
Oracle® Solaris Zones Configuration Resources


Updated: October 2017
 
 

Zone Configuration Data

Zone configuration data consists of two kinds of entities: resources and properties. Each resource has a type, and each resource can also have a set of one or more properties. The properties have names and values. The set of properties is dependent on the resource type.

Resource Types and Properties

The resource and property types are described as follows:

anet

The anet resource automatically creates a temporary VNIC interface for the exclusive-IP zone when the zone boots. The VNIC is deleted when the zone halts.

attr

This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.

autoboot

If this property is set to true, the zone is automatically booted when the global zone is booted. It is set to false by default. Note that if the zones service svc:/system/zones:default is disabled, the zone will not automatically boot, regardless of the setting of this property. You can enable the zones service with the svcadm command described in the svcadm(1M) man page:

global# svcadm enable zones

See Zones Packaging Overview in Creating and Using Oracle Solaris Zones for information on this setting during pkg update.

autoshutdown

Global scope. The action to take for this zone upon clean shutdown of the global zone. The value can be shutdown (a clean zone shutdown; the default), halt, or suspend.

bootargs

This property is used to set a boot argument for the zone. The boot argument is applied unless overridden by the reboot, zoneadm boot, or zoneadm reboot commands. See Zone Boot Arguments.

capped-cpu

This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running. The capped-cpu resource provides a limit for ncpus. For more information, see capped-cpu Zone Resource.

capped-memory

This resource groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties must be specified. To use the capped-memory resource, the service/resource-cap package must be installed in the global zone.

solaris and solaris10 Only: dataset

The only dataset type that should be used with a dataset resource is a ZFS file system. Add a ZFS dataset resource to enable the delegation of storage administration to a non-global zone. The zone administrator can create and destroy file systems within that dataset, and modify properties of the dataset. The zone administrator can create child file systems and clones of its descendants. The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone. After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have to set the mount point to an unacceptable value.

ZFS datasets can be added to a zone in the following ways.

  • As an lofs mounted file system, when the goal is solely to share space with the global zone

  • As a delegated dataset

When the zonecfg template property is used, if a rootzpool resource is not specified, the default zonepath dataset is rootpool/VARSHARE/zones/zonename. The dataset is created by the svc-zones service with a mountpoint /system/zones. The remaining properties are inherited from rootpool/VARSHARE/zones/.

See Chapter 9, Oracle Solaris ZFS Advanced Topics in Managing ZFS File Systems in Oracle Solaris 11.2, File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones and the datasets(5) man page.

Also see Chapter 12, Troubleshooting Miscellaneous Oracle Solaris Zones Problems in Creating and Using Oracle Solaris Zones for information on dataset issues.


Note -  Use the device resource instead of the dataset resource in kernel zones.

dedicated-cpu

This resource dedicates a subset of the system's processors to the zone while it is running. The dedicated-cpu resource provides limits for ncpus and, optionally, importance, ncores, cores, and sockets. For more information, see dedicated-cpu Zone Resource.

device

The zonecfg device resource is used to add virtual disks to a non-global zone's platform. The device resource is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.


Note -  To use UFS file systems in a non-global zone through the device resource, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

fs

Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones.


Note -  To use UFS file systems in a non-global zone through the fs resource, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

The quota command documented in quota(1M) cannot be used to retrieve quota information for UFS file systems added through the fs resource.


solaris and solaris10 Only: fs-allowed

Setting this property gives the zone administrator the ability to mount any file system of that type, either created by the zone administrator or imported by using NFS, and administer that file system. File system mounting permissions within a running zone are also restricted by the fs-allowed property. By default, only mounts of hsfs file systems and network file systems, such as NFS, are allowed within a zone.

The property can be used with a block device delegated into the zone as well.

The fs-allowed property accepts a comma-separated list of additional file systems that can be mounted from within the zone, for example, ufs,pcfs.

zonecfg:my-zone> set fs-allowed=ufs,pcfs

This property does not affect zone mounts administered by the global zone through the add fs or add dataset properties.

For security considerations, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones and Device Use in Non-Global Zones in Creating and Using Oracle Solaris Zones.

solaris-kz Only: ib-vhca

The ib-vhca resource automatically creates a temporary virtual InfiniBand HCA device for an exclusive-IP zone when the zone boots. The device is deleted when the zone halts.

Also see Managing Network Virtualization and Network Resources in Oracle Solaris 11.3.

ip-type

This property is required to be set for all non-global zones. See Exclusive-IP Non-Global Zones, Shared-IP Non-Global Zones, and How to Configure the Zone in Creating and Using Oracle Solaris Zones.

limitpriv

This property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone in Creating and Using Oracle Solaris Zones.

Privileges are added by specifying the privilege name, with or without the leading priv_. Privileges are excluded by preceding the name with a dash (-) or an exclamation mark (!). The privilege values are separated by commas and placed within quotation marks (" ").

As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions. Because zone configuration takes place from the global zone, the special privilege set zone cannot be used. Because a common use is to alter the default privilege set by adding or removing certain privileges, the special set default maps to the default set of privileges. When default appears at the beginning of the limitpriv property, it expands to the default set.

The following entry adds the ability to use DTrace programs that only require the dtrace_proc and dtrace_user privileges in the zone:

global# zonecfg -z userzone
zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"

The following entry allows you to examine and modify the resource controls associated with an active process, task, or project on the system by using the priocntl command:

global# zonecfg -z userzone
zonecfg:userzone> set limitpriv="default,proc_priocntl"

If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege, an attempt to verify, ready, or boot the zone will fail with an error message.
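The limitpriv syntax described above can be reviewed offline before a zone is verified or booted. The following is an added example, not Oracle code: it splits a limitpriv value into its base set, added privileges, and removed privileges, and lists every zone that widens its set. The function names and the sample zones other than userzone are constructed for illustration.

```python
# Added example: review limitpriv values for privileges beyond the base set.
# It checks syntax only; it does not know which privileges Solaris accepts.
SPECIAL_SETS = ("none", "all", "basic", "default")


def parse_limitpriv(value):
    """Split a limitpriv value into base set, added and removed privileges."""
    parsed = {"base": None, "added": [], "removed": [], "errors": []}
    tokens = [t.strip() for t in value.strip().strip('"').split(",")]
    for pos, raw in enumerate(tokens):
        negated = raw[:1] in ("-", "!")          # exclusion markers
        name = raw[1:] if negated else raw
        if name.startswith("priv_"):             # leading priv_ is optional
            name = name[len("priv_"):]
        if not name:
            parsed["errors"].append("empty entry at position %d" % pos)
        elif name == "zone":
            parsed["errors"].append(
                "special set 'zone' cannot be used from the global zone")
        elif name == "default" and (pos != 0 or negated):
            parsed["errors"].append(
                "'default' expands only at the beginning of the value")
        elif name in SPECIAL_SETS and pos == 0 and not negated:
            parsed["base"] = name
        elif negated:
            parsed["removed"].append(name)
        else:
            # Includes special set names that are not the first entry.
            parsed["added"].append(name)
    return parsed


def review_zones(zone_limitpriv):
    """Return {zone: [notes]} for zones whose value needs a reviewer's eye."""
    findings = {}
    for zone in sorted(zone_limitpriv):
        parsed = parse_limitpriv(zone_limitpriv[zone])
        notes = list(parsed["errors"])
        if parsed["base"] == "all":
            notes.append("base set is 'all'")
        notes.extend("adds " + name for name in parsed["added"])
        if notes:
            findings[zone] = notes
    return findings


# Constructed sample input. Only the userzone value and the proc_priocntl
# value come from the examples on this page; the zone names are made up.
SAMPLE_ZONES = {
    "userzone": '"default,dtrace_proc,dtrace_user"',
    "tunezone": '"default,proc_priocntl"',
    "plainzone": '"default"',
    "badzone": '"basic,default,zone"',
}

if __name__ == "__main__":
    for zone, notes in review_zones(SAMPLE_ZONES).items():
        for note in notes:
            print("%s: %s" % (zone, note))
```
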

net

The net resource assigns an existing network interface in the global zone to the non-global zone. The network interface resource is the interface name. Each zone can have network interfaces that are set up when the zone transitions from the installed state to the ready state.

npiv

Provide N_Port_ID Virtualization (NPIV) support in Oracle Solaris Zones.

pool

This resource is used to associate the zone with a resource pool on the system. Multiple zones can share the resources of one pool. Also see dedicated-cpu Zone Resource.

rctl

The rctl resource is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.

See Setting Zone-Wide Resource Controls for more information.


Note -  To configure zone-wide controls using the set global_property_name subcommand of zonecfg instead of the rctl resource, see How to Configure the Zone in Creating and Using Oracle Solaris Zones.

scheduling-class

This property sets the scheduling class for the zone. See Scheduling Class for additional information and tips.

solaris-kz Only: virtual-cpu

This solaris-kz resource dedicates a subset of the system's processors to the zone while it is running. The virtual-cpu resource provides limits for ncpus. For more information, see solaris-kz Only: virtual-cpu Resource.

zonename

The name of the zone. The following rules apply to zone names:

  • Each zone must have a unique name.

  • A zone name is case-sensitive.

  • A zone name must begin with an alphanumeric character.

    The name can contain alphanumeric characters, underscores (_), hyphens (-), and periods (.).

  • The name cannot be longer than 63 characters.

  • The name global is reserved for the global zone.

  • Names beginning with SYS are reserved and cannot be used.

zonepath

In zones created with the zonecfg template property, the default value of zonepath is /system/zones/zonename.

If specified, the zonepath property provides the path under which the zone will be installed. Each zone has a path to its root directory that is relative to the global zone's root directory. At installation time, the global zone directory is required to have restricted visibility. The zone path is owned by root with the mode 700. If the zone path does not exist, it will be automatically created during installation. If the permissions are incorrect, they will be automatically corrected.

The non-global zone's root path is one level lower. The zone's root directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. This hierarchy ensures that unprivileged users in the global zone are prevented from traversing a non-global zone's file system.

The zone must reside on a ZFS dataset. The ZFS dataset is created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach.

Path                          Description
/system/zones/my-zone         zonecfg zonepath
/system/zones/my-zone/root    Root of the zone

See Traversing File Systems in Creating and Using Oracle Solaris Zones for more information.
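The ownership and mode requirements above can be checked for drift from the global zone. The following is an added example, not Oracle code: it reports any deviation from mode 700 on the zonepath and mode 755 on the zone root, both owned by root. The function names are constructed, and the want_uid parameter exists only so the check can be exercised on a scratch directory by a non-root user.

```python
# Added example: audit a zonepath and its root directory for the
# ownership and modes this page requires (700 on zonepath, 755 on root).
import os
import stat
import sys


def check_dir(path, want_mode, want_uid=0):
    """Return a list of problems found for one directory."""
    try:
        # lstat: a symbolic link is reported rather than followed
        # (a choice made for this example).
        st = os.lstat(path)
    except OSError as exc:
        return ["%s: cannot stat (%s)" % (path, exc.strerror)]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        problems.append("%s: mode %03o, expected %03o"
                        % (path, mode, want_mode))
    if st.st_uid != want_uid:
        problems.append("%s: owner uid %d, expected %d"
                        % (path, st.st_uid, want_uid))
    return problems


def audit_zonepath(zonepath, want_uid=0):
    """Check zonepath (700) and zonepath/root (755); return all problems."""
    problems = check_dir(zonepath, 0o700, want_uid)
    problems += check_dir(os.path.join(zonepath, "root"), 0o755, want_uid)
    return problems


if __name__ == "__main__":
    # Usage: pass one or more zonepaths, for example /system/zones/my-zone
    failed = False
    for zonepath in sys.argv[1:]:
        for problem in audit_zonepath(zonepath):
            print(problem)
            failed = True
    sys.exit(1 if failed else 0)
```
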

In the zonecfg template property, the default value of zonepath is /system/zones/zonename.


Note -  You can move a zone to another location on the same system by specifying a new, full zonepath with the move subcommand of zoneadm. See Moving a Non-Global Zone in Creating and Using Oracle Solaris Zones for instructions.

Resource Type Properties

Resources also have properties to configure. The following properties are associated with the resource types shown.

admin

Define the user name and the authorizations for that user for a given zone.

zonecfg:my-zone> add admin
zonecfg:my-zone:admin> set user=zadmin
zonecfg:my-zone:admin> set auths=login,manage
zonecfg:my-zone:admin> end

The following values can be used for the auths property:

  • clone (solaris.zone.clonefrom)

  • config (solaris.zone.config)

  • config (solaris.zone.liveconfig)

  • login (solaris.zone.login)

  • manage (solaris.zone.manage)

Note that these auths do not allow you to create a zone. This capability is included in the Zone Security profile.

anet

linkname, lower-link, allowed-address, allowed-mac-address, allowed-vlan-ids, auto-mac-address, configure-allowed-address, defrouter, linkmode (IPoIB), mac-address (non-IPoIB), mac-slot (non-IPoIB), mac-prefix (non-IPoIB), mtu, maxbw, pkey (IPoIB), priority, vlan-id (non-IPoIB), rxfanout, rxrings, txrings, link-protection, allowed-dhcp-cids

For information about additional anet properties, see the zonecfg(1M) man page.

solaris-kz Only: In addition to static configuration of anet MAC addresses and VLAN IDs, there is dynamic MAC address and VLAN ID configuration. A zone can push the MAC address and VLAN ID it requires to the host, and VNIC creation succeeds in this address.


Note -  Dynamic configuration cannot be used on single root I/O-based anet configurations, which have the iov property set to on.

To determine which MAC prefixes and VLAN IDs are allowed, use the dladm show-phys command with the -o option:

# dladm show-phys -o link,media,device,allowed-addresses,allowed-vids
LINK   MEDIA       DEVICE   ALLOWED-ADDRESSES   ALLOWED-VIDS
net0   Ethernet    zvnet0   fa:16:3f,           100-199,
                            fa:80:20:21:22      400-498,500

  • The anet mac allowed-mac-address property provides a set of MAC address prefixes. A kernel zone can create a VNIC with a MAC address that is one of the MAC address prefixes in the allowed-mac-address list. These prefixes can be 1 to 5 octets in length.

    zonecfg:kz1> add anet
    zonecfg:kz1:anet> add mac
    zonecfg:kz1:anet:mac> add allowed-mac-address fa:16:3f
    zonecfg:kz1:anet:mac> add allowed-mac-address fa:80:20:21:22
    zonecfg:kz1:anet:mac> end
    zonecfg:kz1:anet> end

    The allowed-mac-address property does not affect the mac-address property. The allowed-mac-address property controls the additional MAC addresses for the anet resource.

    You can also use the special keyword any to match any MAC address.

  • The anet vlan allowed-vlan-ids property specifies the range of VLAN IDs that can be dynamically configured for that anet. Setting allowed-vlan-ids to the special keyword any allows the zone to use any valid VLAN ID.

    zonecfg:kz1> add anet
    zonecfg:kz1:anet> add vlan
    zonecfg:kz1:anet:vlan> add allowed-vlan-ids 100-199
    zonecfg:kz1:anet:vlan> add allowed-vlan-ids 400-498
    zonecfg:kz1:anet:vlan> add allowed-vlan-ids 500
    zonecfg:kz1:anet:vlan> end
    zonecfg:kz1:anet> end

    The allowed-vlan-ids property does not affect the anet vlan-id property. The allowed-vlan-ids property only controls the additional VLAN IDs for the anet resource.
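To see what a given pair of allowed-mac-address and allowed-vlan-ids lists actually permits, the matching rules above can be modelled directly. The following is an added example, not Oracle code and not how the system implements the check: it treats each allowed-mac-address entry as a leading-octet prefix and each allowed-vlan-ids entry as a single ID or an inclusive range, using the values from the configuration above. The function names and the sample requests are constructed, and "any valid VLAN ID" is taken to mean 1 to 4094.

```python
# Added example: model which dynamically requested MAC addresses and VLAN IDs
# fall inside an anet's allowed-mac-address / allowed-vlan-ids lists.
HEX_DIGITS = "0123456789abcdef"
VALID_VLAN = range(1, 4095)   # assumption: valid 802.1Q VLAN IDs are 1-4094


def parse_octets(text):
    """Turn 'fa:16:3f' into [0xfa, 0x16, 0x3f]; reject malformed octets."""
    octets = []
    for part in text.lower().split(":"):
        if not 1 <= len(part) <= 2 or any(c not in HEX_DIGITS for c in part):
            raise ValueError("bad MAC octet %r in %r" % (part, text))
        octets.append(int(part, 16))
    return octets


def mac_allowed(mac, allowed_prefixes):
    """True if mac starts with one of the prefixes or 'any' is listed."""
    addr = parse_octets(mac)
    if len(addr) != 6:
        raise ValueError("MAC address needs 6 octets: %r" % mac)
    for prefix in allowed_prefixes:
        if prefix == "any":
            return True
        want = parse_octets(prefix)
        if not 1 <= len(want) <= 5:      # prefixes are 1 to 5 octets long
            raise ValueError("prefix must be 1 to 5 octets: %r" % prefix)
        if addr[:len(want)] == want:
            return True
    return False


def vlan_allowed(vlan_id, allowed_ids):
    """True if vlan_id is inside any listed ID or range, or 'any' is listed."""
    if vlan_id not in VALID_VLAN:
        return False
    for entry in allowed_ids:
        if entry == "any":
            return True
        low, dash, high = entry.partition("-")
        low = int(low)
        high = int(high) if dash else low
        if low <= vlan_id <= high:
            return True
    return False


def evaluate(requests, allowed_prefixes, allowed_ids):
    """Return (mac, vlan_id, verdict) for each requested pair."""
    verdicts = []
    for mac, vlan_id in requests:
        denied = []
        if not mac_allowed(mac, allowed_prefixes):
            denied.append("mac")
        if not vlan_allowed(vlan_id, allowed_ids):
            denied.append("vlan")
        verdict = "allow" if not denied else "deny:" + "+".join(denied)
        verdicts.append((mac, vlan_id, verdict))
    return verdicts


# Values from the zonecfg example on this page.
ALLOWED_MAC_PREFIXES = ["fa:16:3f", "fa:80:20:21:22"]
ALLOWED_VLAN_IDS = ["100-199", "400-498", "500"]

# Constructed requests, as a kernel zone might push them to the host.
SAMPLE_REQUESTS = [
    ("fa:16:3f:01:02:03", 150),
    ("fa:80:20:21:22:99", 500),
    ("fa:80:20:21:23:01", 100),   # fifth octet differs from the prefix
    ("fa:16:3f:aa:bb:cc", 499),   # 499 falls between 400-498 and 500
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS, ALLOWED_MAC_PREFIXES, ALLOWED_VLAN_IDS):
        print("%s vlan %d -> %s" % row)
```
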

solaris-kz Only: You can create and administer single root I/O (SR-IOV) NIC virtual functions (VF) on kernel zones by using the zonecfg anet resource iov property. Do not set the iov property to auto or on if any of the following properties are set:

  • allowed-address

  • allowed-dhcp-cids

  • configure-allowed-address

  • cos

  • defrouter

  • etsbw-lcl

  • evs

  • link-protection

  • maxbw

  • mtu

  • priority

  • rxfanout

  • rxrings

  • txrings

  • vlan-id

  • vport

  • vsi-mgrid

  • vsi-typeid

  • vsi-vers

If the iov property is already set to auto or on, then setting any of these properties fails.

For examples and more information, see Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and the zonecfg(1M) man page.


Note -  For kernel zone warm migrations, suspend and resume operations are not supported if the zonecfg iov property is set to auto or on. For further information on kernel zone suspend and resume operations, see Configuring the suspend Resource in Creating and Using Oracle Solaris Kernel Zones and Using Warm Migration to Migrate a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.

solaris Only: Do not set the following anet properties for IPoIB data-links in zonecfg.

  • mac-address

  • mac-prefix

  • mac-slot

  • vlan-id

Do not set the following anet properties for non-IPoIB data-links in zonecfg.

  • linkmode

  • pkey

Set only the following properties for an EVS anet resource:

  • linkname

  • evs

  • vport

  • configure-allowed-address

The anet resource creates an automatic VNIC interface or an IPoIB interface when the zone boots, and deletes the VNIC or IPoIB interface when the zone halts. Note that the solaris-kz brand does not support IPoIB. The resource properties are managed through the zonecfg command. See the zonecfg(1M) man page for the complete text on properties available.
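The property restrictions listed above (iov, IPoIB, non-IPoIB, and EVS) lend themselves to a pre-commit check on a planned anet resource. The following is an added example, not Oracle code: it takes the properties that would be set on one anet resource and returns every rule from this page that the combination breaks. The function name, the ipoib and brand parameters, and the sample configurations are constructed; whether the lower link is IPoIB must be supplied by the caller.

```python
# Added example: lint one anet resource against the property rules on this page.
IOV_EXCLUDED = {
    "allowed-address", "allowed-dhcp-cids", "configure-allowed-address",
    "cos", "defrouter", "etsbw-lcl", "evs", "link-protection", "maxbw",
    "mtu", "priority", "rxfanout", "rxrings", "txrings", "vlan-id",
    "vport", "vsi-mgrid", "vsi-typeid", "vsi-vers",
}
IPOIB_FORBIDDEN = {"mac-address", "mac-prefix", "mac-slot", "vlan-id"}
NON_IPOIB_FORBIDDEN = {"linkmode", "pkey"}
EVS_ALLOWED = {"linkname", "evs", "vport", "configure-allowed-address"}


def lint_anet(props, ipoib=False, brand="solaris"):
    """Return a list of rule violations for one anet resource.

    props: {property name: value} for the properties that would be set.
    ipoib: True if the lower link is an IPoIB data-link (caller supplies this).
    brand: zone brand, for example "solaris" or "solaris-kz".
    """
    present = {name for name, value in props.items() if value not in (None, "")}
    issues = []

    iov = props.get("iov")
    if iov in ("auto", "on"):
        for name in sorted(present & IOV_EXCLUDED):
            issues.append("iov=%s cannot be combined with %s" % (iov, name))

    if ipoib:
        if brand == "solaris-kz":
            issues.append("the solaris-kz brand does not support IPoIB")
        for name in sorted(present & IPOIB_FORBIDDEN):
            issues.append("%s must not be set on an IPoIB data-link" % name)
        if "pkey" not in present:
            issues.append("pkey is mandatory for an IPoIB data-link")
    else:
        for name in sorted(present & NON_IPOIB_FORBIDDEN):
            issues.append("%s must not be set on a non-IPoIB data-link" % name)

    if "evs" in present:
        for name in sorted(present - EVS_ALLOWED):
            issues.append("EVS anet must not set %s" % name)
    return issues


# The exclusive-IP VNIC example from this page.
ETHERNET_ANET = {
    "linkname": "net0", "lower-link": "auto",
    "mac-address": "random", "link-protection": "mac-nospoof",
}
# The IPoIB example from this page.
IPOIB_ANET = {"linkname": "ib0", "lower-link": "net5", "pkey": "0xffff"}
# Constructed EVS resource with one property outside the permitted four.
EVS_ANET = {"linkname": "net0", "evs": "evs0", "vport": "vp0", "mtu": "9000"}

if __name__ == "__main__":
    cases = [
        ("ethernet", ETHERNET_ANET, False, "solaris"),
        ("ethernet + iov=on", dict(ETHERNET_ANET, iov="on"), False, "solaris-kz"),
        ("ipoib", IPOIB_ANET, True, "solaris"),
        ("evs", EVS_ANET, False, "solaris"),
    ]
    for label, props, is_ipoib, brand in cases:
        found = lint_anet(props, ipoib=is_ipoib, brand=brand)
        print(label, "->", found or "ok")
```
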

allowed-address

Configure an IP address for the exclusive-IP zone and also limit the set of configurable IP addresses that can be used by an exclusive-IP zone. To specify multiple addresses, use a list of comma-separated IP addresses.

defrouter

The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.

Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

iov

See Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones. For specific information on shadow VNICS used to provide network statistics, see Using Virtual Functions and Shadow VNICs With Oracle Solaris Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.

linkmode (IPoIB only)

Sets the linkmode for the data-link interface. The default value is cm. Valid values are:

cm (the default)

Connected Mode. This mode uses a default MTU of 65520 bytes and supports a maximum MTU of 65535 bytes.

ud

Unreliable Datagram Mode. If Connected Mode is not available for a remote node, Unreliable Datagram mode is automatically used instead. This mode uses a default MTU of 2044 and supports a maximum MTU of 4092 bytes.

linkname

Specify a name for the automatically created VNIC interface or IPoIB interface. Note that solaris-kz does not support IPoIB.

lower-link

Specifies the underlying link for the link to be created. When set to auto, the zoneadmd daemon automatically chooses the link over which the VNIC is created each time the zone boots. You can specify any link on which you can create a VNIC as the lower-link for an anet resource.

All IPoIB links are skipped when selecting the data-link for creating the VNIC automatically during boot.

mac-address (not for IPoIB)

Set the VNIC MAC address based on the specified value or keyword. If the value is not a keyword, it is interpreted as a unicast MAC address. See the zonecfg(1M) man page for supported keywords. If a random MAC address is selected, the generated address is preserved across zone boots, and zone detach and attach operations. When the default policy auto-mac-address is used, Oracle Solaris Zones can obtain a random mac-address.

pkey (IPoIB only)

Set the partition key to be used for creating the IPoIB data-link interface. This property is mandatory. The specified pkey is always treated as hexadecimal, whether or not it has the 0x prefix.

When the zonecfg command creates a zone using the SYSdefault template, an anet resource with the following properties is automatically included in the zone configuration if no other IP resources are set. The linkname is automatically created over the physical Ethernet link and set to the first available name of the form netN, for example, net0. To change the default values, use the zonecfg command.

When the default policy auto is used, an appropriate mac-address is assigned:

Oracle Solaris Zone                                                             random mac-address
Oracle Solaris Kernel Zone                                                      random mac-address
Oracle Solaris Zone under kernel zone                                           factory mac-address
Oracle VM Server for SPARC guest domain                                         factory mac-address
Oracle Solaris Kernel Zone running on Oracle VM Server for SPARC guest domain   factory mac-address

The default policy creates an automatic VNIC over the physical Ethernet link, for example, net0, and assigns the MAC address to the VNIC. The optional lower-link property is set to the underlying link, vnic1, over which the automatic VNIC is to be created. VNIC properties such as the link name, underlying physical link, MAC address, bandwidth limit, as well as other VNIC properties, can be specified by using the zonecfg command. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=net0
zonecfg:my-zone:anet> set lower-link=auto
zonecfg:my-zone:anet> set mac-address=random
zonecfg:my-zone:anet> set link-protection=mac-nospoof
zonecfg:my-zone:anet> end

The following example shows a solaris brand zone configured with an IPoIB data-link interface over the physical link net5 with the IB partition key 0xffff:

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=ib0
zonecfg:my-zone:anet> set lower-link=net5
zonecfg:my-zone:anet> set pkey=0xffff
zonecfg:my-zone:anet> end

The following example shows how to configure VLANs with zones. The vlan-id property is not supported on IPoIB datalinks.

zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=net0
zonecfg:my-zone:anet> set lower-link=net0
zonecfg:my-zone:anet> set vlan-id=101
zonecfg:my-zone:anet> end

For more information about properties, see the zonecfg(1M) man page. For additional information on the link properties, see the dladm(1M) man page. For information about creating and administering single root I/O (SR-IOV) NIC virtual functions (VF) on kernel zones by using the zonecfg iov anet property, see Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.

attr

name, type, value

In the following example, a comment about a zone is added.

zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="Production zone"
zonecfg:my-zone:attr> end

capped-cpu

ncpus

Specify the number of CPUs. The following example specifies a CPU cap of 3.5 CPUs for the zone my-zone.

zonecfg:my-zone> add capped-cpu
zonecfg:my-zone:capped-cpu> set ncpus=3.5
zonecfg:my-zone:capped-cpu> end

capped-memory

physical, swap, locked, pagesize-policy

Specify the memory limits for the zone my-zone. Each limit is optional, but at least one must be set.

zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=100m
zonecfg:my-zone:capped-memory> set locked=30m
zonecfg:my-zone:capped-memory> end

The capped-memory:pagesize-policy property values can be one of the following:

largest-only

Only the largest possible page size for the Kernel Zone's physical memory is allocated. If you fail to assign all the pages, then you fail to boot the zone.

largest-available

The largest possible page size is used, scaling down the page size if the system cannot allocate all physical memory with a particular page size. This value is the default because scaling to a usable page size ensures the zone can boot.

smallest-only

Lowest allowable page size required to boot the Kernel Zone for the particular platform is chosen.

To use the capped-memory resource, the resource-cap package must be installed in the global zone.

dataset

name, alias

The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.

zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> end

A delegated dataset can have a non-default alias as shown in the following example. Note that a dataset alias cannot contain a forward slash (/).

zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> set alias=data
zonecfg:my-zone:dataset> end

The %{zonename} token can be used for the name property.

To revert to the default alias, use clear alias.

zonecfg:my-zone> clear alias

dedicated-cpu

ncpus, importance, cores, cpus, sockets

Specify the number of CPUs and, optionally, the relative importance of the pool. The following example specifies a CPU range for use by the zone my-zone. importance is also set.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-3
zonecfg:my-zone:dedicated-cpu> set importance=2
zonecfg:my-zone:dedicated-cpu> end

Persistently assign cores 0, 1, 2, and 3 to the zone my-zone. The following dedicated-cpu example uses cores, but cpus=, cores=, and sockets= can all be used.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set cores=0-3
zonecfg:my-zone:dedicated-cpu> end

device

match, allow-partition, allow-raw-io

The device name to match can be a pattern to match or an absolute path. The following tokens are supported for the match and storage properties:

  • %{zonename}

  • %{id}

  • %{global-rootzpool}

Both allow-partition and allow-raw-io can be set to true or false. The default is false. allow-partition enables partitioning. allow-raw-io enables uscsi.

For more information on these resources, see zonecfg(1M).

Restrictions on what can be specified in the device:match resource property for solaris-kz zones include the following:

  • Only one resource is allowed per LUN.

  • Slices and partitions are not supported.

  • Support is only provided for raw disk devices.

  • The supported device paths are lofi, ramdisk, dsk, and zvols.

In the following example, uscsi operations on a disk device are added to a solaris zone configuration.

zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/*dsk/cXtYdZ*
zonecfg:my-zone:device> set allow-raw-io=true
zonecfg:my-zone:device> end

Veritas Volume Manager devices are delegated to a non-global zone by using add device.

In the following example, a storage device is added to a solaris-kz zone:

zonecfg:my-zone> add device
zonecfg:my-zone:device> set storage=iscsi:///luname.naa.600144f03d70c80000004ea57da10001
zonecfg:my-zone:device> set bootpri=0
zonecfg:my-zone:device> end

If using a token for the storage property, when a new instance of the device resource is added to a zone configuration, the system displays:

    device 0:
        match not specified
        storage.template: dev:/dev/zvol/dsk/%{global-rootzpool}/VARSHARE/zones/%{zonename}/disk%{id}
        storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/kernel-zone1/disk0
        id: 0
        bootpri: 0

Because storage is the only property that has a default value, only this property contains a value in the info output displayed after adding the resource.

fs

dir, special, raw, type, options

The fs resource parameters supply the values that determine how and where to mount file systems. The fs parameters are defined as follows:

dir

Specifies the mount point for the file system

special

Specifies the block special device name or directory from the global zone to mount

raw

Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)

type

Specifies the file system type

options

Specifies mount options similar to those found with the mount command

The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type to use is ZFS.

zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/shared/fs1
zonecfg:my-zone:fs> set special=pool1/fs1
zonecfg:my-zone:fs> set type=zfs
zonecfg:my-zone:fs> end

For more information on parameters, see The -o nosuid Option in Creating and Using Oracle Solaris Zones, Security Restrictions and File System Behavior in Creating and Using Oracle Solaris Zones, and the fsck(1M) and mount(1M) man pages. Also note that section 1M man pages are available for mount options that are unique to a specific file system. The names of these man pages have the form mount_filesystem.


Note -  The quota command documented in quota(1M) cannot be used to retrieve quota information for UFS file systems added through this resource.

solaris-kz Only: ib-vhca

over-hca, id, port

The ib-vhca resource specifies the physical function (PF) that is used to allocate a virtual function (VF).

Use the following steps to allocate a VF in a kernel zone:

  1. Virtualize the PF by using the ibadm command described in the ibadm(1M) man page.

  2. Use the zonecfg command to allocate a VF to a kernel zone. Note that a specific VF index is not specified. At boot time, an available VF is dynamically allocated from the specified PF to the kernel zone by zoneadmd. If a VF is not available, the resource allocation fails.

id

Unique identifier for the ib-vhca resource.

over-hca

Sets the physical InfiniBand device to use for configuration of the virtual InfiniBand device. To obtain the device name, see the ibadm command.

port

Use the port resource to specify the allowable pkey values for the allocated VF. The port also has an id property that corresponds to the physical port number, which is typically 1 or 2.

id

The id value is used to uniquely identify the port resource. The id corresponds to the physical port number.

pkey

Specifies the InfiniBand Partition key value. The pkey value can either be a keyword or a comma-separated list of hexadecimal values. Do not use the 0x prefix to specify the hexadecimal value.

The keyword used for pkey is auto. Use the auto keyword to automatically generate and assign a pkey value based on the over-hca value specified.

net

address, allowed-address, physical, defrouter


Note -  For a shared-IP zone, both the IP address and the physical device must be specified. Optionally, the default router can be set.

For an exclusive-IP zone, only the physical interface must be specified.

  • The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.

  • The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.

  • Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

  • Traffic from a zone with a default router will go out to the router before coming back to the destination zone.

When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.


In the following example for a shared-IP zone, the physical interface nge0 is added to the zone with an IP address of 192.168.0.1. To list the network interfaces on the system, type:

global# ipadm show-if -po ifname,class,active,persistent
lo0:loopback:yes:46--
nge0:ip:yes:----

Each line of the output, other than the loopback lines, will have the name of a network interface. Lines that contain loopback in the descriptions do not apply to cards. The 46 persistent flags indicate that the interface is configured persistently in the global zone. The yes active value indicates that the interface is currently configured, and the class value of ip indicates that nge0 is a non-loopback interface. The default route is set to 10.0.0.1 for the zone. Setting the defrouter property is optional. Note that ip-type=shared is required.

zonecfg:my-zone> set ip-type=shared
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=vnic1
zonecfg:my-zone:net> set address=192.168.0.1
zonecfg:my-zone:net> set defrouter=10.0.0.1
zonecfg:my-zone:net> end

In the following example for an exclusive-IP zone, a VNIC is used for the physical interface, which is a VLAN. To determine which data-links are available, use the command dladm show-link. The allowed-address property constrains the IP addresses that the zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:my-zone:net> set allowed-address=10.1.1.32/24
zonecfg:my-zone:net> set physical=vnic1
zonecfg:my-zone:net> set defrouter=10.1.1.1
zonecfg:my-zone:net> end

Only the physical device type will be specified in the add net step. The physical property can be a VNIC.


Note -  The Oracle Solaris operating system supports all Ethernet-type interfaces. You can administer the data-links with the dladm command.

rctl

name, value

The following zone-wide resource controls are available.

  • zone.cpu-cap

  • zone.cpu-shares (preferred: cpu-shares)

  • zone.max-locked-memory

  • zone.max-lofi

  • zone.max-lwps (preferred: max-lwps)

  • zone.max-msg-ids (preferred: max-msg-ids)

  • zone.max-processes (preferred: max-processes)

  • zone.max-sem-ids (preferred: max-sem-ids)

  • zone.max-shm-ids (preferred: max-shm-ids)

  • zone.max-shm-memory (preferred: max-shm-memory)

  • zone.max-swap

Note that the preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource, as shown in How to Configure the Zone in Creating and Using Oracle Solaris Zones. If zone-wide resource control entries in a zone are configured using add rctl, the format is different than resource control entries in the project database. In a zone configuration, the rctl resource type consists of three name/value pairs. The names are priv, limit, and action. Each of the names takes a simple value.

zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-lwps
zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny)
zonecfg:my-zone:rctl> end

For general information about resource controls and attributes, see Chapter 6, About Resource Controls in Administering Resource Management in Oracle Solaris 11.3 and Resource Controls Used in Non-Global Zones in Creating and Using Oracle Solaris Zones.

solaris and solaris10 Only: rootzpool

storage

Identify the storage object URI to provide a dedicated ZFS zpool for zone installation. For information on URIs and the allowed values for storage, see solaris and solaris10 Only: rootzpool Resource. During zone installation, the zpool is automatically created, or a pre-created zpool is imported. The name my-zone_rpool is assigned.

zonecfg:my-zone> add rootzpool
zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t1d0
zonecfg:my-zone:rootzpool> end

You can add an additional storage property if you are creating a mirrored configuration:

add storage dev:dsk/c4t1d0
add storage dev:dsk/c4t3d0

Only one rootzpool resource can be configured for a zone.

virtual-cpu

ncpus

Specify the number of CPUs. The following example specifies 3 CPUs for the zone my-zone.

zonecfg:my-zone> add virtual-cpu
zonecfg:my-zone:virtual-cpu> set ncpus=3
zonecfg:my-zone:virtual-cpu> end

solaris and solaris10 Only: zpool

storage, name

Define one or more storage object URIs to delegate a zpool to the zone. For information on URIs and the allowed values for the storage property, see solaris and solaris10 Only: rootzpool Resource. The allowed values for the name property are defined in the zpool(1M) man page.

In this example, a zpool storage resource is delegated to the zone. The zpool is automatically created, or a previously created zpool is imported during installation. The name of the zpool is my-zone_pool1.

zonecfg:my-zone> add zpool
zonecfg:my-zone:zpool> set name=pool1
zonecfg:my-zone:zpool> add storage dev:dsk/c4t2d0 
zonecfg:my-zone:zpool> add storage dev:dsk/c4t4d0 
zonecfg:my-zone:zpool> end

A zone configuration can have one or more zpool resources.

You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.
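The net rules and the rctl value format described above can be checked mechanically once a configuration is in command-file form. The following Python code is an added example, not part of the Oracle documentation: the function names and the sample input are constructed for illustration, and it assumes the exported configuration uses the same set, add, and end lines as the zonecfg examples on this page.

```python
import re

# Constructed sample in command-file form, assembled from this page's examples.
SAMPLE = """\
set ip-type=exclusive
add net
set allowed-address=10.1.1.32/24
set physical=vnic1
set defrouter=10.1.1.1
end
add net
set physical=vnic2
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=100,action=deny)
end
"""

def parse(text):
    """Return (global props, [(resource type, props, rctl value dicts)])."""
    props, resources, cur = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        value = re.match(r"add value \((.*)\)$", line)
        if cur is not None and value:  # priv/limit/action triple of an rctl
            cur[2].append(dict(kv.split("=", 1) for kv in value.group(1).split(",")))
        elif cur is None and line.startswith("add "):
            cur = (line.split()[1], {}, [])
        elif cur is not None and line == "end":
            resources.append(cur)
            cur = None
        elif line.startswith("set ") and "=" in line:
            key, val = line[4:].split("=", 1)
            (props if cur is None else cur[1])[key.strip()] = val.strip().strip('"')
    return props, resources

def audit_net(text):
    """Check each net resource against the rules stated for the zone's ip-type."""
    props, resources = parse(text)
    ip_type, findings = props.get("ip-type"), []  # unset ip-type: only physical is checked
    for rprops in (p for t, p, _ in resources if t == "net"):
        name = rprops.get("physical", "<unnamed>")
        if "physical" not in rprops:
            findings.append((name, "physical not set"))
        if ip_type == "shared" and "address" not in rprops:
            findings.append((name, "shared-IP net has no address"))
        if ip_type == "exclusive" and "allowed-address" not in rprops:
            findings.append((name, "configurable IP addresses are not limited"))
    return findings
```

To audit a real zone, pass the text printed by zonecfg -z my-zone export to audit_net in place of SAMPLE.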