Configuring, Verifying, and Committing a Zone

The zonecfg command described in the zonecfg(1M) man page is used to perform the following actions.

Create the zone configuration
Verify that all required information is present
Commit the non-global zone configuration

The zonecfg command can also be used to persistently specify the resource management settings for the global zone.

While configuring a zone with the zonecfg utility, you can use the revert subcommand to undo the setting for a resource. See How to Revert a Zone Configuration.

A script to configure multiple zones on your system is provided in Script to Configure Multiple Zones.

To display a non-global zone's configuration, see How to Display the Configuration of a Non-Global Zone.

How to Configure the Zone

Note that the only required elements to create a non-global zone are the zonename and zonepath properties. Other resources and properties are optional. Some optional resources also require choices between alternatives, such as the decision to use either the dedicated-cpu resource or the capped-cpu resource. See Zone Configuration Data for information on available zonecfg properties and resources.

You must be the global administrator or a user with appropriate authorizations in the global zone to perform this procedure.

Become root or assume an equivalent role.
Set up a zone configuration with the zone name you have chosen.
The name my-zone is used in this example procedure.
```
global# zonecfg -z my-zone
```
If this is the first time you have configured this zone, you will see the following system message:
```
my-zone: No such zone configured
Use 'create' to begin configuring a new zone.
```

Create the new zone configuration.

This procedure uses the default settings.

zonecfg:my-zone> create
create: Using system default template 'SYSdefault'

Set the zone path, /zones/my-zone in this procedure.
```
zonecfg:my-zone> set zonepath=/zones/my-zone
```
The zone must reside on a ZFS dataset. The ZFS dataset will be created automatically when the zone is installed or attached. If a ZFS dataset cannot be created, the zone will not install or attach. Note that if the parent directory of the zone path exists, it must be the mount point of a mounted dataset.
Set the autoboot value.
If set to true, the zone is automatically booted when the global zone is booted. The default value is false. Note that for the zones to autoboot, the zones service svc:/system/zones:default must also be enabled. This service is enabled by default.
```
zonecfg:my-zone> set autoboot=true
```

Set persistent boot arguments for a zone.

zonecfg:my-zone> set bootargs="-m verbose"

Dedicate one CPU to this zone.

zonecfg:my-zone> add dedicated-cpu

Set the number of CPUs.

zonecfg:my-zone:dedicated-cpu> set ncpus=1-2

(Optional) Set the importance.

zonecfg:my-zone:dedicated-cpu> set importance=10

The default is 1.

End the specification.
```
zonecfg:my-zone:dedicated-cpu> end
```

Revise the default set of privileges.
```
zonecfg:my-zone> set limitpriv="default,sys_time"
```
This line adds the ability to set the system clock to the default set of privileges.

Set the scheduling class to FSS.

zonecfg:my-zone> set scheduling-class=FSS

Add a memory cap.
```
zonecfg:my-zone> add capped-memory
```
1. Set the memory cap.
```
zonecfg:my-zone:capped-memory> set physical=1g
```
2. Set the swap memory cap.
```
zonecfg:my-zone:capped-memory> set swap=2g
```
3. Set the locked memory cap.
```
zonecfg:my-zone:capped-memory> set locked=500m
```
4. End the memory cap specification.
```
zonecfg:my-zone:capped-memory> end
```
Note - To use the capped-memory resource, the resource-cap package must be installed in the global zone.
Add a file system.
```
zonecfg:my-zone> add fs
```
1. Set the mount point for the file system, /usr/local in this procedure.
```
zonecfg:my-zone:fs> set dir=/usr/local
```
2. Specify that /opt/local in the global zone is to be mounted as /usr/local in the zone being configured.
```
zonecfg:my-zone:fs> set special=/opt/local
```
  In the non-global zone, the /usr/local file system will be readable and writable.
3. Specify the file system type, lofs in this procedure.
```
zonecfg:my-zone:fs> set type=lofs
```
  The type indicates how the kernel interacts with the file system.
4. End the file system specification.
```
zonecfg:my-zone:fs> end
```
This step can be performed more than once to add more than one file system.
Set the hostid if necessary.
```
zonecfg:my-zone> set hostid=80f0c086
```
Add a ZFS dataset named sales in the storage pool tank
```
zonecfg:my-zone> add dataset
```
1. Specify the path to the ZFS dataset sales.
```
zonecfg:my-zone> set name=tank/sales
```
2. End the dataset specification.
```
zonecfg:my-zone> end
```
The zone administrator can create and destroy snapshots, file systems, and volumes within the dataset. The zone administrator can modify properties of the dataset, and control compression and encryption.
Create an exclusive-IP zone with an automatic VNIC.
```
zonecfg:my-zone> set ip-type=exclusive
```
```
zonecfg:my-zone> add anet
```
1. Specify auto as the underlying link for the link to be created.
```
zonecfg:my-zone:anet> set lower-link=auto
```
  The zoneadmd daemon will automatically choose the link over which the VNIC will be created each time the zone boots. The IPoIB links are skipped when selecting the data-link.
2. End the specification.
```
zonecfg:my-zone:anet> end
```
Add a device.
```
zonecfg:my-zone> add device
```
1. Set the device match, /dev/sound/* in this procedure.
```
zonecfg:my-zone:device> set match=/dev/sound/*
```
2. End the device specification.
```
zonecfg:my-zone:device> end
```
This step can be performed more than once to add more than one device.
Add Open Fabrics User Verbs (OFUV) devices for components of OFUV other than IB diagnostic tools.
```
zonecfg:my-zone> add device
```
1. Set the device match, infiniband/ofs/* in this procedure.
```
zonecfg:my-zone:device> set match=infiniband/ofs/*
```
2. End the device specification.
```
zonecfg:my-zone:device> end
```
IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.
This step can be performed more than once to add more than one device.
Add OFUV devices for components of OFUV other than IB diagnostic tools.
```
zonecfg:my-zone> add device
```
1. Set the device match, infiniband/hca/* in this procedure.
```
zonecfg:my-zone:device> set match=infiniband/hca/*
```
2. End the device specification.
```
zonecfg:my-zone:device> end
```
IB diagnostic tools are not supported in non-global zones. Devices added can be used with components of OFUV, such as verbs and rdma_cm.
This step can be performed more than once to add more than one device.
To allow disk labeling with the format command, an entire disk/LUN should be delegated to a zone, and the allow-partition property should be set.
```
zonecfg:my-zone> add device
```
1. Set the device match, /dev/*dsk/c2t40d3* in this procedure.
```
zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
```
2. Set allow-partition to be true.
```
zonecfg:my-zone:device> set allow-partition=true
```
3. End the device specification.
```
zonecfg:my-zone:device> end
```
This step can be performed more than once to add more than one device.

To allow uscsi operations on a disk, the allow-raw-io property should be set.

zonecfg:my-zone> add device

Set the device match, /dev/*dsk/c2t40d3* in this procedure.
```
zonecfg:my-zone:device> set match=/dev/*dsk/c2t40d3*
```

Set allow-raw-io to be true.

zonecfg:my-zone:device> set allow-raw-io=true

End the device specification.

zonecfg:my-zone:device> end

Caution - Allowing a zone to perform uscsi operations on a disk also allows the zone to access any other device connected to the same bus as the disk. Therefore, enabling this capability could create a security risk and allow for attacks against the global zone or other zones that use resources on the same bus. See uscsi(7I).

This step can be performed more than once to add more than one device.

Add a zone-wide resource control by using the property name.
```
zonecfg:my-zone> set max-sem-ids=10485200
```
This step can be performed more than once to add more than one resource control.

Add a comment by using the attr resource type.

zonecfg:my-zone> add attr

Set the name to comment.
```
zonecfg:my-zone:attr> set name=comment
```
Set the type to string.
```
zonecfg:my-zone:attr> set type=string
```

Set the value to a comment that describes the zone.

zonecfg:my-zone:attr> set value="This is my work zone."

End the attr resource type specification.
```
zonecfg:my-zone:attr> end
```

Verify the zone configuration for the zone.
```
zonecfg:my-zone> verify
```
Commit the zone configuration for the zone.
```
zonecfg:my-zone> commit
```
Exit the zonecfg command.
```
zonecfg:my-zone> exit
```
Note that even if you did not explicitly type commit at the prompt, a commit is automatically attempted when you type exit or an EOF occurs.

Using Multiple Subcommands From the Command Line

Tip - The zonecfg command also supports multiple subcommands, quoted and separated by semicolons, from the same shell invocation.

global# zonecfg -z my-zone "create ; set zonepath=/zones/my-zone"

For shared-IP zones, a static address can only be assigned in a zonecfg net resource. It cannot be supplied on the command line.

Where to Go From Here

See Installing and Booting Zones to install your committed zone configuration.

Script to Configure Multiple Zones

You can use this script to configure and boot multiple zones on your system. Zones created are default exclusive-IP zone with an anet resource.

Before executing the script, create a configuration profile by running the SCI Tool:

global# sysconfig create-profile -o sc_config.xml

The script takes the following parameters:

The number of zones to be created
The zonename prefix
The directory to use as the base directory
The full pathname of the newly created configuration profile

You must be the global administrator with root privileges in the global zone or a user with the correct rights profile to execute the script.

#!/bin/ksh
#
# Copyright 2006-2012 Oracle Corporation. All rights reserved.
# Use is subject to license terms.
#

#
# This script serves as an example of how to instantiate several zones
# with no administrative interaction.  Run the script with no arguments to
# get a usage message.  The general flow of the script is:
#
#   1) Parse and check command line arguments
#   2) Configure all zones that are not yet configured
#   3) Install the first zone, if needed
#   4) Create the remaining zones as clones of the first zone
#
# Upon successful completion, the requested number of zones will be
# been installed and booted.
#

export PATH=/usr/bin:/usr/sbin

me=$(basename $0)
function fail_usage {
    print -u2 "Usage:
    $me <#-of-zones> <zonename-prefix> <basedir> <sysconfig.xml>

Generate sysconfig.xml with:
    sysconfig create-profile -o sysconfig.xml

When running sysconfig, choose \"Automatically\" or \"None\" for network
configuration. The value entered for \"Computer Name\" will ignored:
each zone's nodename will be set to match the zone name."

    exit 2
}

function log {
    print "$(date +%T) $@"
}

function error {
    print -u2 "$me: ERROR: $@"
}

function get_zone_state {
    zoneadm -z "$1" list -p 2>/dev/null | cut -d: -f3
}

#
# Parse and check arguments
#
(( $# != 4 )) && fail_usage

# If $1 is not a number nzones will be set to 0.
integer nzones=$1
if (( nzones < 1 )); then
    error "Invalid number of zones \"$1\""
    fail_usage
fi
# Be sure that zonename prefix is an allowable zone name and not too long.
prefix=$2
if [[ $prefix != @([a-zA-Z0-9])*([-_.a-zA-Z0-9]) || ${#prefix} > 62 ]]; then
    error "Invalid zonename prefix"
    fail_usage
fi
# Be sure that basedir is an absolute path.  zoneadm will create the directory
# if needed.
dir=$3
if [[ $dir != /* ]]; then
    error "Invalid basedir"
    fail_usage
fi
# Be sure the sysconfig profile is readable and ends in .xml
sysconfig=$4
if [[ ! -f $sysconfig || ! -r $sysconfig || $sysconfig != *.xml ]]; then
    error "sysconfig profile missing, unreadable, or not *.xml"
    fail_usage
fi

#
# Create a temporary directory for all temp files
#
export TMPDIR=$(mktemp -d /tmp/$me.XXXXXX)
if [[ -z $TMPDIR ]]; then
    error "Could not create temporary directory"
    exit 1
fi
trap 'rm -rf $TMPDIR' EXIT

#
# Configure all of the zones
#
for (( i=1; i <= nzones; i++ )); do
    zone=$prefix$i
    state=$(get_zone_state $zone)
    if [[ -n $state ]]; then
        log "Skipping configuration of $zone: already $state"
        continue
    fi

    log "Configuring $zone"
    zonecfg -z "$zone" "create; set zonepath=$dir/$zone"
    if (( $? != 0 )); then
        error "Configuration of $zone failed"
        exit 1
    fi
done

#
# Install the first zone, then boot it for long enough for SMF to be
# initialized.  This will make it so that the first boot of all the clones
# goes much more quickly.
#
zone=${prefix}1
state=$(get_zone_state $zone)
if [[ $state == configured ]]; then
    log "Installing $zone"

    # Customize the nodename in the sysconfig profile
    z_sysconfig=$TMPDIR/$zone.xml
    search="<propval type=\"astring\" name=\"nodename\" value=\".*\"/>"
    replace="<propval type=\"astring\" name=\"nodename\" value=\"$zone\"/>"
    sed "s|$search|$replace|" $sysconfig > $z_sysconfig

    zoneadm -z $zone install -c $z_sysconfig
    if (( $? != 0 )); then
        error "Installation of $zone failed."
        rm -f $z_sysconfig
        exit 1
    fi
    rm -f $z_sysconfig
elif [[ $state != installed ]]; then
    error "Zone $zone is currently in the $state state."
    error "It must be in the installed state to be cloned."
    exit 1
fi
# Boot the zone no further than single-user.  All we really want is for
# svc:/system/manifest-import:default to complete.
log "Booting $zone for SMF manifest import"
zoneadm -z $zone boot -s
if (( $? != 0 )); then
    error "Failed to boot zone $zone"
    exit 1
fi
# This zlogin will return when manifest-import completes
log "Waiting for SMF manifest import in $zone to complete"
state=
while [[ $state != online ]]; do
    printf "."
    sleep 1
    state=$(zlogin $zone svcs -Ho state \
        svc:/system/manifest-import:default 2>/dev/null)
done
printf "\n"
log "Halting $zone"
zoneadm -z $zone halt
if (( $? != 0 )); then
    error "failed to halt $zone"
    exit 1
fi
firstzone=$zone

#
# Clone and boot the remaining zones
#
for (( i=2; i <= $nzones; i++ )); do
    zone=$prefix$i

    # Be sure that it needs to be installed
    state=$(get_zone_state $zone)
    if [[ $state != configured ]]; then
        log "Skipping installation of $zone: current state is $state."
        continue
    fi

    log "Cloning $zone from $firstzone"

    # Customize the nodename in the sysconfig profile
    z_sysconfig=$TMPDIR/$zone.xml
    search='<propval type="astring" name="nodename" value=".*"/>'
    replace='<propval type="astring" name="nodename" value="'$zone'"/>'
    sed "s|$search|$replace|" $sysconfig > $z_sysconfig

    # Clone the zone
    zoneadm -z $zone clone -c $z_sysconfig $firstzone
    if (( $? != 0 )); then
        error "Clone of $firstzone to $zone failed"
        rm -f $z_sysconfig
        exit 1
    fi
    rm -f $z_sysconfig

    # Boot the zone
    log "Booting $zone"
    zoneadm -z $zone boot
    if (( $? != 0 )); then
        error "Boot of $zone failed"
        exit 1
    fi
done

#
# Boot the first zone now that clones are done
#
log "Booting $firstzone"
zoneadm -z $firstzone boot
if (( $? != 0 )); then
    error "Boot of $firstzone failed"
    exit 1
fi

log "Completed in $SECONDS seconds"
exit 0

Output of script:

$ ./buildzones
Usage:
        buildzones <#-of-zones> <zonename-prefix> <basedir> <sysconfig.xml>

Generate sysconfig.xml with:
        sysconfig create-profile -o sysconfig.xml

When running sysconfig, choose "Automatically" or "None" for network
configuration. The value entered for "Computer Name" will be ignored:
each zone's nodename will be set to match the zone name.

# ~user/scripts/buildzones 3 bz /tank/bz /var/tmp/sysconfig.xml
12:54:04 Configuring bz1
12:54:05 Configuring bz2
12:54:05 Configuring bz3
12:54:05 Installing bz1
A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20110816T195407Z.bz1.install
       Image: Preparing at /tank/bz/bz1/root.

 Install Log: /system/volatile/install.24416/install_log
AI Manifest: /usr/share/auto_install/manifest/zone_default.xml
  SC Profile: /tmp/buildzones.F4ay4T/bz1.xml
    Zonename: bz1
Installation: Starting ....

How to Display the Configuration of a Non-Global Zone

You must be the global administrator in the global zone or a user with the correct rights profile to perform this procedure.

Become root or assume an equivalent role.
Display the configuration of a zone.
```
global# zonecfg -z zonename info
```

Skip Navigation Links
Exit Print View
	Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management Oracle Solaris 11.1 Information Library