zonecfg(1M)          System Administration Commands          zonecfg(1M)

NAME
    zonecfg - set up zone configuration

SYNOPSIS
    zonecfg -z zonename

    zonecfg -z zonename subcommand

    zonecfg -z zonename -f command_file

    zonecfg help

DESCRIPTION
    The zonecfg utility creates and modifies the configuration of a zone.
    Zone configuration consists of a number of resources and properties.

    To simplify the user interface, zonecfg uses the concept of a scope.
    The default scope is global.

    The following synopsis of the zonecfg command is for interactive usage:

        zonecfg -z zonename subcommand

    Parameters changed through zonecfg do not affect a running zone. The
    zone must be rebooted for the changes to take effect.

    In addition to creating and modifying a zone, the zonecfg utility can
    also be used to persistently specify the resource management settings
    for the global zone.

    In the following text, "rctl" is used as an abbreviation for "resource
    control". See resource_controls(5).

    Every zone is configured with an associated brand. The brand determines
    the user-level environment used within the zone, as well as various
    behaviors for the zone when it is installed, boots, or is shut down.
    Once a zone has been installed the brand cannot be changed. The default
    brand is determined by the installed distribution in the global zone.
    Some brands do not support all of the zonecfg properties and resources.
    See the brand-specific man page for more details on each brand. For an
    overview of brands, see the brands(5) man page.

  Resources
    The following resource types are supported:

    attr
        Generic attribute.

    capped-cpu
        Limits for CPU usage.

    capped-memory
        Limits for physical, swap, and locked memory.

    dataset
        ZFS dataset.

    dedicated-cpu
        Subset of the system's processors dedicated to this zone while it
        is running.

    device
        Device.

    fs
        File system.

    inherit-pkg-dir
        Directory inherited from the global zone. Used for sparse root
        zones (see the discussion of "Sparse and Whole Root Non-Global
        Zones," below). Software packages whose contents have been
        transferred into that directory are inherited in read-only mode by
        the non-global zone and the non-global zone's packaging database
        is updated to reflect those packages. Such resources are not
        modifiable or removable once a zone has been installed with
        zoneadm.

    net
        Network interface.

    rctl
        Resource control.

  Sparse and Whole Root Non-Global Zones
    In the administration of zones, it is useful to distinguish between the
    global zone and non-global zones. Within non-global zones, there are
    two zone root file system models: sparse and whole root. The sparse
    root zone model optimizes the sharing of objects. The whole root zone
    model provides the maximum configurability. Note that not all brands
    support the sparse zone model.

  Sparse Root Zones
    Non-global zones that have inherit-pkg-dir resources are called sparse
    root zones.

    The sparse root zone model optimizes the sharing of objects in the
    following ways:

        o   Only a subset of the packages installed in the global zone
            are installed directly into the non-global zone.

        o   Read-only loopback file systems, identified as
            inherit-pkg-dir resources, are used to gain access to other
            files.

    In this model, all packages appear to be installed in the non-global
    zone. Packages that do not deliver content into read-only loopback
    mount file systems are fully installed. There is no need to install
    content delivered into read-only loopback mounted file systems since
    that content is inherited (and visible) from the global zone.

        o   As a general guideline, a zone requires about 100 megabytes
            of free disk space per zone when the global zone has been
            installed with all of the standard Solaris packages.

        o   By default, any additional packages installed in the global
            zone also populate the non-global zones. The amount of disk
            space required might be increased accordingly, depending on
            whether the additional packages deliver files that reside in
            the inherit-pkg-dir resource space.

    An additional 40 megabytes of RAM per zone are suggested, but not
    required on a machine with sufficient swap space.

    A sparse zone inherits the following directories:

        /lib
        /platform
        /sbin
        /usr

    Although zonecfg allows you to remove one of these as an inherited
    directory, you should not do so. You should either follow the
    whole-root model or the sparse model; a subset of the sparse model is
    not tested and you might encounter unexpected problems.

    Adding an additional inherit-pkg-dir directory, such as /opt, to a
    sparse root zone is acceptable.

  Whole Root Zones
    The whole root zone model provides the maximum configurability. All of
    the required and any selected optional Solaris packages are installed
    into the private file systems of the zone. The advantages of this model
    include the capability for global administrators to customize their
    zones' file system layout. This would be done, for example, to add
    arbitrary unbundled or third-party packages.

    The disk requirements for this model are determined by the disk space
    used by the packages currently installed in the global zone.

    Note -

        If you create a sparse root zone that contains the following
        inherit-pkg-dir directories, you must remove these directories
        from the non-global zone's configuration before the zone is
        installed to have a whole root zone:

            o   /lib

            o   /platform

            o   /sbin

            o   /usr

  Properties
    Each resource type has one or more properties. There are also some
    global properties, that is, properties of the configuration as a whole,
    rather than of some particular resource.

    The following properties are supported:

        (global)            zonename
        (global)            zonepath
        (global)            autoboot
        (global)            bootargs
        (global)            pool
        (global)            limitpriv
        (global)            brand
        (global)            cpu-shares
        (global)            hostid
        (global)            max-lwps
        (global)            max-msg-ids
        (global)            max-sem-ids
        (global)            max-shm-ids
        (global)            max-shm-memory
        (global)            scheduling-class
        fs                  dir, special, raw, type, options
        inherit-pkg-dir     dir
        net                 address, physical, defrouter
        device              match
        rctl                name, value
        attr                name, type, value
        dataset             name
        dedicated-cpu       ncpus, importance
        capped-memory       physical, swap, locked
        capped-cpu          ncpus

    The property values paired with these names are either simple,
    complex, or lists. The type allowed is property-specific. Simple
    values are strings, optionally enclosed within quotation marks.
    Complex values have the syntax:

        (<name>=<value>,<name>=<value>,...)

    where each <value> is simple, and the <name> strings are unique within
    a given property. Lists have the syntax:

        [<value>,...]

    where each <value> is either simple or complex. A list of a single
    value (either simple or complex) is equivalent to specifying that value
    without the list syntax. That is, "foo" is equivalent to "[foo]". A
    list can be empty (denoted by "[]").

    In interpreting property values, zonecfg accepts regular expressions as
    specified in fnmatch(5). See EXAMPLES.

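The value grammar above (simple, complex, list), as an added example that is not part of the original man page: a small Python parser that normalises every value to list form. The function names are hypothetical, the sample values in the demo are constructed, and rejecting unquoted brackets or parentheses inside a simple value is an assumption of this example, not documented zonecfg behaviour.

```python
"""Parser for zonecfg property values: simple, complex and list forms."""


class PropertySyntaxError(ValueError):
    """Raised when a value does not fit the grammar described above."""


def _split_top_level(text):
    """Split on commas that are outside quotation marks and parentheses."""
    parts, depth, quoted, start = [], 0, False, 0
    for i, ch in enumerate(text):
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise PropertySyntaxError("unbalanced ')' in %r" % text)
        elif ch == "," and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    if quoted or depth:
        raise PropertySyntaxError("unterminated quote or '(' in %r" % text)
    parts.append(text[start:])
    return [p.strip() for p in parts]


def parse_simple(text):
    """A simple value is a string, optionally enclosed in quotation marks."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    # Assumption of this example: structural characters must be quoted.
    if not text or any(c in text for c in '()[]"'):
        raise PropertySyntaxError("not a simple value: %r" % text)
    return text


def parse_complex(text):
    """(<name>=<value>,...) with simple values and unique names."""
    pairs = {}
    for item in _split_top_level(text.strip()[1:-1]):
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise PropertySyntaxError("expected name=value, got %r" % item)
        if name in pairs:
            raise PropertySyntaxError("duplicate name %r" % name)
        pairs[name] = parse_simple(value)
    return pairs


def parse_value(text):
    """Return a list; a single value is the same as a one-element list."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        if not inner:
            return []          # "[]" is the empty list
        items = _split_top_level(inner)
    else:
        items = [text]         # "foo" is equivalent to "[foo]"
    result = []
    for item in items:
        if item.startswith("(") and item.endswith(")"):
            result.append(parse_complex(item))
        else:
            result.append(parse_simple(item))
    return result


if __name__ == "__main__":
    # Constructed sample values, one per form.
    for sample in ("foo", "[ro,nodevices]", "[]",
                   "[(priv=privileged,limit=5,action=none)]",
                   '"/dev/cua/a00[2-5]"'):
        print(sample, "->", parse_value(sample))
```
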
    The property types are described as follows:

    global: zonename
        The name of the zone.

    global: zonepath
        Path to zone's file system.

    global: autoboot
        Boolean indicating that a zone should be booted automatically at
        system boot. Note that if the zones service is disabled, the zone
        will not autoboot, regardless of the setting of this property. You
        enable the zones service with a svcadm command, such as:

            # svcadm enable svc:/system/zones:default

        Replace enable with disable to disable the zones service. See
        svcadm(1M).

    global: bootargs
        Arguments (options) to be passed to the zone bootup, unless options
        are supplied to the "zoneadm boot" command, in which case those
        take precedence. The valid arguments are described in zoneadm(1M).

    global: pool
        Name of the resource pool that this zone must be bound to when
        booted. This property is incompatible with the dedicated-cpu
        resource.

    global: limitpriv
        The maximum set of privileges any process in this zone can obtain.
        The property should consist of a comma-separated privilege set
        specification as described in priv_str_to_set(3C). Privileges can
        be excluded from the resulting set by preceding their names with a
        dash (-) or an exclamation point (!). The special privilege string
        "zone" is not supported in this context. If the special string
        "default" occurs as the first token in the property, it expands
        into a safe set of privileges that preserve the resource and
        security isolation described in zones(5). A missing or empty
        property is equivalent to this same set of safe privileges.

        The system administrator must take extreme care when configuring
        privileges for a zone. Some privileges cannot be excluded through
        this mechanism as they are required in order to boot a zone. In
        addition, there are certain privileges which cannot be given to a
        zone as doing so would allow processes inside a zone to unduly
        affect processes in other zones. zoneadm(1M) indicates when an
        invalid privilege has been added or removed from a zone's privilege
        set when an attempt is made to either "boot" or "ready" the zone.

        See privileges(5) for a description of privileges. The command
        "ppriv -l" (see ppriv(1)) produces a list of all Solaris
        privileges. You can specify privileges as they are displayed by
        ppriv. In privileges(5), privileges are listed in the form
        PRIV_privilege_name. For example, the privilege sys_time, as you
        would specify it in this property, is listed in privileges(5) as
        PRIV_SYS_TIME.

    global: brand
        The zone's brand type.

    global: ip-type
        A zone can either share the IP instance with the global zone, which
        is the default, or have its own exclusive instance of IP.

        This property takes the values shared and exclusive.

    global: hostid
        A zone can emulate a 32-bit host identifier to ease system
        consolidation. A zone's hostid property is empty by default,
        meaning that the zone does not emulate a host identifier. Zone host
        identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
        or 0X prefix is optional. Both uppercase and lowercase hexadecimal
        digits are acceptable.

    fs: dir, special, raw, type, options
        Values needed to determine how, where, and so forth to mount file
        systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).

    inherit-pkg-dir: dir
        The directory path.

    net: address, physical, defrouter
        The network address and physical interface name of the network
        interface. The network address is one of:

            o   a valid IPv4 address, optionally followed by "/" and a
                prefix length;

            o   a valid IPv6 address, which must be followed by "/" and
                a prefix length;

            o   a host name which resolves to an IPv4 address.

        Note that host names that resolve to IPv6 addresses are not
        supported.

        The physical interface name is the network interface name.

        The default router is specified similarly to the network address
        except that it must not be followed by a / (slash) and a network
        prefix length.

        A zone can be configured to be either exclusive-IP or shared-IP.
        For a shared-IP zone, you must set both the physical and address
        properties; setting the default router is optional. The interface
        specified in the physical property must be plumbed in the global
        zone prior to booting the non-global zone. However, if the
        interface is not used by the global zone, it should be configured
        down in the global zone, and the default router for the interface
        should be specified here.

        For an exclusive-IP zone, the physical property must be set and the
        address and default router properties cannot be set.

    device: match
        Device name to match.

    rctl: name, value
        The name and priv/limit/action triple of a resource control. See
        prctl(1) and rctladm(1M). The preferred way to set rctl values is
        to use the global property name associated with a specific rctl.

    attr: name, type, value
        The name, type and value of a generic attribute. The type must be
        one of int, uint, boolean or string, and the value must be of that
        type. uint means unsigned, that is, a non-negative integer.

    dataset: name
        The name of a ZFS dataset to be accessed from within the zone. See
        zfs(1M).

    global: cpu-shares
        The number of Fair Share Scheduler (FSS) shares to allocate to this
        zone. This property is incompatible with the dedicated-cpu
        resource. This property is the preferred way to set the
        zone.cpu-shares rctl.

    global: max-lwps
        The maximum number of LWPs simultaneously available to this zone.
        This property is the preferred way to set the zone.max-lwps rctl.

    global: max-msg-ids
        The maximum number of message queue IDs allowed for this zone. This
        property is the preferred way to set the zone.max-msg-ids rctl.

    global: max-sem-ids
        The maximum number of semaphore IDs allowed for this zone. This
        property is the preferred way to set the zone.max-sem-ids rctl.

    global: max-shm-ids
        The maximum number of shared memory IDs allowed for this zone. This
        property is the preferred way to set the zone.max-shm-ids rctl.

    global: max-shm-memory
        The maximum amount of shared memory allowed for this zone. This
        property is the preferred way to set the zone.max-shm-memory rctl.
        A scale (K, M, G, T) can be applied to the value for this number
        (for example, 1M is one megabyte).

    global: scheduling-class
        Specifies the scheduling class used for processes running in a
        zone. When this property is not specified, the scheduling class is
        established as follows:

            o   If the cpu-shares property or equivalent rctl is set,
                the scheduling class FSS is used.

            o   If neither cpu-shares nor the equivalent rctl is set and
                the zone's pool property references a pool that has a
                default scheduling class, that class is used.

            o   Under any other conditions, the system default scheduling
                class is used.

    dedicated-cpu: ncpus, importance
        The number of CPUs that should be assigned for this zone's
        exclusive use. The zone will create a pool and processor set when
        it boots. See pooladm(1M) and poolcfg(1M) for more information on
        resource pools. The ncpus property can specify a single value or a
        range (for example, 1-4) of processors. The importance property is
        optional; if set, it will specify the pset.importance value for use
        by poold(1M). If this resource is used, there must be enough free
        processors to allocate to this zone when it boots or the zone will
        not boot. The processors assigned to this zone will not be
        available for the use of the global zone or other zones. This
        resource is incompatible with both the pool and cpu-shares
        properties. Only a single instance of this resource can be added to
        the zone.

    capped-memory: physical, swap, locked
        The caps on the memory that can be used by this zone. A scale (K,
        M, G, T) can be applied to the value for each of these numbers (for
        example, 1M is one megabyte). Each of these properties is optional
        but at least one property must be set when adding this resource.
        Only a single instance of this resource can be added to the zone.
        The physical property sets the max-rss for this zone. This will be
        enforced by rcapd(1M) running in the global zone. The swap property
        is the preferred way to set the zone.max-swap rctl. The locked
        property is the preferred way to set the zone.max-locked-memory
        rctl.

    capped-cpu: ncpus
        Sets a limit on the amount of CPU time that can be used by a zone.
        The unit used translates to the percentage of a single CPU that can
        be used by all user threads in a zone, expressed as a fraction (for
        example, .75) or a mixed number (whole number and fraction, for
        example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of
        1.25 means 125%, .75 means 75%, and so forth. When projects within
        a capped zone have their own caps, the minimum value takes
        precedence.

        The capped-cpu property is an alias for the zone.cpu-cap resource
        control. See resource_controls(5).

    The following table summarizes resources, property-names, and types:

        resource            property-name       type
        (global)            zonename            simple
        (global)            zonepath            simple
        (global)            autoboot            simple
        (global)            bootargs            simple
        (global)            pool                simple
        (global)            limitpriv           simple
        (global)            brand               simple
        (global)            ip-type             simple
        (global)            hostid              simple
        (global)            cpu-shares          simple
        (global)            max-lwps            simple
        (global)            max-msg-ids         simple
        (global)            max-sem-ids         simple
        (global)            max-shm-ids         simple
        (global)            max-shm-memory      simple
        (global)            scheduling-class    simple
        fs                  dir                 simple
                            special             simple
                            raw                 simple
                            type                simple
                            options             list of simple
        inherit-pkg-dir     dir                 simple
        net                 address             simple
                            physical            simple
        device              match               simple
        rctl                name                simple
                            value               list of complex
        attr                name                simple
                            type                simple
                            value               simple
        dataset             name                simple
        dedicated-cpu       ncpus               simple or range
                            importance          simple
        capped-memory       physical            simple with scale
                            swap                simple with scale
                            locked              simple with scale
        capped-cpu          ncpus               simple

    The complex property "value" of the "rctl" resource type consists of
    three name/value pairs, the names being "priv", "limit" and "action",
    each of which takes a simple value. The "name" property of an "attr"
    resource is syntactically restricted in a fashion similar but not
    identical to zone names: it must begin with an alphanumeric, and can
    contain alphanumerics plus the hyphen (-), underscore (_), and dot (.)
    characters. Attribute names beginning with "zone" are reserved for use
    by the system. Finally, the "autoboot" global property must have a
    value of "true" or "false".

  Using Kernel Statistics to Monitor CPU Caps
    Using the kernel statistics (kstat(3KSTAT)) module caps, the system
    maintains information for all capped projects and zones. You can access
    this information by reading kernel statistics (kstat(3KSTAT)),
    specifying caps as the kstat module name. The following command
    displays kernel statistics for all active CPU caps:

        # kstat caps::'/cpucaps/'

    A kstat(1M) command running in a zone displays only CPU caps relevant
    for that zone and for projects in that zone. See EXAMPLES.

    The following are cap-related arguments for use with kstat(1M):

    caps
        The kstat module.

    project_caps or zone_caps
        kstat class, for use with the kstat -c option.

    cpucaps_project_id or cpucaps_zone_id
        kstat name, for use with the kstat -n option. id is the project or
        zone identifier.

    The following fields are displayed in response to a kstat(1M) command
    requesting statistics for all CPU caps.

    module
        In this usage of kstat, this field will have the value caps.

    name
        As described above, cpucaps_project_id or cpucaps_zone_id.

    above_sec
        Total time, in seconds, spent above the cap.

    below_sec
        Total time, in seconds, spent below the cap.

    maxusage
        Maximum observed CPU usage.

    nwait
        Number of threads on cap wait queue.

    usage
        Current aggregated CPU usage for all threads belonging to a capped
        project or zone, in terms of a percentage of a single CPU.

    value
        The cap value, in terms of a percentage of a single CPU.

    zonename
        Name of the zone for which statistics are displayed.

    See EXAMPLES for sample output from a kstat command.

OPTIONS
    The following options are supported:

    -f command_file
        Specify the name of zonecfg command file. command_file is a text
        file of zonecfg subcommands, one per line.

    -z zonename
        Specify the name of a zone. Zone names are case sensitive. Zone
        names must begin with an alphanumeric character and can contain
        alphanumeric characters, the underscore (_), the hyphen (-), and
        the dot (.). The name global and all names beginning with SUNW are
        reserved and cannot be used.

SUBCOMMANDS
    You can use the add and select subcommands to select a specific
    resource, at which point the scope changes to that resource. The end
    and cancel subcommands are used to complete the resource specification,
    at which time the scope reverts to global. Certain subcommands, such as
    add, remove and set, have different semantics in each scope.

    zonecfg supports a semicolon-separated list of subcommands. For
    example:

        # zonecfg -z myzone "add net; set physical=myvnic; end"

    Subcommands which can result in destructive actions or loss of work
    have an -F option to force the action. If input is from a terminal
    device, the user is prompted when appropriate if such a command is
    given without the -F option. Otherwise, if such a command is given
    without the -F option, the action is disallowed, with a diagnostic
    message written to standard error.

    The following subcommands are supported:

    add resource-type (global scope)
    add property-name property-value (resource scope)
        In the global scope, begin the specification for a given resource
        type. The scope is changed to that resource type.

        In the resource scope, add a property of the given name with the
        given value. The syntax for property values varies with different
        property types. In general, it is a simple value or a list of
        simple values enclosed in square brackets, separated by commas
        ([foo,bar,baz]). See PROPERTIES.

    cancel
        End the resource specification and reset scope to global. Abandons
        any partially specified resources. cancel is only applicable in the
        resource scope.

    clear property-name
        Clear the value for the property.

    commit
        Commit the current configuration from memory to stable storage. The
        configuration must be committed to be used by zoneadm. Until the
        in-memory configuration is committed, you can remove changes with
        the revert subcommand. The commit operation is attempted
        automatically upon completion of a zonecfg session. Since a
        configuration must be correct to be committed, this operation
        automatically does a verify.

    create [-F] [-a path | -b | -t template]
        Create an in-memory configuration for the specified zone. Use
        create to begin to configure a new zone. See commit for saving this
        to stable storage.

        If you are overwriting an existing configuration, specify the -F
        option to force the action. Specify the -t template option to
        create a configuration identical to template, where template is the
        name of a configured zone.

        Use the -a path option to facilitate configuring a detached zone on
        a new host. The path parameter is the zonepath location of a
        detached zone that has been moved on to this new host. Once the
        detached zone is configured, it should be installed using the
        "zoneadm attach" command (see zoneadm(1M)). All validation of the
        new zone happens during the attach process, not during zone
        configuration.

        Use the -b option to create a blank configuration. Without
        arguments, create applies the Sun default settings.

    delete [-F]
        Delete the specified configuration from memory and stable storage.
        This action is instantaneous; no commit is necessary. A deleted
        configuration cannot be reverted.

        Specify the -F option to force the action.

    end
        End the resource specification. This subcommand is only applicable
        in the resource scope. zonecfg checks to make sure the current
        resource is completely specified. If so, it is added to the
        in-memory configuration (see commit for saving this to stable
        storage) and the scope reverts to global. If the specification is
        incomplete, it issues an appropriate error message.

    export [-f output-file]
        Print configuration to standard output. Use the -f option to print
        the configuration to output-file. This option produces output in a
        form suitable for use in a command file.

    help [usage] [subcommand] [syntax] [command-name]
        Print general help or help about given topic.

    info zonename | zonepath | autoboot | brand | pool | limitpriv
    info [resource-type [property-name=property-value]*]
        Display information about the current configuration. If
        resource-type is specified, displays only information about
        resources of the relevant type. If any property-name value pairs
        are specified, displays only information about resources meeting
        the given criteria. In the resource scope, any arguments are
        ignored, and info displays information about the resource which is
        currently being added or modified.

    remove resource-type [property-name=property-value]* (global scope)
        In the global scope, removes the specified resource. The [] syntax
        means 0 or more of whatever is inside the square braces. If you
        want only to remove a single instance of the resource, you must
        specify enough property name-value pairs for the resource to be
        uniquely identified. If no property name-value pairs are specified,
        all instances will be removed. If more than one pair is specified,
        a confirmation is required, unless you use the -F option.

    select resource-type {property-name=property-value}
        Select the resource of the given type which matches the given
        property-name property-value pair criteria, for modification. This
        subcommand is applicable only in the global scope. The scope is
        changed to that resource type. The {} syntax means 1 or more of
        whatever is inside the curly braces. You must specify enough
        property-name property-value pairs for the resource to be uniquely
        identified.

    set property-name=property-value
        Set a given property name to the given value. Some properties (for
        example, zonename and zonepath) are global while others are
        resource-specific. This subcommand is applicable in both the global
        and resource scopes.

    verify
        Verify the current configuration for correctness:

            o   All resources have all of their required properties
                specified.

            o   A zonepath is specified.

    revert [-F]
        Revert the configuration back to the last committed state. The -F
        option can be used to force the action.

    exit [-F]
        Exit the zonecfg session. A commit is automatically attempted if
        needed. You can also use an EOF character to exit zonecfg. The -F
        option can be used to force the action.

EXAMPLES
    Example 1 Creating the Environment for a New Zone

    In the following example, zonecfg creates the environment for a new
    zone. /usr/local is loopback mounted from the global zone into
    /opt/local. /opt/sfw is loopback mounted from the global zone, three
    logical network interfaces are added, and a limit on the number of
    fair-share scheduler (FSS) CPU shares for a zone is set using the rctl
    resource type. The example also shows how to select a given resource
    for modification.

        example# zonecfg -z myzone3
        myzone3: No such zone configured
        Use 'create' to begin configuring a new zone.
        zonecfg:myzone3> create
        zonecfg:myzone3> set zonepath=/export/home/my-zone3
        zonecfg:myzone3> set autoboot=true
        zonecfg:myzone3> add fs
        zonecfg:myzone3:fs> set dir=/usr/local
        zonecfg:myzone3:fs> set special=/opt/local
        zonecfg:myzone3:fs> set type=lofs
        zonecfg:myzone3:fs> add options [ro,nodevices]
        zonecfg:myzone3:fs> end
        zonecfg:myzone3> add fs
        zonecfg:myzone3:fs> set dir=/mnt
        zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
        zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
        zonecfg:myzone3:fs> set type=ufs
        zonecfg:myzone3:fs> end
        zonecfg:myzone3> add inherit-pkg-dir
        zonecfg:myzone3:inherit-pkg-dir> set dir=/opt/sfw
        zonecfg:myzone3:inherit-pkg-dir> end
        zonecfg:myzone3> add net
        zonecfg:myzone3:net> set address=192.168.0.1/24
        zonecfg:myzone3:net> set physical=eri0
        zonecfg:myzone3:net> end
        zonecfg:myzone3> add net
        zonecfg:myzone3:net> set address=192.168.1.2/24
        zonecfg:myzone3:net> set physical=eri0
        zonecfg:myzone3:net> end
        zonecfg:myzone3> add net
        zonecfg:myzone3:net> set address=192.168.2.3/24
        zonecfg:myzone3:net> set physical=eri0
        zonecfg:myzone3:net> end
        zonecfg:myzone3> set cpu-shares=5
        zonecfg:myzone3> add capped-memory
        zonecfg:myzone3:capped-memory> set physical=50m
        zonecfg:myzone3:capped-memory> set swap=100m
        zonecfg:myzone3:capped-memory> end
        zonecfg:myzone3> exit

    Example 2 Creating a Non-Native Zone

    The following example creates a new Linux zone:

        example# zonecfg -z lxzone
        lxzone: No such zone configured
        Use 'create' to begin configuring a new zone
        zonecfg:lxzone> create -t SUNWlx
        zonecfg:lxzone> set zonepath=/export/zones/lxzone
        zonecfg:lxzone> set autoboot=true
        zonecfg:lxzone> exit

    Example 3 Creating an Exclusive-IP Zone

    The following example creates a zone that is granted exclusive access
    to bge1 and bge33000 and that is isolated at the IP layer from the
    other zones configured on the system.

    The IP addresses and routing are configured inside the new zone using
    sysidtool(1M).

        example# zonecfg -z excl
        excl: No such zone configured
        Use 'create' to begin configuring a new zone
        zonecfg:excl> create
        zonecfg:excl> set zonepath=/export/zones/excl
        zonecfg:excl> set ip-type=exclusive
        zonecfg:excl> add net
        zonecfg:excl:net> set physical=bge1
        zonecfg:excl:net> end
        zonecfg:excl> add net
        zonecfg:excl:net> set physical=bge33000
        zonecfg:excl:net> end
        zonecfg:excl> exit

Example 4 Associating a Zone with a Resource Pool

The following example shows how to associate an existing zone with an
existing resource pool:

example# zonecfg -z myzone
zonecfg:myzone> set pool=mypool
zonecfg:myzone> exit

For more information about resource pools, see pooladm(1M) and
poolcfg(1M).

Example 5 Changing the Name of a Zone

The following example shows how to change the name of an existing zone:

example# zonecfg -z myzone
zonecfg:myzone> set zonename=myzone2
zonecfg:myzone2> exit

Example 6 Changing the Privilege Set of a Zone

The following example shows how to change the set of privileges an
existing zone's processes will be limited to the next time the zone is
booted. In this particular case, the privilege set will be the standard
safe set of privileges a zone normally has along with the privilege to
change the system date and time:

example# zonecfg -z myzone
zonecfg:myzone> set limitpriv="default,sys_time"
zonecfg:myzone> exit
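
A check a reviewer might run over exported zone configurations to catch privilege additions like the one in Example 6. This is an added example, not part of the man page: the export text is constructed, APPROVED_EXTRAS is a hypothetical site policy, and names prefixed with a dash or exclamation point are read as exclusions, following the limitpriv syntax.

```python
import re

# Hypothetical site policy: privileges a zone may hold beyond "default".
APPROVED_EXTRAS = {"sys_time"}

# Constructed `zonecfg export`-style command text for three zones.
EXPORTS = {
    "myzone": 'create -b\nset zonepath=/export/zones/myzone\n'
              'set limitpriv="default,sys_time"\n',
    "dbzone": 'create -b\nset zonepath=/export/zones/dbzone\n'
              'set limitpriv="default,!net_rawaccess,dtrace_proc,sys_time"\n',
    "oldzone": 'create -b\nset zonepath=/export/zones/oldzone\n',
}

def parse_limitpriv(spec):
    """Split a limitpriv value into (base keywords, added, removed)."""
    base, added, removed = [], set(), set()
    for tok in filter(None, (t.strip() for t in spec.split(","))):
        if tok[0] in "-!":            # dash or exclamation point excludes a privilege
            removed.add(tok[1:])
        elif tok in ("default", "all", "none", "basic"):
            base.append(tok)
        else:
            added.add(tok)
    return base, added, removed

def audit(export_text, approved=APPROVED_EXTRAS):
    """Return a list of findings for one zone's exported configuration."""
    m = re.search(r'^set limitpriv=(.*)$', export_text, re.M)
    spec = m.group(1).strip().strip('"') if m else ""
    if not spec:                      # unset or empty: zone gets the default set
        return []
    base, added, _removed = parse_limitpriv(spec)
    findings = []
    if base != ["default"]:
        findings.append("base set is not 'default': " + (",".join(base) or "(none)"))
    # Additions are reported even if also excluded elsewhere in the value.
    findings += ["unapproved privilege: " + p for p in sorted(added - approved)]
    return findings

if __name__ == "__main__":
    for zone, text in EXPORTS.items():
        print(zone, audit(text) or "ok")
```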

Example 7 Setting the zone.cpu-shares Property for the Global Zone

The following command sets the zone.cpu-shares property for the global
zone:

example# zonecfg -z global
zonecfg:global> set cpu-shares=5
zonecfg:global> exit

Example 8 Using Pattern Matching

The following commands illustrate zonecfg support for pattern matching.
In the zone flexlm, enter:

zonecfg:flexlm> add device
zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
zonecfg:flexlm:device> end

In the global zone, enter:

global# ls /dev/cua
a a000 a001 a002 a003 a004 a005 a006 a007 b

In the zone flexlm, enter:

flexlm# ls /dev/cua
a002 a003 a004 a005

Example 9 Setting a Cap for a Zone to Three CPUs

The following sequence uses the zonecfg command to set the CPU cap for
a zone to three CPUs.

zonecfg:myzone> add capped-cpu
zonecfg:myzone:capped-cpu> set ncpus=3
zonecfg:myzone:capped-cpu> end

The preceding sequence, which uses the capped-cpu property, is
equivalent to the following sequence, which makes use of the
zone.cpu-cap resource control.

zonecfg:myzone> add rctl
zonecfg:myzone:rctl> set name=zone.cpu-cap
zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
zonecfg:myzone:rctl> end

Example 10 Using kstat to Monitor CPU Caps

The following command displays information about all CPU caps.

# kstat -n /cpucaps/
module: caps                            instance: 0
name:   cpucaps_project_0               class:    project_caps
        above_sec                       0
        below_sec                       2157
        crtime                          821.048183159
        maxusage                        2
        nwait                           0
        snaptime                        235885.637253027
        usage                           0
        value                           18446743151372347932
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_1               class:    project_caps
        above_sec                       0
        below_sec                       0
        crtime                          225339.192787265
        maxusage                        5
        nwait                           0
        snaptime                        235885.637591677
        usage                           5
        value                           18446743151372347932
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_201             class:    project_caps
        above_sec                       0
        below_sec                       235105
        crtime                          780.37961782
        maxusage                        100
        nwait                           0
        snaptime                        235885.637789687
        usage                           43
        value                           100
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_202             class:    project_caps
        above_sec                       0
        below_sec                       235094
        crtime                          791.72983782
        maxusage                        100
        nwait                           0
        snaptime                        235885.637967512
        usage                           48
        value                           100
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_203             class:    project_caps
        above_sec                       0
        below_sec                       235034
        crtime                          852.104401481
        maxusage                        75
        nwait                           0
        snaptime                        235885.638144304
        usage                           47
        value                           100
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_project_86710           class:    project_caps
        above_sec                       22
        below_sec                       235166
        crtime                          698.441717859
        maxusage                        101
        nwait                           0
        snaptime                        235885.638319871
        usage                           54
        value                           100
        zonename                        global

module: caps                            instance: 0
name:   cpucaps_zone_0                  class:    zone_caps
        above_sec                       100733
        below_sec                       134332
        crtime                          821.048177123
        maxusage                        207
        nwait                           2
        snaptime                        235885.638497731
        usage                           199
        value                           200
        zonename                        global

module: caps                            instance: 1
name:   cpucaps_project_0               class:    project_caps
        above_sec                       0
        below_sec                       0
        crtime                          225360.256448422
        maxusage                        7
        nwait                           0
        snaptime                        235885.638714404
        usage                           7
        value                           18446743151372347932
        zonename                        test_001

module: caps                            instance: 1
name:   cpucaps_zone_1                  class:    zone_caps
        above_sec                       2
        below_sec                       10524
        crtime                          225360.256440278
        maxusage                        106
        nwait                           0
        snaptime                        235885.638896443
        usage                           7
        value                           100
        zonename                        test_001

Example 11 Displaying CPU Caps for a Specific Zone or Project

Using the kstat -c and -i options, you can display CPU caps for a
specific zone or project, as below. The first command produces a display
for a specific project, the second for the same project within zone 1.

# kstat -c project_caps

# kstat -c project_caps -i 1
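
To turn the counters from Examples 10 and 11 into a check for zones or projects that keep running into their cap, the following parses kstat output and reports the saturated caps. This is an added example, not part of the man page; it reads above_sec and below_sec as seconds spent above and below the cap, value as percent of one CPU (as in Example 9), and treats the large value shown for uncapped projects as "no cap", which is an assumption drawn from the sample output.

```python
import re

NO_CAP = 18446743151372347932  # assumption: value shown on the page when no cap is set
# Constructed sample: three records from the page's kstat output, trimmed to the fields used.
SAMPLE = """\
module: caps instance: 0
name: cpucaps_zone_0 class: zone_caps
above_sec 100733
below_sec 134332
nwait 2
value 200
zonename global

module: caps instance: 1
name: cpucaps_project_0 class: project_caps
above_sec 0
below_sec 0
nwait 0
value 18446743151372347932
zonename test_001

module: caps instance: 1
name: cpucaps_zone_1 class: zone_caps
above_sec 2
below_sec 10524
nwait 0
value 100
zonename test_001
"""

def parse_caps(text):
    """One dict per blank-line-separated record; every line is 'key value' pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        tokens = block.split()
        records.append({k.rstrip(":"): v for k, v in zip(tokens[0::2], tokens[1::2])})
    return records

def caps_under_pressure(records, min_fraction=0.05):
    """Flag caps exceeded for >= min_fraction of their lifetime, or with waiters."""
    hits = []
    for r in records:
        cap, above, below = int(r["value"]), int(r["above_sec"]), int(r["below_sec"])
        if cap >= NO_CAP or above + below == 0:
            continue
        frac = above / (above + below)
        if frac >= min_fraction or int(r["nwait"]) > 0:
            hits.append((r["zonename"], r["name"], cap / 100, round(frac, 3)))
    return hits
```

Each tuple is (zone name, kstat name, cap in CPUs, fraction of time above the cap); on the sample only the global zone's 2-CPU cap is reported.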

The following exit values are returned:

0

Successful completion.

1

An error occurred.

2

Invalid usage.

See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
├─────────────────────────────┼─────────────────────────────┤
│Availability                 │SUNWzoneu                    │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability          │Volatile                     │
└─────────────────────────────┴─────────────────────────────┘

ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M), sysidtool(1M),
zfs(1M), zoneadm(1M), priv_str_to_set(3C), kstat(3KSTAT), vfstab(4),
attributes(5), brands(5), fnmatch(5), lx(5), privileges(5),
resource_controls(5), zones(5)

System Administration Guide: Solaris Containers-Resource Management,
and Solaris Zones

All character data used by zonecfg must be in US-ASCII encoding.

SunOS 5.11 29 Jul 2009 zonecfg(1M)