If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege name, an attempt to verify, ready, or boot the zone will fail with an error message such as the following:
zonecfg:zone5> set limitpriv="basic"
global$ zoneadm -z zone5 boot
required privilege "sys_mount" is missing from the zone's privilege set
zoneadm: zone zone5 failed to verify
To fix the problem, add to the zone's limitpriv property. The following example shows how to add the DTrace privileges to a zone.
Example 35 Adding DTrace Privileges to a Non-Global Zone
In this example, the administrator adds DTrace privileges to an installed non-global zone that is not booted. When added to a zone, DTrace privileges enable the use of the DTrace facility. Users with the DTrace Toolkit rights profile as well as the appropriate Zones rights profiles will be able to use DTrace functionality as described in Running DTrace in a Non-Global Zone.
From the global zone, the administrator adds the dtrace_proc and dtrace_user privileges to the non-global zone named dev-zone.
global# zonecfg -z dev-zone
zonecfg:dev-zone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:dev-zone> exit
The administrator then boots the zone, logs in as developer-1 who has been assigned the DTrace Toolkit rights profile only, and tests that developer-1 can use the dtrace command.
global# zoneadm -z zonename boot
# su developer-1
developer-1$ zlogin dev-zone
dev-zone: developer-1$ dtrace -l
For more information, see the zonecfg(8) man page and limitpriv Global Property in Oracle Solaris Zones Configuration Resources.
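The following is an added example, not part of the original documentation: a small shell function that reviews a limitpriv value before the zone is verified or booted, flagging values that do not start with default (the situation behind the sys_mount error above) and listing every privilege granted or excluded beyond the default set. The function name review_limitpriv and its message wording are assumptions made for this illustration, and the sample values are constructed from the two settings shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): review a limitpriv value
# before running "zoneadm verify" or "zoneadm boot".

# review_limitpriv VALUE   (hypothetical helper name)
# Prints one finding per line for a comma-separated limitpriv value.
review_limitpriv() {
    value=$1
    # A missing or empty limitpriv means the zone gets the default set.
    if [ -z "$value" ]; then
        echo "ok: empty value, default privilege set applies"
        return 0
    fi
    # "default" expands to the safe default set only as the first token.
    if [ "${value%%,*}" != "default" ]; then
        echo "warn: does not start with 'default'; required privileges may be missing"
    fi
    old_ifs=$IFS
    IFS=,
    set -f                      # no pathname expansion while splitting
    for tok in $value; do
        case $tok in
            default)  ;;        # baseline, nothing to report
            dtrace_*) echo "review: DTrace privilege $tok" ;;
            -*|'!'*)  echo "info: excludes ${tok#?}" ;;
            *)        echo "review: includes $tok" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return 0
}

# Constructed inputs taken from the two limitpriv settings shown above.
review_limitpriv "default,dtrace_proc,dtrace_user"
review_limitpriv "basic"
```

The value to pass is the text shown after limitpriv: by zonecfg -z dev-zone info limitpriv in the global zone.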