Zone Manager Version 1.8 Help


System Administration Commands                        zonemgr(1M)

NAME
     zonemgr - set up and manage zones

SYNOPSIS
     Normal usage:
     zonemgr -a <action> [options]

     See proper usage:
     zonemgr -h

     Display the version:
     zonemgr -v

     Display the license:
     zonemgr -l

DESCRIPTION
     The purpose of zonemgr is to simplify Solaris 10 zones
     management.  There are many pre-defined actions that can be
     applied to one or more zones depending on the action.

OPTIONS
     The following options are supported:

     -a <action>     Specify the action to be performed

     -n <zonename>   Specify the name of the zone

     -h              See this usage information

     -l              See the GPL v2 license

     -v              See the version number of this script

ACTIONS
     Actions that can be destructive or cause loss of work accept
     a -F flag to force the action.

     The following actions are supported:

     info -n <zonename>
         The "info" action displays configuration information
         about a zone.

     add -n <zonename> -z <dir> [add_options]
         The "add" action adds a new zone.

         The following add_options are required:

         -z "<dir>"         Base directory for this zone.

         -P "<file or password>"
                            Unencrypted password of the root user
                            of this new non-global zone.  The
                            password can either be specified in
                            a file or as a quoted string.

         The following add_options can be used as substitutes for
         the required options:

         -Z "<dir>"         Root zone directory for this zone.
                            This is an alternate way from
                            -z <dir> of specifying the zone's root
                            directory.

         -E "<file or password>"
                            This is an alternate way from
                            -P <password> of specifying the non-
                            global root user's password in
                            encrypted form.  The encrypted
                            password can either be specified in
                            a file or as a quoted string.  You
                            can copy and paste the user's
                            encrypted password from /etc/shadow.

         The following optional add_options are supported:

         -t <w or s>        Type of zone where w=Whole Root and
                            s=Sparse Root.  A sparse root zone
                            inherits the following directories
                            from the global zone: /lib, /usr,
                            /sbin, and /platform. A whole root
                            zone does not inherit any directories
                            from the global zone. The default
                            value is sparse root (s).

         -A                 Disable autoboot (prevent zone from
                            booting when the server reboots).

         -I "<IP Address>|<Interface>|<Netmask>|<Host name>"
                            IP Address of the non-global zone
                            plus the network interface for that
                            IP address, the netmask in CIDR
                            format, and the host name for that IP
                            address.

                            If not specified, the default network
                            interface is the first non-loopback
                            interface listed by ifconfig.  The
                            default netmask is the netmask that
                            corresponds to the IP address that
                            you specify. There is no default host
                            name.

                            Note that a zone can be created
                            without a network address.

         -D "<domain>"      DNS Domain Name.  If a domain is
                            specified, then dns name servers must
                            also be specified.  Note also that
                            the fully qualified host name of the
                            non-global zone must be resolvable by
                            the naming service.

         -d "<ns1>,<ns2>,.."
                            Ordered list of DNS Name Servers.  If
                            domain name servers are specified the
                            domain name must also be specified.
                            Note also that the fully qualified host
                            name of the non-global zone must be
                            resolvable by the naming service.

         -r "<gdir>|<ldir>" Loopback mount global zone directory
                            (gdir) on a non-global zone directory
                            (ldir) in read only mode.

         -w "<gdir>|<ldir>" Loopback mount global zone directory
                            (gdir) on a non-global zone directory
                            (ldir) in read write mode.

         -N "<server>|<export_dir>|<mount_dir>|<options>"
                            Mount an NFS directory where <server>
                            is the NFS server host name or IP
                            address, <export_dir> is the NFS
                            exported directory, <mount_dir> is
                            the mount point within the non-global
                            zone to mount the NFS filesystem, and
                            <options> are the NFS mount options.

                            Note that zones only support
                            mounting an NFS filesystem from a
                            host on a separate physical server;
                            you cannot at present mount an NFS
                            filesystem exported by another zone
                            on this physical server.

         -B "<name>|<subset>|<img>"
                            Make the zone into a Linux branded
                            zone where <name> is the brand name,
                            <subset>, is the brand subset, and
                            <img> is the path and file name of
                            the brand archive.  If a media drive
                            is being used, <img> is the path to
                            the mounted media.  e.g.
                            /cdrom/cdrom0

         -R "<dir>|<shell>"
                            Custom home directory (<dir>) and
                            a shell (<shell>) for the root user
                            of the non-global zone.

         -C "<pre or post boot>|<source>|<destination>"
             or
         -C "<source>|<destination>"
                            File/Directory to recursively copy
                            from the global zone into the non-
                            global zone.  The <pre or post boot>
                            option defines if you want the source
                            copied before the non-global zone is
                            booted (pre) or after (post) the zone
                            has completed its final boot.
                            The <destination> option specifies
                            where in the non-global zone the
                            copied source is placed when that
                            differs from its path in the global
                            zone.

         -s "<method>|<method_arguments>"
                            This feature hardens the non-global
                            zone by disabling (or enabling)
                            unnecessary operating system
                            services of the non-global zone
                            according to the method specified.
                            Hardening methods and corresponding
                            arguments are as follows:

                            Secure by default:
                              Method: netservices or sbd
                              Arguments:
                                 limited - Eliminate unnecessary services
                                 open - Enable standard services

                            Service Management Facility Site
                            Profile:
                              Method: smf
                              Argument: <fullpath>/<smf_xml_file>

                            JumpStart Architecture and Security
                            Scripts (aka Solaris Security
                            Toolkit):
                              Method: jass
                              Argument: <jass_driver_name>

                            Basic service management:
                              Method: basic or enable or disable or lock or unlock
                              Argument: One of the following:
                                disable
                                lock
                                enable
                                unlock
                                disable|<service_list_file>
                                lock|<service_list_file>
                                enable|<service_list_file>
                                unlock|<service_list_file>

         -S "<service>"     Restart specified service after
                            adding zone.  A special case is
                            'reboot' to restart all services in
                            the zone.

         -M [basic|<file>]  Minimize the non-global zone by
                            either excluding or removing
                            unnecessary packages.  The optional
                            <file> is a file containing a list
                            of packages that you would like
                            removed from the zone.  If no <file>
                            is specified, the following
                            categories will be removed with
                            pkgrm -Y <category>:
                              JDS4 JDS3 JDS JDSosol GNOME2 CTL
                              ALE APOC CTL EVO146 G11NTOLS GLOW
                              JAI JAVAAPPS JDIC

         -X "<command> <args>"
                            Runs <command> inside the non-global
                            zone once it is successfully
                            created.  Note that you may need to
                            include the full path to the command
                            as well.  You can pass <args>
                            (arguments) to the command if you
                            include them in the quoted command
                            string.

         -G <package>       Fully automates the installation of
                            specified BlastWave package.  For a
                            full list of available BlastWave
                            packages, visit the following URL:
                              http://blastwave.org/packages

         -L "<priv>[,<priv>,...]"
                            Specifies the limit set of privileges
                            allowed in this zone.  See the
                            privileges(5) manual page for more
                            information and a list of available
                            privileges.

     del -n <zonename> [-F]
         The "del" action deletes an existing zone.

         The "del" action supports the following optional option:

         -F                 Don't confirm an action; Just do it.

     modify -n <zonename>
         The "modify" action enables you to add, modify and delete
         select zone properties.  Zone properties that can be modified
         include the following:

             Modify the zone name:
               -m "zonename:<value>"

             Modify the comment that describes the zone:
               -m "comment:<value>"

             Modify the autoboot value.  The autoboot property determines
             whether or not the zone will boot when the global zone is
             booted.
               -m "autoboot:<true|false>"

             Modify the boot arguments of the zone:
               -m "bootargs:<value>"

             Modify an existing filesystem (fs) property:
               -m "fs:<dir>|<resource_type>:<value>"
                     Where fs resource types include the following:
                        dir - Global zone directory
                        special - Non-global zone directory
                        options - Filesystem mount options

             Modify an existing network property:
               -m "net:<ipaddr/netmask>|<resource_type>:<value>"
                     Where net resource types include the following:
                        address - Network address and netmask in CIDR format
                        physical - The network interface

         Zone properties that can be deleted include the following:

             Delete an existing filesystem property:
               -m "del:fs:<dir_value>"

             Delete an existing network property:
               -m "del:net:<address/cidr_netmask>"

         In addition to modifying and deleting existing properties,
         you can also add a few types of properties.  The arguments
         used to add these properties are listed below.

         -I "<IP Address>|<Interface>|<Netmask>|<Host name>"
                            IP Address of the non-global zone
                            plus the network interface for that
                            IP address, the netmask in CIDR
                            format, and the host name for that IP
                            address.

                            If not specified, the default network
                            interface is the first non-loopback
                            interface listed by ifconfig.  The
                            default netmask is the netmask that
                            corresponds to the IP address that
                            you specify. There is no default host
                            name.

                            Note that a zone can be created
                            without a network address.

         -r "<gdir>|<ldir>" Loopback mount global zone directory
                            (gdir) on a non-global zone directory
                            (ldir) in read only mode.

         -w "<gdir>|<ldir>" Loopback mount global zone directory
                            (gdir) on a non-global zone directory
                            (ldir) in read write mode.

         -w "zfs|<dir>|<zpool>|<zname>"
                            Create a ZFS filesystem using legacy mode
                            and mount the ZFS filesystem within the
                            zone.  Note that this filesystem is not
                            mounted in the global zone.  However, the
                            root user in the global zone can access
                            the contents of the mounted zfs
                            filesystem because the root mount point of
                            the non-global zone is accessible as a
                            directory in the global zone.
                            dir = The mount point inside the non-global
                                  zone
                            zpool = The ZFS pool name
                            zname = The ZFS filesystem name

         -C "<pre or post boot>|<source>|<destination>"
             or
         -C "<source>|<destination>"
                            File/Directory to recursively copy
                            from the global zone into the non-
                            global zone.  The <pre or post boot>
                            option defines if you want the source
                            copied before the non-global zone is
                            booted (pre) or after (post) the zone
                            has completed its final boot.
                            The <destination> option specifies
                            where in the non-global zone the
                            copied source is placed when that
                            differs from its path in the global
                            zone.

         -s "<method>|<method_arguments>"
                            This feature hardens the non-global
                            zone by disabling (or enabling)
                            unnecessary operating system
                            services of the non-global zone
                            according to the method specified.
                            Hardening methods and corresponding
                            arguments are as follows:

                            Secure by default:
                              Method: netservices or sbd
                              Arguments:
                                 limited - Eliminate unnecessary services
                                 open - Enable standard services

                            Service Management Facility Site
                            Profile:
                              Method: smf
                              Argument: <fullpath>/<smf_xml_file>

                            JumpStart Architecture and Security
                            Scripts (aka Solaris Security
                            Toolkit):
                              Method: jass
                              Argument: <jass_driver_name>

                            Basic service management:
                              Method: basic or enable or disable or lock or unlock
                              Argument: One of the following:
                                disable
                                lock
                                enable
                                unlock
                                disable|<service_list_file>
                                lock|<service_list_file>
                                enable|<service_list_file>
                                unlock|<service_list_file>

         -M [basic|<file>]  Minimize the non-global zone by
                            either excluding or removing
                            unnecessary packages.  The optional
                            <file> is a file containing a list
                            of packages that you would like
                            removed from the zone.  If no <file>
                            is specified, the following
                            categories will be removed with
                            pkgrm -Y <category>:
                              JDS4 JDS3 JDS JDSosol GNOME2 CTL
                              ALE APOC CTL EVO146 G11NTOLS GLOW
                              JAI JAVAAPPS JDIC

         -X "<command> <args>"
                            Runs <command> inside the non-global
                            zone once it is successfully
                            created.  Note that you may need to
                            include the full path to the command
                            as well.  You can pass <args>
                            (arguments) to the command if you
                            include them in the quoted command
                            string.

         -G <package>       Fully automates the installation of
                            specified BlastWave package.  For a
                            full list of available BlastWave
                            packages, visit the following URL:
                              http://blastwave.org/packages

     list
         The "list" action lists all current zones.

     clone -n <zonename> -y <sourceZoneName> [clone_options]
         The "clone" action clones an existing zone into a
         new zone.  The new zone can be tailored via the
         optional arguments used when creating a new zone.

         The following clone_options are required:

         -z "<dir>"         Base directory for this zone.

         -P "<file or password>"
                            Unencrypted password of the root user
                            of this new non-global zone.  The
                            password can either be specified in
                            a file or as a quoted string.

         The following clone_options can be used as substitutes for
         the required options:

         -Z "<dir>"         Root zone directory for this zone.
                            This is an alternate way from
                            -z <dir> of specifying the zone's root
                            directory.

         -E "<file or password>"
                            This is an alternate way from
                            -P <password> of specifying the non-
                            global root user's password in
                            encrypted form.  The encrypted
                            password can either be specified in
                            a file or as a quoted string.  You
                            can copy and paste the user's
                            encrypted password from /etc/shadow.

         The following optional clone_options are supported:

         -F                 Don't confirm an action; Just do it.

         -t <w or s>        Type of zone where w=Whole Root and
                            s=Sparse [default: s]

         -d "<ns1>,<ns2>,.."
                            Ordered list of DNS Name Servers

         -D "<domain>"      DNS Domain Name

         -A                 Disable autoboot (prevent zone from
                            booting on system reboots)

         -I "<IP Address>|<Interface>|<Netmask>|<Host name>"
                            IP Address of the non-global zone
                            plus the network interface for that
                            IP address, the netmask in CIDR
                            format, and the host name for that IP
                            address.

                            If not specified, the default network
                            interface is the first non-loopback
                            interface listed by ifconfig.  The
                            default netmask is the netmask that
                            corresponds to the IP address that
                            you specify. There is no default host
                            name.

                            Note that a zone can be created
                            without a network address.

         -r "<gdir>|<ldir>" Mount global zone directory (gdir) on
                            a non-global zone directory (ldir) in
                            read only mode

         -w "<gdir>|<ldir>" Mount global zone directory (gdir) on
                            a non-global zone directory (ldir) in
                            read write mode

         -N "<server>|<export_dir>|<mount_dir>|<options>"
                            Mount an NFS directory where <server>
                            is the NFS server host name or IP
                            address, <export_dir> is the NFS
                            exported directory, <mount_dir> is
                            the mount point within the non-global
                            zone to mount the NFS filesystem, and
                            <options> are the NFS mount options.

                            Note that zones only support
                            mounting an NFS filesystem from a
                            host on a separate physical server;
                            you cannot at present mount an NFS
                            filesystem exported by another zone
                            on this physical server.

         -p "<resource>|<resource_arg>"
                            <resource> can be either cpu or ram.

                            <resource_arg> is either number of processors
                            or Mb of RAM depending on the resource specified.

                            Processor count enables you to specify the number
                            of processors that will be assigned to this zone.

                            (Not yet available) RAM count enables you to
                            specify the maximum amount of RAM in bytes that
                            this zone can use.

     move -n <zonename> -Z <newzonepath> [-F]
         The "move" action moves an existing zone from its current
         directory to a new directory.

         The following options are required:

         -Z "<dir>"         New directory for this zone.

     detach -n <zonename> [-F]
         The "detach" action detaches a zone so that it can be
         attached to a different server.

         The "detach" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     attach -n <zonename> [-F]
         The "attach" action attaches a detached zone.

         The "attach" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     shutdown -n <zonename> [-F]
         The "shutdown" action shuts down a zone.

         The "shutdown" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     boot -n <zonename>
         The "boot" action boots a zone.

         The "boot" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     reboot -n <zonename> [-F]
         The "reboot" action reboots a zone.

         The "reboot" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     halt -n <zonename> [-F]
         The "halt" action halts a zone.

         The "halt" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     only -n <zonename> [-F]
         The "only" action halts all non-global zones except those
         specified by -n "<zonename> <zonename>" and boots any of
         the specified zones that are not currently running.

         There are two zone name special cases.
             bootall
                This zone name makes sure all non-global zones
                are booted.

             haltall
                This zone name makes sure all zones are halted.

         The "only" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     runcmd -n <zonename> -X "<cmd_with_args>" [-F]
         The "runcmd" action runs commands specified with the
         -X "<cmd_with_args>" flags in all non-global zones
         specified by -n "<zonename> <zonename>" flag.

         There is one zone name special case.
             all
                This zone name runs the specified commands on
                all non-global zones.

         The following options are required:

         -n "<zone1> <zone2> ..."
                            Specify the name of the zones

         -X <command>       Runs <command> inside each specified
                            non-global zone.  Note that you may
                            need to include the full path to the
                            command as well.

         The "runcmd" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

     zcontainer -n <zonename> -p "<resource>|<resource_arg>"
         The "zcontainer" action transforms the zone into a container
         by applying resource controls to the zone.

         The following option is required:

         -p "<resource>|<resource_arg>"
                            <resource> can be either cpu or ram.

                            <resource_arg> is either number of processors
                            or Mb of RAM depending on the resource specified.

                            Processor count enables you to specify the number
                            of processors that will be assigned to this zone.

                            (Not yet available) RAM count enables you to
                            specify the maximum amount of RAM in bytes that
                            this zone can use.

         The "zcontainer" action supports the following optional
         option:

         -F                 Don't confirm an action; Just do it.

EXAMPLES

     Example 1:  Create A Zone

     The following command will create a non-global zone named
     m1.

         # zonemgr -a add -n m1 -z "/zones" -P "abc123" \
             -I "192.168.0.10|hme0|24|myzonehost"

     Example 2:  Delete A Zone

     The following command will delete the non-global zone named
     m1; you will not be prompted to continue because the
     action is forced with the -F flag.

         # zonemgr -F -a del -n m1

     Example 3:  Create A Zone With Multiple IP Addresses

     The following command will create a non-global zone named
     m1 with three IP addresses where each IP address is configured
     on its own network interface.

         # zonemgr -a add -n m1 -z "/zones" -P "abc123" \
             -I "192.168.0.10|hme0|24|myzonehost1" \
             -I "192.168.5.27|bge0|24|myzonehost2" \
             -I "192.168.10.5|bge1|24|myzonehost3"

     Example 4: A Complex Example

     The following command performs the steps listed below.
         # zonemgr -a add -n m2 -t w -z "/zones" \
             -P "abc123" -R /root \
             -I "192.168.0.10|hme0|24|myzonehost" \
             -r "/ds/build11/bits|/bits" \
             -w "/zones/m2|/ds/m2" \
             -s "basic|lock" -S ssh \
             -C /etc/ssh/sshd_config -C /etc/resolv.conf \
             -C /etc/nsswitch.conf \
             -L default,dtrace_proc,dtrace_user

     1. Create a whole root zone named m2 in /zones/m2.
     2. Set the root password of that zone to abc123.
     3. Set the home directory of the root user of the non-global
        zone to /root.
     4. Set the IP address of the zone to 192.168.0.10, the
        netmask to 255.255.255.0, assign it to interface hme0, and
        assign it a host name of myzonehost.
     5. Read only mount /ds/build11/bits from the global zone to
        /bits in the non-global zone.
     6. Read write mount /zones/m2 from the global zone to /ds/m2
        in the non-global zone.
     7. Disable all unnecessary services in the non-global zone
        and restart the ssh service once the lockdown is complete.
     8. Copy the /etc/ssh/sshd_config, /etc/resolv.conf, and
        /etc/nsswitch.conf files from the global zone to the
        non-global zone.
     9. Add the dtrace_proc and dtrace_user privileges to the
        non-global zone.

     Example 5:  List All Zones

     The following command will list all available zones.

         # zonemgr -a list

     Example 6:  Reboot A Zone

     The following command will reboot non-global zone m1.

         # zonemgr -a reboot -n m1

     Example 7: Disable Unnecessary Services

     The following command will disable all unnecessary services
     of non-global zone m1.

         # zonemgr -a modify -n m1 -s "basic|lock"

     Example 8: Enable Unnecessary Services

     The following command will enable all unnecessary services
     of non-global zone m1.

         # zonemgr -a modify -n m1 -s "basic|unlock"

     Example 9: Manage State Of Multiple Zones

     The following command will halt all non-global zones but
     those specified by the -n parameter and will boot any of the
     specified zones that are not currently running.

         # zonemgr -a only -n "m1 m2"

     Example 10: Halt All Zones

     The following command will halt all non-global zones.

         # zonemgr -a only -n "haltall"

     Example 11: Boot All Zones

     The following command will boot all non-global zones.

         # zonemgr -a only -n "bootall"

     Example 12: Creating A BrandZ (e.g. Linux) Zone

     The following command will add a BrandZ zone:
         # zonemgr -a add -n m1 -z "/zones" -P "abc123" \
             -I "192.168.0.10|hme0|24|myzonehost" \
             -B "SUNWlx|all|/data/brandz/centos_fs_image.tar"

     The parameters passed to -B break down as follows:
         * SUNWlx: The zone brand (only lx is currently supported)

         * all: The brand subset to install. Valid values include
           desktop, applications, server, development, system,
           and all. I don't yet have an idea as to how this
           option will impact other distributions that folks come
           up with. These options may or may not be valid. TBD.

         * /data/brandz/centos_fs_image.tar: The path to the
           brand bits. I simply pointed them to the BrandZ
           community's CentOS image.

     Example 13: Create A Zone AND Install MySQL5 From BlastWave

     The following command will add a zone named m1, download and
     install mysql5 and all requisite bits from Blastwave.org,
     and install all those bits in the proper order in the m1
     zone.
         # zonemgr -a add -n m1 -z "/zones" -P "abc123" \
             -I "192.168.0.10|hme0|24|myzonehost" -G "mysql5"

     Example 14: Add a ZFS filesystem to an existing zone

     The following command will create a legacy mode ZFS
     filesystem from the myzfspool pool, set the ZFS mount
     point to /zfsdata, and mount that filesystem exclusively
     within the m1 zone.
         # zonemgr -a modify -n m1 -w "zfs|/zfsdata|myzfspool"

     Example 15: Move a zone

     The following command will move a zone to a new directory.
         # zonemgr -a move -n m1 -Z /zones/newm1

     Example 16: Detach and attach a zone

     The following two commands will detach a zone and then
     re-attach it.
         # zonemgr -a detach -n m1 -F
         # zonemgr -a attach -n m1 -F

     Example 17: Clone a zone

     The following command will clone a zone into a new zone
     located under /zones/m1clone.
         # zonemgr -a clone -n m1 -y m1clone -Z /zones/m1clone \
            -P "pw"

     Example 18: Apply CPU containment to a zone

     The following command will put a zone into a CPU processor
     set that limits all processes of the zone to running on
     the specified number of CPUs.
         # zonemgr -a zcontainer -n m1 -p "cpu|1"

NOTES
     Note that most parameters are multivalued.  In other words,
     you can specify the same parameter multiple times.  For
     example, to mount the /data1 and /data2 directories in read
     only mode from the global zone to the non-global zone, add
     the following to the add action:
       -r "/data1" -r "/data2"

EXIT STATUS
     The following exit values are returned:

     0        Successful completion.

     1        An error occurred.

     2        Invalid usage.

SEE ALSO
     svcs(1), zlogin(1), zonename(1), svcadm(1M), svc.startd(1M),
     init(1M), zoneadm(1M), zonecfg(1M), attributes(5), smf(5),
     zones(5)

last modified by admin on 2009/10/26 12:18
© Sun Microsystems Inc. 2009