Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management Oracle Solaris 11 Express 11/10 |
Part I Oracle Solaris Resource Management
1. Introduction to Resource Management
2. Projects and Tasks (Overview)
3. Administering Projects and Tasks
4. Extended Accounting (Overview)
5. Administering Extended Accounting (Tasks)
6. Resource Controls (Overview)
7. Administering Resource Controls (Tasks)
8. Fair Share Scheduler (Overview)
9. Administering the Fair Share Scheduler (Tasks)
10. Physical Memory Control Using the Resource Capping Daemon (Overview)
11. Administering the Resource Capping Daemon (Tasks)
13. Creating and Administering Resource Pools (Tasks)
14. Resource Management Configuration Example
15. Introduction to Oracle Solaris Zones
16. Non-Global Zone Configuration (Overview)
Pre-Installation Configuration Process
Physical Memory Control and the capped-memory Resource
Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones
Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time
Disk Format Support in Non-Global Zones
Setting Zone-Wide Resource Controls
Including a Comment for a Zone
Tecla Command-Line Editing Library
17. Planning and Configuring Non-Global Zones (Tasks)
18. About Installing, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)
19. Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)
20. Non-Global Zone Login (Overview)
21. Logging In to Non-Global Zones (Tasks)
22. Moving and Migrating Non-Global Zones (Tasks)
23. About Packages on an Oracle Solaris 11 Express System With Zones Installed
24. Oracle Solaris Zones Administration (Overview)
25. Administering Oracle Solaris Zones (Tasks)
26. Troubleshooting Miscellaneous Oracle Solaris Zones Problems
Part III Oracle Solaris 10 Zones
27. Introduction to Oracle Solaris 10 Zones
28. Assessing an Oracle Solaris 10 System and Creating an Archive
30. Configuring the solaris10 Branded Zone
31. Installing the solaris10 Branded Zone
32. Booting a Zone and Zone Migration
33. solaris10 Branded Zone Login and Post-Installation Configuration
Zone configuration data consists of two kinds of entities: resources and properties. Each resource has a type, and each resource can also have a set of one or more properties. The properties have names and values. The set of properties is dependent on the resource type.
The only required properties are zonename and zonepath.
The resource and property types are described as follows:
The name of the zone. The following rules apply to zone names:
Each zone must have a unique name.
A zone name is case-sensitive.
A zone name must begin with an alphanumeric character.
The name can contain alphanumeric characters, underbars (_), hyphens (-), and periods (.).
The name cannot be longer than 64 characters.
The name global and all names beginning with SUNW are reserved and cannot be used.
The zonepath property is the path to the zone root. Each zone has a path to its root directory that is relative to the global zone's root directory. At installation time, the global zone directory is required to have restricted visibility. It must be owned by root with the mode 700.
The non-global zone's root path is one level lower. The zone's root directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. These directories are created automatically with the correct permissions, and do not need to be verified by the zone administrator. This hierarchy ensures that unprivileged users in the global zone are prevented from traversing a non-global zone's file system.
The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. The parent directory of the zone path must also be a dataset.
|
See Traversing File Systems for a further discussion of this issue.
Note - You can move a zone to another location on the same system by specifying a new, full zonepath with the move subcommand of zoneadm. See Moving a Non-Global Zone for instructions.
If this property is set to true, the zone is automatically booted when the global zone is booted. Note that if the zones service svc:/system/zones:default is disabled, the zone will not automatically boot, regardless of the setting of this property. You can enable the zones service with the svcadm command described in the svcadm(1M) man page:
global# svcadm enable zones
See Zones Packaging Overview for information on this setting during pkg image-update.
This property is used to set a boot argument for the zone. The boot argument is applied unless overridden by the reboot, zoneadm boot, or zoneadm reboot commands. See Zone Boot Arguments.
This property is used to associate the zone with a resource pool on the system. Multiple zones can share the resources of one pool. Also see dedicated-cpu Resource.
This property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone.
Privileges are added by specifying the privilege name, with or without the leading priv_. Privileges are excluded by preceding the name with a dash (-) or an exclamation mark (!). The privilege values are separated by commas and placed within quotation marks (“).
As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions. Because zone configuration takes place from the global zone, the special privilege set zone cannot be used. Because a common use is to alter the default privilege set by adding or removing certain privileges, the special set default maps to the default, set of privileges. When default appears at the beginning of the limitpriv property, it expands to the default set.
The following entry adds the ability to use DTrace programs that only require the dtrace_proc and dtrace_user privileges in the zone:
global# zonecfg -z userzone zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"
If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege, an attempt to verify, ready, or boot the zone will fail with an error message.
This property sets the scheduling class for the zone. See Scheduling Class for additional information and tips.
This property is required to be set only if the zone is an exclusive-IP zone. See Exclusive-IP Non-Global Zones and How to Configure the Zone.
This resource dedicates a subset of the system's processors to the zone while it is running. The dedicated-cpu resource provides limits for ncpus and, optionally, importance. For more information, see dedicated-cpu Resource.
This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running. The capped-cpu resource provides a limit for ncpus. For more information, see capped-cpu Resource.
This resource groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties must be specified.
The network interface resource is the interface name. Each zone can have network interfaces that should be set up when the zone transitions from the installed state to the ready state.
Adding a ZFS dataset resource enables the delegation of storage administration to a non-global zone. The zone administrator can create and destroy file systems within that dataset, and modify properties of the dataset. The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone. After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have to set the mount point to an unacceptable value.
ZFS datasets can be added to a zone in the following ways.
As an lofs mounted file system, when the goal is solely to share space with the global zone
As a delegated dataset
See Chapter 10, Oracle Solaris ZFS Advanced Topics, in Oracle Solaris ZFS Administration Guide and File Systems and Non-Global Zones.
Also see Chapter 26, Troubleshooting Miscellaneous Oracle Solaris Zones Problems for information on dataset issues.
Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones.
Setting this property gives the zone administrator the ability to mount any file system of that type, either created by the zone administrator or imported by using NFS, and administer that file system. File system mounting permissions within a running zone are also restricted by the fs-allowed property. By default, only mounts of hsfs file systems and network file systems, such as NFS, are allowed within a zone.
The property can be used with a block device or ZVOL device delegated into the zone as well.
The fs-allowed property accepts a comma-separated list of additional file systems that can be mounted from within the zone, for example, ufs,pcfs.
zonecfg:my-zone> set fs-allowed=ufs,pcfs
This property does not affect zone mounts administrated by the global zone through the add fs or add dataset properties.
For security considerations, see File Systems and Non-Global Zones and Device Use in Non-Global Zones.
The device resource is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.
The rctl resource is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.
See Setting Zone-Wide Resource Controls for more information.
Note - To configure zone-wide controls using the set global_property_name subcommand of zonefig instead of the rctl resource, see How to Configure the Zone.
A hostid that is different from the hostid of the global zone can be set.
This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.
Resources also have properties to configure. The following properties are associated with the resource types shown.
Define the user name and the authorizations for that user for a given zone.
zonecfg:my-zone> add admin zonecfg:my-zone:admin> set user=zadmin zonecfg:my-zone:admin> set auths=login,manage zonecfg:my-zone:admin> end
The following values can be used for the auths property:
login (solaris.zone.login)
manage (solaris.zone.manage)
clone (solaris.zone.clonefrom)
Note that these auths do not enable you to create a zone. This capability is included in the Zone Security profile.
ncpus, importance
Specify the number of CPUs and, optionally, the relative importance of the pool. The following example specifies a CPU range for use by the zone my-zone. importance is also set.
zonecfg:my-zone> add dedicated-cpu zonecfg:my-zone:dedicated-cpu> set ncpus=1-3 zonecfg:my-zone:dedicated-cpu> set importance=2 zonecfg:my-zone:dedicated-cpu> end
ncpus
Specify the number of CPUs. The following example specifies a CPU cap of 3.5 CPUs for the zone my-zone.
zonecfg:my-zone> add capped-cpu zonecfg:my-zone:capped-cpu> set ncpus=3.5 zonecfg:my-zone:capped-cpu> end
physical, swap, lockedSpecify the memory limits for the zone my-zone. Each limit is optional, but at least one must be set.
zonecfg:my-zone> add capped-memory zonecfg:my-zone:capped-memory> set physical=50m zonecfg:my-zone:capped-memory> set swap=100m zonecfg:my-zone:capped-memory> set locked=30m zonecfg:my-zone:capped-memory> end
dir, special, raw, type, options
The fs resource parameters supply the values that determine how and where to mount file systems. The fs parameters are defined as follows:
Specifies the mount point for the file system
Specifies the block special device name or directory from the global zone to mount
Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)
Specifies the file system type
Specifies mount options similar to those found with the mount command
The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type to use is ZFS.
zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/shared/fs1 zonecfg:my-zone:fs> set special=pool1/fs1 zonecfg:my-zone:fs> set type=zfs zonecfg:my-zone:fs> end
For more information on parameters, see The -o nosuid Option, Security Restrictions and File System Behavior, and the fsck(1M) and mount(1M) man pages. Also note that section 1M man pages are available for mount options that are unique to a specific file system. The names of these man pages have the form mount_filesystem.
name
The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.
zonecfg:my-zone> add dataset zonecfg:my-zone> set name=tank/sales zonecfg:my-zone> end
address, allowed-addressphysical, defrouter
Note - For a shared-IP zone, both the IP address and the device are specified. Optionally, the default router can be set. For an exclusive-IP zone, only the physical interface must be specified.
The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.
The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.
Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.
Traffic from a zone with a default router will go out to the router before coming back to the destination zone.
When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.
For an exclusive-IP zone, the physical property can be a VNIC.
In the following example for a shared-IP zone, the IP address 192.168.0.1 is added to the zone. An hme0 card is used for the physical interface. To determine which physical interface to use, type ifconfig -a on your system. Each line of the output, other than loopback driver lines, begins with the name of a card installed on your system. Lines that contain LOOPBACK in the descriptions do not apply to cards. The default route is set to 10.0.0.1 for the zone.
zonecfg:my-zone> add net zonecfg:my-zone:net> set physical=hme0 zonecfg:my-zone:net> set address=192.168.0.1 zonecfg:my-zone:net> set defrouter=10.0.0.1 zonecfg:my-zone:net> end
In the following example for an exclusive-IP zone, a bge32001 link is used for the physical interface, which is a VLAN on bge1. To determine which data-links are available, use the command dladm show-link. The allowed-address property constrains which IP addresses zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.
zonecfg:my-zone> set ip-type=exclusive zonecfg:my-zone> add net zonecfg:myzone:net> set allowed-address=11.1.1.32/24 zonecfg:my-zone:net> set physical=vnic0 zonecfg:myzone:net> set defrouter=11.1.1.1 zonecfg:my-zone:net> end
The physical property can be a VNIC, as described in Part IV, Network Virtualization and Resource Management, in System Administration Guide: Network Interfaces and Network Virtualization.
Note - The Oracle Solaris operating system supports all Ethernet-type interfaces, and their data-links can be administered with the dladm command.
match
In the following example, a /dev/pts device is included in a zone.
zonecfg:my-zone> add device zonecfg:my-zone:device> set match=/dev/pts* zonecfg:my-zone:device> end
Caution - Before adding devices, see Device Use in Non-Global Zones, Running Applications in Non-Global Zones, and Privileges in a Non-Global Zone for restrictions and security concerns. |
name, value
The following zone-wide resource controls are available.
zone.cpu-cap
zone.cpu-shares (preferred: cpu-shares)
zone.max-locked-memory
zone.max-lofi
zone.max-lwps (preferred: max-lwps)
zone.max-msg-ids (preferred: max-msg-ids)
zone.max-processes(preferred: max-processes
zone.max-sem-ids (preferred: max-sem-ids)
zone.max-shm-ids (preferred: max-shm-ids)
zone.max-shm-memory (preferred: max-shm-memory)
zone.max-swap
Note that the preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource, as shown in How to Configure the Zone. If zone-wide resource control entries in a zone are configured using add rctl, the format is different than resource control entries in the project database. In a zone configuration, the rctl resource type consists of three name/value pairs. The names are priv, limit, and action. Each of the names takes a simple value.
zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.cpu-shares zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none) zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.max-lwps zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny) zonecfg:my-zone:rctl> end
For general information about resource controls and attributes, see Chapter 6, Resource Controls (Overview) and Resource Controls Used in Non-Global Zones.
name, type, value
In the following example, a comment about a zone is added.
zonecfg:my-zone> add attr zonecfg:my-zone:attr> set name=comment zonecfg:my-zone:attr> set type=string zonecfg:my-zone:attr> set value="Production zone" zonecfg:my-zone:attr> end
You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.