Zone Components

This section covers the required and optional zone components that can be configured. Only the zone name and zone path are required. Additional information is provided in Zone Configuration Data.

Zone Name and Path

You must choose a name and a path for your zone. The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that the parent directory of the zone path must also be a dataset.

Zone Autoboot

The autoboot property setting determines whether the zone is automatically booted when the global zone is booted. The zones service, svc:/system/zones:default must also be enabled.

Also note that if the zone is set autoboot=true, then this setting should be changed to autoboot=false when a pkg image-update is performed. See Zones Packaging Overview. Once the new BE is booted and the zones are synced up to the global zone, then autoboot can be turned back on (reset to true).

`admin` Resource

The admin setting allows you to set zone administration authorization. The preferred method for defining authorizations is through the zonecfg command.

user

Specify the user name.

auths

Specify the authorizations for the user name.

solaris.zone.login: If role-based access control (RBAC) is in use, the authorization solaris.zone.login/zonenameis required for interactive logins. Password authentication takes place in the zone.
solaris.zone.manage: If RBAC is in use, for non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.
solaris.zone.clonefrom: If RBAC is in use, subcommands that make a copy of another zone require the authorization, solaris.zone.clonefrom/source_zone.

Resource Pool Association

If you have configured resource pools on your system as described in Chapter 13, Creating and Administering Resource Pools (Tasks), you can use the pool property to associate the zone with one of the resource pools when you configure the zone.

If you do not have resource pools configured, you can still specify that a subset of the system's processors be dedicated to a non-global zone while it is running by using the dedicated-cpu resource. The system will dynamically create a temporary pool for use while the zone is running. With specification through zonecfg, pool settings propagate during migrations.

Note - A zone configuration using a persistent pool set through the pool property is incompatible with a temporary pool configured through the dedicated-cpu resource. You can set only one of these two properties.

`dedicated-cpu` Resource

The dedicated-cpu resource specifies that a subset of the system's processors should be dedicated to a non-global zone while it is running. When the zone boots, the system will dynamically create a temporary pool for use while the zone is running.

With specification in zonecfg, pool settings propagate during migrations.

The dedicated-cpu resource sets limits for ncpus, and optionally, importance.

ncpus

Specify the number of CPUs or specify a range, such as 2–4 CPUs. If you specify a range because you want dynamic resource pool behavior, also do the following:

Set the importance property.
Enable the poold service. For instructions, see How to Enable the Dynamic Resource Pools Service Using svcadm.

importance

If you are using a CPU range to achieve dynamic behavior, also set the importance property, The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, then importance is ignored. If poold is running and importance is not set, importance defaults to 1. For more information, see pool.importance Property Constraint.

Note - The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl and the dedicated-cpu resource are incompatible.

`capped-cpu` Resource

The capped-cpu resource provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone. When used in conjunction with processor sets, CPU caps limit CPU usage within a set. The capped-cpu resource has a single ncpus property that is a positive decimal with two digits to the right of the decimal. This property corresponds to units of CPUs. The resource does not accept a range. The resource does accept a decimal number. When specifying ncpus, a value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system.

Note - The capped-cpu resource and the dedicated-cpu resource are incompatible.

Scheduling Class

You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among zones, based on their importance. This importance is expressed by the number of shares of CPU resources that you assign to each zone. Even if you are not using FSS to manage CPU resource allocation between zones, you can set the zone's scheduling-class to use FSS so that you can set shares on projects within the zone.

When you explicitly set the cpu-shares property, the fair share scheduler (FSS) will be used as the scheduling class for that zone. However, the preferred way to use FSS in this case is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources. If cpu-shares is not set for a zone, the zone will use the system default scheduling class. The following actions set the scheduling class for a zone:

You can use the scheduling-class property in zonecfg to set the scheduling class for the zone.
You can set the scheduling class for a zone through the resource pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running in the zone run in that scheduling class by default. See Introduction to Resource Pools and How to Associate a Pool With a Scheduling Class.
If the cpu-shares rctl is set and FSS has not been set as the scheduling class for the zone through another action, zoneadmd sets the scheduling class to FSS when the zone boots.
If the scheduling class is not set through any other action, the zone inherits the system default scheduling class.

Note that you can use the priocntl described in the priocntl(1) man page to move running processes into a different scheduling class without changing the default scheduling class and rebooting.

Physical Memory Control and the `capped-memory` Resource

The capped-memory resource sets limits for physical, swap, and locked memory. Each limit is optional, but at least one must be set.

Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.
The swap property of the capped-memory resource is the preferred way to set the zone.max-swap resource control.
The locked property of the capped-memory resource is the preferred way to set the zone.max-locked-memory resource control.

Note - Applications generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone's applications are known to lock memory. If zone trust is a concern, you can also consider setting the locked memory cap to 10 percent of the system's physical memory, or 10 percent of the zone's physical memory cap.

For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone. To temporarily set a resource cap for a zone, see How to Specify a Temporary Resource Cap for a Zone.

Zone Network Interfaces

Zone network interfaces configured by the zonecfg command to provide network connectivity will automatically be set up and placed in the zone when it is booted.

The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.

There are two IP types available for non-global zones, shared-IP and exclusive-IP. The shared-IP zone shares a network interface and the exclusive-IP zone must have a dedicated network interface.

For information about IP features in each type, see Networking in Shared-IP Non-Global Zones and Networking in Exclusive-IP Non-Global Zones.

Note - The link protection feature described in Chapter 18, Using Link Protection in Virtualized Environments, in System Administration Guide: Network Interfaces and Network Virtualization can be used on a system running zones. This feature is configured in the global zone.

About Data-Links

A data-link is an interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. Data-links are physical interfaces e1000g0, bge3 (as NICs), aggr1, aggr2 (as aggregations), or e1000g123000, bge234003 (as VLAN 123 on e1000g0 and VLAN 234 on bge3, respectively). physical interfaces (e.g. e1000g0, bge1), aggregations (aggr3), or VLAN-tagged interfaces (e1000g111000 (VLAN tag 111 on e1000g0), bge111001, aggr111003). A data-link may also be referred to as a physical interface, such as when referring to a Network Interface Card (NIC). The data-link is the physical property configured with the zone configuration tool zonecfg(1M). The physical property can be a VNIC, as described in Part IV, Network Virtualization and Resource Management, in System Administration Guide: Network Interfaces and Network Virtualization.

Data-links are e1000g0, bge3 (as NICs), aggr1, aggr2 (as aggregations), or e1000g123000, bge234003 (as VLAN 123 on e1000g0 and VLAN 234 on bge3, respectively).

Shared-IP Non-Global Zones

The shared-IP zone is the default type. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:

The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.
You do not want the other capabilities that the exclusive-IP zone provides.

Shared-IP zones are assigned one or more IP addresses using the zonecfg command. The data-link names must also be configured in the global zone.

In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.

These addresses are associated with logical network interfaces. The ifconfig command can be used from the global zone to add or remove logical interfaces in a running zone. For more information, see Shared-IP Network Interfaces.

Exclusive-IP Non-Global Zones

Full IP-level functionality is available in an exclusive-IP zone.

An exclusive-IP zone has its own IP-related state.

This includes the ability to use the following features in an exclusive-IP zone:

DHCPv4 and IPv6 stateless address autoconfiguration
IP Filter, including network address translation (NAT) functionality
IP Network Multipathing (IPMP)
IP routing
ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security association

Query — add VNIC, (vdb1) net;set physical=vdb1;endAn exclusive-IP zone is assigned its own set of data-links using the zonecfg command. The zone is given a data-link name such as xge0, e1000g1, or bge32001, using the physical property of the net resource. The physical property can be a VNIC, as described in Part IV, Network Virtualization and Resource Management, in System Administration Guide: Network Interfaces and Network Virtualization. The address property of the net resource is not set.

The defrouter and the allowed-addresses properties of the net resource can optionally be set. Setting allowed-addresses allows only those addresses to be configured by the non-global zone. Data-link protection is enabled with the allowed-addresses property. When the non-global zone is booted:

The IP interfaces are automatically created and configured.
The default route is configured.

Note that the assigned data-link enables the snoop command to be used.

The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Administering Data-Links in Exclusive-IP Non-Global Zones for usage examples.

Inside a running exclusive-IP zone, the ifconfig command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as for the global zone, by using the sysidtools described in sysidcfg(4).

Note - The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command. An example follows.

global# zlogin zone1 ifconfig -a

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.

For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the superuser or user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone.

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.

File Systems Mounted in Zones

Generally, the file systems mounted in a zone include the following:

The set of file systems mounted when the virtual platform is initialized
The set of file systems mounted from within the application environment itself

This can include, for example, the following file systems:

File systems specified in a zone's /etc/vfstab file
Moved to SMF. Use sharectl(1M) to manage NFS properties. Get SMF replacement ?

AutoFS and AutoFS-triggered mounts

Mounts explicitly performed by a zone administrator

File system mounting permissions within a running zone are also defined by the zonecfg fs-allowed property. This property does not apply to file systems mounted into the zone by using the zonecfg add fs or add dataset resources. By default, only mounts of hsfs file systems, and network file systems such as NFS, are allowed within a zone.

Caution - Certain restrictions are placed on mounts other than the defaults performed from within the application environment. These restrictions prevent the zone administrator from denying service to the rest of the system, or otherwise negatively impacting other zones.

There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones for more information.

Host ID in Zones

You can set a hostid property for the non-global zone that is different from the hostid of the global zone. This would be done, for example, in the case of a machine migrated into a zone on another system. Applications now inside the zone might depend on the original hostid. See Resource and Property Types for more information.

Configured Devices in Zones

The zonecfg command uses a rule-matching system to specify which devices should appear in a particular zone. Devices matching one of the rules are included in the zone's /dev file system. For more information, see How to Configure the Zone.

Disk Format Support in Non-Global Zones

Safe delegation of slices and disks to zones is enabled by using the limitpriv property described in Resource and Property Types:

Delegation is only supported for ipkg zones
Disks must use the sd target as shown by using the prtconf command with the -D option.
If just a slice is being delegated, the following limitpriv must be set through the zonecfg utility:

zonecfg:my-zone> set limitpriv="default,-storage_config"
Raw, unsafe, SCSI access may be allowed by adding the storage_raw privilege.

Setting Zone-Wide Resource Controls

The global administrator or a user with appropriate authorizations can set privileged zone-wide resource controls for a zone. Zone-wide resource controls limit the total resource usage of all process entities within a zone.

These limits are specified for both the global and non-global zones by using the zonecfg command. See How to Configure the Zone.

The preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource.

The zone.cpu-cap resource control sets an absolute limit on the amount of CPU resources that can be consumed by a zone. A value of 100 means 100 percent of one CPU as the project.cpu-cap setting. A value of 125 is 125 percent, because 100 percent corresponds to one full CPU on the system when using CPU caps.

Note - When setting the capped-cpu resource, you can use a decimal number for the unit. The value correlates to the zone.capped-cpu resource control, but the setting is scaled down by 100. A setting of 1 is equivalent to a setting of 100 for the resource control.

The zone.cpu-shares resource control sets a limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to the zone, and then further subdivided among projects within the zone as specified in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on an Oracle Solaris System With Zones Installed. The global property name for this control is cpu-shares.

The zone.max-locked-memory resource control limits the amount of locked physical memory available to a zone The allocation of the locked memory resource across projects within the zone can be controlled by using the project.max-locked-memory resource control. See Table 6-1 for more information.

The zone.max-lofi resource control limits the number of potential lofi devices that can be created by a zone.

The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in one zone from affecting other zones. The allocation of the LWP resource across projects within the zone can be controlled by using the project.max-lwps resource control. See Table 6-1 for more information. The global property name for this control is max-lwps.

The zone.max-processes resource control enhances resource isolation by preventing a zone from using too many process table slots and thus affecting other zones. The allocation of the process table slots resource across projects within the zone can be set by using the project.max-processes resource control described in Available Resource Controls. The global property name for this control is max-processes. The zone.max-processes resource control can also encompass the zone.max-lwps resource control. If zone.max-processes is set and zone.max-lwps is not set, then zone.max-lwps is implicitly set to 10 times the zone.max-processes value when the zone is booted. Note that because both normal processes and zombie processes take up process table slots, the max-processes control thus protects against zombies exhausting the process table. Because zombie processes do not have any LWPs by definition, the max-lwps cannot protect against this possibility.

The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by all processes within a zone. The allocation of System V resources across projects within the zone can be controlled by using the project versions of these resource controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.

The zone.max-swap resource control limits swap consumed by user process address space mappings and tmpfs mounts within a zone. The output of prstat -Z displays a SWAP column. The swap reported is the total swap consumed by the zone's processes and tmpfs mounts. This value assists in monitoring the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting.

Table 16-1 Zone-Wide Resource Controls

Control Name	Global Property Name	Description	Default Unit	Value Used For
`zone.cpu-cap`		Absolute limit on the amount of CPU resources for this zone	Quantity (number of CPUs), expressed as a percentage Note - When setting as the `capped-cpu` resource, you can use a decimal number for the unit.
`zone.cpu-shares`	`cpu-shares`	Number of fair share scheduler (FSS) CPU shares for this zone	Quantity (shares)
`zone.max-locked-memory`		Total amount of physical locked memory available to a zone. If `priv_proc_lock_memory` is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory.	Size (bytes)	`locked` property of `capped-memory`
`zone.max-lofi`	`max-lofi`	Limit on the number of potential `lofi` devices that can be created by a zone	Quantity (number of `lofi` devices)
`zone.max-lwps`	`max-lwps`	Maximum number of LWPs simultaneously available to this zone	Quantity (LWPs)
`zone.max-msg-ids`	`max-msg-ids`	Maximum number of message queue IDs allowed for this zone	Quantity (message queue IDs)
`zone.max-processes`	`max-processes`	Maximum number of process table slots simultaneously available to this zone	Quantity (process table slots)
`zone.max-sem-ids`	`max-sem-ids`	Maximum number of semaphore IDs allowed for this zone	Quantity (semaphore IDs)
`zone.max-shm-ids`	`max-shm-ids`	Maximum number of shared memory IDs allowed for this zone	Quantity (shared memory IDs)
`zone.max-shm-memory`	`max-shm-memory`	Total amount of System V shared memory allowed for this zone	Size (bytes)
`zone.max-swap`		Total amount of swap that can be consumed by user process address space mappings and `tmpfs` mounts for this zone.	Size (bytes)	`swap` property of `capped-memory`

These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted.

Configurable Privileges

When a zone is booted, a default set of safe privileges is included in the configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:

Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.
Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.

Note - There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.

For more information, see Privileges in a Non-Global Zone, How to Configure the Zone, and privileges(5).

Including a Comment for a Zone

You can add a comment for a zone by using the attr resource type. For more information, see How to Configure the Zone.

Skip Navigation Links
Exit Print View
	System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management Oracle Solaris 11 Express 11/10