Insufficient Privileges Specified for the Zone
If the zone's privilege set contains a disallowed privilege, is missing a required privilege, or includes an unknown privilege name, an attempt to verify, ready, or boot the zone will fail with an error message such as the following:
    zonecfg:zone5> set limitpriv="basic"
    global$ zoneadm -z zone5 boot
    required privilege "sys_mount" is missing from the zone's privilege set
    zoneadm: zone zone5 failed to verify
To fix the problem, add the missing privilege to the zone's limitpriv property (or remove the disallowed or unknown privilege name from it). The following example shows how to add the DTrace privileges to a zone.
Example 12-1 Adding DTrace Privileges to a Non-Global Zone
In this example, the administrator adds DTrace privileges to an installed non-global zone that is not booted. When added to a zone, DTrace privileges enable the use of the DTrace facility. Users with the DTrace Toolkit rights profile as well as the appropriate Zones rights profiles will be able to use DTrace functionality as described in Running DTrace in a Non-Global Zone.
- From the global zone, the administrator adds the dtrace_proc and dtrace_user privileges to the non-global zone named dev-zone.

    global# zonecfg -z dev-zone
    zonecfg:dev-zone> set limitpriv="default,dtrace_proc,dtrace_user"
    zonecfg:dev-zone> exit
- The administrator then boots the zone, logs in as developer-1, who has been assigned the DTrace Toolkit rights profile only, and tests that developer-1 can use the dtrace command.

    global# zoneadm -z dev-zone boot
    # su developer-1
    developer-1$ zlogin dev-zone
    dev-zone: developer-1$ dtrace -l
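As an added example (not code from the Oracle Solaris documentation), the following POSIX shell script applies the three rules described above to a limitpriv value offline, so that a proposed privilege set can be checked for a missing required privilege, a disallowed privilege, or an unknown name before zoneadm -z <zone> verify or boot is attempted. The privilege lists and the expansion of the default and basic keywords are illustrative, partial assumptions made for this example; sys_mount is the only required privilege the page itself names, and the message wording for the disallowed and unknown cases is the example's own.

```shell
#!/bin/sh
# Added example, not code from the Oracle Solaris documentation: an offline
# pre-flight check of a zone's limitpriv value that applies the three rules
# the text describes (every required privilege present, no disallowed
# privilege, no unknown privilege name) before zoneadm verify/boot is run.
# The privilege lists below are illustrative and partial. "sys_mount" is the
# required privilege the page names; the other members, and the contents of
# the "default" and "basic" keyword sets, are assumptions made for this
# example. zoneadm remains the authority on a real system.

# Privileges every zone must hold (illustrative, partial).
REQUIRED_PRIVS="proc_exec proc_fork sys_mount"
# Privileges a non-global zone may never hold (illustrative, partial).
DISALLOWED_PRIVS="dtrace_kernel proc_zone"
# Privilege names this checker recognises (illustrative, partial); any other
# name is reported as unknown.
KNOWN_PRIVS="$REQUIRED_PRIVS $DISALLOWED_PRIVS dtrace_proc dtrace_user
file_dac_read net_rawaccess proc_info sys_time"
# What the keywords "default" and "basic" expand to in this example (assumed).
DEFAULT_SET="proc_exec proc_fork proc_info sys_mount"
BASIC_SET="proc_exec proc_fork proc_info"

# in_list WORD LIST: succeed if WORD appears in the space-separated LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# expand_limitpriv VALUE: turn a comma-separated limitpriv value such as
# "default,dtrace_proc,dtrace_user" into space-separated privilege names,
# replacing the "default" and "basic" keywords by their member sets.
expand_limitpriv() {
    out=""
    for item in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $item in
            default) out="$out $DEFAULT_SET" ;;
            basic)   out="$out $BASIC_SET" ;;
            *)       out="$out $item" ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_limitpriv ZONE VALUE: succeed (exit status 0) when the privilege set
# passes all three rules; otherwise print a zoneadm-style message for each
# problem found and fail (exit status 1). The "required privilege" message
# mirrors the one on the page; the other two are this example's wording.
check_limitpriv() {
    zone=$1
    privs=$(expand_limitpriv "$2")
    status=0
    for p in $privs; do
        if in_list "$p" "$DISALLOWED_PRIVS"; then
            echo "privilege \"$p\" is not permitted within the zone's privilege set"
            status=1
        elif ! in_list "$p" "$KNOWN_PRIVS"; then
            echo "unknown privilege \"$p\" specified in the zone's privilege set"
            status=1
        fi
    done
    for r in $REQUIRED_PRIVS; do
        if ! in_list "$r" "$privs"; then
            echo "required privilege \"$r\" is missing from the zone's privilege set"
            status=1
        fi
    done
    if [ "$status" -ne 0 ]; then
        echo "zoneadm: zone $zone failed to verify"
    fi
    return "$status"
}

# Sample values constructed for this example: the page's failing "basic" set
# for zone5 and its working set for dev-zone.
check_limitpriv zone5 "basic" || true
check_limitpriv dev-zone "default,dtrace_proc,dtrace_user" && echo "dev-zone: privilege set OK"
```

On a Solaris host the value to check can be taken from the zone's configuration (zonecfg -z dev-zone info limitpriv prints the property as limitpriv: followed by the value, so strip that prefix before passing it in), and the three lists should then be filled from the privileges(7) man page for that release rather than the placeholders used here.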
For more information, see the zonecfg(8) man page and limitpriv Global Property in Oracle Solaris Zones Configuration Resources.