solaris 11 zones p2 properties

Upload: dirlat

Post on 16-Feb-2018


7/23/2019 Solaris 11 Zones P2 Properties

Oracle Solaris 11 Zones Part 2: New zone configuration properties

Author: Tim Wort

Introduction

A number of new zonecfg(1M) properties are added to Oracle Solaris 11 zones. Below is a list of the properties for both an Oracle Solaris 10 and an Oracle Solaris 11 zone. Properties added by the Solaris 11 11/11 release are in bold. Properties added by later releases of Solaris 11 are noted by release.

Oracle Solaris 10 zonecfg properties

For resource type ... there are property types ...:

    (global)         zonename
    (global)         zonepath
    (global)         brand
    (global)         autoboot
    (global)         bootargs
    (global)         pool
    (global)         limitpriv
    (global)         scheduling-class
    (global)         ip-type
    (global)         hostid
    (global)         max-lwps
    (global)         max-shm-memory
    (global)         max-shm-ids
    (global)         max-msg-ids
    (global)         max-sem-ids
    (global)         cpu-shares
    fs               dir, special, raw, type
    inherit-pkg-dir  dir
    net              address, physical, defrouter
    device           match
    rctl             name, value
    attr             name, type, value
    dataset          name
    dedicated-cpu    ncpus, importance
    capped-cpu       ncpus
    capped-memory    physical, swap, locked

In the Oracle Solaris 10 list above the inherit-pkg-dir resource is listed, but it is not present in the Oracle Solaris 11 list below: sparse root model zones are no longer supported. In the Oracle Solaris 11 list the file-mac-profile property, the fs-allowed property, the max-processes property, the anet resource and the admin resource are added. In addition, new resource properties are added to the net and device resources.

Oracle Solaris 11 zonecfg properties

For resource type ... there are property types ...:

    (global)         zonename
    (global)         zonepath
    (global)         brand
    (global)         autoboot
    (global)         autoshutdown (Solaris 11.2)
    (global)         bootargs
    (global)         file-mac-profile
    (global)         pool
    (global)         limitpriv
    (global)         scheduling-class
    (global)         ip-type
    (global)         hostid
    (global)         fs-allowed
    (global)         max-lwps
    (global)         max-processes
    (global)         max-shm-memory
    (global)         max-shm-ids
    (global)         max-msg-ids
    (global)         max-sem-ids
    (global)         cpu-shares
    (global)         tenant (Solaris 11.2)
    fs               dir, special, raw, type, options
    net              address, allowed-address, physical, defrouter, configure-allowed-address
    anet             linkname, lower-link, allowed-address, configure-allowed-address, defrouter,
                     allowed-dhcp-cids, link-protection, mac-address, mac-prefix, mac-slot, vlan-id,
                     priority, rxrings, txrings, mtu, maxbw
                     (added by Solaris 11.1) rxfanout, vsi-typeid, vsi-vers, vsi-mgrid, etsbw-lcl,
                     cos, pkey, linkmode
                     (added by Solaris 11.2) evs, vport
    device           match, allow-partition, allow-raw-io
                     (added by Solaris 11.2) storage
    rctl             name, value
    attr             name, type, value
    dataset          name
    dedicated-cpu    ncpus, importance
                     (added by Solaris 11.2) cpus, cores, sockets
    capped-cpu       ncpus
    capped-memory    physical, swap, locked
    admin            user, auths
    rootzpool        (added by Solaris 11.1) install-size, storage
    zpool            (added by Solaris 11.1) install-size, name, storage

The autoshutdown Global Property (Solaris 11.2)

This property determines the action taken to shut down the non-global zone on a graceful shutdown of the global zone. Possible values are:

    shutdown - A clean zone shutdown. This is the default.
    halt
    suspend

The tenant Global Property (Solaris 11.2)

This property works with EVS (Elastic Virtual Switch). See evsadm(1M). It defines the name of the tenant that owns the EVS to which a VNIC anet will be connected.

The file-mac-profile Global Property

The file-mac-profile property is used to configure an immutable zone. Immutable zones have a read-only root file system. The kernel applies the read restriction based on the setting for this property. The property is not set by default, which is the equivalent of a none setting. The possible settings for this property are:

    none - The default, a standard read-write zone.
    strict - A read-only file system where packages can not be added, services are fixed, log files are read-only and should be configured for remote logging, and configurations such as auditing are fixed.
    fixed-configuration - Same as strict with the following exceptions: log files can be written locally and most of /var/ is writable; syslog and audit configurations can not be changed.
    flexible-configuration - Same as fixed-configuration with the following exceptions: the /etc/ directory is writable, /var/ is writable, and the configuration files for syslog and auditing can be changed. Functionality is similar to a sparse root model zone in Oracle Solaris 10.

To examine the property further a read-only zone has been created; following is the configuration information for the zone. The network interface is set to shared; automatic network configuration will not work correctly and will require intervention by the administrator of the zone. The better configurations to use are shared or exclusive with a VNIC configured in the global zone and assigned specifically to the non-global zone.

Read-only Zone configuration

    # zonecfg -z readonly
    readonly: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:readonly> create -t SYSdefault-shared-ip
    zonecfg:readonly> set zonepath=/zones/readonly
    zonecfg:readonly> set file-mac-profile=strict
    zonecfg:readonly> add net
    zonecfg:readonly:net> set physical=net0
    zonecfg:readonly:net> set address=<ip-address/prefix>
    zonecfg:readonly:net> end
    zonecfg:readonly> exit

The zone install is standard; the zone will boot as a writable zone until the system configuration information is added and the milestone self-assembly-complete completes, after which the zone reboots to read-only mode. The state of the zone can be examined for the read-write or read-only modes by using the list -p option to the zoneadm command:

Zone booted: not configured

    # zoneadm -z readonly list -p
    2:readonly:running:/zones/readonly:<uuid>:solaris:shared:W:strict

The second to last field (W) indicates the zone is writable; the last field shows the file-mac-profile property setting.

Zone configured: service self-assembly-complete completed: rebooting

    # zoneadm -z readonly list -p
    4:readonly:down:/zones/readonly:<uuid>:solaris:shared:-:strict

Zone rebooting

    # zoneadm -z readonly list -p
    5:readonly:ready:/zones/readonly:<uuid>:solaris:shared:-:strict

Zone booted: read-only

    # zoneadm -z readonly list -p
    5:readonly:running:/zones/readonly:<uuid>:solaris:shared:R:strict

The second to last field (R) indicates the zone is read-only.
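As an added example (not part of the original document), a small Python checker that parses zoneadm list -p output in the nine-field layout shown above and flags non-global zones that either have no file-mac-profile or are configured immutable but are currently running writable (the W state). The sample lines are constructed, with a placeholder UUID column.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Field layout of `zoneadm list -p` as used in this document (assumed here:
# the nine colon-separated fields shown above, in this order):
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type:rw:file-mac-profile
# The rw field is W when the zone is booted writable, R when it is running
# read-only and - when the zone is not running.
FIELD_COUNT = 9


@dataclass
class ZoneRow:
    zoneid: str
    name: str
    state: str
    path: str
    uuid: str
    brand: str
    iptype: str
    rw: str
    mac_profile: str


def parse_zoneadm_p(text: str) -> List[ZoneRow]:
    """Parse `zoneadm list -p` output, one zone per line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < FIELD_COUNT:
            raise ValueError(f"unexpected zoneadm list -p line: {line!r}")
        # Newer releases may append fields; only the first nine are used here.
        rows.append(ZoneRow(*fields[:FIELD_COUNT]))
    return rows


def audit_immutable(rows: List[ZoneRow]) -> List[Tuple[str, str]]:
    """Return (zonename, finding) pairs for non-global zones.

    no-profile    - file-mac-profile is unset or none: a standard read-write zone
    writable-boot - an immutable profile is configured but the zone is running
                    writable, as after `zoneadm -z <zone> reboot -w`
    """
    findings = []
    for z in rows:
        if z.name == "global":
            continue
        if z.mac_profile in ("", "none"):
            findings.append((z.name, "no-profile"))
        elif z.state == "running" and z.rw == "W":
            findings.append((z.name, "writable-boot"))
    return findings


# Constructed sample in the layout shown above (not captured output; the UUID
# column is a placeholder).
SAMPLE = """\
2:readonly:running:/zones/readonly:<uuid>:solaris:shared:W:strict
5:readonly2:running:/zones/readonly2:<uuid>:solaris:shared:R:fixed-configuration
6:fszone:running:/zones/fszone:<uuid>:solaris:shared:W:
-:ozone:installed:/zones/ozone:<uuid>:solaris:excl:-:strict
"""

if __name__ == "__main__":
    for name, finding in audit_immutable(parse_zoneadm_p(SAMPLE)):
        print(f"{name}: {finding}")
```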

Logging into the zone via the console will show indications of the read-only state of the zone, for example:

    Nov 4 01:13:43 readonly sendmail[2000]: unable to write pid to /var/spool/clientmqueue/sm-client.pid: Read-only file system
    Nov 4 01:13:48 readonly sendmail[2301]: unable to qualify my own domain name (readonly) -- using short name
    Nov 4 01:13:51 readonly sendmail[2301]: NOQUEUE: SYSERR(root): ...
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    tim@readonly:~$

Next is an examination of the zone to confirm the restrictions, first file writes and syslog:

Test file and syslog write

    root@readonly:~# touch /var/tmp/testfile
    touch: cannot create /var/tmp/testfile: Read-only file system
    root@readonly:~# touch /testfile
    touch: cannot create /testfile: Read-only file system
    root@readonly:~# touch /etc/testfile
    touch: cannot create /etc/testfile: Read-only file system
    root@readonly:~# touch /export/testfile
    touch: cannot create /export/testfile: Read-only file system
    root@readonly:/# logger -p auth.emerg tester
    Nov 4 04:41:41 readonly last message repeated 1 time
    Nov 4 04:49:01 readonly root: [ID 702911 auth.emerg] tester

    Message from syslogd@readonly at Fri Nov 4 04:49:01 2011 ...
    readonly last message repeated 1 time

    Message from syslogd@readonly at Fri Nov 4 04:49:01 2011 ...
    readonly root: [ID 702911 auth.emerg] tester
    root@readonly:/# tail /var/adm/messages
    Nov 4 04:12:02 readonly sendmail[393]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
    Nov 4 04:12:02 readonly sendmail[331]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
    Nov 4 04:11:02 readonly sendmail[393]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
    Nov 4 04:11:02 readonly sendmail[331]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name

The string tester would have been written to /var/adm/messages in a writable zone, but in the strict read-only zone /var/adm/messages is not writable.

Next a service state is changed and a reboot is performed to show that the current state of the service is persistent (fixed):

    root@readonly:~# svcs ssh
    STATE          STIME    FMRI
    online         11:19:40 svc:/network/ssh:default
    root@readonly:~# svcadm disable ssh
    root@readonly:~# svcs ssh
    STATE          STIME    FMRI
    disabled       14:11:11 svc:/network/ssh:default
    root@readonly:~# reboot
    [Connection to zone 'readonly' pts/2 closed]
    # zoneadm -z readonly list -p
    6:readonly:running:/zones/readonly:<uuid>:solaris:shared:R:strict
    # zlogin readonly
    [Connected to zone 'readonly' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@readonly:~# svcs ssh
    STATE          STIME    FMRI
    online         14:31:11 svc:/network/ssh:default

In a read-write zone changing a service state will survive a reboot. In the read-only zone the repository is updated in memory, so the service can be disabled; however, the repository's new state for that service can not be written to persistent storage, so the state of the repository remains as it was when the repository was last written.

Packages are not available to the read-only zone. In the next test the zone is booted as a writable zone by passing the -w option to the zoneadm command. In the writable state the pkg command is verified, then the zone is rebooted to read-only mode and the same commands are tested.

Zone booted read-write

    # zoneadm -z readonly reboot -w
    # zoneadm -z readonly list -p
    7:readonly:running:/zones/readonly:<uuid>:solaris:shared:W:strict
    # zlogin readonly
    [Connected to zone 'readonly' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@readonly:~#

pkg(1) command and network verified

    root@readonly:~# getent hosts sol-11-server
    <ip-address>    sol-11-server.timwort.org
    root@readonly:~# pkg publisher
    PUBLISHER                   TYPE     STATUS   URI
    solaris        (syspub)     origin   online   proxy://http://sol-11-server.timwort.org/
    root@readonly:~# pkg search -r wireshark
    INDEX       ACTION VALUE                                   PACKAGE
    pkg.summary set    Libraries and Tools used by Wireshark and Tshark Network protocol analyzers
                                                               pkg:/diagnostic/wireshark/wireshark-common@<version>
    basename    dir    usr/lib/wireshark                       pkg:/diagnostic/wireshark/wireshark-common@<version>
    basename    dir    usr/share/wireshark                     pkg:/diagnostic/wireshark/wireshark-common@<version>
    basename    file   usr/sbin/wireshark                      pkg:/diagnostic/wireshark@<version>
    pkg.fmri    set    solaris/diagnostic/wireshark            pkg:/diagnostic/wireshark@<version>

Zone booted to read-only state

    # zoneadm -z readonly reboot
    # zoneadm -z readonly list -p
    8:readonly:running:/zones/readonly:<uuid>:solaris:shared:R:strict
    # zlogin readonly
    [Connected to zone 'readonly' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011

pkg(1) command and network verified

    root@readonly:~# getent hosts sol-11-server
    <ip-address>    sol-11-server.timwort.org
    root@readonly:~# pkg search -r wireshark
    Segmentation Fault
    root@readonly:~# pkg publisher
    Segmentation Fault

Next the zone will be configured as a fixed-configuration zone and verified:

Zone configured as fixed-configuration and rebooted

    # zonecfg -z readonly set file-mac-profile=fixed-configuration
    # zoneadm -z readonly boot
    # zoneadm -z readonly list -p
    9:readonly:running:/zones/readonly:<uuid>:solaris:shared:R:fixed-configuration

Test file and syslog write

    root@readonly:~# touch /var/tmp/testfile
    root@readonly:~# touch /testfile
    touch: cannot create /testfile: Read-only file system
    root@readonly:~# touch /etc/testfile
    touch: cannot create /etc/testfile: Read-only file system
    root@readonly:~# touch /export/testfile
    touch: cannot create /export/testfile: Read-only file system
    root@readonly:~# logger -p auth.emerg tester
    Nov 4 09:11:10 readonly root: [ID 702911 auth.emerg] tester

    Message from syslogd@readonly at Fri Nov 4 09:11:10 2011 ...
    readonly root: [ID 702911 auth.emerg] tester
    root@readonly:~# tail /var/adm/messages
    Nov 4 04:12:02 readonly sendmail[393]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
    Nov 4 04:12:02 readonly sendmail[331]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
    Nov 4 04:11:02 readonly sendmail[393]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
    Nov 4 04:11:02 readonly sendmail[331]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
    Nov 4 09:21:41 readonly sendmail[81]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
    Nov 4 09:24:41 readonly sendmail[81]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
    Nov 4 09:11:10 readonly root: [ID 702911 auth.emerg] tester

In the fixed-configuration read-only configuration most of /var is writable and log files are writable, as seen by the previous commands.

Next the zone is configured as a flexible-configuration read-only zone and the configuration is verified:

Zone configured as flexible-configuration and rebooted

    # zonecfg -z readonly set file-mac-profile=flexible-configuration
    # zoneadm -z readonly boot
    # zoneadm -z readonly list -p
    10:readonly:running:/zones/readonly:<uuid>:solaris:shared:R:flexible-configuration

Verify the flexible-configuration read-only zone configuration

    # zlogin readonly
    [Connected to zone 'readonly' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@readonly:~# touch /usr/tester
    touch: cannot create /usr/tester: Read-only file system
    root@readonly:~# touch /etc/testfile
    root@readonly:~# touch /lib/testfile
    touch: cannot create /lib/testfile: Read-only file system
    root@readonly:~# touch /testfile
    touch: cannot create /testfile: Read-only file system
    root@readonly:~# touch /root/testfile

The flexible-configuration setting allows writes to root's home directory, /etc and /var, but other file systems are restricted.

The restrictions applied to a read-only zone are not applied to read-write file systems that are mounted read-write into the zone via NFS or through the zone configuration, for example:

Read-only zone: /opt not writable

    # zonecfg -z readonly set file-mac-profile=strict
    # zoneadm -z readonly boot
    # zlogin readonly
    [Connected to zone 'readonly' pts/1]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@readonly:~# touch /opt/myfile
    touch: cannot create /opt/myfile: Read-only file system
    root@readonly:~# halt
    [Connection to zone 'readonly' pts/1 closed]

Create a ZFS file system and add it to the zone configuration

    # zfs create -p rpool/dstor/fs
    # zonecfg -z readonly "add fs;set type=zfs;set dir=/opt/local;set special=rpool/dstor/fs;end;exit"
    # zfs set mountpoint=legacy rpool/dstor/fs
    # zoneadm -z readonly boot

Verify write to file system

    # zlogin readonly
    [Connected to zone 'readonly' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@readonly:~# touch /opt/local/myfile
    root@readonly:~#

Solaris 11.2 adds read-only global zone configurations. Immutable zones will have a read-only zone root.

Read-Only Immutable Global zone

    # zonecfg -z global set file-mac-profile=fixed-configuration

The fs-allowed Global Property

The fs-allowed property determines the file system types that can be mounted within a non-global zone. By default hsfs(7FS) and NFS file systems can be mounted in the zone. The property takes a comma separated list of file system types.

In the following example the zone is at a default configuration and the fs-allowed property is not set.

    ...
    super-block backups (for fsck -F ufs -o b=#) at:
     32, ...
    root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol /mnt
    mount: Insufficient privileges
    root@fszone:~# exit
    logout
    [Connection to zone 'fszone' pts/1 closed]

With fs-allowed set

    # zonecfg -z fszone set fs-allowed=ufs
    # zoneadm -z fszone reboot
    # zlogin fszone
    [Connected to zone 'fszone' pts/1]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol /mnt
    root@fszone:~# ls /mnt
    lost+found

The max-processes and zone.max-lofi Global properties

A new resource control, max-processes, is defined. The property sets the maximum number of process table slots simultaneously available to this zone. This property is the preferred way to set the zone.max-processes resource control.

Setting this property will implicitly set the value of the max-lwps property to 10 times the number of process slots unless the max-lwps property has been set explicitly.

Additionally, loopback file system (lofi) devices are allowed within a zone; the resource control zone.max-lofi defines the maximum number of lofi(7D) devices available to a zone.

max-processes

    # zonecfg -z ozone "set max-processes=200;exit"
    # zonecfg -z ozone info
    ...
    [max-processes: 200]
    ...
    rctl:
        name: zone.max-processes
        value: (priv=privileged,limit=200,action=deny)

zone.max-lofi

    zonecfg:ozone> add rctl
    zonecfg:ozone:rctl> set name=zone.max-lofi
    zonecfg:ozone:rctl> set value=(priv=privileged,limit=10,action=deny)
    zonecfg:ozone:rctl> help
    zonecfg:ozone:rctl> end

Results

    # prctl -i zone ozone
    zone: 4: ozone
    NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
    zone.max-lofi
            usage               1
            privileged         10       -   deny                             -
            system          2.15G     max   deny                             -
    zone.max-swap
            usage          13.1MB
            system         16.0EB     max   deny                             -
    zone.max-locked-memory
            usage              0B
            system         16.0EB     max   deny                             -
    zone.max-shm-memory
            system         16.0EB     max   deny                             -
    zone.max-shm-ids
            system          16.8M     max   deny                             -
    zone.max-sem-ids
            system          16.8M     max   deny                             -
    zone.max-msg-ids
            system          16.8M     max   deny                             -
    zone.max-processes
            usage               5
            privileged        200       -   deny                             -
            system          2.15G     max   deny                             -
    zone.max-lwps
            usage              41
            privileged      2.00K       -   deny                             -
            system          2.15G     max   deny                             -
    zone.cpu-cap
            usage               0
            system          4.29G     inf   deny                             -
    zone.cpu-shares
            usage               1
            privileged          1       -   none                             -
            system          65.5K     max   none                             -

The new device Resource properties

Oracle Solaris 11 adds two new resource properties to the device resource. In Oracle Solaris 10 only the match property could be set, to some allowable device. In Oracle Solaris 11 the allow-partition and the allow-raw-io resource properties are added to the device resource. These resource properties are configured as either true or false, with the default setting false.

The allow-partition property allows a disk to be labeled with the format command. The allow-raw-io property allows uscsi(7I) commands to be executed against the device. Adding devices to a zone, or using the allow-partition property or the allow-raw-io property, should be done with caution. Access to a device driver can allow a malicious user to panic the system or access other devices on the bus. This resource and these resource properties should not be used without first understanding the security implications. See uscsi(7I) and "Device Use in Non-Global Zones".

The following example shows the use of the allow-partition property:

Current zone state

    # zonecfg -z fszone info
    zonename: fszone
    zonepath: /zones/fszone
    brand: solaris
    autoboot: false
    bootargs:
    file-mac-profile:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: shared
    hostid:
    fs-allowed: ufs
    net:
        address: <ip-address/prefix>
        allowed-address not specified
        configure-allowed-address: true
        physical: net0
        defrouter not specified

Selecting a device to add to the zone

    # zpool status
      pool: rpool
     state: ONLINE
      scan: none requested
    config:

            NAME        STATE     READ WRITE CKSUM
            rpool       ONLINE       0     0     0
              c2t0d0s0  ONLINE       0     0     0

    errors: No known data errors
    # format
    Searching for disks...done

    AVAILABLE DISK SELECTIONS:
           0. c2t0d0 <ATA-VBOX HARDDISK-1.0 ...>
              /pci@0,0/pci8086,2829@d/disk@0,0
           1. c2t1d0 <ATA-VBOX HARDDISK-1.0 ...>
              /pci@0,0/pci8086,2829@d/disk@1,0
    Specify disk (enter its number): ^D

Adding the device and testing

    # zonecfg -z fszone "add device;set match=/dev/*dsk/c2t1d0s*;end;exit"
    # zoneadm -z fszone reboot
    root@sol-11-desktop:~# zlogin fszone
    [Connected to zone 'fszone' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@fszone:~# format
    Searching for disks...done

    AVAILABLE DISK SELECTIONS:
           0. c2t1d0 <ATA-VBOX HARDDISK-1.0 ...>
              sd1 at pciclass,010600 slave ...
    Specify disk (enter its number): 0
    selecting c2t1d0
    Permission denied.
    root@fszone:~# exit
    logout
    [Connection to zone 'fszone' pts/2 closed]

Setting the allow-partition property and testing

    # zonecfg -z fszone "select device match=/dev/*dsk/c2t1d0s*;set allow-partition=true;end;exit"
    # zoneadm -z fszone reboot
    # zlogin fszone
    [Connected to zone 'fszone' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    root@fszone:~# format
    Searching for disks...done

    AVAILABLE DISK SELECTIONS:
           0. c2t1d0 <ATA-VBOX HARDDISK-1.0 ...>
              sd1 at pciclass,010600 slave ...
    Specify disk (enter its number): 0
    selecting c2t1d0
    [disk formatted]
    No Solaris fdisk partition found.

    FORMAT MENU:
            disk       - select a disk
            type       - select (define) a disk type
            partition  - select (define) a partition table
            current    - describe the current disk
            format     - format and analyze the disk
            fdisk      - run the fdisk program
            repair     - repair a defective sector
            label      - write label to the disk
            analyze    - surface analysis
            defect     - defect list management
            backup     - search for backup labels
            verify     - read and display labels
            save       - save new disk/partition definitions
            inquiry    - show disk ID
            volname    - set 8-character volume name
            !<cmd>     - execute <cmd>, then return
            quit
    format> p

    PARTITION MENU:
            0      - change `0' partition
            1      - change `1' partition
            2      - change `2' partition
            3      - change `3' partition
            4      - change `4' partition
            5      - change `5' partition
            6      - change `6' partition
            7      - change `7' partition
            select - select a predefined table
            modify - modify a predefined partition table
            name   - name the current table
            print  - display the current table
            label  - write partition map and label to the disk
            !<cmd> - execute <cmd>, then return
            quit
    partition> p
    Current partition table (original):
    Total disk cylinders available: 8 + 2 (reserved cylinders)

    Part      Tag    Flag     Cylinders        Size            Blocks
      0 unassigned    wm       0               0         (0/0/0)           0
      1 unassigned    wm       0               0         (0/0/0)           0
      2     backup    wu       0 - 7        8.00MB       (8/0/0)         ...
      3 unassigned    wm       0               0         (0/0/0)           0
      4 unassigned    wm       0               0         (0/0/0)           0
      5 unassigned    wm       0               0         (0/0/0)           0
      6 unassigned    wm       0               0         (0/0/0)           0
      7 unassigned    wm       0               0         (0/0/0)           0
      8       boot    wu       0 - 0        1.00MB       (1/0/0)         ...
      9 unassigned    wm       0               0         (0/0/0)           0

    partition> m
    Select partitioning base:
            0. Current partition table (original)
            1. All Free Hog
    Choose base (enter number) [0]?

    Part      Tag    Flag     Cylinders        Size            Blocks
      0       root    wm       0               0         (0/0/0)           0
      1       swap    wu       0               0         (0/0/0)           0
      2     backup    wu       0 - 7        8.00MB       (8/0/0)         ...
      3 unassigned    wm       0               0         (0/0/0)           0
      4 unassigned    wm       0               0         (0/0/0)           0
      5 unassigned    wm       0               0         (0/0/0)           0
      6        usr    wm       0               0         (0/0/0)           0
      7 unassigned    wm       0               0         (0/0/0)           0
      8       boot    wu       0 - 0        1.00MB       (1/0/0)         ...
      9 alternates    wm       0               0         (0/0/0)           0

    Do you wish to continue creating a new partition
    table based on above table[yes]?
    Free Hog partition[6]? 0
    Enter size of partition '1' [0b, 0c, 0.00mb, 0.00gb]:
    Enter size of partition '3' [0b, 0c, 0.00mb, 0.00gb]:
    Enter size of partition '4' [0b, 0c, 0.00mb, 0.00gb]:
    Enter size of partition '5' [0b, 0c, 0.00mb, 0.00gb]:
    Enter size of partition '6' [0b, 0c, 0.00mb, 0.00gb]:
    Enter size of partition '7' [0b, 0c, 0.00mb, 0.00gb]:

    Part      Tag    Flag     Cylinders        Size            Blocks
      0       root    wm       1 - 7        7.00MB       (7/0/0)         ...
      1       swap    wu       0               0         (0/0/0)           0
      2     backup    wu       0 - 7        8.00MB       (8/0/0)         ...
      3 unassigned    wm       0               0         (0/0/0)           0
      4 unassigned    wm       0               0         (0/0/0)           0
      5 unassigned    wm       0               0         (0/0/0)           0
      6        usr    wm       0               0         (0/0/0)           0
      7 unassigned    wm       0               0         (0/0/0)           0
      8       boot    wu       0 - 0        1.00MB       (1/0/0)         ...
      9 alternates    wm       0               0         (0/0/0)           0

    Okay to make this the current partition table[yes]?
    Enter table name (remember quotes): "t"
    Ready to label disk, continue? y

    partition> p
    Current partition table (t):
    Total disk cylinders available: 8 + 2 (reserved cylinders)

    Part      Tag    Flag     Cylinders        Size            Blocks
      0 unassigned    wm       1 - 7        7.00MB       (7/0/0)         ...
      1 unassigned    wm       0               0         (0/0/0)           0
      2     backup    wu       0 - 7        8.00MB       (8/0/0)         ...
      3 unassigned    wm       0               0         (0/0/0)           0
      4 unassigned    wm       0               0         (0/0/0)           0
      5 unassigned    wm       0               0         (0/0/0)           0
      6 unassigned    wm       0               0         (0/0/0)           0
      7 unassigned    wm       0               0         (0/0/0)           0
      8       boot    wu       0 - 0        1.00MB       (1/0/0)         ...
      9 unassigned    wm       0               0         (0/0/0)           0

    partition> ^D
    root@fszone:~#

The storage property is added to the device resource by Solaris 11.2. The property can be set to a storage URI (SURI); see suri(5). The SURI is mapped when the zone boots, allow-partition is automatically set to true, and the matching device nodes are available inside the zone. The SURI is unmapped when the zone halts.

The anet and net Resource Properties

When a non-global zone is created the default networking is configured as an exclusive-IP type with an anet resource. The anet resource creates a VNIC for the non-global zone. The VNIC is present when the non-global zone is booted and destroyed when the non-global zone is shut down. An example of the anet resource can be seen in Part 1 of this document.

The anet properties

    anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:fa:fb:da
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified
        (Added by Solaris 11.1)
        rxfanout not specified
        vsi-typeid not specified
        vsi-vers not specified
        vsi-mgrid not specified
        etsbw-lcl not specified
        cos not specified
        pkey not specified
        linkmode not specified
        (Added by Solaris 11.2)
        evs not specified
        vport not specified

Most of the anet properties are self explanatory and all are defined in the zonecfg(1M) man page. The table below examines a few of the more interesting properties.

    lower-link: auto      Defines the link in the global zone that will be used for the VNIC; the
                          property can be set to any existing link as described by the dladm(1M)
                          command. When set to auto the link selection order is: first a configured
                          link aggregation in the up state, next an Ethernet link in the up state
                          chosen based on an alphabetic sort, then the net0 link if available.
    mac-address: random   Can be set to factory, random or auto. Auto attempts to use a factory MAC
                          address; if no factory address is available then random is used. A random
                          address is preserved across reboots to support DHCP.
    auto-mac-address:     When the anet resource is used this property is populated with the
                          assigned MAC address.
    mac-prefix            Sets a prefix for the random MAC address if required.
    mac-slot              A slot location for a specific factory MAC address.

Solaris 11.1 added more anet resource properties; these properties are described in the dladm(1M) man page. Solaris 11.2 added two more anet resource properties; these properties are used in the EVS environment. See evsadm(1M).

The net resource properties include defrouter, allowed-address and configure-allowed-address.

    defrouter                  The property is optional and should only be set to an address on a
                               different subnet than is configured for the global zone.
    allowed-address            Used with exclusive-IP zones only. If used, this property constrains
                               the IP address(es) that can be used to configure the interface in the
                               zone. When set, the allowed-address property also sets the
                               configure-allowed-address property to true.
    configure-allowed-address  When this property is set to true the address defined by the
                               allowed-address property will be configured on the interface when
                               the non-global zone boots.

The admin Resource

The admin resource allows delegation of administrator tasks for a particular zone to a non-root user or a role. Two properties can be set: the user property, which defines a user or role, and the auths property, which defines one or more authorizations.

The user property takes a user or role that must exist in the global zone.

The auths property can be set to a comma separated list. The possible values are login (authenticated login to this zone), manage (allows management of this zone using zoneadm(1M)) and copyfrom (allows cloning of this zone).

Create a role for zone administration

    # roleadd -m -d /export/home/zadmin -s /usr/bin/pfbash zadmin
    80 blocks
    # passwd zadmin
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for zadmin

Add the role to the zone

    # zonecfg -z ozone "add admin;set user=zadmin;set auths=login,manage;end"
    Found user in files repository.

The result of the previous command

    # grep zadmin /etc/user_attr
    zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role
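An added Python example, not from the original document, that reproduces the mapping shown in the grep output above (zonecfg auths login,manage for zone ozone become solaris.zone.login/ozone and solaris.zone.manage/ozone), parses a user_attr(4) line and answers whether a role holds the authorization for a given zone action; RBAC prefix wildcards ending in ".*" are honoured. Only the two auths values used above are mapped, and the user_attr line is constructed to mirror the one shown.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# zonecfg admin auths values and the RBAC authorizations zonecfg writes for
# them into user_attr(4), as shown in the grep output above. Only the two
# values used in the document's example are mapped (assumption: the
# solaris.zone.<auth>/<zonename> form applies to both).
ZONE_AUTHS: Dict[str, str] = {
    "login": "solaris.zone.login",
    "manage": "solaris.zone.manage",
}


@dataclass
class UserAttrEntry:
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)


def rbac_auths_for_zone(zonename: str, auths: str) -> List[str]:
    """Expand a zonecfg 'set auths=login,manage' value for one zone."""
    result = []
    for a in auths.split(","):
        a = a.strip()
        if a not in ZONE_AUTHS:
            raise ValueError(f"unsupported admin auth: {a!r}")
        result.append(f"{ZONE_AUTHS[a]}/{zonename}")
    return result


def parse_user_attr(line: str) -> UserAttrEntry:
    """Parse one user_attr(4) line: name:qualifier:res1:res2:key=value;..."""
    parts = line.rstrip("\n").split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed user_attr line: {line!r}")
    entry = UserAttrEntry(parts[0])
    for kv in parts[4].split(";"):
        if kv:
            key, _, value = kv.partition("=")
            entry.attrs[key] = value
    return entry


def _auth_matches(granted: str, wanted: str) -> bool:
    # Exact match, or an RBAC prefix wildcard such as solaris.zone.* or solaris.*
    if granted == wanted:
        return True
    return granted.endswith(".*") and wanted.startswith(granted[:-1])


def role_can(entry: UserAttrEntry, zonename: str, action: str) -> bool:
    """True if the entry grants solaris.zone.<action>/<zonename>."""
    if action not in ZONE_AUTHS:
        raise ValueError(f"unknown zone action: {action!r}")
    wanted = f"{ZONE_AUTHS[action]}/{zonename}"
    granted = [a.strip() for a in entry.attrs.get("auths", "").split(",") if a.strip()]
    return any(_auth_matches(g, wanted) for g in granted)


# Constructed sample line, mirroring the entry zonecfg produced above for zadmin.
ZADMIN_LINE = ("zadmin::::type=role;auths=solaris.zone.login/ozone,"
               "solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role")

if __name__ == "__main__":
    zadmin = parse_user_attr(ZADMIN_LINE)
    for zone in ("ozone", "otherzone"):
        print(zone, "manage:", role_can(zadmin, zone, "manage"))
```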

Assign the role to a user

    # usermod -R zadmin tim
    Found user in files repository.
    UX: usermod: tim is currently logged in, some changes may not take effect until next login.

Examine the user and role

    tim$ profiles
    Basic Solaris User
    All
    tim$ roles
    zadmin
    tim$ su zadmin
    Password:
    zadmin$ profiles
    Zone Management
    All
    Basic Solaris User
    zadmin$ profiles -p "Zone Management"
    Found profile in files repository.
    profiles:Zone Management> info
            name=Zone Management
            desc=Zones Virtual Application Environment Administration
            help=RtZoneMngmnt.html
            cmd=/usr/sbin/zoneadm
            cmd=/usr/sbin/zlogin
    profiles:Zone Management> exit

Verify use of the role

    zadmin$ zoneadm -z ozone shutdown -r
    zadmin$ zoneadm list -cv
      ID NAME             STATUS      PATH                         BRAND      IP
       0 global           running     /                            solaris    shared
       5 ozone            running     /zones/ozone                 solaris    excl
       6 <other-zone>     running     /zones/<other-zone>          solaris    excl
    zadmin$ zlogin ozone
    [Connected to zone 'ozone' pts/2]
    Oracle Corporation      SunOS 5.11      11.0    ...
    zadmin$ zoneadm -z <other-zone> shutdown -r
    zoneadm: zone '<other-zone>' ...

The zone creation

    root@anarchy:~# zonecfg -z poolzone
    Use 'create' to begin configuring a new zone.
    zonecfg:poolzone> create
    create: Using system default template 'SYSdefault'
    zonecfg:poolzone> add rootzpool
    zonecfg:poolzone:rootzpool> add storage dev:dsk/<disk-a>
    zonecfg:poolzone:rootzpool> add storage dev:dsk/<disk-b>
    zonecfg:poolzone:rootzpool> end
    zonecfg:poolzone> add zpool
    zonecfg:poolzone:zpool> add storage dev:dsk/<disk-c>
    zonecfg:poolzone:zpool> add storage dev:dsk/<disk-d>
    zonecfg:poolzone:zpool> set name=pool
    ...
    Created zone zpool: poolzone_pool
    Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
    Zonename: poolzone
    Installation: Starting ...

    Creating IPS image
    Startup linked: ...

    root@anarchy:~# zpool status
      pool: poolzone_pool
     ...
      pool: poolzone_rpool
     ...
    config:

            NAME              STATE     READ WRITE CKSUM
            poolzone_rpool    ONLINE       0     0     0
              mirror-0        ONLINE       0     0     0
                <disk-a>      ONLINE       0     0     0
                <disk-b>      ONLINE       0     0     0

    errors: No known data errors

      pool: rpool
     state: ONLINE
      scan: none requested
    config:

            NAME        STATE     READ WRITE CKSUM
            rpool       ONLINE       0     0     0
              <disk-0>  ONLINE       0     0     0

    errors: No known data errors

(After zone is booted)

    root@anarchy:~# zlogin poolzone zpool status
      pool: pool
     ...
      pool: rpool
     ...
    config:

            NAME          STATE     READ WRITE CKSUM
            rpool         ONLINE       0     0     0
              mirror-0    ONLINE       0     0     0
                <disk-a>  ONLINE       0     0     0
                <disk-b>  ONLINE       0     0     0

    errors: No known data errors