Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved.
Copyright 2013 Joyent, Inc. All Rights Reserved.
Copyright 2017 Peter Tribble
Copyright 2021 OmniOS Community Edition (OmniOSce) Association.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
zonecfg -z zonename
zonecfg -z zonename subcommand
zonecfg -z zonename -f command_file
zonecfg help
To simplify the user interface, zonecfg uses the concept of a scope. The default scope is global.
The following synopsis of the zonecfg command is for interactive usage:
zonecfg -z zonename subcommand
Parameters changed through zonecfg do not affect a running zone. The zone must be rebooted for the changes to take effect.
In addition to creating and modifying a zone, the zonecfg utility can also be used to persistently specify the resource management settings for the global zone.
In the following text, "rctl" is used as an abbreviation for "resource control". See resource_controls(7).
Every zone is configured with an associated brand. The brand determines the user-level environment used within the zone, as well as various behaviors for the zone when it is installed, boots, or is shutdown. Once a zone has been installed the brand cannot be changed. The default brand is determined by the installed distribution in the global zone. Some brands do not support all of the zonecfg properties and resources. See the brand-specific man page for more details on each brand. For an overview of brands, see the brands(7) man page.
The following resource types are supported:

attr
Generic attribute.

capped-cpu
Limits for CPU usage.

capped-memory
Limits for physical, swap, and locked memory.

dataset
ZFS dataset.

dedicated-cpu
Subset of the system's processors dedicated to this zone while it is running.

device
Device.

fs
File system.

net
Network interface.

rctl
Resource control.

security-flags
Process security flag settings.

admin
Delegation of administration to specific users.
The following properties are supported:

(global)
zonename
zonepath
autoboot
bootargs
pool
limitpriv
brand
ip-type
hostid
cpu-shares
max-lwps
max-msg-ids
max-processes
max-sem-ids
max-shm-ids
max-shm-memory
scheduling-class
fs-allowed

fs
dir, special, raw, type, options

net
address, allowed-address, physical, defrouter

device
match

rctl
name, value

attr
name, type, value

dataset
name

dedicated-cpu
ncpus, importance

capped-memory
physical, swap, locked

capped-cpu
ncpus

security-flags
lower, default, upper

admin
user, auths
As for the property values which are paired with these names, they are either simple, complex, or lists. The type allowed is property-specific. Simple values are strings, optionally enclosed within quotation marks. Complex values have the syntax:
(<name>=<value>,<name>=<value>,...)
where each <value> is simple, and the <name> strings are unique within a given property. Lists have the syntax:
[<value>,...]
where each <value> is either simple or complex. A list of a single value (either simple or complex) is equivalent to specifying that value without the list syntax. That is, "foo" is equivalent to "[foo]". A list can be empty (denoted by "[]").
In interpreting property values, zonecfg accepts shell-style wildcard patterns (not regular expressions) as specified in fnmatch(7). See EXAMPLES.
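The value grammar above, as an added example in Python (not zonecfg's own lexer): parse_value turns a property-value string into a str, dict or list and enforces the rules stated here, namely unique names within a complex value, only simple values inside a complex value, "[foo]" equivalent to "foo", and "[]" as the empty list. Quoting handling is an assumption of this example: a value that contains the fnmatch(7) metacharacters [ and ] must be quoted, as Example 8 does, or the brackets read as list syntax.

```python
"""Parser for the zonecfg property-value syntax described above.

Added example in Python, not zonecfg's own lexer.  It enforces the rules
stated on this page: a simple value is a bare or quoted string, a complex
value is (name=value,...) with unique names and simple values only, and a
list is [value,...] of simple or complex values; "[foo]" equals "foo" and
"[]" is the empty list.  Quoting is an assumption: values containing the
fnmatch(7) metacharacters [ and ] must be quoted, as Example 8 does.
"""


def _split_top(text, sep=","):
    """Split text on sep at nesting depth 0, honouring (), [] and quotes."""
    parts, buf, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch in "([":
            depth += 1
            buf.append(ch)
        elif ch in ")]":
            depth -= 1
            buf.append(ch)
        elif ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def parse_value(text):
    """Return str (simple), dict (complex) or list (list) for a value."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        if not inner:
            return []                       # "[]": the empty list
        items = [parse_value(part) for part in _split_top(inner)]
        if any(isinstance(item, list) for item in items):
            raise ValueError("lists cannot contain lists: " + text)
        return items
    if text.startswith("(") and text.endswith(")"):
        result = {}
        for pair in _split_top(text[1:-1]):
            name, eq, raw = pair.partition("=")
            name = name.strip()
            if not eq or not name:
                raise ValueError("complex value needs name=value: " + pair)
            if name in result:
                raise ValueError("duplicate name in complex value: " + name)
            value = parse_value(raw)
            if not isinstance(value, str):
                raise ValueError("complex values hold only simple values")
            result[name] = value
        return result
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]                   # quoted simple value, taken as-is
    if any(ch in text for ch in "()[]"):
        raise ValueError("bare brackets read as list/complex syntax; quote the value: " + text)
    return text


def normalize(value):
    """A single-element list is the same as that element: [foo] == foo."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def parse_error(text):
    """Message parse_value raises for text, or None when it parses."""
    try:
        parse_value(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Running a command file through parse_value before handing it to zonecfg -f catches malformed rctl values and unquoted device patterns without touching the live configuration.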
The property types are described as follows:

global: zonename
The name of the zone.

global: zonepath
Path to zone's file system.

global: autoboot
Boolean indicating that a zone should be booted automatically at system boot. Note that if the zones service is disabled, the zone will not autoboot, regardless of the setting of this property. You enable the zones service with a svcadm command, such as:

# svcadm enable svc:/system/zones:default

Replace enable with disable to disable the zones service. See svcadm(8).

global: bootargs
Arguments (options) to be passed to the zone bootup, unless options are supplied to the "zoneadm boot" command, in which case those take precedence. The valid arguments are described in zoneadm(8).

global: pool
Name of the resource pool that this zone must be bound to when booted. This property is incompatible with the dedicated-cpu resource.

global: limitpriv
The maximum set of privileges any process in this zone can obtain. The property should consist of a comma-separated privilege set specification as described in priv_str_to_set(3C). Privileges can be excluded from the resulting set by preceding their names with a dash (-) or an exclamation point (!). The special privilege string "zone" is not supported in this context. If the special string "default" occurs as the first token in the property, it expands into a safe set of privileges that preserve the resource and security isolation described in zones(7). A missing or empty property is equivalent to this same set of safe privileges. The system administrator must take extreme care when configuring privileges for a zone. Some privileges cannot be excluded through this mechanism as they are required in order to boot a zone. In addition, there are certain privileges which cannot be given to a zone as doing so would allow processes inside a zone to unduly affect processes in other zones. zoneadm(8) indicates when an invalid privilege has been added or removed from a zone's privilege set when an attempt is made to either "boot" or "ready" the zone. See privileges(7) for a description of privileges. The command "ppriv -l" (see ppriv(1)) produces a list of all Solaris privileges. You can specify privileges as they are displayed by ppriv. In privileges(7), privileges are listed in the form PRIV_privilege_name. For example, the privilege sys_time, as you would specify it in this property, is listed in privileges(7) as PRIV_SYS_TIME.

global: brand
The zone's brand type.

global: ip-type
A zone can either share the IP instance with the global zone, which is the default, or have its own exclusive instance of IP. This property takes the values shared and exclusive.

global: hostid
A zone can emulate a 32-bit host identifier to ease system consolidation. A zone's hostid property is empty by default, meaning that the zone does not emulate a host identifier. Zone host identifiers must be hexadecimal values between 0 and FFFFFFFE. A 0x or 0X prefix is optional. Both uppercase and lowercase hexadecimal digits are acceptable.

fs: dir, special, raw, type, options
Values needed to determine how, where, and so forth to mount file systems. See mount(8), mount(2), fsck(8), and vfstab(5).

net: address, allowed-address, physical, defrouter
The network address and physical interface name of the network interface. The network address is one of:
a valid IPv4 address, optionally followed by "/" and a prefix length;
a valid IPv6 address, which must be followed by "/" and a prefix length;
a host name which resolves to an IPv4 address.

device: match
Device name to match.

rctl: name, value
The name and priv/limit/action triple of a resource control. See prctl(1) and rctladm(8). The preferred way to set rctl values is to use the global property name associated with a specific rctl.

attr: name, type, value
The name, type and value of a generic attribute. The type must be one of int, uint, boolean or string, and the value must be of that type. uint means unsigned, that is, a non-negative integer.

dataset: name
The name of a ZFS dataset to be accessed from within the zone. See zfs(8).
global: cpu-shares
The number of Fair Share Scheduler (FSS) shares to allocate to this zone. This property is incompatible with the dedicated-cpu resource. This property is the preferred way to set the zone.cpu-shares rctl.

global: max-lwps
The maximum number of LWPs simultaneously available to this zone. This property is the preferred way to set the zone.max-lwps rctl. If max-processes is not explicitly set then it will be set to the same value as max-lwps.

global: max-msg-ids
The maximum number of message queue IDs allowed for this zone. This property is the preferred way to set the zone.max-msg-ids rctl.

global: max-processes
The maximum number of processes simultaneously available to this zone. This property is the preferred way to set the zone.max-processes rctl. If max-lwps is not explicitly set, then setting this property will automatically set max-lwps to 10 times the value of max-processes.

global: max-sem-ids
The maximum number of semaphore IDs allowed for this zone. This property is the preferred way to set the zone.max-sem-ids rctl.

global: max-shm-ids
The maximum number of shared memory IDs allowed for this zone. This property is the preferred way to set the zone.max-shm-ids rctl.

global: max-shm-memory
The maximum amount of shared memory allowed for this zone. This property is the preferred way to set the zone.max-shm-memory rctl. A scale (K, M, G, T) can be applied to the value for this number (for example, 1M is one megabyte).

global: scheduling-class
Specifies the scheduling class used for processes running in a zone. When this property is not specified, the scheduling class is established as follows:
If the cpu-shares property or equivalent rctl is set, the scheduling class FSS is used.
If neither cpu-shares nor the equivalent rctl is set and the zone's pool property references a pool that has a default scheduling class, that class is used.
Under any other conditions, the system default scheduling class is used.

dedicated-cpu: ncpus, importance
The number of CPUs that should be assigned for this zone's exclusive use. The zone will create a pool and processor set when it boots. See pooladm(8) and poolcfg(8) for more information on resource pools. The ncpus property can specify a single value or a range (for example, 1-4) of processors. The importance property is optional; if set, it will specify the pset.importance value for use by poold(8). If this resource is used, there must be enough free processors to allocate to this zone when it boots or the zone will not boot. The processors assigned to this zone will not be available for the use of the global zone or other zones. This resource is incompatible with both the pool and cpu-shares properties. Only a single instance of this resource can be added to the zone.

capped-memory: physical, swap, locked
The caps on the memory that can be used by this zone. A scale (K, M, G, T) can be applied to the value for each of these numbers (for example, 1M is one megabyte). Each of these properties is optional but at least one property must be set when adding this resource. Only a single instance of this resource can be added to the zone. The physical property sets the max-rss for this zone. This will be enforced by rcapd(8) running in the global zone. The swap property is the preferred way to set the zone.max-swap rctl. The locked property is the preferred way to set the zone.max-locked-memory rctl.

capped-cpu: ncpus
Sets a limit on the amount of CPU time that can be used by a zone. The unit used translates to the percentage of a single CPU that can be used by all user threads in a zone, expressed as a fraction (for example, .75) or a mixed number (whole number and fraction, for example, 1.25). An ncpus value of 1 means 100% of a CPU, a value of 1.25 means 125%, .75 means 75%, and so forth. When projects within a capped zone have their own caps, the minimum value takes precedence. The capped-cpu resource is an alias for the zone.cpu-cap resource control: an ncpus value of N corresponds to a zone.cpu-cap limit of N times 100 (see Example 9). See resource_controls(7).

security-flags: lower, default, upper
Set the process security flags associated with the zone. The lower and upper fields set the limits; the default field is the set of flags all zone processes inherit.

admin: user, auths
Delegate zone administration to the named user. Valid values for auths are login, manage, and clonefrom. The login authorization enables the user to use zlogin(1) to log in to the zone, being prompted for authentication (but not to access the zone console). The manage authorization enables the user to install, update, boot or halt the zone, to log in using zlogin(1) without authentication, and to access the zone console. The clonefrom authorization allows the user to install a new zone using this zone as a clone source.

global: fs-allowed
A comma-separated list of additional filesystems that may be mounted within the zone; for example "ufs,pcfs". By default, only hsfs(4FS) and network filesystems can be mounted. If the first entry in the list is "-" then that disables all of the default filesystems. If any filesystems are listed after "-" then only those filesystems can be mounted. This property does not apply to filesystems mounted into the zone via "add fs" or "add dataset". WARNING: allowing filesystem mounts other than the default may allow the zone administrator to compromise the system with a malicious filesystem image, and is not supported.
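The two global properties that most widen what a zone administrator can do are limitpriv (described above) and fs-allowed. The following added example, in Python and not part of zonecfg, applies the rules both descriptions state so that a configuration can be audited before boot: "default" only as the first token, "-" or "!" to drop a privilege, "zone" rejected, the boot-required and never-granted checks that zoneadm would otherwise report at boot or ready time, and the "-" semantics of fs-allowed. The privilege sets and the default filesystem set are constructed stand-ins; the real ones are defined by zones(7) and enforced by zoneadm(8), and "ppriv -l" lists the real privilege names.

```python
"""Audit of limitpriv and fs-allowed, the two zonecfg global properties
that widen a zone's reach.  Added example, not zonecfg code.  The sets
below are constructed stand-ins: the real safe set, the privileges a zone
needs to boot and the privileges a zone may never hold are defined by
zones(7) and enforced by zoneadm(8); "ppriv -l" lists real names.
"""

# Constructed stand-in for the "default" safe set (assumption, not zones(7)).
SAFE_DEFAULT = frozenset({
    "proc_exec", "proc_fork", "proc_setid", "file_chown", "sys_mount",
    "net_privaddr",
})
# Assumed: cannot be removed, the zone would not boot without them.
BOOT_REQUIRED = frozenset({"proc_exec", "proc_fork", "sys_mount"})
# Assumed: may never be granted, they would let the zone affect other zones.
NEVER_GRANTED = frozenset({"sys_config", "sys_devices", "proc_zone"})
# Assumed subset of what "ppriv -l" would print on a real host.
KNOWN_PRIVS = SAFE_DEFAULT | BOOT_REQUIRED | NEVER_GRANTED | {"sys_time"}


def evaluate_limitpriv(spec):
    """Expand a limitpriv string into the privilege set a zone would get.

    A missing or empty property means the safe set; "default" is only
    meaningful as the first token; a leading "-" or "!" removes a
    privilege; "zone" is rejected; the boot/ready checks are applied here.
    """
    tokens = [t.strip() for t in spec.split(",")] if spec.strip() else []
    if not tokens:
        return SAFE_DEFAULT
    privs = set()
    for i, tok in enumerate(tokens):
        if not tok:
            raise ValueError("empty token in limitpriv")
        if tok == "default":
            if i != 0:
                raise ValueError('"default" must be the first token')
            privs |= SAFE_DEFAULT
            continue
        if tok == "zone":
            raise ValueError('"zone" is not supported in limitpriv')
        remove = tok[:1] in ("-", "!")
        name = tok[1:] if remove else tok
        if name not in KNOWN_PRIVS:
            raise ValueError("unknown privilege: " + name)
        if remove:
            privs.discard(name)
        else:
            privs.add(name)
    missing = BOOT_REQUIRED - privs
    if missing:
        raise ValueError("zone could not boot without: " + ",".join(sorted(missing)))
    forbidden = privs & NEVER_GRANTED
    if forbidden:
        raise ValueError("never granted to a zone: " + ",".join(sorted(forbidden)))
    return frozenset(privs)


def extra_privileges(spec):
    """Privileges beyond the safe set: the ones a reviewer should justify."""
    return sorted(evaluate_limitpriv(spec) - SAFE_DEFAULT)


def limitpriv_error(spec):
    """Return the rejection message for spec, or None if it is acceptable."""
    try:
        evaluate_limitpriv(spec)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed stand-in for "hsfs and network filesystems" (assumption).
DEFAULT_FS_ALLOWED = frozenset({"hsfs", "nfs"})


def allowed_filesystems(fs_allowed):
    """Filesystem types the zone administrator may mount, per fs-allowed."""
    entries = [e.strip() for e in fs_allowed.split(",") if e.strip()]
    if not entries:
        return DEFAULT_FS_ALLOWED
    if entries[0] == "-":                 # leading "-": drop the defaults
        return frozenset(entries[1:])
    return DEFAULT_FS_ALLOWED | frozenset(entries)


def mount_permitted(fs_allowed, fstype, configured_by_global_zone=False):
    """fs-allowed does not govern mounts made via "add fs" or "add dataset"."""
    if configured_by_global_zone:
        return True
    return fstype in allowed_filesystems(fs_allowed)


def risky_filesystems(fs_allowed):
    """Types beyond the default set, which the page warns are unsupported."""
    return sorted(allowed_filesystems(fs_allowed) - DEFAULT_FS_ALLOWED)
```

extra_privileges and risky_filesystems are the two lists worth diffing against a baseline when reviewing zone configurations exported with "zonecfg -z zonename export": anything they return is a deliberate widening of the isolation described in zones(7).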
The following table summarizes resources, property-names, and types:

resource        property-name      type
(global)        zonename           simple
(global)        zonepath           simple
(global)        autoboot           simple
(global)        bootargs           simple
(global)        pool               simple
(global)        limitpriv          simple
(global)        brand              simple
(global)        ip-type            simple
(global)        hostid             simple
(global)        cpu-shares         simple
(global)        max-lwps           simple
(global)        max-msg-ids        simple
(global)        max-processes      simple
(global)        max-sem-ids        simple
(global)        max-shm-ids        simple
(global)        max-shm-memory     simple
(global)        scheduling-class   simple
fs              dir                simple
                special            simple
                raw                simple
                type               simple
                options            list of simple
net             address            simple
                physical           simple
device          match              simple
rctl            name               simple
                value              list of complex
attr            name               simple
                type               simple
                value              simple
dataset         name               simple
dedicated-cpu   ncpus              simple or range
                importance         simple
capped-memory   physical           simple with scale
                swap               simple with scale
                locked             simple with scale
capped-cpu      ncpus              simple
security-flags  lower              simple
                default            simple
                upper              simple
admin           user               simple
                auths              simple
The complex property "value" of the "rctl" resource type consists of three name/value pairs, the names being "priv", "limit" and "action", each of which takes a simple value. The "name" property of an "attr" resource is syntactically restricted in a fashion similar but not identical to zone names: it must begin with an alphanumeric, and can contain alphanumerics plus the hyphen (-), underscore (_), and dot (.) characters. Attribute names beginning with "zone" are reserved for use by the system. Finally, the "autoboot" global property must have a value of "true" or "false".
CPU caps can be monitored with kstat(8). The following command displays all CPU cap statistics:

# kstat caps::'/cpucaps/'

A kstat(8) command running in a zone displays only CPU caps relevant for that zone and for projects in that zone. See EXAMPLES.

The following are cap-related arguments for use with kstat(8):

caps
The kstat module.

project_caps or zone_caps
kstat class, for use with the kstat -c option.

cpucaps_project_id or cpucaps_zone_id
kstat name, for use with the kstat -n option. id is the project or zone identifier.

The following fields are displayed in response to a kstat(8) command requesting statistics for all CPU caps.

module
In this usage of kstat, this field will have the value caps.

name
As described above, cpucaps_project_id or cpucaps_zone_id.

above_sec
Total time, in seconds, spent above the cap.

below_sec
Total time, in seconds, spent below the cap.

maxusage
Maximum observed CPU usage.

nwait
Number of threads on cap wait queue.

usage
Current aggregated CPU usage for all threads belonging to a capped project or zone, in terms of a percentage of a single CPU.

value
The cap value, in terms of a percentage of a single CPU.

zonename
Name of the zone for which statistics are displayed.

See EXAMPLES for sample output from a kstat command.
The following options are supported:

-f command_file
Specify the name of zonecfg command file. command_file is a text file of zonecfg subcommands, one per line.

-z zonename
Specify the name of a zone. Zone names are case sensitive. Zone names must begin with an alphanumeric character and can contain alphanumeric characters, the underscore (_) the hyphen (-), and the dot (.). The name global and all names beginning with SUNW are reserved and cannot be used.
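Several of the rules stated on this page (zone names, attr names, the autoboot values, the hostid range, the K/M/G/T scale, the capped-cpu to zone.cpu-cap conversion, and the max-lwps/max-processes coupling) are only enforced by zonecfg at commit, verify or boot time. The following added example in Python, not zonecfg code, encodes them so a command file can be checked beforehand. The 1024-based scale, the case-insensitive scale letter and the helper names are assumptions of this example.

```python
"""Pre-commit checks for zonecfg values, from the rules on this page.

Added example, not zonecfg code: zone names, attr names, autoboot,
hostid, memory scales, capped-cpu ncpus to zone.cpu-cap limit, and the
max-lwps/max-processes coupling.  The 1024-based scale and case-
insensitive scale letter are assumptions.
"""
import re
from decimal import Decimal, InvalidOperation

# Alphanumeric first, then alphanumerics, underscore, hyphen and dot.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def check_zonename(name):
    """Case-sensitive zone name; "global" and SUNW* are reserved."""
    if not _NAME_RE.match(name):
        raise ValueError("bad zone name: " + name)
    if name == "global" or name.startswith("SUNW"):
        raise ValueError("reserved zone name: " + name)
    return name


def check_attr_name(name):
    """Same character set as zone names; names beginning "zone" are reserved."""
    if not _NAME_RE.match(name):
        raise ValueError("bad attr name: " + name)
    if name.startswith("zone"):
        raise ValueError("attr names beginning with zone are reserved: " + name)
    return name


def check_autoboot(value):
    """autoboot accepts exactly "true" or "false"; returns the boolean."""
    if value not in ("true", "false"):
        raise ValueError("autoboot must be true or false, not " + value)
    return value == "true"


def parse_hostid(text):
    """Emulated hostid: hex, optional 0x/0X, 0..FFFFFFFE; "" means none."""
    if text == "":
        return None
    digits = text[2:] if text[:2] in ("0x", "0X") else text
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", digits):
        raise ValueError("hostid must be hexadecimal: " + text)
    value = int(digits, 16)
    if value > 0xFFFFFFFE:
        raise ValueError("hostid must be at most FFFFFFFE: " + text)
    return value


_SCALE = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_scaled(text):
    """'50m', '1M', '2G' to bytes (1024-based, case-insensitive: assumption)."""
    m = re.fullmatch(r"(\d+)([KkMmGgTt]?)", text.strip())
    if not m:
        raise ValueError("bad scaled value: " + text)
    return int(m.group(1)) * _SCALE.get(m.group(2).upper(), 1)


def cpu_cap_to_rctl_limit(ncpus):
    """capped-cpu ncpus to zone.cpu-cap limit: 3 -> 300, .75 -> 75, 1.25 -> 125."""
    try:
        value = Decimal(ncpus.strip())
    except InvalidOperation:
        raise ValueError("ncpus must be a number: " + ncpus)
    limit = value * 100
    if limit <= 0 or limit != limit.to_integral_value():
        raise ValueError("ncpus must be a positive multiple of 0.01: " + ncpus)
    return int(limit)


def effective_lwp_limits(max_lwps=None, max_processes=None):
    """Apply the coupling: an unset max-processes takes the max-lwps value,
    an unset max-lwps becomes 10 times max-processes."""
    if max_lwps is None and max_processes is None:
        return (None, None)
    if max_processes is None:
        max_processes = max_lwps
    elif max_lwps is None:
        max_lwps = 10 * max_processes
    return (max_lwps, max_processes)


def validation_error(check, value):
    """Return the message check raises for value, or None if it passes."""
    try:
        check(value)
    except ValueError as exc:
        return str(exc)
    return None
```

cpu_cap_to_rctl_limit reproduces the equivalence shown in Example 9 (ncpus=3 is a zone.cpu-cap limit of 300) and uses Decimal rather than float so that .75 and 1.25 convert exactly.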
zonecfg supports a semicolon-separated list of subcommands. For example:
# zonecfg -z myzone "add net; set physical=myvnic; end"
Subcommands which can result in destructive actions or loss of work have an -F option to force the action. If input is from a terminal device and such a command is given without the -F option, the user is prompted when appropriate; otherwise, if such a command is given without the -F option, the action is disallowed, with a diagnostic message written to standard error.
The following subcommands are supported:

add resource-type (global scope)
add property-name property-value (resource scope)
In the global scope, begin the specification for a given resource type. The scope is changed to that resource type. In the resource scope, add a property of the given name with the given value. The syntax for property values varies with different property types. In general, it is a simple value or a list of simple values enclosed in square brackets, separated by commas ([foo,bar,baz]). See PROPERTIES.

cancel
End the resource specification and reset scope to global. Abandons any partially specified resources. cancel is only applicable in the resource scope.

clear property-name
Clear the value for the property.

commit
Commit the current configuration from memory to stable storage. The configuration must be committed to be used by zoneadm. Until the in-memory configuration is committed, you can remove changes with the revert subcommand. The commit operation is attempted automatically upon completion of a zonecfg session. Since a configuration must be correct to be committed, this operation automatically does a verify.

create [-F] [-a path | -b | -t template]
Create an in-memory configuration for the specified zone. Use create to begin to configure a new zone. See commit for saving this to stable storage. If you are overwriting an existing configuration, specify the -F option to force the action. Specify the -t template option to create a configuration identical to template, where template is the name of a configured zone. Use the -a path option to facilitate configuring a detached zone on a new host. The path parameter is the zonepath location of a detached zone that has been moved on to this new host. Once the detached zone is configured, it should be installed using the "zoneadm attach" command (see zoneadm(8)). All validation of the new zone happens during the attach process, not during zone configuration. Use the -b option to create a blank configuration. Without arguments, create applies the Sun default settings.

delete [-F]
Delete the specified configuration from memory and stable storage. This action is instantaneous, no commit is necessary. A deleted configuration cannot be reverted. Specify the -F option to force the action.

end
End the resource specification. This subcommand is only applicable in the resource scope. zonecfg checks to make sure the current resource is completely specified. If so, it is added to the in-memory configuration (see commit for saving this to stable storage) and the scope reverts to global. If the specification is incomplete, it issues an appropriate error message.

export [-f output-file]
Print configuration to standard output. Use the -f option to print the configuration to output-file. This option produces output in a form suitable for use in a command file.

help
Print general help or help about given topic.
info [resource-type [property-name=property-value]*]
Display information about the current configuration. If resource-type is specified, displays only information about resources of the relevant type. If any property-name value pairs are specified, displays only information about resources meeting the given criteria. In the resource scope, any arguments are ignored, and info displays information about the resource which is currently being added or modified.
remove [-F] resource-type [property-name=property-value]*
In the global scope, removes the specified resource. The [] syntax means 0 or more of whatever is inside the square braces. If you want only to remove a single instance of the resource, you must specify enough property name-value pairs for the resource to be uniquely identified. If no property name-value pairs are specified, all instances will be removed. If more than one instance would be removed, a confirmation is required, unless you use the -F option.

select resource-type {property-name=property-value}
Select the resource of the given type which matches the given property-name property-value pair criteria, for modification. This subcommand is applicable only in the global scope. The scope is changed to that resource type. The {} syntax means 1 or more of whatever is inside the curly braces. You must specify enough property-name property-value pairs for the resource to be uniquely identified.

set property-name=property-value
Set a given property name to the given value. Some properties (for example, zonename and zonepath) are global while others are resource-specific. This subcommand is applicable in both the global and resource scopes.

verify
Verify the current configuration for correctness:
All resources have all of their required properties specified.
A zonepath is specified.

revert [-F]
Revert the configuration back to the last committed state. The -F option can be used to force the action.

exit [-F]
Exit the zonecfg session. A commit is automatically attempted if needed. You can also use an EOF character to exit zonecfg. The -F option can be used to force the action.
Example 1 Creating the Environment for a New Zone

In the following example, zonecfg creates the environment for a new zone. The global zone's /opt/local directory is loopback mounted, read-only and with device files disabled, at /usr/local inside the zone; a UFS file system on /dev/dsk/c0t0d0s7 is mounted at /mnt; three logical network interfaces are added on eri0; the zone's fair-share scheduler (FSS) CPU shares are set with the cpu-shares global property; and physical and swap memory caps are set with the capped-memory resource.

example# zonecfg -z my-zone3
my-zone3: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:my-zone3> create
zonecfg:my-zone3> set zonepath=/export/home/my-zone3
zonecfg:my-zone3> set autoboot=true
zonecfg:my-zone3> add fs
zonecfg:my-zone3:fs> set dir=/usr/local
zonecfg:my-zone3:fs> set special=/opt/local
zonecfg:my-zone3:fs> set type=lofs
zonecfg:my-zone3:fs> add options [ro,nodevices]
zonecfg:my-zone3:fs> end
zonecfg:my-zone3> add fs
zonecfg:my-zone3:fs> set dir=/mnt
zonecfg:my-zone3:fs> set special=/dev/dsk/c0t0d0s7
zonecfg:my-zone3:fs> set raw=/dev/rdsk/c0t0d0s7
zonecfg:my-zone3:fs> set type=ufs
zonecfg:my-zone3:fs> end
zonecfg:my-zone3> add net
zonecfg:my-zone3:net> set address=192.168.0.1/24
zonecfg:my-zone3:net> set physical=eri0
zonecfg:my-zone3:net> end
zonecfg:my-zone3> add net
zonecfg:my-zone3:net> set address=192.168.1.2/24
zonecfg:my-zone3:net> set physical=eri0
zonecfg:my-zone3:net> end
zonecfg:my-zone3> add net
zonecfg:my-zone3:net> set address=192.168.2.3/24
zonecfg:my-zone3:net> set physical=eri0
zonecfg:my-zone3:net> end
zonecfg:my-zone3> set cpu-shares=5
zonecfg:my-zone3> add capped-memory
zonecfg:my-zone3:capped-memory> set physical=50m
zonecfg:my-zone3:capped-memory> set swap=100m
zonecfg:my-zone3:capped-memory> end
zonecfg:my-zone3> exit
Example 2 Creating a Non-Native Zone
The following example creates a new Linux zone:
example# zonecfg -z lxzone
lxzone: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:lxzone> create -t SUNWlx
zonecfg:lxzone> set zonepath=/export/zones/lxzone
zonecfg:lxzone> set autoboot=true
zonecfg:lxzone> exit
Example 3 Creating an Exclusive-IP Zone
The following example creates a zone that is granted exclusive access to bge1 and bge33000 and that is isolated at the IP layer from the other zones configured on the system.
The IP addresses and routing should be configured inside the new zone using the normal networking administration tools such as ipadm(8).
example# zonecfg -z excl
excl: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:excl> create
zonecfg:excl> set zonepath=/export/zones/excl
zonecfg:excl> set ip-type=exclusive
zonecfg:excl> add net
zonecfg:excl:net> set physical=bge1
zonecfg:excl:net> end
zonecfg:excl> add net
zonecfg:excl:net> set physical=bge33000
zonecfg:excl:net> end
zonecfg:excl> exit
Example 4 Associating a Zone with a Resource Pool
The following example shows how to associate an existing zone with an existing resource pool:
example# zonecfg -z myzone
zonecfg:myzone> set pool=mypool
zonecfg:myzone> exit
For more information about resource pools, see pooladm(8) and poolcfg(8).
Example 5 Changing the Name of a Zone
The following example shows how to change the name of an existing zone:
example# zonecfg -z myzone
zonecfg:myzone> set zonename=myzone2
zonecfg:myzone2> exit
Example 6 Changing the Privilege Set of a Zone
The following example shows how to change the set of privileges an existing zone's processes will be limited to the next time the zone is booted. In this particular case, the privilege set will be the standard safe set of privileges a zone normally has along with the privilege to change the system date and time:
example# zonecfg -z myzone
zonecfg:myzone> set limitpriv="default,sys_time"
zonecfg:myzone> exit
Example 7 Setting the zone.cpu-shares Property for the Global Zone
The following command sets the zone.cpu-shares property for the global zone:
example# zonecfg -z global
zonecfg:global> set cpu-shares=5
zonecfg:global> exit
Example 8 Using Pattern Matching
The following commands illustrate zonecfg support for pattern matching. In the zone flexlm, enter:
zonecfg:flexlm> add device
zonecfg:flexlm:device> set match="/dev/cua/a00[2-5]"
zonecfg:flexlm:device> end
In the global zone, enter:
global# ls /dev/cua
a a000 a001 a002 a003 a004 a005 a006 a007 b
In the zone flexlm, enter:
flexlm# ls /dev/cua
a002 a003 a004 a005
Example 9 Setting a Cap for a Zone to Three CPUs
The following sequence uses the zonecfg command to set the CPU cap for a zone to three CPUs.
zonecfg:myzone> add capped-cpu
zonecfg:myzone:capped-cpu> set ncpus=3
zonecfg:myzone:capped-cpu> end
The preceding sequence, which uses the capped-cpu property, is equivalent to the following sequence, which makes use of the zone.cpu-cap resource control.
zonecfg:myzone> add rctl
zonecfg:myzone:rctl> set name=zone.cpu-cap
zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=none)
zonecfg:myzone:rctl> end
Example 10 Using kstat to Monitor CPU Caps
The following command displays information about all CPU caps.
# kstat -n /cpucaps/
module: caps instance: 0
name: cpucaps_project_0 class: project_caps
above_sec 0
below_sec 2157
crtime 821.048183159
maxusage 2
nwait 0
snaptime 235885.637253027
usage 0
value 18446743151372347932
zonename global
module: caps instance: 0
name: cpucaps_project_1 class: project_caps
above_sec 0
below_sec 0
crtime 225339.192787265
maxusage 5
nwait 0
snaptime 235885.637591677
usage 5
value 18446743151372347932
zonename global
module: caps instance: 0
name: cpucaps_project_201 class: project_caps
above_sec 0
below_sec 235105
crtime 780.37961782
maxusage 100
nwait 0
snaptime 235885.637789687
usage 43
value 100
zonename global
module: caps instance: 0
name: cpucaps_project_202 class: project_caps
above_sec 0
below_sec 235094
crtime 791.72983782
maxusage 100
nwait 0
snaptime 235885.637967512
usage 48
value 100
zonename global
module: caps instance: 0
name: cpucaps_project_203 class: project_caps
above_sec 0
below_sec 235034
crtime 852.104401481
maxusage 75
nwait 0
snaptime 235885.638144304
usage 47
value 100
zonename global
module: caps instance: 0
name: cpucaps_project_86710 class: project_caps
above_sec 22
below_sec 235166
crtime 698.441717859
maxusage 101
nwait 0
snaptime 235885.638319871
usage 54
value 100
zonename global
module: caps instance: 0
name: cpucaps_zone_0 class: zone_caps
above_sec 100733
below_sec 134332
crtime 821.048177123
maxusage 207
nwait 2
snaptime 235885.638497731
usage 199
value 200
zonename global
module: caps instance: 1
name: cpucaps_project_0 class: project_caps
above_sec 0
below_sec 0
crtime 225360.256448422
maxusage 7
nwait 0
snaptime 235885.638714404
usage 7
value 18446743151372347932
zonename test_001
module: caps instance: 1
name: cpucaps_zone_1 class: zone_caps
above_sec 2
below_sec 10524
crtime 225360.256440278
maxusage 106
nwait 0
snaptime 235885.638896443
usage 7
value 100
zonename test_001
Example 11 Displaying CPU Caps for a Specific Zone or Project
Using the kstat -c and -i options, you can display CPU caps for a specific class, zone or project, as below. The first command displays the caps of all projects; the second restricts the output to kstat instance 1, which in the previous example corresponds to zone ID 1, the zone test_001.

# kstat -c project_caps
# kstat -c project_caps -i 1
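The kstat fields described above and the output of Examples 10 and 11 are what an operator has to work with when a capped zone starts starving. The following added example in Python, not part of zonecfg or kstat, parses the text layout kstat(8) prints and summarizes each capped zone or project: how much of its life it has spent above the cap (above_sec against above_sec plus below_sec), whether threads are queued on the cap (nwait), and whether current usage is within 90% of the cap. SAMPLE is three records copied from Example 10. The threshold for treating a huge value as "no cap set" is an assumption of this example; kstat does not document a sentinel, the page merely shows uncapped projects reporting 18446743151372347932.

```python
"""Parser and summary for kstat(8) CPU-cap output (module caps, classes
zone_caps and project_caps).  Added example, not zonecfg or kstat code.
SAMPLE is three records copied from Example 10 on this page; the
uncapped threshold is an assumption, kstat documents no sentinel.
"""
import re

SAMPLE = """\
module: caps                            instance: 0
name:   cpucaps_zone_0                  class:    zone_caps
        above_sec                       100733
        below_sec                       134332
        crtime                          821.048177123
        maxusage                        207
        nwait                           2
        snaptime                        235885.638497731
        usage                           199
        value                           200
        zonename                        global
module: caps                            instance: 1
name:   cpucaps_zone_1                  class:    zone_caps
        above_sec                       2
        below_sec                       10524
        crtime                          225360.256440278
        maxusage                        106
        nwait                           0
        snaptime                        235885.638896443
        usage                           7
        value                           100
        zonename                        test_001
module: caps                            instance: 0
name:   cpucaps_project_0               class:    project_caps
        above_sec                       0
        below_sec                       2157
        crtime                          821.048183159
        maxusage                        2
        nwait                           0
        snaptime                        235885.637253027
        usage                           0
        value                           18446743151372347932
        zonename                        global
"""

_MODULE_RE = re.compile(r"^module:\s*(\S+)\s+instance:\s*(\d+)$")
_NAME_RE = re.compile(r"^name:\s*(\S+)\s+class:\s*(\S+)$")
_FIELD_RE = re.compile(r"^(\w+)\s+(\S+)$")

# Assumption: no real cap exceeds 1000 CPUs; a larger "value" means no cap.
MAX_PLAUSIBLE_CAP = 100_000


def _coerce(token):
    """Integers and decimals become numbers; anything else stays a string."""
    if re.fullmatch(r"\d+", token):
        return int(token)
    if re.fullmatch(r"\d+\.\d+", token):
        return float(token)
    return token


def parse_kstat_caps(text):
    """Return one dict per kstat record: module, instance, name, class, fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MODULE_RE.match(line)
        if m:
            current = {"module": m.group(1), "instance": int(m.group(2))}
            records.append(current)
            continue
        if current is None:
            raise ValueError("field before any module header: " + line)
        m = _NAME_RE.match(line)
        if m:
            current["name"], current["class"] = m.group(1), m.group(2)
            continue
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1)] = _coerce(m.group(2))
            continue
        raise ValueError("unrecognised kstat line: " + line)
    return records


def cap_summary(records, near=0.9):
    """Capped zones/projects and how hard the cap bites.

    share_above is above_sec / (above_sec + below_sec).  A record is
    throttled when threads wait on the cap or usage is within `near` of
    it.  Uncapped records (value above MAX_PLAUSIBLE_CAP) are skipped.
    """
    out = []
    for r in records:
        if r.get("module") != "caps" or r.get("class") not in ("zone_caps", "project_caps"):
            continue
        if r["value"] > MAX_PLAUSIBLE_CAP:
            continue
        total = r["above_sec"] + r["below_sec"]
        out.append({
            "name": r["name"],
            "zonename": r["zonename"],
            "cap_pct": r["value"],
            "usage_pct": r["usage"],
            "maxusage_pct": r["maxusage"],
            "share_above": round(r["above_sec"] / total, 3) if total else 0.0,
            "nwait": r["nwait"],
            "throttled": r["nwait"] > 0 or r["usage"] >= near * r["value"],
        })
    return out
```

Feed it the output of "kstat caps::'/cpucaps/'" from the global zone and the throttled entries are the zones whose capped-cpu (or zone.cpu-cap) setting is actually limiting them rather than merely configured; in Example 10 that is the global zone's own cap, at 199 of 200 with two threads waiting.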
The following exit values are returned:

0
Successful completion.

1
An error occurred.

2
Invalid usage.
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     Volatile
System Administration Guide: Solaris Containers-Resource Management, and Solaris Zones