JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Oracle Solaris Resource Management

1.  Introduction to Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

Part II Oracle Solaris Zones

15.  Introduction to Oracle Solaris Zones

16.  Non-Global Zone Configuration (Overview)

About Resources in Zones

Using Rights Profiles and Roles in Zone Administration

Pre-Installation Configuration Process

Zone Components

Zone Name and Path

Zone Autoboot

file-mac-profile Property for Read-Only Root Zone

admin Resource

dedicated-cpu Resource

capped-cpu Resource

Scheduling Class

Physical Memory Control and the capped-memory Resource

rootzpool Resource

Adding a zpool Resource Automatically

Zone Network Interfaces

About Data-Links

Shared-IP Non-Global Zones

Exclusive-IP Non-Global Zones

Reliable Datagram Sockets Support in Non-Global Zones

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

File Systems Mounted in Zones

File System Mounts and Updating

Host ID in Zones

/dev File System in Non-Global Zones

Removable lofi Device in Non-Global Zones

Disk Format Support in Non-Global Zones

Configurable Privileges

Resource Pool Association

Setting Zone-Wide Resource Controls

Including a Comment for a Zone

Using the zonecfg Command

zonecfg Modes

zonecfg Interactive Mode

zonecfg Command-File Mode

Zone Configuration Data

Resource Types and Properties

Resource Type Properties

Example Zone Configurations

Tecla Command-Line Editing Library

17.  Planning and Configuring Non-Global Zones (Tasks)

18.  About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)

19.  Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

20.  Non-Global Zone Login (Overview)

21.  Logging In to Non-Global Zones (Tasks)

22.  About Zone Migrations and the zonep2vchk Tool

23.  Migrating Oracle Solaris Systems and Migrating Non-Global Zones (Tasks)

24.  About Automatic Installation and Packages on an Oracle Solaris 11.1 System With Zones Installed

25.  Oracle Solaris Zones Administration (Overview)

26.  Administering Oracle Solaris Zones (Tasks)

27.  Configuring and Administering Immutable Zones

28.  Troubleshooting Miscellaneous Oracle Solaris Zones Problems

Part III Oracle Solaris 10 Zones

29.  Introduction to Oracle Solaris 10 Zones

30.  Assessing an Oracle Solaris 10 System and Creating an Archive

31.  (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone

32.  Configuring the solaris10 Branded Zone

33.  Installing the solaris10 Branded Zone

34.  Booting a Zone, Logging in, and Zone Migration

Glossary

Index

Zone Components

This section covers the required and optional zone components that can be configured. Only the zone name and zone path are required. Additional information is provided in Zone Configuration Data.

Zone Name and Path

You must choose a name and a path for your zone. The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that the parent directory of the zone path must also be a dataset.

Zone Autoboot

The autoboot property setting determines whether the zone is automatically booted when the global zone is booted. The zones service, svc:/system/zones:default must also be enabled.

file-mac-profile Property for Read-Only Root Zone

In solaris zones, the file-mac-profile is used to configure zones with read-only roots.

For more information, see Chapter 27, Configuring and Administering Immutable Zones.

admin Resource

The admin setting allows you to set zone administration authorization. The preferred method for defining authorizations is through the zonecfg command.

user

Specify the user name.

auths

Specify the authorizations for the user name.

solaris.zone.login

If RBAC is in use, the authorization solaris.zone.login/zonename is required for interactive logins. Password authentication takes place in the zone.

solaris.zone.manage

If RBAC is in use, for non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.

solaris.zone.clonefrom

If RBAC is in use, subcommands that make a copy of another zone require the authorization, solaris.zone.clonefrom/source_zone.

dedicated-cpu Resource

The dedicated-cpu resource specifies that a subset of the system's processors should be dedicated to a non-global zone while it is running. When the zone boots, the system will dynamically create a temporary pool for use while the zone is running.

With specification in zonecfg, pool settings propagate during migrations.

The dedicated-cpu resource sets limits for ncpus, and optionally, importance.

ncpus

Specify the number of CPUs or specify a range, such as 2–4 CPUs. If you specify a range because you want dynamic resource pool behavior, also do the following:

importance

If you are using a CPU range to achieve dynamic behavior, also set the importance property, The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, then importance is ignored. If poold is running and importance is not set, importance defaults to 1. For more information, see pool.importance Property Constraint.


Note - The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl and the dedicated-cpu resource are incompatible.


capped-cpu Resource

The capped-cpu resource provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone. When used in conjunction with processor sets, CPU caps limit CPU usage within a set. The capped-cpu resource has a single ncpus property that is a positive decimal with two digits to the right of the decimal. This property corresponds to units of CPUs. The resource does not accept a range. The resource does accept a decimal number. When specifying ncpus, a value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system.


Note - The capped-cpu resource and the dedicated-cpu resource are incompatible.


Scheduling Class

You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among zones, based on their importance. This importance is expressed by the number of shares of CPU resources that you assign to each zone. Even if you are not using FSS to manage CPU resource allocation between zones, you can set the zone's scheduling-class to use FSS so that you can set shares on projects within the zone.

When you explicitly set the cpu-shares property, the fair share scheduler (FSS) will be used as the scheduling class for that zone. However, the preferred way to use FSS in this case is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources. If cpu-shares is not set for a zone, the zone will use the system default scheduling class. The following actions set the scheduling class for a zone:

Note that you can use the priocntl described in the priocntl(1) man page to move running processes into a different scheduling class without changing the default scheduling class and rebooting.

Physical Memory Control and the capped-memory Resource

The capped-memory resource sets limits for physical, swap, and locked memory. Each limit is optional, but at least one must be set. To use the capped-memory resource, the resource-cap package must be installed in the global zone.


Note - Applications generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone's applications are known to lock memory. If zone trust is a concern, you can also consider setting the locked memory cap to 10 percent of the system's physical memory, or 10 percent of the zone's physical memory cap.


For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone. To temporarily set a resource cap for a zone, see How to Specify a Temporary Resource Cap for a Zone.

rootzpool Resource

The optional rootzpool resource in the zonecfg utility is used to create a dedicated ZFS zpool for zone installation. The zone root ZFS zpool can be hosted on shared storage devices defined by one or more Universal Resource Identifiers (URIs). The required storage property identifies the storage object URI to contain the root zfs file system for a zone. Only one rootzpool can be defined for a given zone. The storage is automatically configured for the zone when the zone is booted.

The corresponding zpools are automatically created or imported during zone installation or zone attach operations. When the zone is uninstalled or detached, the following actions take place:

In order to reuse a pre-created zpool for a zone installation, the zpool must be exported from the system.

The zones framework supports the following URI types:

The suriadm tool is used to administer shared objects based on storage URIs. For information about IDs, the Name Address Authority (NAA), and obtaining URIs for existing storage objects, see the suriadm(1M) and suri(5) man pages.

The system names the newly created or imported rootzpool for its associated zone. The assigned name has the form zonename_rpool.

The storage property is managed using the following commands from inside the rootzpool resource scope:

Adding a zpool Resource Automatically

A zpool can be delegated to a non-global zone by configuring the optional zpool resource in the zonecfg utility. The zpool is automatically configured for the zone when it is booted.

The corresponding zpools are automatically created or imported during zone installation or zone attach operations.

When the zone is uninstalled or detached, the following actions take place:

The required storage property identifies the storage object URI associated with this resource.

The storage property is managed using the following settings in the zpool resource scope:

The name property is mandatory for the zpool resource. The property is used in the name for a zpool delegated to the zone. The ZFS file system name component cannot contain a forward slash (/).

The assigned name of the newly created or imported zpool has the form zonename_name. This is the zpool name visible inside the non-global zone.


Note - A zone installation can fail when a storage object contains preexisting partitions, zpools, or UFS file systems. For more information, see Step 4 in How to Install a Configured Zone.


Zone Network Interfaces

Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.

The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.

There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive IP is the default IP type. A shared-IP zone shares a network interface with the global zone. Configuration in the global zone must be done by the ipadm utility to use shared-IP zones. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured using the anet resource, a dedicated VNIC is automatically created and assigned to that zone. By using the automated anet resource, the requirement to create and configure data-links in the global zone and assign the data-links to non-global zones is eliminated. Use the anet resource to accomplish the following:

For backward compatibility, preconfigured data-links can be assigned to non-global zones.

For information about IP features in each type, see Networking in Shared-IP Non-Global Zones and Networking in Exclusive-IP Non-Global Zones.


Note - The link protection is described in Chapter 20, Using Link Protection in Virtualized Environments, in Oracle Solaris Administration: Network Interfaces and Network Virtualization can be used on a system running zones. This functionality is configured in the global zone.


About Data-Links

A data-link is an interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A data-link is also referred to as a physical interface, for example, a Network Interface Card (NIC). The data-link is the physical property configured by using zonecfg(1M). The physical property can be a VNIC, as described in Part III, Network Virtualization and Resource Management, in Oracle Solaris Administration: Network Interfaces and Network Virtualization.

Example data-links are physical interfaces such as e1000g0 and bge1, NICs such as bge3, aggregations such as aggr1, aggr2, or VLAN-tagged interfaces such as e1000g123000 and bge234003 (as VLAN 123 on e1000g0 and VLAN 234 on bge3, respectively).

For information about using IP over Infiniband (IPoIB), see the anet description in Resource Type Properties.

Shared-IP Non-Global Zones

A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:

Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.

In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.

To use the shared-IP type networking configuration in the global zone, you must use ipadm, not automatic network configuration. To determine whether networking configuration is being done by ipadm, run the following command. The response displayed must be DefaultFixed.

# svcprop -p netcfg/active_ncp svc:/network/physical:default
DefaultFixed

The IP addresses assigned to shared-IP zones are associated with logical network interfaces.

The ipadm command can be used from the global zone to assign or remove logical interfaces in a running zone.

To add interfaces, use the following command:

global# ipadm set-addrprop -p zone=my-zone net0/addr1

To remove interfaces, use one of the following commands:

global# ipadm set-addrprop -p zone=global net0/addr

or:

global# ipadm reset-addrprop -p zone net0/addr1 

For more information, see Shared-IP Network Interfaces.

Exclusive-IP Non-Global Zones

Exclusive-IP is the default networking configuration for non-global zones.

An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.

The following features can be used in an exclusive-IP zone:

There are two ways to configure exclusive-IP zones:

By default, an exclusive-IP zone can configure and use any IP address on the associated interface. Optionally, a comma separated list of IP addresses can be specified using the allowed-address property. The exclusive-IP zone cannot use IP addresses that are not in the allowed-address list. Moreover, all the addresses in the allowed-address list will automatically be persistently configured for the exclusive-IP zone when the zone is booted. If this interface configuration is not wanted, then the configure-allowed-address property must be set to false. The default value is true.

Note that the assigned data-link enables the snoop command to be used.

The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Administering Data-Links in Exclusive-IP Non-Global Zones for usage examples.

Inside a running exclusive-IP zone that is assigned its own set of data-links, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(1M) man page.

The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command.

global# zlogin zone1 ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
nge0/_b           dhcp     ok           10.134.62.47/24
lo0/v6            static   ok           ::1/128
nge0/_a           addrconf ok           fe80::2e0:81ff:fe5d:c630/10

Reliable Datagram Sockets Support in Non-Global Zones

The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is enabled as SMF service rds. By default, the service is disabled after installation. The service can be enabled within a given non-global zone by a zone administrator granted appropriate authorizations. After zlogin, rds can be enabled in each zone in which it is to run.

Example 16-1 How to Enable the rds Service in a Non-Global Zone

  1. To enable RDSv3 service in an exclusive-IP or shared-IP zone, zlogin and execute the svcadm enable command:

    # svcadm enable rds
  2. Verify that rds is enabled:

    # svcs rds
        STATE          STIME    FMRI
        online         22:50:53 svc:/system/rds:default

For more information, see the svcadm(1M) man page.

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.

For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the superuser or user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone. IP address spoofing can be disabled by setting the allowed-address property. For the anet resource, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property.

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.

File Systems Mounted in Zones

Each zone has a ZFS dataset delegated to it by default. This default delegated dataset mimics the dataset layout of the default global zone dataset layout. A dataset called .../rpool/ROOT contains boot environments. This dataset should not be manipulated directly. The rpool dataset, which must exist, is mounted by default at .../rpool. The .../rpool/export, and .../rpool/export/home datasets are mounted at /export and /export/home. These non-global zone datasets have the same uses as the corresponding global zone datasets, and can be managed in the same way. The zone administrator can create additional datasets within the .../rpool, .../rpool/export, and .../rpool/export/home datasets.

You should not use the zfs command described in the zfs(1M) man page to create, delete, or rename file systems within the hierarchy that starts at the zone's rpool/ROOT file system. The zfs command can be used to set properties other than canmount, mountpoint, sharesmb, zoned, com.oracle.*:*, com.sun:*, and org.opensolaris.*.*..

Generally, the file systems mounted in a zone include the following:

These sets can include, for example, the following file systems:

There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones for more information.

For more information about datasets, see the datasets(5) man page. For more information about BEs, see Creating and Administering Oracle Solaris 11.1 Boot Environments

File System Mounts and Updating

It is not supported to mount a file system in a way that hides any file, symbolic link, or directory that is part of the zone's system image as described in the pkg(5) man page. For example, if there are no packages installed that deliver content into /usr/local, it is permissible to mount a file system at /usr/local. However, if any package, including legacy SVR4 packages, delivers a file, directory, or symbolic link into a path that begins with /usr/local, it is not supported to mount a file system at /usr/local. It is supported to temporarily mount a file system at /mnt.

Due to the order in which file systems are mounted in a zone, it is not possible to have an fs resource mount a file system at /export/filesys if /export comes from the zone's rpool/export dataset or another delegated dataset.

Host ID in Zones

You can set a hostid property for the non-global zone that is different from the hostid of the global zone. This would be done, for example, in the case of a machine migrated into a zone on another system. Applications now inside the zone might depend on the original hostid. See Resource Types and Properties for more information.

/dev File System in Non-Global Zones

The zonecfg command uses a rule-matching system to specify which devices should appear in a particular zone. Devices matching one of the rules are included in the zone's /dev file system. For more information, see How to Configure the Zone.

Removable lofi Device in Non-Global Zones

A removable loopback file lofi device, which works like a CD-ROM device, can be configured in a non-global zone. You can change the file that the device maps to and create multiple lofi devices to use the same file in readonly mode. This type of lofi device is created by using the lofiadm command with the -r option. A file name is not required at creation time. During the lifecycle of a removable lofi device, a file can be associated with an empty device, or dissociated from a device that is not empty. A file can be associated with multiple removable lofi devices safely at the same time. A removable lofi device is read-only. You cannot remap a file that has been mapped to either a normal read-write lofi device or to a removable lofi device. The number of potential lofi devices is limited by the zone.max-lofi resource control, which can be set by using zonecfg(1M) in the global zone.

Once created, a removable lofi device is read-only. The lofi driver will return an error on any write operation to a removable lofi device.

The lofiadm command is also used to list removable lofi devices.

Example 16-2 Create a Removable lofi Device With an Associated File

# lofiadm -r /path/to/file 
/dev/lofi/1

Example 16-3 Create an Empty Removable lofi Device

# lofiadm -r 
/dev/lofi/2

Example 16-4 Insert a File Into a Removable lofi Device

# lofiadm -r /path/to/file /dev/lofi/1
/dev/lofi/1

For more information, see the lofiadm(1M), zonecfg(1M), and lofi(7D) man pages. Also see Zone-Wide Resource Controls.

Disk Format Support in Non-Global Zones

Disk partitioning and use of the uscsi command are enabled through the zonecfg tool. See device in Resource Type Properties for an example. For more information on the uscsi command, see uscsi(7I).

Configurable Privileges

When a zone is booted, a default set of safe privileges is included in the configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:


Note - There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.


For more information, see Privileges in a Non-Global Zone, How to Configure the Zone, and privileges(5).

Resource Pool Association

If you have configured resource pools on your system as described in Chapter 13, Creating and Administering Resource Pools (Tasks), you can use the pool property to associate the zone with one of the resource pools when you configure the zone.

If you do not have resource pools configured, you can still specify that a subset of the system's processors be dedicated to a non-global zone while it is running by using the dedicated-cpu resource. The system will dynamically create a temporary pool for use while the zone is running. With specification through zonecfg, pool settings propagate during migrations.


Note - A zone configuration using a persistent pool set through the pool property is incompatible with a temporary pool configured through the dedicated-cpu resource. You can set only one of these two properties.


Setting Zone-Wide Resource Controls

The global administrator or a user with appropriate authorizations can set privileged zone-wide resource controls for a zone. Zone-wide resource controls limit the total resource usage of all process entities within a zone.

These limits are specified for both the global and non-global zones by using the zonecfg command. See How to Configure the Zone.

The preferred, simpler method for setting a zone-wide resource control is to use the property name or resource, such as capped-cpu, instead of the rctl resource, such as cpu-cap.

The zone.cpu-cap resource control sets an absolute limit on the amount of CPU resources that can be consumed by a zone. A value of 100 means 100 percent of one CPU as the setting. A value of 125 is 125 percent, because 100 percent corresponds to one full CPU on the system when using CPU caps.


Note - When setting the capped-cpu resource, you can use a decimal number for the unit. The value correlates to the zone.cpu-cap resource control, but the setting is scaled down by 100. A setting of 1 is equivalent to a setting of 100 for the resource control.


The zone.cpu-shares resource control sets a limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to the zone, and then further subdivided among projects within the zone as specified in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on an Oracle Solaris System With Zones Installed. The global property name for this control is cpu-shares.

The zone.max-locked-memory resource control limits the amount of locked physical memory available to a zone. The allocation of the locked memory resource across projects within the zone can be controlled by using the project.max-locked-memory resource control. See Table 6-1 for more information.

The zone.max-lofi resource control limits the number of potential lofi devices that can be created by a zone.

The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in one zone from affecting other zones. The allocation of the LWP resource across projects within the zone can be controlled by using the project.max-lwps resource control. See Table 6-1 for more information. The global property name for this control is max-lwps.

The zone.max-processes resource control enhances resource isolation by preventing a zone from using too many process table slots and thus affecting other zones. The allocation of the process table slots resource across projects within the zone can be set by using the project.max-processes resource control described in Available Resource Controls. The global property name for this control is max-processes. The zone.max-processes resource control can also encompass the zone.max-lwps resource control. If zone.max-processes is set and zone.max-lwps is not set, then zone.max-lwps is implicitly set to 10 times the zone.max-processes value when the zone is booted. Note that because both normal processes and zombie processes take up process table slots, the max-processes control thus protects against zombies exhausting the process table. Because zombie processes do not have any LWPs by definition, the max-lwps cannot protect against this possibility.

The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by all processes within a zone. The allocation of System V resources across projects within the zone can be controlled by using the project versions of these resource controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.

The zone.max-swap resource control limits swap consumed by user process address space mappings and tmpfs mounts within a zone. The output of prstat -Z displays a SWAP column. The swap reported is the total swap consumed by the zone's processes and tmpfs mounts. This value assists in monitoring the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting.

Table 16-1 Zone-Wide Resource Controls

Control Name
Global Property Name
Description
Default Unit
Value Used For
zone.cpu-cap
Absolute limit on the amount of CPU resources for this zone
Quantity (number of CPUs), expressed as a percentage

Note - When setting as the capped-cpu resource, you can use a decimal number for the unit.


zone.cpu-shares
cpu-shares
Number of fair share scheduler (FSS) CPU shares for this zone
Quantity (shares)
zone.max-locked-memory
Total amount of physical locked memory available to a zone.

If priv_proc_lock_memory is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory.

Size (bytes)
locked property of capped-memory
zone.max-lofi
max-lofi
Limit on the number of potential lofi devices that can be created by a zone
Quantity (number of lofi devices)
zone.max-lwps
max-lwps
Maximum number of LWPs simultaneously available to this zone
Quantity (LWPs)
zone.max-msg-ids
max-msg-ids
Maximum number of message queue IDs allowed for this zone
Quantity (message queue IDs)
zone.max-processes
max-processes
Maximum number of process table slots simultaneously available to this zone
Quantity (process table slots)
zone.max-sem-ids
max-sem-ids
Maximum number of semaphore IDs allowed for this zone
Quantity (semaphore IDs)
zone.max-shm-ids
max-shm-ids
Maximum number of shared memory IDs allowed for this zone
Quantity (shared memory IDs)
zone.max-shm-memory
max-shm-memory
Total amount of System V shared memory allowed for this zone
Size (bytes)
zone.max-swap
Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone.
Size (bytes)
swap property of capped-memory

These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted.

Including a Comment for a Zone

You can add a comment for a zone by using the attr resource type. For more information, see How to Configure the Zone.