JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information


Part I Oracle Solaris Resource Management

1.  Introduction to Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

Part II Oracle Solaris Zones

15.  Introduction to Oracle Solaris Zones

16.  Non-Global Zone Configuration (Overview)

About Resources in Zones

Pre-Installation Configuration Process

Zone Components

Zone Name and Path

Zone Autoboot

admin Resource

Resource Pool Association

dedicated-cpu Resource

capped-cpu Resource

Scheduling Class

Physical Memory Control and the capped-memory Resource

Zone Network Interfaces

About Data-Links

Shared-IP Non-Global Zones

Exclusive-IP Non-Global Zones

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

File Systems Mounted in Zones

Host ID in Zones

Configured Devices in Zones

Disk Format Support in Non-Global Zones

Setting Zone-Wide Resource Controls

Configurable Privileges

Including a Comment for a Zone

Using the zonecfg Command

zonecfg Modes

zonecfg Interactive Mode

zonecfg Command-File Mode

Zone Configuration Data

Resource and Property Types

Resource Type Properties

Tecla Command-Line Editing Library

17.  Planning and Configuring Non-Global Zones (Tasks)

18.  About Installing, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)

19.  Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

20.  Non-Global Zone Login (Overview)

21.  Logging In to Non-Global Zones (Tasks)

22.  Moving and Migrating Non-Global Zones (Tasks)

23.  About Packages on an Oracle Solaris 11 Express System With Zones Installed

24.  Oracle Solaris Zones Administration (Overview)

25.  Administering Oracle Solaris Zones (Tasks)

26.  Troubleshooting Miscellaneous Oracle Solaris Zones Problems

Part III Oracle Solaris 10 Zones

27.  Introduction to Oracle Solaris 10 Zones

28.  Assessing an Oracle Solaris 10 System and Creating an Archive

29.  (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Container

30.  Configuring the solaris10 Branded Zone

31.  Installing the solaris10 Branded Zone

32.  Booting a Zone and Zone Migration

33.  solaris10 Branded Zone Login and Post-Installation Configuration



Zone Configuration Data

Zone configuration data consists of two kinds of entities: resources and properties. Each resource has a type, and each resource can also have a set of one or more properties. The properties have names and values. The set of properties is dependent on the resource type.

The only required properties are zonename and zonepath.

Resource and Property Types

The resource and property types are described as follows:


The name of the zone. The following rules apply to zone names:

  • Each zone must have a unique name.

  • A zone name is case-sensitive.

  • A zone name must begin with an alphanumeric character.

    The name can contain alphanumeric characters, underbars (_), hyphens (-), and periods (.).

  • The name cannot be longer than 64 characters.

  • The name global and all names beginning with SUNW are reserved and cannot be used.


The zonepath property is the path to the zone root. Each zone has a path to its root directory that is relative to the global zone's root directory. At installation time, the global zone directory is required to have restricted visibility. It must be owned by root with the mode 700.

The non-global zone's root path is one level lower. The zone's root directory has the same ownership and permissions as the root directory (/) in the global zone. The zone directory must be owned by root with the mode 755. These directories are created automatically with the correct permissions, and do not need to be verified by the zone administrator. This hierarchy ensures that unprivileged users in the global zone are prevented from traversing a non-global zone's file system.

The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. The parent directory of the zone path must also be a dataset.

zonecfg zonepath
Root of the zone
Devices created for the zone

See Traversing File Systems for a further discussion of this issue.

Note - You can move a zone to another location on the same system by specifying a new, full zonepath with the move subcommand of zoneadm. See Moving a Non-Global Zone for instructions.


If this property is set to true, the zone is automatically booted when the global zone is booted. Note that if the zones service svc:/system/zones:default is disabled, the zone will not automatically boot, regardless of the setting of this property. You can enable the zones service with the svcadm command described in the svcadm(1M) man page:

global# svcadm enable zones

See Zones Packaging Overview for information on this setting during pkg image-update.


This property is used to set a boot argument for the zone. The boot argument is applied unless overridden by the reboot, zoneadm boot, or zoneadm reboot commands. See Zone Boot Arguments.


This property is used to associate the zone with a resource pool on the system. Multiple zones can share the resources of one pool. Also see dedicated-cpu Resource.


This property is used to specify a privilege mask other than the default. See Privileges in a Non-Global Zone.

Privileges are added by specifying the privilege name, with or without the leading priv_. Privileges are excluded by preceding the name with a dash (-) or an exclamation mark (!). The privilege values are separated by commas and placed within quotation marks ().

As described in priv_str_to_set(3C), the special privilege sets of none, all, and basic expand to their normal definitions. Because zone configuration takes place from the global zone, the special privilege set zone cannot be used. Because a common use is to alter the default privilege set by adding or removing certain privileges, the special set default maps to the default, set of privileges. When default appears at the beginning of the limitpriv property, it expands to the default set.

The following entry adds the ability to use DTrace programs that only require the dtrace_proc and dtrace_user privileges in the zone:

global# zonecfg -z userzone
zonecfg:userzone> set limitpriv="default,dtrace_proc,dtrace_user"

If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege, an attempt to verify, ready, or boot the zone will fail with an error message.


This property sets the scheduling class for the zone. See Scheduling Class for additional information and tips.


This property is required to be set only if the zone is an exclusive-IP zone. See Exclusive-IP Non-Global Zones and How to Configure the Zone.


This resource dedicates a subset of the system's processors to the zone while it is running. The dedicated-cpu resource provides limits for ncpus and, optionally, importance. For more information, see dedicated-cpu Resource.


This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running. The capped-cpu resource provides a limit for ncpus. For more information, see capped-cpu Resource.


This resource groups the properties used when capping memory for the zone. The capped-memory resource provides limits for physical, swap, and locked memory. At least one of these properties must be specified.


The network interface resource is the interface name. Each zone can have network interfaces that should be set up when the zone transitions from the installed state to the ready state.


Adding a ZFS dataset resource enables the delegation of storage administration to a non-global zone. The zone administrator can create and destroy file systems within that dataset, and modify properties of the dataset. The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone. After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have to set the mount point to an unacceptable value.

ZFS datasets can be added to a zone in the following ways.

  • As an lofs mounted file system, when the goal is solely to share space with the global zone

  • As a delegated dataset

See Chapter 10, Oracle Solaris ZFS Advanced Topics, in Oracle Solaris ZFS Administration Guide and File Systems and Non-Global Zones.

Also see Chapter 26, Troubleshooting Miscellaneous Oracle Solaris Zones Problems for information on dataset issues.


Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones.


Setting this property gives the zone administrator the ability to mount any file system of that type, either created by the zone administrator or imported by using NFS, and administer that file system. File system mounting permissions within a running zone are also restricted by the fs-allowed property. By default, only mounts of hsfs file systems and network file systems, such as NFS, are allowed within a zone.

The property can be used with a block device or ZVOL device delegated into the zone as well.

The fs-allowed property accepts a comma-separated list of additional file systems that can be mounted from within the zone, for example, ufs,pcfs.

zonecfg:my-zone> set fs-allowed=ufs,pcfs

This property does not affect zone mounts administrated by the global zone through the add fs or add dataset properties.

For security considerations, see File Systems and Non-Global Zones and Device Use in Non-Global Zones.


The device resource is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.


The rctl resource is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.

See Setting Zone-Wide Resource Controls for more information.

Note - To configure zone-wide controls using the set global_property_name subcommand of zonefig instead of the rctl resource, see How to Configure the Zone.


A hostid that is different from the hostid of the global zone can be set.


This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.

Resource Type Properties

Resources also have properties to configure. The following properties are associated with the resource types shown.


Define the user name and the authorizations for that user for a given zone.

zonecfg:my-zone> add admin
zonecfg:my-zone:admin> set user=zadmin
zonecfg:my-zone:admin> set auths=login,manage
zonecfg:my-zone:admin> end

The following values can be used for the auths property:

  • login (

  • manage (

  • clone (

Note that these auths do not enable you to create a zone. This capability is included in the Zone Security profile.


ncpus, importance

Specify the number of CPUs and, optionally, the relative importance of the pool. The following example specifies a CPU range for use by the zone my-zone. importance is also set.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-3
zonecfg:my-zone:dedicated-cpu> set importance=2
zonecfg:my-zone:dedicated-cpu> end


Specify the number of CPUs. The following example specifies a CPU cap of 3.5 CPUs for the zone my-zone.

zonecfg:my-zone> add capped-cpu
zonecfg:my-zone:capped-cpu> set ncpus=3.5
zonecfg:my-zone:capped-cpu> end

physical, swap, lockedSpecify the memory limits for the zone my-zone. Each limit is optional, but at least one must be set.

zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=100m
zonecfg:my-zone:capped-memory> set locked=30m
zonecfg:my-zone:capped-memory> end

dir, special, raw, type, options

The fs resource parameters supply the values that determine how and where to mount file systems. The fs parameters are defined as follows:


Specifies the mount point for the file system


Specifies the block special device name or directory from the global zone to mount


Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)


Specifies the file system type


Specifies mount options similar to those found with the mount command

The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type to use is ZFS.

zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/shared/fs1
zonecfg:my-zone:fs> set special=pool1/fs1
zonecfg:my-zone:fs> set type=zfs
zonecfg:my-zone:fs> end

For more information on parameters, see The -o nosuid Option, Security Restrictions and File System Behavior, and the fsck(1M) and mount(1M) man pages. Also note that section 1M man pages are available for mount options that are unique to a specific file system. The names of these man pages have the form mount_filesystem.



The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.

zonecfg:my-zone> add dataset
zonecfg:my-zone> set name=tank/sales
zonecfg:my-zone> end

address, allowed-addressphysical, defrouter

Note - For a shared-IP zone, both the IP address and the device are specified. Optionally, the default router can be set. For an exclusive-IP zone, only the physical interface must be specified.

  • The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.

  • The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.

  • Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

  • Traffic from a zone with a default router will go out to the router before coming back to the destination zone.

When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.

For an exclusive-IP zone, the physical property can be a VNIC.

In the following example for a shared-IP zone, the IP address is added to the zone. An hme0 card is used for the physical interface. To determine which physical interface to use, type ifconfig -a on your system. Each line of the output, other than loopback driver lines, begins with the name of a card installed on your system. Lines that contain LOOPBACK in the descriptions do not apply to cards. The default route is set to for the zone.

zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=hme0
zonecfg:my-zone:net> set address=
zonecfg:my-zone:net> set defrouter=
zonecfg:my-zone:net> end

In the following example for an exclusive-IP zone, a bge32001 link is used for the physical interface, which is a VLAN on bge1. To determine which data-links are available, use the command dladm show-link. The allowed-address property constrains which IP addresses zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:myzone:net> set allowed-address=
zonecfg:my-zone:net> set physical=vnic0
zonecfg:myzone:net> set defrouter=
zonecfg:my-zone:net> end

The physical property can be a VNIC, as described in Part IV, Network Virtualization and Resource Management, in System Administration Guide: Network Interfaces and Network Virtualization.

Note - The Oracle Solaris operating system supports all Ethernet-type interfaces, and their data-links can be administered with the dladm command.



In the following example, a /dev/pts device is included in a zone.

zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/pts*
zonecfg:my-zone:device> end


Caution - Before adding devices, see Device Use in Non-Global Zones, Running Applications in Non-Global Zones, and Privileges in a Non-Global Zone for restrictions and security concerns.


name, value

The following zone-wide resource controls are available.

  • zone.cpu-cap

  • zone.cpu-shares (preferred: cpu-shares)

  • zone.max-locked-memory

  • zone.max-lofi

  • zone.max-lwps (preferred: max-lwps)

  • zone.max-msg-ids (preferred: max-msg-ids)

  • zone.max-processes(preferred: max-processes

  • zone.max-sem-ids (preferred: max-sem-ids)

  • zone.max-shm-ids (preferred: max-shm-ids)

  • zone.max-shm-memory (preferred: max-shm-memory)

  • zone.max-swap

Note that the preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource, as shown in How to Configure the Zone. If zone-wide resource control entries in a zone are configured using add rctl, the format is different than resource control entries in the project database. In a zone configuration, the rctl resource type consists of three name/value pairs. The names are priv, limit, and action. Each of the names takes a simple value.

zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-lwps
zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny)
zonecfg:my-zone:rctl> end

For general information about resource controls and attributes, see Chapter 6, Resource Controls (Overview) and Resource Controls Used in Non-Global Zones.


name, type, value

In the following example, a comment about a zone is added.

zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="Production zone"
zonecfg:my-zone:attr> end

You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.