Note that the only required elements to create a non-global zone are the zonename and zonepath properties for zones with a rootzpool resource. Other resources and properties are optional. Some optional resources also require choices between alternatives, such as the decision to use either the dedicated-cpu resource or the capped-cpu resource. See Zone Configuration Data in Introduction to Oracle Solaris Zones for information on available zonecfg properties and resources.
You must be the global administrator or a user with appropriate authorizations in the global zone to perform this procedure.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
The name my-zone is used in this example procedure.
global# zonecfg -z my-zone
If this is the first time you have configured this zone, you will see the following system message:
my-zone: No such zone configured
Use 'create' to begin configuring a new zone.
This procedure uses the default settings.
zonecfg:my-zone> create
create: Using system default template 'SYSdefault'
zonecfg:my-zone> set zonepath=/zones/my-zone
The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that if the parent directory of the zone path exists, it must be the mount point of a mounted dataset.
If the token %{zonename} is used in the zonepath instead of the zone's explicit name, the Unified Archive and zones tools replace the existing zone name with the new zone name when the zone is cloned.
zonecfg:my-zone> set zonepath=/zones/%{zonename}
See zonecfg template Property in Introduction to Oracle Solaris Zones.
If set to true, the zone is automatically booted when the global zone is booted. The default value is false. Note that for the zones to autoboot, the zones service svc:/system/zones:default must also be enabled. This service is enabled by default.
zonecfg:my-zone> set autoboot=true
zonecfg:my-zone> set bootargs="-m verbose"
zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-2
zonecfg:my-zone:dedicated-cpu> set importance=10
The default importance is 1.
zonecfg:my-zone:dedicated-cpu> end
zonecfg:my-zone> set limitpriv="default,sys_time"
This line adds the sys_time privilege, which allows the zone to set the system clock, to the default set of privileges.
zonecfg:my-zone> set scheduling-class=FSS
zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=1g
zonecfg:my-zone:capped-memory> set swap=2g
zonecfg:my-zone:capped-memory> set locked=500m
zonecfg:my-zone:capped-memory> end
zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/usr/local
zonecfg:my-zone:fs> set special=/opt/local
In the non-global zone, the /usr/local file system will be readable and writable.
zonecfg:my-zone:fs> set type=lofs
The type indicates how the kernel interacts with the file system.
zonecfg:my-zone:fs> end
This step can be performed more than once to add more than one file system.
zonecfg:my-zone> set hostid=80f0c086
zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> end
The zone administrator can create and destroy snapshots, file systems, and volumes within the dataset. The zone administrator can modify properties of the dataset, and control compression and encryption.
zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set lower-link=auto
The zoneadmd daemon automatically selects the link over which the VNIC is created each time the zone boots. IPoIB links are skipped when the data-link is selected.
zonecfg:my-zone:anet> end
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/sound/*
zonecfg:my-zone:device> end
This step can be performed more than once to add more than one device.
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=infiniband/ofs/*
zonecfg:my-zone:device> end
IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.
This step can be performed more than once to add more than one device.
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=infiniband/hca/*
zonecfg:my-zone:device> end
IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.
This step can be performed more than once to add more than one device.
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
zonecfg:my-zone:device> set allow-partition=true
zonecfg:my-zone:device> end
This step can be performed more than once to add more than one device.
zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
zonecfg:my-zone:device> set allow-raw-io=true
zonecfg:my-zone:device> end
Caution - Allowing a zone to perform uscsi operations on a disk also allows the zone to access any other device connected to the same bus as the disk. Therefore, enabling this capability could create a security risk and allow for attacks against the global zone or other zones that use resources on the same bus. For more information, see uscsi(7I).
This step can be performed more than once to add more than one device.
zonecfg:my-zone> set max-sem-ids=10485200
This step can be performed more than once to add more than one resource control.
zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="This is my work zone."
zonecfg:my-zone:attr> end
zonecfg:my-zone> verify
zonecfg:my-zone> commit
zonecfg:my-zone> exit
Note that even if you did not explicitly type commit at the prompt, a commit is automatically attempted when you type exit or an EOF occurs.
global# zonecfg -z my-zone "create ; set zonepath=/zones/my-zone"
For shared-IP zones, a static address can only be assigned in a zonecfg net resource. It cannot be supplied on the command line.
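As an added example (not part of the Oracle documentation), the following POSIX shell script audits a zonecfg export for the two settings this procedure flags as security-sensitive: privileges added to limitpriv beyond default (such as sys_time above) and device resources with allow-raw-io=true (the uscsi caution). SAMPLE_EXPORT is a constructed export for my-zone, and audit_zonecfg and count_findings are this example's own names, not zonecfg commands.

```sh
#!/bin/sh
# Added example: audit an exported zonecfg command file for two settings the
# procedure above marks as security-relevant: privileges added to limitpriv
# beyond "default", and device resources with allow-raw-io=true (uscsi).
# SAMPLE_EXPORT is a constructed export for my-zone, not output from a real
# system; real input comes from: zonecfg -z my-zone export > my-zone.cfg
SAMPLE_EXPORT='create -b
set zonepath=/zones/my-zone
set autoboot=true
set limitpriv="default,sys_time"
set ip-type=exclusive
add device
set match=/dev/sound/*
end
add device
set match=/dev/*dsk/c2t40d3*
set allow-raw-io=true
end'

# audit_zonecfg FILE: print one finding per line (nothing if clean).
audit_zonecfg() {
  awk -F= '
    # strip the quotes zonecfg may put around a value
    function val(s) { sub(/^"/, "", s); sub(/"$/, "", s); return s }
    $1 == "add device" { in_dev = 1; match_pat = ""; raw = ""; next }
    in_dev && $1 == "set match"        { match_pat = val($2); next }
    in_dev && $1 == "set allow-raw-io" { raw = val($2); next }
    in_dev && $1 == "end" {
      if (raw == "true")
        print "raw-io: " match_pat " permits uscsi; other devices on the same bus become reachable"
      in_dev = 0; next
    }
    $1 == "set limitpriv" {
      n = split(val($2), p, ",")
      for (i = 1; i <= n; i++)
        if (p[i] != "default") print "limitpriv: privilege added beyond default: " p[i]
    }
  ' "$1"
}

# count_findings FILE: number of findings, printed on stdout (0 if clean)
count_findings() {
  audit_zonecfg "$1" | grep -c . || true
}

# Usage on the constructed sample
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORT" > "$sample_file"
audit_zonecfg "$sample_file"
rm -f "$sample_file"
```

On a live system, feed the script the output of zonecfg -z my-zone export and review each finding against the justification recorded in the zone's attr comment.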