Creating and Using Oracle® Solaris Zones

Updated: May 2015

How to Configure the Zone

Note that the only required elements to create a non-global zone are the zonename and zonepath properties for zones with a rootzpool resource. Other resources and properties are optional. Some optional resources also require choices between alternatives, such as the decision to use either the dedicated-cpu resource or the capped-cpu resource. See Zone Configuration Data in Introduction to Oracle Solaris Zones for information on available zonecfg properties and resources.

You must be the global administrator or a user with appropriate authorizations in the global zone to perform this procedure.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  2. Set up a zone configuration with the zone name you have chosen.

    The name my-zone is used in this example procedure.

    global# zonecfg -z my-zone

    If this is the first time you have configured this zone, you will see the following system message:

    my-zone: No such zone configured
    Use 'create' to begin configuring a new zone.
  3. Create the new zone configuration.

    This procedure uses the default settings.

    zonecfg:my-zone> create
    create: Using system default template 'SYSdefault'
  4. Set the zone path, /zones/my-zone in this procedure.
    zonecfg:my-zone> set zonepath=/zones/my-zone

    The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that if the parent directory of the zone path exists, it must be the mount point of a mounted dataset.

    If the token %{zonename} is used in the zonepath instead of the zone's literal name, the Unified Archive and zones tools replace the existing zone name with the new zone name when the zone is cloned.

    zonecfg:my-zone> set zonepath=/zones/%{zonename}

    See zonecfg template Property in Introduction to Oracle Solaris Zones.

  5. Set the autoboot value.

    If set to true, the zone is automatically booted when the global zone is booted. The default value is false. Note that for the zones to autoboot, the zones service svc:/system/zones:default must also be enabled. This service is enabled by default.

    zonecfg:my-zone> set autoboot=true
  6. Set persistent boot arguments for a zone.
    zonecfg:my-zone> set bootargs="-m verbose"
  7. Dedicate one CPU to this zone.
    zonecfg:my-zone> add dedicated-cpu
    1. Set the number of CPUs.
      zonecfg:my-zone:dedicated-cpu> set ncpus=1-2
    2. (Optional) Set the importance.
      zonecfg:my-zone:dedicated-cpu> set importance=10

      The default is 1.

    3. End the specification.
      zonecfg:my-zone:dedicated-cpu> end
  8. Revise the default set of privileges.
    zonecfg:my-zone> set limitpriv="default,sys_time"

    This line adds the ability to set the system clock to the default set of privileges.

  9. Set the scheduling class to FSS.
    zonecfg:my-zone> set scheduling-class=FSS
  10. Add a memory cap.
    zonecfg:my-zone> add capped-memory
    1. Set the memory cap.
      zonecfg:my-zone:capped-memory> set physical=1g
    2. Set the swap memory cap.
      zonecfg:my-zone:capped-memory> set swap=2g
    3. Set the locked memory cap.
      zonecfg:my-zone:capped-memory> set locked=500m
    4. End the memory cap specification.
      zonecfg:my-zone:capped-memory> end

    Note -  To use the capped-memory resource, the resource-cap package must be installed in the global zone.
  11. Add a file system.
    zonecfg:my-zone> add fs
    1. Set the mount point for the file system, /usr/local in this procedure.
      zonecfg:my-zone:fs> set dir=/usr/local
    2. Specify that /opt/local in the global zone is to be mounted as /usr/local in the zone being configured.
      zonecfg:my-zone:fs> set special=/opt/local

      In the non-global zone, the /usr/local file system will be readable and writable.

    3. Specify the file system type, lofs in this procedure.
      zonecfg:my-zone:fs> set type=lofs

      The type indicates how the kernel interacts with the file system.

    4. End the file system specification.
      zonecfg:my-zone:fs> end

    This step can be performed more than once to add more than one file system.

  12. Set the hostid if necessary.
    zonecfg:my-zone> set hostid=80f0c086
  13. Add a ZFS dataset named sales in the storage pool tank.
    zonecfg:my-zone> add dataset
    1. Specify the path to the ZFS dataset sales.
      zonecfg:my-zone:dataset> set name=tank/sales
    2. End the dataset specification.
      zonecfg:my-zone:dataset> end

    The zone administrator can create and destroy snapshots, file systems, and volumes within the dataset. The zone administrator can modify properties of the dataset, and control compression and encryption.

  14. Create an exclusive-IP zone with an automatic VNIC.
    zonecfg:my-zone> set ip-type=exclusive
    zonecfg:my-zone> add anet
    1. Specify auto as the underlying link for the link to be created.
      zonecfg:my-zone:anet> set lower-link=auto

      The zoneadmd daemon automatically selects the link over which the VNIC will be created each time the zone boots. IPoIB links are skipped when the data-link is selected.

    2. End the specification.
      zonecfg:my-zone:anet> end
  15. Add a device.
    zonecfg:my-zone> add device
    1. Set the device match, /dev/sound/* in this procedure.
      zonecfg:my-zone:device> set match=/dev/sound/*
    2. End the device specification.
      zonecfg:my-zone:device> end

    This step can be performed more than once to add more than one device.

  16. Add Open Fabrics User Verbs (OFUV) devices for components of OFUV other than IB diagnostic tools.
    zonecfg:my-zone> add device
    1. Set the device match, infiniband/ofs/* in this procedure.
      zonecfg:my-zone:device> set match=infiniband/ofs/*
    2. End the device specification.
      zonecfg:my-zone:device> end

    IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.

    This step can be performed more than once to add more than one device.

  17. Add OFUV devices for components of OFUV other than IB diagnostic tools.
    zonecfg:my-zone> add device
    1. Set the device match, infiniband/hca/* in this procedure.
      zonecfg:my-zone:device> set match=infiniband/hca/*
    2. End the device specification.
      zonecfg:my-zone:device> end

    IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.

    This step can be performed more than once to add more than one device.

  18. To allow disk labeling with the format command, an entire disk/LUN should be delegated to a zone, and the allow-partition property should be set.
    zonecfg:my-zone> add device
    1. Set the device match, /dev/*dsk/c2t40d3* in this procedure.
      zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
    2. Set allow-partition to be true.
      zonecfg:my-zone:device> set allow-partition=true
    3. End the device specification.
      zonecfg:my-zone:device> end

    This step can be performed more than once to add more than one device.

  19. To allow uscsi operations on a disk, the allow-raw-io property should be set.
    zonecfg:my-zone> add device
    1. Set the device match, /dev/*dsk/c2t40d3* in this procedure.
      zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
    2. Set allow-raw-io to be true.
      zonecfg:my-zone:device> set allow-raw-io=true
    3. End the device specification.
      zonecfg:my-zone:device> end

      Caution - Allowing a zone to perform uscsi operations on a disk also allows the zone to access any other device connected to the same bus as the disk. Therefore, enabling this capability could create a security risk and allow for attacks against the global zone or other zones that use resources on the same bus. For more information, see uscsi(7I).


    This step can be performed more than once to add more than one device.

  20. Add a zone-wide resource control by using the property name.
    zonecfg:my-zone> set max-sem-ids=10485200

    This step can be performed more than once to add more than one resource control.

  21. Add a comment by using the attr resource type.
    zonecfg:my-zone> add attr
    1. Set the name to comment.
      zonecfg:my-zone:attr> set name=comment
    2. Set the type to string.
      zonecfg:my-zone:attr> set type=string
    3. Set the value to a comment that describes the zone.
      zonecfg:my-zone:attr> set value="This is my work zone."
    4. End the attr resource type specification.
      zonecfg:my-zone:attr> end
  22. Verify the zone configuration for the zone.
    zonecfg:my-zone> verify
  23. Commit the zone configuration for the zone.
    zonecfg:my-zone> commit
  24. Exit the zonecfg command.
    zonecfg:my-zone> exit

    Note that even if you did not explicitly type commit at the prompt, a commit is automatically attempted when you type exit or an EOF occurs.
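    As an added check (example code, not from Oracle's documentation), the script below reads a configuration in the shape of `zonecfg -z my-zone export` output and flags the two settings this procedure singles out as widening the zone's reach: allow-raw-io on a device and privileges added through limitpriv. The sample export is constructed to mirror the configuration built above, and the export line format and function names are assumptions.

```python
"""Added audit of a zonecfg export (not Oracle's code): flags allow-raw-io
devices and privileges added beyond "default" in limitpriv."""

# Constructed to mirror the configuration built in the steps above, in the
# assumed shape of `zonecfg -z my-zone export` output.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/my-zone
set autoboot=true
set limitpriv=default,sys_time
set ip-type=exclusive
add device
set match=/dev/sound/*
end
add device
set match=/dev/*dsk/c2t40d3*
set allow-partition=true
set allow-raw-io=true
end
"""

def parse_export(text):
    """Split into global props and (resource, props) blocks delimited by add/end."""
    global_props, resources, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            current = (line.split(None, 1)[1], {})
        elif line == "end" and current is not None:
            resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            (current[1] if current else global_props)[key] = value.strip('"')
    return global_props, resources

def audit(text):
    """Return (severity, message) findings, most severe first."""
    global_props, resources = parse_export(text)
    findings = []
    # Privileges beyond "default" widen what root inside the zone may do.
    extra = [p for p in global_props.get("limitpriv", "default").split(",")
             if p and p != "default"]
    if extra:
        findings.append(("MEDIUM", "limitpriv adds " + ",".join(extra)))
    for rtype, props in resources:
        # uscsi access through a disk reaches every device on the same bus.
        if rtype == "device" and props.get("allow-raw-io") == "true":
            findings.append(("HIGH", "allow-raw-io on " + props.get("match", "?")))
    return sorted(findings, key=lambda f: f[0] != "HIGH")
```

Run it against a real export by piping `zonecfg -z my-zone export` into a file and passing its contents to audit(); the same parser can be extended to other per-device properties such as allow-partition.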

Using Multiple Subcommands From the Command Line

Tip - The zonecfg command also supports multiple subcommands, quoted and separated by semicolons, from the same shell invocation.

    global# zonecfg -z my-zone "create ; set zonepath=/zones/my-zone"

For shared-IP zones, a static address can only be assigned in a zonecfg net resource. It cannot be supplied on the command line.