The following sections describe the resource types and resource type properties of a zone. See also the zonecfg(8) man page.
For information about which resource types and their properties support Live Zone Reconfiguration in non-global and kernel zones, see Resource Types and Global Properties That Support Live Zone Reconfiguration.
The admin setting allows you to set zone administration authorization. Note that these auths do not allow you to create a zone. This capability is included in the Zone Security rights profile. For details about the Zone rights profiles, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones.
Properties: name, auths, user
Specify the user name.
Specify the authorizations for the user name.
The values for the auths property are as follows:
This authorization allows the specified zone to be used as a source from which to clone a new zone. Subcommands that make a copy of another zone require the authorization solaris.zone.clonefrom/source_zone.
This authorization allows modification of the persistent configuration of the zone by using the authorization solaris.zone.config/zonename.
This authorization allows inspection and modification of the live zone configuration by using the authorization solaris.zone.liveconfig/zonename. For more information about the live zone configuration, see Live Zone Reconfiguration of Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and Live Zone Reconfiguration of Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.
This authorization allows authenticated use of zlogin into this zone. The authorization solaris.zone.login/zonename is required for interactive logins. Password authentication takes place in the zone. For more information, see the zlogin(1) man page.
This authorization allows normal management of the configured zone. For non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.
This authorization allows a user to perform all types of migration, cold, warm, and live, for a specific zone.
This authorization allows a user to do cold and warm migration of a specific zone.
For examples, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones and Rights Required to Perform Kernel Zone Migrations in Creating and Using Oracle Solaris Kernel Zones.
For more information about authorizations, see the auths(1), auth_attr(5), and user_attr(5) man pages.
The anet resource type automatically creates a temporary VNIC interface for the exclusive-IP zone when the zone boots. The VNIC is deleted when the zone halts.
Properties:
For descriptions of these properties, see the zonecfg(8) man page.
For solaris-kz zones only, in addition to static configuration of anet MAC addresses and VLAN IDs, there is dynamic MAC address and VLAN ID configuration. A zone can push the MAC address and VLAN ID it requires to the host, and VNIC creation succeeds in this address.
To determine which MAC prefixes and VLAN IDs are allowed, use the dladm show-phys command with the –o option:
global$ dladm show-phys -o link,media,device,allowed-addresses,allowed-vids
LINK MEDIA DEVICE ALLOWED-ADDRESSES ALLOWED-VIDS
net0 Ethernet zvnet0 fa:16:3f, 100-199,
fa:80:20:21:22 400-498,500
The allowed-mac-address property of the anet resource type provides a set of MAC address prefixes. A kernel zone can create a VNIC with a MAC address that is one of the MAC address prefixes in the allowed-mac-address list. These prefixes can be 1 to 5 octets in length.
zonecfg:my-kernelzone> add anet zonecfg:my-kernelzone:anet> add mac zonecfg:my-kernelzone:anet:mac> add allowed-mac-address fa:16:3f zonecfg:my-kernelzone:anet:mac> add allowed-mac-address fa:80:20:21:22 zonecfg:my-kernelzone:anet:mac> end zonecfg:my-kernelzone:anet> end
The allowed-mac-address property does not affect the mac-address property. The allowed-mac-address property controls the additional MAC addresses for the anet resource type.
You can also use the special keyword any to match any MAC address.
The allowed-vlan-ids property of the anet resource type specifies the range of VLAN IDs that can be dynamically configured for that anet. Setting allowed-vlan-ids to the special keyword any allows the zone to use any valid VLAN ID.
zonecfg:my-kernelzone> add anet zonecfg:my-kernelzone:anet> add vlan zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 100-199 zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 400-498 zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 500 zonecfg:my-kernelzone:anet:vlan> end zonecfg:my-kernelzone:anet> end
The allowed-vlan-ids property does not affect the anet vlan-id property. The allowed-vlan-ids property only controls the additional VLAN IDs for the anet resource type.
For solaris-kz zones only, you can create and administer single root I/O (SR-IOV) NIC virtual functions (VF) on kernel zones by using the iov property of the anet resource type. Do not set the iov property to auto or on if any of the following properties are set:
If the iov property is already set to auto or on, then setting any of these properties fails.
For examples and more information, see Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and the zonecfg(8) man page.
For solaris zones only, do not use the zonecfg utility to set the following anet properties for IPoIB datalinks.
For non-IPoIB datalinks, do not use the zonecfg utility to set the following anet properties.
For an EVS anet resource, set only the following properties:
The anet resource type creates an automatic VNIC interface or an IPoIB interface when the zone boots, and deletes the VNIC or IPoIB interface when the zone halts.
Configure an IP address for the exclusive-IP zone and also limit the set of configurable IP addresses that can be used by an exclusive-IP zone. To specify multiple addresses, use a list of comma-separated IP addresses.
Set to support the dladm link property autopush.
The following example automatically pushes the ipsecah streams module onto net0 when the IP interface is plumbed inside the zone:
global$ pfbash zonecfg -z my-zone zonecfg:my-zone> select anet linkname=net0 zonecfg:my-zone:anet> set autopush=ipsecah zonecfg:my-zone:anet> end zonecfg:my-zone> exit
If multiple modules are listed, they are pushed in the order specified.
zonecfg:my-zone:anet> set autopush="ipsecah ipsecesp"
The defrouter property is used to set a default route when the non-global zone and the global zone reside on separate networks.
Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.
Indicates the ETS bandwidth on the TX side. See the dladm(8) man page for more information about this property.
See Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones. For specific information about shadow VNICS used to provide network statistics, see Using Virtual Functions and Shadow VNICs With Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.
Specifies the underlying link for the link to be created. When set to auto, the zoneadmd daemon automatically chooses the link over which the VNIC is created each time the zone boots. You can specify any link on which you can create a VNIC as the lower-link for an anet resource.
All IPoIB links are skipped when selecting the datalink for creating the VNIC automatically during boot.
Sets the link-mode for the datalink interface. The default value is cm. Valid values are as follows:
Connected Mode. This mode uses a default MTU of 65520 bytes. and supports a maximum MTU of 65535 bytes.
Unreliable Datagram Mode. If Connected Mode is not available for a remote node, Unreliable Datagram mode is automatically used instead. This mode uses a default MTU of 2044 and supports a maximum MTU of 4092 bytes.
Specify a name for the automatically created VNIC interface or IPoIB interface. Note that solaris-kz does not support IPoIB.
Set the VNIC MAC address based on the specified value or keyword. If the value is not a keyword, it is interpreted as a unicast MAC address. See the zonecfg(8) man page for supported keywords.
If a random MAC address is selected, the generated address is preserved across zone boots, and zone detach and attach operations. When the default policy auto-mac-address is used, Oracle Solaris Zones can obtain a random mac-address.
Sets the partition key to be used for creating the IPoIB datalink interface. This property is mandatory. The specified pkey is always treated as hexadecimal, whether or not it has the 0x prefix.
Set this property to allow a zone to use the hardware ring group capability of the Ethernet link. The possible values for this property are as follows:
The system determines whether exclusive or shared is used on a particular lower-link. This is the default value.
Use an exclusive hardware ring group. If an exclusive hardware ring group is not available, anet creation fails.
Do not use a dedicated hardware ring group.
Enable VLAN or PVLAN tagging for this VNIC and specify an ID for the VLAN tag. There is no default value. If this property is not set, the VNIC does not participate in any VLAN.
See the dladm(8) man page for the supported VLAN ID format.
When the zonecfg command creates a zone by using the SYSdefault template, an anet resource with the following properties is automatically included in the zone configuration if no other IP resources are set. The linkname is automatically created over the physical Ethernet link and set to the first available name of the form netN, netX. To change the default values, use the zonecfg command.
When the default policy auto is used, an appropriate mac-address is assigned as follows:
Oracle Solaris zones – Random mac-address
Oracle Solaris kernel zones – Random mac-address
Oracle Solaris zones under a kernel zone – Factory mac-address
Oracle VM Server for SPARC guest domains – Factory mac-address
Oracle Solaris kernel zones running on an Oracle VM Server for SPARC guest domain – Factory mac-address
The default policy creates an automatic VNIC over the physical Ethernet link, for example, net0, and assigns the MAC address to the VNIC. The optional lower-link property is set to the underlying link, vnic1, over which the automatic VNIC is to be created. VNIC properties such as the link name, underlying physical link, MAC address, bandwidth limit, as well as other VNIC properties, can be specified by using the zonecfg command.
zonecfg:my-zone> set ip-type=exclusive zonecfg:my-zone> add anet zonecfg:my-zone:anet> set linkname=net0 zonecfg:my-zone:anet> set lower-link=auto zonecfg:my-zone:anet> set mac-address=random zonecfg:my-zone:anet> set link-protection=mac-nospoof zonecfg:my-zone:anet> end
The following example shows a solaris brand zone configured with an IPoIB datalink interface over the physical link net5 with the IB partition key 0xffff.
zonecfg:my-zone> set ip-type=exclusive zonecfg:my-zone:anet> add anet zonecfg:my-zone:anet> set linkname=ib0 zonecfg:my-zone:anet> set lower-link=net5 zonecfg:my-zone:anet> set pkey=0xffff zonecfg:my-zone:anet> end
The following example shows how to configure VLANs with zones. The vlan-id property is not supported on IPoIB datalinks.
zonecfg:my-zone:anet> add anet zonecfg:my-zone:anet> set linkname=net0 zonecfg:my-zone:anet> set lower-link=net0 zonecfg:my-zone:anet> set vlan-id=101 zonecfg:my-zone:anet> end
A kernel zone can serve as the global zone to solaris non-global zones. For information about managing solaris zones in kernel zones, see Managing Non-Global Zones in Kernel Zones in Creating and Using Oracle Solaris Kernel Zones, and How to Add Multiple MAC Addresses to a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.
For more information about properties, see the zonecfg(8) man page. For additional information about the link properties, see the dladm(8) man page.
This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.
Properties: name, type, value
In the following example, a comment about a zone is added.
zonecfg:my-zone> add attr zonecfg:my-zone:attr> set name=comment zonecfg:my-zone:attr> set type=string zonecfg:my-zone:attr> set value="Production zone" zonecfg:my-zone:attr> end
For more information, see How to Create and Deploy a Non-Global Zone in Creating and Using Oracle Solaris Zones.
The capped-cpu resource type provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone.
Properties: ncpus
When used in conjunction with processor sets, CPU caps limit CPU usage within a set. This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running.
Specifies the limit on CPU usage as a positive decimal with two digits to the right of the decimal, which corresponds to units of CPUs. A value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system. The property does not accept a range.
The following example specifies a CPU cap of 3.5 CPUs for the zone.
zonecfg:my-zone> add capped-cpu zonecfg:my-zone:capped-cpu> set ncpus=3.5 zonecfg:my-zone:capped-cpu> end
This resource type groups the properties used when capping memory for the zone. To use the capped-memory resource type, the service/resource-cap package must be installed in the global zone.
Properties:
For solaris zones only, the capped-memory resource type provides limits for physical, swap, and locked memory. At least one of these properties must be specified.
The following example specifies the memory limits for the zone. Each limit is optional, but at least one limit must be set.
zonecfg:my-zone> add capped-memory zonecfg:my-zone:capped-memory> set physical=50m zonecfg:my-zone:capped-memory> set swap=100m zonecfg:my-zone:capped-memory> set locked=30m zonecfg:my-zonee:capped-memory> end
For solaris-kz zones only, the capped-memory resource type provides limits for physical memory. The pagesize-policy specifies the policy for using large pages for physical memory.
The values for the pagesize-policy property are as follows:
Provide the largest possible page size, scaling down the page size if the system cannot allocate all physical memory with a particular page size. The priority is to boot the zone.
Allocate only the largest possible page size for the kernel zone's physical memory. If all the pages are not assigned, the zone cannot be booted.
Choose the lowest allowable page size required to boot the kernel zone for the particular platform.
The following example specifies the memory limits for the zone by using the physical and pagesize-policy properties.
zonecfg:my-kz> add capped-memory zonecfg:my-kz:capped-memory> set physical=4g zonecfg:my-kz:capped-memory> set pagesize-policy=largest-available zonecfg:my-kz:capped-memory> end
If a kernel zone pagesize-policy property is cleared or not set, the zone uses the lowest allowable page size required to boot on the particular platform on which it is running. You must clear pagesize-policy if you want to migrate a kernel zone that was created in Oracle Solaris 11.4 to an earlier Oracle Solaris release that does not support the pagesize-policy property, such as the initial release of Oracle Solaris 11.3.
The only dataset type you can use with a dataset resource is a ZFS file system. Add a ZFS dataset resource to enable the delegation of storage administration to a non-global zone.
Properties: name, alias
After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have to set the mount point to an unacceptable value.
The zone administrator can perform the following storage administration tasks:
Create and destroy file systems within that dataset
Modify properties of the dataset
Create child file systems and clones of its descendants
The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone.
ZFS datasets can be added to a zone in the following ways.
As an lofs mounted file system, when the goal is solely to share space with the global zone
As a delegated dataset
When the zonecfg template property is used, if a rootzpool resource type is not specified, the default zonepath dataset is rootpool/VARSHARE/zones/zonename. The dataset is created by the svc-zones service with a mountpoint /system/zones. The remaining properties are inherited from rootpool/VARSHARE/zones/.
For more information, see Chapter 10, Oracle Solaris ZFS Advanced Topics in Managing ZFS File Systems in Oracle Solaris 11.4, File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones and the datasets(7) man page.
For information about dataset issues, see Chapter 11, Troubleshooting Miscellaneous Oracle Solaris Zones Problems in Creating and Using Oracle Solaris Zones.
The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.
zonecfg:my-zone> add dataset zonecfg:my-zone> set name=tank/sales zonecfg:my-zone> end
A delegated dataset can have a non-default alias as shown in the following example. Note that a dataset alias cannot contain a forward slash (/).
zonecfg:my-zone> add dataset zonecfg:my-zone:dataset> set name=tank/sales zonecfg:my-zone:dataset> set alias=data zonecfg:my-zone:dataset> end
The %{zonename} token can be used for the name property.
To revert to the default alias, use the clear alias command.
zonecfg:my-zone> clear alias
This resource type dedicates a subset of the system's processors to the zone while it is running. When the zone boots, the system dynamically creates a temporary pool for use while the zone is running. With specification in zonecfg, pool settings propagate during migrations.
Properties:
The dedicated-cpu resource type provides limits for ncpus and, optionally, importance. It also sets persistent dedicated-cpu resources for cores, cpus, and sockets.
Assign specific cores to zone persistently.
Assign specific CPUs to a zone persistently.
If you are using a CPU range to achieve dynamic behavior, also set the importance property. The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold.
If the poold service is not running, then the importance property is ignored. If poold is running and importance is not set, the importance default is 1. For more information, see pool.importance Property Constraint in Administering Resource Management in Oracle Solaris 11.4.
Specify the number of CPUs or specify a range, such as 2-4 CPUs.
If you specify a range because you want dynamic resource pool behavior, also do the following:
Set the importance property.
Enable the poold service. For instructions, see Enabling and Disabling the Pools Facility in Administering Resource Management in Oracle Solaris 11.4.
Assign specified number of sockets persistently.
To eliminate inconsistent results across host reboots, use dedicated-cpu:cpus to specify the exact CPUs to use. Use the dedicated-cpu resource type instead of the automatic virtual-cpu resource type, which can only specify ncpus.
The following example specifies a CPU range for use by the zone and sets the importance level.
zonecfg:my-zone> add dedicated-cpu zonecfg:my-zone:dedicated-cpu> set ncpus=1-3 zonecfg:my-zone:dedicated-cpu> set importance=2 zonecfg:my-zone:dedicated-cpu> end
The following output shows the granularity of assigning core, cpu, socket, and a locality groups to a zone:
global$ psrinfo -tL
socket: 0 (lgroups: 1, 0)
core: 0
cpus: 0-7
core: 1
cpus: 8-15
core: 2
cpus: 16-23
core: 3
cpus: 24-31
...
core: 7
cpus: 56-63
socket: 1 (lgroups: 2, 0)
core: 8
cpus: 64-71
...
core: 15
cpus: 120-127
The following example persistently assigns cores 0, 1, 2, and 3 as a range to the zone. The example could potentially also have set values for cpus=, sockets=, and locality groups. For more information about locality groups, see Adding CPUs from a Locality Group to a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.
zonecfg:my-zone> add dedicated-cpu zonecfg:my-zone:dedicated-cpu> set cores=0-3 zonecfg:my-zone:dedicated-cpu> end
The device resource type is used to add virtual disks to a non-global zone's platform. The device resource type is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.
Properties:
The match property is only supported on solaris zones. For solaris-kz zones, use the storage property.
The device name to match can be a pattern to match or an absolute path. The following tokens are supported for the match and storage properties:
For kernel zones, the following properties can be set to true or false; the default is false:
The allow-partition property enables partitioning.
The allow-raw-io property enables uscsi.
The allow-mhd property enables multi-host disk control operations.
For more information about these resources, see the solaris(7), solaris-kz(7), and zonecfg(8) man pages.
In the following example, uscsi operations on a disk device are added to a solaris zone configuration.
zonecfg:my-zone> add device zonecfg:my-zone:device> set match=/dev/*dsk/cXtYdZ* zonecfg:my-zone:device> set allow-raw-io=true zonecfg:my-zone:device> end
Veritas Volume Manager devices are delegated to a non-global zone by using the add device command.
In the following example, a storage device is added to a solaris-kz zone:
zonecfg:my-zone> add device zonecfg:my-zone:device> set storage=iscsi:///luname.naa.600144f03d70c80000004ea57da10001 zonecfg:my-zone:device> set bootpri=0 zonecfg:my-zone:device> end
If using a zone configuration token for the storage property, when a new instance of the device resource type is added to a zone configuration, the system displays output similar to the following:
device 0:
storage.template: dev:/dev/zvol/dsk/%{global-rootzpool}/VARSHARE/zones/%{zonename}/disk%{id}
storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/kernel-zone1/disk0
id: 0
bootpri: 0
Because storage is the only property that has a default value, only this property contains a value in the info output displayed after adding the resource.
Caution - Before adding devices, review Device Use in Non-Global Zones in Creating and Using Oracle Solaris Zones and Privileges in a Non-Global Zone in Creating and Using Oracle Solaris Zones for restrictions and security concerns. |
Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource type specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones.
The quota command documented in the quota(8) man page cannot be used to retrieve quota information for UFS file systems added through the fs resource type.
Properties:
The fs resource type properties supply the values that determine how and where to mount file systems. The fs properties are defined as follows:
Specifies the mount point for the file system
Specifies mount options similar to those found with the mount command
Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)
Specifies the block special device name or directory from the global zone to mount
Specifies the file system type
The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type used is ZFS.
zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/shared/fs1 zonecfg:my-zone:fs> set special=pool1/fs1 zonecfg:my-zone:fs> set type=zfs zonecfg:my-zone:fs> end
For more information about parameters, see the following documentation:
Security Restrictions and File System Behavior in Creating and Using Oracle Solaris Zones
mount(8) man page
fsck(8) man page
Section 8 man pages for mount options of a specific file system. The names of these man pages have the form mount_filesystem(8), for example, mount_nfs(8).
The ib-vhca resource type automatically creates a temporary virtual InfiniBand HCA device for an exclusive-IP zone when the zone boots. The device is deleted when the zone halts.
Also see Managing Network Virtualization and Network Resources in Oracle Solaris 11.4.
Properties:
The ib-vhca resource type specifies the physical function (PF) that is used to allocate a virtual function (VF). The ib-vhca resource type is supported in Live Zone Reconfiguration of a kernel zone.
Unique identifier for the ib-vhca resource type.
Sets the physical InfiniBand device to use for configuration of the virtual InfiniBand device. To obtain the device name, use the ibadm command.
Use the port property to specify the allowable pkeys for the allocated VF.
The id value is used to uniquely identify the port resource. The id corresponds to the physical port number, which is typically 1 or 2.
Specifies the InfiniBand Partition key value. The pkey value can be either of the following:
The keyword auto - Use the auto keyword to automatically generate and assign a pkey value based on the over-hca value specified.
A comma-separated list of hexadecimal values - Do not use the 0x prefix to specify the hexadecimal value.
Specifies whether the virtual HCA can use Subnet Management Packets (SMPs). The default value, which does not have to be explicitly set, is off.
If the value of this property is on, SMPs are allowed for this virtual HCA.
When using the on setting, M_Keys should be set on fabric components.
If the value is off, SMPs cannot be used with this virtual HCA.
If the value is readonly, this virtual HCA can use query SMP operations, but not set operations.
Use the following steps to allocate a VF in a kernel zone:
Virtualize the PF by using the ibadm command as described in the ibadm(8) man page.
Use the zonecfg command to allocate a VF to a kernel zone. Note that a specific VF index is not specified. At boot time, an available VF is dynamically allocated from the specified PF to the kernel zone by the zoneadmd command. If a VF is not available, the resource allocation fails.
The following example adds an ib-vhca resource type to the running kernel zone for a device named dev0. This virtual HCA can only query Subnet Management Packets (SMP) operations. This virtual HCA cannot set operations.
global$ pfbash zonecfg -z zone-kz zonecfg:zone-kz> add ib-vhca zonecfg:zone-kz:ib-vhca> set over-hca=dev0 zonecfg:zone-kz:ib-vhca> set smi-enabled=readonly zonecfg:zone-kz:ib-vhca> end zonecfg:zone-kz>end global$ zonecfg -z zone-kz apply
Encryption key. Provides administrative access to the cryptographic key used for kernel zone suspend images and host data as described in the solaris-kz(7) man page.
Properties: raw
The value of the raw property cannot be set directly, except with the command_file mode.
The net resource type assigns an existing network interface in the global zone to the non-global zone. The network interface resource type is the interface name. Each zone can have network interfaces that are set up when the zone transitions from the installed state to the ready state.
Properties:
For a shared-IP zone, both the IP address and the physical device must be specified. Optionally, the default router can be set. For an exclusive-IP zone, only the physical interface must be specified.
The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.
The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks. Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone. Traffic from a zone with a default router will go out to the router before coming back to the destination zone.
When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.
In the following example for a shared-IP zone, the physical interface nge0 is added to the zone with an IP address of 192.168.0.1. To list the network interfaces on the system, type:
global$ ipadm show-if -po ifname,class,active,persistent lo0:loopback:yes:46-- nge0:ip:yes:----
Each line of the output, other than the loopback lines, will have the name of a network interface. Lines that contain loopback in the descriptions do not apply to cards. The 46 persistent flags indicate that the interface is configured persistently in the global zone. The yes active value indicates that the interface is currently configured, and the class value of ip indicates that nge0 is a non-loopback interface. The default route is set to 10.0.0.1 for the zone. Setting the defrouter property is optional. Note that ip-type=shared is required.
zonecfg:my-zone> set ip-type=shared zonecfg:my-zone> add net zonecfg:my-zone:net> set physical=vnic1 zonecfg:my-zone:net> set address=192.168.0.1 zonecfg:my-zone:net> set defrouter=10.0.0.1 zonecfg:my-zone:net> end
In the following example for an exclusive-IP zone, a VNIC is used for the physical interface, which is a VLAN. To determine which datalinks are available, use the command dladm show-link. The allowed-address property constrains the IP addresses that the zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.
zonecfg:my-zone> set ip-type=exclusive zonecfg:my-zone> add net zonecfg:my-zone:net> set allowed-address=10.1.1.32/24 zonecfg:my-zone:net> set physical=vnic1 zonecfg:my-zone:net> set defrouter=10.1.1.1 zonecfg:my-zone:net> end
Only the physical device type will be specified in the add net step. The physical property can be a VNIC.
Provides N_Port_ID Virtualization (NPIV) support in Oracle Solaris zones and Oracle Solaris 10 Zones.
Properties: over-hba, virtual-port-wwn
The npiv resource type is used to configure zones that have NPIV fibre channel devices as back-end storage for the zone root file system, and use other devices for data.
Disks visible through the NPIV port are also visible inside the zone. Disks added to the fabric are visible automatically from within the zone. Disks removed from the fabric are automatically removed from the zone view.
The virtual-port-wwn and over-hba properties are both optional.
The virtual-port-wwn property contains the port world wide name (PWWN) for the npiv port to be created. The port is automatically generated if not specified by users. To override the default virtual-port-wwn property value, use the following command from inside the npiv resource scope:
zonecfg:my-zone:npiv> set virtual-port-wwn=World-Wide-Name
The zonecfg command verifies that the string is valid.
The following example delegates two npiv resources to the zone. The two npiv ports are automatically created during zone installation.
zonecfg:my-zone> add npiv zonecfg:my-zone:npiv> set virtual-port-wwn=2100000000000001 zonecfg:my-zone:npiv> set over-hba=c9 zonecfg:my-zone:npiv> end zonecfg:my-zone> add npiv zonecfg:my-zone:npiv> end
The rctl resource type is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.
See Setting Zone-Wide Resource Controls for more information.
Properties: name, value
The following zone-wide resource controls are available.
The simplest method to set a zone-wide resource control is to use the global property name instead of the rctl resource control name, as shown in How to Create and Deploy a Non-Global Zone in Creating and Using Oracle Solaris Zones. If zone-wide resource control entries in a zone are configured by using the zonecfg add rctl command, the format is different than resource control entries made in the project database. In a zone configuration, an rctl resource consists of three name-value pairs. The names are priv, limit, and action. Each name takes a simple value. For example:
zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.cpu-shares zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none) zonecfg:my-zone:rctl> end
For general information about resource controls and attributes, see Chapter 6, About Resource Controls in Administering Resource Management in Oracle Solaris 11.4 and Resource Controls Used in Non-Global Zones in Creating and Using Oracle Solaris Zones.
Identify the storage object URI to provide a dedicated ZFS storage pool (zpool) for zone installation.
Properties: storage
The optional rootzpool resource type is used to create a dedicated ZFS storage pool for zone installation for solaris brand zones. The zone root zpool can be hosted on shared storage devices defined by one or more Universal Resource Identifiers (URIs). The required storage property identifies the storage object URI to contain the root zfs file system for a zone.
Only one rootzpool resource can be defined for a given zone. The storage is automatically configured for the zone when the zone is booted.
The corresponding zpools are automatically created or imported during zone installation or zone attach operations. To reuse a pre-created zpool for a zone installation, the zpool must be exported from the system. The name my-zone_rpool is assigned. For both the rootzpool and zpool resource types, you can automatically create zpool mirrors as soon as the zone is installed. For more information, see Chapter 12, Oracle Solaris Zones on Shared Storage in Creating and Using Oracle Solaris Zones.
The storage property supports the following URI types:
Local device path URI. Formats are as follows:
dev:local-path-under-/dev dev://absolute-path-with-dev dev:absolute-path-with-dev
Examples:
dev:dsk/c7t0d0s0 dev:///dev/dsk/c7t0d0s0 dev:/dev/dsk/c7t0d0s0 dev:chassis/SYS/HD1/disk
Fibre Channel (FC) and Serial Attached SCSI (SAS). Formats are as follows:
lu:luname.naa.ID lu:luname.eui.ID lu:initiator.naa.ID,target.naa.ID,luname.naa.ID lu:initiator.naa.ID,target.naa.ID,luname.eui.ID
Examples:
lu:luname.naa.5000c5000288fa25 lu:luname.eui.0021280001cf80f6 lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.naa.5000c5000288fa25 lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.eui.0021280001cf80f6
iSCSI URI. Formats are as follows:
iscsi:///luname.naa.ID iscsi:///luname.eui.ID iscsi://host[:port]/luname.naa.ID iscsi://host[:port]/luname.eui.ID iscsi:///target.IQN,lun.LUN iscsi://host[:port]/target.IQN,lun.LUN
Examples:
iscsi:///luname.eui.0021280001cf80f6 iscsi:///luname.naa.600144f03d70c80000004ea57da10001 iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001 iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001 iscsi://hostname:1234/luname.eui.0021280001cf80f6 iscsi://hostname:3260/luname.naa.600144f03d70c80000004ea57da10001 iscsi://127.0.0.1/target.iqn.com.sun:02:d0f2d311-f703,lun.0 iscsi:///target.iqn.com.sun:02:d0f2d311-f703,lun.6 iscsi://[::1]:1234/target.iqn.com.sun:02:d0f2d311-f703,lun.2 iscsi://hostname:1234/target.iqn.com.sun:4db41b76-e3d7-cd2f-bf2d-9abef784d76c,lun.0
The following configuration example adds a rootzpool resource with two storage devices, for creating a mirrored configuration:
zonecfg:my-zone> add rootzpool zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t1d0 zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t3d0 zonecfg:my-zone:rootzpool> end
When the zone is uninstalled or detached, the following actions take place:
The corresponding zpools are automatically exported or destroyed.
The storage resources are automatically unconfigured.
The suriadm tool is used to administer shared objects that are based on storage URIs. For information about IDs, the Name Address Authority (NAA), and obtaining URIs for existing storage objects, see the suriadm(8) and suri(7) man pages.
The set of Oracle Solaris Service Management Facility (SMF) Fault Management Resource Identifiers (FMRIs) that establish the dependencies for the zone are defined in the smf-dependency resource type.
Properties: fmri, name, grouping
global$ pfbash zonecfg -z my-zone zonecfg:my-zone> add smf-dependency zonecfg:my-zone> set name=firewall zonecfg:my-zone> set fmri=svc:/system/zones/zone:appfirewall zonecfg:my-zone> set fmri=svc:/system/zones/zone:appnat zonecfg:my-zone> set grouping=require_any zonecfg:my-zone> end zonecfg:my-zone> exit
All SMF dependencies for a zone will be of type service and have restart_on set to none.
For more information, see Zones and the Service Management Facility in Creating and Using Oracle Solaris Zones and the zonecfg(8) man page.
The verified-boot resource type controls a kernel zone's boot policy and certificate settings. The properties are:
The cert property specifies the location of the elfsign(1) X.509 public key certificate on the system. You specify the certificate location with a URI of the X.509 cert file. For a local file, the certificate must be located in the global zone's file system. For remote URIs, the URI must be accessible from the global zone.
Use the add subcommand to add a certificate. You can add up to seven certificates on each kernel zone.
The policy property regulates the verification of the unix, genunix and other kernel modules. The possible values for this property are as follows:
Prints a warning message if elfsign signature verification fails. The kernel module does not load.
No action occurs if elfsign signature verification fails.
Note: A verified-boot resource is not enabled if the policy value is set to none.
Prints a warning message if elfsign verification fails. This is the default value.
This example creates the kernel zone kz1 on the system global. The verified-boot policy value is set to enforce. This directs the kernel to not boot if boot file signature verification fails and to print an error message on failure.
global$ pfbash zonecfg -z kz1 kz1: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:kz1> create -t SYSsolaris-kz zonecfg:kz1> set zonepath=/rpool/zones/kz1 zonecfg:kz1> set autoboot=true zonecfg:kz1> add verified-boot zonecfg:kz1:verified-boot> set policy=enforce zonecfg:kz1:verified-boot> end zonecfg:kz1> verify zonecfg:kz1> commit zonecfg:kz1> exitExample 8 Configuring Kernel Zone Verified Boot With Multiple Certificates
This example demonstrates adding a verified-boot resource to an already-configured kernel zone kz2 on the host system global. Two certificates are added to the configuration.
global$ pfbash zonecfg -z kz2
zonecfg:kz2> add verified-boot
zonecfg:kz2:verified-boot> set policy=warning
zonecfg:kz2:verified-boot> add cert file:///etc/certs/elfsign/SOLARIS-KZ
zonecfg:kz2:verified-boot> add cert http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> info
verified-boot:
policy: warning
cert: file:///etc/certs/elfsign/SOLARIS-KZ
cert: http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> end
zonecfg:kz2> verify
zonecfg:kz2> commit
Use the virtual-cpu resource to set the number of kernel zone virtual CPUs (VCPUs) if you want to assign a number other than the default. The resource dedicates a subset of the system's processors to the zone while it is running. The virtual-cpu resource provides limits for ncpus.
Properties: ncpus
The default kernel zone configuration has 4 VCPUs. Each virtual-cpu can use up to 1 host CPU of compute power, but could get less if there is contention for host CPU resources. The host CPUs allocated to the kernel zone are defined by the ncpus value. You can add more CPUs to the kernel zone by adding the virtual-cpu property.
If a kernel zone is in a pool that was created by using either the dedicated-cpu resource type or the pool global property, then the number of virtual CPUs created match the size of that pool. VCPUs are not sized based on the number of FSS shares.
If CPU resources are shared between a number of consumers, there might be periods of time when the host system "de-schedules" all or part of the kernel zone.
Stolen time indicates the time when the kernel zone cannot run because the host might be using CPU resources for other purposes. The CPU accounting state CMS_STOLEN displays the time a CPU spends in this state. The time is always zero for hosts running on physical hardware. For CPUs running as part of a kernel zone, a non-zero value of this state reflects the amount of time a virtual CPU did not actually have access to a physical CPU. Stolen time is reported by the zonestat, mpstat, iostat, and vmstat commands and by other utilities.
Specifies the number of CPUs.
The following example specifies 3 CPUs for the zone.
zonecfg:my-zone> add virtual-cpu zonecfg:my-zone:dedicated-cpu> set ncpus=3 ; end
Define one or more storage object URIs to delegate a zpool to the zone.
Properties: name, storage
A zpool can be delegated to a non-global zone by configuring the optional zpool resource in the zonecfg utility. The zpool is automatically configured for the zone when it is booted. The corresponding zpools are automatically created or imported during zone installation or zone attach operations. A zone configuration can have one or more zpool resources.
The name property is mandatory for the zpool resource. The property is used in the name for a zpool delegated to the zone. The ZFS file system name component cannot contain a forward slash (/).
The assigned name of the newly created or imported zpool is the value of the name property. This is the zpool name visible inside the non-global zone. The assigned name of the newly created or imported zpool name has the form zonename_zpool-name when displayed from the global zone.
The allowed values for the name property are defined in the zpool(8) man page.
The required storage property identifies the storage object URI associated with this resource.
The storage property is managed using the following settings in the zpool resource scope:
add storage URI string
remove storage URI string
For information about URIs and the allowed values for the storage property, see rootzpool Resource Type (solaris and solaris10 Only).
When the zone is uninstalled or detached, the following actions take place:
The corresponding zpools are automatically exported or destroyed.
The storage resources are automatically unconfigured.
In the following example, a zpool storage resource is delegated to the zone. The zpool is automatically created, or a previously created zpool is imported during installation. The name of the zpool is pool1.
zonecfg:my-zone> add zpool zonecfg:my-zone:zpool> set name=pool1 zonecfg:my-zone:zpool> add storage dev:dsk/c4t2d0 zonecfg:my-zone:zpool> add storage dev:dsk/c4t4d0 ; end