Zone configuration data consists of two kinds of entities, resources and properties. Each resource has a type, and each resource can also have a set of one or more properties. The properties have names and values. The set of properties is dependent on the resource type.
The zone name identifies the zone to the configuration utility. The following rules apply to zone names:
Each zone must have a unique name.
A zone name is case-sensitive.
A zone name must begin with an alpha-numeric character.
The name can contain alpha-numeric characters, underbars (_), hyphens (-), and periods (.).
The name cannot be longer than 64 characters.
The name global and all names beginning with SUNW are reserved and cannot be used.
The zonepath property is the path that contains the zone root. Each zone has a root directory that resides in the global zone's file system under its zonepath. At zone installation time, the zonepath directory hierarchy will be created with the proper owner and mode.. The zonepath directory is required to be owned by root with the mode 700.
The non-global zone's root path is one level lower. The zone's root directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. These directories are created automatically with the correct permissions, and do not need to be verified by the zone administrator. This hierarchy ensures that unprivileged users in the global zone are prevented from traversing a non-global zone's file system.
Root of the zone
Devices created for the zone
See Traversing File Systems for a further discussion of this issue.
See Solaris 10 6/06, Solaris 10 11/06, Solaris 10 8/07, and Solaris 10 5/08: Do Not Place the Root File System of a Non-Global Zone on ZFS for ZFS restrictions for these releases.
If this property is set to true, the zone is automatically booted when the global zone is booted. Note that if the zones service, svc:/system/zones:default is disabled, the zone will not autoboot, regardless of the setting of this property. You can enable the zones service with the svcadm command described in the svcadm(1M) man page:
global# svcadm enable zones
Solaris 10 8/07: This property is used to set a boot argument for the zone. The boot argument is applied unless overridden by the reboot, zoneadm boot, or zoneadm reboot commands. See Solaris 10 8/07: Zone Boot Arguments.
This property is used to associate the zone with a resource pool on the system. Multiple zones can share the resources of one pool. Also see Solaris 10 8/07: dedicated-cpu Resource.
Solaris 10 11/06 and Later:This property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone.
Privileges are added by specifying the privilege name, with or without the leading priv_. Privileges are excluded by preceding the name with a dash (-) or an exclamation mark (!). The privilege values are separated by commas and placed within quotation marks (“).
As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions. Because zone configuration takes place from the global zone, the special privilege set zone cannot be used. Because a common use is to alter the default privilege set by adding or removing certain privileges, the special set default maps to the default, set of privileges. When default appears at the beginning of the limitpriv property, it expands to the default set.
The following entry adds the ability to use DTrace programs that only require the dtrace_proc and dtrace_user privileges in the zone:
global# zonecfg -z userzone zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"
If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege, an attempt to verify, ready, or boot the zone will fail with an error message.
Solaris 10 8/07: This property sets the scheduling class for the zone. See Scheduling Class in a Zone for additional information and tips.
Solaris 10 8/07: This resource dedicates a subset of the system's processors to the zone while it is running. The dedicated-cpu resource provides limits for ncpus and, optionally, importance. For more information, see Solaris 10 8/07: dedicated-cpu Resource.
Solaris 10 5/08: This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running. The resource provides a limit for ncpus.
Solaris 10 8/07: This resource groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties must be specified.
Solaris 10 6/06: Adding a ZFS file system dataset resource enables the delegation of storage administration to a non-global zone. The zone administrator can create and destroy file systems within that dataset, create and destroy clones, and modify properties of the dataset. The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone.
ZFS datasets can be added to a zone in the following ways.
As an lofs mounted file system, when the goal is solely to share space with the global zone
As a delegated dataset
Also see Chapter 30, Troubleshooting Miscellaneous Solaris Zones Problems for information on dataset issues.
Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones.
This resource should not be configured in a whole root zone.
In a sparse root zone, the inherit-pkg-dir resource is used to represent directories that contain packaged software that a non-global zone shares with the global zone.
The contents of software packages transferred into the inherit-pkg-dir directory are inherited in read-only mode by the non-global zone. The zone's packaging database is updated to reflect the packages. These resources cannot be modified or removed after the zone has been installed using zoneadm.
Four default inherit-pkg-dir resources are included in the configuration. These directory resources indicate which directories should have their associated packages inherited from the global zone. The resources are implemented through a read-only loopback file system mount.
The network interface resource is the interface name. Each zone can have network interfaces that are be set up when the zone transitions from the installed state to the ready state.
The device resource is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.
The rctl resource is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.
A hostid that is different from the hostid of the global zone can be set.
This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alpha-numeric character. The name property can contain alpha-numeric characters, hyphens (-), and periods (.) . Attribute names beginning with zone. are reserved for use by the system.
Solaris 10 8/07: Specify the number of CPUs and, optionally, the relative importance of the pool. The following example specifies a CPU range for use by the zone my-zone. importance is also set.
zonecfg:my-zone> add dedicated-cpu zonecfg:my-zone:dedicated-cpu> set ncpus=1-3 zonecfg:my-zone:dedicated-cpu> set importance=2 zonecfg:my-zone:dedicated-cpu> end
Specify the number of CPUs. The following example specifies a CPU cap of 3.5 CPUs for the zone my-zone.
zonecfg:my-zone> add capped-cpu zonecfg:my-zone:capped-cpu> set ncpus=3.5 zonecfg:my-zone:capped-cpu> end
physical, swap, locked
Specify the memory limits for the zone my-zone. Each limit is optional, but at least one must be set.
zonecfg:my-zone> add capped-memory zonecfg:my-zone:capped-memory> set physical=50m zonecfg:my-zone:capped-memory> set swap=100m zonecfg:my-zone:capped-memory> set locked=30m zonecfg:my-zone:capped-memory> end
dir, special, raw, type, options
The fs resource parameters supply the values that determine how and where to mount file systems. The fs parameters are defined as follows:
Specifies the mount point for the file system
Specifies the block special device name or directory from the global zone to mount
Specifies the raw device on which to run fsck before mounting the file system
Specifies the file system type
Specifies mount options similar to those found with the mount command
The lines in the following example specify that /dev/dsk/c0t0d0s2 in the global zone is to be mounted as /mnt in a zone being configured. The raw property specifies an optional device on which the fsck command is to be run before an attempt is made to mount the file system. The file system type to use is UFS. The options nodevices and logging are added.
zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/mnt zonecfg:my-zone:fs> set special=/dev/dsk/c0t0d0s2 zonecfg:my-zone:fs> set raw=/dev/rdsk/c0t0d0s2 zonecfg:my-zone:fs> set type=ufs zonecfg:my-zone:fs> add options [nodevices,logging] zonecfg:my-zone:fs> end
For more information, see The -o nosuid Option, Security Restrictions and File System Behavior, and the fsck(1M) and mount(1M) man pages. Also note that section 1M man pages are available for mount options that are unique to a specific file system. The names of these man pages have the form mount_filesystem.
To add a ZFS file system using the fs resource property, see Adding ZFS File Systems to a Non-Global Zone in Oracle Solaris ZFS Administration Guide.
The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.
zonecfg:my-zone> add dataset zonecfg:my-zone> set name=tank/sales zonecfg:my-zone> end
The lines in the following example specify that /opt/sfw is to be loopback mounted from the global zone.
zonecfg:my-zone> add inherit-pkg-dir zonecfg:my-zone:inherit-pkg-dir> set dir=/opt/sfw zonecfg:my-zone:inherit-pkg-dir> end
address, physical, defrouter
The defrouter property can be used to set a default route when the non-global zone is on a subnet that is not configured in the global zone.
Any zone that has the defrouter property set must be on a subnet that is not configured in the global zone.
When shared IP zones exist on different subnets, do not configure a data-link in the global zone.
For an exclusive-IP zone, only the physical interface is specified. The physical property can be a VNIC.
In the following example for a shared-IP zone, the IP address 192.168.0.1 is added to the zone. An hme0 card is used for the physical interface. To determine which physical interface to use, type ifconfig -a on your system. Each line of the output, other than loopback driver lines, begins with the name of a card installed on your system. Lines that contain LOOPBACK in the descriptions do not apply to cards.
zonecfg:my-zone> add net zonecfg:my-zone:net> set physical=hme0 zonecfg:my-zone:net> set address=192.168.0.1 zonecfg:my-zone:net> end
In the following example for an exclusive-IP zone, a bge32001 link is used for the physical interface. To determine which data-links are available, use the command dladm show-link. The data-link must be GLDv3 to be used with exclusive-IP zones, and non-GLDv3 data-links appear as type: legacy in the dladm show-link output. Note that ip-type=exclusive must also be specified.
zonecfg:my-zone> set ip-type=exclusive zonecfg:my-zone> add net zonecfg:my-zone:net> set physical=bge32001 zonecfg:my-zone:net> end
In the following example, a /dev/pts device is included in a zone.
zonecfg:my-zone> add device zonecfg:my-zone:device> set match=/dev/pts* zonecfg:my-zone:device> end
The following zone-wide resource controls are available:
zone.cpu-shares (preferred: cpu-shares)
zone.max-lwps (preferred: max-lwps)
zone.max-msg-ids (preferred: max-msg-ids)
zone.max-sem-ids (preferred: max-sem-ids)
zone.max-shm-ids (preferred: max-shm-ids)
zone.max-shm-memory (preferred: max-shm-memory)
Note that the preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource, as shown in How to Configure the Zone. If zone-wide resource control entries in a zone are configured using add rctl, the format is different than resource control entries in the project database. In a zone configuration, the rctl resource type consists of three name/value pairs. The names are priv, limit, and action. Each of the names takes a simple value.
zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.cpu-shares zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.max-lwps zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny) zonecfg:my-zone:rctl> end
name, type, value
In the following example, a comment about a zone is added.
zonecfg:my-zone> add attr zonecfg:my-zone:attr> set name=comment zonecfg:my-zone:attr> set type=string zonecfg:my-zone:attr> set value="Production zone" zonecfg:my-zone:attr> end
You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.