Introduction to Oracle® Solaris Zones

Updated: December 2014

Resource Type Properties

Resources also have properties to configure. The following properties are associated with the resource types shown.

admin

Define the user name and the authorizations for that user for a given zone.

zonecfg:my-zone> add admin
zonecfg:my-zone:admin> set user=zadmin
zonecfg:my-zone:admin> set auths=login,manage
zonecfg:my-zone:admin> end

The following values can be used for the auths property:

  • login (solaris.zone.login)

  • manage (solaris.zone.manage)

  • clone (solaris.zone.clonefrom)

Note that these auths do not enable you to create a zone. This capability is included in the Zone Security profile.

solaris and solaris10 Only: rootzpool

storage

Identify the storage object URI to provide a dedicated ZFS zpool for zone installation. For information on URIs and the allowed values for storage, see solaris and solaris10 Only: rootzpool Resource. During zone installation, the zpool is automatically created, or a pre-created zpool is imported. The name my-zone_rpool is assigned.

zonecfg:my-zone> add rootzpool
zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t1d0
zonecfg:my-zone:rootzpool> end

You can add an additional storage property if you are creating a mirrored configuration:

add storage dev:dsk/c4t1d0
add storage dev:dsk/c4t3d0

Only one rootzpool resource can be configured for a zone.

solaris and solaris10 Only: zpool

storage, name

Define one or more storage object URIs to delegate a zpool to the zone. For information on URIs and the allowed values for the storage property, see solaris and solaris10 Only: rootzpool Resource. The allowed values for the name property are defined in the zpool(1M) man page.

In this example, a zpool storage resource is delegated to the zone. The zpool is automatically created, or a previously created zpool is imported during installation. The name of the zpool is my-zone_pool1.

zonecfg:my-zone> add zpool
zonecfg:my-zone:zpool> set name=pool1
zonecfg:my-zone:zpool> add storage dev:dsk/c4t2d0
zonecfg:my-zone:zpool> add storage dev:dsk/c4t4d0
zonecfg:my-zone:zpool> end

A zone configuration can have one or more zpool resources.

dedicated-cpu

ncpus, importance, cores, cpus, sockets

Specify the number of CPUs and, optionally, the relative importance of the pool. The following example specifies a CPU range for use by the zone my-zone. importance is also set.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-3
zonecfg:my-zone:dedicated-cpu> set importance=2
zonecfg:my-zone:dedicated-cpu> end

Persistently assign cores 0, 1, 2, and 3 to the zone my-zone. The following dedicated-cpu example uses cores, but cpus=, cores=, and sockets= can all be used.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set cores=0-3
zonecfg:my-zone:dedicated-cpu> end

virtual-cpu

ncpus

Specify the number of CPUs. The following example specifies 3 CPUs for the zone my-zone.

zonecfg:my-zone> add virtual-cpu
zonecfg:my-zone:virtual-cpu> set ncpus=3
zonecfg:my-zone:virtual-cpu> end

capped-cpu

ncpus

Specify the number of CPUs. The following example specifies a CPU cap of 3.5 CPUs for the zone my-zone.

zonecfg:my-zone> add capped-cpu
zonecfg:my-zone:capped-cpu> set ncpus=3.5
zonecfg:my-zone:capped-cpu> end

capped-memory

physical, swap, locked

Specify the memory limits for the zone my-zone. Each limit is optional, but at least one must be set.

zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=100m
zonecfg:my-zone:capped-memory> set locked=30m
zonecfg:my-zone:capped-memory> end

To use the capped-memory resource, the resource-cap package must be installed in the global zone.

fs

dir, special, raw, type, options

The fs resource parameters supply the values that determine how and where to mount file systems. The fs parameters are defined as follows:

dir

Specifies the mount point for the file system

special

Specifies the block special device name or directory from the global zone to mount

raw

Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)

type

Specifies the file system type

options

Specifies mount options similar to those found with the mount command

The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type to use is ZFS.

zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/shared/fs1
zonecfg:my-zone:fs> set special=pool1/fs1
zonecfg:my-zone:fs> set type=zfs
zonecfg:my-zone:fs> end

For more information on parameters, see The -o nosuid Option in Creating and Using Oracle Solaris Zones, Security Restrictions and File System Behavior in Creating and Using Oracle Solaris Zones, and the fsck(1M) and mount(1M) man pages. Also note that section 1M man pages are available for mount options that are unique to a specific file system. The names of these man pages have the form mount_filesystem.


Note - The quota command documented in quota(1M) cannot be used to retrieve quota information for UFS file systems added through this resource.

dataset

name, alias

The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.

zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> end

A delegated dataset can have a non-default alias as shown in the following example. Note that a dataset alias cannot contain a forward slash (/).

zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> set alias=data
zonecfg:my-zone:dataset> end

To revert to the default alias, use clear alias.

zonecfg:my-zone:dataset> clear alias

anet

linkname, lower-link, allowed-address, auto-mac-address, configure-allowed-address, defrouter, linkmode (IPoIB), mac-address (non-IPoIB), mac-slot (non-IPoIB), mac-prefix (non-IPoIB), mtu, maxbw, pkey (IPoIB), priority, vlan-id (non-IPoIB), rxfanout, rxrings, txrings, link-protection, allowed-dhcp-cids

solaris Only: Do not set the following anet properties for IPoIB data-links in zonecfg.

  • mac-address

  • mac-prefix

  • mac-slot

  • vlan-id

Do not set the following anet properties for non-IPoIB data-links in zonecfg.

  • linkmode

  • pkey

Set only the following properties for an EVS anet resource:

  • linkname

  • evs

  • vport

  • configure-allowed-address

The anet resource creates an automatic VNIC interface or an IPoIB interface when the zone boots, and deletes the VNIC or IPoIB interface when the zone halts. Note that the solaris-kz brand does not support IPoIB. The resource properties are managed through the zonecfg command. See the zonecfg(1M) man page for the complete text on properties available.

lower-link

Specifies the underlying link for the link to be created. When set to auto, the zoneadmd daemon automatically chooses the link over which the VNIC is created each time the zone boots. You can specify any link on which you can create a VNIC as the lower-link for an anet resource.

All IPoIB links are skipped when selecting the data-link for creating the VNIC automatically during boot.

linkname

Specify a name for the automatically created VNIC interface or IPoIB interface. Note that solaris-kz does not support IPoIB.

mac-address (not for IPoIB)

Set the VNIC MAC address based on the specified value or keyword. If the value is not a keyword, it is interpreted as a unicast MAC address. See the zonecfg(1M) man page for supported keywords. If a random MAC address is selected, the generated address is preserved across zone boots, and zone detach and attach operations. When the default policy auto-mac-address is used, Oracle Solaris Zones can obtain a random mac-address.

pkey (IPoIB only)

Set the partition key to be used for creating the IPoIB data-link interface. This property is mandatory. The specified pkey is always treated as hexadecimal, whether or not it has the 0x prefix.

linkmode (IPoIB only)

Sets the linkmode for the data-link interface. The default value is cm. Valid values are:

cm (the default)

Connected Mode. This mode uses a default MTU of 65520 bytes and supports a maximum MTU of 65535 bytes.

ud

Unreliable Datagram Mode. If Connected Mode is not available for a remote node, Unreliable Datagram mode is automatically used instead. This mode uses a default MTU of 2044 and supports a maximum MTU of 4092 bytes.

allowed-address

Configure an IP address for the exclusive-IP zone and also limit the set of configurable IP addresses that can be used by an exclusive-IP zone. To specify multiple addresses, use a list of comma-separated IP addresses.

defrouter

The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.

Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

When the zonecfg command creates a zone using the SYSdefault template, an anet resource with the following properties is automatically included in the zone configuration if no other IP resources are set. The linkname is automatically created over the physical Ethernet link and set to the first available name of the form netN, for example net0. To change the default values, use the zonecfg command.

When the default policy auto is used, an appropriate mac-address is assigned:

Oracle Solaris Zone

random mac-address

Oracle Solaris Kernel Zone

random mac-address

Oracle Solaris Zone under kernel zone

factory mac-address

Oracle VM Server for SPARC guest domain

factory mac-address

Oracle Solaris Kernel Zone running on Oracle VM Server for SPARC guest domain

factory mac-address

The default policy creates an automatic VNIC over the physical Ethernet link, for example, net0, and assigns the MAC address to the VNIC. The optional lower-link property is set to the underlying link, vnic1, over which the automatic VNIC is to be created. VNIC properties such as the link name, underlying physical link, MAC address, bandwidth limit, as well as other VNIC properties, can be specified by using the zonecfg command. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=net0
zonecfg:my-zone:anet> set lower-link=auto
zonecfg:my-zone:anet> set mac-address=random
zonecfg:my-zone:anet> set link-protection=mac-nospoof
zonecfg:my-zone:anet> end

The following example shows a solaris brand zone configured with an IPoIB data-link interface over the physical link net5 with the IB partition key 0xffff:

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=ib0
zonecfg:my-zone:anet> set lower-link=net5
zonecfg:my-zone:anet> set pkey=0xffff
zonecfg:my-zone:anet> end

For more information on properties, see the zonecfg(1M) man page. For additional information on the link properties, see the dladm(1M) man page.
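The rules stated in the rootzpool, capped-memory, dataset and anet sections above (one rootzpool per zone, at least one memory limit, no slash in a dataset alias, IPoIB and non-IPoIB property sets that must not be mixed, ip-type=exclusive for anet) can be checked before a configuration is handed to zonecfg. The following Python script is an added example, not Oracle's code or part of this documentation: it lints a list of resources against those rules and renders the same add/set/end lines as a command file for `zonecfg -z my-zone -f file`; the sample resources are constructed from the examples on this page, and the script assumes the zone configuration already exists in zonecfg.

```python
# Lint zonecfg resources against the rules stated on this page and render them
# as a command file for `zonecfg -z my-zone -f file`. Added example, not
# Oracle's code; assumes the zone configuration already exists in zonecfg.
IPOIB_ONLY = {"pkey", "linkmode"}                     # IPoIB data-links only
NON_IPOIB_ONLY = {"mac-address", "mac-prefix", "mac-slot", "vlan-id"}
MEMORY_LIMITS = {"physical", "swap", "locked"}

def lint(ip_type, resources):
    """resources: [(resource_type, {property: value})]. Returns rule violations."""
    errors = []
    if sum(rtype == "rootzpool" for rtype, _ in resources) > 1:
        errors.append("only one rootzpool resource is allowed per zone")
    for rtype, props in resources:
        keys = set(props)
        if rtype == "capped-memory" and not keys & MEMORY_LIMITS:
            errors.append("capped-memory needs at least one of physical/swap/locked")
        elif rtype == "dataset" and "/" in props.get("alias", ""):
            errors.append("dataset alias %r must not contain a slash" % props["alias"])
        elif rtype == "anet":
            if ip_type != "exclusive":
                errors.append("anet requires ip-type=exclusive")
            # pkey is mandatory for IPoIB, so its presence identifies the link type
            clash = keys & (NON_IPOIB_ONLY if "pkey" in props else IPOIB_ONLY)
            if clash:
                errors.append("anet %s: %s not valid for this link type"
                              % (props.get("linkname", "?"), ", ".join(sorted(clash))))
    return errors

def render(ip_type, resources):
    """Command-file text for the resources; refuses a configuration that fails lint()."""
    errors = lint(ip_type, resources)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["set ip-type=%s" % ip_type]
    for rtype, props in resources:
        lines.append("add %s" % rtype)
        for key, value in props.items():
            if isinstance(value, (list, tuple)):      # multi-valued, e.g. storage URIs
                lines.extend("add %s %s" % (key, v) for v in value)
            else:
                lines.append("set %s=%s" % (key, value))
        lines.append("end")
    return "\n".join(lines) + "\n"

# Constructed sample from the page's examples: mirrored rootzpool, VNIC anet
# with MAC spoofing protection, and a capped-memory resource.
SAMPLE = [("rootzpool", {"storage": ["dev:dsk/c4t1d0", "dev:dsk/c4t3d0"]}),
          ("anet", {"linkname": "net0", "lower-link": "auto",
                    "mac-address": "random", "link-protection": "mac-nospoof"}),
          ("capped-memory", {"physical": "50m", "locked": "30m"})]
```

Calling `render("exclusive", SAMPLE)` produces the command file; a configuration that breaks one of the rules raises ValueError with every violation listed.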

net

address, allowed-address, physical, defrouter


Note - For a shared-IP zone, both the IP address and the physical device must be specified. Optionally, the default router can be set.

For an exclusive-IP zone, only the physical interface must be specified.

  • The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.

  • The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks.

  • Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

  • Traffic from a zone with a default router will go out to the router before coming back to the destination zone.

When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.


In the following example for a shared-IP zone, the physical interface nge0 is added to the zone with an IP address of 192.168.0.1. To list the network interfaces on the system, type:

global# ipadm show-if -po ifname,class,active,persistent
lo0:loopback:yes:46--
nge0:ip:yes:----

Each line of the output, other than the loopback lines, will have the name of a network interface. Lines that contain loopback in the descriptions do not apply to cards. The 46 persistent flags indicate that the interface is configured persistently in the global zone. The yes active value indicates that the interface is currently configured, and the class value of ip indicates that nge0 is a non-loopback interface. The default route is set to 10.0.0.1 for the zone. Setting the defrouter property is optional. Note that ip-type=shared is required.

zonecfg:my-zone> set ip-type=shared
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=nge0
zonecfg:my-zone:net> set address=192.168.0.1
zonecfg:my-zone:net> set defrouter=10.0.0.1
zonecfg:my-zone:net> end

In the following example for an exclusive-IP zone, a VNIC is used for the physical interface, which is a VLAN. To determine which data-links are available, use the command dladm show-link. The allowed-address property constrains the IP addresses that the zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:my-zone:net> set allowed-address=10.1.1.32/24
zonecfg:my-zone:net> set physical=vnic1
zonecfg:my-zone:net> set defrouter=10.1.1.1
zonecfg:my-zone:net> end

Only the physical device type will be specified in the add net step. The physical property can be a VNIC.


Note - The Oracle Solaris operating system supports all Ethernet-type interfaces, and their data-links can be administered with the dladm command.

device

match, allow-partition, allow-raw-io

The device name to match can be a pattern to match or an absolute path. Both allow-partition and allow-raw-io can be set to true or false. The default is false. allow-partition enables partitioning. allow-raw-io enables uscsi. For more information on these resources, see zonecfg(1M).

Restrictions on what can be specified in the device:match resource property for solaris-kz zones include the following:

  • Only one resource is allowed per LUN.

  • Slices and partitions are not supported.

  • Support is only provided for raw disk devices.

  • The supported device paths are lofi, ramdisk, dsk, and zvols.

In the following example, uscsi operations on a disk device are included in a solaris zone configuration.

zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/*dsk/cXtYdZ*
zonecfg:my-zone:device> set allow-raw-io=true
zonecfg:my-zone:device> end

Veritas volume manager devices are delegated to a non-global zone by using add device.

In the following example, a storage device is added to a solaris-kz zone:

zonecfg:my-zone> add device
zonecfg:my-zone:device> set storage=iscsi:///luname.naa.600144f03d70c80000004ea57da10001
zonecfg:my-zone:device> set bootpri=0
zonecfg:my-zone:device> end

rctl

name, value

The following zone-wide resource controls are available.

  • zone.cpu-cap

  • zone.cpu-shares (preferred: cpu-shares)

  • zone.max-locked-memory

  • zone.max-lofi

  • zone.max-lwps (preferred: max-lwps)

  • zone.max-msg-ids (preferred: max-msg-ids)

  • zone.max-processes (preferred: max-processes)

  • zone.max-sem-ids (preferred: max-sem-ids)

  • zone.max-shm-ids (preferred: max-shm-ids)

  • zone.max-shm-memory (preferred: max-shm-memory)

  • zone.max-swap

Note that the preferred, simpler method for setting a zone-wide resource control is to use the property name instead of the rctl resource, as shown in How to Configure the Zone in Creating and Using Oracle Solaris Zones. If zone-wide resource control entries in a zone are configured using add rctl, the format is different than resource control entries in the project database. In a zone configuration, the rctl resource type consists of three name/value pairs. The names are priv, limit, and action. Each of the names takes a simple value.

zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-lwps
zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny)
zonecfg:my-zone:rctl> end

For general information about resource controls and attributes, see Chapter 6, About Resource Controls, in Administering Resource Management in Oracle Solaris 11.2 and Resource Controls Used in Non-Global Zones in Creating and Using Oracle Solaris Zones.
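As an added example (not Oracle's code or part of this documentation), the following Python converter parses `add rctl` blocks written in the three name/value pair format shown above, taken from a zonecfg session transcript or a command file, and rewrites the controls that have a preferred property name on this page as plain `set` lines, keeping the rctl form for controls such as zone.max-swap that have none. The sample input is constructed from the transcript above plus a constructed zone.max-swap entry.

```python
import re

# Zone-wide rctls that zonecfg also accepts as a plain property (from this page).
PREFERRED = {"zone.cpu-shares": "cpu-shares", "zone.max-lwps": "max-lwps",
             "zone.max-msg-ids": "max-msg-ids", "zone.max-processes": "max-processes",
             "zone.max-sem-ids": "max-sem-ids", "zone.max-shm-ids": "max-shm-ids",
             "zone.max-shm-memory": "max-shm-memory"}
# One `add rctl ... end` block; `(?:.*> )?` skips a zonecfg prompt if present.
BLOCK_RE = re.compile(
    r"add rctl\s*\n(?:.*> )?set name=(\S+)\s*\n"
    r"(?:.*> )?add value \(priv=(\w+),limit=(\d+),action=(\w+)\)\s*\n(?:.*> )?end")

def parse_rctls(text):
    """Return each rctl block as {"name", "priv", "limit", "action"}."""
    return [dict(name=m[1], priv=m[2], limit=int(m[3]), action=m[4])
            for m in BLOCK_RE.finditer(text)]

def to_preferred(rctls):
    """Rewrite controls that have a preferred name as `set <property>=<limit>`;
    keep the three name/value pair rctl form for the rest."""
    out = []
    for r in rctls:
        prop = PREFERRED.get(r["name"])
        if prop:
            out.append("set %s=%d" % (prop, r["limit"]))
        else:
            out += ["add rctl", "set name=%s" % r["name"],
                    "add value (priv=%s,limit=%d,action=%s)"
                    % (r["priv"], r["limit"], r["action"]), "end"]
    return out

# Constructed sample: the page's two rctls plus a zone.max-swap control,
# which has no preferred property name on this page.
SAMPLE = """zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-lwps
zonecfg:my-zone:rctl> add value (priv=privileged,limit=100,action=deny)
zonecfg:my-zone:rctl> end
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.max-swap
zonecfg:my-zone:rctl> add value (priv=privileged,limit=536870912,action=deny)
zonecfg:my-zone:rctl> end"""

if __name__ == "__main__":
    print("\n".join(to_preferred(parse_rctls(SAMPLE))))
```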

attr

name, type, value

In the following example, a comment about a zone is added.

zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="Production zone"
zonecfg:my-zone:attr> end

You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.