of
71 70 the \fBzonecfg\fR properties and resources. See the brand-specific man page for
72 71 more details on each brand. For an overview of brands, see the \fBbrands\fR(5)
73 72 man page.
74 73 .SS "Resources"
75 -.sp
76 74 .LP
77 75 The following resource types are supported:
78 76 .sp
79 77 .ne 2
80 78 .na
81 79 \fB\fBattr\fR\fR
82 80 .ad
83 81 .sp .6
84 82 .RS 4n
85 83 Generic attribute.
86 84 .RE
87 85
88 86 .sp
89 87 .ne 2
90 88 .na
91 89 \fB\fBcapped-cpu\fR\fR
92 90 .ad
93 91 .sp .6
94 92 .RS 4n
95 93 Limits for CPU usage.
96 94 .RE
97 95
98 96 .sp
99 97 .ne 2
100 98 .na
101 99 \fB\fBcapped-memory\fR\fR
102 100 .ad
103 101 .sp .6
104 102 .RS 4n
105 103 Limits for physical, swap, and locked memory.
106 104 .RE
107 105
108 106 .sp
109 107 .ne 2
110 108 .na
111 109 \fB\fBdataset\fR\fR
112 110 .ad
113 111 .sp .6
114 112 .RS 4n
115 113 \fBZFS\fR dataset.
116 114 .RE
117 115
118 116 .sp
119 117 .ne 2
120 118 .na
121 119 \fB\fBdedicated-cpu\fR\fR
122 120 .ad
123 121 .sp .6
124 122 .RS 4n
125 123 Subset of the system's processors dedicated to this zone while it is running.
126 124 .RE
127 125
128 126 .sp
129 127 .ne 2
130 128 .na
131 129 \fB\fBdevice\fR\fR
132 130 .ad
133 131 .sp .6
134 132 .RS 4n
135 133 Device.
136 134 .RE
137 135
138 136 .sp
139 137 .ne 2
140 138 .na
141 139 \fB\fBfs\fR\fR
142 140 .ad
143 141 .sp .6
144 142 .RS 4n
145 143 file-system
146 144 .RE
147 145
148 146 .sp
149 147 .ne 2
150 148 .na
151 149 \fB\fBnet\fR\fR
152 150 .ad
153 151 .sp .6
154 152 .RS 4n
155 153 Network interface.
156 154 .RE
157 155
(72 lines elided)
158 156 .sp
159 157 .ne 2
160 158 .na
161 159 \fB\fBrctl\fR\fR
162 160 .ad
163 161 .sp .6
164 162 .RS 4n
165 163 Resource control.
166 164 .RE
167 165
168 -.SS "Properties"
169 166 .sp
167 +.ne 2
168 +.na
169 +\fB\fBsecurity-flags\fR\fR
170 +.ad
171 +.sp .6
172 +.RS 4n
173 +Process security flag settings.
174 +.RE
175 +
176 +.SS "Properties"
170 177 .LP
171 178 Each resource type has one or more properties. There are also some global
172 179 properties, that is, properties of the configuration as a whole, rather than of
173 180 some particular resource.
174 181 .sp
175 182 .LP
176 183 The following properties are supported:
177 184 .sp
178 185 .ne 2
179 186 .na
180 187 \fB(global)\fR
181 188 .ad
182 189 .sp .6
183 190 .RS 4n
184 191 \fBzonename\fR
185 192 .RE
186 193
187 194 .sp
188 195 .ne 2
189 196 .na
190 197 \fB(global)\fR
191 198 .ad
192 199 .sp .6
193 200 .RS 4n
194 201 \fBzonepath\fR
195 202 .RE
196 203
197 204 .sp
198 205 .ne 2
199 206 .na
200 207 \fB(global)\fR
201 208 .ad
202 209 .sp .6
203 210 .RS 4n
204 211 \fBautoboot\fR
205 212 .RE
206 213
207 214 .sp
208 215 .ne 2
209 216 .na
210 217 \fB(global)\fR
211 218 .ad
212 219 .sp .6
213 220 .RS 4n
214 221 \fBbootargs\fR
215 222 .RE
216 223
217 224 .sp
218 225 .ne 2
219 226 .na
220 227 \fB(global)\fR
221 228 .ad
222 229 .sp .6
223 230 .RS 4n
224 231 \fBpool\fR
225 232 .RE
226 233
227 234 .sp
228 235 .ne 2
229 236 .na
230 237 \fB(global)\fR
231 238 .ad
232 239 .sp .6
233 240 .RS 4n
234 241 \fBlimitpriv\fR
235 242 .RE
236 243
237 244 .sp
238 245 .ne 2
239 246 .na
240 247 \fB(global)\fR
241 248 .ad
242 249 .sp .6
243 250 .RS 4n
244 251 \fBbrand\fR
245 252 .RE
246 253
247 254 .sp
248 255 .ne 2
249 256 .na
250 257 \fB(global)\fR
251 258 .ad
252 259 .sp .6
253 260 .RS 4n
254 261 \fBcpu-shares\fR
255 262 .RE
256 263
257 264 .sp
258 265 .ne 2
259 266 .na
260 267 \fB(global)\fR
261 268 .ad
262 269 .sp .6
263 270 .RS 4n
264 271 \fBhostid\fR
265 272 .RE
266 273
267 274 .sp
268 275 .ne 2
269 276 .na
270 277 \fB(global)\fR
271 278 .ad
272 279 .sp .6
273 280 .RS 4n
274 281 \fBmax-lwps\fR
275 282 .RE
276 283
277 284 .sp
278 285 .ne 2
279 286 .na
280 287 \fB(global)\fR
281 288 .ad
282 289 .sp .6
283 290 .RS 4n
284 291 \fBmax-msg-ids\fR
285 292 .RE
286 293
287 294 .sp
288 295 .ne 2
289 296 .na
290 297 \fB(global)\fR
291 298 .ad
292 299 .sp .6
293 300 .RS 4n
294 301 \fBmax-sem-ids\fR
295 302 .RE
296 303
297 304 .sp
298 305 .ne 2
299 306 .na
300 307 \fB(global)\fR
301 308 .ad
302 309 .sp .6
303 310 .RS 4n
304 311 \fBmax-shm-ids\fR
305 312 .RE
306 313
307 314 .sp
308 315 .ne 2
309 316 .na
310 317 \fB(global)\fR
311 318 .ad
312 319 .sp .6
313 320 .RS 4n
314 321 \fBmax-shm-memory\fR
315 322 .RE
316 323
317 324 .sp
318 325 .ne 2
319 326 .na
320 327 \fB(global)\fR
321 328 .ad
322 329 .sp .6
323 330 .RS 4n
324 331 \fBscheduling-class\fR
325 332 .RE
326 333
327 334 .sp
328 335 .ne 2
329 336 .na
330 337 .B (global)
331 338 .ad
332 339 .sp .6
333 340 .RS 4n
334 341 .B fs-allowed
335 342 .RE
336 343
337 344 .sp
338 345 .ne 2
339 346 .na
340 347 \fB\fBfs\fR\fR
341 348 .ad
342 349 .sp .6
343 350 .RS 4n
344 351 \fBdir\fR, \fBspecial\fR, \fBraw\fR, \fBtype\fR, \fBoptions\fR
345 352 .RE
346 353
347 354 .sp
348 355 .ne 2
349 356 .na
350 357 \fB\fBnet\fR\fR
351 358 .ad
352 359 .sp .6
353 360 .RS 4n
354 361 \fBaddress\fR, \fBphysical\fR, \fBdefrouter\fR
355 362 .RE
356 363
357 364 .sp
358 365 .ne 2
359 366 .na
360 367 \fB\fBdevice\fR\fR
361 368 .ad
362 369 .sp .6
363 370 .RS 4n
364 371 \fBmatch\fR
365 372 .RE
366 373
367 374 .sp
368 375 .ne 2
369 376 .na
370 377 \fB\fBrctl\fR\fR
371 378 .ad
372 379 .sp .6
373 380 .RS 4n
374 381 \fBname\fR, \fBvalue\fR
375 382 .RE
376 383
377 384 .sp
378 385 .ne 2
379 386 .na
380 387 \fB\fBattr\fR\fR
381 388 .ad
382 389 .sp .6
383 390 .RS 4n
384 391 \fBname\fR, \fBtype\fR, \fBvalue\fR
385 392 .RE
386 393
387 394 .sp
388 395 .ne 2
389 396 .na
390 397 \fB\fBdataset\fR\fR
391 398 .ad
392 399 .sp .6
393 400 .RS 4n
394 401 \fBname\fR
395 402 .RE
396 403
397 404 .sp
398 405 .ne 2
399 406 .na
400 407 \fB\fBdedicated-cpu\fR\fR
401 408 .ad
402 409 .sp .6
403 410 .RS 4n
404 411 \fBncpus\fR, \fBimportance\fR
405 412 .RE
406 413
407 414 .sp
408 415 .ne 2
409 416 .na
410 417 \fB\fBcapped-memory\fR\fR
411 418 .ad
412 419 .sp .6
413 420 .RS 4n
414 421 \fBphysical\fR, \fBswap\fR, \fBlocked\fR
415 422 .RE
416 423
417 424 .sp
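Review bot: the new Resources entry "Process security flag settings." (added between the rctl entry and the moved .SS "Properties" heading) is too thin to act on: it does not say what a security flag is or where the flag names are documented, whereas the neighbouring rctl entry points the reader at resource_controls(5) in the DESCRIPTION text. Suggest adding a cross-reference to the manual page that documents the flags and their semantics, or at least naming the flags the bug titles mention (aslr, noexec_user_stack). Moving .SS "Properties" below the new entry keeps the .sp/.ne 2/.na rhythm of the list intact and incidentally removes the stray .sp that used to follow the heading, which is fine.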
(238 lines elided)
418 425 .ne 2
419 426 .na
420 427 \fB\fBcapped-cpu\fR\fR
421 428 .ad
422 429 .sp .6
423 430 .RS 4n
424 431 \fBncpus\fR
425 432 .RE
426 433
427 434 .sp
435 +.ne 2
436 +.na
437 +\fB\fBsecurity-flags\fB\fB
438 +.ad
439 +.sp .6
440 +.RS 4n
441 +\fBlower\fR, \fBdefault\fR, \fBupper\fR.
442 +.RE
443 +
444 +.sp
428 445 .LP
429 446 As for the property values which are paired with these names, they are either
430 447 simple, complex, or lists. The type allowed is property-specific. Simple values
431 448 are strings, optionally enclosed within quotation marks. Complex values have
432 449 the syntax:
433 450 .sp
434 451 .in +2
435 452 .nf
436 453 (<\fIname\fR>=<\fIvalue\fR>,<\fIname\fR>=<\fIvalue\fR>,...)
437 454 .fi
438 455 .in -2
439 456 .sp
440 457
441 458 .sp
442 459 .LP
443 460 where each <\fIvalue\fR> is simple, and the <\fIname\fR> strings are unique
444 461 within a given property. Lists have the syntax:
445 462 .sp
446 463 .in +2
447 464 .nf
448 465 [<\fIvalue\fR>,...]
449 466 .fi
450 467 .in -2
451 468 .sp
452 469
453 470 .sp
454 471 .LP
455 472 where each <\fIvalue\fR> is either simple or complex. A list of a single value
456 473 (either simple or complex) is equivalent to specifying that value without the
457 474 list syntax. That is, "foo" is equivalent to "[foo]". A list can be empty
458 475 (denoted by "[]").
459 476 .sp
460 477 .LP
461 478 In interpreting property values, \fBzonecfg\fR accepts regular expressions as
462 479 specified in \fBfnmatch\fR(5). See \fBEXAMPLES\fR.
463 480 .sp
464 481 .LP
465 482 The property types are described as follows:
466 483 .sp
467 484 .ne 2
468 485 .na
469 486 \fBglobal: \fBzonename\fR\fR
470 487 .ad
471 488 .sp .6
472 489 .RS 4n
473 490 The name of the zone.
474 491 .RE
475 492
476 493 .sp
477 494 .ne 2
478 495 .na
479 496 \fBglobal: \fBzonepath\fR\fR
480 497 .ad
481 498 .sp .6
482 499 .RS 4n
483 500 Path to zone's file system.
484 501 .RE
485 502
486 503 .sp
487 504 .ne 2
488 505 .na
489 506 \fBglobal: \fBautoboot\fR\fR
490 507 .ad
491 508 .sp .6
492 509 .RS 4n
493 510 Boolean indicating that a zone should be booted automatically at system boot.
494 511 Note that if the zones service is disabled, the zone will not autoboot,
495 512 regardless of the setting of this property. You enable the zones service with a
496 513 \fBsvcadm\fR command, such as:
497 514 .sp
498 515 .in +2
499 516 .nf
500 517 # \fBsvcadm enable svc:/system/zones:default\fR
501 518 .fi
502 519 .in -2
503 520 .sp
504 521
505 522 Replace \fBenable\fR with \fBdisable\fR to disable the zones service. See
506 523 \fBsvcadm\fR(1M).
507 524 .RE
508 525
509 526 .sp
510 527 .ne 2
511 528 .na
512 529 \fBglobal: \fBbootargs\fR\fR
513 530 .ad
514 531 .sp .6
515 532 .RS 4n
516 533 Arguments (options) to be passed to the zone bootup, unless options are
517 534 supplied to the "\fBzoneadm boot\fR" command, in which case those take
518 535 precedence. The valid arguments are described in \fBzoneadm\fR(1M).
519 536 .RE
520 537
521 538 .sp
522 539 .ne 2
523 540 .na
524 541 \fBglobal: \fBpool\fR\fR
525 542 .ad
526 543 .sp .6
527 544 .RS 4n
528 545 Name of the resource pool that this zone must be bound to when booted. This
529 546 property is incompatible with the \fBdedicated-cpu\fR resource.
530 547 .RE
531 548
532 549 .sp
533 550 .ne 2
534 551 .na
535 552 \fBglobal: \fBlimitpriv\fR\fR
536 553 .ad
537 554 .sp .6
538 555 .RS 4n
539 556 The maximum set of privileges any process in this zone can obtain. The property
540 557 should consist of a comma-separated privilege set specification as described in
541 558 \fBpriv_str_to_set\fR(3C). Privileges can be excluded from the resulting set by
542 559 preceding their names with a dash (-) or an exclamation point (!). The special
543 560 privilege string "zone" is not supported in this context. If the special string
544 561 "default" occurs as the first token in the property, it expands into a safe set
545 562 of privileges that preserve the resource and security isolation described in
546 563 \fBzones\fR(5). A missing or empty property is equivalent to this same set of
547 564 safe privileges.
548 565 .sp
549 566 The system administrator must take extreme care when configuring privileges for
550 567 a zone. Some privileges cannot be excluded through this mechanism as they are
551 568 required in order to boot a zone. In addition, there are certain privileges
552 569 which cannot be given to a zone as doing so would allow processes inside a zone
553 570 to unduly affect processes in other zones. \fBzoneadm\fR(1M) indicates when an
554 571 invalid privilege has been added or removed from a zone's privilege set when an
555 572 attempt is made to either "boot" or "ready" the zone.
556 573 .sp
557 574 See \fBprivileges\fR(5) for a description of privileges. The command "\fBppriv
558 575 -l\fR" (see \fBppriv\fR(1)) produces a list of all Solaris privileges. You can
559 576 specify privileges as they are displayed by \fBppriv\fR. In
560 577 \fBprivileges\fR(5), privileges are listed in the form
561 578 PRIV_\fIprivilege_name\fR. For example, the privilege \fIsys_time\fR, as you
562 579 would specify it in this property, is listed in \fBprivileges\fR(5) as
563 580 \fBPRIV_SYS_TIME\fR.
564 581 .RE
565 582
566 583 .sp
567 584 .ne 2
568 585 .na
569 586 \fBglobal: \fBbrand\fR\fR
570 587 .ad
571 588 .sp .6
572 589 .RS 4n
573 590 The zone's brand type.
574 591 .RE
575 592
576 593 .sp
577 594 .ne 2
578 595 .na
579 596 \fBglobal: \fBip-type\fR\fR
580 597 .ad
581 598 .sp .6
582 599 .RS 4n
583 600 A zone can either share the IP instance with the global zone, which is the
584 601 default, or have its own exclusive instance of IP.
585 602 .sp
586 603 This property takes the values \fBshared\fR and \fBexclusive\fR.
587 604 .RE
588 605
589 606 .sp
590 607 .ne 2
591 608 .na
592 609 \fBglobal: \fBhostid\fR\fR
593 610 .ad
594 611 .sp .6
595 612 .RS 4n
596 613 A zone can emulate a 32-bit host identifier to ease system consolidation. A
597 614 zone's \fBhostid\fR property is empty by default, meaning that the zone does
598 615 not emulate a host identifier. Zone host identifiers must be hexadecimal values
599 616 between 0 and FFFFFFFE. A \fB0x\fR or \fB0X\fR prefix is optional. Both
600 617 uppercase and lowercase hexadecimal digits are acceptable.
601 618 .RE
602 619
603 620 .sp
604 621 .ne 2
605 622 .na
606 623 \fB\fBfs\fR: dir, special, raw, type, options\fR
607 624 .ad
608 625 .sp .6
609 626 .RS 4n
610 627 Values needed to determine how, where, and so forth to mount file systems. See
611 628 \fBmount\fR(1M), \fBmount\fR(2), \fBfsck\fR(1M), and \fBvfstab\fR(4).
612 629 .RE
613 630
614 631 .sp
615 632 .ne 2
616 633 .na
617 634 \fB\fBnet\fR: address, physical, defrouter\fR
618 635 .ad
619 636 .sp .6
620 637 .RS 4n
621 638 The network address and physical interface name of the network interface. The
622 639 network address is one of:
623 640 .RS +4
624 641 .TP
625 642 .ie t \(bu
626 643 .el o
627 644 a valid IPv4 address, optionally followed by "\fB/\fR" and a prefix length;
628 645 .RE
629 646 .RS +4
630 647 .TP
631 648 .ie t \(bu
632 649 .el o
633 650 a valid IPv6 address, which must be followed by "\fB/\fR" and a prefix length;
634 651 .RE
635 652 .RS +4
636 653 .TP
637 654 .ie t \(bu
638 655 .el o
639 656 a host name which resolves to an IPv4 address.
640 657 .RE
641 658 Note that host names that resolve to IPv6 addresses are not supported.
642 659 .sp
643 660 The physical interface name is the network interface name.
644 661 .sp
645 662 The default router is specified similarly to the network address except that it
646 663 must not be followed by a \fB/\fR (slash) and a network prefix length.
647 664 .sp
648 665 A zone can be configured to be either exclusive-IP or shared-IP. For a
649 666 shared-IP zone, you must set both the physical and address properties; setting
650 667 the default router is optional. The interface specified in the physical
651 668 property must be plumbed in the global zone prior to booting the non-global
652 669 zone. However, if the interface is not used by the global zone, it should be
653 670 configured \fBdown\fR in the global zone, and the default router for the
654 671 interface should be specified here.
655 672 .sp
656 673 For an exclusive-IP zone, the physical property must be set and the address and
657 674 default router properties cannot be set.
658 675 .RE
659 676
660 677 .sp
661 678 .ne 2
662 679 .na
663 680 \fB\fBdevice\fR: match\fR
664 681 .ad
665 682 .sp .6
666 683 .RS 4n
667 684 Device name to match.
668 685 .RE
669 686
670 687 .sp
671 688 .ne 2
672 689 .na
673 690 \fB\fBrctl\fR: name, value\fR
674 691 .ad
675 692 .sp .6
676 693 .RS 4n
677 694 The name and \fIpriv\fR/\fIlimit\fR/\fIaction\fR triple of a resource control.
678 695 See \fBprctl\fR(1) and \fBrctladm\fR(1M). The preferred way to set rctl values
679 696 is to use the global property name associated with a specific rctl.
680 697 .RE
681 698
682 699 .sp
683 700 .ne 2
684 701 .na
685 702 \fB\fBattr\fR: name, type, value\fR
686 703 .ad
687 704 .sp .6
688 705 .RS 4n
689 706 The name, type and value of a generic attribute. The \fBtype\fR must be one of
690 707 \fBint\fR, \fBuint\fR, \fBboolean\fR or \fBstring\fR, and the value must be of
691 708 that type. \fBuint\fR means unsigned , that is, a non-negative integer.
692 709 .RE
693 710
694 711 .sp
695 712 .ne 2
696 713 .na
697 714 \fB\fBdataset\fR: name\fR
698 715 .ad
699 716 .sp .6
700 717 .RS 4n
701 718 The name of a \fBZFS\fR dataset to be accessed from within the zone. See
702 719 \fBzfs\fR(1M).
703 720 .RE
704 721
705 722 .sp
706 723 .ne 2
707 724 .na
708 725 \fBglobal: \fBcpu-shares\fR\fR
709 726 .ad
710 727 .sp .6
711 728 .RS 4n
712 729 The number of Fair Share Scheduler (FSS) shares to allocate to this zone. This
713 730 property is incompatible with the \fBdedicated-cpu\fR resource. This property
714 731 is the preferred way to set the \fBzone.cpu-shares\fR rctl.
715 732 .RE
716 733
717 734 .sp
718 735 .ne 2
719 736 .na
720 737 \fBglobal: \fBmax-lwps\fR\fR
721 738 .ad
722 739 .sp .6
723 740 .RS 4n
724 741 The maximum number of LWPs simultaneously available to this zone. This property
725 742 is the preferred way to set the \fBzone.max-lwps\fR rctl.
726 743 .RE
727 744
728 745 .sp
729 746 .ne 2
730 747 .na
731 748 \fBglobal: \fBmax-msg-ids\fR\fR
732 749 .ad
733 750 .sp .6
734 751 .RS 4n
735 752 The maximum number of message queue IDs allowed for this zone. This property is
736 753 the preferred way to set the \fBzone.max-msg-ids\fR rctl.
737 754 .RE
738 755
739 756 .sp
740 757 .ne 2
741 758 .na
742 759 \fBglobal: \fBmax-sem-ids\fR\fR
743 760 .ad
744 761 .sp .6
745 762 .RS 4n
746 763 The maximum number of semaphore IDs allowed for this zone. This property is the
747 764 preferred way to set the \fBzone.max-sem-ids\fR rctl.
748 765 .RE
749 766
750 767 .sp
751 768 .ne 2
752 769 .na
753 770 \fBglobal: \fBmax-shm-ids\fR\fR
754 771 .ad
755 772 .sp .6
756 773 .RS 4n
757 774 The maximum number of shared memory IDs allowed for this zone. This property is
758 775 the preferred way to set the \fBzone.max-shm-ids\fR rctl.
759 776 .RE
760 777
761 778 .sp
762 779 .ne 2
763 780 .na
764 781 \fBglobal: \fBmax-shm-memory\fR\fR
765 782 .ad
766 783 .sp .6
767 784 .RS 4n
768 785 The maximum amount of shared memory allowed for this zone. This property is the
769 786 preferred way to set the \fBzone.max-shm-memory\fR rctl. A scale (K, M, G, T)
770 787 can be applied to the value for this number (for example, 1M is one megabyte).
771 788 .RE
772 789
773 790 .sp
774 791 .ne 2
775 792 .na
776 793 \fBglobal: \fBscheduling-class\fR\fR
777 794 .ad
778 795 .sp .6
779 796 .RS 4n
780 797 Specifies the scheduling class used for processes running in a zone. When this
781 798 property is not specified, the scheduling class is established as follows:
782 799 .RS +4
783 800 .TP
784 801 .ie t \(bu
785 802 .el o
786 803 If the \fBcpu-shares\fR property or equivalent rctl is set, the scheduling
787 804 class FSS is used.
788 805 .RE
789 806 .RS +4
790 807 .TP
791 808 .ie t \(bu
792 809 .el o
793 810 If neither \fBcpu-shares\fR nor the equivalent rctl is set and the zone's pool
794 811 property references a pool that has a default scheduling class, that class is
795 812 used.
796 813 .RE
797 814 .RS +4
798 815 .TP
799 816 .ie t \(bu
800 817 .el o
801 818 Under any other conditions, the system default scheduling class is used.
802 819 .RE
803 820 .RE
804 821
805 822
806 823
807 824 .sp
808 825 .ne 2
809 826 .na
810 827 \fB\fBdedicated-cpu\fR: ncpus, importance\fR
811 828 .ad
812 829 .sp .6
813 830 .RS 4n
814 831 The number of CPUs that should be assigned for this zone's exclusive use. The
815 832 zone will create a pool and processor set when it boots. See \fBpooladm\fR(1M)
816 833 and \fBpoolcfg\fR(1M) for more information on resource pools. The \fBncpu\fR
817 834 property can specify a single value or a range (for example, 1-4) of
818 835 processors. The \fBimportance\fR property is optional; if set, it will specify
819 836 the \fBpset.importance\fR value for use by \fBpoold\fR(1M). If this resource is
820 837 used, there must be enough free processors to allocate to this zone when it
821 838 boots or the zone will not boot. The processors assigned to this zone will not
822 839 be available for the use of the global zone or other zones. This resource is
823 840 incompatible with both the \fBpool\fR and \fBcpu-shares\fR properties. Only a
824 841 single instance of this resource can be added to the zone.
825 842 .RE
826 843
827 844 .sp
828 845 .ne 2
829 846 .na
830 847 \fB\fBcapped-memory\fR: physical, swap, locked\fR
831 848 .ad
832 849 .sp .6
833 850 .RS 4n
834 851 The caps on the memory that can be used by this zone. A scale (K, M, G, T) can
835 852 be applied to the value for each of these numbers (for example, 1M is one
836 853 megabyte). Each of these properties is optional but at least one property must
837 854 be set when adding this resource. Only a single instance of this resource can
838 855 be added to the zone. The \fBphysical\fR property sets the \fBmax-rss\fR for
839 856 this zone. This will be enforced by \fBrcapd\fR(1M) running in the global zone.
840 857 The \fBswap\fR property is the preferred way to set the \fBzone.max-swap\fR
841 858 rctl. The \fBlocked\fR property is the preferred way to set the
842 859 \fBzone.max-locked-memory\fR rctl.
843 860 .RE
844 861
845 862 .sp
846 863 .ne 2
847 864 .na
848 865 \fB\fBcapped-cpu\fR: ncpus\fR
849 866 .ad
850 867 .sp .6
851 868 .RS 4n
852 869 Sets a limit on the amount of CPU time that can be used by a zone. The unit
853 870 used translates to the percentage of a single CPU that can be used by all user
854 871 threads in a zone, expressed as a fraction (for example, \fB\&.75\fR) or a
855 872 mixed number (whole number and fraction, for example, \fB1.25\fR). An
856 873 \fBncpu\fR value of \fB1\fR means 100% of a CPU, a value of \fB1.25\fR means
857 874 125%, \fB\&.75\fR mean 75%, and so forth. When projects within a capped zone
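Review bot: the new property-name entry after capped-cpu has a font-escape typo: "\fB\fBsecurity-flags\fB\fB" closes with \fB\fB instead of \fR\fR, so bold is never switched off and everything rendered after it stays bold; every other entry in this list, for example "\fB\fBcapped-cpu\fR\fR", ends with \fR\fR. Change it to "\fB\fBsecurity-flags\fR\fR". In the same entry, the value line "\fBlower\fR, \fBdefault\fR, \fBupper\fR." carries a trailing full stop that none of its siblings have ("\fBncpus\fR", "\fBphysical\fR, \fBswap\fR, \fBlocked\fR"); drop it for consistency.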
(420 lines elided)
858 875 have their own caps, the minimum value takes precedence.
859 876 .sp
860 877 The \fBcapped-cpu\fR property is an alias for \fBzone.cpu-cap\fR resource
861 878 control and is related to the \fBzone.cpu-cap\fR resource control. See
862 879 \fBresource_controls\fR(5).
863 880 .RE
864 881
865 882 .sp
866 883 .ne 2
867 884 .na
885 +\fB\fBsecurity-flags\fR: lower, default, upper\fR
886 +.ad
887 +.sp .6
888 +.RS 4n
889 +Set the process security flags associated with the zone. The \fBlower\fR and
890 +\fBupper\fR fields set the limits, the \fBdefault\fR field is set of flags all
891 +zone processes inherit.
892 +.RE
893 +
894 +.sp
895 +.ne 2
896 +.na
868 897 \fBglobal: \fBfs-allowed\fR\fR
869 898 .ad
870 899 .sp .6
871 900 .RS 4n
872 901 A comma-separated list of additional filesystems that may be mounted within
873 902 the zone; for example "ufs,pcfs". By default, only hsfs(7fs) and network
874 903 filesystems can be mounted. If the first entry in the list is "-" then
875 904 that disables all of the default filesystems. If any filesystems are listed
876 905 after "-" then only those filesystems can be mounted.
877 906
878 907 This property does not apply to filesystems mounted into the zone via "add fs"
879 908 or "add dataset".
880 909
881 910 WARNING: allowing filesystem mounts other than the default may allow the zone
882 911 administrator to compromise the system with a malicious filesystem image, and
883 912 is not supported.
884 913 .RE
885 914
886 915 .sp
887 916 .LP
888 917 The following table summarizes resources, property-names, and types:
889 918 .sp
890 919 .in +2
891 920 .nf
892 921 resource property-name type
893 922 (global) zonename simple
894 923 (global) zonepath simple
895 924 (global) autoboot simple
896 925 (global) bootargs simple
897 926 (global) pool simple
898 927 (global) limitpriv simple
899 928 (global) brand simple
900 929 (global) ip-type simple
901 930 (global) hostid simple
902 931 (global) cpu-shares simple
903 932 (global) max-lwps simple
904 933 (global) max-msg-ids simple
905 934 (global) max-sem-ids simple
906 935 (global) max-shm-ids simple
907 936 (global) max-shm-memory simple
908 937 (global) scheduling-class simple
909 938 fs dir simple
910 939 special simple
911 940 raw simple
912 941 type simple
913 942 options list of simple
914 943 net address simple
915 944 physical simple
916 945 device match simple
917 946 rctl name simple
918 947 value list of complex
919 948 attr name simple
920 949 type simple
(43 lines elided)
921 950 value simple
922 951 dataset name simple
923 952 dedicated-cpu ncpus simple or range
924 953 importance simple
925 954
926 955 capped-memory physical simple with scale
927 956 swap simple with scale
928 957 locked simple with scale
929 958
930 959 capped-cpu ncpus simple
960 +security-flags lower simple
961 + default simple
962 + upper simple
931 963 .fi
932 964 .in -2
933 965 .sp
934 966
935 967 .sp
936 968 .LP
937 969 To further specify things, the breakdown of the complex property "value" of the
938 970 "rctl" resource type, it consists of three name/value pairs, the names being
939 971 "priv", "limit" and "action", each of which takes a simple value. The "name"
940 972 property of an "attr" resource is syntactically restricted in a fashion similar
941 973 but not identical to zone names: it must begin with an alphanumeric, and can
942 974 contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot
943 975 (\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for
944 976 use by the system. Finally, the "autoboot" global property must have a value of
945 977 "true" or "false".
946 978 .SS "Using Kernel Statistics to Monitor CPU Caps"
947 -.sp
948 979 .LP
949 980 Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system
950 981 maintains information for all capped projects and zones. You can access this
951 982 information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying
952 983 \fBcaps\fR as the \fBkstat\fR module name. The following command displays
953 984 kernel statistics for all active CPU caps:
954 985 .sp
955 986 .in +2
956 987 .nf
957 988 # \fBkstat caps::'/cpucaps/'\fR
958 989 .fi
959 990 .in -2
960 991 .sp
961 992
962 993 .sp
963 994 .LP
964 995 A \fBkstat\fR(1M) command running in a zone displays only CPU caps relevant for
965 996 that zone and for projects in that zone. See \fBEXAMPLES\fR.
966 997 .sp
967 998 .LP
968 999 The following are cap-related arguments for use with \fBkstat\fR(1M):
969 1000 .sp
970 1001 .ne 2
971 1002 .na
972 1003 \fB\fBcaps\fR\fR
973 1004 .ad
974 1005 .sp .6
975 1006 .RS 4n
976 1007 The \fBkstat\fR module.
977 1008 .RE
978 1009
979 1010 .sp
980 1011 .ne 2
981 1012 .na
982 1013 \fB\fBproject_caps\fR or \fBzone_caps\fR\fR
983 1014 .ad
984 1015 .sp .6
985 1016 .RS 4n
986 1017 \fBkstat\fR class, for use with the \fBkstat\fR \fB-c\fR option.
987 1018 .RE
988 1019
989 1020 .sp
990 1021 .ne 2
991 1022 .na
992 1023 \fB\fBcpucaps_project_\fR\fIid\fR or \fBcpucaps_zone_\fR\fIid\fR\fR
993 1024 .ad
994 1025 .sp .6
995 1026 .RS 4n
996 1027 \fBkstat\fR name, for use with the \fBkstat\fR \fB-n\fR option. \fIid\fR is the
997 1028 project or zone identifier.
998 1029 .RE
999 1030
1000 1031 .sp
1001 1032 .LP
1002 1033 The following fields are displayed in response to a \fBkstat\fR(1M) command
1003 1034 requesting statistics for all CPU caps.
1004 1035 .sp
1005 1036 .ne 2
1006 1037 .na
1007 1038 \fB\fBmodule\fR\fR
1008 1039 .ad
1009 1040 .sp .6
1010 1041 .RS 4n
1011 1042 In this usage of \fBkstat\fR, this field will have the value \fBcaps\fR.
1012 1043 .RE
1013 1044
1014 1045 .sp
1015 1046 .ne 2
1016 1047 .na
1017 1048 \fB\fBname\fR\fR
1018 1049 .ad
1019 1050 .sp .6
1020 1051 .RS 4n
1021 1052 As described above, \fBcpucaps_project_\fR\fIid\fR or
1022 1053 \fBcpucaps_zone_\fR\fIid\fR
1023 1054 .RE
1024 1055
1025 1056 .sp
1026 1057 .ne 2
1027 1058 .na
1028 1059 \fB\fBabove_sec\fR\fR
1029 1060 .ad
1030 1061 .sp .6
1031 1062 .RS 4n
1032 1063 Total time, in seconds, spent above the cap.
1033 1064 .RE
1034 1065
1035 1066 .sp
1036 1067 .ne 2
1037 1068 .na
1038 1069 \fB\fBbelow_sec\fR\fR
1039 1070 .ad
1040 1071 .sp .6
1041 1072 .RS 4n
1042 1073 Total time, in seconds, spent below the cap.
1043 1074 .RE
1044 1075
1045 1076 .sp
1046 1077 .ne 2
1047 1078 .na
1048 1079 \fB\fBmaxusage\fR\fR
1049 1080 .ad
1050 1081 .sp .6
1051 1082 .RS 4n
1052 1083 Maximum observed CPU usage.
1053 1084 .RE
1054 1085
1055 1086 .sp
1056 1087 .ne 2
1057 1088 .na
1058 1089 \fB\fBnwait\fR\fR
1059 1090 .ad
1060 1091 .sp .6
1061 1092 .RS 4n
1062 1093 Number of threads on cap wait queue.
1063 1094 .RE
1064 1095
1065 1096 .sp
1066 1097 .ne 2
1067 1098 .na
1068 1099 \fB\fBusage\fR\fR
1069 1100 .ad
1070 1101 .sp .6
1071 1102 .RS 4n
1072 1103 Current aggregated CPU usage for all threads belonging to a capped project or
1073 1104 zone, in terms of a percentage of a single CPU.
1074 1105 .RE
1075 1106
1076 1107 .sp
1077 1108 .ne 2
1078 1109 .na
1079 1110 \fB\fBvalue\fR\fR
1080 1111 .ad
1081 1112 .sp .6
1082 1113 .RS 4n
1083 1114 The cap value, in terms of a percentage of a single CPU.
1084 1115 .RE
1085 1116
1086 1117 .sp
1087 1118 .ne 2
1088 1119 .na
1089 1120 \fB\fBzonename\fR\fR
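Review bot: the three new table rows type lower, default and upper as "simple", but the description calls default a "set of flags", which reads like a list value; confirm the type matches what zonecfg actually parses for this resource and, if a value is several flag names, mark it "list of simple" as the fs options row and the rctl value row ("list of complex") already do. The new rows are also appended directly under capped-cpu without the blank separator line that precedes the capped-memory and capped-cpu groups; add one so the resource groups stay visually distinct. The removal of the .sp under the .SS "Using Kernel Statistics to Monitor CPU Caps" heading is an unrelated whitespace cleanup of the same kind as elsewhere in this diff and is fine to keep.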
(132 lines elided)
1090 1121 .ad
1091 1122 .sp .6
1092 1123 .RS 4n
1093 1124 Name of the zone for which statistics are displayed.
1094 1125 .RE
1095 1126
1096 1127 .sp
1097 1128 .LP
1098 1129 See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command.
1099 1130 .SH OPTIONS
1100 -.sp
1101 1131 .LP
1102 1132 The following options are supported:
1103 1133 .sp
1104 1134 .ne 2
1105 1135 .na
1106 1136 \fB\fB-f\fR \fIcommand_file\fR\fR
1107 1137 .ad
1108 1138 .sp .6
1109 1139 .RS 4n
1110 1140 Specify the name of \fBzonecfg\fR command file. \fIcommand_file\fR is a text
1111 1141 file of \fBzonecfg\fR subcommands, one per line.
1112 1142 .RE
1113 1143
1114 1144 .sp
1115 1145 .ne 2
1116 1146 .na
1117 1147 \fB\fB-z\fR \fIzonename\fR\fR
1118 1148 .ad
1119 1149 .sp .6
1120 1150 .RS 4n
1121 1151 Specify the name of a zone. Zone names are case sensitive. Zone names must
1122 1152 begin with an alphanumeric character and can contain alphanumeric characters,
1123 1153 the underscore (\fB_\fR) the hyphen (\fB-\fR), and the dot (\fB\&.\fR). The
1124 1154 name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and
1125 1155 cannot be used.
1126 1156 .RE
1127 1157
1128 1158 .SH SUBCOMMANDS
1129 -.sp
1130 1159 .LP
1131 1160 You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific
1132 1161 resource, at which point the scope changes to that resource. The \fBend\fR and
1133 1162 \fBcancel\fR subcommands are used to complete the resource specification, at
1134 1163 which time the scope is reverted back to global. Certain subcommands, such as
1135 1164 \fBadd\fR, \fBremove\fR and \fBset\fR, have different semantics in each scope.
1136 1165 .sp
1137 1166 .LP
1138 1167 \fBzonecfg\fR supports a semicolon-separated list of subcommands. For example:
1139 1168 .sp
1140 1169 .in +2
1141 1170 .nf
1142 1171 # \fBzonecfg -z myzone "add net; set physical=myvnic; end"\fR
1143 1172 .fi
1144 1173 .in -2
1145 1174 .sp
1146 1175
1147 1176 .sp
1148 1177 .LP
1149 1178 Subcommands which can result in destructive actions or loss of work have an
1150 1179 \fB-F\fR option to force the action. If input is from a terminal device, the
1151 1180 user is prompted when appropriate if such a command is given without the
1152 1181 \fB-F\fR option otherwise, if such a command is given without the \fB-F\fR
1153 1182 option, the action is disallowed, with a diagnostic message written to standard
1154 1183 error.
1155 1184 .sp
1156 1185 .LP
1157 1186 The following subcommands are supported:
1158 1187 .sp
1159 1188 .ne 2
1160 1189 .na
1161 1190 \fB\fBadd\fR \fIresource-type\fR (global scope)\fR
1162 1191 .ad
1163 1192 .br
1164 1193 .na
1165 1194 \fB\fBadd\fR \fIproperty-name property-value\fR (resource scope)\fR
1166 1195 .ad
1167 1196 .sp .6
1168 1197 .RS 4n
1169 1198 In the global scope, begin the specification for a given resource type. The
1170 1199 scope is changed to that resource type.
1171 1200 .sp
1172 1201 In the resource scope, add a property of the given name with the given value.
1173 1202 The syntax for property values varies with different property types. In
1174 1203 general, it is a simple value or a list of simple values enclosed in square
1175 1204 brackets, separated by commas (\fB[foo,bar,baz]\fR). See \fBPROPERTIES\fR.
1176 1205 .RE
1177 1206
1178 1207 .sp
1179 1208 .ne 2
1180 1209 .na
1181 1210 \fB\fBcancel\fR\fR
1182 1211 .ad
1183 1212 .sp .6
1184 1213 .RS 4n
1185 1214 End the resource specification and reset scope to global. Abandons any
1186 1215 partially specified resources. \fBcancel\fR is only applicable in the resource
1187 1216 scope.
1188 1217 .RE
1189 1218
1190 1219 .sp
1191 1220 .ne 2
1192 1221 .na
1193 1222 \fB\fBclear\fR \fIproperty-name\fR\fR
1194 1223 .ad
1195 1224 .sp .6
1196 1225 .RS 4n
1197 1226 Clear the value for the property.
1198 1227 .RE
1199 1228
1200 1229 .sp
1201 1230 .ne 2
1202 1231 .na
1203 1232 \fB\fBcommit\fR\fR
1204 1233 .ad
1205 1234 .sp .6
1206 1235 .RS 4n
1207 1236 Commit the current configuration from memory to stable storage. The
1208 1237 configuration must be committed to be used by \fBzoneadm\fR. Until the
1209 1238 in-memory configuration is committed, you can remove changes with the
1210 1239 \fBrevert\fR subcommand. The \fBcommit\fR operation is attempted automatically
1211 1240 upon completion of a \fBzonecfg\fR session. Since a configuration must be
1212 1241 correct to be committed, this operation automatically does a verify.
1213 1242 .RE
1214 1243
1215 1244 .sp
1216 1245 .ne 2
1217 1246 .na
1218 1247 \fB\fBcreate [\fR\fB-F\fR\fB] [\fR \fB-a\fR \fIpath\fR |\fB-b\fR \fB|\fR
1219 1248 \fB-t\fR \fItemplate\fR\fB]\fR\fR
1220 1249 .ad
1221 1250 .sp .6
1222 1251 .RS 4n
1223 1252 Create an in-memory configuration for the specified zone. Use \fBcreate\fR to
1224 1253 begin to configure a new zone. See \fBcommit\fR for saving this to stable
1225 1254 storage.
1226 1255 .sp
1227 1256 If you are overwriting an existing configuration, specify the \fB-F\fR option
1228 1257 to force the action. Specify the \fB-t\fR \fItemplate\fR option to create a
1229 1258 configuration identical to \fItemplate\fR, where \fItemplate\fR is the name of
1230 1259 a configured zone.
1231 1260 .sp
1232 1261 Use the \fB-a\fR \fIpath\fR option to facilitate configuring a detached zone on
1233 1262 a new host. The \fIpath\fR parameter is the zonepath location of a detached
1234 1263 zone that has been moved on to this new host. Once the detached zone is
1235 1264 configured, it should be installed using the "\fBzoneadm attach\fR" command
1236 1265 (see \fBzoneadm\fR(1M)). All validation of the new zone happens during the
1237 1266 \fBattach\fR process, not during zone configuration.
1238 1267 .sp
1239 1268 Use the \fB-b\fR option to create a blank configuration. Without arguments,
1240 1269 \fBcreate\fR applies the Sun default settings.
1241 1270 .RE
1242 1271
1243 1272 .sp
1244 1273 .ne 2
1245 1274 .na
1246 1275 \fB\fBdelete [\fR\fB-F\fR\fB]\fR\fR
1247 1276 .ad
1248 1277 .sp .6
1249 1278 .RS 4n
1250 1279 Delete the specified configuration from memory and stable storage. This action
1251 1280 is instantaneous, no commit is necessary. A deleted configuration cannot be
1252 1281 reverted.
1253 1282 .sp
1254 1283 Specify the \fB-F\fR option to force the action.
1255 1284 .RE
1256 1285
1257 1286 .sp
1258 1287 .ne 2
1259 1288 .na
1260 1289 \fB\fBend\fR\fR
1261 1290 .ad
1262 1291 .sp .6
1263 1292 .RS 4n
1264 1293 End the resource specification. This subcommand is only applicable in the
1265 1294 resource scope. \fBzonecfg\fR checks to make sure the current resource is
1266 1295 completely specified. If so, it is added to the in-memory configuration (see
1267 1296 \fBcommit\fR for saving this to stable storage) and the scope reverts to
1268 1297 global. If the specification is incomplete, it issues an appropriate error
1269 1298 message.
1270 1299 .RE
1271 1300
1272 1301 .sp
1273 1302 .ne 2
1274 1303 .na
1275 1304 \fB\fBexport [\fR\fB-f\fR \fIoutput-file\fR\fB]\fR\fR
1276 1305 .ad
1277 1306 .sp .6
1278 1307 .RS 4n
1279 1308 Print configuration to standard output. Use the \fB-f\fR option to print the
1280 1309 configuration to \fIoutput-file\fR. This option produces output in a form
1281 1310 suitable for use in a command file.
1282 1311 .RE
1283 1312
1284 1313 .sp
1285 1314 .ne 2
1286 1315 .na
1287 1316 \fB\fBhelp [usage] [\fIsubcommand\fR] [syntax] [\fR\fIcommand-name\fR\fB]\fR\fR
1288 1317 .ad
1289 1318 .sp .6
1290 1319 .RS 4n
1291 1320 Print general help or help about given topic.
1292 1321 .RE
1293 1322
1294 1323 .sp
1295 1324 .ne 2
1296 1325 .na
1297 1326 \fB\fBinfo zonename | zonepath | autoboot | brand | pool | limitpriv\fR\fR
1298 1327 .ad
1299 1328 .br
1300 1329 .na
1301 1330 \fB\fBinfo [\fR\fIresource-type\fR
1302 1331 \fB[\fR\fIproperty-name\fR\fB=\fR\fIproperty-value\fR\fB]*]\fR\fR
1303 1332 .ad
1304 1333 .sp .6
1305 1334 .RS 4n
1306 1335 Display information about the current configuration. If \fIresource-type\fR is
1307 1336 specified, displays only information about resources of the relevant type. If
1308 1337 any \fIproperty-name\fR value pairs are specified, displays only information
1309 1338 about resources meeting the given criteria. In the resource scope, any
1310 1339 arguments are ignored, and \fBinfo\fR displays information about the resource
1311 1340 which is currently being added or modified.
1312 1341 .RE
1313 1342
1314 1343 .sp
1315 1344 .ne 2
1316 1345 .na
1317 1346 \fB\fBremove\fR \fIresource-type\fR\fB{\fR\fIproperty-name\fR\fB=\fR\fIproperty
1318 1347 -value\fR\fB}\fR(global scope)\fR
1319 1348 .ad
1320 1349 .sp .6
1321 1350 .RS 4n
1322 1351 In the global scope, removes the specified resource. The \fB[]\fR syntax means
1323 1352 0 or more of whatever is inside the square braces. If you want only to remove a
1324 1353 single instance of the resource, you must specify enough property name-value
1325 1354 pairs for the resource to be uniquely identified. If no property name-value
1326 1355 pairs are specified, all instances will be removed. If there is more than one
1327 1356 pair is specified, a confirmation is required, unless you use the \fB-F\fR
1328 1357 option.
1329 1358 .RE
1330 1359
1331 1360 .sp
1332 1361 .ne 2
1333 1362 .na
1334 1363 \fB\fBselect\fR \fIresource-type\fR
1335 1364 \fB{\fR\fIproperty-name\fR\fB=\fR\fIproperty-value\fR\fB}\fR\fR
1336 1365 .ad
1337 1366 .sp .6
1338 1367 .RS 4n
1339 1368 Select the resource of the given type which matches the given
1340 1369 \fIproperty-name\fR \fIproperty-value\fR pair criteria, for modification. This
1341 1370 subcommand is applicable only in the global scope. The scope is changed to that
1342 1371 resource type. The \fB{}\fR syntax means 1 or more of whatever is inside the
1343 1372 curly braces. You must specify enough \fIproperty -name property-value\fR pairs
1344 1373 for the resource to be uniquely identified.
1345 1374 .RE
1346 1375
1347 1376 .sp
1348 1377 .ne 2
1349 1378 .na
1350 1379 \fB\fBset\fR \fIproperty-name\fR\fB=\fR\fIproperty\fR\fB-\fR\fIvalue\fR\fR
1351 1380 .ad
1352 1381 .sp .6
1353 1382 .RS 4n
1354 1383 Set a given property name to the given value. Some properties (for example,
1355 1384 \fBzonename\fR and \fBzonepath\fR) are global while others are
1356 1385 resource-specific. This subcommand is applicable in both the global and
1357 1386 resource scopes.
1358 1387 .RE
1359 1388
1360 1389 .sp
1361 1390 .ne 2
1362 1391 .na
1363 1392 \fB\fBverify\fR\fR
1364 1393 .ad
1365 1394 .sp .6
1366 1395 .RS 4n
1367 1396 Verify the current configuration for correctness:
1368 1397 .RS +4
1369 1398 .TP
1370 1399 .ie t \(bu
1371 1400 .el o
1372 1401 All resources have all of their required properties specified.
1373 1402 .RE
1374 1403 .RS +4
1375 1404 .TP
1376 1405 .ie t \(bu
1377 1406 .el o
1378 1407 A \fBzonepath\fR is specified.
1379 1408 .RE
1380 1409 .RE
1381 1410
1382 1411 .sp
1383 1412 .ne 2
1384 1413 .na
1385 1414 \fB\fBrevert\fR \fB[\fR\fB-F\fR\fB]\fR\fR
1386 1415 .ad
1387 1416 .sp .6
1388 1417 .RS 4n
1389 1418 Revert the configuration back to the last committed state. The \fB-F\fR option
1390 1419 can be used to force the action.
1391 1420 .RE
1392 1421
1393 1422 .sp
1394 1423 .ne 2
1395 1424 .na
1396 1425 \fB\fBexit [\fR\fB-F\fR\fB]\fR\fR
1397 1426 .ad
1398 1427 .sp .6
1399 1428 .RS 4n
1400 1429 Exit the \fBzonecfg\fR session. A commit is automatically attempted if needed.
1401 1430 You can also use an \fBEOF\fR character to exit \fBzonecfg\fR. The \fB-F\fR
1402 1431 option can be used to force the action.
1403 1432 .RE
1404 1433
1405 1434 .SH EXAMPLES
1406 1435 .LP
1407 1436 \fBExample 1 \fRCreating the Environment for a New Zone
1408 1437 .sp
1409 1438 .LP
1410 1439 In the following example, \fBzonecfg\fR creates the environment for a new zone.
1411 1440 \fB/usr/local\fR is loopback mounted from the global zone into
1412 1441 \fB/opt/local\fR. \fB/opt/sfw\fR is loopback mounted from the global zone,
1413 1442 three logical network interfaces are added, and a limit on the number of
1414 1443 fair-share scheduler (FSS) CPU shares for a zone is set using the \fBrctl\fR
1415 1444 resource type. The example also shows how to select a given resource for
1416 1445 modification.
1417 1446
1418 1447 .sp
1419 1448 .in +2
1420 1449 .nf
1421 1450 example# \fBzonecfg -z myzone3\fR
1422 1451 my-zone3: No such zone configured
1423 1452 Use 'create' to begin configuring a new zone.
1424 1453 zonecfg:myzone3> \fBcreate\fR
1425 1454 zonecfg:myzone3> \fBset zonepath=/export/home/my-zone3\fR
1426 1455 zonecfg:myzone3> \fBset autoboot=true\fR
1427 1456 zonecfg:myzone3> \fBadd fs\fR
1428 1457 zonecfg:myzone3:fs> \fBset dir=/usr/local\fR
1429 1458 zonecfg:myzone3:fs> \fBset special=/opt/local\fR
1430 1459 zonecfg:myzone3:fs> \fBset type=lofs\fR
1431 1460 zonecfg:myzone3:fs> \fBadd options [ro,nodevices]\fR
1432 1461 zonecfg:myzone3:fs> \fBend\fR
1433 1462 zonecfg:myzone3> \fBadd fs\fR
1434 1463 zonecfg:myzone3:fs> \fBset dir=/mnt\fR
1435 1464 zonecfg:myzone3:fs> \fBset special=/dev/dsk/c0t0d0s7\fR
1436 1465 zonecfg:myzone3:fs> \fBset raw=/dev/rdsk/c0t0d0s7\fR
1437 1466 zonecfg:myzone3:fs> \fBset type=ufs\fR
1438 1467 zonecfg:myzone3:fs> \fBend\fR
1439 1468 zonecfg:myzone3> \fBadd net\fR
1440 1469 zonecfg:myzone3:net> \fBset address=192.168.0.1/24\fR
1441 1470 zonecfg:myzone3:net> \fBset physical=eri0\fR
1442 1471 zonecfg:myzone3:net> \fBend\fR
1443 1472 zonecfg:myzone3> \fBadd net\fR
1444 1473 zonecfg:myzone3:net> \fBset address=192.168.1.2/24\fR
1445 1474 zonecfg:myzone3:net> \fBset physical=eri0\fR
1446 1475 zonecfg:myzone3:net> \fBend\fR
1447 1476 zonecfg:myzone3> \fBadd net\fR
1448 1477 zonecfg:myzone3:net> \fBset address=192.168.2.3/24\fR
1449 1478 zonecfg:myzone3:net> \fBset physical=eri0\fR
1450 1479 zonecfg:myzone3:net> \fBend\fR
1451 1480 zonecfg:my-zone3> \fBset cpu-shares=5\fR
1452 1481 zonecfg:my-zone3> \fBadd capped-memory\fR
1453 1482 zonecfg:my-zone3:capped-memory> \fBset physical=50m\fR
1454 1483 zonecfg:my-zone3:capped-memory> \fBset swap=100m\fR
1455 1484 zonecfg:my-zone3:capped-memory> \fBend\fR
1456 1485 zonecfg:myzone3> \fBexit\fR
1457 1486 .fi
1458 1487 .in -2
1459 1488 .sp
1460 1489
1461 1490 .LP
1462 1491 \fBExample 2 \fRCreating a Non-Native Zone
1463 1492 .sp
1464 1493 .LP
1465 1494 The following example creates a new Linux zone:
1466 1495
1467 1496 .sp
1468 1497 .in +2
1469 1498 .nf
1470 1499 example# \fBzonecfg -z lxzone\fR
1471 1500 lxzone: No such zone configured
1472 1501 Use 'create' to begin configuring a new zone
1473 1502 zonecfg:lxzone> \fBcreate -t SUNWlx\fR
1474 1503 zonecfg:lxzone> \fBset zonepath=/export/zones/lxzone\fR
1475 1504 zonecfg:lxzone> \fBset autoboot=true\fR
1476 1505 zonecfg:lxzone> \fBexit\fR
1477 1506 .fi
1478 1507 .in -2
1479 1508 .sp
1480 1509
1481 1510 .LP
1482 1511 \fBExample 3 \fRCreating an Exclusive-IP Zone
1483 1512 .sp
1484 1513 .LP
1485 1514 The following example creates a zone that is granted exclusive access to
1486 1515 \fBbge1\fR and \fBbge33000\fR and that is isolated at the IP layer from the
1487 1516 other zones configured on the system.
1488 1517
1489 1518 .sp
1490 1519 .LP
1491 1520 The IP addresses and routing is configured inside the new zone using
1492 1521 \fBsysidtool\fR(1M).
1493 1522
1494 1523 .sp
1495 1524 .in +2
1496 1525 .nf
1497 1526 example# \fBzonecfg -z excl\fR
1498 1527 excl: No such zone configured
1499 1528 Use 'create' to begin configuring a new zone
1500 1529 zonecfg:excl> \fBcreate\fR
1501 1530 zonecfg:excl> \fBset zonepath=/export/zones/excl\fR
1502 1531 zonecfg:excl> \fBset ip-type=exclusive\fR
1503 1532 zonecfg:excl> \fBadd net\fR
1504 1533 zonecfg:excl:net> \fBset physical=bge1\fR
1505 1534 zonecfg:excl:net> \fBend\fR
1506 1535 zonecfg:excl> \fBadd net\fR
1507 1536 zonecfg:excl:net> \fBset physical=bge33000\fR
1508 1537 zonecfg:excl:net> \fBend\fR
1509 1538 zonecfg:excl> \fBexit\fR
1510 1539 .fi
1511 1540 .in -2
1512 1541 .sp
1513 1542
1514 1543 .LP
1515 1544 \fBExample 4 \fRAssociating a Zone with a Resource Pool
1516 1545 .sp
1517 1546 .LP
1518 1547 The following example shows how to associate an existing zone with an existing
1519 1548 resource pool:
1520 1549
1521 1550 .sp
1522 1551 .in +2
1523 1552 .nf
1524 1553 example# \fBzonecfg -z myzone\fR
1525 1554 zonecfg:myzone> \fBset pool=mypool\fR
1526 1555 zonecfg:myzone> \fBexit\fR
1527 1556 .fi
1528 1557 .in -2
1529 1558 .sp
1530 1559
1531 1560 .sp
1532 1561 .LP
1533 1562 For more information about resource pools, see \fBpooladm\fR(1M) and
1534 1563 \fBpoolcfg\fR(1M).
1535 1564
1536 1565 .LP
1537 1566 \fBExample 5 \fRChanging the Name of a Zone
1538 1567 .sp
1539 1568 .LP
1540 1569 The following example shows how to change the name of an existing zone:
1541 1570
1542 1571 .sp
1543 1572 .in +2
1544 1573 .nf
1545 1574 example# \fBzonecfg -z myzone\fR
1546 1575 zonecfg:myzone> \fBset zonename=myzone2\fR
1547 1576 zonecfg:myzone2> \fBexit\fR
1548 1577 .fi
1549 1578 .in -2
1550 1579 .sp
1551 1580
1552 1581 .LP
1553 1582 \fBExample 6 \fRChanging the Privilege Set of a Zone
1554 1583 .sp
1555 1584 .LP
1556 1585 The following example shows how to change the set of privileges an existing
1557 1586 zone's processes will be limited to the next time the zone is booted. In this
1558 1587 particular case, the privilege set will be the standard safe set of privileges
1559 1588 a zone normally has along with the privilege to change the system date and
1560 1589 time:
1561 1590
1562 1591 .sp
1563 1592 .in +2
1564 1593 .nf
1565 1594 example# \fBzonecfg -z myzone\fR
1566 1595 zonecfg:myzone> \fBset limitpriv="default,sys_time"\fR
1567 1596 zonecfg:myzone2> \fBexit\fR
1568 1597 .fi
1569 1598 .in -2
1570 1599 .sp
1571 1600
1572 1601 .LP
1573 1602 \fBExample 7 \fRSetting the \fBzone.cpu-shares\fR Property for the Global Zone
1574 1603 .sp
1575 1604 .LP
1576 1605 The following command sets the \fBzone.cpu-shares\fR property for the global
1577 1606 zone:
1578 1607
1579 1608 .sp
1580 1609 .in +2
1581 1610 .nf
1582 1611 example# \fBzonecfg -z global\fR
1583 1612 zonecfg:global> \fBset cpu-shares=5\fR
1584 1613 zonecfg:global> \fBexit\fR
1585 1614 .fi
1586 1615 .in -2
1587 1616 .sp
1588 1617
1589 1618 .LP
1590 1619 \fBExample 8 \fRUsing Pattern Matching
1591 1620 .sp
1592 1621 .LP
1593 1622 The following commands illustrate \fBzonecfg\fR support for pattern matching.
1594 1623 In the zone \fBflexlm\fR, enter:
1595 1624
1596 1625 .sp
1597 1626 .in +2
1598 1627 .nf
1599 1628 zonecfg:flexlm> \fBadd device\fR
1600 1629 zonecfg:flexlm:device> \fBset match="/dev/cua/a00[2-5]"\fR
1601 1630 zonecfg:flexlm:device> \fBend\fR
1602 1631 .fi
1603 1632 .in -2
1604 1633 .sp
1605 1634
1606 1635 .sp
1607 1636 .LP
1608 1637 In the global zone, enter:
1609 1638
1610 1639 .sp
1611 1640 .in +2
1612 1641 .nf
1613 1642 global# \fBls /dev/cua\fR
1614 1643 a a000 a001 a002 a003 a004 a005 a006 a007 b
1615 1644 .fi
1616 1645 .in -2
1617 1646 .sp
1618 1647
1619 1648 .sp
1620 1649 .LP
1621 1650 In the zone \fBflexlm\fR, enter:
1622 1651
1623 1652 .sp
1624 1653 .in +2
1625 1654 .nf
1626 1655 flexlm# \fBls /dev/cua\fR
1627 1656 a002 a003 a004 a005
1628 1657 .fi
1629 1658 .in -2
1630 1659 .sp
1631 1660
1632 1661 .LP
1633 1662 \fBExample 9 \fRSetting a Cap for a Zone to Three CPUs
1634 1663 .sp
1635 1664 .LP
1636 1665 The following sequence uses the \fBzonecfg\fR command to set the CPU cap for a
1637 1666 zone to three CPUs.
1638 1667
1639 1668 .sp
1640 1669 .in +2
1641 1670 .nf
1642 1671 zonecfg:myzone> \fBadd capped-cpu\fR
1643 1672 zonecfg:myzone>capped-cpu> \fBset ncpus=3\fR
1644 1673 zonecfg:myzone>capped-cpu>capped-cpu> \fBend\fR
1645 1674 .fi
1646 1675 .in -2
1647 1676 .sp
1648 1677
1649 1678 .sp
1650 1679 .LP
1651 1680 The preceding sequence, which uses the capped-cpu property, is equivalent to
1652 1681 the following sequence, which makes use of the \fBzone.cpu-cap\fR resource
1653 1682 control.
1654 1683
1655 1684 .sp
1656 1685 .in +2
1657 1686 .nf
1658 1687 zonecfg:myzone> \fBadd rctl\fR
1659 1688 zonecfg:myzone:rctl> \fBset name=zone.cpu-cap\fR
1660 1689 zonecfg:myzone:rctl> \fBadd value (priv=privileged,limit=300,action=none)\fR
1661 1690 zonecfg:myzone:rctl> \fBend\fR
1662 1691 .fi
1663 1692 .in -2
1664 1693 .sp
1665 1694
1666 1695 .LP
1667 1696 \fBExample 10 \fRUsing \fBkstat\fR to Monitor CPU Caps
1668 1697 .sp
1669 1698 .LP
1670 1699 The following command displays information about all CPU caps.
1671 1700
1672 1701 .sp
1673 1702 .in +2
1674 1703 .nf
1675 1704 # \fBkstat -n /cpucaps/\fR
1676 1705 module: caps instance: 0
1677 1706 name: cpucaps_project_0 class: project_caps
1678 1707 above_sec 0
1679 1708 below_sec 2157
1680 1709 crtime 821.048183159
1681 1710 maxusage 2
1682 1711 nwait 0
1683 1712 snaptime 235885.637253027
1684 1713 usage 0
1685 1714 value 18446743151372347932
1686 1715 zonename global
1687 1716
1688 1717 module: caps instance: 0
1689 1718 name: cpucaps_project_1 class: project_caps
1690 1719 above_sec 0
1691 1720 below_sec 0
1692 1721 crtime 225339.192787265
1693 1722 maxusage 5
1694 1723 nwait 0
1695 1724 snaptime 235885.637591677
1696 1725 usage 5
1697 1726 value 18446743151372347932
1698 1727 zonename global
1699 1728
1700 1729 module: caps instance: 0
1701 1730 name: cpucaps_project_201 class: project_caps
1702 1731 above_sec 0
1703 1732 below_sec 235105
1704 1733 crtime 780.37961782
1705 1734 maxusage 100
1706 1735 nwait 0
1707 1736 snaptime 235885.637789687
1708 1737 usage 43
1709 1738 value 100
1710 1739 zonename global
1711 1740
1712 1741 module: caps instance: 0
1713 1742 name: cpucaps_project_202 class: project_caps
1714 1743 above_sec 0
1715 1744 below_sec 235094
1716 1745 crtime 791.72983782
1717 1746 maxusage 100
1718 1747 nwait 0
1719 1748 snaptime 235885.637967512
1720 1749 usage 48
1721 1750 value 100
1722 1751 zonename global
1723 1752
1724 1753 module: caps instance: 0
1725 1754 name: cpucaps_project_203 class: project_caps
1726 1755 above_sec 0
1727 1756 below_sec 235034
1728 1757 crtime 852.104401481
1729 1758 maxusage 75
1730 1759 nwait 0
1731 1760 snaptime 235885.638144304
1732 1761 usage 47
1733 1762 value 100
1734 1763 zonename global
1735 1764
1736 1765 module: caps instance: 0
1737 1766 name: cpucaps_project_86710 class: project_caps
1738 1767 above_sec 22
1739 1768 below_sec 235166
1740 1769 crtime 698.441717859
1741 1770 maxusage 101
1742 1771 nwait 0
1743 1772 snaptime 235885.638319871
1744 1773 usage 54
1745 1774 value 100
1746 1775 zonename global
1747 1776
1748 1777 module: caps instance: 0
1749 1778 name: cpucaps_zone_0 class: zone_caps
1750 1779 above_sec 100733
1751 1780 below_sec 134332
1752 1781 crtime 821.048177123
1753 1782 maxusage 207
1754 1783 nwait 2
1755 1784 snaptime 235885.638497731
1756 1785 usage 199
1757 1786 value 200
1758 1787 zonename global
1759 1788
1760 1789 module: caps instance: 1
1761 1790 name: cpucaps_project_0 class: project_caps
1762 1791 above_sec 0
1763 1792 below_sec 0
1764 1793 crtime 225360.256448422
1765 1794 maxusage 7
1766 1795 nwait 0
1767 1796 snaptime 235885.638714404
1768 1797 usage 7
1769 1798 value 18446743151372347932
1770 1799 zonename test_001
1771 1800
1772 1801 module: caps instance: 1
1773 1802 name: cpucaps_zone_1 class: zone_caps
1774 1803 above_sec 2
1775 1804 below_sec 10524
1776 1805 crtime 225360.256440278
1777 1806 maxusage 106
1778 1807 nwait 0
1779 1808 snaptime 235885.638896443
1780 1809 usage 7
1781 1810 value 100
1782 1811 zonename test_001
1783 1812 .fi
1784 1813 .in -2
1785 1814 .sp
1786 1815
1787 1816 .LP
1788 1817 \fBExample 11 \fRDisplaying CPU Caps for a Specific Zone or Project
1789 1818 .sp
1790 1819 .LP
1791 1820 Using the \fBkstat\fR \fB-c\fR and \fB-i\fR options, you can display CPU caps
1792 1821 for a specific zone or project, as below. The first command produces a display
1793 1822 for a specific project, the second for the same project within zone 1.
1794 1823
1795 1824 .sp
1796 1825 .in +2
1797 1826 .nf
1798 1827 # \fBkstat -c project_caps\fR
1799 1828
1800 1829 # \fBkstat -c project_caps -i 1\fR
1801 1830 .fi
1802 1831 .in -2
1803 1832 .sp
1804 1833
1805 1834 .SH EXIT STATUS
1806 -.sp
1807 1835 .LP
1808 1836 The following exit values are returned:
1809 1837 .sp
1810 1838 .ne 2
1811 1839 .na
1812 1840 \fB\fB0\fR\fR
1813 1841 .ad
1814 1842 .sp .6
1815 1843 .RS 4n
1816 1844 Successful completion.
1817 1845 .RE
1818 1846
1819 1847 .sp
1820 1848 .ne 2
1821 1849 .na
1822 1850 \fB\fB1\fR\fR
1823 1851 .ad
1824 1852 .sp .6
1825 1853 .RS 4n
1826 1854 An error occurred.
1827 1855 .RE
1828 1856
1829 1857 .sp
1830 1858 .ne 2
1831 1859 .na
1832 1860 \fB\fB2\fR\fR
1833 1861 .ad
1834 1862 .sp .6
1835 1863 .RS 4n
1836 1864 Invalid usage.
1837 1865 .RE
1838 1866
1839 1867 .SH ATTRIBUTES
1840 -.sp
1841 1868 .LP
1842 1869 See \fBattributes\fR(5) for descriptions of the following attributes:
1843 1870 .sp
1844 1871
1845 1872 .sp
1846 1873 .TS
1847 1874 box;
1848 1875 c | c
1849 1876 l | l .
1850 1877 ATTRIBUTE TYPE ATTRIBUTE VALUE
1851 1878 _
1852 1879 Interface Stability Volatile
1853 1880 .TE
1854 1881
1855 1882 .SH SEE ALSO
1856 -.sp
1857 1883 .LP
1858 1884 \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M),
1859 1885 \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M),
1860 1886 \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M),
1861 1887 \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C),
1862 1888 \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5),
1863 1889 \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5),
1864 -\fBzones\fR(5)
1890 +\fBsecurity-flags\fR(5), \fBzones\fR(5)
1865 1891 .sp
1866 1892 .LP
1867 1893 \fISystem Administration Guide: Solaris Containers-Resource Management, and
1868 1894 Solaris Zones\fR
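Review bot: `security-flags(5)` is inserted into SEE ALSO (new line 1890) in the correct alphabetical slot between `resource_controls(5)` and `zones(5)`, but nothing else in the visible page points the reader at it: the `info` synopsis still lists only `zonename | zonepath | autoboot | brand | pool | limitpriv`, and EXAMPLES carries no worked security-flags configuration next to the existing privilege-set example (Example 6, `set limitpriv="default,sys_time"`). If this change set also adds a security-flags resource or property under PROPERTIES, extend the `info` synopsis to match and add a short example in the style of Example 6 showing the value being set and the session exited, so the cross reference has something on the page to anchor to; if it does not, a reader of SEE ALSO is left guessing why the page is listed. Also confirm that the security-flags(5) page is delivered alongside this one so the new cross reference does not dangle.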
1869 1895 .SH NOTES
1870 -.sp
1871 1896 .LP
1872 1897 All character data used by \fBzonecfg\fR must be in US-ASCII encoding.