|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management Oracle Solaris 11.1 Information Library|
This section covers the required and optional zone components that can be configured. Only the zone name and zone path are required. Additional information is provided in Zone Configuration Data.
You must choose a name and a path for your zone. The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that the parent directory of the zone path must also be a dataset.
For more information, see Chapter 27, Configuring and Administering Immutable Zones.
Specify the user name.
Specify the authorizations for the user name.
If RBAC is in use, the authorization solaris.zone.login/zonename is required for interactive logins. Password authentication takes place in the zone.
If RBAC is in use, for non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.
If RBAC is in use, subcommands that make a copy of another zone require the authorization, solaris.zone.clonefrom/source_zone.
The dedicated-cpu resource specifies that a subset of the system's processors should be dedicated to a non-global zone while it is running. When the zone boots, the system will dynamically create a temporary pool for use while the zone is running.
With specification in zonecfg, pool settings propagate during migrations.
The dedicated-cpu resource sets limits for ncpus, and optionally, importance.
Specify the number of CPUs or specify a range, such as 2–4 CPUs. If you specify a range because you want dynamic resource pool behavior, also do the following:
Set the importance property.
Enable the poold service. For instructions, see How to Enable the Dynamic Resource Pools Service Using svcadm.
If you are using a CPU range to achieve dynamic behavior, also set the importance property, The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, then importance is ignored. If poold is running and importance is not set, importance defaults to 1. For more information, see pool.importance Property Constraint.
Note - The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl and the dedicated-cpu resource are incompatible.
The capped-cpu resource provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone. When used in conjunction with processor sets, CPU caps limit CPU usage within a set. The capped-cpu resource has a single ncpus property that is a positive decimal with two digits to the right of the decimal. This property corresponds to units of CPUs. The resource does not accept a range. The resource does accept a decimal number. When specifying ncpus, a value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system.
Note - The capped-cpu resource and the dedicated-cpu resource are incompatible.
You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among zones, based on their importance. This importance is expressed by the number of shares of CPU resources that you assign to each zone. Even if you are not using FSS to manage CPU resource allocation between zones, you can set the zone's scheduling-class to use FSS so that you can set shares on projects within the zone.
When you explicitly set the cpu-shares property, the fair share scheduler (FSS) will be used as the scheduling class for that zone. However, the preferred way to use FSS in this case is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources. If cpu-shares is not set for a zone, the zone will use the system default scheduling class. The following actions set the scheduling class for a zone:
You can use the scheduling-class property in zonecfg to set the scheduling class for the zone.
You can set the scheduling class for a zone through the resource pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running in the zone run in that scheduling class by default. See Introduction to Resource Pools and How to Associate a Pool With a Scheduling Class.
If the cpu-shares rctl is set and FSS has not been set as the scheduling class for the zone through another action, zoneadmd sets the scheduling class to FSS when the zone boots.
If the scheduling class is not set through any other action, the zone inherits the system default scheduling class.
Note that you can use the priocntl described in the priocntl(1) man page to move running processes into a different scheduling class without changing the default scheduling class and rebooting.
The capped-memory resource sets limits for physical, swap, and locked memory. Each limit is optional, but at least one must be set. To use the capped-memory resource, the resource-cap package must be installed in the global zone.
Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.
Note - Applications generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone's applications are known to lock memory. If zone trust is a concern, you can also consider setting the locked memory cap to 10 percent of the system's physical memory, or 10 percent of the zone's physical memory cap.
For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone. To temporarily set a resource cap for a zone, see How to Specify a Temporary Resource Cap for a Zone.
The optional rootzpool resource in the zonecfg utility is used to create a dedicated ZFS zpool for zone installation. The zone root ZFS zpool can be hosted on shared storage devices defined by one or more Universal Resource Identifiers (URIs). The required storage property identifies the storage object URI to contain the root zfs file system for a zone. Only one rootzpool can be defined for a given zone. The storage is automatically configured for the zone when the zone is booted.
The corresponding zpools are automatically created or imported during zone installation or zone attach operations. When the zone is uninstalled or detached, the following actions take place:
The storage resources are automatically unconfigured.
The corresponding zpools are automatically exported or destroyed.
In order to reuse a pre-created zpool for a zone installation, the zpool must be exported from the system.
The zones framework supports the following URI types:
Local device path URI
dev:local-path-under-/dev dev://absolute-path-with-dev dev:absolute-path-with-dev
dev:dsk/c7t0d0s0 dev:///dev/dsk/c7t0d0s0 dev:/dev/dsk/c7t0d0s0
lu (Logical Unit)
Fibre Channel (FC) and Serial Attached SCSI (SAS)
iscsi:///luname.naa.600144f03d70c80000004ea57da10001 iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001 iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001 iscsi://127.0.0.1:3620/luname.naa.600144f03d70c80000004ea57da10001 iscsi://hostname:3620/luname.naa.600144f03d70c80000004ea57da10001
The suriadm tool is used to administer shared objects based on storage URIs. For information about IDs, the Name Address Authority (NAA), and obtaining URIs for existing storage objects, see the suriadm(1M) and suri(5) man pages.
The system names the newly created or imported rootzpool for its associated zone. The assigned name has the form zonename_rpool.
The storage property is managed using the following commands from inside the rootzpool resource scope:
add storage URI string
remove storage URI string
The corresponding zpools are automatically created or imported during zone installation or zone attach operations.
When the zone is uninstalled or detached, the following actions take place:
The storage resources are automatically unconfigured.
The corresponding zpools are automatically exported or destroyed.
The required storage property identifies the storage object URI associated with this resource.
The storage property is managed using the following settings in the zpool resource scope:
add storage URI string
remove storage URI string
The name property is mandatory for the zpool resource. The property is used in the name for a zpool delegated to the zone. The ZFS file system name component cannot contain a forward slash (/).
The assigned name of the newly created or imported zpool has the form zonename_name. This is the zpool name visible inside the non-global zone.
Note - A zone installation can fail when a storage object contains preexisting partitions, zpools, or UFS file systems. For more information, see Step 4 in How to Install a Configured Zone.
Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.
The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.
There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive IP is the default IP type. A shared-IP zone shares a network interface with the global zone. Configuration in the global zone must be done by the ipadm utility to use shared-IP zones. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured using the anet resource, a dedicated VNIC is automatically created and assigned to that zone. By using the automated anet resource, the requirement to create and configure data-links in the global zone and assign the data-links to non-global zones is eliminated. Use the anet resource to accomplish the following:
Allow the global zone administrator to choose specific names for the data-links assigned to non-global zones
Allow multiple zones to use data-links of the same name
For backward compatibility, preconfigured data-links can be assigned to non-global zones.
Note - The link protection is described in Chapter 20, Using Link Protection in Virtualized Environments, in Oracle Solaris Administration: Network Interfaces and Network Virtualization can be used on a system running zones. This functionality is configured in the global zone.
A data-link is an interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A data-link is also referred to as a physical interface, for example, a Network Interface Card (NIC). The data-link is the physical property configured by using zonecfg(1M). The physical property can be a VNIC, as described in Part III, Network Virtualization and Resource Management, in Oracle Solaris Administration: Network Interfaces and Network Virtualization.
Example data-links are physical interfaces such as e1000g0 and bge1, NICs such as bge3, aggregations such as aggr1, aggr2, or VLAN-tagged interfaces such as e1000g123000 and bge234003 (as VLAN 123 on e1000g0 and VLAN 234 on bge3, respectively).
For information about using IP over Infiniband (IPoIB), see the anet description in Resource Type Properties.
A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:
The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.
You do not want the other capabilities that the exclusive-IP zone provides.
Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.
In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.
To use the shared-IP type networking configuration in the global zone, you must use ipadm, not automatic network configuration. To determine whether networking configuration is being done by ipadm, run the following command. The response displayed must be DefaultFixed.
# svcprop -p netcfg/active_ncp svc:/network/physical:default DefaultFixed
The IP addresses assigned to shared-IP zones are associated with logical network interfaces.
The ipadm command can be used from the global zone to assign or remove logical interfaces in a running zone.
To add interfaces, use the following command:
global# ipadm set-addrprop -p zone=my-zone net0/addr1
To remove interfaces, use one of the following commands:
global# ipadm set-addrprop -p zone=global net0/addr
global# ipadm reset-addrprop -p zone net0/addr1
For more information, see Shared-IP Network Interfaces.
An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.
The following features can be used in an exclusive-IP zone:
ipadm for setting TCP/UDP/SCTP as well as IP/ARP-level tunables
IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security association
There are two ways to configure exclusive-IP zones:
Use the anet resource of the zonecfg utility to automatically create a temporary VNIC for the zone when the zone boots and delete it when the zone halts.
Preconfigure the data-link in the global zone and assigned it to the exclusive-IP zone by using the net resource of the zonecfg utility. The data-link is specified by using the physical property of the net resource. The physical property can be a VNIC, as described in Part III, Network Virtualization and Resource Management, in Oracle Solaris Administration: Network Interfaces and Network Virtualization. The address property of the net resource is not set.
By default, an exclusive-IP zone can configure and use any IP address on the associated interface. Optionally, a comma separated list of IP addresses can be specified using the allowed-address property. The exclusive-IP zone cannot use IP addresses that are not in the allowed-address list. Moreover, all the addresses in the allowed-address list will automatically be persistently configured for the exclusive-IP zone when the zone is booted. If this interface configuration is not wanted, then the configure-allowed-address property must be set to false. The default value is true.
Note that the assigned data-link enables the snoop command to be used.
The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Administering Data-Links in Exclusive-IP Non-Global Zones for usage examples.
Inside a running exclusive-IP zone that is assigned its own set of data-links, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(1M) man page.
The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command.
global# zlogin zone1 ipadm show-addr ADDROBJ TYPE STATE ADDR lo0/v4 static ok 127.0.0.1/8 nge0/_b dhcp ok 10.134.62.47/24 lo0/v6 static ok ::1/128 nge0/_a addrconf ok fe80::2e0:81ff:fe5d:c630/10
The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is enabled as SMF service rds. By default, the service is disabled after installation. The service can be enabled within a given non-global zone by a zone administrator granted appropriate authorizations. After zlogin, rds can be enabled in each zone in which it is to run.
Example 16-1 How to Enable the rds Service in a Non-Global Zone
To enable RDSv3 service in an exclusive-IP or shared-IP zone, zlogin and execute the svcadm enable command:
# svcadm enable rds
Verify that rds is enabled:
# svcs rds STATE STIME FMRI online 22:50:53 svc:/system/rds:default
For more information, see the svcadm(1M) man page.
In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the superuser or user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone. IP address spoofing can be disabled by setting the allowed-address property. For the anet resource, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property.
The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.
Each zone has a ZFS dataset delegated to it by default. This default delegated dataset mimics the dataset layout of the default global zone dataset layout. A dataset called .../rpool/ROOT contains boot environments. This dataset should not be manipulated directly. The rpool dataset, which must exist, is mounted by default at .../rpool. The .../rpool/export, and .../rpool/export/home datasets are mounted at /export and /export/home. These non-global zone datasets have the same uses as the corresponding global zone datasets, and can be managed in the same way. The zone administrator can create additional datasets within the .../rpool, .../rpool/export, and .../rpool/export/home datasets.
You should not use the zfs command described in the zfs(1M) man page to create, delete, or rename file systems within the hierarchy that starts at the zone's rpool/ROOT file system. The zfs command can be used to set properties other than canmount, mountpoint, sharesmb, zoned, com.oracle.*:*, com.sun:*, and org.opensolaris.*.*..
Generally, the file systems mounted in a zone include the following:
The set of file systems mounted when the virtual platform is initialized
The set of file systems mounted from within the application environment itself
These sets can include, for example, the following file systems:
ZFS file systems with a mountpoint other than none or legacy that also have a value of yes for the canmount property.
File systems specified in a zone's /etc/vfstab file.
AutoFS and AutoFS-triggered mounts. autofs properties are set by using the sharectl described in sharectl(1M).
Mounts explicitly performed by a zone administrator
File system mounting permissions within a running zone are also defined by the zonecfg fs-allowed property. This property does not apply to file systems mounted into the zone by using the zonecfg add fs or add dataset resources. By default, only mounts of file systems within a zone's default delegated dataset, hsfs file systems, and network file systems such as NFS, are allowed within a zone.
Caution - Certain restrictions are placed on mounts other than the defaults performed from within the application environment. These restrictions prevent the zone administrator from denying service to the rest of the system, or otherwise negatively impacting other zones.
There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones for more information.
For more information about datasets, see the datasets(5) man page. For more information about BEs, see Creating and Administering Oracle Solaris 11.1 Boot Environments
It is not supported to mount a file system in a way that hides any file, symbolic link, or directory that is part of the zone's system image as described in the pkg(5) man page. For example, if there are no packages installed that deliver content into /usr/local, it is permissible to mount a file system at /usr/local. However, if any package, including legacy SVR4 packages, delivers a file, directory, or symbolic link into a path that begins with /usr/local, it is not supported to mount a file system at /usr/local. It is supported to temporarily mount a file system at /mnt.
Due to the order in which file systems are mounted in a zone, it is not possible to have an fs resource mount a file system at /export/filesys if /export comes from the zone's rpool/export dataset or another delegated dataset.
You can set a hostid property for the non-global zone that is different from the hostid of the global zone. This would be done, for example, in the case of a machine migrated into a zone on another system. Applications now inside the zone might depend on the original hostid. See Resource Types and Properties for more information.
The zonecfg command uses a rule-matching system to specify which devices should appear in a particular zone. Devices matching one of the rules are included in the zone's /dev file system. For more information, see How to Configure the Zone.
A removable loopback file lofi device, which works like a CD-ROM device, can be configured in a non-global zone. You can change the file that the device maps to and create multiple lofi devices to use the same file in readonly mode. This type of lofi device is created by using the lofiadm command with the -r option. A file name is not required at creation time. During the lifecycle of a removable lofi device, a file can be associated with an empty device, or dissociated from a device that is not empty. A file can be associated with multiple removable lofi devices safely at the same time. A removable lofi device is read-only. You cannot remap a file that has been mapped to either a normal read-write lofi device or to a removable lofi device. The number of potential lofi devices is limited by the zone.max-lofi resource control, which can be set by using zonecfg(1M) in the global zone.
Once created, a removable lofi device is read-only. The lofi driver will return an error on any write operation to a removable lofi device.
The lofiadm command is also used to list removable lofi devices.
Example 16-2 Create a Removable lofi Device With an Associated File
# lofiadm -r /path/to/file /dev/lofi/1
Example 16-3 Create an Empty Removable lofi Device
# lofiadm -r /dev/lofi/2
Example 16-4 Insert a File Into a Removable lofi Device
# lofiadm -r /path/to/file /dev/lofi/1 /dev/lofi/1
Delegation is only supported for solaris zones.
Disks must use the sd target as shown by using the prtconf command with the -D option. See prtconf(1M).
When a zone is booted, a default set of safe privileges is included in the configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:
Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.
Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.
Note - There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.
If you have configured resource pools on your system as described in Chapter 13, Creating and Administering Resource Pools (Tasks), you can use the pool property to associate the zone with one of the resource pools when you configure the zone.
If you do not have resource pools configured, you can still specify that a subset of the system's processors be dedicated to a non-global zone while it is running by using the dedicated-cpu resource. The system will dynamically create a temporary pool for use while the zone is running. With specification through zonecfg, pool settings propagate during migrations.
Note - A zone configuration using a persistent pool set through the pool property is incompatible with a temporary pool configured through the dedicated-cpu resource. You can set only one of these two properties.
The global administrator or a user with appropriate authorizations can set privileged zone-wide resource controls for a zone. Zone-wide resource controls limit the total resource usage of all process entities within a zone.
These limits are specified for both the global and non-global zones by using the zonecfg command. See How to Configure the Zone.
The preferred, simpler method for setting a zone-wide resource control is to use the property name or resource, such as capped-cpu, instead of the rctl resource, such as cpu-cap.
The zone.cpu-cap resource control sets an absolute limit on the amount of CPU resources that can be consumed by a zone. A value of 100 means 100 percent of one CPU as the setting. A value of 125 is 125 percent, because 100 percent corresponds to one full CPU on the system when using CPU caps.
Note - When setting the capped-cpu resource, you can use a decimal number for the unit. The value correlates to the zone.cpu-cap resource control, but the setting is scaled down by 100. A setting of 1 is equivalent to a setting of 100 for the resource control.
The zone.cpu-shares resource control sets a limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to the zone, and then further subdivided among projects within the zone as specified in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on an Oracle Solaris System With Zones Installed. The global property name for this control is cpu-shares.
The zone.max-locked-memory resource control limits the amount of locked physical memory available to a zone. The allocation of the locked memory resource across projects within the zone can be controlled by using the project.max-locked-memory resource control. See Table 6-1 for more information.
The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in one zone from affecting other zones. The allocation of the LWP resource across projects within the zone can be controlled by using the project.max-lwps resource control. See Table 6-1 for more information. The global property name for this control is max-lwps.
The zone.max-processes resource control enhances resource isolation by preventing a zone from using too many process table slots and thus affecting other zones. The allocation of the process table slots resource across projects within the zone can be set by using the project.max-processes resource control described in Available Resource Controls. The global property name for this control is max-processes. The zone.max-processes resource control can also encompass the zone.max-lwps resource control. If zone.max-processes is set and zone.max-lwps is not set, then zone.max-lwps is implicitly set to 10 times the zone.max-processes value when the zone is booted. Note that because both normal processes and zombie processes take up process table slots, the max-processes control thus protects against zombies exhausting the process table. Because zombie processes do not have any LWPs by definition, the max-lwps cannot protect against this possibility.
The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by all processes within a zone. The allocation of System V resources across projects within the zone can be controlled by using the project versions of these resource controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.
The zone.max-swap resource control limits swap consumed by user process address space mappings and tmpfs mounts within a zone. The output of prstat -Z displays a SWAP column. The swap reported is the total swap consumed by the zone's processes and tmpfs mounts. This value assists in monitoring the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting.
Table 16-1 Zone-Wide Resource Controls
These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted.
You can add a comment for a zone by using the attr resource type. For more information, see How to Configure the Zone.