zonecfg(8) man page - 윈디하나의 솔라나라

zonecfg(8)

System Administration Commands                                      zonecfg(8)



NAME
       zonecfg - set up zone configuration

SYNOPSIS
       zonecfg [-z zonename [-r]]


       zonecfg [-z zonename [-r]] subcommand


       zonecfg [-z zonename [-r]] -f command_file


       zonecfg help [subcommand]

DESCRIPTION
       The zonecfg utility creates, modifies, and lists the configuration of a
       zone. The creation and modification functions  are  only  available  to
       authorized  users  and  require  that  the  process is executed with an
       effective user ID of root. Otherwise the zone configuration  cannot  be
       modified.


       A  zone's  configuration  consists of a number of resources and proper‐
       ties.


       To simplify the user interface, zonecfg uses the concept  of  a  scope.
       The default scope is global.


       The  following  synopsis  of the zonecfg command is for non-interactive
       usage:


          zonecfg -z zonename [-r] subcommand




       The zonecfg utility can run in two edit modes:

       default

            Allows creating, modifying, and listing the persistent zone
            configuration stored on stable storage. Parameters changed through
            zonecfg in the default mode do not affect a running zone. The zone
            must be reconfigured using the zoneadm(8) apply subcommand or
            rebooted for the changes to take effect.

            If no -z zonename option is supplied, then a configuration session
            is started without any zone. This can be used to create a
            configuration that can be exported, but not persisted or applied.

            The authorization solaris.zone.config/zonename is required to allow
            changes to the persistent configuration.


       live

            Allows retrieving, modifying, and listing the live configuration of
            a running zone. Parameters changed through zonecfg in the live mode
            take effect immediately after they are committed and remain active
            until the next zone reboot. The live mode is available only for a
            running zone and requires the authorization
            solaris.zone.liveconfig/zonename.

            See the respective brand manual page for details on the resources
            supported by live zone reconfiguration.




       In  addition  to creating and modifying a zone, the zonecfg utility can
       also be used to persistently specify the resource  management  settings
       for  the  global  zone  or to configure the global zone as an immutable
       global zone by specifying a file-mac-profile in combination  with  set‐
       tings for fs-allowed, dataset, and devices.


       In  the following text, "rctl" is used as an abbreviation for "resource
       control". See resource-controls(7) man page.


       Every zone is configured with an associated brand. The brand determines
       the  user-level  environment  used  within the zone, as well as various
       behaviors for the zone when it is installed,  boots,  or  is  shutdown.
       Once a zone has been installed the brand cannot be changed. The default
       brand is determined by the installed distribution in the  global  zone.
       Some brands do not support all of the zonecfg properties and resources.
       See the brand-specific man page for more details on each brand. For  an
       overview of brands, see the brands(7) man page.

   Resources
       The following resource types are supported:


       attr

           Generic attribute.


       capped-cpu

           Limits for CPU usage.


       capped-memory

           Limits  for  physical,  swap, and locked memory. Optionally specify
           pagesize-policy or memory-reserve for physical memory of solaris-kz
           brand zone.


       dataset

           ZFS dataset.


       dedicated-cpu

           Subset  of  the system's processors dedicated to this zone while it
           is running.


       device

           Device.


       fs

            File system.


       ib-vhca

           Virtual InfiniBand device.


       port

           Port for virtual InfiniBand device. Port resource is only valid  in
           ib-vhca resource scope.


       keysource

            Encryption key.


       net

           Network interface.


       anet

           Automatic network interface.


       mac

           Extra mac-address configured for a zone. Mac resource is only valid
           within an anet resource.


       vlan

           Extra VLAN ID configured for a zone. VLAN resource  is  only  valid
           within an anet resource.


       smf-dependency

           SMF dependencies for the zone SMF instance.


       admin

           Delegated administrator.


       rctl

           Resource control.


       suspend

            Suspend image.


       rootzpool

           Dedicated ZFS zpool for zone installation.


       virtual-cpu

           Virtual CPUs configured for the zone.


       zpool

           ZFS zpool delegated to the zone.


       npiv

           Fibre Channel NPIV port.


       verified-boot

           Verified Boot settings for the zone.



       Multi-instance  resources  have an identifier which uniquely identifies
       each instance of a resource. The identifier is a number displayed  next
       to  the resource for every instance of all multi-instance resources, in
        the output of the info subcommand. The identifiers are automatically
        generated and are not user modifiable; they are consistent only within
        a single zonecfg session.

   Sparse and Whole Root Non-Global Zones
        Previous releases of Oracle Solaris offered the notion of sparse root
       zones. This functionality was intimately associated with the SVr4 pack‐
       aging system and intended to save disk space and reduce  administrative
       effort.


       The  new packaging system, IPS, provides more flexibility when choosing
       which packages to install in a zone. This, along with advances in  file
       system  technology  (notable  among  which is ZFS deduplication), means
       that it was most sensible to remove sparse root zones. The benefits  of
       sparse  root  zones are provided for all zones by means of the combina‐
       tion of IPS packaging and file system advances.

   Properties
       Each resource type has one or more  properties.  There  are  also  some
       global properties, that is, properties of the configuration as a whole,
       rather than of some particular resource.


       The following properties are supported:

       (global)

           zonename


       (global)

           description


       (global)

           zonepath


       (global)

           autoboot


       (global)

           autoshutdown


       (global)

           global-time


       (global)

           bootargs


       (global)

           boot-priority


       (global)

           pool


       (global)

           limitpriv


       (global)

           brand


       (global)

           cpu-shares


       (global)

           hostid


       (global)

           max-adi-metadata-memory


       (global)

           max-lwps


       (global)

           max-msg-ids


       (global)

           max-processes


       (global)

           max-sem-ids


       (global)

           max-shm-ids


       (global)

           max-shm-memory


       (global)

           scheduling-class


       (global)

           fs-allowed


       (global)

           file-mac-profile


       (global)

           tenant


       (global)

           cpu-arch


       (global)

           host-compatible


       (global)

           boot-disk-protection


       (global)

           hwprovider


       fs

           dir, special, raw, type, options


       net

           address,  allowed-address,   configure-allowed-address,   physical,
           defrouter, id


       anet

           linkname, lower-link, allowed-address, auto-mac-address, configure-
           allowed-address, defrouter, mac-address, mac-slot, mac-prefix, mtu,
           maxbw, bwshare, priority, vlan-id, vsi-typeid, vsi-vers, vsi-mgrid,
           rxfanout,  rxrings,  txrings,  link-protection,  allowed-dhcp-cids,
           pkey,  linkmode,  etsbw-lcl,  cos, id, evs, vport, iov, vlan, ring-
           group, autopush


       mac

           auto-mac-address, mac-address, mac-prefix, allowed-mac-address, id


       vlan

           vlan-id, dynamic-vlan-id


       device

           match, storage, create-size, allow-partition, allow-raw-io,  allow-
           mhd, id, bootpri, removable


       ib-vhca

           over-hca, smi-enabled, id


       port

           pkey, id


       rctl

           name, value


       attr

           name, type, value


       dataset

           name, alias


       dedicated-cpu

           ncpus, importance

           cpus, cores, sockets


       virtual-cpu

           ncpus


       capped-memory

           physical, swap, locked, pagesize-policy, memory-reserve


       capped-cpu

           ncpus


       admin

           user, auths


       rootzpool

           storage


       zpool

           storage, name


       npiv

           virtual-port-wwn, over-hba


       verified-boot

           policy, cert


       hostkey

           raw


       suspend

           path, storage



       As  for  the property values that are paired with these names, they are
       either a string or a list of strings. The type allowed is property spe‐
       cific. Single values can be optionally enclosed within quotation marks.


       Lists have the syntax:


         [<value>,...]




       where  each  <value>  is a string property. A list of a single value is
       equivalent to specifying that value without the list syntax.  That  is,
       "foo" is equivalent to "[foo]". A list can be empty (denoted by "[]").


       The property types are described as follows:

       global: zonename

           The name of the zone.


       global: description

           An  optional  description of the zone. A string of up to 255 print‐
           able US-ASCII characters. Enclose the value in double quotes for  a
           description with spaces.


       global: zonepath

            Path to the zone's file system. The default value of zonepath is
            /system/zones/%{zonename}.


       global: global-time

           Boolean indicating that a zone can change  global/system-wide  time
           (if true) or can change the zone-specific time (if false).


       global: autoboot

           Boolean  indicating  that  a zone should be booted automatically at
           system boot. Note that if the zones service is disabled,  the  zone
           will  not autoboot, regardless of the setting of this property. You
           enable the zones service with a svcadm command, such as:



             # svcadm enable svc:/system/zones:default


           Replace enable with disable to disable the zones service. For  more
           information, see the svcadm(8) man page.


       global: autoshutdown

           Action  to take for this zone on clean shutdown of the global zone.
           Can be shutdown (a clean zone shutdown; the default); halt; or sus‐
           pend.


       global: bootargs

           Arguments (options) to be passed to the zone bootup, unless options
           are supplied to the zoneadm boot command, in which case those  take
           precedence.  The  valid  arguments  are described in zoneadm(8) man
           page.


       global: pool

           Name of the resource pool that this zone  must  be  bound  to  when
           booted.  This  property  is  incompatible  with  the  dedicated-cpu
           resource.


       global: limitpriv

           The maximum set of privileges any process in this zone can  obtain.
           The  property  should  consist  of  a comma-separated privilege set
           specification as described in priv_str_to_set(3C) man page.  Privi‐
           leges  can  be  excluded  from the resulting set by preceding their
           names with a dash (-) or an  exclamation  point  (!).  The  special
           privilege  string  "zone"  is not supported in this context. If the
           special string "default" occurs as the first token in the property,
           it expands into a safe set of privileges that preserve the resource
           and security isolation described in zones(7) man page. A missing or
           empty property is equivalent to this same set of safe privileges.

           The  system  administrator  must take extreme care when configuring
           privileges for a zone. Some privileges cannot be  excluded  through
           this  mechanism  as  they  are required in order to boot a zone. In
           addition, there are certain privileges which cannot be given  to  a
           zone  as  doing  so  would  allow processes inside a zone to unduly
           affect processes in  other  zones.  zoneadm(8)  indicates  when  an
           invalid privilege has been added or removed from a zone's privilege
           set when an attempt is made to either "boot" or "ready" the zone.

           See privileges(7) man page for a  description  of  privileges.  The
           command  "ppriv  -l" (see ppriv(1) man page) produces a list of all
           Oracle Solaris privileges. You can specify privileges as  they  are
           displayed  by  ppriv.  In  privileges(7)  man  page, privileges are
           listed in the form PRIV_privilege_name. For example, the  privilege
           sys_time,  as  you  would specify it in this property, is listed in
           privileges(7) man page as PRIV_SYS_TIME.


       global: brand

            The brand type of the zone.


       global: ip-type

           A zone can either have  its  own  exclusive  instance  of  IP  (the
           default)  or  share  the  IP  instance with the global zone. In the
           default zone template, SYSdefault, ip-type is set to exclusive.  In
           the  also-supplied SYSdefault-shared-ip template, ip-type is set to
           shared.

           This property takes the values exclusive and shared.

           The shared-IP feature might be removed  in  a  future  release.  We
           strongly   recommend  using  exclusive-IP.  Once  this  feature  is
           removed, zones configured to use this feature will no longer boot.

            To continue using your zones, please convert any zones which have
            ip-type set to shared to have ip-type set to exclusive. In most
            cases this will involve replacing zonecfg(8) "net" resources with
            "anet" resources. If you have shared IP zones that are using
            interfaces which are part of a global zone IPMP group, then you
            should switch to using DLMP aggregations. In the global zone create
            a DLMP aggregation on the old IPMP interfaces and then create a
            zonecfg(8) "anet" resource whose lower-link points to the DLMP
            aggregation. Limited shared-IP support will be retained for certain
            multilevel server Trusted Extensions configurations.


       global: hostid

           A zone can emulate a 32-bit host identifier to ease system consoli‐
           dation. A zone's hostid property is empty by default, meaning  that
           the  zone does not emulate a host identifier. Zone host identifiers
           must be hexadecimal values between 0 and FFFFFFFE. A 0x or 0X  pre‐
           fix  is  optional.  Both uppercase and lowercase hexadecimal digits
           are acceptable.


       global: fs-allowed

           A comma-separated list of  additional  file  systems  that  can  be
           mounted  within  the zone; for example, ufs, pcfs. By default, only
           hsfs(4FS) and network file systems can be mounted.

           This property does not apply to file systems mounted into the  zone
           by means of add fs or add dataset.

           Caution -



             Allowing filesystem mounts other than the default might allow the
             zone administrator to compromise the system with a bogus filesys‐
             tem image.



             Filesystems other than the default have not been audited for safe
             usage by non-global zones. Using  this  option  may  subvert  the
             security of the zone. This may include causing panics on the sys‐
             tem as a whole, or other problems, and hence this  option  should
             only be used with caution.



       global: file-mac-profile

           Define  which  parts  of the filesystem are exempted from the read-
           only policy, that is, which parts of the  filesystem  the  zone  is
           allowed to write to.

           There  are currently five supported values for this property: none,
           strict, dynamic-zones, fixed-configuration, and flexible-configura‐
           tion.

            none makes the zone exactly the same as a normal read/write zone.
            Any other setting makes the zone an immutable zone. strict allows
            no exceptions to the read-only policy. fixed-configuration allows
            the zone to write to files in and below /var, except the following
            directories, which contain configuration files:



             /var/ld
             /var/lib/postrun
             /var/pkg
             /var/spool/cron
             /var/spool/postrun
             /var/svc/manifest


           dynamic-zones  is  equal to fixed-configuration but allows creating
           and destroying non-global zones and kernel zones. This  profile  is
           only  valid for global zones, including the global zone of a kernel
           zone.

           flexible-configuration is equal to dynamic-zones, but allows  writ‐
           ing to files in /etc in addition.
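
As an added example that is not part of the zonecfg(8) man page, the following
shell script builds a zonecfg command file that applies the limitpriv,
fs-allowed and file-mac-profile settings described above, after checking the
limitpriv string against the rules the page states. The privilege choices in
the demo run, and the rejection of a "default" token that is not first, are this
script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the zonecfg(8) man page: build a zonecfg(8) command
# file that hardens a zone with the limitpriv, fs-allowed and file-mac-profile
# properties, after validating the limitpriv string against the rules the man
# page states. The privilege choices in the demo are assumptions.

# Validate a limitpriv specification; return 0 if acceptable, 1 otherwise.
# Man page rules applied: comma-separated tokens, an optional leading '-' or
# '!' excludes a privilege, the special string "zone" is not supported, and
# "default" has its documented meaning only as the first token. Rejecting
# "default" anywhere else is this script's conservative policy, not a rule
# the man page states.
check_limitpriv() {
    spec=$1
    err=
    pos=0
    # A missing or empty property equals the safe default privilege set.
    [ -z "$spec" ] && return 0
    old_ifs=$IFS
    IFS=,
    set -f                      # no pathname expansion while splitting on ','
    for tok in $spec; do
        pos=$((pos + 1))
        name=${tok#[-!]}        # privilege name without its exclusion prefix
        case $name in
            '')            err="empty token at position $pos" ;;
            zone)          err="\"zone\" is not supported in limitpriv" ;;
            default)       [ "$pos" -eq 1 ] && [ "$name" = "$tok" ] ||
                               err="\"default\" is only meaningful as the first token" ;;
            *[!a-z0-9_]*)  err="\"$tok\" is not a privilege name as printed by ppriv -l" ;;
        esac
        [ -n "$err" ] && break
    done
    set +f
    IFS=$old_ifs
    [ -z "$err" ] && return 0
    echo "limitpriv: $err" >&2
    return 1
}

# Print a zonecfg command file that sets limitpriv to $1. Feed the output to
# "zonecfg -z <zone> -f <file>" as root in the global zone (not done here);
# the same file applied to the global zone makes it an immutable global zone.
hardening_cmds() {
    privs=$1
    check_limitpriv "$privs" || return 1
    # fixed-configuration leaves /var writable except the configuration
    # directories listed above; clearing fs-allowed keeps the default of only
    # hsfs(4FS) and network file systems being mountable inside the zone.
    cat <<EOF
set limitpriv="$privs"
set file-mac-profile=fixed-configuration
clear fs-allowed
commit
EOF
}

# Demo run: the safe default set minus the ability to change the system clock.
if [ "${1:-}" = "demo" ]; then
    hardening_cmds "default,!sys_time"
fi
```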


       global: tenant


           Note -



             To  use this property and anet resource's evs and vport property,
             install Elastic Virtual Switch (EVS) IPS packages  and  configure
             the  EVS controller as described in evsadm(8) man page and Manag‐
             ing  Network  Virtualization  and  Network  Resources  in  Oracle
             Solaris 11.4.

            Defines the name of the tenant that owns the EVS to which a VNIC
            anet will be connected. See the evsadm(8) man page.


       global: cpu-arch

           Specify the migration class configured for a solaris-kz brand zone.

           A migration class is used to enable hardware features that are com‐
           patible  between  source  and  target  hosts to enable live or warm
           migration between them.

           For information on the possible values of this  property,  see  the
           solaris-kz(7) man page.


       global: host-compatible

            Specify the host compatibility level configured for a solaris-kz
            brand zone.

            A compatibility level is used to enable features supported by the
            version of Oracle Solaris running in the global zone that are
            compatible between the source and target hosts, to enable live or
            warm migration between them.

           Only  features enabled by both migration class and host compatibil‐
           ity level are visible to the kernel zone.

            Features included in a compatibility level can be extended by
            specifying compatibility level modifiers. A modifier can only be
            used with the designated compatibility level listed after each
            modifier. For now, this only works on the SPARC platform and is not
            supported on the x86 platform.

           The possible host compatibility levels are:


           native    All features  supported  in  current  version  of  Oracle
                     Solaris  are  enabled,  which  may  prevent it from being
                     migrated to other hosts running different version of Ora‐
                     cle Solaris.


           level1    The  level1 level includes the ADI, DAX, and VA Mask fea‐
                     tures.

           If no value is set, the default kernel  zone's  host  compatibility
           level will only include features supported in Oracle Solaris 11.2.

           The  following  virtinfo  command can be used to find out what host
           compatibility levels are supported by current version  of  Solaris,
           if kernel zones are supported:



             # virtinfo -c supported get host-compatible-levels kernel-zone


           The possible compatibility level modifiers are:


            adi    Enables the ADI feature; it can only be used with the
                   default compatibility level.


           The generic syntax for this property is:



             host-compatible=<compatible-level-name>[,modifier-name]...


           While specifying modifiers for  default  compatibility  level,  the
           syntax is:



             host-compatible=<modifier-name>[,modifier-name]...


           Note that a modifier cannot be used to enable a feature that is not
           supported by the migration class.


       global: boot-disk-protection

            Enables or disables the boot disk protection feature for a
            solaris-kz branded zone. It can be set to on or off. The default
            value is off.

            When set to on, the boot disks are reserved through a PGR
            reservation with the host ID as the key and
            SCSI3_RESV_WRITEEXCLUSIVEREGISTRANTSONLY as the reservation type.
            The reservation is removed after the zone is detached or
            uninstalled.

            Since cluster software also uses PGR reservations on the disks it
            manages, this feature cannot be used on disks that are also managed
            by any other cluster software. In that case, boot-disk-protection
            must be set to off. You can also reconfigure the cluster software
            running in the global zone to not manage the boot disks.

           Note that this feature requires all boot disks  to  be  on  storage
           LUNs that support SCSI-3 PGR reservation. If any boot disk does not
           meet this requirement, the zone cannot be attached or installed.


       global: hwprovider

           Configure the hardware manufacturer string returned  by  sysinfo(2)
           with  the  SI_HW_PROVIDER command for a solaris10 branded zone. See
           sysinfo(2) man page.

           When set, the only valid property value is "Sun_Microsystems". When
           this  property  is  untouched or cleared, the hardware manufacturer
           string in the global zone is used.


       fs: dir, special, raw, type, options

           Values needed to determine how, where, and so forth to  mount  file
           systems. See mount(8), mount(2), fsck(8), and vfstab(5).


       net: address, allowed-address, configure-allowed-address, physical,
       defrouter, id

            The net resource represents the assignment of a physical network
            resource to a zone. The resource must exist in the global zone
            prior to the assignment.

           The network address is one of:


               o      a valid IPv4 address, optionally followed by '/'  and  a
                      prefix length


               o      a  valid IPv6 address, which must be followed by '/' and
                      a prefix length


               o      a host name which resolves to an IPv4 address.

           Note that host names that resolve to IPv6 addresses  are  not  sup‐
           ported.

           The physical property represents the network interface name.

           The value for the optional default router is specified similarly to
           the network address except that it must not be followed  by  a  '/'
           (slash)  and  a network prefix length. To enable correct use of the
           defrouter functionality, the zones that use the property must be on
           a  different  subnet  from  the  subnet  on  which  the global zone
           resides. Also, each zone (or set of zones) that  uses  a  different
           defrouter setting must be on a different subnet.

           The  id  value  is  a positive integer used to identify the network
           interface; see solaris-kz(7) man page.

           A zone can be configured to be either  exclusive-IP  or  shared-IP.
           For  a  shared-IP  zone, you must set both the physical and address
           properties; setting the default router is optional.  The  interface
           specified  in  the  physical property must be plumbed in the global
           zone prior to booting the non-global zone. However, if  the  inter‐
           face  is  not used by the global zone, it should be configured down
           in the global zone, and the default router for the interface should
           be specified here. The allowed-address property cannot be set for a
           shared-IP zone.

           For an exclusive-IP zone, the physical property must be set and the
           address  property  must  not  be  set.  Optionally,  the  set of IP
           addresses that the exclusive-IP zone can use might  be  constrained
           by  specifying the allowed-address property. If allowed-address has
           not been specified, then the  exclusive-IP  zone  can  use  any  IP
           address  on the associated physical interface for the net resource.
           Otherwise, when allowed-address is specified, the exclusive-IP zone
           cannot  use  IP  addresses that are not in the allowed-address list
           for the physical address. If configure-allowed-address  is  set  to
           true,  the addresses specified by allowed-address are automatically
           configured on the interface each time the zone boots.  When  it  is
           set  to  false,  the allowed-address will not be configured on zone
           boot. By default, configure-allowed-address is set to true when  an
           allowed-address is specified. In addition, when the allowed-address
           list has been populated, the defrouter property can also be option‐
           ally  specified.  However,  if the defrouter value is specified and
           configure-allowed-address is set to false, the defrouter value will
           be  ignored  and  an appropriate warning message will be shown. The
           interface specified for the physical property must not be in use in
           the global zone. If an allowed-address and default router are spec‐
           ified by means of zonecfg, these will be applied to  the  interface
           when  it  is enabled by means of ipadm(8) in the non-global, exclu‐
           sive-IP zone, typically during zone boot. The non-global exclusive-
           IP  zone  will  not  be  able  to apply any other addresses to that
           interface, nor will it be able to transmit packets with a different
           source  address  for the specified IP version. A default router set
           up by means of zonecfg cannot be persistently deleted  from  within
           the non-global exclusive-IP zone using the -p flag with route(8).

           Note  that a single datalink cannot be shared among multiple exclu‐
           sive-IP zones.

           Assigning an IPoIB VNIC to a solaris-kz brand zone is not currently
           supported.
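
As an added example that is not part of the man page, the following shell
function checks the net resources in a zonecfg command file against the
shared-IP and exclusive-IP rules just described, and is run over a constructed
misconfiguration and its corrected form. The interface name net1 and the
192.0.2.0/24 addresses are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the zonecfg(8) man page: lint the net resources in a
# zonecfg command file against the shared-IP / exclusive-IP rules described
# above, before the file is fed to "zonecfg -z <zone> -f <file>". The sample
# configurations below are constructed for this demo (interface name net1,
# addresses from the 192.0.2.0/24 documentation range).

# Read zonecfg subcommands on stdin; print one finding per line and return 1
# if any net resource breaks a rule, 0 if the configuration is consistent.
lint_net_resources() {
    awk '
    function report(msg) { print msg; bad = 1 }
    function finish() {
        count++
        at = "net #" count ": "
        if (!("physical" in p))
            report(at "physical must be set")
        if (iptype == "shared") {
            if (!("address" in p))
                report(at "shared-IP zone needs address")
            if ("allowed-address" in p)
                report(at "allowed-address cannot be set for a shared-IP zone")
        } else {
            if ("address" in p)
                report(at "exclusive-IP zone must not set address (use allowed-address)")
            if (("defrouter" in p) && p["configure-allowed-address"] == "false")
                report(at "defrouter is ignored because configure-allowed-address=false")
        }
    }
    BEGIN { iptype = "exclusive"; inres = 0 }   # exclusive-IP is the default
    { sub(/^[ \t]+/, "") }                       # tolerate indented files
    /^set ip-type=/ { iptype = substr($0, 13); gsub(/"/, "", iptype); next }
    /^add net$/     { inres = 1; split("", p); next }
    inres && /^set / {
        line = substr($0, 5)
        eq = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^"|"$/, "", val)                   # optional surrounding quotes
        p[key] = val
        next
    }
    inres && /^end$/ { finish(); inres = 0 }
    END { if (bad) exit 1; exit 0 }
    '
}

# Constructed weak configuration: a default router is given, but
# configure-allowed-address=false means nothing is applied at zone boot, so
# the defrouter value is ignored (zonecfg only warns about this).
weak_net_config() {
    cat <<'EOF'
set ip-type=exclusive
add net
set physical=net1
set allowed-address=192.0.2.10/24
set configure-allowed-address=false
set defrouter=192.0.2.1
end
EOF
}

# Corrected form: the allowed address and router are applied on every boot,
# and the zone can neither use other addresses on net1 nor send packets with
# a different source address for that IP version.
fixed_net_config() {
    cat <<'EOF'
set ip-type=exclusive
add net
set physical=net1
set allowed-address="192.0.2.10/24"
set configure-allowed-address=true
set defrouter=192.0.2.1
end
EOF
}

if [ "${1:-}" = "demo" ]; then
    echo "weak configuration:";  weak_net_config  | lint_net_resources
    echo "fixed configuration:"; fixed_net_config | lint_net_resources && echo "no findings"
fi
```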


       anet: linkname, lower-link, allowed-address, auto-mac-address, config‐
       ure-allowed-address, defrouter, mac-address, mac-slot, mac-prefix, mtu,
       maxbw, bwshare, priority, vlan-id, vsi-typeid, vsi-vers, vsi-mgrid,
       rxfanout, rxrings, txrings, link-protection, allowed-dhcp-cids, pkey,
       linkmode, etsbw-lcl, cos, id, evs, vport, mac, iov, vlan, ring-group,
       autopush, lro

           The anet resource represents the automatic creation  of  a  network
           resource  for  an  exclusive-IP  zone.  When zonecfg creates a zone
           using the default SYSdefault template, an anet  resource  with  the
           following properties is automatically included in the zone configu‐
           ration:



             linkname=net0
             lower-link=auto
             mac-address=auto
             link-protection=mac-nospoof


           When such a zone boots, a temporary VNIC or IPoIB datalink is auto‐
           matically  created  for the zone. The VNIC or the IPoIB datalink is
           deleted when the zone halts.

            If there is an IP interface for the given anet resource configured
            in the zone, it must be disabled or deleted before live zone
            reconfiguration (LZR) is used to remove the anet resource from the
            zone. Otherwise, the removal of the anet resource will fail.


           Note -



             To  use  EVS  and  VPort install Elastic Virtual Switch (EVS) IPS
             packages, and then configure EVS controller as described  in  the
             evsadm(8)  man  page and Managing Network Virtualization and Net‐
             work Resources in Oracle Solaris 11.4.

            An EVS is a virtual switch that spans one or more servers (physical
            machines). It represents an isolated L2 segment, and provides
            network connectivity between the zones whose VNIC anets are
            connected to it. A VPort is uniquely identified by the 3-tuple
            <tenant, evs, vport>, so a zone's configuration should include this
            information if a VNIC anet needs to be connected to an EVS.


           Note -



              For a VNIC anet connecting to an EVS, the only allowed anet
              property is linkname, as it acquires the other properties from
              the VPort.

           The supported properties are described below. All these  properties
           are  optional.  Only the global zone is allowed to modify the auto‐
           matically created VNIC or IPoIB datalink or its  properties.  If  a
           property  set  in  zonecfg  cannot be assigned to the VNIC or IPoIB
           datalink at its creation time, the zone will fail to boot.

           linkname

               Specify a name for the  automatically  created  VNIC  or  IPoIB
               datalink.  By  default, this property will be automatically set
               to the first available name (for the zone) of  the  form  netN,
               where  N  is  a non-negative integer. For example:  net0, net1,
               and so on.  The  info  subcommand  displays  the  automatically
               selected linkname.

               Multiple  zones, including the global zone, can have links with
               the same name at the same time.


           evs
           vport

                If EVS is specified, and optionally a VPort is specified, then
                the VNIC anet will be created by connecting to that EVS at that
                VPort. If the global tenant property is specified, then the EVS
                will be searched for in that tenant's namespace.

                If VPort is specified, then the SLA properties (maxbw, cos, and
                priority), IP address, and default router MAC address of the
                VPort will be inherited by the VNIC. If VPort is not specified,
                then the EVS controller will generate a system VPort (which
                will have an IP address, a MAC address, and the EVS's default
                SLA properties) and the VNIC will be connected to this system
                VPort.

               IP address anti-spoofing is enabled on the VNIC by setting the
               VNIC's allowed-ips property to the VPort's IP address. The
               VPort's IP address is configured on the interface each time
               the zone boots, and the default router IP address associated
               with the VPort is configured in the zone as well.

               See  the  evsadm(8)  man  page  for more information on EVS and
               VPorts.



           lower-link

               Specify the link over which the VNIC or IPoIB partition will
               be created. For Ethernet links this property defaults to auto.
               If pkey is specified, lower-link must name a valid IPoIB phys
               class datalink. The administrator may set a value explicitly
               when adding the anet resource; any link accepted by the -l
               option of dladm create-vnic or dladm create-part is allowed
               (see the dladm(8) man page). If this property is set to a link
               name (other than auto) and that link does not exist, the zone
               will fail to boot. When set to auto, the zoneadmd(8) daemon
               chooses the link over which the VNIC is created each time the
               zone boots; IPoIB datalinks are skipped during this automatic
               selection. The link is chosen using the following heuristic:


                   1.     A link aggregation that has a link state of up.


                   2.     Of the physical Ethernet links, choose the link with
                          the following:

                       a.     Link state of up


                       b.     Maximum   number   of  available  VFs  (only  if
                              iov=auto/on)


                       c.     Supports exclusive ring groups  (only  if  ring-
                              group=exclusive)


                       d.     Maximum number of free mac-slots


                       e.     The one with the alphabetically smallest name




                   3.     If none is up, the datalink named net0 is used if it
                          exists.


               If none of the above can be satisfied, the zone  will  fail  to
               boot.


           allowed-address

               See  the description of the allowed-address property for exclu‐
               sive-IP zones in the net resource.


           auto-mac-address

               Holds the list of the randomly generated MAC addresses when the
               mac-address property is set to random or auto (only if a random
               mac-address can be allocated), so that the zone reacquires  the
               same  addresses  on  a  persistent basis. To reset the randomly
               generated addresses, an administrator needs to clear this prop‐
               erty. For more information, see mac-address property below.


           bwshare

               Specify  the bandwidth share for the VNIC. See bwshare property
               in dladm(8) man page. This property is currently supported only
               on certain NICs.


           configure-allowed-address

               See  the  description of the configure-allowed-address property
               for exclusive-IP zones in the net resource.


           cos

               The 802.1p priority associated with the datalink. See  dladm(8)
               man page for details on this property.


           defrouter

               See  the description of the defrouter property for exclusive-IP
               zones in the net resource.


           etsbw-lcl

               Indicates the ETS bandwidth on the TX side.  See  dladm(8)  man
               page for details on this property.


           mac-address

               Set  the  VNIC's  list  of MAC addresses based on the specified
               values or keywords. If an element of the list is not a keyword,
               it  is  interpreted  as a unicast MAC address. This property is
               not supported on IPoIB datalinks. The supported keywords are:


                   o      factory: Assign a factory MAC address to the VNIC.


                    o      random: Assign a random MAC address to the VNIC. Use
                           the mac-prefix property to specify a prefix.
                           Otherwise, a default prefix consisting of a valid
                           IEEE OUI with the local bit set is used.


                    o      auto: Assign a random MAC address if the NIC
                           supports it; otherwise, assign a factory MAC
                           address. This is the default value.

               If  any  random  MAC addresses are selected, then the addresses
               generated  will  be  preserved  across  zone  boots  and   zone
               detach/attach.  This  will  allow  zones  to  retain their DHCP
               leases by maintaining stable client  IDs,  and  otherwise  take
               advantage of other benefits of having stable MAC addresses.


           mac-prefix

               Specify  the  list of MAC address prefixes to use if random MAC
               address allocation is requested.  Otherwise  this  property  is
               ignored. This property is not valid over IPoIB datalinks.


           mac-slot

               Specify  the  list of MAC address slot identifiers used if fac‐
               tory MAC addresses are requested. Otherwise  this  property  is
               ignored. This property is not valid over IPoIB datalinks.

               This setting is deprecated, and should not be used if any zones
               have mac-address=factory or mac-address=auto settings, as those
               zones  may  boot earlier, and acquire the slot first. If a par‐
               ticular factory MAC address  is  needed,  specify  the  address
               explicitly in mac-address, and ensure that any other zones that
               may use the slot will not boot before this zone.


           allowed-mac-address

               Specify the list of 1 to 5 octet long MAC prefixes.  With  this
               set,  a  solaris-kz(7)  brand zone can create a VNIC as long as
               the MAC address of the VNIC begins with one of the MAC  address
               prefixes in the allowed-mac-address list.

               For some use cases the MAC addresses needed inside a kernel
               zone are not known ahead of time, so the MAC address has to be
               configured dynamically. With this property set, the guest can
               push the MAC address it needs to the host, and the creation of
               a VNIC inside the guest succeeds as long as that MAC address
               begins with one of the entries in the list.

               Any  other  properties of anet mac resource cannot be specified
               when this property is specified.

               Setting allowed-mac-address to a special  keyword  'any',  will
               allow  the  guest  to  create a VNIC with any valid unicast MAC
               address.


           mtu

               The maximum transmission unit of the VNIC  in  bytes.  See  mtu
               property in dladm(8) man page.


           maxbw

               Specify the full duplex bandwidth for the VNIC. See maxbw prop‐
               erty in dladm(8) man page. By default, the VNIC  will  use  the
               maxbw set on the lower-link and if none is set then there is no
               bandwidth limit.


           priority

               Specify the relative priority for the VNIC.  See  the  priority
               property in dladm(8) man page for supported values and default.


           ring-group

               Setting  this  property  allows  a zone to make use of hardware
               ring group capability of the Ethernet link. The possible values
               of this property are:


               auto         The OS decides whether an exclusive or a shared
                            ring group is used on a particular lower-link
                            (the default).


               shared       Do not use a dedicated hardware ring group.


               exclusive    Use an exclusive hardware ring group. If an
                            exclusive hardware ring group is not available,
                            anet creation fails.


               If this property is exclusive and lower-link is not  specified,
               the  lower-link  selection logic will take this into considera‐
               tion in addition to other criteria (see lower-link property for
               details).

               This property has the following limitation:

                   o      It is incompatible with anet iov property.



           vlan-id

               Enable VLAN or PVLAN tagging for this VNIC and specify an ID
               for the VLAN tag. There is no default value: if this property
               is not set, the VNIC does not participate in any VLAN. This
               property is not supported on IPoIB datalinks. See the dladm(8)
               man page for the supported VLAN ID format.


           vsi-typeid

               Specify  the  VSI  Type  ID  associated  with  a  VNIC. See the
               description in the dladm(8) man page.


           vsi-vers

               Specify the  VSI  Version  associated  with  a  VNIC.  See  the
               description in the dladm(8) man page.


           vsi-mgrid

               Specify  the  VSI  Manager  ID  associated with a VNIC. See the
               description in the dladm(8) man page.


           rxfanout

               Specify the number of  receive-side  fanout  threads.  See  the
               description in the dladm(8) man page.


           rxrings

               Specify  the  receive rings for the VNIC. See the rxrings prop‐
               erty in the dladm(8) man page for supported values and default.


           txrings

               Specify the transmit rings for the VNIC. See the txrings  prop‐
               erty in the dladm(8) man page for supported values and default.


           link-protection

               Enables  one or more types of link protection using comma-sepa‐
               rated values. See the protection property in dladm(8) man  page
               for supported values. It has a default value of mac-nospoof.

               To disable link-protection altogether on an anet, set the link-
               protection value to none. The assumption here  is  that  either
               anti-spoofing  is not required (zone is either trusted or wraps
               advanced network services) or is checked for elsewhere  in  the
               system or network.

               Note  that  adding  ip-nospoof  to  this  property will have no
               effect unless allowed-address is  also  set.  Setting  allowed-
               address  will implicitly add ip-nospoof to the set of link-pro‐
               tection (if link-protection is explicitly set to none, then ip-
               nospoof  will  not be added), and clearing allowed-address will
               remove it.


           allowed-dhcp-cids

               Setting this property will enable dhcp-nospoof on the VNIC. See
               dladm(8) man page for details.


           pkey

               Specifies  the  InfiniBand  Partition key value in hexadecimal.
               pkey is always treated as hexadecimal, whether it  has  the  0x
               prefix or not. This property is only valid for IPoIB datalinks.


           linkmode

               Sets  the  link  transport  service  type  on  an  IB partition
               datalink. The default value is cm. This property is valid  only
               for IPoIB datalinks. Valid values are:

               cm

                   Connected  Mode.  This mode uses a default MTU of 65520 and
                   supports a maximum MTU of 65535 bytes. If Connected Mode is
                   not  available  for a remote node, Unreliable Datagram mode
                   will automatically be used instead.


               ud

                   Unreliable Datagram Mode. This mode uses a default  MTU  of
                   2044 and supports a maximum MTU of 4092 bytes.




           iov

               Setting  this  property  allows a solaris-kz brand zone to make
               use of SR-IOV VFs for network devices. The possible  values  of
               this property are:


                    o      auto: Use a VF if one is available; if not, fall
                           back to using a para-virtual device.


                   o      on: Must use a VF. If a VF is  not  available,  cre‐
                          ation of anet fails.


                   o      off: Do not use a VF (the default).

               If  this  property  is auto/on and lower-link is not specified,
               the lower link selection logic will take this  into  considera‐
               tion in addition to other criteria (see lower-link property for
               details).

               Here are the limitations of this property:

                   o      It can only be used with the solaris-kz brand zone.


                   o      It is incompatible with all anet  properties  except
                          for  lower-link,  id,  mac-address, mac-prefix, mac-
                          slot, maxbw, bwshare, and priority.


                   o      iov can only be "off" or "auto" if lower-link  is  a
                          link aggregation.



           lro

               Large  receive  offload. Valid values are on, off, or auto. The
               value auto is set to inherit the lower link's  lro  disposition
               and  is  the  default. This property is valid only for Ethernet
               links. See the description in the dladm(8) man  page  for  more
               information.

               Here are the limitations of this property:

                   o      It can only be used with the solaris-kz brand zone.





       autopush

           The  set of STREAMS modules to push on the stream associated with a
           link when its DLPI device is opened.  This  property  is  a  comma-
           delimited  list  of  module  names.  It may be used on exclusive-ip
           zones only.


       id

           A positive integer used to identify the network interface; see  the
           solaris-kz(7) man page.


       vlan: vlan-id, dynamic-vlan-id

           The  vlan  resource  is  used  to  add  extra  VLAN IDs to the anet
           resource. The Port VLAN ID for the anet is given by the  anet:vlan-
           id property.


           vlan-id

               Specifies the VLAN ID for which frames must be received and
               sent between the external network and the solaris-kz zone.


           dynamic-vlan-id

               Specify the list of VLAN IDs or VLAN IDs range. With this  set,
               a  solaris-kz(7)  brand  zone can create a VNIC on a particular
               VLAN as long as the VLAN ID is in the dynamic-vlan-id list.

               For some use cases the VLAN IDs needed inside a kernel zone
               are not known ahead of time, so the VLAN ID has to be
               configured dynamically. With this property set, the guest can
               push the VLAN ID it needs to the host, and the creation of a
               VNIC inside the guest succeeds as long as that VLAN ID is one
               of the entries in the list.

               Any  other  properties of anet mac resource cannot be specified
               when this property is specified.

               Setting dynamic-vlan-id to a special keyword 'any', will  allow
               the guest to use any valid VLAN ID.

           Specifying  additional set of VLAN IDs provides an ability to place
           zones and VNICs created inside of solaris-kz brand  zone  in  their
           own VLAN. This resource makes solaris-kz brand zone VLAN aware. The
           host forwards the packets meant for these VLANs untouched (does not
           strip  the  VLAN  tag) to solaris-kz zone. The solaris-kz zone will
           then forward the packet to the right client.

           On the transmit side, packets on these  VLANs  will  be  tagged  by
           solaris-kz and passed onto the host. The host forwards the packets,
           without stripping the tag, based on the destination MAC.


       mac: auto-mac-address, mac-address, mac-prefix, id

           The mac resource is used to add extra  mac-addresses  to  the  anet
           resource,  the primary mac address is given by the anet:mac-address
           property.

           auto-mac-address

               Holds the list of the randomly generated MAC addresses when the
               mac-address  property  (see below) is set to random or auto, so
               that the zone re-acquires the same addresses  on  a  persistent
               basis.  To  reset the randomly generated addresses, an adminis‐
               trator needs to clear this property.


           mac-address

               Sets the VNIC's list of MAC addresses based  on  the  specified
               values or keywords. If an element of the list is not a keyword,
               it is interpreted as a uni-cast MAC address. This  property  is
               not supported on IPoIB datalinks. The supported keywords are:


               factory:

                   Assigns  a  factory MAC address to the VNIC. When a factory
                   MAC address is requested, the mac-slot property can be used
                   to  specify the MAC address slot identifier. Otherwise, the
                   next available factory MAC address will be used.


               random:

                   Assigns a random MAC address to the VNIC. Use the  mac-pre‐
                   fix property to specify a prefix. Otherwise, a default pre‐
                   fix consisting of a valid IEEE OUI with the local  bit  set
                   will be used.


               auto:

                    Assigns a random MAC address if the NIC supports it;
                    otherwise, tries to assign a factory MAC address. This is
                    the default value.


               If  any  random  MAC addresses are selected, then the addresses
               generated  will  be  preserved  across  zone  boots  and   zone
               detach/attach.  This  will  allow  zones  to  retain their DHCP
               leases by maintaining stable client  IDs,  and  otherwise  take
               advantage of other benefits of having stable MAC addresses.


           mac-prefix

               Specifies the list of MAC address prefixes to use if random MAC
               address allocation is requested. Otherwise,  this  property  is
               ignored. This property is not valid over IPoIB datalinks.

           id

               A positive integer used to identify the resource uniquely.




       ib-vhca: over-hca, id, port

           An ib-vhca resource represents the automatic creation of a  virtual
           Infiniband  HCA device for a kernel zone. When such a zone boots, a
           temporary VHCA is created. It is destroyed when the zone halts.

           The supported properties are described below. All these properties
           are optional. Only the host system's global zone is allowed to
           modify the automatically created VHCAs. If a property set in
           zonecfg cannot be assigned to the VHCA at its creation time, the
           zone will fail to boot.

           over-hca

               Sets the physical InfiniBand device to use for configuration of
               the  virtual InfiniBand device. The device name is as listed in
               the ibadm command. For more information, see the  ibadm(8)  man
               page.


           smi-enabled

               Specifies  whether  the  virtual  HCA can use Subnet Management
               Packets (SMPs). If the value of this  property  is  "on",  then
               SMPs  are  allowed  for  this  virtual HCA. If this property is
               "off" then SMPs cannot be used with this virtual  HCA.  If  the
               value  is  "readonly", then this virtual HCA can only use query
               SMP operations and not "set" operations. The default  value  is
               "off".  The  value  "on" is not recommended without considering
               the possible security impact on the fabric. When  running  with
               "on", M_Keys should be set on fabric components.


           id

               Uniquely identifies the ib-vhca resource.



       port: pkey, id


           pkey

               Specifies  the  InfiniBand  Partition key value. The pkey value
               can either be a keyword or a comma separated list of  hexadeci‐
               mal values. The 0x prefix should not be used for specifying the
               hexadecimal value. The keyword allowed for pkey is:

               auto    Assigns an automatically generated pkey value based  on
                       over-hca value specified. This is the default value.



           id

               Id is used to uniquely identify the port resource. Each id cor‐
               responds to the physical port number.

           The GUID assigned to each port on zone  boot  can  be  obtained  by
           inspecting the Live Configuration of the running zone.


       device: match, storage, create-size, allow-partition, allow-raw-io,
       allow-mhd, id, bootpri, removable

           The match property gives the device name to match, either a glob
           pattern or an absolute pathname. Note that device resources and
           aliased datasets can have namespace conflicts in /dev/zvol. See
           the dev(4FS) man page.

           Alternatively,  the  storage  property  can be set to a storage URI
           (see suri(7)). In this case, the  SURI  is  mapped  when  the  zone
           boots, and the matching device nodes are available inside the zone.
           The SURI is unmapped when the zone halts. In this case,  allow-par‐
           tition is automatically set to true.

           Note that only the storage property can be used for kernel zones;
           the match property is not supported. For more information, see
           the solaris-kz(7) man page.

           If  the  storage  URI supports creation of the device, then create-
           size may be set to describe the size of the device to  be  created.
           If  the storage URI exists and create-size is set, then create-size
           is ignored.

           allow-partition, allow-raw-io, and allow-mhd can be set to true  or
           false, and default to false. See NOTES.


           Note -

             In general, adding devices to a zone can compromise the security
             of the system; see NOTES.

           The id value is a positive integer used  to  identify  the  virtual
           block device. For more information, see the solaris-kz(7) man page.

           The bootpri property specifies the relative boot priority of a boot
           disk. For more information, see the solaris-kz(7) man page.

           The removable property may be set to true or false. Only file stor‐
           age URIs support the true value. If set, the underlying lofi device
           is set up as removable and  read-only.  See  rmformat(1)  for  more
           information.


       rctl: name, value

           The  name  and  priv/limit/action triple of a resource control. See
           the prctl(1) and rctladm(8) man pages. The  preferred  way  to  set
           rctl  values  is  to use the global property name associated with a
           specific rctl.

           Multiple rctl values may be given, and are of the form:


             (priv=<value>,limit=<value>,action=<value>)




       virtual-cpus: ncpus

           Specify the number of virtual  CPUs  configured  for  a  solaris-kz
           brand zone. See the solaris-kz(7) man page.


       attr: name, type, value

           The  name,  type and value of a generic attribute. The type must be
           one of int, uint, boolean or string, and the value must be of  that
           type. uint means unsigned, that is, a non-negative integer.

           The  name  property of an attr resource is syntactically restricted
           in a fashion similar but not identical to zone names: it must begin
           with an alphanumeric, and can contain alphanumerics plus the hyphen
           (-), underscore (_), and dot (.) characters. Attribute names
           beginning with "zone" are reserved for use by the system. Finally,
           the autoboot and global-time global properties must have a value
           of "true" or "false".


       dataset: name, alias

           The  name of a ZFS dataset to be accessed from within the zone. See
           the zfs(8) man page. Each dataset is aliased such that  it  appears
           as a virtual ZFS pool in the zone.


           Note -



             The  only  supported  ZFS  dataset  type  for a delegated dataset
             resource is filesystem. Other dataset types, such as Volumes  and
             Snapshots cannot be added.

           The alias is the name of this virtual pool. See the zpool(8) man
           page for name restrictions that apply to ZFS pool names and as a
           result also apply to dataset alias values. The alias rpool is
           reserved for the zone's rpool dataset. Note that aliased datasets
           and device resources can have namespace conflicts in /dev/zvol. See
           the dev(4FS) man page.

           Dataset to delegate must not be a descendant of any other delegated
           dataset, including the zone's top-level delegated dataset.


       global: cpu-shares

           The number of Fair Share Scheduler (FSS) shares to allocate to this
           zone.  This  property  is  incompatible  with   the   dedicated-cpu
           resource.  This  property is the preferred way to set the zone.cpu-
           shares rctl.


       global: max-adi-metadata-memory

           Total amount of memory for storing ADI metadata of pages  that  may
           be written to the backing store. This property is the preferred way
           to set the zone.max-adi-metadata-memory rctl.


       global: max-lwps

           The maximum number of LWPs simultaneously available to  this  zone.
           This property is the preferred way to set the zone.max-lwps rctl.


       global: max-msg-ids

           The maximum number of message queue IDs allowed for this zone. This
           property is the preferred way to set the zone.max-msg-ids rctl.


       global: max-processes

           The maximum number of process table slots simultaneously  available
           to  this  zone.  This  property  is  the  preferred  way to set the
           zone.max-processes rctl. Setting this property will implicitly  set
           the  value  of  the  max-lwps  property  to  10 times the number of
           process slots unless the max-lwps property has been set explicitly.


       global: max-sem-ids

           The maximum number of semaphore IDs allowed  for  this  zone.  This
           property is the preferred way to set the zone.max-sem-ids rctl.


       global: max-shm-ids

           The maximum number of shared memory IDs allowed for this zone. This
           property is the preferred way to set the zone.max-shm-ids rctl.


       global: max-shm-memory

           The maximum amount of shared memory allowed  for  this  zone.  This
           property  is the preferred way to set the zone.max-shm-memory rctl.
           A scale (K, M, G, T) can be applied to the value  for  this  number
           (for example, 1M is one megabyte).


       global: scheduling-class

           Specifies  the  scheduling  class  used  for processes running in a
           zone. When this property is not specified, the scheduling class  is
           established as follows:

               o      If  the  cpu-shares  property or equivalent rctl is set,
                      the scheduling class FSS is used.


               o      If neither cpu-shares nor the equivalent rctl is set and
                      the  zone's  pool  property references a pool that has a
                      default scheduling class, that class is used.


               o      Under any other conditions, the system default  schedul‐
                      ing class is used.



       dedicated-cpu: cpus, cores, sockets, ncpus, importance

           This  resource  will  create a pool and processor set for exclusive
           use by the zone when it boots. These processors are  not  available
           for  use  by  other zones or the global zone while the zone is run‐
           ning. See the poolcfg(8) and pooladm(8) man pages for more informa‐
           tion on pools.

           The  CPUs  to dedicate can be specifically chosen, or automatically
           chosen:


           Choosing specific CPU resources

               Set one of cpus, cores, or sockets to a list of  CPU,  core  or
               socket IDs. Use psrinfo -t and pooladm to see which CPUs, cores
               and/or sockets are available.

               These properties can be set to id list strings as described  by
               the resource-management(7).

               If  any of the specified resources are assigned to another zone
               or pool, the zone will fail to boot. This includes  subsets  of
               the  assigned resources. For example, if an assigned socket has
               a core assigned elsewhere.

               If any of the specified CPU  resources  do  not  exist  or  are
               faulted  or  offline, a warning will be displayed when the zone
               boots. The zone will receive all of the specified CPU resources
               that are online.

               If a CPU resource is partially online, such as a core with some
               CPUs faulted, the zone will receive the remaining  online  CPUs
               from the core, and a warning will be displayed.

               If  none  of  the  specified CPU resources are online, the zone
               will fail to boot.


           Automatically chosen CPU resources

               This can vary on each boot or live zone reconfiguration of  the
               zone.

               Set  ncpus  to  an  integer  range  or scalar value. A range is
               expressed using a -, such as 1-4 to represent one to four  pro‐
               cessors.  If  a  range is specified, the quantity of CPUs dedi‐
               cated to the zone may change while the zone is running.

               Optionally set importance, an integer giving the importance of
               the resource pool associated with the dedicated CPUs. Pools
               with higher importance are favored for CPU allocation when
               ranges are used. See the libpool(3LIB) man page for a
               description of importance based allocation.

               If  there  are  not sufficient available online CPUs to satisfy
               the minimum or integer value set, the zone will fail to boot or
               live reconfigure.

               When automatic CPUs are configured, the specific CPUs dedicated
               to the zone can change while it is running. For example, if a
               CPU resource in use by a running automatic zone is assigned
               elsewhere, the CPU resource is replaced with another available
               CPU resource. The quantity of CPU resources dedicated to a
               running automatic CPU zone can also change, within the
               constraints of the specified range.

               solaris-kz branded zones cannot change CPUs while running. They
               do not support a range value for ncpus. CPU resources in use by
               running  solaris-kz branded zones cannot be assigned elsewhere,
               even if they are chosen automatically. Due to this, it is  rec‐
               ommended that zones using specific CPUs should be booted before
               solaris-kz branded zones using automatic CPUs.


           This resource is incompatible with both  the  pool  and  cpu-shares
           properties. Only a single instance of this resource can be added to
           the zone.


       capped-memory: physical, swap, locked, pagesize-policy, memory-reserve

           The physical, swap, and locked properties cap the memory that can
           be used by this zone. A scale (K, M, G, T) can be applied to the
           value for each of these numbers (for example, 1M is one megabyte).
           Each of these three properties is optional, but at least one must
           be set when adding this resource. Only a single instance of this
           resource can be added to the zone. The physical property sets the
           max-rss for this zone; this is enforced by rcapd(8) running in the
           global zone. The swap property is the preferred way to set the
           zone.max-swap rctl. The locked property is the preferred way to set
           the zone.max-locked-memory rctl.

           The  pagesize-policy and memory-reserve properties for the solaris-
           kz brand are mutually exclusive. The  pagesize-policy  property  is
           used  to  specify a policy for using large page(s) for its physical
           memory. The memory-reserve property is used to specify which memory
           reserve  pool  service  to  allocate physical memory from. For more
           information, see the solaris-kz(7) man page.


       capped-cpu: ncpus

           Sets a limit on the amount of CPU time that can be used by a zone.
           The unit used translates to the percentage of a single CPU that can
           be used by all user threads in a zone, expressed as a fraction (for
           example, .75) or a mixed number (whole number and fraction, for
           example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of
           1.25 means 125%, .75 means 75%, and so forth. When projects within
           a capped zone have their own caps, the minimum value takes
           precedence.

           capped-cpu is an alias for the zone.cpu-cap resource control. See
           resource-controls(7).


       global: boot-priority

           Priority  used  by  the  zones  delegated restarter when performing
           autobooting of zones. The priority can be set to high, normal,  and
           low. For more information, see the svc.zones(8) man page.


       smf-dependency: fmri, grouping, name

           Defines the SMF dependencies for the zone's SMF instance. All SMF
           dependencies for a zone have restart_on set to none. Each
           smf-dependency resource must have one fmri property. If grouping
           is omitted, the default value require_all is used. name is optional
           and should be used only when grouping multiple FMRIs is required,
           such as in a require_any dependency. Setting an existing name
           automatically fills grouping. Names with the prefix 'SMF-DEP-' are
           reserved for the system and cannot be set. For more information
           about dependency type, grouping, and restart_on definitions, see
           the smf(7) man page.


       admin: user, auths

           Delegates zone administrative authorizations to the specified  user
           or  role.  The  user  must correspond to a valid local account. The
           allowed values for auths are:

           clonefrom

               Allows the use of the specified zone as a source from which  to
               clone a new zone.


           config

               Allows modifying the persistent configuration of the zone.


           liveconfig

               Allows inspecting and modifying the live configuration of the
               running zone.


           login

               Allows authenticated use of zlogin(1) into this zone.


           manage

               Allows normal management of the configured zone.


           migrate

               Allows migration  of  the  zone  between  hosts.  Migration  is
               allowed for installed and running zones.


           migrate.cold

               Allows  cold  migration of the zone between hosts. Migration is
               only allowed for installed zones.



       rootzpool: storage

           Defines one or more storage resources to be used exclusively for  a
           dedicated  ZFS  pool  containing the zone installation. The allowed
           values for storage are defined in suri(7).


       zpool: storage, name

           Defines one or more storage resources to be used exclusively for  a
           zpool  delegated  to  the  zone. The allowed values for storage are
           defined in suri(7) man  page.  The  allowed  values  for  name  are
           defined in zpool(8) man page. The name rpool is not permitted.


       npiv: virtual-port-wwn, over-hba

           Sets a unique 64-bit port World Wide Name for an NPIV port with
           virtual-port-wwn. The property is optional; if it is not set, an
           automatically generated WWN is assigned. Users can still override
           the generated WWN.

           The over-hba property is optional as well and may be an empty
           string, in which case physical HBA ports are chosen in a
           round-robin fashion to spread the virtual ports across the
           available ports. If this property is set, the value of over-hba
           must be an unsigned integer prefixed by 'c', naming one physical
           NPIV-capable FC HBA controller as shown under /dev/cfg/c*. Refer to
           the cfgadm_fp(8) man page for more detailed information.


       verified-boot: policy, cert


            policy    Controls ELF signature verification of the bootloader
                      and kernel modules in the zone's guest. Values can be
                      set to none, warning and enforce. none skips
                      verification. warning logs a message on verification
                      failure. enforce causes the module not to load on
                      failure. By default, policy is set to warning.


           cert      Adds customer-installed public key cert  for  third-party
                     and  self-signed  software. These cert files are used for
                     ELF signature verification in  addition  to  the  default
                     Oracle  cert.  The cert path can be added using file:///,
                     http:// or https:// URL.



       keysource: raw

           Provides administrative access to the cryptographic  key  used  for
           kernel  zone  suspend images and host data as described in solaris-
           kz(7) man page. The value of raw cannot  be  set  directly,  except
           with the command_file mode.


       suspend: path, storage

           Configures the location of a kernel zone's suspend image. Only one
           suspend resource is allowed. If no suspend resource is present,
           suspend and resume are not supported by the kernel zone. The
           suspend resource allows either path or storage to be specified,
           but not both. If path is specified, it is the full path to which
           the suspend file will be written, and its parent directory must
           exist. If storage is specified, it must be a device referenced by
           a storage URI as described in the suri(7) man page. NFS storage
           URIs are not currently supported.


   Using Kernel Statistics to Monitor CPU Caps
       Using  the  kernel  statistics  (kstat(3KSTAT)) module caps, the system
       maintains information for all capped projects and zones. You can access
       this information by reading kernel statistics (kstat(3KSTAT)), specify‐
       ing caps as the kstat module name. The following command displays  ker‐
       nel statistics for all active CPU caps:


         # kstat caps::'/cpucaps/'




       A  kstat(8)  command  running in a zone displays only CPU caps relevant
       for that zone and for projects in that zone. See EXAMPLES.


       The following are cap-related arguments for use with kstat(8):

       caps

           The kstat module.


       project_caps or zone_caps

           kstat class, for use with the kstat  -c option.


       cpucaps_project_id or cpucaps_zone_id

           kstat name, for use with the kstat  -n option. id is the project or
           zone identifier.




       The  following  fields  are displayed in response to a kstat(8) command
       requesting statistics for all CPU caps.

       module

           In this usage of kstat, this field will have the value caps.


       name

           As described above, cpucaps_project_id or cpucaps_zone_id


       above_sec

           Total time, in seconds, spent above the cap.


       below_sec

           Total time, in seconds, spent below the cap.


       maxusage

           Maximum observed CPU usage.


       nwait

           Number of threads on cap wait queue.


       usage

           Current aggregated CPU usage for all threads belonging to a  capped
           project or zone, in terms of a percentage of a single CPU.


       value

           The cap value, in terms of a percentage of a single CPU.


       zonename

           Name of the zone for which statistics are displayed.




       See EXAMPLES for sample output from a kstat command.
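       As an added example that is not part of this man page, the following
       POSIX shell function summarises the caps kstats described above for
       each capped zone: current usage against the cap (value, in percent of
       one CPU), the share of time spent above the cap, and queued threads
       (nwait). It assumes "kstat -p" style input, one
       module:instance:name:statistic value pair per line; the sample lines
       and the 5-point "at cap" threshold are constructed here.

```shell
#!/bin/sh
# Added example (not from the man page): summarise the CPU-cap kstats that
# the caps module exposes for zones, from "kstat -p" style output, which is
# assumed to be one "module:instance:name:statistic value" per line
# (kstat -p separates the value with a tab; any whitespace is accepted).
# Only statistics documented above are used: usage, value, above_sec,
# below_sec, nwait and zonename.

# Constructed sample for two capped zones. "value" is the cap as a percentage
# of one CPU (300 corresponds to ncpus=3); "usage" is the current aggregate.
SAMPLE_KSTAT='caps:1:cpucaps_zone_1:above_sec 45
caps:1:cpucaps_zone_1:below_sec 255
caps:1:cpucaps_zone_1:maxusage 300
caps:1:cpucaps_zone_1:nwait 4
caps:1:cpucaps_zone_1:usage 298
caps:1:cpucaps_zone_1:value 300
caps:1:cpucaps_zone_1:zonename myzone
caps:2:cpucaps_zone_2:above_sec 0
caps:2:cpucaps_zone_2:below_sec 300
caps:2:cpucaps_zone_2:maxusage 40
caps:2:cpucaps_zone_2:nwait 0
caps:2:cpucaps_zone_2:usage 12
caps:2:cpucaps_zone_2:value 75
caps:2:cpucaps_zone_2:zonename webzone'

# cap_report: read kstat -p lines on stdin and print one line per zone:
#   <zonename> usage=<pct>/<cap> ncpus=<cap/100> above=<pct of time> nwait=<n> <STATUS>
cap_report() {
    awk '
        {
            # $1 is module:instance:name:statistic, $2 the value
            if (split($1, k, ":") != 4 || k[1] != "caps" || k[3] !~ /^cpucaps_zone_/) next
            stat[k[3], k[4]] = $2; names[k[3]] = 1
        }
        END {
            for (n in names) {
                cap   = stat[n, "value"] + 0
                use   = stat[n, "usage"] + 0
                above = stat[n, "above_sec"] + 0
                total = above + stat[n, "below_sec"]
                share = (total > 0) ? 100 * above / total : 0
                nwait = stat[n, "nwait"] + 0
                # At the cap: threads queued on the cap wait queue, or usage
                # within 5 percentage points of the cap (constructed threshold).
                status = (nwait > 0 || use >= cap - 5) ? "AT-CAP" : "OK"
                printf "%s usage=%d/%d ncpus=%.2f above=%.1f%% nwait=%d %s\n",
                       stat[n, "zonename"], use, cap, cap / 100, share, nwait, status
            }
        }' | sort
}

# at_cap_zones: names of the zones currently flagged AT-CAP, one per line.
at_cap_zones() {
    cap_report | awk '$NF == "AT-CAP" { print $1 }'
}

# Run on the constructed sample; on a Solaris host pipe real
# "kstat -p caps:::" output into cap_report instead.
printf '%s\n' "$SAMPLE_KSTAT" | cap_report
```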

   Configuration From Unified Archives
       Unified  Archives,  created with archiveadm(8), provide a means for ar‐
       chiving Oracle Solaris instances. Each Unified Archive may contain data
       and  metadata  corresponding  to  one  or more global and/or non-global
       zones. By default, archiveadm(8) generates an archive that is  suitable
       for system or zone cloning. Optionally, archiveadm(8) may create an ar‐
       chive that is suitable for system recovery.


       If the zonecfg create -a archive [options] subcommand is used to
       configure a zone from a Unified Archive, archive creation options can
       affect the degree to which the archived configuration is preserved:
       when configuring from a clone archive, property values that are likely
       to cause problems if they are the same on multiple hosts take on a
       default value. These properties are:

       -           host id


       anet        allowed-address


       anet        mac-address


       anet:mac    mac-address


       net         allowed-address




       Additionally,  if the archived zone name and the name of the zone being
       installed do not match, some properties will be  automatically  updated
       to reflect the new zone name:

       zonepath         If  the  last  element  of  the  zonepath  matches the
                        archived zone name, the last element in  the  zonepath
                        is replaced with the new zone name.


       dataset/alias    For  dataset  resources,  if  the  alias  matches  the
                        archived zone name, the alias is replaced with the new
                        zone name.


       dataset/name     For dataset resources, if the last element of the name
                        property matches the archived zone name, the last ele‐
                        ment  in  the  name  property is replaced with the new
                        zone name.




       Configuration from a Unified Archive does not prevent the use of subse‐
       quent commands to modify resources and property values as required.

OPTIONS
       The following options are supported:

       -f command_file

           Specify the name of a zonecfg command file. command_file is a text
           file of zonecfg subcommands, one per line, as obtained from the
           output of the export subcommand.
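       As an added example that is not part of this man page, the following
       POSIX shell/awk audit reads a command file of the form -f consumes
       (and export produces) and flags the settings described under the admin
       and verified-boot resources above: admin delegations carrying config,
       liveconfig or manage auths, and a verified-boot policy other than
       enforce. The export text is constructed; its one-subcommand-per-line
       layout is assumed from the interactive sessions under EXAMPLES.

```shell
#!/bin/sh
# Added example (not from the man page): audit a zonecfg command file, the
# one-subcommand-per-line text that "zonecfg -f" reads and "export" writes,
# for security-relevant settings described in this page. Scope tracking
# mirrors zonecfg: "add <resource>" enters a resource scope, "end" leaves it.

# Constructed sample export for a kernel zone; the line layout is assumed
# from the interactive sessions under EXAMPLES.
SAMPLE_EXPORT='create -b
set brand=solaris-kz
set zonename=kz1
set autoboot=true
add anet
set linkname=net0
set lower-link=auto
end
add admin
set user=alice
set auths=login,manage
end
add admin
set user=bob
set auths=login
end
add verified-boot
set policy=warning
end
add capped-memory
set physical=4G
end'

# audit_zonecfg: read command-file lines on stdin and print one finding per
# line as "<SEVERITY> <resource> <detail>". Prints nothing when clean.
#  HIGH   admin delegation carrying config, liveconfig or manage auths
#  MEDIUM verified-boot policy other than enforce, or the resource absent on
#         a solaris-kz zone (the documented default policy is warning)
#  INFO   remaining admin delegations and any limitpriv setting
audit_zonecfg() {
    awk '
        function flag(sev, res, detail) { printf "%s %s %s\n", sev, res, detail }
        # Emit findings for the resource block that just ended.
        function close_scope(   a, k) {
            if (scope == "admin") {
                a = "," p["auths"] ","
                if (a ~ /,(config|liveconfig|manage),/)
                    flag("HIGH", "admin", "user=" p["user"] " auths=" p["auths"])
                else
                    flag("INFO", "admin", "user=" p["user"] " auths=" p["auths"])
            } else if (scope == "verified-boot") {
                seen_vb = 1
                if (p["policy"] != "enforce")
                    flag("MEDIUM", "verified-boot", "policy=" p["policy"])
            }
            for (k in p) delete p[k]
            scope = "global"
        }
        BEGIN { scope = "global" }
        $1 == "add" && NF == 2 { scope = $2; next }
        $1 == "end" { close_scope(); next }
        $1 == "set" {
            rest = $0; sub(/^[ \t]*set[ \t]+/, "", rest)
            eq = index(rest, "=")
            key = substr(rest, 1, eq - 1); val = substr(rest, eq + 1)
            if (scope == "global") g[key] = val; else p[key] = val
            next
        }
        END {
            if (scope != "global") close_scope()   # unterminated block
            if (!seen_vb && g["brand"] == "solaris-kz")
                flag("MEDIUM", "verified-boot", "resource absent, default policy is warning")
            if ("limitpriv" in g) flag("INFO", "global", "limitpriv=" g["limitpriv"])
        }'
}

# audit_high_count: number of HIGH findings for the command file on stdin.
audit_high_count() {
    audit_zonecfg | awk '/^HIGH / { n++ } END { print n + 0 }'
}

# Run on the constructed sample; on a host, feed "zonecfg -z zone export".
printf '%s\n' "$SAMPLE_EXPORT" | audit_zonecfg
```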


       -r

           Enables the live edit mode. Instructs zonecfg to edit the live con‐
           figuration of a running zone instead of a persistent  configuration
           from  a  stable storage. When used, zonecfg retrieves a snapshot of
           the current live zone configuration. The full set of  zonecfg  sub‐
           commands  is  supported  in this mode. The live configuration takes
           effect immediately after it is committed and remains  active  until
           the  next  zone reboot. The live mode is only allowed for a running
           zone and requires the  authorization  solaris.zone.liveconfig/zone‐
           name.


       -z zonename

           Specify the name of a zone. Zone names are case sensitive. Zone
           names must begin with an alphanumeric character and can contain
           alphanumeric characters, the underscore (_), the hyphen (-), and
           the dot (.). The name global and all names beginning with SYS are
           reserved and cannot be used.



TOKENS
       The following tokens are supported for use in certain properties:

       %{zonename}            Evaluates to name of the zone.


       %{id}                  Evaluates   to   id  property  of  a  particular
                              resource. This token is used within  a  resource
                              scope which supports id property.


       %{global-rootzpool}    Evaluates to global zone's rootzpool name.


       %%                     Evaluates to %.




         -----------------------------------------------------------------
         |Resource  | Property | Supported Tokens                        |
         |---------------------------------------------------------------|
         |global    | zonepath | %{zonename}                             |
         |---------------------------------------------------------------|
         |dataset   | name     | %{zonename}                             |
         |---------------------------------------------------------------|
         |device    | match    | %{zonename}, %{id}, %{global-rootzpool} |
         |          | storage  | %{zonename}, %{id}, %{global-rootzpool} |
         |---------------------------------------------------------------|
         |fs        | raw      | %{zonename}                             |
         |          | special  | %{zonename}                             |
         |---------------------------------------------------------------|
         |net       | physical | %{id}                                   |
         |---------------------------------------------------------------|
         |anet      | linkname | %{id}                                   |
         |---------------------------------------------------------------|
         |suspend   | storage  | %{zonename}, %{global-rootzpool}        |
         |          | path     | %{zonename}                             |
         |---------------------------------------------------------------|
         |rootzpool | storage  | %{zonename}, %{global-rootzpool}        |
         |---------------------------------------------------------------|
         |zpool     | storage  | %{zonename}, %{global-rootzpool}        |
         -----------------------------------------------------------------
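       As an added example that is not part of this man page, the following
       POSIX shell functions implement the token evaluation described in this
       section: a single left-to-right pass so that %% yields a literal % that
       is never re-expanded, plus a check against the table above that rejects
       a token the given resource/property does not support. The zone name,
       id and rootzpool values used at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the man page): expand zonecfg property-template
# tokens and check them against the table of supported tokens per
# resource/property.

# supported_tokens RESOURCE PROPERTY: the tokens the table above allows for
# that pair, space separated; empty when the property takes no tokens.
supported_tokens() {
    case "$1/$2" in
        global/zonepath|dataset/name|fs/raw|fs/special|suspend/path)
            echo '%{zonename}' ;;
        device/match|device/storage)
            echo '%{zonename} %{id} %{global-rootzpool}' ;;
        net/physical|anet/linkname)
            echo '%{id}' ;;
        suspend/storage|rootzpool/storage|zpool/storage)
            echo '%{zonename} %{global-rootzpool}' ;;
        *)  echo '' ;;
    esac
}

# expand_template RESOURCE PROPERTY TEMPLATE ZONENAME ID GLOBAL_ROOTZPOOL
# Prints the evaluated value. Scans left to right in one pass, so "%%"
# becomes a literal "%" and is never re-expanded. Returns 1 (with a
# diagnostic on stderr) when the template uses a token the table does not
# support for that resource/property.
expand_template() {
    printf '%s' "$3" | awk -v allowed=" $(supported_tokens "$1" "$2") " \
        -v zn="$4" -v id="$5" -v grp="$6" -v where="$1/$2" '
    {
        s = $0; out = ""
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1); s = substr(s, i)
            if (substr(s, 1, 2) == "%%") { out = out "%"; s = substr(s, 3); continue }
            close_br = index(s, "}")
            tok = (substr(s, 2, 1) == "{" && close_br > 0) ? substr(s, 1, close_br) : "%"
            if (tok == "%") { out = out "%"; s = substr(s, 2); continue }  # lone %, kept
            if (index(allowed, " " tok " ") == 0) {
                print "template for " where ": unsupported token " tok > "/dev/stderr"
                bad = 1; exit
            }
            if (tok == "%{zonename}") out = out zn
            else if (tok == "%{id}") out = out id
            else out = out grp          # %{global-rootzpool}
            s = substr(s, close_br + 1)
        }
        print out s
    }
    END { exit bad + 0 }'
}

# Constructed demonstration: the zonepath template shown in EXAMPLES.
expand_template global zonepath '/system/zones/%{zonename}' myzone 0 rpool
```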



SUBCOMMANDS
       You  can  use  the  add  and  select  subcommands  to select a specific
       resource and change the scope to that resource. The  select  subcommand
       can  only  be  applied on resources that have been already added to the
       zone configuration. Some resources, like anet, are added automatically.
       The end and cancel subcommands are used to complete the resource speci‐
       fication and revert the scope back to global. Certain subcommands, such
       as add, remove and set, have different semantics in each scope.


       zonecfg  supports  a semicolon-separated list of subcommands. For exam‐
       ple:


         # zonecfg -z myzone "add net; set physical=myvnic; end"




       Subcommands which can result in destructive actions or loss of work
       have an -F option to force the action. If input is from a terminal
       device and such a command is given without the -F option, the user is
       prompted when appropriate. Otherwise, if such a command is given
       without the -F option, the action is disallowed and a diagnostic
       message is written to standard error.


       The following subcommands are supported:

       add resource-type
       add property-name property-value (resource scope)

           In the global scope or in a resource scope, begin the specification
           for a given resource type. The scope is changed  to  that  resource
           type.

           In  the  resource  scope, add a property of the given name with the
           given value. The syntax for property values varies  with  different
           property  types. In general, it is a simple value or a list of sim‐
           ple  values  enclosed  in  square  brackets,  separated  by  commas
           ([foo,bar,baz]). See PROPERTIES.



       cancel

           Ends the resource specification and resets the scope to global.
           Abandons any partially specified resources. cancel is only
           applicable in the resource scope.


       clear property-name

           Clears the value for the property to a default value.


       commit [-n] [-q]


           Default mode

               Commits  the  current configuration from memory to stable stor‐
               age. The configuration must be committed to be used by zoneadm.
               Options -n and -q are not permitted in the default mode.


           Live mode

               Reconfigures the running zone to match the current in-memory
               live configuration and prints the performed actions. Applied
               changes take effect immediately and remain active until the
               next zone reboot. If the live configuration changes externally
               before the commit subcommand is invoked, the operation returns
               an error. In that case, reload the live configuration and
               reapply the desired changes for the commit to succeed.

               The following options are supported:

               -n    Runs  the reconfiguration in a dry run mode that does not
                     change the configuration of a running zone. The  dry  run
                     mode  acts  the  same way as the real reconfiguration but
                     leaves the running zone intact. Use the dry run to review
                     actions  that would be performed by the real reconfigura‐
                     tion.


               -q    Quiet mode. Suppresses all messages related to  the  zone
                     reconfiguration.




           Until  the  in-memory  configuration  is  committed  you can remove
           changes  with  the  reload  subcommand.  The  commit  operation  is
           attempted automatically upon completion of a zonecfg session. Since
           a configuration must be correct to  be  committed,  this  operation
           automatically does a verify.


       create [-F] [-a directory | -b  | -t template]
       create [-F] -a archive [-z archived_zone] [-x <cert|ca-cert|key>=path]
       ...

           Create an in-memory configuration for the specified zone. Use  cre‐
           ate to begin to configure a new zone. See commit for saving this to
           stable storage.

           If you are overwriting an existing configuration,  specify  the  -F
           option  to  force the action. This can be used to re-import a whole
           zone configuration  by  using  zonecfg   -f   input.cfg  with  this
           option. For zones in certain states, additional verification checks
           are done. For example, an installed zone cannot change its brand.

           create uses a default template of SYSdefault. The default  template
           can  be  changed  on a system-wide basis using the default_template
           SMF property of the svc:/system/zones:default service. An  adminis‐
           trator can override the default for this zone using -t (with a spe‐
           cific template) or -b (to use a blank template).

           Use the -a directory option to facilitate configuring a detached
           zone on a new host. The directory argument is the zonepath
           location of a detached zone that has been moved onto this new
           host. Once the detached zone is configured, it should be installed
           using the "zoneadm attach" command (see the zoneadm(8) man page).
           All validation of the new zone happens during the attach process,
           not during zone configuration.

           Use the -a archive option to facilitate configuring a zone  from  a
           Unified  Archive  created with archiveadm(8). The archive may be an
           absolute path or a file, http, or https URI. If the Unified Archive
           contains  multiple  zones, the -z archived_zone option must be used
           to specify which zone in the archive is to be used  for  configura‐
           tion.  If  archive  is accessed through an https URI, the -x option
           may be used to specify the location of a certificate,  CA  certifi‐
           cate, and/or key file. If specified, the cert, cacert, and key must
           be in PEM format. See "Configuration From Unified Archives" section
           above for more details.

           Use  the  -b  option to create a blank configuration. Without argu‐
           ments, create applies the Oracle Sun default settings.



       delete [-F]

           Delete the specified configuration from memory and stable storage.
           This action is instantaneous; no commit is necessary. A deleted
           configuration cannot be reverted.

           Specify the -F option to force the action.


       end

           End the resource specification. This subcommand is only  applicable
           in  the  resource  scope.  zonecfg  checks to make sure the current
           resource is completely specified. If so, it is added to the in-mem‐
           ory  configuration  (see  commit for saving this to stable storage)
           and the scope reverts to global or a previous  resource  scope.  If
           the  specification  is  incomplete,  it issues an appropriate error
           message.


       export [-r] [-f output-file]

           Print configuration to standard output. Includes  only  non-default
           values  explicitly  set by the user. Use the -f option to print the
           configuration to the output-file. This option produces output in  a
           form suitable for use in a command file. If the -r option is speci‐
           fied, the output can be used for re-import when  the  zone  already
           exists.


       help [subcommand]

           Print general help or help about given topic.


       info zonename | zonepath | autoboot | autoshutdown | brand | pool |
            limitpriv | global-time
       info [-a] [-i | -I] [resource-type [identifier |
            [property-name=property-value]*]]

           Display  information  about the current configuration. If resource-
           type is specified, it displays only information about resources  of
           the  relevant  type. If any identifier or property name value pairs
           are specified, displays only information  about  resources  meeting
           the  given  criteria. In the resource scope, info displays informa‐
           tion about the resource which is currently being added or modified.

           This subcommand only displays properties with  non-default  values.
           Use the -a option to print all the properties irrespective of their
           value being default or non-default. See the EXAMPLES section.

           Tokens may be displayed when a specific property or  resource  type
           is  requested  in  zonecfg  interactive mode, as property-name.tem‐
           plate: template-value. The evaluated output of this template  value
           is given by property-name: property-value. See EXAMPLES.

           The following options are supported:

           -i    Always include identifiers


           -I    Never include identifiers


           -a    Display all properties (with and without default values).




       remove [-F] resource-type [identifier | [property-name=property-value
       ... ]]

           Remove the specified resource. If you have to remove only a  single
           instance of the resource, you must specify either the identifier or
           enough property name-value pairs for the resource  to  be  uniquely
           identified. If no identifier or property name-value pairs are spec‐
           ified, all instances will be removed. If there  is  more  than  one
           instance of a resource-type, a confirmation is required, unless you
           use the -F option.


       select resource-type [identifier | [property-name=property-value ... ]]

           Select the resource of the given type which matches the  identifier
           specified or the given property-name  property-value pair criteria,
           for modification. The scope is changed to that resource  type.  You
           must  specify  enough  property-name  property-value  pairs for the
           resource to be uniquely identified.


       set property-name=property-value

           Set a given property name to the given value. Some properties  (for
           example,  zonename  and  zonepath)  are  global  while  others  are
           resource-specific. This subcommand is applicable in both the global
           and resource scopes.


       verify [-v]

           Verify the current configuration for correctness:


               o      All  resources  have  all  of  their required properties
                      specified.


               o      A zonepath is specified.

           If the -v option is specified, warnings will be issued if there  is
           a  potential  for devices specified in device resources to conflict
           with and hide ZFS volumes  created  within  aliased  datasets.  See
           dev(4FS) man page.


       reload [-F]

           Discard any uncommitted changes and reload the configuration from a
           stable storage (default mode) or retrieve an up-to-date  configura‐
           tion  of the running zone (live mode). The -F option can be used to
           force the action.


       exit [-F]

           Exit the zonecfg session. A commit is  automatically  attempted  if
           needed.  You  can also use an EOF character to exit zonecfg. The -F
           option can be used to force the action.



EXAMPLES
       Example 1 Creating the Environment for a New Zone



       In the following example, zonecfg creates the  environment  for  a  new
       zone.  /usr/local  is  loopback  mounted  from  the  global  zone  into
       /opt/local. /opt/sfw is loopback mounted from the global zone,  a  VNIC
       over nxge0 is added to the zone with three IP addresses, and a limit on
       the number of fair-share scheduler (FSS) CPU shares for a zone  is  set
       using  the  rctl  resource type. The example also shows how to select a
       given resource for modification; in this case, by  selecting  the  anet
       resource that is automatically created by zonecfg.



         example# zonecfg -z myzone
          myzone: No such zone configured
         Use 'create' to begin configuring a new zone.
         zonecfg:myzone> create
         zonecfg:myzone> info zonepath
         zonepath.template: /system/zones/%{zonename}
         zonepath: /system/zones/myzone
         zonecfg:myzone> set autoboot=true
         zonecfg:myzone> add fs
         zonecfg:myzone:fs> set dir=/opt/local
         zonecfg:myzone:fs> set special=/usr/local
         zonecfg:myzone:fs> set type=lofs
         zonecfg:myzone:fs> add options [ro,nodevices]
         zonecfg:myzone:fs> end
         zonecfg:myzone> add fs
         zonecfg:myzone:fs> set dir=/mnt
         zonecfg:myzone:fs> set special=/dev/dsk/c0t0d0s7
         zonecfg:myzone:fs> set raw=/dev/rdsk/c0t0d0s7
         zonecfg:myzone:fs> set type=ufs
         zonecfg:myzone:fs> end
         zonecfg:myzone> add fs
         zonecfg:myzone:fs> set dir=/opt/sfw
         zonecfg:myzone:fs> set special=/opt/sfw
         zonecfg:myzone:fs> set type=lofs
         zonecfg:myzone:fs> add options [ro,nodevices]
         zonecfg:myzone:fs> end
         zonecfg:myzone> select anet linkname=net0
         zonecfg:myzone:anet> set lower-link=nxge0
         zonecfg:myzone:anet> set allowed-address="192.168.0.1/24, \
           192.168.1.2/24,192.168.2.3/24"
         zonecfg:myzone:anet> end
          zonecfg:myzone> set cpu-shares=5
          zonecfg:myzone> add capped-memory
          zonecfg:myzone:capped-memory> set physical=50m
          zonecfg:myzone:capped-memory> set swap=100m
          zonecfg:myzone:capped-memory> end
         zonecfg:myzone> exit



       Example 2 Creating an Exclusive-IP Zone



       The  following  example  creates  a  zone that is assigned a VNIC named
       net0. The link over which the VNIC is created is  automatically  deter‐
       mined.  The IP addresses and routing are configured inside the new zone
       using ipadm(8).



         example# zonecfg -z excl-ip
         zonecfg:excl-ip> create
         zonecfg:excl-ip> exit



       Example 3 Creating a Shared-IP Zone



       The following example creates a zone that shares an IP stack  with  the
       global zone, and is assigned a single IP address and default router.



         example# zonecfg -z shared-ip
         zonecfg:shared-ip> create -b
         zonecfg:shared-ip> set ip-type=shared
         zonecfg:shared-ip> add net
         zonecfg:shared-ip:net> set physical=nge0
         zonecfg:shared-ip:net> set address=192.168.0.3/24
         zonecfg:shared-ip:net> set defrouter=192.168.0.1
         zonecfg:shared-ip:net> end
         zonecfg:shared-ip> exit



       Example 4 Associating a Zone with a Resource Pool



       The  following  example shows how to associate an existing zone with an
       existing resource pool:



         example# zonecfg -z myzone
         zonecfg:myzone> set pool=mypool
         zonecfg:myzone> exit





       For more information about resource pools, see pooladm(8), poolbind(8),
       and poolcfg(8) man pages.

       Example 5 Changing the Name of a Zone



       Changing  the  zonename property is permitted only for zones in config‐
       ured state. For zones in installed state, use  the  zoneadm(8)   rename
       subcommand.  The  following  example shows how to change the name of an
       existing zone:



         example# zonecfg -z myzone
         zonecfg:myzone> set zonename=myzone2
         zonecfg:myzone2> exit



       Example 6 Changing the Privilege Set of a Zone



       The following example shows how to change the set of privileges. For
       an existing zone, the new limit applies to the zone's processes the
       next time the zone is booted. In this particular case, the privilege
       set will be the standard safe set of privileges that a zone normally
       has, along with the privilege to use the profile and syscall providers
       of dtrace, with some caveats:



         example# zonecfg -z myzone
         zonecfg:myzone> set limitpriv="default,dtrace_user"
         zonecfg:myzone> exit



       Example 7 Changing the global-time Property to Set System-Wide Time



         example# zonecfg -z myzone
         zonecfg:myzone> set global-time="true"
         zonecfg:myzone> exit



       Example 8 Setting the zone.cpu-shares Property for the Global Zone



       The  following command sets the zone.cpu-shares property for the global
       zone:



         example# zonecfg -z global
         zonecfg:global> set cpu-shares=5
         zonecfg:global> exit



       Example 9 Using Pattern Matching



       The following commands illustrate zonecfg support for pattern matching.
       In the zone flexlm, enter:



         zonecfg:flexlm> add device
         zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
         zonecfg:flexlm:device> end





       In the global zone, enter:



         global# ls /dev/cua
         a     a000  a001  a002  a003  a004  a005  a006  a007  b





       In the zone flexlm, enter:



         flexlm# ls /dev/cua
         a002  a003  a004  a005



       Example 10 Setting a Cap for a Zone to Three CPUs



       The  following sequence uses the zonecfg command to set the CPU cap for
       a zone to three CPUs.



         zonecfg:myzone> add capped-cpu
         zonecfg:myzone:capped-cpu> set ncpus=3
         zonecfg:myzone:capped-cpu> end





       The preceding sequence, which uses the capped-cpu property, is  equiva‐
       lent  to  the  following  sequence, which makes use of the zone.cpu-cap
       resource control.



         zonecfg:myzone> add rctl
         zonecfg:myzone:rctl> set name=zone.cpu-cap
         zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
         zonecfg:myzone:rctl> end



       Example 11 Using kstat to Monitor CPU Caps



       The following command displays information about all CPU caps.



         # kstat -n /cpucaps/
         module: caps                            instance: 0
         name:   cpucaps_project_0               class:    project_caps
                 above_sec                       0
                 below_sec                       2157
                 crtime                          821.048183159
                 maxusage                        2
                 nwait                           0
                 snaptime                        235885.637253027
                 usage                           0
                 value                           18446743151372347932
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_project_1               class:    project_caps
                 above_sec                       0
                 below_sec                       0
                 crtime                          225339.192787265
                 maxusage                        5
                 nwait                           0
                 snaptime                        235885.637591677
                 usage                           5
                 value                           18446743151372347932
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_project_201             class:    project_caps
                 above_sec                       0
                 below_sec                       235105
                 crtime                          780.37961782
                 maxusage                        100
                 nwait                           0
                 snaptime                        235885.637789687
                 usage                           43
                 value                           100
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_project_202             class:    project_caps
                 above_sec                       0
                 below_sec                       235094
                 crtime                          791.72983782
                 maxusage                        100
                 nwait                           0
                 snaptime                        235885.637967512
                 usage                           48
                 value                           100
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_project_203             class:    project_caps
                 above_sec                       0
                 below_sec                       235034
                 crtime                          852.104401481
                 maxusage                        75
                 nwait                           0
                 snaptime                        235885.638144304
                 usage                           47
                 value                           100
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_project_86710           class:    project_caps
                 above_sec                       22
                 below_sec                       235166
                 crtime                          698.441717859
                 maxusage                        101
                 nwait                           0
                 snaptime                        235885.638319871
                 usage                           54
                 value                           100
                 zonename                        global

         module: caps                            instance: 0
         name:   cpucaps_zone_0                  class:    zone_caps
                 above_sec                       100733
                 below_sec                       134332
                 crtime                          821.048177123
                 maxusage                        207
                 nwait                           2
                 snaptime                        235885.638497731
                 usage                           199
                 value                           200
                 zonename                        global

         module: caps                            instance: 1
         name:   cpucaps_project_0               class:    project_caps
                 above_sec                       0
                 below_sec                       0
                 crtime                          225360.256448422
                 maxusage                        7
                 nwait                           0
                 snaptime                        235885.638714404
                 usage                           7
                 value                           18446743151372347932
                 zonename                        test_001

         module: caps                            instance: 1
         name:   cpucaps_zone_1                  class:    zone_caps
                 above_sec                       2
                 below_sec                       10524
                 crtime                          225360.256440278
                 maxusage                        106
                 nwait                           0
                 snaptime                        235885.638896443
                 usage                           7
                 value                           100
                 zonename                        test_001



       Example 12 Displaying CPU Caps for a Specific Zone or Project



       Using the kstat -c and -i options, you can display CPU caps for a  spe‐
       cific  zone  or  project,  as below. The first command displays every
       cap of class project_caps; the second restricts the  output  to  kstat
       instance 1, that is, the caps belonging to zone ID 1 (test_001 in the
       previous example).



         # kstat -c project_caps

         # kstat -c project_caps -i 1



       Example 13 Delegating Zone Administrative Rights



       The following example shows how to assign administrative rights for the
       current zone to a role.



         example# zonecfg -z myzone
         zonecfg:myzone> add admin
         zonecfg:myzone:admin> set user=zadmin
         zonecfg:myzone:admin> set auths=login,manage
         zonecfg:myzone:admin> end
         zonecfg:myzone> commit





       The result of executing these commands would be an updated entry in the
       RBAC user_attr(5) database, similar to the following:



         zadmin::::type=role; \
           auths=solaris.zone.login/myzone,solaris.zone.manage/myzone; \
           profiles=Zone Management



       Example 14 Creating an Exclusive-IP Zone with Non-Default Properties



       The following example creates a zone with an automatically created VNIC
       over mylink0 with the given MAC address, maximum bandwidth of 100 Mbps,
       high priority, dedicated hardware rings for RX side, no dedicated hard‐
       ware rings for the TX side (that is, software-based) and with a VLAN id
       2.


         example# zonecfg -z excl-ip
         excl-ip: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:excl-ip> create -b
         zonecfg:excl-ip> add anet
         zonecfg:excl-ip:anet> set linkname=mynic0
         zonecfg:excl-ip:anet> set lower-link=mylink0
         zonecfg:excl-ip:anet> set mac-address=8:0:20:fe:4e:b8
         zonecfg:excl-ip:anet> set maxbw=100M
         zonecfg:excl-ip:anet> set priority=high
         zonecfg:excl-ip:anet> set vlan-id=2
         zonecfg:excl-ip:anet> set rxrings=hw
         zonecfg:excl-ip:anet> set txrings=sw
         zonecfg:excl-ip:anet> end
         zonecfg:excl-ip> exit



       Example 15 Creating a Read-Only Zone



       The following example creates a new zone that has its  root  filesystem
       protected against modifications by the zone. Files in /var are writable
       by virtue of the fixed-configuration profile that is applied.



         example# zonecfg -z rozone
         rozone: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:rozone> create
         zonecfg:rozone> set brand=solaris
         zonecfg:rozone> set autoboot=true
         zonecfg:rozone> set file-mac-profile=fixed-configuration
         zonecfg:rozone> add net
         zonecfg:rozone:net> set physical=vnic0
         zonecfg:rozone:net> end
         zonecfg:rozone> exit



       Example 16 Creating an Exclusive-IP Zone with an IB Partition



       The following example creates a zone with default properties. The  zone
       will  automatically  create an IPoIB datalink when the zone boots and
       delete the datalink when the zone halts.



         example# zonecfg -z excl-ip
         excl-ip: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:excl-ip> create
         zonecfg:excl-ip> set ip-type=exclusive
         zonecfg:excl-ip> add anet
         zonecfg:excl-ip:anet> set linkname=part0
         zonecfg:excl-ip:anet> set lower-link=net4
         zonecfg:excl-ip:anet> set pkey=ffff
         zonecfg:excl-ip:anet> end
         zonecfg:excl-ip> exit



       Example 17 Creating a Zone Installed into a Dedicated Storage  Resource
       and rootzpool



       The following example creates a new zone with a rootzpool resource com‐
       prised of one storage resource containing the entire zone installation.
       The  rootzpool  will be automatically created or a pre-created ZFS pool
       will be imported during zone installation. In this  case  with  a  zone
       name being zoss, the pool's name will be zoss_rpool.



         example# zonecfg -z zoss
         zoss: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:zoss> create
         zonecfg:zoss> add rootzpool
         zonecfg:zoss:rootzpool> add storage \
           iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001
         zonecfg:zoss:rootzpool> end
         zonecfg:zoss> exit



       Example 18 Creating a Zone with a Delegated zpool Resource



       The  following  example  creates a new zone with a zpool resource dele‐
       gated to the zone comprised of two storage resources. The zpool will be
       automatically  created  or  a pre-created zpool will be imported during
       zone installation. The name will be zoss_mypool.



         example# zonecfg -z zoss
         zoss: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:zoss> create
         zonecfg:zoss> set zonepath=/zoss
         zonecfg:zoss> add zpool
         zonecfg:zoss:zpool> set name=mypool
         zonecfg:zoss:zpool> add storage dev:/dev/dsk/c0t1d0
         zonecfg:zoss:zpool> add storage dev:/dev/dsk/c1t1d0
         zonecfg:zoss:zpool> end
         zonecfg:zoss> exit



       Example 19 Creating a Zone with an npiv Resource



       The following example creates a new zone with two npiv resources  dele‐
       gated  to  the  zone.  The two npiv ports will be automatically created
       during zone installation.



         example# zonecfg -z vzone
         vzone: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:vzone> create
         zonecfg:vzone> add npiv
         zonecfg:vzone:npiv> set virtual-port-wwn=2100000000000001
         zonecfg:vzone:npiv> set over-hba=c9
         zonecfg:vzone:npiv> end
         zonecfg:vzone> add npiv
         zonecfg:vzone:npiv> end
         zonecfg:vzone> exit



       Example 20 Inspecting the Live Configuration of the Running Zone



       The following example inspects the live configuration  of  the  running
       zone.



         example# zonecfg -z myzone -r
         zonecfg:myzone> info



       Example  21  Temporarily  adding a new anet to the Running Zone Without
       Rebooting the Zone



       The following example temporarily adds a new anet to the  running  zone
       without rebooting the zone.



         example# zonecfg -z myzone -r
         zonecfg:myzone> add anet
         zonecfg:myzone:anet> set linkname=anet1
         zonecfg:myzone:anet> set lower-link=net1
         zonecfg:myzone:anet> end
         zonecfg:myzone> commit



       Example 22 Creating a Zone Configuration From a Unified Archive



       The  following  example creates a new zone configuration from a Unified
       Archive stored in /export/archives. The archive contains only one zone,
       named web with zonepath /zones/web. As is shown by the info subcommand,
       the zonepath was adjusted as described in the Configuration  From  Uni‐
       fied Archives section, above.



         example# zonecfg -z uar-zone
         uar-zone: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:uar-zone> create -a /export/archives/web.uar
         zonecfg:uar-zone> info zonepath
         zonepath: /zones/web
         zonecfg:uar-zone> set zonepath=/system/zones/uar-zone
         zonecfg:uar-zone> exit





       Equivalently, this could be done in non-interactive mode:



         example# zonecfg -z uar-zone \
           "create -a /export/archives/web.uar; set zonepath=/system/zones/uar-zone"



       Example  23  Creating  a Zone Configuration From a Unified Archive on a
       Secure Web Server



       This example shows a non-interactive command  that  configures  a  zone
       from  an archive on a secure web server. The -z option is used to spec‐
       ify that a specific archived zone is to be used  as  the  configuration
       source. The certificate, CA certificate, and key were first transferred
       to this machine.



         example# zonecfg -z uar-zone create \
           -a https://install.example.com/archives/combo.uar \
           -z database \
           -x cert=/root/install.pem \
           -x cacert=/root/example.com.pem  \
           -x key=/root/sslkey.pem \
           "set zonepath=/system/zones/uar-zone"



       Example 24 Creating a Zone Configuration for p2v of a Global Zone



       This example shows the creation of a zone configuration from a  Unified
       Archive using an archived global zone as the source. Note that the zone
       configuration found in the archive was generated with zonep2vchk(8) and
       as  such  may  include  notes  for further customization that is recom‐
       mended.



         example# zonecfg -z uar-gz
         uar-gz: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:uar-gz> create -a /export/p2v.uar -z global
         zonecfg:uar-gz> info attr
         attr:
              name: zonep2vchk-info
              type: string
              value: "p2v of host m4k"
         attr:
              name: zonep2vchk-net-blue0
              type: string
              value: "original system had NIC blue0 with MAC
                     address 0:8:20:9e:eb:8c and IP address
                     10.147.23.12: consider anet
                     (linkname=blue0
                     mac-address=0:8:20:9e:eb:8c
                     allowed-address=10.147.23.12)"
         attr:
              name: zonep2vchk-num-cpus
              type: string
              value: "original system had 4 CPUs: consider
                     capped-cpu (ncpus=4.0) or dedicated-cpu
                     (ncpus=4)"
         attr:
              name: zonep2vchk-physmem
              type: string
              value: "original system had 32 GB: consider
                     capped-memory (physical=32G)"
         attr:
              name: zonep2vchk-swap
              type: string
              value: "original system had 48 GB: consider
                     capped-memory (swap=48G)"
         zonecfg:uar-gz> select anet linkname=blue0
         zonecfg:uar-gz:anet> set allowed-address=10.147.23.12
         zonecfg:uar-gz:anet> set configure-allowed-address=true
         zonecfg:uar-gz:anet> end
         zonecfg:uar-gz> add capped-memory
         zonecfg:uar-gz:capped-memory> set swap=48G
         zonecfg:uar-gz:capped-memory> end
         zonecfg:uar-gz> exit



       Example 25 Creating a Zone That has an anet Resource That  Connects  to
       an Elastic Virtual Switch.



       The following example creates a zone that has a VNIC anet resource that
       connects to an EVS evsa and VPort vport0 for tenant tenantA.



         example# zonecfg -z evszone
         evszone: No such zone configured
         Use 'create' to begin configuring a new zone
         zonecfg:evszone> create
         zonecfg:evszone> set tenant=tenantA
         zonecfg:evszone> add anet
         zonecfg:evszone:anet> set evs=EVSA
         zonecfg:evszone:anet> set vport=vport0
         zonecfg:evszone:anet> end
         zonecfg:evszone> exit

         example# zoneadm -z evszone install
         example# zoneadm -z evszone boot
         example# dladm show-vnic -c
         LINK           TENANT   EVS   VPORT   OVER  MACADDRESS        VIDS
         evszone/net0   tenantA  EVSA  vport0  net2  2:8:20:1a:c1:e4   0





       When the zone boots, evszone/net0 VNIC anet will have the MAC  address,
       IP address, and the SLA properties of the vport EVSA/vport0.

       Example 26 Changing Verified Boot Settings



         # zonecfg -z vbzone1
         zonecfg:vbzone1> add verified-boot
         zonecfg:vbzone1:verified-boot> set policy=enforce
         zonecfg:vbzone1:verified-boot> add cert \
           file:///etc/certs/elfsign/mycert.pem
         zonecfg:vbzone1:verified-boot> add cert \
           http://keyserv.hang10software.com/keydist/hang10se.pem
         zonecfg:vbzone1:verified-boot> end



       Example  27  Copying  a  Zone  Configuration to Another System for Zone
       Migration



       When manually migrating a zone from one global zone to  another  global
       zone, the zone configuration needs to migrate first. The export subcom‐
       mand exports all zone configuration such that it can be used  with  the
       zonecfg  -f option on the new global zone with exact preservation. If a
       procedure like the one shown in this example is not used, kernel  zones
       will  not  be able to access any suspend file or properly attach to the
       new global zone.



         global-1# zonecfg -z myzone export -f /net/scratch/export/myzone.cfg

         global-2# zonecfg -z myzone -f /net/scratch/export/myzone.cfg



       Example 28 Using the anet iov property for a kernel zone



       In this example, iov-kz is a kernel zone with a single anet.



         global# zonecfg -z iov-kz
         zonecfg:iov-kz> select anet id=0
         zonecfg:iov-kz:anet> set iov=auto
         zonecfg:iov-kz:anet> end
         zonecfg:iov-kz> exit





       If lower-link is not auto, ensure that iov is turned on for that lower-
       link  before  booting the kernel zone. If lower-link is auto, ensure
       that the global zone has at least one link with iov turned on.



       If iov is not on, it can be turned on by:



         # dladm set-linkprop -p iov=on net1





       If a VF is available, after booting the kernel zone, a VF should appear
       as a physical NIC device within the kernel zone:



         iov-kz# dladm show-phys





         LINK      MEDIA        STATE      SPEED    DUPLEX    DEVICE
         net0      Ethernet     up         10000    full      ixgbevf0



       Example 29 Using an NFS SURI for a Device Property in a Kernel Zone



         # zonecfg -z nfs-kz
         zonecfg:nfs-kz> add device
         zonecfg:nfs-kz:device> set \
           storage=nfs://user1:staff@testsys1/export/test/nfs-kz-dev1
         zonecfg:nfs-kz:device> set create-size=8g
         zonecfg:nfs-kz:device> end
         zonecfg:nfs-kz> exit



       Example 30 Creating a Zone with an anet Resource that has Multiple VLAN
       IDs Specified



         # zonecfg -z vlan-kz
         zonecfg:vlan-kz> create -t SYSsolaris-kz
         zonecfg:vlan-kz> select anet id=0
         zonecfg:vlan-kz:anet> set mac-address=0:1:2:3:4:5
         zonecfg:vlan-kz:anet> set vlan-id=11
         zonecfg:vlan-kz:anet> add vlan
         zonecfg:vlan-kz:anet:vlan> set vlan-id=45
         zonecfg:vlan-kz:anet:vlan> end
         zonecfg:vlan-kz:anet> add vlan
         zonecfg:vlan-kz:anet:vlan> set vlan-id=46
         zonecfg:vlan-kz:anet:vlan> end
         zonecfg:vlan-kz:anet> info vlan
              vlan 0:
                   vlan-id: 45
              vlan 1:
                   vlan-id: 46
         zonecfg:vlan-kz:anet> end
         zonecfg:vlan-kz> commit
         zonecfg:vlan-kz> exit





       This  implies  that the virtual-switch on the host is now configured to
       handle frames with the following <mac-address, vlan-id> tuples:



         -- <0:1:2:3:4:5, 11>
         -- <0:1:2:3:4:5, 45>
         -- <0:1:2:3:4:5, 46>





       Frames arriving with the <0:1:2:3:4:5, 11> tuple have their VID stripped
       before  they  are  passed  to the solaris-kz guest, so the guest never
       sees packets tagged with VID 11. Frames with the  <0:1:2:3:4:5,  45>
       and <0:1:2:3:4:5, 46> tuples are passed to the solaris-kz guest as is,
       tags included.



       Inside  vlan-kz, if there is a VLAN datalink vlan45 with VID of 45, the
       virtual switch in the guest will strip VID 45 from the frame  and  pass
       the  frame  to  vlan45. All the frames originating from vlan45 datalink
       inside the guest will be tagged by the virtual-switch in the guest  and
       passed  onto  the  anet in the host. The host anet will pass the frames
       directly to the NIC to be sent out.

       Example 31 Setting boot-priority and SMF Dependencies of a Zone



       Set the high boot priority for the zone and its SMF instance  dependen‐
       cies, requiring



         svc:/application/frobnicate:default





       and any of



         svc:/system/zones/zone:appfirewall
         svc:/3rdparty/my-firewall:default





       and excluding the zone



         svc:/system/zones/zone:dataload





         example# zonecfg -z foo
         zonecfg:foo> set boot-priority=high
         zonecfg:foo> add smf-dependency
         zonecfg:foo:smf-dependency> set fmri=svc:/application/frobnicate:default
         zonecfg:foo:smf-dependency> end
         zonecfg:foo> add smf-dependency
         zonecfg:foo:smf-dependency> set name=firewall
         zonecfg:foo:smf-dependency> set fmri=svc:/system/zones/zone:appfirewall
         zonecfg:foo:smf-dependency> set grouping=require_any
         zonecfg:foo:smf-dependency> end
         zonecfg:foo> add smf-dependency
         zonecfg:foo:smf-dependency> set name=firewall
         zonecfg:foo:smf-dependency> set fmri=svc:/3rdparty/my-firewall:default
         zonecfg:foo:smf-dependency> end
         zonecfg:foo> add smf-dependency
         zonecfg:foo:smf-dependency> set fmri=svc:/system/zones/zone:dataload
         zonecfg:foo:smf-dependency> set grouping=exclude_all
         zonecfg:foo:smf-dependency> end
         zonecfg:foo> exit



       Example  32  Setting up solaris-kz Brand Zone for Dynamic Configuration
       of MAC Addresses and VLAN IDs



         # zonecfg -z dyn-vlan-kz
         zonecfg:dyn-vlan-kz> create -t SYSsolaris-kz
         zonecfg:dyn-vlan-kz> select anet id=0
         zonecfg:dyn-vlan-kz:anet> set mac-address=0:1:2:3:4:5
         zonecfg:dyn-vlan-kz:anet> add mac
         zonecfg:dyn-vlan-kz:anet:mac> add allowed-mac-address fa:16:3f
         zonecfg:dyn-vlan-kz:anet:mac> add allowed-mac-address fa:80:20:21:22
         zonecfg:dyn-vlan-kz:anet:mac> end
         zonecfg:dyn-vlan-kz:anet> info mac
              mac 0:
                   mac-address not specified
                   auto-mac-address not specified
                   mac-prefix not specified
                   allowed-mac-address: fa:16:3f
                   allowed-mac-address: fa:80:20:21:22
                   id: 0
         zonecfg:dyn-vlan-kz:anet> add vlan
         zonecfg:dyn-vlan-kz:anet:vlan> add dynamic-vlan-id 100-199
         zonecfg:dyn-vlan-kz:anet:vlan> add dynamic-vlan-id 400-498
         zonecfg:dyn-vlan-kz:anet:vlan> add dynamic-vlan-id 500
         zonecfg:dyn-vlan-kz:anet:vlan> end
         zonecfg:dyn-vlan-kz:anet> info vlan
              vlan 0:
                   vlan-id: not specified
                   dynamic-vlan-id: 100-199
                   dynamic-vlan-id: 400-498
                   dynamic-vlan-id: 500
         zonecfg:dyn-vlan-kz:anet> end
         zonecfg:dyn-vlan-kz> commit
         zonecfg:dyn-vlan-kz> exit





       Therefore, the running solaris-kz brand zone can create a VNIC with any
       MAC  address  in  fa:80:20:21:22:00  to  fa:80:20:21:22:ff  or  in
       fa:16:3f:00:00:00 to fa:16:3f:ff:ff:ff, and/or with any one of the 200
       VLAN IDs (100-199, 400-498, and 500).
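       The  following  POSIX  shell  script  is  an added example, not part of
       zonecfg(8) or of Oracle Solaris. It applies the mac and vlan policy  of
       Example  32  the way the host virtual switch does: a <mac-address,
       vlan-id> pair requested by the guest is permitted only if the MAC is an
       allowed  address or begins with an allowed prefix on an octet boundary,
       and the VLAN ID is a listed  ID  or  falls  inside  a  dynamic-vlan-id
       range.  The  policy  values  are  taken  from  Example  32;  the tested
       requests are constructed for illustration.

```sh
# Added example, not part of zonecfg(8) or of Oracle Solaris: a host-side
# check of whether a <mac-address, vlan-id> pair requested by a solaris-kz
# guest is covered by the anet's mac and vlan resources from Example 32.
# The policy values below are the ones from that example; the requested
# tuples tested at the bottom are constructed for illustration.

# allowed-mac-address entries: full six-octet MACs or octet prefixes
ALLOWED_MACS='fa:16:3f fa:80:20:21:22'
# dynamic-vlan-id entries: single IDs or inclusive lo-hi ranges
ALLOWED_VLANS='100-199 400-498 500'

# normalize_mac MAC: lower-case and zero-pad each octet so that
# 0:1:2:3:4:5 and 00:01:02:03:04:05 compare equal.
normalize_mac() {
    _rest=$1 _out=''
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _oct=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _oct=$_rest;       _rest='' ;;
        esac
        [ ${#_oct} -eq 1 ] && _oct=0$_oct
        _out=${_out:+$_out:}$_oct
    done
    printf '%s\n' "$_out" | tr 'A-F' 'a-f'
}

# mac_allowed MAC: succeed if MAC equals an allowed entry or starts with an
# allowed prefix on an octet boundary (fa:16:3f covers fa:16:3f:*:*:*).
mac_allowed() {
    _mac=$(normalize_mac "$1")
    for _p in $ALLOWED_MACS; do
        _p=$(normalize_mac "$_p")
        case $_mac in
            "$_p"|"$_p":*) return 0 ;;
        esac
    done
    return 1
}

# vlan_allowed VID: succeed if VID is a listed ID or falls inside a range.
vlan_allowed() {
    for _r in $ALLOWED_VLANS; do
        case $_r in
            *-*) _lo=${_r%-*}; _hi=${_r#*-} ;;
            *)   _lo=$_r;      _hi=$_r ;;
        esac
        [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ] && return 0
    done
    return 1
}

# count_vlan_ids: number of distinct VLAN IDs the policy permits.
count_vlan_ids() {
    _n=0
    for _r in $ALLOWED_VLANS; do
        case $_r in
            *-*) _n=$((_n + ${_r#*-} - ${_r%-*} + 1)) ;;
            *)   _n=$((_n + 1)) ;;
        esac
    done
    echo "$_n"
}

# tuple_allowed MAC VID: print the verdict the virtual switch would reach.
tuple_allowed() {
    if mac_allowed "$1" && vlan_allowed "$2"; then
        printf 'ALLOW <%s, %s>\n' "$(normalize_mac "$1")" "$2"
        return 0
    fi
    printf 'DENY  <%s, %s>\n' "$(normalize_mac "$1")" "$2"
    return 1
}

# Constructed requests: inside a prefix, on a range boundary, one octet
# off the prefix, and one VLAN ID that lies outside every range.
for _t in 'fa:16:3f:0:0:1 150' 'FA:80:20:21:22:FF 500' \
          'fa:80:20:21:23:00 150' 'fa:16:3f:0:0:1 499'; do
    set -- $_t
    tuple_allowed "$1" "$2" || :
done
echo "distinct VLAN IDs permitted: $(count_vlan_ids)"
```

       The prefix match is deliberately octet-aligned: fa:80:20:21:22  covers
       fa:80:20:21:22:00  through  fa:80:20:21:22:ff and nothing else, which
       is the range the preceding paragraph describes. count_vlan_ids  adds
       the  three  dynamic-vlan-id  entries  (100,  99 and 1 IDs) to the 200
       stated above.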

       Example 33 Using info -a to Display all Properties of a Zone



       In  the  following  example,  zonecfg creates the environment for a new
       zone. The zonepath is set to  /system/zones/%{zonename}.  This  matches
       the  default value. On using the info subcommand (without any options),
       this property gets excluded from the output along with any other  prop‐
       erty which matches its default value.



         example# zonecfg -z zone1
         zonecfg:zone1> info
         zonename: zone1
         brand: solaris
         anet 0:
         linkname: net0
         configure-allowed-address: true





       Here  the  -a  option can be used to display all the properties whether
       they match the default value or not.



         zonecfg:zone1> info -a
         zonename: zone1
         zonepath.template: /system/zones/%{zonename}
         zonepath: /system/zones/zone1
         brand: solaris
         autoboot: false
         autoshutdown: shutdown
         bootargs:
         file-mac-profile:
         pool:
         limitpriv:
         scheduling-class:
         ip-type: exclusive
         hostid:
         tenant:
         fs-allowed:
         anet 0:
         linkname: net0
         lower-link: auto
         allowed-address:
         configure-allowed-address: true
         defrouter:
         allowed-dhcp-cids:
         link-protection: mac-nospoof
         mac-address: auto
         auto-mac-address:
         mac-prefix:
         mac-slot:
         vlan-id:
         priority:
         rxrings:
         txrings:
         mtu:
         maxbw:
         bwshare:
         rxfanout:
         vsi-typeid:
         vsi-vers:
         vsi-mgrid:
         etsbw-lcl:
         cos:
         pkey:
         linkmode:
         evs:
         vport:



       Example 34 Setting up anets on solaris-kz Brand Zone  for  High  Avail‐
       ability



         # dladm set-linkprop -p iov=on net0
         # dladm set-linkprop -p iov=on net2
         # dladm create-aggr -l net0 -l net2 -m dlmp halink0

         # zonecfg -z ha-kz
         zonecfg:ha-kz> create -t SYSsolaris-kz
         zonecfg:ha-kz> add anet
         zonecfg:ha-kz:anet> set lower-link=halink0
         zonecfg:ha-kz:anet> set iov=off
         zonecfg:ha-kz:anet> set maxbw=500
         zonecfg:ha-kz:anet> set id=0
         zonecfg:ha-kz:anet> end
         zonecfg:ha-kz> add anet
         zonecfg:ha-kz:anet> set lower-link=halink0
         zonecfg:ha-kz:anet> set iov=auto
         zonecfg:ha-kz:anet> set bwshare=60
         zonecfg:ha-kz:anet> set id=1
         zonecfg:ha-kz:anet> end
         zonecfg:ha-kz> commit
         zonecfg:ha-kz> exit





       Therefore, the two anet datalinks running on solaris-kz brand zone will
       be reliably protected by DLMP aggregation against network failures.

       Example 35 Create a Configuration For Export



         # zonecfg
         Use 'create' to begin configuring a new zone.
         zonecfg> create -t SYSsolaris
         zonecfg> set autoboot=true
         zonecfg> export -r
         create -Fb
         set brand=solaris
         set autoboot=true
         add anet
         set linkname=net0
         set configure-allowed-address=true
         end



       Example 36 Re-import a Zone Configuration



         # zonecfg -z myzone info autoboot
         autoboot: false
         # zonecfg -z myzone <<EOF
         > create -Fb
         > set brand=solaris
         > add anet
         > set linkname=net0
         > end
         > set autoboot=true
         > EOF
         Zone myzone already exists; overwriting.
         # zonecfg -z myzone info autoboot
         autoboot: true



EXIT STATUS
       The following exit values are returned:

       0

           Successful completion.


       1

           An error occurred.


       2

           Invalid usage.



ATTRIBUTES
       See the attributes(7)  man  page  for  descriptions  of  the  following
       attributes:


       ATTRIBUTE TYPE            ATTRIBUTE VALUE
       Availability              system/zones
       Interface Stability       Volatile


SEE ALSO
       lgrpinfo(1),    ppriv(1),    prctl(1),    zlogin(1),     kstat(3KSTAT),
       priv_str_to_set(3C),    hsfs(4FS),   uscsi(4I),   dev(4FS),   zfs(4FS),
       user_attr(5), vfstab(5), attributes(7), brands(7), fnmatch(7), mwac(7),
       privileges(7),  rbac(7),  resource-controls(7), resource-management(7),
       solaris(7),   solaris-kz(7),   suri(7),   tpd(7),   uar(7),   zones(7),
       archiveadm(8),  dladm(8),  evsadm(8),  format(8),  ipadm(8),  kstat(8),
       mount(8), pooladm(8), poolbind(8),  poolcfg(8),  poold(8),  psrinfo(8),
       rcapd(8),   rctladm(8),   route(8),   suriadm(8),   svcadm(8),  zfs(8),
       zoneadm(8), zonep2vchk(8), zpool(8)


       Resource Management and Oracle Solaris Zones Developer's Guide

NOTES
       All character data used by zonecfg must be in US-ASCII encoding.


       Adding a device to a zone, in general, can allow the zone to  adversely
       affect  the  security  and  stability of the system, as not all devices
       have been audited for secure use inside a zone.


       Storage devices using the sd or ssd target driver (this can be  checked
       using prtconf -D /dev/dsk/c2t40d3, for example) can be safely delegated
       to a zone. This will allow a zone admin to  label  and  partition  such
       devices.


       In  order  to  allow  disk  labeling  by  means of format(8), an entire
       disk/LUN should be delegated to a zone, and the  allow-partition  prop‐
       erty set. For example:


         zonecfg:myzone> add device
         zonecfg:myzone> set match=/dev/*dsk/c2t40d3*
         zonecfg:myzone> set allow-partition=true
         zonecfg:myzone> end




       While  it  is  not  recommended, it is also possible to delegate just a
       single slice (for example,  match=/dev/dsk/c2t40d3s0)  of  a  disk.  In
       order  for  this  to  be safe, the allow-partition property must not be
       true, and the slice or partition must not overlap the  disk  header  of
       disk  labels (these are located within the first two or last two blocks
       of the partition or disk).


       Raw access to storage devices can be enabled by setting the  allow-raw-
       io  property  to  true.  This is unsafe, as it allows raw SCSI commands
       (see uscsi(4I) man page) to be performed by zone processes.
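       The delegation rules in the preceding paragraphs (allow-partition only
       on a whole disk/LUN, single-slice delegation only without allow-parti‐
       tion, allow-raw-io being unsafe) can be checked against the text  that
       the export subcommand produces (see Example 35). The script below is an
       added example and is not part of zonecfg or of this manual  page;  the
       function  name  audit_device_resources and the sample export text are
       constructed, and the slice test is a heuristic that treats a match value
       ending in sN as a single slice.

```shell
#!/bin/sh
# Added example (not part of zonecfg): audit the output of
# `zonecfg -z ZONE export` for device resources that the NOTES
# section describes as unsafe. Everything below is constructed.

# Constructed sample export text; a real run would be:
#   zonecfg -z myzone export | audit_device_resources
SAMPLE_EXPORT='create -Fb
set brand=solaris
add device
set match=/dev/*dsk/c2t40d3*
set allow-partition=true
end
add device
set match=/dev/dsk/c2t40d4s0
set allow-partition=true
end
add device
set match=/dev/dsk/c2t40d5s0
set allow-raw-io=true
end
add device
set match=/dev/dsk/c2t40d6s0
end
'

# audit_device_resources: reads zonecfg export text on stdin, prints one
# line per finding, and returns the number of UNSAFE findings (0 = clean).
# REVIEW lines are advisory and do not affect the return value.
audit_device_resources() {
    awk '
    # Emit findings for the device resource collected so far, then reset.
    function finish() {
        if (in_dev) {
            if (raw == "true") {
                print "UNSAFE  " match_ ": allow-raw-io=true lets zone processes issue raw SCSI (uscsi) commands"
                n++
            }
            if (part == "true" && match_ ~ /s[0-9]+$/) {
                print "UNSAFE  " match_ ": allow-partition=true on a single slice; only a whole disk/LUN may be partitioned"
                n++
            }
            if (part != "true" && raw != "true" && match_ ~ /s[0-9]+$/) {
                print "REVIEW  " match_ ": single-slice delegation is not recommended; verify the slice avoids the label blocks"
            }
        }
        in_dev = 0; match_ = ""; part = ""; raw = ""
    }
    # A new device resource starts; anything still open is finished first.
    $1 == "add" && $2 == "device" { finish(); in_dev = 1; next }
    # "end" closes the current resource (device or otherwise).
    $1 == "end" { finish(); next }
    # Collect the properties that matter while inside a device resource.
    in_dev && $1 == "set" {
        split($2, kv, "=")
        if (kv[1] == "match") match_ = kv[2]
        else if (kv[1] == "allow-partition") part = kv[2]
        else if (kv[1] == "allow-raw-io") raw = kv[2]
    }
    END { finish(); exit n }
    '
}

# Stand-alone usage on the constructed sample.
if printf '%s' "$SAMPLE_EXPORT" | audit_device_resources; then
    echo "no unsafe device resources"
else
    echo "unsafe device resources found: $?"
fi
```

       The whole-disk resource for c2t40d3 with allow-partition=true is  not
       flagged,  the  slice  resources  with  allow-partition=true  or allow-
       raw-io=true are reported as UNSAFE, and a bare slice delegation  only
       gets an advisory REVIEW line.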


       The allow-mhd property allows applications to use the mhd(4I) ioctls on
       the device.


       Inside  a  zone, device-in-use checking does not work, as the /devices/
       tree it relies upon is not present. A future project might address this
       limitation.


       The mount point for a lofs file system specified by an fs resource must
       not  lie  within  any  file system that is mounted by the zone. In par‐
       ticular, such mount points must not lie beneath /var and /export.


       The  special property for a ZFS file system specified by an fs resource
       cannot be a descendant of any dataset delegated to the zone,  including
       the zone's top-level delegated dataset.



Oracle Solaris 11.4               13 Aug 2021                       zonecfg(8)