Go to main content

Oracle® Solaris Zones Configuration Resources

Exit Print View

Updated: October 2019
 
 

Zone Resource Types and Their Properties

The following sections describe the resource types and resource type properties of a zone. See also the zonecfg(8) man page.


Tip  -  You can use the export subcommand to print a zone configuration to standard output. The configuration is saved in a form that can be used in a command file.

For information about which resource types and their properties support Live Zone Reconfiguration in non-global and kernel zones, see Resource Types and Global Properties That Support Live Zone Reconfiguration.

admin Resource Type

The admin setting allows you to set zone administration authorization. Note that these auths do not allow you to create a zone. This capability is included in the Zone Security rights profile. For details about the Zone rights profiles, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones.

Properties: name, auths, user

user Property

Specify the user name.

auths Property

Specify the authorizations for the user name.

The values for the auths property are as follows:

clone (solaris.zone.clonefrom)

This authorization allows the specified zone to be used as a source from which to clone a new zone. Subcommands that make a copy of another zone require the authorization solaris.zone.clonefrom/source_zone.

config (solaris.zone.config)

This authorization allows modification of the persistent configuration of the zone by using the authorization solaris.zone.config/zonename.

liveconfig (solaris.zone.liveconfig)

This authorization allows inspection and modification of the live zone configuration by using the authorization solaris.zone.liveconfig/zonename. For more information about the live zone configuration, see Live Zone Reconfiguration of Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and Live Zone Reconfiguration of Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.

login (solaris.zone.login)

This authorization allows authenticated use of zlogin into this zone. The authorization solaris.zone.login/zonename is required for interactive logins. Password authentication takes place in the zone. For more information, see the zlogin(1) man page.

manage (solaris.zone.manage)

This authorization allows normal management of the configured zone. For non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.

migrate (solaris.zone.migrate)

This authorization allows a user to perform all types of migration, cold, warm, and live, for a specific zone.

migrate.cold (solaris.zone.migrate.cold)

This authorization allows a user to do cold and warm migration of a specific zone.


Note -  When migrating a kernel zone using authorizations set through the admin resource type on the source system, the zone configuration must be pre-defined on the target system for the migration to succeed.

For examples, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones and Rights Required to Perform Kernel Zone Migrations in Creating and Using Oracle Solaris Kernel Zones.

For more information about authorizations, see the auths(1), auth_attr(5), and user_attr(5) man pages.

anet Resource Type

The anet resource type automatically creates a temporary VNIC interface for the exclusive-IP zone when the zone boots. The VNIC is deleted when the zone halts.

Properties:

  • allowed-address
  • allowed-dhcp-cids
  • allowed-mac-address
  • allowed-vlan-ids
  • auto-mac-address
  • autopush
  • bwshare
  • configure-allowed-address
  • cos
  • defrouter
  • etsbw-lcl
  • evs
  • id
  • iov
  • linkmode (IPoIB)
  • link-protection
  • linkname
  • lower-link (IPoIB)
  • mac (solaris-kz only)
  • mac-address (non-IPoIB)
  • mac-prefix (non-IPoIB)
  • mac-slot (non-IPoIB)
  • maxbw
  • mtu
  • pkey (IPoIB)
  • priority
  • ring-group
  • rxfanout
  • rxrings
  • txrings
  • vlan (solaris-kz only)
  • vlan-id (non-IPoIB)
  • vport
  • vsi-mgrid
  • vsi-typeid
  • vsi-vers

For descriptions of these properties, see the zonecfg(8) man page.

For solaris-kz zones only, in addition to static configuration of anet MAC addresses and VLAN IDs, there is dynamic MAC address and VLAN ID configuration. A zone can push the MAC address and VLAN ID it requires to the host, and VNIC creation succeeds in this address.


Note -  Dynamic configuration cannot be used on single root I/O-based anet configurations, which have the iov property set to on.

To determine which MAC prefixes and VLAN IDs are allowed, use the dladm show-phys command with the –o option:

global$ dladm show-phys -o link,media,device,allowed-addresses,allowed-vids
LINK   MEDIA       DEVICE   ALLOWED-ADDRESSES   ALLOWED-VIDS
net0   Ethernet    zvnet0   fa:16:3f,           100-199,
                            fa:80:20:21:22      400-498,500
  • The allowed-mac-address property of the anet resource type provides a set of MAC address prefixes. A kernel zone can create a VNIC with a MAC address that is one of the MAC address prefixes in the allowed-mac-address list. These prefixes can be 1 to 5 octets in length.

    zonecfg:my-kernelzone> add anet
    zonecfg:my-kernelzone:anet> add mac
    zonecfg:my-kernelzone:anet:mac> add allowed-mac-address fa:16:3f
    zonecfg:my-kernelzone:anet:mac> add allowed-mac-address fa:80:20:21:22
    zonecfg:my-kernelzone:anet:mac> end
    zonecfg:my-kernelzone:anet> end

    The allowed-mac-address property does not affect the mac-address property. The allowed-mac-address property controls the additional MAC addresses for the anet resource type.

    You can also use the special keyword any to match any MAC address.

  • The allowed-vlan-ids property of the anet resource type specifies the range of VLAN IDs that can be dynamically configured for that anet. Setting allowed-vlan-ids to the special keyword any allows the zone to use any valid VLAN ID.

    zonecfg:my-kernelzone> add anet
    zonecfg:my-kernelzone:anet> add vlan
    zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 100-199
    zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 400-498
    zonecfg:my-kernelzone:anet:vlan> add allowed-vlan-ids 500
    zonecfg:my-kernelzone:anet:vlan> end
    zonecfg:my-kernelzone:anet> end

    The allowed-vlan-ids property does not affect the anet vlan-id property. The allowed-vlan-ids property only controls the additional VLAN IDs for the anet resource type.

For solaris-kz zones only, you can create and administer single root I/O (SR-IOV) NIC virtual functions (VF) on kernel zones by using the iov property of the anet resource type. Do not set the iov property to auto or on if any of the following properties are set:

  • allowed-address
  • allowed-dhcp-cids
  • configure-allowed-address
  • cos
  • defrouter
  • etsbw-lcl
  • evs
  • link-protection
  • max-bw
  • mtu
  • priority
  • rx-fanout
  • rx-rings
  • vlan-id
  • ring-group
  • vport
  • vsi-mgrid
  • vsi-typeid
  • vsi-vers

If the iov property is already set to auto or on, then setting any of these properties fails.

For examples and more information, see Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and the zonecfg(8) man page.


Note -  For kernel zone warm migrations, unless both the operating system instance and the kernel zone are running Oracle Solaris 11.4, suspend and resume operations are not supported if the zonecfg iov property is set to auto or on. For further information about kernel zone suspend and resume operations, see Using Warm Migration to Migrate a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.

For solaris zones only, do not use the zonecfg utility to set the following anet properties for IPoIB datalinks.

  • mac-address
  • mac-prefix
  • mac-slot
  • vlan-id

For non-IPoIB datalinks, do not use the zonecfg utility to set the following anet properties.

  • link-mode
  • pkey

For an EVS anet resource, set only the following properties:

  • configure-allowed-address
  • evs
  • linkname
  • vport

The anet resource type creates an automatic VNIC interface or an IPoIB interface when the zone boots, and deletes the VNIC or IPoIB interface when the zone halts.


Note -  The solaris-kz brand does not support IPoIB.
allowed-address Property

Configure an IP address for the exclusive-IP zone and also limit the set of configurable IP addresses that can be used by an exclusive-IP zone. To specify multiple addresses, use a list of comma-separated IP addresses.

autopush Property

Set to support the dladm link property autopush.

The following example automatically pushes the ipsecah streams module onto net0 when the IP interface is plumbed inside the zone:

global$ pfbash zonecfg -z my-zone
zonecfg:my-zone> select anet linkname=net0
zonecfg:my-zone:anet> set autopush=ipsecah
zonecfg:my-zone:anet> end
zonecfg:my-zone> exit

If multiple modules are listed, they are pushed in the order specified.

zonecfg:my-zone:anet> set autopush="ipsecah ipsecesp"
defrouter Property

The defrouter property is used to set a default route when the non-global zone and the global zone reside on separate networks.

Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone.

etsbw-lcl Property

Indicates the ETS bandwidth on the TX side. See the dladm(8) man page for more information about this property.

iov Property

See Managing Single-Root I/O NIC Virtualization on Kernel Zones in Creating and Using Oracle Solaris Kernel Zones. For specific information about shadow VNICS used to provide network statistics, see Using Virtual Functions and Shadow VNICs With Kernel Zones in Creating and Using Oracle Solaris Kernel Zones.

lower-link Property

Specifies the underlying link for the link to be created. When set to auto, the zoneadmd daemon automatically chooses the link over which the VNIC is created each time the zone boots. You can specify any link on which you can create a VNIC as the lower-link for an anet resource.

All IPoIB links are skipped when selecting the datalink for creating the VNIC automatically during boot.

link-mode Property (IPoIB only)

Sets the link-mode for the datalink interface. The default value is cm. Valid values are as follows:

cm (the default)

Connected Mode. This mode uses a default MTU of 65520 bytes. and supports a maximum MTU of 65535 bytes.

ud

Unreliable Datagram Mode. If Connected Mode is not available for a remote node, Unreliable Datagram mode is automatically used instead. This mode uses a default MTU of 2044 and supports a maximum MTU of 4092 bytes.

linkname Property

Specify a name for the automatically created VNIC interface or IPoIB interface. Note that solaris-kz does not support IPoIB.

mac-address Property (not for IPoIB)

Set the VNIC MAC address based on the specified value or keyword. If the value is not a keyword, it is interpreted as a unicast MAC address. See the zonecfg(8) man page for supported keywords.

f a random MAC address is selected, the generated address is preserved across zone boots, and zone detach and attach operations. When the default policy auto-mac-address is used, Oracle Solaris Zones can obtain a random mac-address.

pkey Property (IPoIB only)

Sets the partition key to be used for creating the IPoIB datalink interface. This property is mandatory. The specified pkey is always treated as hexadecimal, whether or not it has the 0x prefix.

ring-group Property

Set this property to allow a zone to use the hardware ring group capability of the Ethernet link. The possible values for this property are as follows:

auto

The system determines whether exclusive or shared is used on a particular lower-link. This is the default value.

exclusive

Use an exclusive hardware ring group. If an exclusive hardware ring group is not available, anet creation fails.

shared

Do not use a dedicated hardware ring group.

vlan-id Property (not for IPoIB)

Enable VLAN or PVLAN tagging for this VNIC and specify an ID for the VLAN tag. There is no default value. If this property is not set, the VNIC does not participate in any VLAN.


Note -  The vlan-id property is not supported on IPoIB datalinks.

See the dladm(8) man page for the supported VLAN ID format.

When the zonecfg command creates a zone by using the SYSdefault template, an anet resource with the following properties is automatically included in the zone configuration if no other IP resources are set. The linkname is automatically created over the physical Ethernet link and set to the first available name of the form netN, netX. To change the default values, use the zonecfg command.

When the default policy auto is used, an appropriate mac-address is assigned as follows:

  • Oracle Solaris zones – Random mac-address

  • Oracle Solaris kernel zones – Random mac-address

  • Oracle Solaris zones under a kernel zone – Factory mac-address

  • Oracle VM Server for SPARC guest domains – Factory mac-address

  • Oracle Solaris kernel zones running on an Oracle VM Server for SPARC guest domain – Factory mac-address

The default policy creates an automatic VNIC over the physical Ethernet link, for example, net0, and assigns the MAC address to the VNIC. The optional lower-link property is set to the underlying link, vnic1, over which the automatic VNIC is to be created. VNIC properties such as the link name, underlying physical link, MAC address, bandwidth limit, as well as other VNIC properties, can be specified by using the zonecfg command.


Note -  The ip-type=exclusive property must also be specified.
zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set linkname=net0
zonecfg:my-zone:anet> set lower-link=auto
zonecfg:my-zone:anet> set mac-address=random
zonecfg:my-zone:anet> set link-protection=mac-nospoof
zonecfg:my-zone:anet> end

The following example shows a solaris brand zone configured with an IPoIB datalink interface over the physical link net5 with the IB partition key 0xffff.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone:anet> add anet
zonecfg:my-zone:anet> set linkname=ib0
zonecfg:my-zone:anet> set lower-link=net5
zonecfg:my-zone:anet> set pkey=0xffff
zonecfg:my-zone:anet> end

The following example shows how to configure VLANs with zones. The vlan-id property is not supported on IPoIB datalinks.

zonecfg:my-zone:anet> add anet
zonecfg:my-zone:anet> set linkname=net0
zonecfg:my-zone:anet> set lower-link=net0
zonecfg:my-zone:anet> set vlan-id=101
zonecfg:my-zone:anet> end

A kernel zone can serve as the global zone to solaris non-global zones. For information about managing solaris zones in kernel zones, see Managing Non-Global Zones in Kernel Zones in Creating and Using Oracle Solaris Kernel Zones, and How to Add Multiple MAC Addresses to a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.

For more information about properties, see the zonecfg(8) man page. For additional information about the link properties, see the dladm(8) man page.

attr Resource Type

This generic attribute can be used for user comments or by other subsystems. The name property of an attr must begin with an alphanumeric character. The name property can contain alphanumeric characters, hyphens (-), and periods (.). Attribute names beginning with zone. are reserved for use by the system.

Properties: name, type, value

In the following example, a comment about a zone is added.

zonecfg:my-zone> add attr
zonecfg:my-zone:attr> set name=comment
zonecfg:my-zone:attr> set type=string
zonecfg:my-zone:attr> set value="Production zone"
zonecfg:my-zone:attr> end

For more information, see How to Create and Deploy a Non-Global Zone in Creating and Using Oracle Solaris Zones.

capped-cpu Resource Type

The capped-cpu resource type provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone.

Properties: ncpus


Note -  The capped-cpu resource type and the dedicated-cpu resource type are incompatible.

When used in conjunction with processor sets, CPU caps limit CPU usage within a set. This resource sets a limit on the amount of CPU resources that can be consumed by the zone while it is running.


Note -  When setting the capped-cpu resource type, you can use a decimal number for the unit. The value correlates to the zone.cpu-cap resource control, but the setting is scaled down by 100. A setting of 1 is equivalent to a setting of 100 for the resource control.
ncpus Property

Specifies the limit on CPU usage as a positive decimal with two digits to the right of the decimal, which corresponds to units of CPUs. A value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system. The property does not accept a range.


Note -  Applications that auto-size and automatically scale to the number of available CPUs might not recognize a capped-cpu restriction. Seeing all CPUs as available can adversely affect scaling and performance in applications such as the Oracle database and Java virtual machines (JVM). It can appear that the application is not working or usable. The JVM should not be used with capped-cpu if performance is critical. Applications in affected categories can use the dedicated-cpu resource type.

The following example specifies a CPU cap of 3.5 CPUs for the zone.

zonecfg:my-zone> add capped-cpu
zonecfg:my-zone:capped-cpu> set ncpus=3.5
zonecfg:my-zone:capped-cpu> end

capped-memory Resource Type

This resource type groups the properties used when capping memory for the zone. To use the capped-memory resource type, the service/resource-cap package must be installed in the global zone.

Properties:

  • locked
  • pagesize-policy (solaris-kz only)
  • physical
  • swap
  • For solaris zones only, the capped-memory resource type provides limits for physical, swap, and locked memory. At least one of these properties must be specified.

    The following example specifies the memory limits for the zone. Each limit is optional, but at least one limit must be set.

    zonecfg:my-zone> add capped-memory
    zonecfg:my-zone:capped-memory> set physical=50m
    zonecfg:my-zone:capped-memory> set swap=100m
    zonecfg:my-zone:capped-memory> set locked=30m
    zonecfg:my-zonee:capped-memory> end
  • For solaris-kz zones only, the capped-memory resource type provides limits for physical memory. The pagesize-policy specifies the policy for using large pages for physical memory.

    The values for the pagesize-policy property are as follows:

    largest-available

    Provide the largest possible page size, scaling down the page size if the system cannot allocate all physical memory with a particular page size. The priority is to boot the zone.

    largest-only

    Allocate only the largest possible page size for the kernel zone's physical memory. If all the pages are not assigned, the zone cannot be booted.

    smallest-only

    Choose the lowest allowable page size required to boot the kernel zone for the particular platform.

    The following example specifies the memory limits for the zone by using the physical and pagesize-policy properties.

    zonecfg:my-kz> add capped-memory
    zonecfg:my-kz:capped-memory> set physical=4g
    zonecfg:my-kz:capped-memory> set pagesize-policy=largest-available
    zonecfg:my-kz:capped-memory> end

    If a kernel zone pagesize-policy property is cleared or not set, the zone uses the lowest allowable page size required to boot on the particular platform on which it is running. You must clear pagesize-policy if you want to migrate a kernel zone that was created in Oracle Solaris 11.4 to an earlier Oracle Solaris release that does not support the pagesize-policy property, such as the initial release of Oracle Solaris 11.3.

dataset Resource Type (solaris and solaris10 Only)

The only dataset type you can use with a dataset resource is a ZFS file system. Add a ZFS dataset resource to enable the delegation of storage administration to a non-global zone.

Properties: name, alias


Note -  Use the device resource type instead of the dataset resource type in kernel zones.

After a dataset is delegated to a non-global zone, the zoned property is automatically set. A zoned file system cannot be mounted in the global zone because the zone administrator might have to set the mount point to an unacceptable value.

    The zone administrator can perform the following storage administration tasks:

  • Create and destroy file systems within that dataset

  • Modify properties of the dataset

  • Create child file systems and clones of its descendants

The zone administrator cannot affect datasets that have not been added to the zone or exceed any top level quotas set on the dataset assigned to the zone.

ZFS datasets can be added to a zone in the following ways.

  • As an lofs mounted file system, when the goal is solely to share space with the global zone

  • As a delegated dataset

When the zonecfg template property is used, if a rootzpool resource type is not specified, the default zonepath dataset is rootpool/VARSHARE/zones/zonename. The dataset is created by the svc-zones service with a mountpoint /system/zones. The remaining properties are inherited from rootpool/VARSHARE/zones/.

For more information, see Chapter 10, Oracle Solaris ZFS Advanced Topics in Managing ZFS File Systems in Oracle Solaris 11.4, File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones and the datasets(7) man page.

For information about dataset issues, see Chapter 11, Troubleshooting Miscellaneous Oracle Solaris Zones Problems in Creating and Using Oracle Solaris Zones.

The lines in the following example specify that the dataset sales is to be visible and mounted in the non-global zone and no longer visible in the global zone.

zonecfg:my-zone> add dataset
zonecfg:my-zone> set name=tank/sales
zonecfg:my-zone> end

A delegated dataset can have a non-default alias as shown in the following example. Note that a dataset alias cannot contain a forward slash (/).

zonecfg:my-zone> add dataset
zonecfg:my-zone:dataset> set name=tank/sales
zonecfg:my-zone:dataset> set alias=data
zonecfg:my-zone:dataset> end

The %{zonename} token can be used for the name property.

To revert to the default alias, use the clear alias command.

zonecfg:my-zone> clear alias

dedicated-cpu Resource Type

This resource type dedicates a subset of the system's processors to the zone while it is running. When the zone boots, the system dynamically creates a temporary pool for use while the zone is running. With specification in zonecfg, pool settings propagate during migrations.


Note -  The dedicated-cpu resource type is incompatible with the capped-cpu resource type and with the cpu-shares resource control.

Properties:

  • cores
  • cpus
  • importance
  • ncpus
  • sockets

The dedicated-cpu resource type provides limits for ncpus and, optionally, importance. It also sets persistent dedicated-cpu resources for cores, cpus, and sockets.

cores Property

Assign specific cores to zone persistently.

cpus Property

Assign specific CPUs to a zone persistently.

importance Property

If you are using a CPU range to achieve dynamic behavior, also set the importance property. The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold.

If the poold service is not running, then the importance property is ignored. If poold is running and importance is not set, the importance default is 1. For more information, see pool.importance Property Constraint in Administering Resource Management in Oracle Solaris 11.4.

ncpus Property

Specify the number of CPUs or specify a range, such as 2-4 CPUs.

If you specify a range because you want dynamic resource pool behavior, also do the following:

sockets Property

Assign specified number of sockets persistently.

To eliminate inconsistent results across host reboots, use dedicated-cpu:cpus to specify the exact CPUs to use. Use the dedicated-cpu resource type instead of the automatic virtual-cpu resource type, which can only specify ncpus.


Note -  Applications that auto-size and automatically scale to the number of available CPUs might not recognize a capped-cpu restriction. Seeing all CPUs as available can adversely affect scaling and performance in applications such as the Oracle database and Java virtual machines (JVM). It can appear that the application is not working or not usable. The JVM should not be used with capped-cpu if performance is critical. Applications in affected categories can use the dedicated-cpu resource type.

The following example specifies a CPU range for use by the zone and sets the importance level.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-3
zonecfg:my-zone:dedicated-cpu> set importance=2
zonecfg:my-zone:dedicated-cpu> end

The following output shows the granularity of assigning core, cpu, socket, and a locality groups to a zone:

global$ psrinfo -tL
socket: 0 (lgroups: 1, 0)
  core: 0
    cpus: 0-7
  core: 1
    cpus: 8-15
  core: 2
    cpus: 16-23
  core: 3
    cpus: 24-31 
...
  core: 7
    cpus: 56-63
socket: 1 (lgroups: 2, 0)
  core: 8
    cpus: 64-71
...
  core: 15
    cpus: 120-127 

The following example persistently assigns cores 0, 1, 2, and 3 as a range to the zone. The example could potentially also have set values for cpus=, sockets=, and locality groups. For more information about locality groups, see Adding CPUs from a Locality Group to a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set cores=0-3
zonecfg:my-zone:dedicated-cpu> end

device Resource Type

The device resource type is used to add virtual disks to a non-global zone's platform. The device resource type is the device matching specifier. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.


Note -  To use UFS file systems in a non-global zone through the device resource type, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

Properties:

  • allow-mhd
  • allow-partition
  • allow-raw-io
  • match (solaris only)
  • storage

The match property is only supported on solaris zones. For solaris-kz zones, use the storage property.

The device name to match can be a pattern to match or an absolute path. The following tokens are supported for the match and storage properties:

  • %{zonename}
  • %{id}
  • %{global-rootzpool}

    For kernel zones, the following properties can be set to true or false; the default is false:

  • The allow-partition property enables partitioning.

  • The allow-raw-io property enables uscsi.

  • The allow-mhd property enables multi-host disk control operations.

For more information about these resources, see the solaris(7), solaris-kz(7), and zonecfg(8) man pages.


Note -  Do not use the match resource property for solaris-kz zones.. Use the storage property. The storage property and storage URI are used to specify disk LUNs for kernel zones. In existing zone configurations, The match property is converted to storage automatically.

In the following example, uscsi operations on a disk device are added to a solaris zone configuration.

zonecfg:my-zone> add device
zonecfg:my-zone:device> set match=/dev/*dsk/cXtYdZ*
zonecfg:my-zone:device> set allow-raw-io=true
zonecfg:my-zone:device> end

Veritas Volume Manager devices are delegated to a non-global zone by using the add device command.

In the following example, a storage device is added to a solaris-kz zone:

zonecfg:my-zone> add device
zonecfg:my-zone:device> set storage=iscsi:///luname.naa.600144f03d70c80000004ea57da10001
zonecfg:my-zone:device> set bootpri=0
zonecfg:my-zone:device> end

If using a zone configuration token for the storage property, when a new instance of the device resource type is added to a zone configuration, the system displays output similar to the following:

    device 0:
        storage.template: dev:/dev/zvol/dsk/%{global-rootzpool}/VARSHARE/zones/%{zonename}/disk%{id}
        storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/kernel-zone1/disk0
        id: 0
        bootpri: 0

Because storage is the only property that has a default value, only this property contains a value in the info output displayed after adding the resource.

fs Resource Type

Each zone can have various file systems that are mounted when the zone transitions from the installed state to the ready state. The file system resource type specifies the path to the file system mount point. For more information about the use of file systems in zones, see File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones.


Note -  To use UFS file systems in a non-global zone through the fs resource type, the system/file-system/ufs package must be installed into the zone after installation or through the AI manifest script.

The quota command documented in the quota(8) man page cannot be used to retrieve quota information for UFS file systems added through the fs resource type.


Properties:

  • dir
  • options
  • raw
  • special
  • type

The fs resource type properties supply the values that determine how and where to mount file systems. The fs properties are defined as follows:

dir Property

Specifies the mount point for the file system

options Property

Specifies mount options similar to those found with the mount command

raw Property

Specifies the raw device on which to run fsck before mounting the file system (not applicable to ZFS)

special Property

Specifies the block special device name or directory from the global zone to mount

type Property

Specifies the file system type

The lines in the following example specify that the dataset named pool1/fs1 in the global zone is to be mounted as /shared/fs1 in a zone being configured. The file system type used is ZFS.

zonecfg:my-zone> add fs
zonecfg:my-zone:fs> set dir=/shared/fs1
zonecfg:my-zone:fs> set special=pool1/fs1
zonecfg:my-zone:fs> set type=zfs
zonecfg:my-zone:fs> end

Note -  The quota command documented in the quota(8) man page cannot be used to retrieve quota information for UFS file systems added through this resource type.

ib-vhca Resource Type (solaris-kz Only)

The ib-vhca resource type automatically creates a temporary virtual InfiniBand HCA device for an exclusive-IP zone when the zone boots. The device is deleted when the zone halts.

Also see Managing Network Virtualization and Network Resources in Oracle Solaris 11.4.

Properties:

  • id
  • over-hca
  • port
  • smi-enabled

The ib-vhca resource type specifies the physical function (PF) that is used to allocate a virtual function (VF). The ib-vhca resource type is supported in Live Zone Reconfiguration of a kernel zone.

id Property

Unique identifier for the ib-vhca resource type.

over-hca Property

Sets the physical InfiniBand device to use for configuration of the virtual InfiniBand device. To obtain the device name, use the ibadm command.

port Property

Use the port property to specify the allowable pkeys for the allocated VF..

id Value

The id value is used to uniquely identify the port resource. The id corresponds to the physical port number, which is typically 1 or 2.

pkey Value

Specifies the InfiniBand Partition key value. The pkey value can be either of the following:

  • The keyword auto - Use the auto keyword to automatically generate and assign a pkey value based on the over-hca value specified.

  • A comma-separated list of hexadecimal values - Do not use the 0x prefix to specify the hexadecimal value.

smi-enabled Property

Specifies whether the virtual HCA can use Subnet Management Packets (SMPs). The default value, which does not have to be explicitly set, is off.

  • If the value of this property is on, SMPs are allowed for this virtual HCA.


    Note -  Do not use the value on without considering the possible security impact on the fabric. If smi-enabled is on, a kernel zones user can do SMP set operations through the ib-vhca resource type. A physical port can be disabled by SMPs that set the port state.

    When using the on setting, M_Keys should be set on fabric components.


  • If the value is off, SMPs cannot be used with this virtual HCA.

  • If the value is readonly, this virtual HCA can use query SMP operations, but not set operations.

Use the following steps to allocate a VF in a kernel zone:

  1. Virtualize the PF by using the ibadm command as described in the ibadm(8) man page.

  2. Use the zonecfg command to allocate a VF to a kernel zone. Note that a specific VF index is not specified. At boot time, an available VF is dynamically allocated from the specified PF to the kernel zone by the zoneadmd command. If a VF is not available, the resource allocation fails.

The following example adds an ib-vhca resource type to the running kernel zone for a device named dev0. This virtual HCA can only query Subnet Management Packets (SMP) operations. This virtual HCA cannot set operations.

global$ pfbash zonecfg -z zone-kz 
zonecfg:zone-kz> add ib-vhca
zonecfg:zone-kz:ib-vhca> set over-hca=dev0
zonecfg:zone-kz:ib-vhca> set smi-enabled=readonly
zonecfg:zone-kz:ib-vhca> end
zonecfg:zone-kz>end
global$ zonecfg -z zone-kz apply

keysource Resource Type

Encryption key. Provides administrative access to the cryptographic key used for kernel zone suspend images and host data as described in the solaris-kz(7) man page.

Properties: raw

The value of the raw property cannot be set directly, except with the command_file mode.

net Resource Type

The net resource type assigns an existing network interface in the global zone to the non-global zone. The network interface resource type is the interface name. Each zone can have network interfaces that are set up when the zone transitions from the installed state to the ready state.

Properties:

  • address
  • allowed-address
  • configure-allowed-address
  • defrouter
  • id
  • physical

For a shared-IP zone, both the IP address and the physical device must be specified. Optionally, the default router can be set. For an exclusive-IP zone, only the physical interface must be specified.

allowed-address Property

The allowed-address property limits the set of configurable IP addresses that can be used by an exclusive-IP zone.

defrouter Property

The defrouter property can be used to set a default route when the non-global zone and the global zone reside on separate networks. Any zone that has the defrouter property set must be on a subnet that is not configured for the global zone. Traffic from a zone with a default router will go out to the router before coming back to the destination zone.

When shared-IP zones exist on different subnets, do not configure a data-link in the global zone.

In the following example for a shared-IP zone, the physical interface nge0 is added to the zone with an IP address of 192.168.0.1. To list the network interfaces on the system, type:

global$ ipadm show-if -po ifname,class,active,persistent
lo0:loopback:yes:46--
nge0:ip:yes:----

Each line of the output, other than the loopback lines, will have the name of a network interface. Lines that contain loopback in the descriptions do not apply to cards. The 46 persistent flags indicate that the interface is configured persistently in the global zone. The yes active value indicates that the interface is currently configured, and the class value of ip indicates that nge0 is a non-loopback interface. The default route is set to 10.0.0.1 for the zone. Setting the defrouter property is optional. Note that ip-type=shared is required.

zonecfg:my-zone> set ip-type=shared
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=vnic1
zonecfg:my-zone:net> set address=192.168.0.1
zonecfg:my-zone:net> set defrouter=10.0.0.1
zonecfg:my-zone:net> end

In the following example for an exclusive-IP zone, a VNIC is used for the physical interface, which is a VLAN. To determine which datalinks are available, use the command dladm show-link. The allowed-address property constrains the IP addresses that the zone can use. The defrouter property is used to set a default route. Note that ip-type=exclusive must also be specified.

zonecfg:my-zone> set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:my-zone:net> set allowed-address=10.1.1.32/24
zonecfg:my-zone:net> set physical=vnic1
zonecfg:my-zone:net> set defrouter=10.1.1.1
zonecfg:my-zone:net> end

Only the physical device type will be specified in the add net step. The physical property can be a VNIC.


Note -  Oracle Solaris supports all Ethernet-type interfaces. You can administer datalinks with the dladm command.

npiv Resource Type

Provides N_Port_ID Virtualization (NPIV) support in Oracle Solaris zones and Oracle Solaris 10 Zones.

Properties: over-hba, virtual-port-wwn

The npiv resource type is used to configure zones that have NPIV fibre channel devices as back-end storage for the zone root file system, and use other devices for data.

Disks visible through the NPIV port are also visible inside the zone. Disks added to the fabric are visible automatically from within the zone. Disks removed from the fabric are automatically removed from the zone view.

The virtual-port-wwn and over-hba properties are both optional.

The virtual-port-wwn property contains the port world wide name (PWWN) for the npiv port to be created. The port is automatically generated if not specified by users. To override the default virtual-port-wwn property value, use the following command from inside the npiv resource scope:

zonecfg:my-zone:npiv> set virtual-port-wwn=World-Wide-Name

The zonecfg command verifies that the string is valid.

The following example delegates two npiv resources to the zone. The two npiv ports are automatically created during zone installation.

zonecfg:my-zone> add npiv
zonecfg:my-zone:npiv> set virtual-port-wwn=2100000000000001
zonecfg:my-zone:npiv> set over-hba=c9
zonecfg:my-zone:npiv> end
zonecfg:my-zone> add npiv
zonecfg:my-zone:npiv> end

rctl Resource Type

The rctl resource type is used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state.

See Setting Zone-Wide Resource Controls for more information.


Note -  To configure zone-wide controls using the set global-property-name subcommand of zonecfg instead of using the rctl resource type, see How to Create and Deploy a Non-Global Zone in Creating and Using Oracle Solaris Zones.

Properties: name, value

The following zone-wide resource controls are available.

  • zone.cpu-cap resource control
  • zone.cpu-shares resource control (preferred: cpu-shares global property)
  • zone.max-adi-metadata-memory resource control
  • zone.max-locked-memory resource control
  • zone.max-lofi resource control
  • zone.max-lwps resource control (preferred: max-lwps global property)
  • zone.max-msg-ids resource control (preferred: max-msg-ids global property)
  • zone.max-processes resource control (preferred: max-processes global property)
  • zone.max-sem-ids resource control (preferred: max-sem-ids global property)
  • zone.max-shm-ids resource control (preferred: max-shm-ids global property)
  • zone.max-shm-memory resource control (preferred: max-shm-memory global property)
  • zone.max-swap resource control

The simplest method to set a zone-wide resource control is to use the global property name instead of the rctl resource control name, as shown in How to Create and Deploy a Non-Global Zone in Creating and Using Oracle Solaris Zones. If zone-wide resource control entries in a zone are configured by using the zonecfg add rctl command, the format is different than resource control entries made in the project database. In a zone configuration, an rctl resource consists of three name-value pairs. The names are priv, limit, and action. Each name takes a simple value. For example:

zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-shares
zonecfg:my-zone:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:my-zone:rctl> end

For general information about resource controls and attributes, see Chapter 6, About Resource Controls in Administering Resource Management in Oracle Solaris 11.4 and Resource Controls Used in Non-Global Zones in Creating and Using Oracle Solaris Zones.

rootzpool Resource Type (solaris and solaris10 Only)

Identify the storage object URI to provide a dedicated ZFS storage pool (zpool) for zone installation.

Properties: storage

The optional rootzpool resource type is used to create a dedicated ZFS storage pool for zone installation for solaris brand zones. The zone root zpool can be hosted on shared storage devices defined by one or more Universal Resource Identifiers (URIs). The required storage property identifies the storage object URI to contain the root zfs file system for a zone.

Only one rootzpool resource can be defined for a given zone. The storage is automatically configured for the zone when the zone is booted.

The corresponding zpools are automatically created or imported during zone installation or zone attach operations. To reuse a pre-created zpool for a zone installation, the zpool must be exported from the system. The name my-zone_rpool is assigned. For both the rootzpool and zpool resource types, you can automatically create zpool mirrors as soon as the zone is installed. For more information, see Chapter 12, Oracle Solaris Zones on Shared Storage in Creating and Using Oracle Solaris Zones.

storage Property

The storage property supports the following URI types:

dev

Local device path URI. Formats are as follows:

dev:local-path-under-/dev
dev://absolute-path-with-dev
dev:absolute-path-with-dev

Examples:

dev:dsk/c7t0d0s0
dev:///dev/dsk/c7t0d0s0
dev:/dev/dsk/c7t0d0s0
dev:chassis/SYS/HD1/disk
lu (Logical Unit)

Fibre Channel (FC) and Serial Attached SCSI (SAS). Formats are as follows:

lu:luname.naa.ID
lu:luname.eui.ID
lu:initiator.naa.ID,target.naa.ID,luname.naa.ID
lu:initiator.naa.ID,target.naa.ID,luname.eui.ID

Examples:

lu:luname.naa.5000c5000288fa25
lu:luname.eui.0021280001cf80f6
lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.naa.5000c5000288fa25
lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.eui.0021280001cf80f6
iscsi

iSCSI URI. Formats are as follows:

iscsi:///luname.naa.ID
iscsi:///luname.eui.ID
iscsi://host[:port]/luname.naa.ID
iscsi://host[:port]/luname.eui.ID
iscsi:///target.IQN,lun.LUN
iscsi://host[:port]/target.IQN,lun.LUN

Examples:

iscsi:///luname.eui.0021280001cf80f6
iscsi:///luname.naa.600144f03d70c80000004ea57da10001
iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001
iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001
iscsi://hostname:1234/luname.eui.0021280001cf80f6
iscsi://hostname:3260/luname.naa.600144f03d70c80000004ea57da10001

iscsi://127.0.0.1/target.iqn.com.sun:02:d0f2d311-f703,lun.0
iscsi:///target.iqn.com.sun:02:d0f2d311-f703,lun.6
iscsi://[::1]:1234/target.iqn.com.sun:02:d0f2d311-f703,lun.2
iscsi://hostname:1234/target.iqn.com.sun:4db41b76-e3d7-cd2f-bf2d-9abef784d76c,lun.0

The following configuration example adds a rootzpool resource with two storage devices, for creating a mirrored configuration:

zonecfg:my-zone> add rootzpool
zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t1d0
zonecfg:my-zone:rootzpool> add storage dev:dsk/c4t3d0
zonecfg:my-zone:rootzpool> end

When the zone is uninstalled or detached, the following actions take place:

  • The corresponding zpools are automatically exported or destroyed.

  • The storage resources are automatically unconfigured.

The suriadm tool is used to administer shared objects that are based on storage URIs. For information about IDs, the Name Address Authority (NAA), and obtaining URIs for existing storage objects, see the suriadm(8) and suri(7) man pages.

smf-dependency Resource Type

The set of Oracle Solaris Service Management Facility (SMF) Fault Management Resource Identifiers (FMRIs) that establish the dependencies for the zone are defined in the smf-dependency resource type.

Properties: fmri, name, grouping

global$ pfbash zonecfg -z my-zone
zonecfg:my-zone> add smf-dependency
zonecfg:my-zone> set name=firewall
zonecfg:my-zone> set fmri=svc:/system/zones/zone:appfirewall
zonecfg:my-zone> set fmri=svc:/system/zones/zone:appnat
zonecfg:my-zone> set grouping=require_any
zonecfg:my-zone> end
zonecfg:my-zone> exit

All SMF dependencies for a zone will be of type service and have restart_on set to none.

For more information, see Zones and the Service Management Facility in Creating and Using Oracle Solaris Zones and the zonecfg(8) man page.

verified-boot Resource Type

The verified-boot resource type controls a kernel zone's boot policy and certificate settings. The properties are:

cert Property

The cert property specifies the location of the elfsign(1) X.509 public key certificate on the system. You specify the certificate location with a URI of the X.509 cert file. For a local file, the certificate must be located in the global zone's file system. For remote URIs, the URI must be accessible from the global zone.

Use the add subcommand to add a certificate. You can add up to seven certificates on each kernel zone.

policy Property

The policy property regulates the verification of the unix, genunix and other kernel modules. The possible values for this property are as follows:

enforce

Prints a warning message if elfsign signature verification fails. The kernel module does not load.

none

No action occurs if elfsign signature verification fails.

Note: A verified-boot resource is not enabled if the policy value is set to none.

warning

Prints a warning message if elfsign verification fails. This is the default value.

Example 7  Enabling Verified Boot in a Kernel Zone

This example creates the kernel zone kz1 on the system global. The verified-boot policy value is set to enforce. This directs the kernel to not boot if boot file signature verification fails and to print an error message on failure.

global$ pfbash zonecfg -z kz1
kz1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:kz1> create -t SYSsolaris-kz
zonecfg:kz1> set zonepath=/rpool/zones/kz1
zonecfg:kz1> set autoboot=true
zonecfg:kz1> add verified-boot
zonecfg:kz1:verified-boot> set policy=enforce
zonecfg:kz1:verified-boot> end
zonecfg:kz1> verify
zonecfg:kz1> commit
zonecfg:kz1> exit
Example 8  Configuring Kernel Zone Verified Boot With Multiple Certificates

This example demonstrates adding a verified-boot resource to an already-configured kernel zone kz2 on the host system global. Two certificates are added to the configuration.

global$ pfbash zonecfg -z kz2
zonecfg:kz2> add verified-boot
zonecfg:kz2:verified-boot> set policy=warning
zonecfg:kz2:verified-boot> add cert file:///etc/certs/elfsign/SOLARIS-KZ
zonecfg:kz2:verified-boot> add cert http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> info
verified-boot:
   policy: warning
    cert: file:///etc/certs/elfsign/SOLARIS-KZ
    cert: http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> end
zonecfg:kz2> verify
zonecfg:kz2> commit

virtual-cpu Resource Type (solaris-kz Only)

Use the virtual-cpu resource to set the number of kernel zone virtual CPUs (VCPUs) if you want to assign a number other than the default. The resource dedicates a subset of the system's processors to the zone while it is running. The virtual-cpu resource provides limits for ncpus.

Properties: ncpus

The default kernel zone configuration has 4 VCPUs. Each virtual-cpu can use up to 1 host CPU of compute power, but could get less if there is contention for host CPU resources. The host CPUs allocated to the kernel zone are defined by the ncpus value. You can add more CPUs to the kernel zone by adding the virtual-cpu property.

If a kernel zone is in a pool that was created by using either the dedicated-cpu resource type or the pool global property, then the number of virtual CPUs created match the size of that pool. VCPUs are not sized based on the number of FSS shares.

If CPU resources are shared between a number of consumers, there might be periods of time when the host system "de-schedules" all or part of the kernel zone.

Stolen time indicates the time when the kernel zone cannot run because the host might be using CPU resources for other purposes. The CPU accounting state CMS_STOLEN displays the time a CPU spends in this state. The time is always zero for hosts running on physical hardware. For CPUs running as part of a kernel zone, a non-zero value of this state reflects the amount of time a virtual CPU did not actually have access to a physical CPU. Stolen time is reported by the zonestat, mpstat, iostat, and vmstat commands and by other utilities.

ncpus Property

Specifies the number of CPUs.


Note -  If the dedicated-cpu resource is already defined, the default number of virtual CPUs configured in the virtual platform matches the lower value of the ncpus range in the dedicated-cpu resource. You do not need to set both the dedicated-cpu and the virtual-cpu resources.

The following example specifies 3 CPUs for the zone.

zonecfg:my-zone> add virtual-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=3 ; end

zpool Resource Type (solaris and solaris10 Only)

Define one or more storage object URIs to delegate a zpool to the zone.

Properties: name, storage

A zpool can be delegated to a non-global zone by configuring the optional zpool resource in the zonecfg utility. The zpool is automatically configured for the zone when it is booted. The corresponding zpools are automatically created or imported during zone installation or zone attach operations. A zone configuration can have one or more zpool resources.

name Property

The name property is mandatory for the zpool resource. The property is used in the name for a zpool delegated to the zone. The ZFS file system name component cannot contain a forward slash (/).

The assigned name of the newly created or imported zpool is the value of the name property. This is the zpool name visible inside the non-global zone. The assigned name of the newly created or imported zpool name has the form zonename_zpool-name when displayed from the global zone.

The allowed values for the name property are defined in the zpool(8) man page.

storage Property

The required storage property identifies the storage object URI associated with this resource.

The storage property is managed using the following settings in the zpool resource scope:

  • add storage URI string

  • remove storage URI string


Note -  A zone installation can fail when a storage object contains preexisting partitions, zpools, or UFS file systems. For more information, see Troubleshooting Installation in Creating and Using Oracle Solaris Zones.

For information about URIs and the allowed values for the storage property, see rootzpool Resource Type (solaris and solaris10 Only).

    When the zone is uninstalled or detached, the following actions take place:

  • The corresponding zpools are automatically exported or destroyed.

  • The storage resources are automatically unconfigured.

In the following example, a zpool storage resource is delegated to the zone. The zpool is automatically created, or a previously created zpool is imported during installation. The name of the zpool is pool1.

zonecfg:my-zone> add zpool
zonecfg:my-zone:zpool> set name=pool1
zonecfg:my-zone:zpool> add storage dev:dsk/c4t2d0
zonecfg:my-zone:zpool> add storage dev:dsk/c4t4d0 ; end