ZONECFG(1M)                  Maintenance Commands                  ZONECFG(1M)

NAME
     zonecfg - set up zone configuration

SYNOPSIS
     zonecfg -z zonename

     zonecfg -z zonename subcommand

     zonecfg -z zonename -f command_file

     zonecfg help

DESCRIPTION
     The zonecfg utility creates and modifies the configuration of a zone.
     Zone configuration consists of a number of resources and properties.

     To simplify the user interface, zonecfg uses the concept of a scope.
     The default scope is global.

     The following synopsis of the zonecfg command is for interactive usage:

         zonecfg -z zonename subcommand

     Parameters changed through zonecfg do not affect a running zone. The
     zone must be rebooted for the changes to take effect.

     In addition to creating and modifying a zone, the zonecfg utility can
     also be used to persistently specify the resource management settings
     for the global zone.

     In the following text, "rctl" is used as an abbreviation for "resource
     control". See resource_controls(5).

     Every zone is configured with an associated brand. The brand determines
     the user-level environment used within the zone, as well as various
     behaviors for the zone when it is installed, boots, or is shut down.
     Once a zone has been installed the brand cannot be changed. The default
     brand is determined by the installed distribution in the global zone.
     Some brands do not support all of the zonecfg properties and resources.
     See the brand-specific man page for more details on each brand. For an
     overview of brands, see the brands(5) man page.

   Resources
     The following resource types are supported:

     attr
         Generic attribute.

     capped-cpu
         Limits for CPU usage.

     capped-memory
         Limits for physical, swap, and locked memory.

     dataset
         ZFS dataset.

     dedicated-cpu
         Subset of the system's processors dedicated to this zone while it
         is running.

     device
         Device.

     fs
         File system.

     net
         Network interface.

     rctl
         Resource control.

   Properties
     Each resource type has one or more properties. There are also some
     global properties, that is, properties of the configuration as a whole,
     rather than of some particular resource.

     The following properties are supported:

         (global)         zonename
         (global)         zonepath
         (global)         autoboot
         (global)         bootargs
         (global)         pool
         (global)         limitpriv
         (global)         brand
         (global)         cpu-shares
         (global)         hostid
         (global)         max-lwps
         (global)         max-msg-ids
         (global)         max-sem-ids
         (global)         max-shm-ids
         (global)         max-shm-memory
         (global)         scheduling-class
         (global)         fs-allowed
         fs               dir, special, raw, type, options
         net              address, physical, defrouter
         device           match
         rctl             name, value
         attr             name, type, value
         dataset          name
         dedicated-cpu    ncpus, importance
         capped-memory    physical, swap, locked
         capped-cpu       ncpus

     As for the property values which are paired with these names, they are
     either simple, complex, or lists. The type allowed is property-specific.
     Simple values are strings, optionally enclosed within quotation marks.
     Complex values have the syntax:

         (<name>=<value>,<name>=<value>,...)

     where each <value> is simple, and the <name> strings are unique within
     a given property. Lists have the syntax:

         [<value>,...]

     where each <value> is either simple or complex. A list of a single
     value (either simple or complex) is equivalent to specifying that value
     without the list syntax. That is, "foo" is equivalent to "[foo]". A
     list can be empty (denoted by "[]").

     In interpreting property values, zonecfg accepts regular expressions as
     specified in fnmatch(5). See EXAMPLES.

     The property types are described as follows:

     global: zonename
         The name of the zone.

     global: zonepath
         Path to zone's file system.

     global: autoboot
         Boolean indicating that a zone should be booted automatically at
         system boot. Note that if the zones service is disabled, the zone
         will not autoboot, regardless of the setting of this property. You
         enable the zones service with a svcadm command, such as:

             # svcadm enable svc:/system/zones:default

         Replace enable with disable to disable the zones service. See
         svcadm(1M).

     global: bootargs
         Arguments (options) to be passed to the zone bootup, unless options
         are supplied to the "zoneadm boot" command, in which case those
         take precedence. The valid arguments are described in zoneadm(1M).

     global: pool
         Name of the resource pool that this zone must be bound to when
         booted. This property is incompatible with the dedicated-cpu
         resource.

     global: limitpriv
         The maximum set of privileges any process in this zone can obtain.
         The property should consist of a comma-separated privilege set
         specification as described in priv_str_to_set(3C). Privileges can
         be excluded from the resulting set by preceding their names with a
         dash (-) or an exclamation point (!). The special privilege string
         "zone" is not supported in this context. If the special string
         "default" occurs as the first token in the property, it expands
         into a safe set of privileges that preserve the resource and
         security isolation described in zones(5). A missing or empty
         property is equivalent to this same set of safe privileges.

         The system administrator must take extreme care when configuring
         privileges for a zone. Some privileges cannot be excluded through
         this mechanism as they are required in order to boot a zone. In
         addition, there are certain privileges which cannot be given to a
         zone as doing so would allow processes inside a zone to unduly
         affect processes in other zones. zoneadm(1M) indicates when an
         invalid privilege has been added or removed from a zone's privilege
         set when an attempt is made to either "boot" or "ready" the zone.

         See privileges(5) for a description of privileges. The command
         "ppriv -l" (see ppriv(1)) produces a list of all Solaris
         privileges. You can specify privileges as they are displayed by
         ppriv. In privileges(5), privileges are listed in the form
         PRIV_privilege_name. For example, the privilege sys_time, as you
         would specify it in this property, is listed in privileges(5) as
         PRIV_SYS_TIME.

     global: brand
         The zone's brand type.

     global: ip-type
         A zone can either share the IP instance with the global zone, which
         is the default, or have its own exclusive instance of IP.

         This property takes the values shared and exclusive.

     global: hostid
         A zone can emulate a 32-bit host identifier to ease system
         consolidation. A zone's hostid property is empty by default,
         meaning that the zone does not emulate a host identifier. Zone host
         identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x
         or 0X prefix is optional. Both uppercase and lowercase hexadecimal
         digits are acceptable.

     fs: dir, special, raw, type, options
         Values needed to determine how, where, and so forth to mount file
         systems. See mount(1M), mount(2), fsck(1M), and vfstab(4).

     net: address, physical, defrouter
         The network address and physical interface name of the network
         interface. The network address is one of:

             o   a valid IPv4 address, optionally followed by "/" and a
                 prefix length;

             o   a valid IPv6 address, which must be followed by "/" and
                 a prefix length;

             o   a host name which resolves to an IPv4 address.

         Note that host names that resolve to IPv6 addresses are not
         supported.

         The physical interface name is the network interface name.

         The default router is specified similarly to the network address
         except that it must not be followed by a / (slash) and a network
         prefix length.

         A zone can be configured to be either exclusive-IP or shared-IP.
         For a shared-IP zone, you must set both the physical and address
         properties; setting the default router is optional. The interface
         specified in the physical property must be plumbed in the global
         zone prior to booting the non-global zone. However, if the
         interface is not used by the global zone, it should be configured
         down in the global zone, and the default router for the interface
         should be specified here.

         For an exclusive-IP zone, the physical property must be set and the
         address and default router properties cannot be set.

     device: match
         Device name to match.

     rctl: name, value
         The name and priv/limit/action triple of a resource control. See
         prctl(1) and rctladm(1M). The preferred way to set rctl values is
         to use the global property name associated with a specific rctl.

     attr: name, type, value
         The name, type and value of a generic attribute. The type must be
         one of int, uint, boolean or string, and the value must be of that
         type. uint means unsigned, that is, a non-negative integer.

     dataset: name
         The name of a ZFS dataset to be accessed from within the zone. See
         zfs(1M).

     global: cpu-shares
         The number of Fair Share Scheduler (FSS) shares to allocate to this
         zone. This property is incompatible with the dedicated-cpu
         resource. This property is the preferred way to set the
         zone.cpu-shares rctl.

     global: max-lwps
         The maximum number of LWPs simultaneously available to this zone.
         This property is the preferred way to set the zone.max-lwps rctl.

     global: max-msg-ids
         The maximum number of message queue IDs allowed for this zone. This
         property is the preferred way to set the zone.max-msg-ids rctl.

     global: max-sem-ids
         The maximum number of semaphore IDs allowed for this zone. This
         property is the preferred way to set the zone.max-sem-ids rctl.

     global: max-shm-ids
         The maximum number of shared memory IDs allowed for this zone. This
         property is the preferred way to set the zone.max-shm-ids rctl.

     global: max-shm-memory
         The maximum amount of shared memory allowed for this zone. This
         property is the preferred way to set the zone.max-shm-memory rctl.
         A scale (K, M, G, T) can be applied to the value for this number
         (for example, 1M is one megabyte).

     global: scheduling-class
         Specifies the scheduling class used for processes running in a
         zone. When this property is not specified, the scheduling class is
         established as follows:

             o   If the cpu-shares property or equivalent rctl is set,
                 the scheduling class FSS is used.

             o   If neither cpu-shares nor the equivalent rctl is set and
                 the zone's pool property references a pool that has a
                 default scheduling class, that class is used.

             o   Under any other conditions, the system default
                 scheduling class is used.

         If the FX scheduling class is specified, then the optional
         fixed-hi-pri attribute can be set to true. This causes all of the
         processes in the zone to run at the highest FX priority. By default
         processes under FX run at the lowest priority. See priocntl(2) for
         details on each scheduling class.

     dedicated-cpu: ncpus, importance
         The number of CPUs that should be assigned for this zone's
         exclusive use. The zone will create a pool and processor set when
         it boots. See pooladm(1M) and poolcfg(1M) for more information on
         resource pools. The ncpus property can specify a single value or a
         range (for example, 1-4) of processors. The importance property is
         optional; if set, it will specify the pset.importance value for use
         by poold(1M). If this resource is used, there must be enough free
         processors to allocate to this zone when it boots or the zone will
         not boot. The processors assigned to this zone will not be
         available for the use of the global zone or other zones. This
         resource is incompatible with both the pool and cpu-shares
         properties. Only a single instance of this resource can be added to
         the zone.

     capped-memory: physical, swap, locked
         The caps on the memory that can be used by this zone. A scale (K,
         M, G, T) can be applied to the value for each of these numbers (for
         example, 1M is one megabyte). Each of these properties is optional
         but at least one property must be set when adding this resource.
         Only a single instance of this resource can be added to the zone.
         The physical property sets the max-rss for this zone. This will be
         enforced by rcapd(1M) running in the global zone. The swap
         property is the preferred way to set the zone.max-swap rctl. The
         locked property is the preferred way to set the
         zone.max-locked-memory rctl.

     capped-cpu: ncpus
         Sets a limit on the amount of CPU time that can be used by a zone.
         The unit used translates to the percentage of a single CPU that can
         be used by all user threads in a zone, expressed as a fraction (for
         example, .75) or a mixed number (whole number and fraction, for
         example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of
         1.25 means 125%, .75 means 75%, and so forth. When projects within a
         capped zone have their own caps, the minimum value takes
         precedence.

         The capped-cpu property is an alias for the zone.cpu-cap resource
         control. See resource_controls(5).

     global: fs-allowed
         A comma-separated list of additional filesystems that may be
         mounted within the zone; for example "ufs,pcfs". By default, only
         hsfs(7fs) and network filesystems can be mounted. If the first
         entry in the list is "-" then that disables all of the default
         filesystems. If any filesystems are listed after "-" then only
         those filesystems can be mounted.

         This property does not apply to filesystems mounted into the zone
         via "add fs" or "add dataset".

         WARNING: allowing filesystem mounts other than the default may
         allow the zone administrator to compromise the system with a
         malicious filesystem image, and is not supported.
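
The limitpriv and fs-allowed rules above, applied as a review check over a zonecfg command file. This is an added example, not part of zonecfg; the function names, the REVIEW/INFO/ERROR labels and the sample command file (including the proc_info exclusion) are constructed for illustration, and input is assumed to hold one subcommand per line.

```shell
#!/bin/sh
# Added example, not part of zonecfg. Reads zonecfg subcommands on stdin,
# one per line (the -f command_file format), and reports how limitpriv and
# fs-allowed depart from the defaults described in the property text.
audit_zone_cmds() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function unquote(s) {
        s = trim(s)
        if (length(s) >= 2 && s ~ /^".*"$/) s = substr(s, 2, length(s) - 2)
        return s
    }
    function check_limitpriv(v,    n, i, t, tok, first) {
        lp = (v == "") ? "empty" : "set"
        if (v == "") return
        n = split(v, tok, ",")
        first = trim(tok[1])
        if (first != "default")
            print "REVIEW limitpriv is an explicit set, not based on \"default\": " v
        for (i = 1; i <= n; i++) {
            t = trim(tok[i])
            if (t == "zone")
                print "ERROR limitpriv token \"zone\" is not supported in this property"
            else if (t == "default" && i > 1)
                print "REVIEW limitpriv has \"default\" after the first token"
            else if (t ~ /^[-!]/)
                print "INFO limitpriv excludes privilege " substr(t, 2)
            else if (t != "default" && first == "default")
                print "REVIEW limitpriv adds privilege " t " to the default safe set"
        }
    }
    function check_fs_allowed(v,    n, i, t, tok, start) {
        if (v == "") return
        n = split(v, tok, ",")
        start = 1
        if (trim(tok[1]) == "-") {
            print "INFO fs-allowed disables the default mountable filesystems"
            start = 2
        }
        for (i = start; i <= n; i++) {
            t = trim(tok[i])
            if (t != "") print "REVIEW fs-allowed permits mounting " t " inside the zone"
        }
    }
    # Scope tracking: "add <resource>" in the global scope opens a resource
    # scope; "end" or "cancel" returns to the global scope.
    $1 == "add" && scope == "" { scope = $2; next }
    $1 == "end" || $1 == "cancel" { scope = ""; next }
    scope != "" || $1 != "set" { next }   # both properties are global
    {
        line = $0
        sub(/^[ \t]*set[ \t]+/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        name = trim(substr(line, 1, eq - 1))
        val = unquote(substr(line, eq + 1))
        if (name == "limitpriv") check_limitpriv(val)
        else if (name == "fs-allowed") check_fs_allowed(val)
    }
    END {
        if (lp == "" || lp == "empty")
            print "INFO limitpriv missing or empty: the default safe set applies"
    }
    '
}

# Constructed sample command file built from subcommands shown on this page.
sample_cmds() {
    cat <<'EOF'
create -b
set zonepath=/export/zones/myzone
set autoboot=true
set limitpriv="default,sys_time,-proc_info"
set fs-allowed="ufs,pcfs"
add fs
set dir=/usr/local
set special=/opt/local
set type=lofs
add options [ro,nodevices]
end
add net
set physical=bge1
end
EOF
}

sample_cmds | audit_zone_cmds
```

On a live system the same function can be fed from "zonecfg -z zonename export", which the export subcommand describes as suitable for use in a command file.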

     The following table summarizes resources, property-names, and types:

         resource         property-name       type
         (global)         zonename            simple
         (global)         zonepath            simple
         (global)         autoboot            simple
         (global)         bootargs            simple
         (global)         pool                simple
         (global)         limitpriv           simple
         (global)         brand               simple
         (global)         ip-type             simple
         (global)         hostid              simple
         (global)         cpu-shares          simple
         (global)         max-lwps            simple
         (global)         max-msg-ids         simple
         (global)         max-sem-ids         simple
         (global)         max-shm-ids         simple
         (global)         max-shm-memory      simple
         (global)         scheduling-class    simple
         fs               dir                 simple
                          special             simple
                          raw                 simple
                          type                simple
                          options             list of simple
         net              address             simple
                          physical            simple
         device           match               simple
         rctl             name                simple
                          value               list of complex
         attr             name                simple
                          type                simple
                          value               simple
         dataset          name                simple
         dedicated-cpu    ncpus               simple or range
                          importance          simple
         capped-memory    physical            simple with scale
                          swap                simple with scale
                          locked              simple with scale
         capped-cpu       ncpus               simple

     To be more specific, the complex property "value" of the "rctl"
     resource type consists of three name/value pairs, the names being
     "priv", "limit" and "action", each of which takes a simple value. The
     "name" property of an "attr" resource is syntactically restricted in a
     fashion similar but not identical to zone names: it must begin with an
     alphanumeric, and can contain alphanumerics plus the hyphen (-),
     underscore (_), and dot (.) characters. Attribute names beginning with
     "zone" are reserved for use by the system. Finally, the "autoboot"
     global property must have a value of "true" or "false".

   Using Kernel Statistics to Monitor CPU Caps
     Using the kernel statistics (kstat(3KSTAT)) module caps, the system
     maintains information for all capped projects and zones. You can access
     this information by reading kernel statistics (kstat(3KSTAT)),
     specifying caps as the kstat module name. The following command
     displays kernel statistics for all active CPU caps:

         # kstat caps::'/cpucaps/'

     A kstat(1M) command running in a zone displays only CPU caps relevant
     for that zone and for projects in that zone. See EXAMPLES.

     The following are cap-related arguments for use with kstat(1M):

     caps
         The kstat module.

     project_caps or zone_caps
         kstat class, for use with the kstat -c option.

     cpucaps_project_id or cpucaps_zone_id
         kstat name, for use with the kstat -n option. id is the project or
         zone identifier.

     The following fields are displayed in response to a kstat(1M) command
     requesting statistics for all CPU caps.

     module
         In this usage of kstat, this field will have the value caps.

     name
         As described above, cpucaps_project_id or cpucaps_zone_id

     above_sec
         Total time, in seconds, spent above the cap.

     below_sec
         Total time, in seconds, spent below the cap.

     maxusage
         Maximum observed CPU usage.

     nwait
         Number of threads on cap wait queue.

     usage
         Current aggregated CPU usage for all threads belonging to a capped
         project or zone, in terms of a percentage of a single CPU.

     value
         The cap value, in terms of a percentage of a single CPU.

     zonename
         Name of the zone for which statistics are displayed.

     See EXAMPLES for sample output from a kstat command.

OPTIONS
     The following options are supported:

     -f command_file
         Specify the name of a zonecfg command file. command_file is a text
         file of zonecfg subcommands, one per line.

     -z zonename
         Specify the name of a zone. Zone names are case sensitive. Zone
         names must begin with an alphanumeric character and can contain
         alphanumeric characters, the underscore (_), the hyphen (-), and the
         dot (.). The name global and all names beginning with SUNW are
         reserved and cannot be used.
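
The zone name rules above and the hostid rules from the property descriptions, written as pre-flight checks for scripts that build zonecfg command lines. This is an added example, not part of zonecfg; the function names are hypothetical, and accepting leading zeros in a hostid is an assumption the page does not address.

```shell
#!/bin/sh
# Added example, not part of zonecfg.
LC_ALL=C; export LC_ALL    # zonecfg character data is US-ASCII

# valid_zonename NAME: succeed only if NAME follows the -z zonename rules.
valid_zonename() {
    case $1 in
        '')                 return 1 ;;  # empty name
        global|SUNW*)       return 1 ;;  # reserved names
        [!A-Za-z0-9]*)      return 1 ;;  # must begin with an alphanumeric
        *[!A-Za-z0-9_.-]*)  return 1 ;;  # only alphanumerics, _ - and .
    esac
    return 0
}

# normalize_hostid VALUE: print VALUE as lowercase hex without prefix or
# leading zeros, or fail if it is not a hex value between 0 and FFFFFFFE.
normalize_hostid() {
    _h=$1
    case $_h in
        0x*|0X*) _h=${_h#0[xX]} ;;       # optional 0x or 0X prefix
    esac
    case $_h in
        ''|*[!0-9A-Fa-f]*) return 1 ;;   # empty or non-hex digits
    esac
    # Assumption: leading zeros are tolerated and stripped before the
    # range check.
    while [ "${#_h}" -gt 1 ] && [ "${_h#0}" != "$_h" ]; do
        _h=${_h#0}
    done
    [ "${#_h}" -le 8 ] || return 1       # more than 32 bits
    _h=$(printf '%s' "$_h" | tr 'A-F' 'a-f')
    [ "$_h" != ffffffff ] || return 1    # upper bound is FFFFFFFE
    printf '%s\n' "$_h"
}

# Constructed inputs showing accepted and rejected values.
for z in my-zone3 test_001 global SUNWlx _tmp 'a b'; do
    if valid_zonename "$z"; then
        echo "zonename ok:       $z"
    else
        echo "zonename rejected: $z"
    fi
done
for h in 0X80A1B2C3 fffffffe FFFFFFFF 0x 12G4; do
    if n=$(normalize_hostid "$h"); then
        echo "hostid ok:         $h -> $n"
    else
        echo "hostid rejected:   $h"
    fi
done
```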

SUBCOMMANDS
     You can use the add and select subcommands to select a specific
     resource, at which point the scope changes to that resource. The end
     and cancel subcommands are used to complete the resource specification,
     at which time the scope is reverted back to global. Certain
     subcommands, such as add, remove and set, have different semantics in
     each scope.

     zonecfg supports a semicolon-separated list of subcommands. For
     example:

         # zonecfg -z myzone "add net; set physical=myvnic; end"

     Subcommands which can result in destructive actions or loss of work
     have an -F option to force the action. If input is from a terminal
     device, the user is prompted when appropriate if such a command is
     given without the -F option; otherwise, if such a command is given
     without the -F option, the action is disallowed, with a diagnostic
     message written to standard error.

     The following subcommands are supported:

     add resource-type (global scope)
     add property-name property-value (resource scope)
         In the global scope, begin the specification for a given resource
         type. The scope is changed to that resource type.

         In the resource scope, add a property of the given name with the
         given value. The syntax for property values varies with different
         property types. In general, it is a simple value or a list of
         simple values enclosed in square brackets, separated by commas
         ([foo,bar,baz]). See PROPERTIES.

     cancel
         End the resource specification and reset scope to global. Abandons
         any partially specified resources. cancel is only applicable in the
         resource scope.

     clear property-name
         Clear the value for the property.

     commit
         Commit the current configuration from memory to stable storage. The
         configuration must be committed to be used by zoneadm. Until the
         in-memory configuration is committed, you can remove changes with
         the revert subcommand. The commit operation is attempted
         automatically upon completion of a zonecfg session. Since a
         configuration must be correct to be committed, this operation
         automatically does a verify.

     create [-F] [-a path | -b | -t template]
         Create an in-memory configuration for the specified zone. Use
         create to begin to configure a new zone. See commit for saving this
         to stable storage.

         If you are overwriting an existing configuration, specify the -F
         option to force the action. Specify the -t template option to
         create a configuration identical to template, where template is the
         name of a configured zone.

         Use the -a path option to facilitate configuring a detached zone on
         a new host. The path parameter is the zonepath location of a
         detached zone that has been moved on to this new host. Once the
         detached zone is configured, it should be installed using the
         "zoneadm attach" command (see zoneadm(1M)). All validation of the
         new zone happens during the attach process, not during zone
         configuration.

         Use the -b option to create a blank configuration. Without
         arguments, create applies the Sun default settings.

     delete [-F]
         Delete the specified configuration from memory and stable storage.
         This action is instantaneous; no commit is necessary. A deleted
         configuration cannot be reverted.

         Specify the -F option to force the action.

     end
         End the resource specification. This subcommand is only applicable
         in the resource scope. zonecfg checks to make sure the current
         resource is completely specified. If so, it is added to the
         in-memory configuration (see commit for saving this to stable
         storage) and the scope reverts to global. If the specification is
         incomplete, it issues an appropriate error message.

     export [-f output-file]
         Print configuration to standard output. Use the -f option to print
         the configuration to output-file. This option produces output in a
         form suitable for use in a command file.

     help [usage] [subcommand] [syntax] [command-name]
         Print general help or help about given topic.

     info zonename | zonepath | autoboot | brand | pool | limitpriv
     info [resource-type [property-name=property-value]*]
         Display information about the current configuration. If
         resource-type is specified, displays only information about
         resources of the relevant type. If any property-name value pairs
         are specified, displays only information about resources meeting
         the given criteria. In the resource scope, any arguments are
         ignored, and info displays information about the resource which is
         currently being added or modified.

     remove resource-type [property-name=property-value]* (global scope)
         In the global scope, removes the specified resource. The [] syntax
         means 0 or more of whatever is inside the square braces. If you
         want only to remove a single instance of the resource, you must
         specify enough property name-value pairs for the resource to be
         uniquely identified. If no property name-value pairs are specified,
         all instances will be removed. If more than one pair is specified,
         a confirmation is required, unless you use the -F option.

     select resource-type {property-name=property-value}
         Select the resource of the given type which matches the given
         property-name property-value pair criteria, for modification. This
         subcommand is applicable only in the global scope. The scope is
         changed to that resource type. The {} syntax means 1 or more of
         whatever is inside the curly braces. You must specify enough
         property-name property-value pairs for the resource to be uniquely
         identified.

     set property-name=property-value
         Set a given property name to the given value. Some properties (for
         example, zonename and zonepath) are global while others are
         resource-specific. This subcommand is applicable in both the global
         and resource scopes.

     verify
         Verify the current configuration for correctness:

             o   All resources have all of their required properties
                 specified.

             o   A zonepath is specified.

     revert [-F]
         Revert the configuration back to the last committed state. The -F
         option can be used to force the action.

     exit [-F]
         Exit the zonecfg session. A commit is automatically attempted if
         needed. You can also use an EOF character to exit zonecfg. The -F
         option can be used to force the action.

EXAMPLES
     Example 1 Creating the Environment for a New Zone

     In the following example, zonecfg creates the environment for a new
     zone. /usr/local is loopback mounted from the global zone into
     /opt/local. /opt/sfw is loopback mounted from the global zone, three
     logical network interfaces are added, and a limit on the number of
     fair-share scheduler (FSS) CPU shares for a zone is set using the rctl
     resource type. The example also shows how to select a given resource
     for modification.

         example# zonecfg -z myzone3
         myzone3: No such zone configured
         Use 'create' to begin configuring a new zone.
         zonecfg:myzone3> create
         zonecfg:myzone3> set zonepath=/export/home/my-zone3
         zonecfg:myzone3> set autoboot=true
         zonecfg:myzone3> add fs
         zonecfg:myzone3:fs> set dir=/usr/local
         zonecfg:myzone3:fs> set special=/opt/local
         zonecfg:myzone3:fs> set type=lofs
         zonecfg:myzone3:fs> add options [ro,nodevices]
         zonecfg:myzone3:fs> end
         zonecfg:myzone3> add fs
         zonecfg:myzone3:fs> set dir=/mnt
         zonecfg:myzone3:fs> set special=/dev/dsk/c0t0d0s7
         zonecfg:myzone3:fs> set raw=/dev/rdsk/c0t0d0s7
         zonecfg:myzone3:fs> set type=ufs
         zonecfg:myzone3:fs> end
         zonecfg:myzone3> add net
         zonecfg:myzone3:net> set address=192.168.0.1/24
         zonecfg:myzone3:net> set physical=eri0
         zonecfg:myzone3:net> end
         zonecfg:myzone3> add net
         zonecfg:myzone3:net> set address=192.168.1.2/24
         zonecfg:myzone3:net> set physical=eri0
         zonecfg:myzone3:net> end
         zonecfg:myzone3> add net
         zonecfg:myzone3:net> set address=192.168.2.3/24
         zonecfg:myzone3:net> set physical=eri0
         zonecfg:myzone3:net> end
         zonecfg:myzone3> set cpu-shares=5
         zonecfg:myzone3> add capped-memory
         zonecfg:myzone3:capped-memory> set physical=50m
         zonecfg:myzone3:capped-memory> set swap=100m
         zonecfg:myzone3:capped-memory> end
         zonecfg:myzone3> exit

     Example 2 Creating a Non-Native Zone

     The following example creates a new Linux zone:

         example# zonecfg -z lxzone
         lxzone: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:lxzone> create -t SUNWlx
         zonecfg:lxzone> set zonepath=/export/zones/lxzone
         zonecfg:lxzone> set autoboot=true
         zonecfg:lxzone> exit

     Example 3 Creating an Exclusive-IP Zone

     The following example creates a zone that is granted exclusive access
     to bge1 and bge33000 and that is isolated at the IP layer from the
     other zones configured on the system.

     The IP addresses and routing are configured inside the new zone using
     sysidtool(1M).

         example# zonecfg -z excl
         excl: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:excl> create
         zonecfg:excl> set zonepath=/export/zones/excl
         zonecfg:excl> set ip-type=exclusive
         zonecfg:excl> add net
         zonecfg:excl:net> set physical=bge1
         zonecfg:excl:net> end
         zonecfg:excl> add net
         zonecfg:excl:net> set physical=bge33000
         zonecfg:excl:net> end
         zonecfg:excl> exit

     Example 4 Associating a Zone with a Resource Pool

     The following example shows how to associate an existing zone with an
     existing resource pool:

         example# zonecfg -z myzone
         zonecfg:myzone> set pool=mypool
         zonecfg:myzone> exit

     For more information about resource pools, see pooladm(1M) and
     poolcfg(1M).

     Example 5 Changing the Name of a Zone

     The following example shows how to change the name of an existing zone:

         example# zonecfg -z myzone
         zonecfg:myzone> set zonename=myzone2
         zonecfg:myzone2> exit

     Example 6 Changing the Privilege Set of a Zone

     The following example shows how to change the set of privileges an
     existing zone's processes will be limited to the next time the zone is
     booted. In this particular case, the privilege set will be the standard
     safe set of privileges a zone normally has along with the privilege to
     change the system date and time:

         example# zonecfg -z myzone
         zonecfg:myzone> set limitpriv="default,sys_time"
         zonecfg:myzone> exit

     Example 7 Setting the zone.cpu-shares Property for the Global Zone

     The following command sets the zone.cpu-shares property for the global
     zone:

         example# zonecfg -z global
         zonecfg:global> set cpu-shares=5
         zonecfg:global> exit

     Example 8 Using Pattern Matching

     The following commands illustrate zonecfg support for pattern matching.
     In the zone flexlm, enter:

         zonecfg:flexlm> add device
         zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
         zonecfg:flexlm:device> end

     In the global zone, enter:

         global# ls /dev/cua
         a a000 a001 a002 a003 a004 a005 a006 a007 b

     In the zone flexlm, enter:

         flexlm# ls /dev/cua
         a002 a003 a004 a005

     Example 9 Setting a Cap for a Zone to Three CPUs

     The following sequence uses the zonecfg command to set the CPU cap for
     a zone to three CPUs.

         zonecfg:myzone> add capped-cpu
         zonecfg:myzone:capped-cpu> set ncpus=3
         zonecfg:myzone:capped-cpu> end

     The preceding sequence, which uses the capped-cpu property, is
     equivalent to the following sequence, which makes use of the
     zone.cpu-cap resource control.

         zonecfg:myzone> add rctl
         zonecfg:myzone:rctl> set name=zone.cpu-cap
         zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
         zonecfg:myzone:rctl> end

     Example 10 Using kstat to Monitor CPU Caps

     The following command displays information about all CPU caps.

         # kstat -n /cpucaps/
         module: caps                    instance: 0
         name:   cpucaps_project_0       class:    project_caps
                 above_sec               0
                 below_sec               2157
                 crtime                  821.048183159
                 maxusage                2
                 nwait                   0
                 snaptime                235885.637253027
                 usage                   0
                 value                   18446743151372347932
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_project_1       class:    project_caps
                 above_sec               0
                 below_sec               0
                 crtime                  225339.192787265
                 maxusage                5
                 nwait                   0
                 snaptime                235885.637591677
                 usage                   5
                 value                   18446743151372347932
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_project_201     class:    project_caps
                 above_sec               0
                 below_sec               235105
                 crtime                  780.37961782
                 maxusage                100
                 nwait                   0
                 snaptime                235885.637789687
                 usage                   43
                 value                   100
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_project_202     class:    project_caps
                 above_sec               0
                 below_sec               235094
                 crtime                  791.72983782
                 maxusage                100
                 nwait                   0
                 snaptime                235885.637967512
                 usage                   48
                 value                   100
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_project_203     class:    project_caps
                 above_sec               0
                 below_sec               235034
                 crtime                  852.104401481
                 maxusage                75
                 nwait                   0
                 snaptime                235885.638144304
                 usage                   47
                 value                   100
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_project_86710   class:    project_caps
                 above_sec               22
                 below_sec               235166
                 crtime                  698.441717859
                 maxusage                101
                 nwait                   0
                 snaptime                235885.638319871
                 usage                   54
                 value                   100
                 zonename                global

         module: caps                    instance: 0
         name:   cpucaps_zone_0          class:    zone_caps
                 above_sec               100733
                 below_sec               134332
                 crtime                  821.048177123
                 maxusage                207
                 nwait                   2
                 snaptime                235885.638497731
                 usage                   199
                 value                   200
                 zonename                global

         module: caps                    instance: 1
         name:   cpucaps_project_0       class:    project_caps
                 above_sec               0
                 below_sec               0
                 crtime                  225360.256448422
                 maxusage                7
                 nwait                   0
                 snaptime                235885.638714404
                 usage                   7
                 value                   18446743151372347932
                 zonename                test_001

         module: caps                    instance: 1
         name:   cpucaps_zone_1          class:    zone_caps
                 above_sec               2
                 below_sec               10524
                 crtime                  225360.256440278
                 maxusage                106
                 nwait                   0
                 snaptime                235885.638896443
                 usage                   7
                 value                   100
                 zonename                test_001
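
The above_sec, below_sec and nwait fields can be turned into a simple saturation report. This is an added example, not part of kstat or zonecfg; the function names, the output format and the default threshold of 1 percent are assumptions, and the sample input is four records copied from the Example 10 output.

```shell
#!/bin/sh
# Added example, not part of kstat or zonecfg.
# caps_over_limit [MIN_PCT]: read kstat output for the caps module on stdin
# and print one line for each cap that spent at least MIN_PCT percent of its
# recorded time above the cap, or that has threads on the cap wait queue.
caps_over_limit() {
    awk -v min="${1:-1}" '
    function emit(    total, pct) {
        if (name != "") {
            total = f["above_sec"] + f["below_sec"]
            pct = (total > 0) ? int(100 * f["above_sec"] / total) : 0
            if (pct >= min + 0 || f["nwait"] + 0 > 0)
                printf "%s %s above_pct=%d nwait=%d usage=%s cap=%s\n", \
                    f["zonename"], name, pct, f["nwait"], f["usage"], f["value"]
        }
        name = ""
        split("", f)                # clear the per-record field table
    }
    $1 == "module:" { emit(); next }     # a new record starts here
    $1 == "name:"   { name = $2; next }
    NF == 2         { f[$1] = $2 }       # statistic name and value
    END             { emit() }
    '
}

# Four records copied from the Example 10 output on this page.
sample_kstat() {
    cat <<'EOF'
module: caps                    instance: 0
name:   cpucaps_project_0       class:    project_caps
        above_sec               0
        below_sec               2157
        nwait                   0
        usage                   0
        value                   18446743151372347932
        zonename                global

module: caps                    instance: 0
name:   cpucaps_project_86710   class:    project_caps
        above_sec               22
        below_sec               235166
        nwait                   0
        usage                   54
        value                   100
        zonename                global

module: caps                    instance: 0
name:   cpucaps_zone_0          class:    zone_caps
        above_sec               100733
        below_sec               134332
        nwait                   2
        usage                   199
        value                   200
        zonename                global

module: caps                    instance: 1
name:   cpucaps_zone_1          class:    zone_caps
        above_sec               2
        below_sec               10524
        nwait                   0
        usage                   7
        value                   100
        zonename                test_001
EOF
}

sample_kstat | caps_over_limit 1
```

On a live system the input would come from the kstat command shown in Example 10 instead of sample_kstat.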

     Example 11 Displaying CPU Caps for a Specific Zone or Project

     Using the kstat -c and -i options, you can display CPU caps for a
     specific zone or project, as below. The first command produces a
     display for a specific project, the second for the same project within
     zone 1.

         # kstat -c project_caps

         # kstat -c project_caps -i 1

EXIT STATUS
     The following exit values are returned:

     0
         Successful completion.

     1
         An error occurred.

     2
         Invalid usage.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +--------------------+-----------------+
     |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
     +--------------------+-----------------+
     |Interface Stability | Volatile        |
     +--------------------+-----------------+

SEE ALSO
     ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
     poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
     sysidtool(1M), zfs(1M), zoneadm(1M), priocntl(2), priv_str_to_set(3C),
     kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
     privileges(5), resource_controls(5), zones(5)

     System Administration Guide: Solaris Containers-Resource Management,
     and Solaris Zones

NOTES
     All character data used by zonecfg must be in US-ASCII encoding.

                               November 4, 2015                    ZONECFG(1M)