Go to main content

Creating and Using Oracle® Solaris Zones

Exit Print View

Updated: August 2019

Insufficient Privileges Specified for the Zone

If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege name, an attempt to verify, ready, or boot the zone will fail with an error message such as the following:

zonecfg:zone5>set limitpriv="basic"
global$ zoneadm -z zone5 boot
required privilege "sys_mount" is missing from the zone's privilege set
zoneadm: zone zone5 failed to verify

To fix the problem, add to the zone's limitpriv property. The following example shows how to add the DTrace privileges to a zone.

Example 35  Adding DTrace Privileges to a Non-Global Zone

In this example, the administrator adds DTrace privileges to an installed non-global zone that is not booted. When added to a zone, DTrace privileges enable the use of the DTrace facility. Users with the DTrace Toolkit rights profile as well as the appropriate Zones rights profiles will be able to use DTrace functionality as described in Running DTrace in a Non-Global Zone.

  1. From the global zone, the administrator adds the dtrace_proc and dtrace_user privileges to the non-global zone named dev-zone.

    global# zonecfg -z dev-zone
    zonecfg:dev-zone> set limitpriv="default,dtrace_proc,dtrace_user"
    zonecfg:dev-zone> exit
  2. The administrator then boots the zone, logs in as developer-1 who has been assigned the DTrace Toolkit rights profile only, and tests that developer-1 can use the dtrace command.

    global# zoneadm -z zonename boot
    # su developer-1
    developer-1$ zlogin dev-zone
    dev-zone: developer-1$ dtrace -l

For more information, see the zonecfg(8) man page and limitpriv Global Property in Oracle Solaris Zones Configuration Resources.