System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones

Chapter 28 Solaris Zones Administration (Tasks)

This chapter covers general administration tasks and provides usage examples.

What's New in This Chapter?

This section lists new product features and identifies documentation improvements in this guide.

For a complete listing of new Solaris 10 features and a description of Solaris releases, see Oracle Solaris 10 9/10 What’s New.

What's New in This Chapter for Solaris 10 1/06?

A new procedure for media access has been added. See How to Add Access to CD or DVD Media in a Non-Global Zone.

New procedures for backing up and restoring files in zones have been added. See Backing Up a Solaris System With Installed Zones and Restoring a Non-Global Zone.

What's New in This Chapter for Solaris 10 6/06?

New procedures have been added. See How to Mount a File System From the Global Zone Into a Non-Global Zone and How to Add a Writable Directory under /usr in a Non-Global Zone.

What's New in This Chapter for Solaris 10 8/07?

New procedures have been added. See How to Use DTrace, Solaris 10 8/07: Administering Data-Links in Exclusive-IP Non-Global Zones, and Checking the Status of SMF Services in a Non-Global Zone.

Using the ppriv Utility

Use the ppriv utility to display the zone's privileges.

Procedure: How to List Solaris Privileges in the Global Zone

Use the ppriv utility with the -l option to list the privileges available on the system.

  1. At the prompt, type ppriv -l zone to report the set of privileges available in the zone.


    global# ppriv -l zone
    

    You will see a display similar to this:


    contract_event
    contract_observer
    cpc_cpu
    .
    .
    .

Procedure: How to List the Non-Global Zone's Privilege Set

Use the ppriv utility with the -l option and the expression zone to list the zone's privileges.

  1. Log into the non-global zone. This example uses a zone named my-zone.

  2. At the prompt, type ppriv -l zone to report the set of privileges available in the zone.


    my-zone# ppriv -l zone
    

    You will see a display similar to this:


    contract_event
    contract_observer
    file_chown
    
    .
    .
    .

Procedure: How to List a Non-Global Zone's Privilege Set With Verbose Output

Use the ppriv utility with the -l option, the expression zone, and the -v option to list the zone's privileges.

  1. Log into the non-global zone. This example uses a zone named my-zone.

  2. At the prompt, type ppriv -l -v zone to report the set of privileges available in the zone, with a description of each privilege.


    my-zone# ppriv -l -v zone
    

    You will see a display similar to this:


    contract_event
            Allows a process to request critical events without limitation.
            Allows a process to request reliable delivery of all events on
            any event queue.
    contract_observer
            Allows a process to observe contract events generated by
            contracts created and owned by users other than the process's
            effective user ID.
            Allows a process to open contract event endpoints belonging to
            contracts created and owned by users other than the process's
            effective user ID.
    file_chown
            Allows a process to change a file's owner user ID.
            Allows a process to change a file's group ID to one other than
            the process' effective group ID or one of the process'
            supplemental group IDs.
    .
    .
    .

Using DTrace in a Non-Global Zone

Perform the following steps to use DTrace functionality as described in Running DTrace in a Non-Global Zone.

Procedure: How to Use DTrace

  1. Use the zonecfg limitpriv property to add the dtrace_proc and dtrace_user privileges.


    global# zonecfg -z my-zone
    zonecfg:my-zone> set limitpriv="default,dtrace_proc,dtrace_user"
    zonecfg:my-zone> exit
    

    Note –

    Depending on your requirements, you can add either privilege, or both privileges.


  2. Boot the zone.


    global# zoneadm -z my-zone boot
    
  3. Log in to the zone.


    global# zlogin my-zone
    
  4. Run the DTrace program.


    my-zone# dtrace -l
    

Checking the Status of SMF Services in a Non-Global Zone

To check the status of SMF services in a native non-global zone, use the zlogin command.

Procedure: How to Check the Status of SMF Services From the Command Line

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. From the command line, type the following to show all services, including disabled ones.


    global# zlogin my-zone svcs -a
    
See Also

For more information, see Chapter 22, Logging In to Non-Global Zones (Tasks) and svcs(1).

Procedure: How to Check the Status of SMF Services From Within a Zone

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Log in to the zone.


    global# zlogin my-zone
    
  3. Run the svcs command with the -a option to show all services, including disabled ones.


    my-zone# svcs -a
    
See Also

For more information, see Chapter 22, Logging In to Non-Global Zones (Tasks) and svcs(1).

Mounting File Systems in Running Non-Global Zones

You can mount file systems in a running non-global zone. The following procedures are covered.

Procedure: How to Import Raw and Block Devices by Using zonecfg

This procedure uses the lofi file driver, which exports a file as a block device.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Change directories to /usr/tmp.


    global# cd /usr/tmp
    
  3. Create a 10-Mbyte file, fsfile, to hold the new UFS file system.


    global# mkfile 10m fsfile
    
  4. Attach the file as a block device.

    The first available slot, which is /dev/lofi/1 if no other lofi devices have been created, is used.


    global# lofiadm -a `pwd`/fsfile
    

    You will also get the required character device.

  5. Import the devices into the zone my-zone.


    global# zonecfg -z my-zone
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/rlofi/1
    zonecfg:my-zone:device> end
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/lofi/1
    zonecfg:my-zone:device> end
    
  6. Reboot the zone.


    global# zoneadm -z my-zone boot
    
  7. Log in to the zone and verify that the devices were successfully imported.


    my-zone# ls  -l /dev/*lofi/*
    

    You will see a display that is similar to this:


    brw-------   1 root     sys      147,  1 Jan  7 11:26 /dev/lofi/1
    crw-------   1 root     sys      147,  1 Jan  7 11:26 /dev/rlofi/1
See Also

For more information, see the lofiadm(1M) and lofi(7D) man pages.

Procedure: How to Mount the File System Manually

You must be the zone administrator and have the Zone Management profile to perform this procedure. This procedure uses the newfs command, which is described in the newfs(1M) man page.

  1. Become superuser, or have the Zone Management rights profile in your list of profiles.

  2. In the zone my-zone, create a new file system on the disk.


    my-zone# newfs /dev/lofi/1
    
  3. Respond yes at the prompt.


    newfs: construct a new file system /dev/rlofi/1: (y/n)? y
    

    You will see a display that is similar to this:


    /dev/rlofi/1:   20468 sectors in 34 cylinders of 1 tracks, 602 sectors
            10.0MB in 3 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
    super-block backups (for fsck -F ufs -o b=#) at:
     32, 9664, 19296,
  4. Check the file system for errors.


    my-zone# fsck -F ufs /dev/rlofi/1
    

    You will see a display that is similar to this:


    ** /dev/rlofi/1
    ** Last Mounted on 
    ** Phase 1 - Check Blocks and Sizes
    ** Phase 2 - Check Pathnames
    ** Phase 3 - Check Connectivity
    ** Phase 4 - Check Reference Counts
    ** Phase 5 - Check Cyl groups
    2 files, 9 used, 9320 free (16 frags, 1163 blocks, 0.2% fragmentation)
  5. Mount the file system.


    my-zone# mount -F ufs /dev/lofi/1 /mnt
    
  6. Verify the mount.


    my-zone# grep /mnt /etc/mnttab
    

    You will see a display similar to this:


    /dev/lofi/1     /mnt    ufs     rw,suid,intr,largefiles,xattr,onerror=panic,zone=foo,dev=24c0001     1073503869

Procedure: How to Place a File System in /etc/vfstab to Be Mounted When the Zone Boots

This procedure is used to mount the block device /dev/lofi/1 on the file system path /mnt. The block device contains a UFS file system. The following options are used:

  1. Become superuser, or have the Zone Management rights profile in your list of profiles.

  2. In the zone my-zone, add the following line to /etc/vfstab:


    /dev/lofi/1 /dev/rlofi/1  /mnt   ufs  2  yes logging

Procedure: How to Mount a File System From the Global Zone Into a Non-Global Zone

Assume that a zone has the zonepath /export/home/my-zone. You want to mount the disk /dev/lofi/1 from the global zone into /mnt in the non-global zone.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. To mount the disk into /mnt in the non-global zone, type the following from the global zone:


    global# mount -F ufs /dev/lofi/1 /export/home/my-zone/root/mnt
    
See Also

For information about lofi, see the lofiadm(1M) and lofi(7D) man pages.

Adding Non-Global Zone Access to Specific File Systems in the Global Zone

Procedure: How to Add Access to CD or DVD Media in a Non-Global Zone

This procedure enables you to add read-only access to CD or DVD media in a non-global zone. The Volume Management file system is used in the global zone for mounting the media. A CD or DVD can then be used to install a product in the non-global zone. This procedure uses a DVD named jes_05q4_dvd.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Determine whether the Volume Management file system is running in the global zone.


    global# svcs volfs
    STATE          STIME    FMRI
    online         Sep_29   svc:/system/filesystem/volfs:default
  3. (Optional) If the Volume Management file system is not running in the global zone, start it.


    global# svcadm enable volfs
    
  4. Insert the media.

  5. Check for media in the drive.


    global# volcheck
    
  6. Test whether the DVD is automounted.


    global# ls /cdrom
    

    You will see a display similar to the following:


    cdrom   cdrom1   jes_05q4_dvd
  7. Loopback mount the file system with the options ro,nodevices (read-only and no devices) in the non-global zone.


    global# zonecfg -z my-zone
    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/cdrom
    zonecfg:my-zone:fs> set special=/cdrom
    zonecfg:my-zone:fs> set type=lofs
    zonecfg:my-zone:fs> add options [ro,nodevices]
    zonecfg:my-zone:fs> end
    zonecfg:my-zone> commit
    zonecfg:my-zone> exit
    
  8. Reboot the non-global zone.


    global# zoneadm -z my-zone reboot
    
  9. Use the zoneadm list command with the -v option to verify the status.


    global# zoneadm list -v
    

    You will see a display that is similar to the following:


    ID  NAME     STATUS       PATH                           BRAND      IP
     0  global   running      /                              native     shared
     1  my-zone  running      /export/home/my-zone           native     shared
  10. Log in to the non-global zone.


    global# zlogin my-zone
    
  11. Verify the DVD-ROM mount.


    my-zone# ls /cdrom
    

    You will see a display similar to this:


    cdrom   cdrom1   jes_05q4_dvd
  12. Install the product as described in the product installation guide.

  13. Exit the non-global zone.


    my-zone# exit
    

    Tip –

    You might want to retain the /cdrom file system in your non-global zone. The mount will always reflect the current contents of the CD-ROM drive, or an empty directory if the drive is empty.


  14. (Optional) If you want to remove the /cdrom file system from the non-global zone, use the following procedure.


    global# zonecfg -z my-zone
    zonecfg:my-zone> remove fs dir=/cdrom
    zonecfg:my-zone> commit
    zonecfg:my-zone> exit
    

Procedure: How to Add a Writable Directory under /usr in a Non-Global Zone

In a sparse root zone, /usr is mounted read-only from the global zone. You can use this procedure to add a writable directory, such as /usr/local, under /usr in your zone.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Create the directory /usr/local in the global zone.


    global# mkdir -p /usr/local
    
  3. Specify a directory in the global zone to serve as the backing store for the zone's /usr/local directory.


    global# mkdir -p /storage/local/my-zone
    
  4. Edit the configuration for the zone my-zone.


    global# zonecfg -z my-zone
    
  5. Add the loopback-mounted filesystem.


    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/usr/local
    zonecfg:my-zone:fs> set special=/storage/local/my-zone
    zonecfg:my-zone:fs> set type=lofs
    zonecfg:my-zone:fs> end
    zonecfg:my-zone> commit
    zonecfg:my-zone> exit
    
  6. Boot the zone.

Procedure: How to Export Home Directories in the Global Zone Into a Non-Global Zone

This procedure is used to export home directories or other file systems from the global zone into non-global zones on the same system.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Add the loopback-mounted filesystem.


    global# zonecfg -z my-zone
    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/export/home
    zonecfg:my-zone:fs> set special=/export/home
    zonecfg:my-zone:fs> set type=lofs
    zonecfg:my-zone:fs> set options=nodevices
    zonecfg:my-zone:fs> end
    zonecfg:my-zone> commit
    zonecfg:my-zone> exit
    
  3. Add the following line to the zone's /etc/auto_home file:


    $HOST:/export/home/&

Using IP Network Multipathing on a Solaris System With Zones Installed

Procedure: Solaris 10 8/07: How to Use IP Network Multipathing in Exclusive-IP Non-Global Zones

IP Network Multipathing (IPMP) in an exclusive-IP zone is configured as it is in the global zone.

You can configure one or more physical interfaces into an IP multipathing group, or IPMP group. After configuring IPMP, the system automatically monitors the interfaces in the IPMP group for failure. If an interface in the group fails or is removed for maintenance, IPMP automatically migrates, or fails over, the failed interface's IP addresses. The recipient of these addresses is a functioning interface in the failed interface's IPMP group. The failover feature of IPMP preserves connectivity and prevents disruption of any existing connections. Additionally, IPMP improves overall network performance by automatically spreading out network traffic across the set of interfaces in the IPMP group. This process is called load spreading.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Configure IPMP groups as described in Configuring IPMP Groups in System Administration Guide: IP Services.

Procedure: How to Extend IP Network Multipathing Functionality to Shared-IP Non-Global Zones

Use this procedure to configure IPMP in the global zone and extend the IPMP functionality to non-global zones.

Each address, or logical interface, should be associated with a non-global zone when you configure the zone. See Using the zonecfg Command and How to Configure the Zone for instructions.

This procedure accomplishes the following:

In a running zone, you can use the ifconfig command to make the association. See Shared-IP Network Interfaces and the ifconfig(1M) man page.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. In the global zone, configure IPMP groups as described in Configuring IPMP Groups in System Administration Guide: IP Services.

  3. Use the zonecfg command to configure the zone. When you configure the net resource, add address 192.168.0.1, physical interface bge0, and a default router setting to the zone my-zone:


    zonecfg:my-zone> add net
    zonecfg:my-zone:net> set address=192.168.0.1
    zonecfg:my-zone:net> set physical=bge0
    zonecfg:my-zone:net> set defrouter=10.0.0.1
    zonecfg:my-zone:net> end
    

    Only bge0 would be visible in non-global zone my-zone.

If bge0 Subsequently Fails

If bge0 subsequently fails and the bge0 data addresses fail over to hme0 in the global zone, then the my-zone addresses migrate as well.

If address 192.168.0.1 moves to hme0, then only hme0 would now be visible in non-global zone my-zone. This card would be associated with address 192.168.0.1, and bge0 would no longer be visible.

Solaris 10 8/07: Administering Data-Links in Exclusive-IP Non-Global Zones

The dladm command is used from the global zone to administer data-links.

Procedure: How to Use dladm show-linkprop

The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones.

You must be the global administrator in the global zone to administer data-links.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Show the assignment of data-links on the system.


    global# dladm show-linkprop
    

Example 28–1 Using dladm With the show-linkprop Subcommand

  1. In the first screen, zone 49bge, which is assigned bge0, has not been booted.


    global# dladm show-linkprop
    LINK         PROPERTY        VALUE          DEFAULT        POSSIBLE
    bge0         zone            --             --             --
    ath0         channel         6              --             --
    ath0         powermode       ?              off            off,fast,max
    ath0         radio           ?              on             on,off
    ath0         speed           11             --             1,2,5.5,6,9,11,12,18,24,36,48,54
    ath0         zone            --             --             --
  2. Zone 49bge is booted.


    global# zoneadm -z 49bge boot
    
  3. The command dladm show-linkprop is run again. Note that the bge0 link is now assigned to 49bge.


    global# dladm show-linkprop
    LINK         PROPERTY        VALUE          DEFAULT        POSSIBLE
    bge0         zone            49bge          --             --
    ath0         channel         6              --             --
    ath0         powermode       ?              off            off,fast,max
    ath0         radio           ?              on             on,off
    ath0         speed           11             --             1,2,5.5,6,9,11,12,18,24,36,48,54
    ath0         zone            --             --             --

Procedure: How to Use dladm set-linkprop

The dladm command can be used with the set-linkprop subcommand to temporarily assign data-links to running exclusive-IP zones. Persistent assignment must be made through the zonecfg command.

You must be the global administrator in the global zone to administer data-links.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Use dladm set-linkprop with the -t option to add bge0 to a running zone called excl.


    global# dladm set-linkprop -t -p zone=excl bge0
    LINK         PROPERTY        VALUE          DEFAULT        POSSIBLE
    bge0         zone            excl           --             --

    Tip –

    The -p option produces a display using a stable machine-parseable format.


Procedure: How to Use dladm reset-linkprop

The dladm command can be used with the reset-linkprop subcommand to reset the bge0 link value to unassigned.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Use dladm reset-linkprop with the -t option to undo the zone assignment of the bge0 device.


    global# dladm reset-linkprop -t -p zone=excl bge0
    LINK         PROPERTY        VALUE          DEFAULT        POSSIBLE
    bge0         zone            excl           --             --

    Tip –

    The -p option produces a display using a stable machine-parseable format.


Troubleshooting

If the running zone is using the device, the reassignment fails and an error message is displayed. See Exclusive-IP Zone Is Using Device, so dladm reset-linkprop Fails.

Using the Fair Share Scheduler on a Solaris System With Zones Installed

Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted. To set shares in a zone permanently, see How to Configure the Zone and How to Set zone.cpu-shares in the Global Zone.

Procedure: How to Set FSS Shares in the Global Zone Using the prctl Command

The global zone is given one share by default. You can use this procedure to change the default allocation. Note that you must reset shares allocated through the prctl command whenever you reboot the system.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Use the prctl utility to assign two shares to the global zone:


    # prctl -n zone.cpu-shares -v 2 -r -i zone global
    
  3. (Optional) To verify the number of shares assigned to the global zone, type:


    # prctl -n zone.cpu-shares -i zone global
    
See Also

For more information on the prctl utility, see the prctl(1) man page.

Procedure: How to Change the zone.cpu-shares Value in a Zone Dynamically

This procedure can be used for any zone, not just the global zone.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Use the prctl command to specify a new value for cpu-shares.


    # prctl -n zone.cpu-shares -r -v value -i zone zonename
    

    The final operand, shown here as zonename, is either the zonename or the zoneid. value is the new value.

Using Rights Profiles in Zone Administration

This section covers tasks associated with using rights profiles in non-global zones.

Procedure: How to Assign the Zone Management Profile

The Zone Management profile grants the power to manage all of the non-global zones on the system to a user.

You must be the global administrator in the global zone to perform this procedure.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Create a role that includes the Zone Management rights profile, and assign the role to a user.

Example—Using Profile Shells With Zone Commands

You can execute zone commands in a profile using the pfexec program. The program executes commands with the attributes specified by the user's profiles in the exec_attr database. The program is invoked by the profile shells pfksh, pfcsh, and pfsh.

Use the pfexec program to log in to a zone, for example, my-zone.


    machine$ pfexec zlogin my-zone

Backing Up a Solaris System With Installed Zones

The following procedures can be used to back up files in zones. Remember to also back up the zones' configuration files.

Procedure: How to Use ufsdump to Perform Backups

You can perform full or incremental backups using the ufsdump command. This procedure backs up the zone /export/my-zone to /backup/my-zone.ufsdump, where my-zone is replaced with the name of a zone on your system. You might want to have a separate file system, for example, a file system mounted on /backup, to hold the backups.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. (Optional) Shut down the zone to put the zone in a quiescent state and to avoid creating backups of shared file systems.


    global# zlogin -S my-zone init 0
    
  3. Check the zone's status.


    global# zoneadm list -cv
    

    You will see a display similar to the following:


    ID  NAME     STATUS       PATH                           BRAND      IP
     0  global   running      /                              native     shared
     -  my-zone  installed    /export/home/my-zone           native     shared
  4. Perform the backup.


    global# ufsdump 0f /backup/my-zone.ufsdump /export/my-zone
    

    You will see a display similar to the following:


    DUMP: Date of this level 0 dump: Wed Aug 10 16:13:52 2005
    DUMP: Date of last level 0 dump: the epoch
    DUMP: Dumping /dev/rdsk/c0t0d0s0 (bird:/) to /backup/my-zone.ufsdump. 
    DUMP: Mapping (Pass I) [regular files]
    DUMP: Mapping (Pass II) [directories]
    DUMP: Writing 63 Kilobyte records
    DUMP: Estimated 363468 blocks (174.47MB).
    DUMP: Dumping (Pass III) [directories]
    DUMP: Dumping (Pass IV) [regular files]
    DUMP: 369934 blocks (180.63MB) on 1 volume at 432 KB/sec
    DUMP: DUMP IS DONE
  5. Boot the zone.


    global# zoneadm -z my-zone boot
    

Procedure: How to Create a UFS Snapshot Using fssnap

This approach uses the fssnap command, which creates a temporary image of a file system intended for backup operations.

This method can be used to provide a clean, consistent backup of the zone files only, and it can be executed while zones are running. However, it is a good idea to suspend or checkpoint active applications that are updating files when the snapshot is created. An application updating files when the snapshot is created might leave these files in an internally inconsistent, truncated, or otherwise unusable state.

In the example procedure below, note the following:

Before You Begin

The destination backup is /backup/my-zone.ufsdump. You must create the directory backup under /.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Create the snapshot.


    global# fssnap -o bs=/export /export/home
    

    You will see a display similar to the following:


    /dev/fssnap/0
  3. Mount the snapshot.


    global# mount -o ro /dev/fssnap/0 /mnt
    
  4. Back up my-zone from the snapshot.


    global# ufsdump 0f /backup/my-zone.ufsdump /mnt/my-zone
    

    You will see a display similar to the following:


    DUMP: Date of this level 0 dump: Thu Oct 06 15:13:07 2005
    DUMP: Date of last level 0 dump: the epoch
    DUMP: Dumping /dev/rfssnap/0 (pc2:/mnt) to /backup/my-zone.ufsdump.
    DUMP: Mapping (Pass I) [regular files]
    DUMP: Mapping (Pass II) [directories]
    DUMP: Writing 32 Kilobyte records
    DUMP: Estimated 176028 blocks (85.95MB).
    DUMP: Dumping (Pass III) [directories]
    DUMP: Dumping (Pass IV) [regular files]
    DUMP: 175614 blocks (85.75MB) on 1 volume at 2731 KB/sec
    DUMP: DUMP IS DONE
  5. Unmount the snapshot.


    global# umount /mnt
    
  6. Delete the snapshot.


    global# fssnap -d /dev/fssnap/0
    

    Note that the snapshot is also removed from the system when the system is rebooted.

Procedure: How to Use find and cpio to Perform Backups

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Change directories to the root directory.


    global# cd /
    
  3. Back up my-zone files that are not loopback mounted to /backup/my-zone.cpio.


    global# find export/my-zone -fstype lofs -prune -o -local | cpio -oc -O /backup/my-zone.cpio
    
  4. Verify the results.


    global# ls -l backup/my-zone.cpio
    

    You will see a display similar to the following:


    -rwxr-xr-x   1 root     root     99680256 Aug 10 16:13 backup/my-zone.cpio

Procedure: How to Print a Copy of a Zone Configuration

You should create backup files of your non-global zone configurations. You can use the backups to recreate the zones later, if necessary. Create the copy of the zone's configuration after you have logged in to the zone for the first time and have responded to the sysidtool questions. This procedure uses a zone named my-zone and a backup file named my-zone.config to illustrate the process.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Print the configuration for the zone my-zone to a file named my-zone.config.


    global# zonecfg -z my-zone export > my-zone.config
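
The exported file uses the same command syntax as the zonecfg sessions in this chapter, so it can also be reviewed for the settings those procedures change: extra limitpriv privileges, lofs mounts without nodevices or ro, and imported devices. The script below is an added example, not part of the Oracle guide; the function names, the sample file (constructed from commands shown on this page), and the review policy are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): review a zonecfg command file,
# such as one written by "zonecfg -z my-zone export", for settings that widen
# what a non-global zone can do. The review policy is an assumption.

audit_zone_config() {
    # Reads the file named in $1, or standard input when no file is given.
    awk '
    # Remove quotes, list brackets and blanks from a property value.
    function clean(s) {
        gsub(/"/, "", s); gsub(/\[/, "", s); gsub(/\]/, "", s)
        gsub(/[ \t]/, "", s)
        return s
    }
    # Return the text after the first "=" on the line, cleaned.
    function value(line) { sub(/^[^=]*=/, "", line); return clean(line) }

    # Global scope: every privilege beyond the keyword "default" is reported.
    /^[ \t]*set[ \t]+limitpriv=/ {
        n = split(value($0), p, ",")
        for (i = 1; i <= n; i++)
            if (p[i] != "" && p[i] != "default")
                print "limitpriv: extra privilege " p[i]
        next
    }

    # Entering a resource block ("add fs", "add device", "add net", ...).
    /^[ \t]*add[ \t]+[a-z-]+[ \t]*$/ { res = $2; dir = type = ""; opts = ","; next }

    # fs properties; options appear as "add options [a,b]" or "set options=a".
    res == "fs" && /^[ \t]*set[ \t]+dir=/     { dir = value($0); next }
    res == "fs" && /^[ \t]*set[ \t]+type=/    { type = value($0); next }
    res == "fs" && /^[ \t]*set[ \t]+options=/ { opts = opts value($0) ","; next }
    res == "fs" && /^[ \t]*add[ \t]+options[ \t]/ {
        v = $0; sub(/^[ \t]*add[ \t]+options[ \t]*/, "", v)
        opts = opts clean(v) ","
        next
    }

    # Every imported device node is listed so that it can be justified.
    res == "device" && /^[ \t]*set[ \t]+match=/ {
        print "device: " value($0) " is visible inside the zone"
        next
    }

    # Leaving a resource block: judge lofs mounts by their option list.
    /^[ \t]*end[ \t]*$/ {
        if (res == "fs" && type == "lofs") {
            if (index(opts, ",nodevices,") == 0)
                print "fs " dir ": lofs mount without nodevices"
            if (index(opts, ",ro,") == 0)
                print "fs " dir ": lofs mount is writable from the zone"
        }
        res = ""
    }
    ' "$@"
}

# Constructed sample input, assembled from the zonecfg commands on this page.
sample_config() {
    cat <<'EOF'
create -b
set zonepath=/export/home/my-zone
set autoboot=false
set limitpriv="default,dtrace_proc,dtrace_user"
add fs
set dir=/cdrom
set special=/cdrom
set type=lofs
add options [ro,nodevices]
end
add fs
set dir=/usr/local
set special=/storage/local/my-zone
set type=lofs
end
add fs
set dir=/export/home
set special=/export/home
set type=lofs
set options=nodevices
end
add device
set match=/dev/rlofi/1
end
add device
set match=/dev/lofi/1
end
add net
set address=192.168.0.1
set physical=bge0
end
EOF
}

# Stand-alone run: print the findings for the constructed sample.
sample_config | audit_zone_config
```

To review a real export, pass the file name instead, for example `audit_zone_config my-zone.config`.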
    

Restoring a Non-Global Zone

Procedure: How to Restore an Individual Non-Global Zone

You can use the backup files of your non-global zone configurations to restore non-global zones, if necessary. This procedure uses a zone named my-zone and a backup file named my-zone.config to illustrate the process of restoring a zone.

  1. Become superuser, or assume the Primary Administrator role.

    To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

  2. Specify that my-zone.config be used as the zonecfg command file to recreate the zone my-zone.


    global# zonecfg -z my-zone -f my-zone.config
    
  3. Install the zone.


    global# zoneadm -z my-zone install
    
  4. To prevent the system from displaying the sysidtool questions upon initial zone login, delete the file zonepath/root/etc/.UNCONFIGURED, for example:


    global# rm /export/home/my-zone/root/etc/.UNCONFIGURED
    
  5. If you have any zone-specific files to restore, such as application data, manually restore (and possibly hand-merge) files from a backup into the newly created zone's root file system.