Introduction to Oracle® Solaris Zones


Updated: December 2014

Resource Types and Properties

The resource and property types are described as follows:

zonename

The name of the zone. The following rules apply to zone names:

  • Each zone must have a unique name.

  • A zone name is case-sensitive.

  • A zone name must begin with an alphanumeric character.

    The name can contain alphanumeric characters, underbars (_), hyphens (-), and periods (.).

  • The name cannot be longer than 63 characters.

  • The name global is reserved for the global zone.

  • Names beginning with SYS are reserved and cannot be used.
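The naming rules above, encoded as a validator that returns every rule a proposed name breaks. This is an added example, not part of zonecfg; the `existing` argument stands in for the names already configured on the system.

```python
import re

# Validator for the zonename rules listed above (constructed helper, not
# part of zonecfg).  Comparisons are case-sensitive, like zone names.

def zonename_problems(name, existing=()):
    """Return the list of rule violations for a proposed zone name.

    An empty list means the name is acceptable.  `existing` is the set of
    zone names already configured on the system (uniqueness rule).
    """
    problems = []
    if len(name) > 63:
        problems.append("longer than 63 characters")
    if not re.match(r"^[A-Za-z0-9]", name):
        problems.append("must begin with an alphanumeric character")
    # Allowed: alphanumerics, underbar, hyphen and period.
    bad = sorted(set(re.findall(r"[^A-Za-z0-9_.-]", name)))
    if bad:
        problems.append("contains disallowed characters: %s" % "".join(bad))
    if name == "global":
        problems.append("'global' is reserved for the global zone")
    if name.startswith("SYS"):
        problems.append("names beginning with SYS are reserved")
    if name in existing:
        problems.append("a zone with this name already exists")
    return problems


def is_valid_zonename(name, existing=()):
    """True when the name satisfies every zonename rule."""
    return not zonename_problems(name, existing)
```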

zonepath

The zonepath property specifies the path under which the zone will be installed. Each zone has a path to its root directory that is relative to the global zone's root directory. At installation time, the global zone directory is required to have restricted visibility. The zone path must be owned by root with the mode 700. If the zone path does not exist, it will be automatically created during installation. If the permissions are incorrect, they will be automatically corrected.

The non-global zone's root path is one level lower. The zone's root directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. This hierarchy ensures that unprivileged users in the global zone are prevented from traversing a non-global zone's file system.

The zone must reside on a ZFS dataset. The ZFS dataset is created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach.

Path                   Description
/zones/my-zone         zonecfg zonepath
/zones/my-zone/root    Root of the zone

See Traversing File Systems in Creating and Using Oracle Solaris Zones for more information.
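The ownership and mode requirements above (zonepath root-owned with mode 700, its root subdirectory root-owned with mode 755), as an added audit check that reports deviations instead of correcting them the way zoneadm install does. This is example code, not part of zoneadm; `expected_uid` is a parameter so the check can be exercised as a non-root user.

```python
import os
import stat

# Audit the zonepath layout described above (constructed helper, not part of
# zoneadm).  zoneadm corrects these permissions at install time; this only
# reports what differs from the documented layout.

def _check_dir(path, want_mode, label, expected_uid):
    """Return a list of problems with one directory, empty if it is fine."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s %s does not exist" % (label, path)]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s %s is not a directory" % (label, path))
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        problems.append("%s %s has mode %04o, expected %04o"
                        % (label, path, mode, want_mode))
    if st.st_uid != expected_uid:
        problems.append("%s %s is owned by uid %d, expected %d"
                        % (label, path, st.st_uid, expected_uid))
    return problems


def check_zonepath(zonepath, expected_uid=0):
    """Check zonepath (mode 700) and zonepath/root (mode 755).

    Both must be owned by `expected_uid`, which is root (0) on a real
    system.  Returns the list of problems found; empty means compliant.
    """
    problems = _check_dir(zonepath, 0o700, "zonepath", expected_uid)
    problems += _check_dir(os.path.join(zonepath, "root"), 0o755,
                           "zone root", expected_uid)
    return problems
```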

In the zonecfg template property, the default value of zonepath is /system/zones/zonename.


Note - You can move a zone to another location on the same system by specifying a new, full zonepath with the move subcommand of zoneadm. See Moving a Non-Global Zone in Creating and Using Oracle Solaris Zones for instructions.

autoboot

If this property is set to true, the zone is automatically booted when the global zone is booted. It is set to false by default. Note that if the zones service svc:/system/zones:default is disabled, the zone will not automatically boot, regardless of the setting of this property. You can enable the zones service with the svcadm command described in the svcadm(1M) man page:

global# svcadm enable zones

See Zones Packaging Overview in Creating and Using Oracle Solaris Zones for information on this setting during pkg update.

bootargs

This property is used to set a boot argument for the zone. The boot argument is applied unless overridden by the reboot, zoneadm boot, or zoneadm reboot commands. See Zone Boot Arguments.

limitpriv

This property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone in Creating and Using Oracle Solaris Zones.

Privileges are added by specifying the privilege name, with or without the leading priv_. Privileges are excluded by preceding the name with a dash (-) or an exclamation mark (!). The privilege values are separated by commas and placed within quotation marks ("").

As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions. Because zone configuration takes place from the global zone, the special privilege set zone cannot be used. Because a common use is to alter the default privilege set by adding or removing certain privileges, the special set default maps to the default set of privileges. When default appears at the beginning of the limitpriv property, it expands to the default set.

The following entry adds the ability to use DTrace programs that only require the dtrace_proc and dtrace_user privileges in the zone:

global# zonecfg -z userzone
zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"

If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege, an attempt to verify, ready, or boot the zone will fail with an error message.
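The limitpriv syntax described above (comma-separated names with an optional priv_ prefix, - or ! to exclude, the special sets default, basic, all and none, and the rejection of zone), together with the verify-time checks for unknown, missing required and disallowed privileges. This is an added example, not Oracle's priv_str_to_set(3C); the privilege names and the required and disallowed sets are a constructed sample, not the real default set of a zone.

```python
# Constructed sample privilege universe; the real Solaris sets are larger.
SAMPLE_ALL = {
    "proc_fork", "proc_exec", "proc_info", "proc_session", "file_link_any",
    "net_access", "sys_mount", "sys_time", "dtrace_proc", "dtrace_user",
    "sys_config", "sys_res_config",
}
SAMPLE_BASIC = {"proc_fork", "proc_exec", "proc_info", "proc_session",
                "file_link_any", "net_access"}
SAMPLE_DEFAULT = SAMPLE_BASIC | {"sys_mount"}
SAMPLE_REQUIRED = {"proc_fork", "proc_exec"}           # constructed
SAMPLE_DISALLOWED = {"sys_config", "sys_res_config"}   # constructed

SPECIAL_SETS = {"default": SAMPLE_DEFAULT, "basic": SAMPLE_BASIC,
                "all": SAMPLE_ALL, "none": set()}


def expand_limitpriv(spec, known=SAMPLE_ALL):
    """Expand a limitpriv string left to right into a set of privileges.

    Raises ValueError for an unknown privilege or for the special set
    'zone', which cannot be used when configuring from the global zone.
    Names are matched case-insensitively here.
    """
    result = set()
    for raw in spec.strip('"').split(","):
        entry = raw.strip()
        if not entry:
            continue
        remove = entry[0] in "-!"              # '-' or '!' excludes a privilege
        name = entry.lstrip("-!").lower()
        if name.startswith("priv_"):           # leading priv_ is optional
            name = name[len("priv_"):]
        if name == "zone":
            raise ValueError("the special set 'zone' cannot be used in limitpriv")
        if name in SPECIAL_SETS:
            members = SPECIAL_SETS[name]
        elif name in known:
            members = {name}
        else:
            raise ValueError("unknown privilege: %s" % entry)
        result = result - members if remove else result | members
    return result


def verify_limitpriv(spec, required=SAMPLE_REQUIRED, disallowed=SAMPLE_DISALLOWED):
    """Mimic the verify/ready/boot check: list the reasons the set is rejected."""
    try:
        privs = expand_limitpriv(spec)
    except ValueError as exc:
        return [str(exc)]
    errors = ["missing required privilege: %s" % p for p in sorted(required - privs)]
    errors += ["disallowed privilege: %s" % p for p in sorted(privs & disallowed)]
    return errors
```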

scheduling-class

This property sets the scheduling class for the zone. See Scheduling Class for additional information and tips.

ip-type

This property is required to be set for all non-global zones. See Exclusive-IP Non-Global Zones, Shared-IP Non-Global Zones, and How to Configure the Zone in Creating and Using Oracle Solaris Zones.

dedicated-cpu

This resource dedicates a subset of the system's processors to the zone while it is running. The dedicated-cpu resource provides limits for ncpus and, optionally, importance; the ncores, cores, and sockets properties are also available. For more information, see dedicated-cpu Resource.

solaris-kz Only: virtual-cpu

This solaris-kz resource dedicates a subset of the system's processors to the zone while it is running. The virtual-cpu resource provides limits for ncpus. For more information, see solaris-kz Only: virtual-cpu Resource.

capped-cpu

This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running. The capped-cpu resource provides a limit for ncpus. For more information, see capped-cpu Resource.

capped-memory

This resource groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties must be specified. To use the capped-memory resource, the service/resource-cap package must be installed in the global zone.

anet

The anet resource automatically creates a temporary VNIC interface for the exclusive-IP zone when the zone boots and deletes it when the zone halts.

net

The net resource assigns an existing network interface in the global zone to the non-global zone. The network interface resource is the interface name. Each zone can have network interfaces that are set up when the zone transitions from the installed state to the ready state.

dataset

A dataset is a generic term for a file system, volume, or snapshot. Adding a ZFS dataset resource enables the delegation of storage administration to a non-global zone. If the delegated dataset is a file system, the zone administrator can create and destroy file systems within that dataset, and modify properties of the dataset. The zone administrator can create snapshots, child file systems and volumes, and clones of its descendants. If the delegated dataset is a volume, the zone administrator can set properties and create snapshots. The zone administrator cannot affect datasets that have not been added to the zone, nor exceed any top-level quotas set on the dataset assigned to the zone. After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have set the mount point to an unacceptable value.

ZFS datasets can be added to a zone in the following ways.

  • As an lofs-mounted file system, when the goal is solely to share space with the global zone

  • As a delegated dataset

When the zonecfg template property is used and no rootzpool resource is specified, the default zonepath dataset is rootpool/VARSHARE/zones/zonename. The dataset is created by the svc-zones service with the mountpoint /system/zones. The remaining properties are inherited from rootpool/VARSHARE/zones/.

See Chapter 9, Oracle Solaris ZFS Advanced Topics, in Managing ZFS File Systems in Oracle Solaris 11.2, File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones, and the datasets(5) man page.

Also see Chapter 13, Troubleshooting Miscellaneous Oracle Solaris Zones Problems, in Creating and Using Oracle Solaris Zones for information on dataset issues.

fs

Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones.


Note - To use UFS file systems in a non-global zone through the fs resource, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

The quota command documented in quota(1M) cannot be used to retrieve quota information for UFS file systems added through the fs resource.


fs-allowed

Setting this property gives the zone administrator the ability to mount any file system of that type, either created by the zone administrator or imported by using NFS, and administer that file system. File system mounting permissions within a running zone are also restricted by the fs-allowed property. By default, only mounts of hsfs file systems and network file systems, such as NFS, are allowed within a zone.

The property can be used with a block device or ZVOL device delegated into the zone as well.

The fs-allowed property accepts a comma-separated list of additional file systems that can be mounted from within the zone, for example, ufs,pcfs.

zonecfg:my-zone> set fs-allowed=ufs,pcfs

This property does not affect zone mounts administered by the global zone through the add fs or add dataset resources.

For security considerations, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones and Device Use in Non-Global Zones in Creating and Using Oracle Solaris Zones.

device

The zonecfg device resource is used to add virtual disks to a non-global zone's platform. The device resource is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.


Note - To use UFS file systems in a non-global zone through the device resource, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

pool

This property is used to associate the zone with a resource pool on the system. Multiple zones can share the resources of one pool. Also see dedicated-cpu Resource.

rctl

The rctl resource is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.

See Setting Zone-Wide Resource Controls for more information.


Note - To configure zone-wide controls using the set global_property_name subcommand of zonecfg instead of the rctl resource, see How to Configure the Zone in Creating and Using Oracle Solaris Zones.

attr

This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.