Oracle® Solaris Zones Configuration Resources

Updated: October 2017

Configurable Resources and Properties for Zones

This section covers the required and optional zone resources and properties that can be configured. Only the zone name is required. Additional information is provided in Zone Configuration Data. For more information about configuration options that are specific to a particular brand of zone, see the solaris(5) and solaris-kz(5) man pages.

Zone Name

You must choose a name for your zone.

Zone Path

If you do not specify the path, the default value of zonepath is /system/zones/%{zonename}. If the zone configuration does not have a rootzpool resource, the ZFS dataset %{global-rootzpool}/VARSHARE/system/zones/%{zonename} is created and mounted at /system/zones/%{zonename}.

If you choose a path for your zone, the zone must reside on a ZFS dataset. The ZFS dataset is created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone does not install or attach. The parent directory of the zone path must also be a ZFS dataset; this requirement applies only when the zonepath dataset is not created automatically.

Kernel zones do not support the zonepath property. The zone root is contained within a ZFS volume. The device onto which the zone is installed is specified with a device resource that has the bootpri property set to any positive integer value.

Zone Autoboot

The autoboot property setting determines whether the zone is automatically booted when the global zone is booted. The zones service, svc:/system/zones:default, must also be enabled.

solaris and solaris10 Only: global-time Property

Set the global-time property to specify whether the non-global zone is allowed to change the zone-specific time or the system-wide time.

  • A value of global-time=true for the global-time property indicates that the zone is allowed to set system-wide time.

  • A value of global-time=false for the global-time property indicates the zone is allowed to set zone-specific time.

Example 3 Enabling a Zone to Set Zone-Specific Time
# zonecfg -z my-zone
zonecfg:my-zone> set global-time=false
zonecfg:my-zone> exit

You should assign a value for the global-time property. However, if the value is not set but the sys_time privilege is explicitly assigned using the limitpriv property, global-time is treated as true. If the sys_time privilege is not explicitly assigned by using the limitpriv property, global-time is treated as false.

Depending on the global-time property setting in Oracle Solaris 11.3, a non-global zone process with the sys_time privilege can manipulate either the virtual zone-specific time or the system-wide time by using the following system calls.

  • stime(2)

  • clock_settime(3C)

  • An IA-specific real-time clock (RTC) call that writes the time-of-day clock

See Privileges in a Non-Global Zone in Creating and Using Oracle Solaris Zones for more information on privileges.

file-mac-profile Property for Immutable Zones

Use the file-mac-profile property to configure Immutable Zones with read-only roots.

For more information, see Chapter 11, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones.

admin Resource for Zones

The admin setting allows you to set zone administration authorization. The preferred method for defining authorizations is through the zonecfg command.

auths

Specify the authorizations for the user name.

The values for auths are:

solaris.zone.clonefrom

If RBAC is in use, allows the specified zone to be used as a source from which to clone a new zone. Subcommands that make a copy of another zone require the authorization solaris.zone.clonefrom/source_zone.

solaris.zone.config

If RBAC is in use, allows modification of the persistent configuration of the zone by using the authorization solaris.zone.config/zonename. For more information on the persistent configuration, see Chapter 6, Live Zone Reconfiguration in Creating and Using Oracle Solaris Zones.

solaris.zone.liveconfig

If RBAC is in use, allows inspection and modification of the live zone configuration by using the authorization solaris.zone.liveconfig/zonename. For more information on the live zone configuration, see Chapter 6, Live Zone Reconfiguration in Creating and Using Oracle Solaris Zones.

solaris.zone.login

If RBAC is in use, allows authenticated use of zlogin into this zone. The authorization solaris.zone.login/zonename is required for interactive logins. Password authentication takes place in the zone. For more information, see zlogin(1) and Chapter 4, About Non-Global Zone Login in Creating and Using Oracle Solaris Zones.

solaris.zone.manage

If RBAC is in use, allows normal management of the configured zone. For non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.

user

Specify the user name.

For more information on authorizations, see auths(1), auth_attr(4), and user_attr(4).

dedicated-cpu Zone Resource

Use the dedicated-cpu resource to specify that a subset of the system's processors should be dedicated to a non-global zone while it is running. When the zone boots, the system dynamically creates a temporary pool for use while the zone is running.

With specification in zonecfg, pool settings propagate during migrations.

The dedicated-cpu resource sets limits for ncpus, and optionally, importance.

importance

If you are using a CPU range to achieve dynamic behavior, also set the importance property. The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, then importance is ignored. If poold is running and importance is not set, the importance default is 1. For more information, see pool.importance Property Constraint in Administering Resource Management in Oracle Solaris 11.3.

ncpus

Specify the number of CPUs or specify a range, such as 2–4 CPUs. If you specify a range because you want dynamic resource pool behavior, also set the importance property described above.

Use the following properties to set persistent dedicated-cpu resources for cpus, cores and sockets.

cpus

Assign specific CPUs to a zone persistently.

cores

Assign specific cores to a zone persistently.

sockets

Assign a specified number of sockets persistently.

To eliminate inconsistent results across system reboots, use dedicated-cpu:cpus to specify the exact CPUs to use. Use the dedicated-cpu resource instead of the automatic virtual-cpu resource, which only specifies ncpus.


Note -  The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares resource control and the dedicated-cpu resource are incompatible.

Note -  Applications that auto-size and automatically scale to the number of available CPUs might not recognize a capped-cpu restriction. Seeing all CPUs as available can adversely affect scaling and performance in applications such as the Oracle database and Java virtual machines (JVM). It can appear that the application is not working or not usable. The JVM should not be used with capped-cpu if performance is critical. Applications in affected categories can use the dedicated-cpu resource.

solaris-kz Only: virtual-cpu Resource

Use the virtual-cpu resource to set the number of kernel zone virtual CPUs (VCPUs) if you want to assign a number other than the default.

The default kernel zone configuration has 4 VCPUs. Each virtual-cpu can use up to 1 CPU of compute power, but could get less if there is contention for system CPU resources. The CPUs allocated to the kernel zone are defined by the ncpus value. You can add more CPUs to the kernel zone by adding the virtual-cpu property.

If a kernel zone is in a pool that was created by using the dedicated-cpu or the pool resource, then the number of virtual CPUs created matches the size of that pool. Note that VCPUs are not sized based on the number of FSS shares.

If CPU resources are shared between a number of consumers, there might be periods of time when the system "de-schedules" all or part of the kernel zone.

Stolen time indicates the time when the kernel zone cannot run because the system might be using CPU resources for other purposes.

The CPU accounting state CMS_STOLEN displays the time a CPU spends in this state. The time is always zero for systems running on physical hardware. For CPUs running as part of a kernel zone, a non-zero value of this state reflects the amount of time a virtual CPU did not actually have access to a physical CPU. Stolen time is reported by zonestat(1), mpstat(1M), iostat(1M), vmstat(1M), and other utilities.

Note that if the dedicated-cpu resource is already defined, the default number of virtual CPUs configured in the virtual platform matches the lower value of the ncpus range in the dedicated-cpu resource. You do not need to set both the dedicated-cpu and the virtual-cpu resources.

capped-cpu Zone Resource

The capped-cpu resource provides an absolute fine-grained limit on the amount of CPU resources that can be consumed by a project or a zone. When used in conjunction with processor sets, CPU caps limit CPU usage within a set. The capped-cpu resource has a single ncpus property that is a positive decimal with two digits to the right of the decimal point. This property corresponds to units of CPUs. The resource does not accept a range. The resource does accept a decimal number. When specifying ncpus, a value of 1 means 100 percent of a CPU. A value of 1.25 means 125 percent, because 100 percent corresponds to one full CPU on the system.


Note -  The capped-cpu resource and the dedicated-cpu resource are incompatible.

Note -  Applications that auto-size and automatically scale to the number of available CPUs might not recognize a capped-cpu restriction. Seeing all CPUs as available can adversely affect scaling and performance in applications such as the Oracle database and Java virtual machines (JVM). It can appear that the application is not working or not usable. The JVM should not be used with capped-cpu if performance is critical. Applications in affected categories can use the dedicated-cpu resource. See dedicated-cpu Zone Resource.

Scheduling Class

You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among zones, based on their importance. This importance is expressed by the number of shares of CPU resources that you assign to each zone. Even if you are not using FSS to manage CPU resource allocation between zones, you can set the zone's scheduling-class to use FSS so that you can set shares on projects within the zone.

When you explicitly set the cpu-shares property, the fair share scheduler (FSS) is used as the scheduling class for that zone. However, the preferred way to use FSS in this case is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones benefit from getting a fair share of the system CPU resources. If cpu-shares is not set for a zone, the zone will use the system default scheduling class. The following actions set the scheduling class for a zone:

Note that you can use the priocntl command described in the priocntl(1) man page to move running processes into a different scheduling class without changing the default scheduling class and rebooting.

capped-memory Resource and Physical Memory Control

To use the capped-memory resource, the resource-cap package must be installed in the global zone. Also see capped-memory in Resource Types and Properties.

solaris Zones and the capped-memory Zone Resource

For native (solaris) branded zones, the capped-memory resource sets limits for physical, swap, and locked memory properties. Each limit is optional, but at least one must be set.

  • Determine values for the physical property if you plan to cap memory for a native zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.

    The physical property of the capped-memory resource represents a soft RAM allocation limit that is enforced by rcapd. If a zone hits its physical limit, the zone can continue to allocate RAM, but paging to the swap device occurs even when there is no overall memory shortfall on the system. Paging can generate large amounts of I/O, which can negatively impact other operations on the system. In contrast, limiting swap has no direct impact on the paging activity of the system. Setting swap without setting physical can be an effective way to limit the amount of memory used by a native zone.

  • When you limit the amount of swap a zone can allocate, you also limit the amount of RAM the zone can allocate. A zone cannot allocate more RAM than it has swap. If a zone hits its swap limit, new memory allocations in that zone will fail even when there is no overall memory shortfall on the system.

    The swap property of the capped-memory resource is the preferred way to set the zone.max-swap resource control for a native zone.

  • The locked property of the capped-memory resource is the preferred way to set the zone.max-locked-memory resource control for a native zone.


Note -  Applications generally do not lock significant amounts of memory, but you might decide to set locked memory if the zone's applications are known to lock memory. If zone trust is a concern, you can also consider setting the locked memory cap to 10 percent of the system's physical memory, or 10 percent of the zone's physical memory cap.

For more information, see the following documentation:

To temporarily set a resource cap for a zone, see How to Specify a Temporary Resource Cap for a Zone in Administering Resource Management in Oracle Solaris 11.3.

solaris-kz Zones and the capped-memory Resource

For kernel zones, the physical property is required. The physical property represents the amount of RAM reserved for the kernel zone's memory. When you specify the physical property, you can also specify the pagesize-policy property, which sets the policy for using large pages for physical memory.

For kernel zones, the swap and locked limits are not allowed. The rcapd utility is not used. Live Zone Reconfiguration is not supported.

The default SYSsolaris-kz template sets the pagesize-policy to largest-available, which is the recommended value.

Oracle Solaris systems that do not support the pagesize-policy property use a compatible default pagesize. Clearing the pagesize-policy property is required to live migrate a kernel zone to an older Oracle Solaris instance, or to resume a kernel zone on an older Oracle Solaris instance.

The pagesize-policy property values are described in Resource Type Properties.

See Managing Kernel Zone Memory in Creating and Using Oracle Solaris Kernel Zones for more information about these properties and examples for setting them.

For more information, also see the solaris-kz(5) man page.

solaris and solaris10 Only: npiv Resource

The npiv resource supports N_Port_ID Virtualization (NPIV) in Oracle Solaris Zones and Oracle Solaris 10 Zones. The npiv resource is used to configure zones that have Fibre Channel devices as back-end storage for the zone root file system, and use other devices for data.

The following example delegates two npiv resources to the zone my-zone. Both virtual-port-wwn and over-hba are optional. The two npiv ports are automatically created during zone installation.

zonecfg:my-zone> add npiv
zonecfg:my-zone:npiv> set virtual-port-wwn=2100000000000001
zonecfg:my-zone:npiv> set over-hba=c9
zonecfg:my-zone:npiv> end
zonecfg:my-zone> add npiv
zonecfg:my-zone:npiv> end
zonecfg:my-zone>

Disks visible through the NPIV port are also visible inside the zone. Disks added to the fabric are visible automatically from within the zone. Disks removed from the fabric are automatically removed from the zone view.

The virtual-port-wwn property is optional for the npiv resource type. It contains the port world wide name (PWWN) for the npiv port to be created. The PWWN is generated automatically if you do not specify one. To override the default virtual-port-wwn property value, use the following command from inside the npiv resource scope:

zonecfg:my-zone:npiv> set virtual-port-wwn=World Wide Name

The zonecfg command verifies that the string is valid.

solaris and solaris10 Only: rootzpool Resource

The optional rootzpool resource in the zonecfg utility is used to create a dedicated zpool for zone installation for solaris and solaris10 brand zones. The zone root zpool can be hosted on shared storage devices defined by one or more Universal Resource Identifiers (URIs). The required storage property identifies the storage object URI that contains the root ZFS file system for a zone. Only one rootzpool can be defined for a given zone. The storage is automatically configured for the zone when the zone is booted.

The corresponding zpools are automatically created or imported during zone installation or zone attach operations. For both the rootzpool and zpool resources, you can automatically create zpool mirrors as soon as the zone is installed. For more information, see Chapter 13, Getting Started With Oracle Solaris Zones on Shared Storage in Creating and Using Oracle Solaris Zones.

When the zone is uninstalled or detached, the following actions take place:

  • The corresponding zpools are automatically exported or destroyed.

  • The storage resources are automatically unconfigured.

To reuse a pre-created zpool for a zone installation, the zpool must be exported from the system.

The zones framework supports the following URI types:

  • dev

    Local device path URI

    Format:

    dev:local-path-under-/dev
    dev://absolute-path-with-dev
    dev:absolute-path-with-dev

    Examples:

    dev:dsk/c7t0d0s0
    dev:///dev/dsk/c7t0d0s0
    dev:/dev/dsk/c7t0d0s0
    dev:chassis/SYS/HD1/disk
  • lu (Logical Unit)

    Fibre Channel (FC) and Serial Attached SCSI (SAS)

    Format:

    lu:luname.naa.ID
    lu:luname.eui.ID
    lu:initiator.naa.ID,target.naa.ID,luname.naa.ID
    lu:initiator.naa.ID,target.naa.ID,luname.eui.ID

    Examples:

    lu:luname.naa.5000c5000288fa25
    lu:luname.eui.0021280001cf80f6
    lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.naa.5000c5000288fa25
    lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.eui.0021280001cf80f6 
  • iscsi

    iSCSI URI

    Format:

    iscsi:///luname.naa.ID
    iscsi:///luname.eui.ID
    iscsi://host[:port]/luname.naa.ID
    iscsi://host[:port]/luname.eui.ID
    iscsi:///target.IQN,lun.LUN
    iscsi://host[:port]/target.IQN,lun.LUN 

    Examples:

    iscsi:///luname.eui.0021280001cf80f6
    iscsi:///luname.naa.600144f03d70c80000004ea57da10001
    iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001
    iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001
    iscsi://hostname:1234/luname.eui.0021280001cf80f6
    iscsi://hostname:3260/luname.naa.600144f03d70c80000004ea57da10001
    
    iscsi://127.0.0.1/target.iqn.com.sun:02:d0f2d311-f703,lun.0
    iscsi:///target.iqn.com.sun:02:d0f2d311-f703,lun.6
    iscsi://[::1]:1234/target.iqn.com.sun:02:d0f2d311-f703,lun.2
    iscsi://hostname:1234/target.iqn.com.sun:4db41b76-e3d7-cd2f-bf2d-9abef784d76c,lun.0 

The suriadm tool is used to administer shared objects based on storage URIs. For information about IDs, the Name Address Authority (NAA), and obtaining URIs for existing storage objects, see the suriadm(1M) and suri(5) man pages.
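The following parser is an added example, not Oracle code and not suriadm(1M): it checks a storage property value against the dev, lu and iscsi URI forms listed above and normalizes it before the value is handed to zonecfg. It checks syntax only; the rule that naa and eui identifiers are even-length hex strings is an assumption of the example, and the inputs in the usage block are the page's own sample URIs.

```python
"""Validate a rootzpool/zpool storage URI against the forms listed above.

Added example, not Oracle code and not suriadm(1M); it checks syntax only.
The hex/even-length rule for naa and eui identifiers is an assumption."""
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"[0-9a-fA-F]+")


def _check_id(kind, value):
    """Identifier must be naa or eui followed by an even-length hex string."""
    if kind not in ("naa", "eui"):
        raise ValueError(f"unknown identifier type {kind!r}")
    if not _HEX.fullmatch(value) or len(value) % 2:
        raise ValueError(f"bad {kind} identifier {value!r}")
    return f"{kind}.{value}"


def _parse_field(field):
    """'luname.naa.5000c5000288fa25' -> ('luname', 'naa.5000c5000288fa25')"""
    parts = field.split(".", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed field {field!r}")
    key, kind, value = parts
    return key, _check_id(kind, value)


def parse_storage_uri(uri):
    """Return a dict describing the URI, or raise ValueError if it does not
    match one of the documented forms."""
    scheme, sep, rest = uri.partition(":")
    if not sep:
        raise ValueError(f"missing scheme in {uri!r}")
    if scheme == "dev":
        if rest.startswith("///"):
            path = rest[2:]              # dev:///dev/dsk/x  -> /dev/dsk/x
        elif rest.startswith("//"):
            raise ValueError(f"bad dev URI {uri!r}")
        elif rest.startswith("/"):
            path = rest                  # dev:/dev/dsk/x
        elif rest:
            path = "/dev/" + rest        # dev:dsk/x is relative to /dev
        else:
            raise ValueError(f"empty dev URI {uri!r}")
        if not path.startswith("/dev/"):
            raise ValueError(f"dev path must be under /dev: {path!r}")
        return {"type": "dev", "path": path}
    if scheme == "lu":
        fields = dict(_parse_field(f) for f in rest.split(","))
        if set(fields) not in ({"luname"}, {"initiator", "target", "luname"}):
            raise ValueError(f"lu URI must give luname or initiator,target,luname: {uri!r}")
        return {"type": "lu", **fields}
    if scheme == "iscsi":
        u = urlsplit(uri)
        if not u.path.startswith("/") or u.query or u.fragment:
            raise ValueError(f"bad iscsi URI {uri!r}")
        host, port = u.hostname or None, u.port   # u.port raises if not numeric
        body = u.path[1:]
        if body.startswith("luname."):
            _, ident = _parse_field(body)
            return {"type": "iscsi", "host": host, "port": port, "luname": ident}
        m = re.fullmatch(r"target\.(iqn\.[^,]+),lun\.(\d+)", body)
        if not m:
            raise ValueError(f"bad iscsi target form {body!r}")
        return {"type": "iscsi", "host": host, "port": port,
                "target": m.group(1), "lun": int(m.group(2))}
    raise ValueError(f"unsupported storage URI scheme {scheme!r}")


if __name__ == "__main__":
    # The page's own example URIs; each should parse without error.
    for sample in ("dev:chassis/SYS/HD1/disk",
                   "lu:luname.naa.5000c5000288fa25",
                   "iscsi://[::1]:1234/target.iqn.com.sun:02:d0f2d311-f703,lun.2"):
        print(parse_storage_uri(sample))
```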

The system names the newly created or imported rootzpool for its associated zone. The assigned name has the form zonename_rpool.

The storage property is managed using the following commands from inside the rootzpool resource scope:

  • add storage URI string

  • remove storage URI string

Adding a zpool Resource Automatically

A zpool can be delegated to a non-global zone by configuring the optional zpool resource in the zonecfg utility. The zpool is automatically configured for the zone when it is booted.

The corresponding zpools are automatically created or imported during zone installation or zone attach operations.

When the zone is uninstalled or detached, the following actions take place:

  • The corresponding zpools are automatically exported or destroyed.

  • The storage resources are automatically unconfigured.

The required storage property identifies the storage object URI associated with this resource.

The storage property is managed using the following settings in the zpool resource scope:

  • add storage URI string

  • remove storage URI string

The name property is mandatory for the zpool resource. The property is used in the name for a zpool delegated to the zone. The ZFS file system name component cannot contain a forward slash (/).

The assigned name of the newly created or imported zpool is the value of the name property. This is the zpool name visible inside the non-global zone. When displayed from the global zone, the name of the newly created or imported zpool has the form zonename_name.


Note -  A zone installation can fail when a storage object contains preexisting partitions, zpools, or UFS file systems. For more information, see Step 4 in How to Install a Configured Zone in Creating and Using Oracle Solaris Zones.

solaris-kz SPARC Only: Kernel Zone Migration Class and Host Compatibility Level

Only features enabled by both migration class and host compatibility level are visible to a kernel zone. To migrate a kernel zone, you must ensure that the feature set visible to the kernel zone matches on both the source and target hosts by configuring the migration class cpu-arch and the host-compatible properties.

If not set, the default value of cpu-arch is native. The zone boots with the same CPU class as the host. You can migrate the zone between CPU types that are compatible with the CPU class of the host. By default, Silicon Secured Memory (SSM), also known as ADI, is turned off for a kernel zone.

solaris-kz SPARC Only: Cross-CPU Migration

Use the cpu-arch global property to configure kernel zones with a specific CPU class. The CPU class can be independent of the host CPU class, to ensure a safe migration between different CPU types. If an Oracle VM Server for SPARC guest domain is booted with a specific class, the guest can be migrated safely among all platforms with compatible CPU types. Kernel zones use the same set of CPU classes as guest domains.

If not set, the default value of cpu-arch is native. The zone boots with the same CPU class as the host. You can migrate the zone between CPU types that are compatible with the CPU class of the host.

The host does not resume a zone previously suspended on an incompatible platform. The host also does not boot a zone if the migration class is set to an incompatible value for the host platform. For example, a guest on a T5 will not boot if cpu-arch is set to sparc64-class1. The CPU class of the zone cannot exceed the limits of the CPU class of the host.

A kernel zone booted with the generic class cannot be migrated to systems earlier than the SPARC T4. Kernel zones run on SPARC T4 and Fujitsu SPARC M12, Fujitsu M10, or SPARC M10, and later supported systems.

cpu-arch={generic | migration-class1 | sparc64-class1}

The values are:

generic

Kernel zone can perform a CPU-type-independent migration between systems newer than T4.

migration-class1

Kernel zone can perform cross-CPU type migration between SPARC T4, SPARC T5, SPARC T7, SPARC S7, SPARC M5, SPARC M6, and SPARC M7.

sparc64-class1

Kernel zone can perform cross-CPU type migration between Fujitsu SPARC M12, Fujitsu M10, and SPARC M10.

Setting and checking the cpu-arch property:

$ zonecfg -z vzl
zonecfg:vzl> info cpu-arch
cpu-arch: generic
zonecfg:vzl> set cpu-arch=migration-class1
zonecfg:vzl> info cpu-arch
cpu-arch: migration-class1
zonecfg:vzl> exit

solaris-kz SPARC Only: host-compatible Property

Set the host-compatible property to adi to enable the Silicon Secured Memory (SSM) feature, also known as ADI. By default, SSM is turned off for a kernel zone. To enable SSM, you must set the host-compatible modifier. In the global zone, on SSM capable hardware, SSM is always turned on.

If no value is set, the default host compatibility level of a kernel zone includes only features supported in the Oracle Solaris 11.2 release.

The host-compatibility levels are as follows:

  • adi – Set the adi modifier to enable the SSM feature. The adi modifier can only be used with the default compatibility level.

    host-compatible=adi

    The host-compatible modifier cannot be used to enable SSM if the SSM feature is not supported by the migration class.

  • level1 – If all of your systems are running the Oracle Solaris 11.3 release, set the host-compatible property to level1, which allows enabling of all features available in the release. The level1 level includes SSM, SPARC M7 Data Analytics Accelerator (DAX) coprocessors, and VA Mask features. On DAX capable hardware, DAX is always turned on in the global zone. The level1 setting might prevent the kernel zone from being migrated to other hosts that are running an older release of Oracle Solaris.

    host-compatible=level1

  • native – Set the native host compatibility level to support all features in the current version of Oracle Solaris, including SSM. Note that the native host compatibility level might prevent the kernel zone from being migrated to a host running a different release of Oracle Solaris.

    host-compatible=native

Zone Network Interfaces

Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.

The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.

There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive IP is the default IP type. A shared-IP zone shares a network interface with the global zone. Configuration in the global zone must be done by the ipadm utility to use shared-IP zones. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured using the anet resource, a dedicated VNIC is automatically created and assigned to that zone. By using the automated anet resource, the requirement to create and configure data-links in the global zone and assign the data-links to non-global zones is eliminated.

Use the anet resource to accomplish the following:

  • Allow the global zone administrator to choose specific names for the data-links assigned to non-global zones

  • Allow multiple zones to use data-links of the same name

If some addresses must be automatically configured and other addresses must be available to be brought online and offline within the zone, multiple anet resources can be used. For example, the following configuration has two anet resources. The first automatically configures 192.0.2.3 on one of the zone's interfaces. The second allows the zone to configure only 192.0.2.100 and 192.0.2.101 on the other interface.

zonecfg:my-zone> select anet linkname=net0
zonecfg:my-zone:anet> set allowed-address=192.0.2.3/24
zonecfg:my-zone:anet> set configure-allowed-address=true
zonecfg:my-zone:anet> end
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set allowed-address=192.0.2.100/24,192.0.2.101/24
zonecfg:my-zone:anet> set configure-allowed-address=false
zonecfg:my-zone:anet> end
zonecfg:my-zone>

For backward compatibility, preconfigured data-links can be assigned to non-global zones.

For information about IP features in each type, see Networking in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones and Networking in Shared-IP Non-Global Zones in Creating and Using Oracle Solaris Zones.


Note -  The link protection described in Securing the Network in Oracle Solaris 11.3 can be used on a system running zones. This functionality is configured in the global zone.

About Data-Links

A data-link is a physical interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A data-link is also referred to as a physical interface, for example, a Network Interface Card (NIC). The data-link is the physical property configured by using zonecfg(1M). The physical property can be a VNIC.

By default in Oracle Solaris 11, physical network device names use generic names, such as net0, instead of device driver names, such as nxge0.

For information about using IP over InfiniBand (IPoIB) in zones, see the anet description in Resource Type Properties.

About Elastic Virtual Switch and Zones

For an anet resource that connects to an Elastic Virtual Switch (EVS) with the evs and vport properties set, the properties of that anet resource are encapsulated in the evs and vport pair.

You cannot change any of the following properties for an EVS anet resource:

  • allowed-address

  • defrouter

  • lower-link

  • mac-address

  • maxbw

  • mtu

  • priority

  • vlan-id

The only properties that you can set for an EVS anet resource are the following:

  • configure-allowed-address

  • evs

  • linkname

  • vport

You must also set the tenant resource. Tenants are used for namespace management. The EVS resources defined within a tenant are not visible outside that tenant's namespace.

The following input for a zone named evszone sets the tenant resource for a tenant named tenantA. The zonecfg anet resource properties create a VNIC for a zone that has an anet resource that connects to an EVS named evsa and a VPort named vport0:

zonecfg:evszone> set tenant=tenantA
zonecfg:evszone> add anet
zonecfg:evszone:anet> set evs=EVSA
zonecfg:evszone:anet> set vport=vport0
zonecfg:evszone:anet> end

For more information, see Chapter 5, About Elastic Virtual Switches in Managing Network Virtualization and Network Resources in Oracle Solaris 11.3.

Shared-IP Non-Global Zones

A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:

  • The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.

  • You do not want the other capabilities that the exclusive-IP zone provides.

Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.

In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.

To use the shared-IP type networking configuration in the global zone, you must use ipadm, not automatic network configuration. To determine whether networking configuration is being done by ipadm, run the following command. The response displayed must be DefaultFixed.

# svcprop -p netcfg/active_ncp svc:/network/physical:default
DefaultFixed

The IP addresses assigned to shared-IP zones are associated with logical network interfaces.

The ipadm command can be used from the global zone to assign or remove logical interfaces in a running zone.

To add interfaces, use the following command:

global# ipadm set-addrprop -p zone=my-zone net0/addr1

To remove interfaces, use one of the following commands:

global# ipadm set-addrprop -p zone=global net0/addr

or:

global# ipadm reset-addrprop -p zone net0/addr1

For more information, see Shared-IP Network Interfaces in Creating and Using Oracle Solaris Zones.

Exclusive-IP Non-Global Zones

Exclusive-IP is the default networking configuration for non-global zones.

An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.

    The following features can be used in an exclusive-IP zone:

  • DHCPv4 and IPv6 stateless address autoconfiguration

  • IP Filter, including network address translation (NAT) functionality

  • IP Network Multipathing (IPMP)

  • IP routing

  • ipadm for setting TCP/UDP/SCTP as well as IP/ARP-level tunables

  • IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security association

    There are two ways to configure exclusive-IP zones:

  • Use the anet resource of the zonecfg utility to automatically create a temporary VNIC for the zone when the zone boots and delete it when the zone halts.

  • Preconfigure the data-link in the global zone and assign it to the exclusive-IP zone by using the net resource of the zonecfg utility. The data-link is specified by using the physical property of the net resource. The physical property can be a VNIC. The address property of the net resource is not set.

    Note that an assigned data-link enables the snoop command to be used.

By default, an exclusive-IP zone can configure and use any IP address on the associated interface. Optionally, a comma-separated list of IP addresses can be specified using the allowed-address property. The exclusive-IP zone cannot use IP addresses that are not in the allowed-address list. Moreover, all the addresses in the allowed-address list will automatically be persistently configured for the exclusive-IP zone when the zone is booted. If this interface configuration is not wanted, then the configure-allowed-address property must be set to false. The default value is true.

If some addresses must be automatically configured and some addresses must be able to be brought online and offline within the zone, multiple anet resources can be used. For example, the following configuration has two anet resources. The first anet resource automatically configures the address 192.168.3.3 on one of the zone's interfaces. The second anet resource permits the zone to configure only 192.168.3.100 and 192.168.3.101 on the other interface.

zonecfg:my-zone> select anet linkname=net0
zonecfg:my-zone:anet> set allowed-address=192.168.3.3/24
zonecfg:my-zone:anet> set configure-allowed-address=true
zonecfg:my-zone:anet> end
zonecfg:my-zone> add anet
zonecfg:my-zone:anet> set allowed-address=192.168.3.100/24,192.168.3.101/24
zonecfg:my-zone:anet> set configure-allowed-address=false
zonecfg:my-zone:anet> end
zonecfg:my-zone>

The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Creating and Using Oracle Solaris Zones for usage examples.

Inside a running exclusive-IP zone that is assigned its own set of data-links, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(1M) man page.

The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command.

global$ zlogin zone1 ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
nge0/v4           dhcp     ok           10.134.62.47/24
lo0/v6            static   ok           ::1/128
nge0/_a           addrconf ok           fe80::2e0:81ff:fe5d:c630/10

Reliable Datagram Sockets Support in Non-Global Zones

The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is enabled as the SMF service rds. By default, the service is disabled after installation. The service can be enabled within a given non-global zone by a zone administrator granted appropriate authorizations. After zlogin, rds can be enabled in each zone in which it is to run.

Example 4  How to Enable the rds Service in a Non-Global Zone
  1. To enable the RDSv3 service in an exclusive-IP or shared-IP zone, log in to the zone with the zlogin command and execute the svcadm enable command:

    # svcadm enable rds
  2. Verify that rds is enabled:

    # svcs rds
        STATE          STIME    FMRI
        online         22:50:53 svc:/system/rds:default

For more information, see the svcadm(1M) man page.

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.

For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the root user or user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone. IP address spoofing can be disabled by setting the allowed-address property. For the anet resource, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property.

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same system.

File Systems Mounted in Zones

Each zone has a ZFS dataset delegated to it by default. This default delegated dataset mimics the default global zone dataset layout. A dataset called …/rpool/ROOT contains boot environments. This dataset should not be manipulated directly. The rpool dataset, which must exist, is mounted by default at …/rpool. The …/rpool/export and …/rpool/export/home datasets are mounted at /export and /export/home. These non-global zone datasets have the same uses as the corresponding global zone datasets, and can be managed in the same way. The zone administrator can create additional datasets within the …/rpool, …/rpool/export, and …/rpool/export/home datasets.

Do not use the zfs command described in the zfs(1M) man page to create, delete, or rename file systems within the hierarchy that starts at the zone's rpool/ROOT file system. The zfs command can be used to set properties other than canmount, mountpoint, sharesmb, zoned, com.oracle.*:*, com.sun:*, and org.opensolaris.*.*.

    Generally, the file systems mounted in a zone include the following:

  • The set of file systems mounted when the virtual platform is initialized

  • The set of file systems mounted from within the application environment itself

    These sets can include, for example, the following file systems:

  • ZFS file systems with a mountpoint other than none or legacy that also have a value of yes for the canmount property.

  • File systems specified in a zone's /etc/vfstab file.

  • AutoFS and AutoFS-triggered mounts. autofs properties are set by using the sharectl command described in the sharectl(1M) man page.

  • Mounts explicitly performed by a zone administrator

    File system mounting permissions within a running native zone are also defined by the zonecfg fs-allowed property. This property does not apply to file systems mounted into the zone by using the zonecfg add fs or add dataset resources. By default, only mounts of file systems within a zone's default delegated dataset, hsfs file systems, and network file systems such as NFS, are permitted within a zone.


    Caution  -  Certain restrictions are placed on mounts other than the defaults performed from within the application environment. These restrictions prevent the zone administrator from denying service to the rest of the system, or otherwise negatively impacting other zones.


There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones in Creating and Using Oracle Solaris Zones for more information.

For more information about datasets, see the datasets(5) man page. For more information about BEs, see Creating and Administering Oracle Solaris 11.3 Boot Environments.

File System Mounts and Updating

It is not supported to mount a file system in a way that hides any file, symbolic link, or directory that is part of the zone's system image as described in the pkg(5) man page. For example, if there are no packages installed that deliver content into /usr/local, it is permissible to mount a file system at /usr/local. However, if any package, including legacy SVR4 packages, delivers a file, directory, or symbolic link into a path that begins with /usr/local, it is not supported to mount a file system at /usr/local. It is supported to temporarily mount a file system at /mnt.

Due to the order in which file systems are mounted in a zone, it is not possible to have an fs resource mount a file system at /export/filesys if /export comes from the zone's rpool/export dataset or another delegated dataset.

Host ID in Zones

You can set a hostid property for the non-global zone that is different from the hostid of the global zone. This would be done, for example, in the case of a physical machine migrated into a zone on another system. Applications now inside the zone might depend on the original hostid. See Resource Types and Properties for more information.

/dev File System in Non-Global Zones

The zonecfg command uses a rule-matching system to specify which devices should appear in a particular zone. Devices matching one of the rules are included in the /dev file system for the zone. For more information, see How to Configure the Zone in Creating and Using Oracle Solaris Zones.

Removable lofi Device in Non-Global Zones

A removable loopback file lofi device, which works like a CD-ROM device, can be configured in a non-global zone. You can change the file that the device maps to and create multiple lofi devices to use the same file in read-only mode. This type of lofi device is created by using the lofiadm command with the –r option. A file name is not required at creation time. During the lifecycle of a removable lofi device, a file can be associated with an empty device, or dissociated from a device that is not empty. A file can be associated with multiple removable lofi devices safely at the same time. A removable lofi device is read-only. You cannot remap a file that has been mapped to either a normal read-write lofi device or to a removable lofi device. The number of potential lofi devices is limited by the zone.max-lofi resource control, which can be set by using the zonecfg command in the global zone.

Once created, a removable lofi device is read-only. The lofi driver will return an error on any write operation to a removable lofi device.

The lofiadm command is also used to list removable lofi devices.

Example 5  Create a Removable lofi Device With an Associated File
# lofiadm -r /path/to/file 
/dev/lofi/1
Example 6  Create an Empty Removable lofi Device
# lofiadm -r 
/dev/lofi/2
Example 7  Insert a File Into a Removable lofi Device
# lofiadm -r /path/to/file /dev/lofi/1
/dev/lofi/1

For more information, see the lofiadm(1M), zonecfg(1M), and lofi(7D) man pages. Also see Figure 3, Table 3, Zone-Wide Resource Controls.

Disk Format Support in Non-Global Zones

Disk partitioning and use of the uscsi command are enabled through the zonecfg tool. See device in Resource Type Properties for an example. For more information on the uscsi command, see uscsi(7I).

  • Delegation is only supported for solaris zones.

  • Disks must use the sd target as shown by using the prtconf command with the –D option. See prtconf(1M).

Kernel Zones Device Resources With Storage URIs

    The following support is available:

  • Devices that are used as disks are supported. This support includes whole physical disks, whole physical or virtual disks on a SAN, devices in conjunction with Oracle Solaris Cluster, and ZFS volumes.

  • Kernel zones also support NFS-based storage objects through nfs: URI.

    The NFS URI specifies an object based on a lofi device created on the given NFS file. The NFS file is accessed with credentials derived from user and group. user and group can be given as user names or as user IDs. The host can be given as an IPv4 address, as an IPv6 address, or as a host name. IPv6 addresses must be enclosed in square brackets ([]).

    Format:

    nfs://user:group@host[:port]/nfs-share-path/file

    Examples:

    nfs://admin:staff@host/export/test/nfs_file
    nfs://admin:staff@host:1000/export/test/nfs_file
  • Kernel zones support the bootpri and id properties in device resources.

    • Only set bootpri on disks that will be part of the root pool for the zone. If you set bootpri on disks that will not be part of the root pool for the zone, you could damage the data on the disk.

      Only set bootpri on devices that must be bootable.

    • id controls the instance of the disk in the kernel zone. For example, id=5 means that the disk will be c1d5 in the zone.

  • The root zpool that is created on bootable solaris-kz disks can be imported into the global zone during installation. At this time, the root zpool is visible with the zpool command. See zpool(1M) for more information.

Example 8  Configuring a Storage URI to Create a Portable Zone Configuration

A device resource can also be used to configure a storage URI that makes the zone configuration portable to other systems.

# zonecfg -z my-zone
zonecfg:my-zone> add device
zonecfg:my-zone:device> set storage=nfs://user1:staff@host1/export/file1
zonecfg:my-zone:device> set create-size=4g

For more information, see the suri(5) man page.

Example 9  Viewing the Current Device Resources Configuration

To view information about the current configuration for device resources, use the info subcommand. For example:

$ zonecfg -z my-zone info device 
device: 
    match not specified
    storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/my-zone/disk0
    id: 0
    bootpri: 0
device:
    match not specified
    storage: nfs://user1:staff@host1/export/file1
    create-size: 4g

You can display the output for a specific zone by specifying the ID for the zone:

$ zonecfg -z my-zone info device id=1
device:
    match not specified
    storage: nfs://user1:staff@host1/export/file1
    create-size: 4g
    id: 1
    bootpri not specified

Configurable Privileges in Zones

When a zone is booted, a default set of safe privileges is included in the configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:

  • Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.

  • Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.


Note -  There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.

For more information, see Privileges in a Non-Global Zone in Creating and Using Oracle Solaris Zones, How to Configure the Zone in Creating and Using Oracle Solaris Zones, and privileges(5).

Associating Resource Pools With Zones

If you have configured resource pools on your system as described in Chapter 13, Creating and Administering Resource Pools in Administering Resource Management in Oracle Solaris 11.3, you can use the pool property to associate the zone with one of the resource pools when you configure the zone.

You can specify that a subset of the system's processors be dedicated to a non-global zone while it is running by using the dedicated-cpu resource. You can use dedicated-cpu properties to assign CPUs, cores, and sockets to a zone. The system dynamically creates a temporary pool for use while the zone is running. With specification through zonecfg, pool settings propagate during migrations. If you are configuring Oracle Solaris Kernel Zones, also see the virtual-cpu resource.

The pool property can be used to configure multiple zones that share the same pool.


Note -  A zone configuration using a persistent pool set through the pool property is incompatible with a temporary pool configured through the dedicated-cpu resource. You can set only one of these two properties.

Setting Zone-Wide Resource Controls

The global administrator or a user with appropriate authorizations can set privileged zone-wide resource controls for a zone. Zone-wide resource controls limit the total resource usage of all process entities within a zone.

These limits are specified for both the global and non-global zones by using the zonecfg command. See How to Configure the Zone in Creating and Using Oracle Solaris Zones.

The preferred, simpler method for setting a zone-wide resource control is to use the property name or resource, such as capped-cpu, instead of the rctl resource, such as cpu-cap.

The zone.cpu-cap resource control sets an absolute limit on the amount of CPU resources that can be consumed by a zone. A value of 100 means 100 percent of one CPU as the setting. A value of 125 is 125 percent, because 100 percent corresponds to one full CPU on the system when using CPU caps.


Note -  When setting the capped-cpu resource, you can use a decimal number for the unit. The value correlates to the zone.cpu-cap resource control, but the setting is scaled down by 100. A setting of 1 is equivalent to a setting of 100 for the resource control.

The zone.cpu-shares resource control sets a limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to the zone, and then further subdivided among projects within the zone as specified in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on an Oracle Solaris System With Zones Installed in Creating and Using Oracle Solaris Zones. The global property name for this control is cpu-shares.

The zone.max-locked-memory resource control limits the amount of locked physical memory available to a zone. The allocation of the locked memory resource across projects within the zone can be controlled by using the project.max-locked-memory resource control. See Available Resource Controls in Administering Resource Management in Oracle Solaris 11.3 for more information.

The zone.max-lofi resource control limits the number of potential lofi devices that can be created by a zone.

The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in one zone from affecting other zones. The allocation of the LWP resource across projects within the zone can be controlled by using the project.max-lwps resource control. See Available Resource Controls in Administering Resource Management in Oracle Solaris 11.3 for more information. The global property name for this control is max-lwps.

The zone.max-processes resource control enhances resource isolation by preventing a zone from using too many process table slots and thus affecting other zones. The allocation of the process table slots resource across projects within the zone can be set by using the project.max-processes resource control described in Available Resource Controls in Administering Resource Management in Oracle Solaris 11.3. The global property name for this control is max-processes. The zone.max-processes resource control can also encompass the zone.max-lwps resource control. If zone.max-processes is set and zone.max-lwps is not set, then zone.max-lwps is implicitly set to 10 times the zone.max-processes value when the zone is booted. Note that because both normal processes and zombie processes take up process table slots, the max-processes control thus protects against zombies exhausting the process table. Because zombie processes do not have any LWPs by definition, the max-lwps cannot protect against this possibility.
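The following shell audit is an added example, not part of the Oracle documentation. It reads zonecfg export text and reports, for each anet resource, whether the mac-nospoof link protection and the allowed-address restriction from the Security Differences section are present, and whether the zone relies on the implicit max-lwps value (10 times max-processes) or has no process-table limit at all. The sample export is constructed, and the global-property form set max-processes=N / set max-lwps=N in the export is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes zonecfg export output uses
# "add anet ... end" blocks and "set max-processes=N" / "set max-lwps=N"
# global-property lines (an assumption about the export format).

# audit_zone_export: reads zonecfg export text on stdin and prints one
# finding per anet resource plus one finding for the zone-wide limits.
audit_zone_export() {
  awk '
    BEGIN { inanet = 0; maxproc = ""; maxlwps = "" }
    /^add anet$/ { inanet = 1; link = "(unnamed)"; lp = ""; aa = ""; next }
    inanet && /^set linkname=/        { sub(/^set linkname=/, ""); link = $0; next }
    inanet && /^set link-protection=/ { sub(/^set link-protection=/, ""); lp = $0; next }
    inanet && /^set allowed-address=/ { sub(/^set allowed-address=/, ""); aa = $0; next }
    inanet && /^end$/ {
      inanet = 0; issues = ""
      # Without mac-nospoof the zone can emit frames with a forged source MAC.
      if (lp !~ /mac-nospoof/) issues = issues " mac-spoof-possible"
      # Without allowed-address the zone may use any IP address on the link.
      if (aa == "") issues = issues " ip-spoof-possible"
      print "anet " link ":" (issues == "" ? " ok" : issues)
      next
    }
    /^set max-processes=/ { sub(/^set max-processes=/, ""); maxproc = $0; next }
    /^set max-lwps=/      { sub(/^set max-lwps=/, "");      maxlwps = $0; next }
    END {
      # No max-processes: zombies can fill the process table unchecked.
      if (maxproc == "") print "zone: process-table-unbounded"
      # max-processes without max-lwps: max-lwps becomes 10x at boot.
      else if (maxlwps == "") print "zone: max-lwps-implicit=" maxproc * 10
      else print "zone: ok"
    }
  '
}

# Constructed sample export (not captured from a real system): net0 carries
# both protections, net1 carries neither, and only max-processes is set.
SAMPLE_EXPORT='create -b
set zonepath=/system/zones/audit-zone
set brand=solaris
set ip-type=exclusive
set max-processes=1000
add anet
set linkname=net0
set lower-link=auto
set allowed-address=192.168.3.3/24
set configure-allowed-address=true
set link-protection=mac-nospoof,dhcp-nospoof
end
add anet
set linkname=net1
set lower-link=auto
end'

# Usage: pipe "zonecfg -z <zone> export" into the function; here the sample.
printf '%s\n' "$SAMPLE_EXPORT" | audit_zone_export
```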

The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by all processes within a zone. The allocation of System V resources across projects within the zone can be controlled by using the project versions of these resource controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.

The zone.max-adi-metadata-memory resource control, which has global scope, limits the maximum amount of metadata allocated for Silicon Secured Memory (SSM) enabled pageable memory. SSM is also known as ADI.

The zone.max-swap resource control limits swap consumed by user process address space mappings and tmpfs mounts within a zone. The output of prstat –Z displays a SWAP column. The swap reported is the total swap consumed by the zone's processes and tmpfs mounts. This value assists in monitoring the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting.

Table 3  Zone-Wide Resource Controls

Columns: Control Name, Global Property Name, Description, Default Unit, Value Used For

zone.cpu-cap
    Description: Absolute limit on the amount of CPU resources for this zone
    Default Unit: Quantity (number of CPUs), expressed as a percentage
    Note -  When setting as the capped-cpu resource, you can use a decimal number for the unit.

zone.cpu-shares
    Global Property Name: cpu-shares
    Description: Number of fair share scheduler (FSS) CPU shares for this zone
    Default Unit: Quantity (shares)

zone.max-locked-memory
    Description: Total amount of physical locked memory available to a zone. If priv_proc_lock_memory is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory.
    Default Unit: Size (bytes)
    Value Used For: locked property of capped-memory

zone.max-lofi
    Global Property Name: max-lofi
    Description: Limit on the number of potential lofi devices that can be created by a zone
    Default Unit: Quantity (number of lofi devices)

zone.max-lwps
    Global Property Name: max-lwps
    Description: Maximum number of LWPs simultaneously available to this zone
    Default Unit: Quantity (LWPs)

zone.max-msg-ids
    Global Property Name: max-msg-ids
    Description: Maximum number of message queue IDs allowed for this zone
    Default Unit: Quantity (message queue IDs)

zone.max-processes
    Global Property Name: max-processes
    Description: Maximum number of process table slots simultaneously available to this zone
    Default Unit: Quantity (process table slots)

zone.max-sem-ids
    Global Property Name: max-sem-ids
    Description: Maximum number of semaphore IDs allowed for this zone
    Default Unit: Quantity (semaphore IDs)

zone.max-shm-ids
    Global Property Name: max-shm-ids
    Description: Maximum number of shared memory IDs allowed for this zone
    Default Unit: Quantity (shared memory IDs)

zone.max-shm-memory
    Global Property Name: max-shm-memory
    Description: Total amount of System V shared memory allowed for this zone
    Default Unit: Size (bytes)

zone.max-adi-metadata-memory
    Description: Total amount of memory for storing Silicon Secured Memory (SSM) metadata of pages that might be written to backing store, expressed as a number of bytes. SSM is also known as ADI.
    Default Unit: Size (bytes)

zone.max-swap
    Description: Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone.
    Default Unit: Size (bytes)
    Value Used For: swap property of capped-memory

These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command in Creating and Using Oracle Solaris Zones. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted.

Including a Comment for a Zone

You can add a comment for a zone by using the attr resource type. For more information, see How to Configure the Zone in Creating and Using Oracle Solaris Zones.