
Oracle Solaris 11 Zones

Part 2 New zone configuration properties.


Author: Tim Wort

Introduction
A number of new zonecfg(1M) properties are added to Oracle Solaris 11 zones. Below is a list of the
properties for both an Oracle Solaris 10 and an Oracle Solaris 11 zone. Properties added by Solaris 11
release 11/11 are in bold. Properties added by later releases of Solaris 11 are noted by release.
Oracle Solaris 10 zonecfg properties

For resource type ...    there are property types ...:

(global)                 zonename
(global)                 zonepath
(global)                 brand
(global)                 autoboot
(global)                 bootargs
(global)                 pool
(global)                 limitpriv
(global)                 scheduling-class
(global)                 ip-type
(global)                 hostid
(global)                 max-lwps
(global)                 max-shm-memory
(global)                 max-shm-ids
(global)                 max-msg-ids
(global)                 max-sem-ids
(global)                 cpu-shares
fs                       dir, special, raw, type
inherit-pkg-dir          dir
net                      address, physical, defrouter
device                   match
rctl                     name, value
attr                     name, type, value
dataset                  name
dedicated-cpu            ncpus, importance
capped-cpu               ncpus
capped-memory            physical, swap, locked

In the Oracle Solaris 10 list above the inherit-pkg-dir resource is listed, but it is not present in the
Oracle Solaris 11 list below: sparse root model zones are no longer supported. In the Oracle Solaris 11
list the file-mac-profile property, the fs-allowed property, the max-processes property, the anet
resource and the admin resource are added. In addition, new resource properties are added to the net and
device resources.
Oracle Solaris 11 zonecfg properties

For resource type ...    there are property types ...:

(global)                 zonename
(global)                 zonepath
(global)                 brand
(global)                 autoboot
(global)                 autoshutdown (Solaris 11.2)
(global)                 bootargs
(global)                 file-mac-profile
(global)                 pool
(global)                 limitpriv
(global)                 scheduling-class
(global)                 ip-type
(global)                 hostid
(global)                 fs-allowed
(global)                 max-lwps
(global)                 max-processes
(global)                 max-shm-memory
(global)                 max-shm-ids
(global)                 max-msg-ids
(global)                 max-sem-ids
(global)                 cpu-shares
(global)                 tenant (Solaris 11.2)
fs                       dir, special, raw, type, options
net                      address, allowed-address, physical, defrouter, configure-allowed-address
anet                     linkname, lower-link, allowed-address, configure-allowed-address, defrouter,
                         allowed-dhcp-cids, link-protection, mac-address, mac-prefix, mac-slot,
                         vlan-id, priority, rxrings, txrings, mtu, maxbw
                         (added by Solaris 11.1) rxfanout, vsi-typeid, vsi-vers, vsi-mgrid, etsbw-lcl,
                         cos, pkey, linkmode
                         (added by Solaris 11.2) evs, vport
device                   match, allow-partition, allow-raw-io
                         (added by Solaris 11.2) storage
rctl                     name, value
attr                     name, type, value
dataset                  name
dedicated-cpu            ncpus, importance
                         (added by Solaris 11.2) cpus, cores, sockets
capped-cpu               ncpus
capped-memory            physical, swap, locked
admin                    user, auths
rootzpool                install-size, storage            (added by Solaris 11.1)
zpool                    install-size, name, storage      (added by Solaris 11.1)

The autoshutdown Global Property (Solaris 11.2)

This property determines the action taken to shut down the non-global zone on a graceful shutdown of
the global zone. Possible values are:

shutdown   A clean zone shutdown. This is the default.
halt
suspend

The tenant Global Property (Solaris 11.2)

This property works with EVS (Elastic Virtual Switch); see evsadm(1M). It defines the name of the
tenant that owns the EVS to which a VNIC anet will be connected.

The file-mac-profile Global Property

The file-mac-profile property is used to configure an immutable zone. Immutable zones have a read-only
root file system. The kernel applies the read restriction based on the setting of this property. The
property is not set by default, which is the equivalent of a none setting. The possible settings for this
property are:

none                    The default, a standard read-write zone.

strict                  A read-only file system where packages can not be added, services are fixed,
                        log files are read-only and should be configured for remote logging, and
                        configurations such as auditing are fixed.

fixed-configuration     Same as strict with the following exceptions: log files can be written
                        locally and most of /var/* is writable; syslog and audit configurations can
                        not be changed.

flexible-configuration  Same as fixed-configuration with the following exceptions: the /etc/*
                        directory is writable, /var/* is writable, and the configuration files for
                        syslog and auditing can be changed. Functionality is similar to a sparse root
                        model zone in Oracle Solaris 10.

To examine the property further a read-only zone has been created; the configuration information for
the zone follows. The network interface is set to shared: automatic network configuration will not
work correctly in this case and will require intervention by the administrator of the zone. The better
configurations to use are shared or exclusive with a VNIC configured in the global zone and assigned
specifically to the non-global zone.
Read-only Zone configuration
# zonecfg -z readonly
readonly: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:readonly> create -t SYSdefault-shared-ip
zonecfg:readonly> set zonepath=/zones/readonly
zonecfg:readonly> set file-mac-profile=strict
zonecfg:readonly> add net
zonecfg:readonly:net> set physical=net0
zonecfg:readonly:net> set address=192.168.0.10/24
zonecfg:readonly:net> end
zonecfg:readonly> exit

The zone install is standard. The zone boots as a writable zone until the system configuration
information is added and the milestone self-assembly-complete completes; the zone then
reboots into read-only mode. The read-write or read-only mode of the zone can be examined
using the list -p option of the zoneadm command:
Zone booted, not configured
# zoneadm -z readonly list -p
3:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:W:strict

The second to last field W indicates the zone is writable; the last field shows the file-mac-profile
property setting.

Zone configured, service self-assembly-complete completed, rebooting


# zoneadm -z readonly list -p
4:readonly:down:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:-:strict

Zone rebooting
# zoneadm -z readonly list -p
5:readonly:ready:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:-:strict

Zone booted, read-only


# zoneadm -z readonly list -p
5:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:strict

The second to last field R indicates the zone is read-only.
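As an added example (not part of the original document), the following Python script parses the colon-separated records that zoneadm list -p prints, using the field layout seen above, and flags any zone whose file-mac-profile is set but which is running writable, the state a zone is in after zoneadm reboot -w or before self-assembly completes. The sample records are constructed from the document's own output at different points in time; the ozone record and its all-zero UUID are placeholders.

```python
"""Audit 'zoneadm list -p' records for immutable-zone state.

Added example, not part of the original document.
Field layout of one record, as shown in the document:
    zoneid:zonename:state:zonepath:uuid:brand:ip-type:rw:file-mac-profile
"""
from dataclasses import dataclass
from typing import List, Optional

FIELD_COUNT = 9


@dataclass
class ZoneRecord:
    zoneid: str
    zonename: str
    state: str
    zonepath: str
    uuid: str
    brand: str
    iptype: str
    rw: str          # 'W' writable, 'R' read-only, '-' when not running
    macprofile: str  # 'none', 'strict', 'fixed-configuration', 'flexible-configuration'


def parse_record(line: str) -> ZoneRecord:
    """Split one colon-separated zoneadm list -p record into its fields."""
    parts = line.strip().split(":")
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}: {line!r}")
    return ZoneRecord(*parts)


def is_immutable_profile(profile: str) -> bool:
    """Every profile except none (or unset) gives the zone a read-only root."""
    return profile not in ("", "none")


def check_zone(rec: ZoneRecord) -> Optional[str]:
    """Return a finding for an immutable zone that is not read-only, else None."""
    if not is_immutable_profile(rec.macprofile):
        return None
    if rec.state != "running":
        # The rw field reads '-' while the zone is down or ready; nothing to check yet.
        return None
    if rec.rw == "W":
        return (f"{rec.zonename}: file-mac-profile={rec.macprofile} "
                f"but zone is running writable (W)")
    if rec.rw != "R":
        return f"{rec.zonename}: unexpected rw flag {rec.rw!r}"
    return None


def audit(output: str) -> List[str]:
    """Run check_zone over every non-empty line of zoneadm list -p output."""
    findings = []
    for line in output.splitlines():
        if line.strip():
            finding = check_zone(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: the readonly records follow the document's output at
# different points in time; the ozone record and its all-zero UUID are placeholders.
SAMPLE = """\
3:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:W:strict
5:readonly:ready:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:-:strict
9:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:fixed-configuration
7:ozone:running:/zones/ozone:00000000-0000-0000-0000-000000000000:solaris:excl:W:none
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the real output with `zoneadm list -p | python3 audit.py` after replacing SAMPLE with sys.stdin.read(); a zone reported here is one whose root is currently writable despite its profile.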


Logging into the zone via the Console will show indications of the read-only state of the zone, for
example:
Nov 25 04:47:57 readonly sendmail[13800]: unable to write pid to
/var/spool/clientmqueue/sm-client.pid: Read-only file system
Nov 25 04:47:58 readonly sendmail[13782]: unable to qualify my own domain name
(readonly) -- using short name
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): db_map_open:
cannot pre-open database /etc/mail/aliases.db: Read-only file system
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): ndbm_map_open:
cannot create database /etc/mail/aliases: Read-only file system
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): Cannot create
database for alias file /etc/mail/aliases
readonly console login: tim
Password:
error processing /etc/logindevperm, see syslog for more details
Nov 25 05:07:36 readonly login: failed to chown device /dev/console: Read-only
file system
Nov 25 05:07:36 readonly login: failed to chmod device /dev/console: Read-only
file system
Oracle Corporation      SunOS 5.11      11.0    November 2011
tim@readonly:~$

Next is an examination of the zone to confirm the restrictions, first file writes and syslog:
Test file and syslog write
root@readonly:~# touch /var/tmp/testfile
touch: cannot create /var/tmp/testfile: Read-only file system
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system
root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system
root@readonly:/# logger -p auth.emerg tester
Nov 25 05:54:51 readonly last message repeated 1 time
Nov 25 05:56:04 readonly root: [ID 702911 auth.emerg] tester
Message from syslogd@readonly at Fri Nov 25 05:56:04 2011 ...
readonly last message repeated 1 time
Message from syslogd@readonly at Fri Nov 25 05:56:04 2011 ...
readonly root: [ID 702911 auth.emerg] tester
root@readonly:/# tail /var/adm/messages
Nov 25 05:43:03 readonly sendmail[17967]: [ID 702911 mail.crit] My unqualified
host name (readonly) unknown; sleeping for retry
Nov 25 05:43:03 readonly sendmail[17972]: [ID 702911 mail.crit] My unqualified
host name (readonly) unknown; sleeping for retry
Nov 25 05:44:03 readonly sendmail[17967]: [ID 702911 mail.alert] unable to qualify
my own domain name (readonly) -- using short name
Nov 25 05:44:03 readonly sendmail[17972]: [ID 702911 mail.alert] unable to qualify
my own domain name (readonly) -- using short name

The string tester would have been written to /var/adm/messages in a writable zone, but in the strict
read-only zone /var/adm/messages is not writable.
Next a service state is changed and a reboot is performed to show that the current state of the service is
persistent (fixed):
root@readonly:~# svcs ssh
STATE          STIME    FMRI
online          4:46:50 svc:/network/ssh:default
root@readonly:~# svcadm disable ssh
root@readonly:~# svcs ssh
STATE          STIME    FMRI
disabled        5:24:42 svc:/network/ssh:default
root@readonly:~# reboot
[Connection to zone 'readonly' pts/3 closed]
# zoneadm -z readonly list -p
6:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:strict
# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~# svcs ssh
STATE          STIME    FMRI
online          5:27:12 svc:/network/ssh:default

In a read-write zone a change of service state survives a reboot. In the read-only zone the repository
is updated in memory, so the service can be disabled; however, the repository's new state for that service
can not be written to persistent storage, so after the reboot the repository is as it was when it was
last written.
Packages are not available to the read-only zone. In the next test the zone is booted as a writable zone
by passing the -w option to the zoneadm command. In the writable state the pkg command is verified;
then the zone is rebooted to read-only mode and the same commands are tested.
Zone Booted Read-write
# zoneadm -z readonly reboot -w
# zoneadm -z readonly list -p
7:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:W:strict
# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~#

pkg(1M) command and network verified

root@readonly:~# getent hosts sol11-11-server
192.168.0.200   sol11-11-server.timwort.org
root@readonly:~# pkg publisher
PUBLISHER                   TYPE     STATUS   URI
solaris      (syspub)       origin   online   proxy://http://sol11-11server.timwort.org/
root@readonly:~# pkg search -r wireshark
INDEX       ACTION VALUE                                                                        PACKAGE
pkg.summary set    Libraries and Tools used by Wireshark and TShark Network protocol analyzers  pkg:/diagnostic/wireshark/wireshark-common@1.4.8-0.175.0.0.0.2.537
basename    dir    usr/lib/wireshark                                                            pkg:/diagnostic/wireshark/wireshark-common@1.4.8-0.175.0.0.0.2.537
basename    dir    usr/share/wireshark                                                          pkg:/diagnostic/wireshark/wireshark-common@1.4.8-0.175.0.0.0.2.537
basename    file   usr/sbin/wireshark                                                           pkg:/diagnostic/wireshark@1.4.8-0.175.0.0.0.2.537
pkg.fmri    set    solaris/diagnostic/wireshark                                                 pkg:/diagnostic/wireshark@1.4.8-0.175.0.0.0.2.537

Zone booted to read-only state


# zoneadm -z readonly reboot
# zoneadm -z readonly list -p
8:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:strict
# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

pkg(1M) command and network verified

root@readonly:~# getent hosts sol11-11-server
192.168.0.200   sol11-11-server.timwort.org
root@readonly:~# pkg search -r wireshark
Segmentation Fault
root@readonly:~# pkg publisher
Segmentation Fault

Next the zone will be configured as a fixed-configuration zone and verified:


Zone configured as fixed-configuration and rebooted
# zonecfg -z readonly set file-mac-profile=fixed-configuration
# zoneadm -z readonly boot
# zoneadm -z readonly list -p
9:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:fixed-configuration

Test file and syslog write


root@readonly:~# touch /var/tmp/testfile
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system
root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system
root@readonly:~# logger -p auth.emerg tester
Nov 25 06:41:48 readonly root: [ID 702911 auth.emerg] tester
Message from syslogd@readonly at Fri Nov 25 06:41:48 2011 ...
readonly root: [ID 702911 auth.emerg] tester
root@readonly:~# tail /var/adm/messages
Nov 25 05:43:03 readonly sendmail[17967]: [ID 702911 mail.crit] My unqualified
host name (readonly) unknown; sleeping for retry
Nov 25 05:43:03 readonly sendmail[17972]: [ID 702911 mail.crit] My unqualified
host name (readonly) unknown; sleeping for retry
Nov 25 05:44:03 readonly sendmail[17967]: [ID 702911 mail.alert] unable to qualify
my own domain name (readonly) -- using short name
Nov 25 05:44:03 readonly sendmail[17972]: [ID 702911 mail.alert] unable to qualify
my own domain name (readonly) -- using short name
Nov 25 06:34:54 readonly sendmail[22189]: [ID 702911 mail.crit] My unqualified
host name (readonly) unknown; sleeping for retry
Nov 25 06:35:54 readonly sendmail[22189]: [ID 702911 mail.alert] unable to qualify
my own domain name (readonly) -- using short name
Nov 25 06:41:48 readonly root: [ID 702911 auth.emerg] tester

In the fixed-configuration read-only configuration most of /var is writable and log files are
writable, as seen by the previous commands.
Next the zone is configured as a flexible-configuration read-only zone and the configuration is
verified:
Zone configured as flexible-configuration and rebooted
# zonecfg -z readonly set file-mac-profile=flexible-configuration
# zoneadm -z readonly boot
# zoneadm -z readonly list -p
1:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08ab68f4a7e7d2a:solaris:shared:R:flexible-configuration

Verify the flexible-configuration read-only zone configuration


# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~# touch /usr/tester
touch: cannot create /usr/tester: Read-only file system
root@readonly:~# touch /etc/testfile
root@readonly:~# touch /lib/testfile
touch: cannot create /lib/testfile: Read-only file system
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /root/testfile

The flexible-configuration configuration allows writes to root's home directory, /etc and /var,
but other file systems are restricted.
The restrictions applied to a read-only zone are not applied to file systems that are mounted
read-write into the zone via NFS or through the zone configuration, for example:
Read-only zone, /opt not writable
# zonecfg -z readonly set file-mac-profile=strict
# zoneadm -z readonly boot
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~# touch /opt/myfile
touch: cannot create /opt/myfile: Read-only file system
root@readonly:~# halt
[Connection to zone 'readonly' pts/2 closed]

Create a ZFS files system and add to zone configuration


# zfs create -p rpool/dstor/fs1
# zonecfg -z readonly "add fs;set type=zfs;set dir=/opt/local;set special=rpool/dstor/fs1;end;exit"
# zfs set mountpoint=legacy rpool/dstor/fs1
# zoneadm -z readonly boot

Verify write to file system


# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~# touch /opt/local/myfile
root@readonly:~#

Solaris 11.2 adds read-only global zone configurations. An immutable global zone has a read-only zone
root.
Read-Only/Immutable Global zone
# zonecfg -z global set file-mac-profile=fixed-configuration

The fs-allowed Global Property


The fs-allowed property determines the file system types that can be mounted within a non-global zone.
By default hsfs(7FS) and NFS file systems can be mounted in the zone. The property takes a
comma-separated list of file system types.
In the following example the zone is at its default configuration and the fs-allowed property is not set.
A ZFS volume is created and a UFS file system is written to it.
UFS file system in a default zone configuration
root@fszone:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                    382M  9.14G    31K  /rpool
rpool/ROOT               382M  9.14G    31K  legacy
rpool/ROOT/solaris       382M  9.14G   351M  /
rpool/ROOT/solaris/var  24.3M  9.14G  23.4M  /var
rpool/export            96.5K  9.14G    32K  /export
rpool/export/home       64.5K  9.14G    32K  /export/home
rpool/export/home/tim   32.5K  9.14G  32.5K  /export/home/tim
root@fszone:~# zfs create rpool/datastor
root@fszone:~# zfs create -V 100m rpool/datastor/vol1
root@fszone:~# pkg list *ufs*
NAME (PUBLISHER)                                  VERSION                    IFO
system/file-system/ufs                            0.5.11-0.175.0.0.0.2.1     i--
root@fszone:~# newfs /dev/zvol/rdsk/rpool/datastor/vol1
newfs: construct a new file system /dev/zvol/rdsk/rpool/datastor/vol1: (y/n)? y
Warning: 4130 sector(s) in last cylinder unallocated
/dev/zvol/rdsk/rpool/datastor/vol1:     204766 sectors in 34 cylinders of 48 tracks, 128 sectors
        100.0MB in 3 cyl groups (14 c/g, 42.00MB/g, 20160 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 86176, 172320,
root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol1 /mnt
mount: Insufficient privileges
root@fszone:~# exit
logout
[Connection to zone 'fszone' pts/2 closed]

With fs-allowed set


# zonecfg -z fszone set fs-allowed=ufs
# zoneadm -z fszone reboot
# zlogin fszone
[Connected to zone 'fszone' pts/2]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol1 /mnt
root@fszone:~# ls /mnt
lost+found

The max-processes and zone.max-lofi Global properties.


A new resource control, max-processes, is defined. The property sets the maximum number of process
table slots simultaneously available to this zone. This property is the preferred way to set the
zone.max-processes resource control.
Setting this property implicitly sets the value of the max-lwps property to 10 times the number of
process slots, unless the max-lwps property has been set explicitly.
Additionally, loopback file system (lofi) devices are now allowed within a zone; the resource control
zone.max-lofi defines the maximum number of lofi(7D) devices available to a zone.
max-processes
# zonecfg -z ozone "set max-processes=300;exit"
# zonecfg -z ozone info
...
[max-processes: 300]
...
rctl:
name: zone.max-processes
value: (priv=privileged,limit=300,action=deny)

zone.max-lofi
zonecfg:ozone> add rctl
zonecfg:ozone:rctl> set name=zone.max-lofi
zonecfg:ozone:rctl> set value=(priv=privileged,limit=10,action=deny)
zonecfg:ozone:rctl> help

zonecfg:ozone:rctl> end

Results
# prctl -i zone ozone
zone: 5: ozone
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.max-lofi
        usage               0
        privileged         10           deny
        system          18.4E     max   deny
zone.max-swap
        usage           47.4MB
        system          16.0EB    max   deny
zone.max-locked-memory
        usage              0B
        system          16.0EB    max   deny
zone.max-shm-memory
        system          16.0EB    max   deny
zone.max-shm-ids
        system          16.8M     max   deny
zone.max-sem-ids
        system          16.8M     max   deny
zone.max-msg-ids
        system          16.8M     max   deny
zone.max-processes
        usage               5
        privileged        300           deny
        system          2.15G     max   deny
zone.max-lwps
        usage              24
        privileged      3.00K           deny
        system          2.15G     max   deny
zone.cpu-cap
        usage               0
        system          4.29G     inf   deny
zone.cpu-shares
        usage               1
        privileged          1           none
        system          65.5K     max   none

The new device Resource properties


Oracle Solaris 11 adds two new resource properties to the device resource. In Oracle Solaris 10 only
the match property could be set, to some allowable device. In Oracle Solaris 11 the allow-partition
and the allow-raw-io resource properties are added to the device resource. These resource properties
are configured as either true or false, with the default setting false.
The allow-partition property allows a disk to be labeled with the format command. The allow-raw-io
property allows uscsi(7I) commands to be executed against the device. Adding devices to a
zone, or setting the allow-partition or allow-raw-io property, should be done with
caution: access to a device can allow a malicious user to panic the system or access other devices
on the bus. This resource and its resource properties should not be used without first understanding the
security implications. See uscsi(7I) and Device Use in Non-Global Zones.

The following example shows the use of the allow-partition property:


Current zone state
# zonecfg -z fszone info
zonename: fszone
zonepath: /zones/fszone
brand: solaris
autoboot: false
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed: ufs
net:
address: 192.168.0.10/24
allowed-address not specified
configure-allowed-address: true
physical: net0
defrouter not specified

Selecting a device to add to the zone


# zpool status
  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c3t0d0s0  ONLINE       0     0     0

errors: No known data errors


# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <ATA-VBOX HARDDISK-1.0 cyl 2085 alt 2 hd 255 sec 63>
/pci@0,0/pci8086,2829@d/disk@0,0
1. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
/pci@0,0/pci8086,2829@d/disk@2,0
Specify disk (enter its number): ^D

Adding the device and testing


# zonecfg -z fszone "add device;set match=/dev/*dsk/c3t2d0s*;end;exit"
# zoneadm -z fszone reboot
root@Sol-11-11-desktop:~# zlogin fszone
[Connected to zone 'fszone' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@fszone:~# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
sd2 at pciclass,0106010 slave 16
Specify disk (enter its number): 0
selecting c3t2d0
Permission denied.
root@fszone:~# exit
logout
[Connection to zone 'fszone' pts/3 closed]

Setting the allow-partition property and testing


# zonecfg -z fszone "select device match=/dev/*dsk/c3t2d0s*;set allow-partition=
true;end;exit"
# zoneadm -z fszone reboot
# zlogin fszone
[Connected to zone 'fszone' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@fszone:~# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
          sd2 at pciclass,0106010 slave 16
Specify disk (enter its number): 0
selecting c3t2d0
[disk formatted]
No Solaris fdisk partition found.

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> p

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> p
Current partition table (original):
Total disk cylinders available: 98 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       0               0         (0/0/0)          0
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)    200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)       2048
  9 unassigned    wm       0               0         (0/0/0)          0

partition> m
Select partitioning base:
        0. Current partition table (original)
        1. All Free Hog
Choose base (enter number) [0]? 1

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       0               0         (0/0/0)          0
  1       swap    wu       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)    200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6        usr    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)       2048
  9 alternates    wm       0               0         (0/0/0)          0

Do you wish to continue creating a new partition
table based on above table[yes]?
Free Hog partition[6]? 0
Enter size of partition '1' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '3' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '4' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '5' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '6' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '7' [0b, 0c, 0.00mb, 0.00gb]:

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 -  97       97.00MB    (97/0/0)    198656
  1       swap    wu       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)    200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6        usr    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)       2048
  9 alternates    wm       0               0         (0/0/0)          0

Okay to make this the current partition table[yes]?
Enter table name (remember quotes): t

Ready to label disk, continue? y

partition> p
Current partition table (t):
Total disk cylinders available: 98 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       1 -  97       97.00MB    (97/0/0)    198656
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)    200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)       2048
  9 unassigned    wm       0               0         (0/0/0)          0

partition> ^D
root@fszone:~#

The storage property is added to the device resource by Solaris 11.2. The property can be set to a
storage URI (SURI); see suri(5). When the zone boots the SURI is mapped, allow-partition is
automatically set to true, and the matching device nodes are available inside the zone. The SURI is
unmapped when the zone halts.

The anet and net Resource Properties


When a non-global zone is created the default networking is configured as an exclusive-IP type with
an anet resource. The anet resource creates a VNIC for the non-global zone. The VNIC is created
when the non-global zone is booted and destroyed when the non-global zone is shut down. An example
of the anet resource can be seen in Part 1 of this document.
The anet properties
anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:fa:fb:da
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified
        (added by Solaris 11.1)
        rxfanout not specified
        vsi-typeid not specified
        vsi-vers not specified
        vsi-mgrid not specified
        etsbw-lcl not specified
        cos not specified
        pkey not specified
        linkmode not specified
        (added by Solaris 11.2)
        evs not specified
        vport not specified

Most of the anet properties are self-explanatory and all are defined in the zonecfg(1M) man page. The
table below examines a few of the more interesting properties.

lower-link: auto          Defines the link in the global zone that will be used for the VNIC; the
                          property can be set to any existing link as described by the dladm(1M)
                          command. When set to auto the link selection order is: first a configured
                          link aggregation in the up state, next an Ethernet link in the up state
                          chosen by alphabetic sort, then the net0 link if available.

mac-address: random       Can be set to factory, random or auto. auto attempts to use a factory MAC
                          address; if no factory address is available then random is used. A random
                          address is preserved across reboots to support DHCP.

auto-mac-address:         When the anet resource is used this property is populated with the
                          assigned MAC address.

mac-prefix                Sets a prefix for the random MAC address if required.

mac-slot                  A slot location for a specific factory MAC address.

Solaris 11.1 added more anet resource properties; these properties are described in the dladm(1M) man
page. Solaris 11.2 added two more anet resource properties, which are used in the EVS
environment. See evsadm(1M).
The net resource properties include defrouter, allowed-address and configure-allowed-address.

defrouter                   The property is optional and should only be set to an address on a
                            different subnet than is configured for the global zone.

allowed-address             Used with exclusive-IP zones only. If used, this property constrains
                            the IP address(es) that can be used to configure the interface in the
                            zone. When set, the allowed-address property also sets the
                            configure-allowed-address property to true.

configure-allowed-address   When this property is set to true the address defined by the
                            allowed-address property will be configured on the interface
                            when the non-global zone boots.

The admin Resource


The admin resource allows delegation of administrative tasks for a particular zone to a non-root user or a
role. Two properties can be set: the user property, which defines a user or role, and the auths property,
which defines one or more authorizations.
The user property takes a user or role that must exist in the global zone.
The auths property can be set to a comma-separated list. The possible values are login (authenticated
login to this zone), manage (allows management of this zone using zoneadm(1M)) and copyfrom (allows
cloning of this zone).
Create a role for zone administration
# roleadd -m -d /export/home/zadmin -s /usr/bin/pfbash zadmin
80 blocks
# passwd zadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for zadmin

Add the role to the zone


# zonecfg -z ozone "add admin;set user=zadmin;set auths=login,manage;end"
Found user in files repository.

The result for the previous command


# grep zadmin /etc/user_attr
zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role
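As an added example, not part of the original document: a Python audit that reads records in the /etc/user_attr format shown above and reports, per zone, which users or roles hold the solaris.zone.login/<zone> and solaris.zone.manage/<zone> authorizations that the admin resource writes, so delegated zone access can be reviewed from the global zone. The sample records are constructed; the zone1ops role is hypothetical, and wildcard authorizations such as solaris.* are reported separately rather than expanded.

```python
"""Report which users or roles hold zone administration authorizations.

Added example, not part of the original document. Input is text in the
/etc/user_attr format shown above:
    name:qualifier:res1:res2:key=value;key=value;...
The zonecfg admin resource writes solaris.zone.login/<zone> and
solaris.zone.manage/<zone> into the auths attribute; this script maps them
back to zones.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Authorization prefixes that the admin resource's auths values map to, as
# seen in the grep output above (copyfrom is not shown there and is omitted).
ZONE_AUTHS = {"solaris.zone.login": "login", "solaris.zone.manage": "manage"}

# Wildcard authorizations that cover these rights for every zone.
WILDCARDS = ("solaris.*", "solaris.zone.*")


def parse_user_attr_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (name, attributes) for one user_attr record."""
    name, _qual, _res1, _res2, attrs = line.rstrip("\n").split(":", 4)
    kv: Dict[str, str] = {}
    for item in attrs.split(";"):
        if item:
            key, _, value = item.partition("=")
            kv[key] = value
    return name, kv


def _records(user_attr: str) -> Iterator[str]:
    """Yield non-empty, non-comment lines."""
    for line in user_attr.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line


def zone_auths(line: str) -> Set[Tuple[str, str]]:
    """Return {(zone, 'login'|'manage')} held by one record."""
    _name, kv = parse_user_attr_line(line)
    found = set()
    for auth in kv.get("auths", "").split(","):
        base, _, zone = auth.partition("/")
        if zone and base in ZONE_AUTHS:
            found.add((zone, ZONE_AUTHS[base]))
    return found


def zone_admins(user_attr: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {zone: {'login': [names], 'manage': [names]}} over all records."""
    table: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"login": [], "manage": []})
    for line in _records(user_attr):
        name, _ = parse_user_attr_line(line)
        for zone, kind in sorted(zone_auths(line)):
            table[zone][kind].append(name)
    return dict(table)


def wildcard_holders(user_attr: str) -> List[str]:
    """Names whose auths include a wildcard covering every zone."""
    names = []
    for line in _records(user_attr):
        name, kv = parse_user_attr_line(line)
        if any(a in WILDCARDS for a in kv.get("auths", "").split(",")):
            names.append(name)
    return names


# Constructed sample: the zadmin line is the one shown above; the other
# records are placeholders (zone1ops is a hypothetical role).
SAMPLE_USER_ATTR = """\
root::::type=normal;auths=solaris.*;profiles=All
zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role
tim::::type=normal;roles=zadmin
zone1ops::::type=role;auths=solaris.zone.login/zone1;profiles=All;roleauth=role
"""

if __name__ == "__main__":
    for zone, who in sorted(zone_admins(SAMPLE_USER_ATTR).items()):
        print(f"{zone}: login={who['login']} manage={who['manage']}")
    print("wildcard holders:", wildcard_holders(SAMPLE_USER_ATTR))
```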

Assign the role to a user


# usermod -R zadmin tim
Found user in files repository.
UX: usermod: tim is currently logged in, some changes may not take effect until
next login.

Examine the user and role


tim:~$ profiles
Basic Solaris User
All

tim:~$ roles
zadmin
tim:~$ su zadmin
Password:
zadmin:~$ profiles
Zone Management
All
Basic Solaris User
zadmin:~$ profiles -p "Zone Management"
Found profile in files repository.
profiles:Zone Management> info
name=Zone Management
desc=Zones Virtual Application Environment Administration
help=RtZoneMngmnt.html
cmd=/usr/sbin/zoneadm
cmd=/usr/sbin/zlogin
profiles:Zone Management> exit

Verify use of the role


zadmin:~$ zoneadm -z ozone shutdown -r
zadmin:~$ zoneadm list -cv
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   5 ozone            running     /zones/ozone                 solaris    excl
   6 zone1            running     /zones/zone1                 solaris    excl

zadmin:~$ zlogin ozone
[Connected to zone 'ozone' pts/4]
Oracle Corporation      SunOS 5.11      11.0    December 2011
root@ozone:~# pwd
/root
root@ozone:~# cd ..
root@ozone:/# ls
bin      etc      home     mnt      nfs4     proc     rpool    system   usr
dev      export   lib      net      opt      root     sbin     tmp      var
root@ozone:/# exit
logout

Verify access to the assigned zone only (zone1 has no admin resource, so zonecfg prints nothing for it)


root:~# zonecfg -z ozone info admin
admin:
        user: zadmin
        auths: login,manage
root:~# zonecfg -z zone1 info admin
zadmin:~$ zlogin zone1
zlogin: zadmin is not authorized to login to zone1 zone.
zadmin:~$ zoneadm -z zone1 shutdown -r
zoneadm: zone 'zone1': User zadmin is not authorized to shutdown this zone.
zadmin:~$
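A quick audit of what a role may do to which zone, as an added example in POSIX shell that is not part of the original article: it parses constructed user_attr(4)-style entries (modelled on the grep output above, the zclone role is invented for illustration) and reports, per role and zone, which of the login/manage/copyfrom authorizations are held. On a real host you would feed it /etc/user_attr instead of the sample text.

```shell
#!/bin/sh
# Added example, not from the original article: audit which zones a role may
# login to / manage / clone by parsing user_attr(4)-style entries.
# SAMPLE_USER_ATTR is constructed sample data modelled on the grep output in
# the text (the zclone role is invented); on a real host read /etc/user_attr.

SAMPLE_USER_ATTR='zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role
zclone::::type=role;auths=solaris.zone.copyfrom/zone1,solaris.zone.manage/zone1;profiles=Zone Management;roleauth=role
tim::::type=normal;roles=zadmin;profiles=Basic Solaris User'

# zone_auths ROLE ZONE
# Prints the space-separated zone authorizations (login, manage, copyfrom)
# that ROLE holds for ZONE, in the order they appear in the entry.
# Exit 1 if ROLE has no entry at all.
zone_auths() {
    role=$1; zone=$2
    entry=$(printf '%s\n' "$SAMPLE_USER_ATTR" | grep "^${role}:" || true)
    [ -n "$entry" ] || return 1
    # Field 5 of user_attr is the attribute list: key=value;key=value;...
    attrs=$(printf '%s\n' "$entry" | cut -d: -f5)
    auths=$(printf '%s\n' "$attrs" | tr ';' '\n' | sed -n 's/^auths=//p')
    result=""
    for a in $(printf '%s\n' "$auths" | tr ',' ' '); do
        case $a in
            solaris.zone.*/"$zone")
                op=${a#solaris.zone.}   # login/ozone
                op=${op%/*}             # login
                result="${result:+$result }$op"
                ;;
        esac
    done
    printf '%s\n' "$result"
}

# has_zone_auth ROLE ZONE OP
# Exit 0 if ROLE holds OP (login|manage|copyfrom) for ZONE, else 1.
has_zone_auth() {
    for op in $(zone_auths "$1" "$2"); do
        [ "$op" = "$3" ] && return 0
    done
    return 1
}

# Usage: zone_auths zadmin ozone   -> "login manage"
#        has_zone_auth zadmin zone1 login && echo yes || echo no   -> no
```

The check mirrors what zlogin and zoneadm enforce in the text: zadmin holds login and manage for ozone only, so any attempt against zone1 is refused.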

The zpool and rootzpool Resources (Solaris 11.1)


These resources install a zone root pool (rootzpool) and additional ZFS storage pools (zpool) on shared
storage. The zpool resource can only be added before the zone is installed. Both resources take one or
more storage properties and an optional install-size property; the zpool resource additionally has a name
property. In the global zone the root pool is created as zonename_rpool and a zpool resource as
zonename_name (poolzone_rpool and poolzone_pool1 in the example below); inside the zone they appear
as rpool and under the configured name.
The storage property identifies the shared storage resource(s) in the form of storage URIs (SURIs).

SURI Format
Local Device URI
dev:<local-path-under-/dev>
dev:///<path-with-dev>
dev:<absolute-path-with-dev>

Examples:
dev:dsk/c0t0d0s0
dev:///dev/dsk/c0t0d0s0
dev:/dev/dsk/c0t0d0s0

Logical Unit URI
lu:luname.naa.<ID>
lu:initiator.naa.<ID>,target.naa.<ID>,luname.naa.<ID>

Examples:
lu:luname.naa.5000c5000288fa25
lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.naa.5000c5000288fa25

iSCSI URI
iscsi:///luname.naa.<ID>
iscsi://<host>[:<port>]/luname.naa.<ID>

Examples:
iscsi:///luname.naa.600144f03d70c80000004ea57da10001
iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001
iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001
iscsi://127.0.0.1:3260/luname.naa.600144f03d70c80000004ea57da10001
iscsi://hostname:3260/luname.naa.600144f03d70c80000004ea57da10001
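A pre-flight check of SURI strings before they go into a zonecfg storage property, as an added example in POSIX shell that is not part of the original article and is not the system's own SURI parser: suri_kind classifies a string against the three shapes listed above, dev_path shows which /dev path each dev: form resolves to, and suri_ok additionally insists that the luname NAA identifier of lu: and iscsi: forms is hexadecimal. The hexadecimal requirement is this example's own assumption, based only on the sample identifiers shown above.

```shell
#!/bin/sh
# Added example, not from the original article: classify and sanity-check the
# SURI forms listed in the text before handing them to zonecfg. Only the
# syntactic shapes shown there are recognised; this is a pre-flight check,
# not the system's SURI parser.

# suri_kind SURI -> prints dev | lu | iscsi; exit 1 for anything else
suri_kind() {
    case $1 in
        dev:///dev/*|dev:/dev/*) echo dev ;;        # absolute path under /dev
        dev:/*) return 1 ;;                          # absolute path NOT under /dev
        dev:?*) echo dev ;;                          # path relative to /dev
        lu:luname.naa.?*) echo lu ;;
        lu:initiator.naa.?*,target.naa.?*,luname.naa.?*) echo lu ;;
        iscsi:///luname.naa.?*) echo iscsi ;;        # discovered target
        iscsi://?*/luname.naa.?*) echo iscsi ;;      # host[:port] or [IPv6]
        *) return 1 ;;
    esac
}

# dev_path SURI -> prints the /dev path a dev: SURI refers to
dev_path() {
    case $1 in
        dev:///*) printf '%s\n' "${1#dev://}" ;;
        dev:/*)   printf '%s\n' "${1#dev:}" ;;
        dev:?*)   printf '/dev/%s\n' "${1#dev:}" ;;
        *) return 1 ;;
    esac
}

# naa_hex_ok ID -> exit 0 if ID is a non-empty string of hex digits
# (assumption of this example: the page only shows hexadecimal NAA IDs)
naa_hex_ok() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ]
}

# suri_ok SURI -> exit 0 if the shape is recognised and, for lu:/iscsi:
# forms, the luname NAA identifier is hexadecimal
suri_ok() {
    kind=$(suri_kind "$1") || return 1
    case $kind in
        dev) return 0 ;;
        *)   naa_hex_ok "${1##*luname.naa.}" ;;
    esac
}

# Usage: for s in dev:dsk/c4t4d0 'lu:luname.naa.5000c5000288fa25'; do
#            suri_ok "$s" && echo "ok   $s" || echo "BAD  $s"
#        done
```

Run it over every storage value in a zonecfg export before installing; a dev: SURI pointing outside /dev or a luname with a stray character is cheaper to catch here than after -x force-zpool-create-all has written a pool label onto the wrong device.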

This example shows the creation and installation of a zone using both the zpool and rootzpool
resources.

The zone creation.


root@anarchy:~# zonecfg -z poolzone
Use 'create' to begin configuring a new zone.
zonecfg:poolzone> create
create: Using system default template 'SYSdefault'
zonecfg:poolzone> add rootzpool
zonecfg:poolzone:rootzpool> add storage dev:dsk/c4t4d0
zonecfg:poolzone:rootzpool> add storage dev:dsk/c4t5d0
zonecfg:poolzone:rootzpool> end
zonecfg:poolzone> add zpool
zonecfg:poolzone:zpool> add storage dev:dsk/c4t2d0
zonecfg:poolzone:zpool> add storage dev:dsk/c4t3d0
zonecfg:poolzone:zpool> set name=pool1
zonecfg:poolzone:zpool> end
zonecfg:poolzone> set zonepath=/zones/poolzone
zonecfg:poolzone> exit

The zone installation. The -x force-zpool-create-all option forces creation of the pools on the listed
devices even if they already carry a pool label, so it overwrites whatever is on them: use it only on
devices you intend to give to this zone.


root@anarchy:~# zoneadm -z poolzone install -x force-zpool-create-all
Created zone zpool: poolzone_rpool
Created zone zpool: poolzone_pool1
Progress being logged to /var/log/zones/zoneadm.20140614T212225Z.poolzone.install
       Image: Preparing at /zones/poolzone/root.

 AI Manifest: /tmp/manifest.xml.50ayDo
  SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
    Zonename: poolzone
Installation: Starting ...

        Creating IPS image
Startup linked: 1/1 done
        Installing packages from:
            solaris
                origin:  http://localhost:1008/solaris/01dc619d8dd30519966173a5eb2837b0d63d8630/
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            186/186   34363/34363  230.5/230.5  3.3M/s

PHASE                                          ITEMS
Installing new actions                   48378/48378
Updating package state database                 Done
Updating image state                            Done
Creating fast lookup database                   Done
Installation: Succeeded

        Note: Man pages can be obtained by installing pkg:/system/manual

 done.

        Done: Installation completed in 165.737 seconds.

  Next Steps: Boot the zone, then log into the zone console (zlogin -C)
              to complete the configuration process.

Log saved in non-global zone as /zones/poolzone/root/var/log/zones/zoneadm.20140614T212225Z.poolzone.install

root@anarchy:~# zpool status
  pool: poolzone_pool1
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        poolzone_pool1      ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            c4t2d0          ONLINE       0     0     0
            c4t3d0          ONLINE       0     0     0

errors: No known data errors

  pool: poolzone_rpool
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        poolzone_rpool      ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            c4t4d0          ONLINE       0     0     0
            c4t5d0          ONLINE       0     0     0

errors: No known data errors

  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c4t0d0    ONLINE       0     0     0

errors: No known data errors

(After zone is booted)


root@anarchy:~# zlogin poolzone zpool status
  pool: pool1
 state: ONLINE
  scan: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        pool1         ONLINE       0     0     0
          mirror-0    ONLINE       0     0     0
            c4t2d0    ONLINE       0     0     0
            c4t3d0    ONLINE       0     0     0

errors: No known data errors

  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        rpool         ONLINE       0     0     0
          mirror-0    ONLINE       0     0     0
            c4t4d0    ONLINE       0     0     0
            c4t5d0    ONLINE       0     0     0

errors: No known data errors