System Administration Commands zonemgr(1M)
NAME
zonemgr - set up and manage zones
SYNOPSIS
Normal usage:
zonemgr -a <action> [options]
Display usage:
zonemgr -h
Display version:
zonemgr -v
Display license:
zonemgr -l
DESCRIPTION
The purpose of zonemgr is to simplify Solaris 10 and OpenSolaris zones
management. There are many pre-defined actions, each of which can be
applied to one or more zones.
OPTIONS
The following zonemgr options are supported:
-a <action> Specify the action to be performed
-n "<zonename1>[|<zonename2>|<zonename3>|...]"
Specify the name(s) of the zone(s). There is one special-case zone
name: if you use "-n all", the action is applied to all zones.
-h See this usage information
-v See the version number of this script
-l See the CDDL license
-f <config_file>
Read the command line arguments from config_file, whose contents are
the normal flags and arguments with one flag/argument per line.
Here are the contents of a config_file for a single invocation of
zonemgr.
# zonemgr -f m1_zone.cfg
The contents of m1_zone.cfg are as follows.
<-- File Begins Here -->
-a add
-n m1
-z "/zones"
-P "abc123"
-I "192.168.0.10|hme0|24|m1"
<-- File Ends Here -->
You can also specify multiple invocations of zonemgr by
separating sets of flags with the command-delimiting word
newcmd.
Here are the contents of a config_file for three invocations of
zonemgr.
# zonemgr -f multi_zone.cfg
The contents of multi_zone.cfg are as follows.
<-- File Begins Here -->
-a add
-n m1
-z "/zones"
-P "abc123"
-I "192.168.0.10|hme0|24|m1"
newcmd
-a add
-n m2
-P "def456"
newcmd
-a add
-n m3
-P "ghi789"
<-- File Ends Here -->
Note that you can include comments within the configuration file
by prefixing the comment line with a pound symbol (#).
Here are the contents of a config_file for a single invocation of
zonemgr with interspersed comments.
# zonemgr -f commented_zone.cfg
The contents of commented_zone.cfg are as follows.
<-- File Begins Here -->
# Adding zone m1
-a add
-n m1
-P "abc123"
# Place on the DMZ network
-I "192.168.0.10|hme0|24|m1"
<-- File Ends Here -->
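The following shell script is an added example, not part of zonemgr itself. It writes a multi-command config file of the form shown above: one newcmd-delimited add command per zone, each preceded by a comment line, with the secure-by-default hardening (-s "netservices|limited") documented under the add action. It rejects zone names that break the rule given under the actions below (alphanumerics and dash only). The PWDIR argument is an assumption of this example: it points -P at a per-zone password file so that no clear-text password is written into the config file. The script only writes the file; run "zonemgr -f <file>" afterwards.

```shell
#!/bin/sh
# Added example: write a zonemgr -f config file that adds several zones in
# one run, using the newcmd delimiter between commands. Not part of zonemgr.
#
# usage: gen_zonemgr_cfg OUTFILE ZONEPATH NETIF CIDR PWDIR ZONE=IP [ZONE=IP ...]
#   PWDIR is a hypothetical directory holding one root-password file per zone,
#   which -P reads instead of a clear-text password placed in the config file.

# is_zonename NAME -> 0 if NAME uses only alphanumerics and dash (the manual's rule)
is_zonename() {
    case $1 in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

gen_zonemgr_cfg() {
    out=$1 zpath=$2 netif=$3 cidr=$4 pwdir=$5
    shift 5
    [ $# -gt 0 ] || { echo "no zones given" >&2; return 1; }
    : > "$out"
    first=1
    for pair in "$@"; do
        zone=${pair%%=*}
        ip=${pair#*=}
        if [ "$zone" = "$pair" ] || ! is_zonename "$zone"; then
            echo "invalid ZONE=IP argument: $pair" >&2
            return 1
        fi
        # every command after the first is introduced by the newcmd keyword
        [ "$first" -eq 1 ] || echo newcmd >> "$out"
        first=0
        cat >> "$out" <<EOF
# Add zone $zone with address $ip/$cidr on $netif
-a add
-n $zone
-z "$zpath"
-P "$pwdir/$zone"
-I "$ip|$netif|$cidr|$zone"
-s "netservices|limited"
EOF
    done
    return 0
}

# Example run (zone names, addresses and the password directory are
# constructed for this example):
# gen_zonemgr_cfg multi_zone.cfg /zones hme0 24 /etc/zonemgr/pw \
#     m1=192.168.0.10 m2=192.168.0.11 m3=192.168.0.12
# zonemgr -f multi_zone.cfg
```

Because the generated file names the per-zone password files rather than containing passwords, it can be kept under version control; the password directory itself should be readable by root only.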
ACTIONS
Actions which can result in data loss or can significantly alter the
server configuration require confirmation. To answer yes to all such
confirmation prompts, use the -F flag.
The following actions are supported:
info [info_options]
The "info" action displays configuration information about one or
more zones. If no zone names are provided the info action displays
the full configuration for all non-global zones. The following
optional info_options are supported.
-F Do not prompt for confirmation; just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain white space or any non-
alphanumeric character except the dash symbol (-).
-o "option|value" Specify optional zone settings
Enable debug output mode.
-o debug
Keep all zonemgr artifacts.
-o keep_artifacts
resinfo [resinfo_options]
The "resinfo" action displays all resource management configuration
information about one or more zones. If no zone names are provided,
then the resinfo action displays the resource management information
for all non-global zones. The following optional resinfo_options are
supported.
-F Do not prompt for confirmation; just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain white space or any non-
alphanumeric character except the dash symbol (-).
-o "option|value" Specify optional zone settings
Enable debug output mode.
-o debug
Keep all zonemgr artifacts.
-o keep_artifacts
add [add_options]
The "add" action adds one or more non-global zones. The following
optional add_options are supported.
-F Do not prompt for confirmation; just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain white space or any non-
alphanumeric character except the dash symbol (-).
-t <w or s>
Type of zone where w=Whole Root and s=Sparse Root. A sparse
root zone inherits the following directories from the global
zone: /lib, /usr, /sbin, and /platform. A whole root zone does
not inherit any directories from the global zone. The default
value is sparse root (s).
OpenSolaris does not share the same definitions of sparse and
whole root zones as Solaris 10. For OpenSolaris, all zones are
whole root zones. Further, the package set installed in a zone
is a significantly smaller subset of the packages contained in
the global zone. This ensures that the zone is minimized by
default. Adding packages to an OpenSolaris zone is significantly
easier than it was for Solaris 10; see the -G "pkg|<pkgname>"
option below.
-o "option|value" Specify optional zone settings
Enable debug output mode.
-o debug
Keep all zonemgr artifacts.
-o keep_artifacts
Set the comment that describes the zone.
-o "comment|<value>"
Set the autoboot value. The autoboot property determines
whether or not the zone will boot when the global zone is
booted.
-o "autoboot|<true or false>"
Set the boot arguments of the zone.
-o "bootargs|<value>"
The default network interface type for a non-global zone is
shared. To dedicate all assigned network interfaces to a zone,
add the -o exclusive option. Note that when you enable this
option on a zone, ALL network interfaces assigned to that
zone are assigned exclusively to that zone. Further, each
network interface then requires a default router assignment,
i.e. the fifth field of the -I flag.
-o exclusive
Remove inherited package directories from the zone.
-o "rmDir|/dir1[|/dir2|/dir3|...]"
Add inherited package directories to the zone.
-o "addDir|/dir1[|/dir2|/dir3|...]"
The dCount option is used in conjunction with the add and
clone actions to automate the naming of some number of zones.
For example -o "dCount|10" would create 10 zones starting
with the first available name. The naming automator starts
at zone0001 and increments until an unused name is found.
-o "dCount|<number>"
The dPrefix option is used in conjunction with the add and
clone actions to define the prefix of the auto zone name
generator. For example, -o "dPrefix|mysql" would create one
or more zones with the prefix of mysql. e.g. mysql0001.
-o "dPrefix|<name>"
-P "<file or password>" or shadow
Clear-text password of the root user of this new non-global
zone. The password can either be read from a file or given as a
quoted string. Note that a password given as a command line
argument is visible to other users in the process listing and
may be recorded in your shell history; prefer a file with
restrictive permissions, or -E with an already hashed value.
If neither -P nor -E is specified, or the literal word shadow is
given, the global zone root password hash from /etc/shadow is
used, so the non-global zone root password is then identical to
the global zone root password.
OR
-E "<file or password>" or shadow
This is an alternate way from -P <password> of specifying the
non-global root user's password in encrypted (hashed) form. The
encrypted password can either be read from a file or given as a
quoted string. You can copy and paste the hash from the root
entry of /etc/shadow.
If neither -P nor -E is specified, or the literal word shadow is
given, the global zone root password hash from /etc/shadow is
used.
-z "<zonepath>[|<ZFS filesystem>][|<ZFS options>][|<zonename>]"
The zonepath is the directory below which the zone root directory
is created. For example, specifying -z /myzones would result in
the following zone root directory.
/myzones/<zonename>
where <zonename> is the name of the zone you are creating.
If no zonepath is specified, the default value of zonepath is
/zones.
If the filesystem containing the zonepath is a ZFS filesystem, a
new ZFS filesystem will be created for the zone directory. If
no ZFS filesystem is specified in the optional second pipe (|)
delimited field, the default value will be the ZFS pool
containing the root filesystem. In most cases this is rpool, in
which case the ZFS filesystem would be
rpool/<zonename>
Optionally, you may also specify a semicolon (;) delimited list
of ZFS options in the third pipe (|) delimited field as well.
The last optional field only applies when multiple zone paths
are specified that are intended to map to multiple zones. For
example, consider adding two zones (z1 and z2) in a single run
of zonemgr where each zone has its specific zonepath.
# zonemgr -F -a add -n "z1|z2" -z "/z1|||z1" -z "/zone2|||z2"
In this next example, you add a ZFS filesystem (rpool/z1) with
the mountpoint of /z and optionally enable the gzip compression
algorithm and disable atime.
-z "/z|rpool/z1|compression=gzip;atime=off"
OR
-Z "<zonedir>[|<ZFS filesystem>][|<ZFS options>]"
The zonedir is the zone root directory itself. Specifying -Z /z1
will place the zone root directory in /z1.
If no zonedir is specified, the default value is
/zones/<zonename>
If the filesystem containing the zonedir is a ZFS filesystem, a
new ZFS filesystem will be created for the zone directory. If
no ZFS filesystem is specified in the optional second pipe (|)
delimited field, the default value will be the ZFS pool
containing the root filesystem. In most cases this is rpool, in
which case the ZFS filesystem would be
rpool/<zonename>
Optionally, you may also specify a semicolon (;) delimited list
of ZFS options in the third pipe (|) delimited field as well.
For example, the following would create a ZFS filesystem
(rpool/z) with the mountpoint of /z, enable the gzip
compression algorithm and disable atime.
-Z "/z|rpool/z|compression=gzip;atime=off"
-I "<IPAddr>|<Netif>|<Netmask>|<Hostname>[|<defrouter>][|zonename]"
IP address (IPAddr) of the non-global zone plus the network
interface (Netif) for that IP address, the netmask (Netmask) as a
CIDR prefix length, and the host name (Hostname) for that IP
address. If multiple zones are being created or modified, use the
last field to specify the zone to which the network information
is to be applied.
If not specified, the default network interface is the first non-
loopback interface listed by ifconfig. The default netmask is
the netmask that corresponds to the IP address that you specify.
There is no default host name.
The fifth parameter to the -I flag specifies the default router
to use for that network interface. The default router (<defrouter>)
is optional for shared network interfaces. However, if the
-o exclusive option is used, you must specify a default router.
The sixth parameter is optional and only required when zonemgr
is called with multiple zone names. This parameter specifies the
zone name to which the IP address is assigned.
Note that shared network interfaces of a non-global zone
inherit the default routers of the global zone that match the
subnets of the non-global zone. When you specify the default
route for a shared-IP non-global zone, the default route is
added to the global zone as well. Therefore, if you add the
wrong default route to a non-global zone and then modify the
default route with the -m flag, both default routes will exist
in the non-global zone as well as in the global zone. You will
need to remove the incorrect default route from the global zone
with the route command. For example, the following route
invocation would remove the default router of 192.168.1.2:
# route delete -net default 192.168.1.2
Note also that a zone can be created without a network address.
OR
-I "ns|<Netif>|<Netmask>|all[|<defrouter>]"
This is a special use case of -I that automates the IP address
and zone assignment process for a shared network interface.
Using "ns" rather than a specific IP address looks up the IP
address via name resolution according to the hosts entry in
/etc/nsswitch.conf of the global zone.
Using "all" rather than a specific hostname tells zonemgr to
add a single IP address to each zone specified by -n "<zone1>
[|<zone2>|<zone3>|...]" where the IP address is determined by
name resolution of each zone's zonename.
The network interface (Netif) and the netmask (Netmask) must
also be specified.
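The following shell functions are an added pre-flight check written for this manual, not zonemgr's own parser. They validate an -I specification against the rules stated above: 4 to 6 pipe-delimited fields, a dotted-quad address or the ns keyword with all as the host name, a CIDR prefix length, an optional default router and an optional zone name. When the zone is to be built with -o exclusive, a specification without a default router is refused. All addresses and names in the examples are constructed.

```shell
#!/bin/sh
# Added example: pre-flight validation of a zonemgr -I specification.
# Independent checker written for this manual, not zonemgr's own parser.
# Accepted forms, as the -I description states them:
#   "<IPAddr>|<Netif>|<Netmask>|<Hostname>[|<defrouter>][|zonename]"
#   "ns|<Netif>|<Netmask>|all[|<defrouter>]"

# nfields STRING DELIM -> prints how many DELIM-separated fields STRING has
nfields() {
    echo $(( $(printf '%s' "$1" | tr -cd "$2" | wc -c) + 1 ))
}

# is_ipv4 ADDR -> 0 when ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    [ "$(nfields "$1" .)" -eq 4 ] || return 1
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_zonename NAME -> 0 when NAME is alphanumerics and dash only (manual's rule)
is_zonename() {
    case $1 in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
    return 0
}

# check_ispec SPEC [exclusive]
# Returns 0 when SPEC is well formed; otherwise prints why and returns 1.
# Pass "exclusive" as the second argument when the zone is added with
# -o exclusive, because a default router (field 5) is then mandatory.
check_ispec() {
    spec=$1 mode=${2:-shared}
    n=$(nfields "$spec" '|')
    IFS='|' read -r ip netif mask host defrouter zone <<EOF
$spec
EOF
    if [ "$ip" = ns ]; then
        # name-service form: the host name field must be the keyword "all"
        [ "$host" = all ] || { echo "ns form needs 'all' in field 4"; return 1; }
        [ "$n" -le 5 ] || { echo "ns form takes at most 5 fields, got $n"; return 1; }
    else
        { [ "$n" -ge 4 ] && [ "$n" -le 6 ]; } || { echo "expected 4 to 6 fields, got $n"; return 1; }
        is_ipv4 "$ip" || { echo "bad IP address '$ip'"; return 1; }
        [ -n "$host" ] || { echo "host name is required"; return 1; }
    fi
    [ -n "$netif" ] || { echo "network interface is required"; return 1; }
    case $mask in ''|*[!0-9]*) echo "netmask must be a CIDR prefix length, got '$mask'"; return 1 ;; esac
    [ "$mask" -le 32 ] || { echo "CIDR prefix length $mask is out of range"; return 1; }
    if [ -n "$defrouter" ]; then
        is_ipv4 "$defrouter" || { echo "bad default router '$defrouter'"; return 1; }
    elif [ "$mode" = exclusive ]; then
        echo "exclusive-IP zones need a default router in field 5"; return 1
    fi
    if [ -n "$zone" ]; then
        is_zonename "$zone" || { echo "bad zone name '$zone'"; return 1; }
    fi
    return 0
}

# Example (constructed values): a shared-IP spec passes, the same spec for an
# exclusive-IP zone fails until a default router is added.
# check_ispec "192.168.0.10|hme0|24|m1"                       -> 0
# check_ispec "192.168.0.10|hme0|24|m1" exclusive             -> 1
# check_ispec "192.168.0.10|hme0|24|m1|192.168.0.1" exclusive -> 0
```

Run the check over every -I value of a config file before invoking zonemgr; a malformed specification is far cheaper to catch here than after a zone has been installed with the wrong address or no route.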
-D "<domain>"
DNS domain name. If a domain is specified, then DNS name
servers must also be specified with -d.
Note also that the fully qualified host name of the non-global
zone must be resolvable by the naming service.
-d "<nameserver1>|<nameserver2>|.."
Pipe-delimited ordered list of DNS name servers. If name
servers are specified, the domain name must also be specified
with -D "<domain>".
Note also that the fully qualified host name of the non-global
zone must be resolvable by the naming service.
-r "<global_dir>"
or
-r "<global_dir>|<non-global_mount_point>"
or
-r "<type>|<inputs>"
Mount a directory or device from the global zone into the non-
global zone in read-only mode. The inputs vary according to the
type.
Note that for all filesystems but the lofi/lofs filesystem, the
device is mounted for the exclusive use of the non-global zone.
However, the root user in the global zone can still access the
contents of the mounted filesystem because the root directory
of the non-global zone is accessible as a directory in the
global zone.
type = lofi or lofs
For this filesystem type, you are read-only mounting
a directory or device from the global zone into a non-
global zone through the loopback device.
<input1> = Global zone directory
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated mount options (ro
is implied)
type = zfs
For this filesystem type, you are read-only mounting
an existing ZFS filesystem from the global zone into
the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (ro is
implied)
type = newzfs
For this filesystem type, you are creating a new zfs
filesystem in the global zone and read-only mounting
it into the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (ro is
implied)
type = zvol
For this filesystem type, you are making an existing
ZFS volume from the global zone available within a
non-global zone in read-only mode.
<input1> = The ZFS volume (dataset name)
<input2> = Size
<input3> = Semicolon separated zfs options (ro is
implied)
type = newzvol
For this filesystem type, you are making a new ZFS
volume in the global zone and then making that new ZFS
volume available within a non-global zone in read-only
mode.
<input1> = The ZFS volume (dataset name)
<input2> = Size
<input3> = Semicolon separated zfs options (ro is
implied)
type = ufs
For this filesystem type, you are read-only mounting
an existing UFS filesystem from the global zone into
the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = pcfs
For this filesystem type, you are read-only mounting
an existing PCFS (DOS/VFAT) filesystem from the global
zone into the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = newpcfs
For this filesystem type, you are creating a new read-
only pcfs (DOS/VFAT) filesystem in the global zone and
mounting it in the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = hsfs
For this filesystem type, you are either read-only
mounting an existing HSFS (CD-ROM/DVD-ROM) filesystem
or creating a new HSFS filesystem to be mounted in
read-only mode.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = nfs
For this filesystem type, you are adding a Network
File System (NFS) entry to /etc/vfstab in the non-
global zone.
<input1> = NFS server host
<input2> = NFS server export directory
<input3> = Non-global zone directory (mount point)
<input4> = Mount options (ro is implied)
type = smb
For this filesystem type, you are adding a Server
Message Block (SMB) filesystem (a.k.a. Microsoft (TM)
Windows network filesystem) entry to /etc/vfstab in the
non-global zone.
<input1> = SMB server host
<input2> = SMB Workgroup
<input3> = SMB Share
<input4> = Non-global zone directory (mount point)
<input5> = SMB user
<input6> = SMB user password
<input7> = SMB filesystem mount options
-w "<global_dir>"
or
-w "<global_dir>|<non-global_mount_point>"
or
-w "<type>|<inputs>"
Mount a directory or device from the global zone into the non-
global zone in read/write mode. The inputs vary according to
the type. Note that for all filesystems but the lofi/lofs
filesystem, the device is mounted for the exclusive use of the
non-global zone. However, the root user in the global zone can
still access the contents of the mounted filesystem because the
root directory of the non-global zone is accessible as a
directory in the global zone.
type = lofi or lofs
For this filesystem type, you are read-write mounting
a directory or device from the global zone into a non-
global zone through the loopback device.
<input1> = Global zone directory
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated mount options (rw
is implied)
type = zfs
For this filesystem type, you are read-write mounting
an existing ZFS filesystem from the global zone into
the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzfs
For this filesystem type, you are creating a new zfs
filesystem in the global zone and read-write mounting
it into the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = zvol
For this filesystem type, you are making an existing
ZFS volume from the global zone available within a
non-global zone in read-write mode.
<input1> = The ZFS volume (dataset name)
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzvol
For this filesystem type, you are making a new ZFS
volume in the global zone and then making that new ZFS
volume available within a non-global zone in read-
write mode.
<input1> = The ZFS volume (dataset name)
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = dset
For this type, you are making a ZFS dataset from the
global zone accessible and manageable from within the
non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newdset
For this type, you are creating a new ZFS filesystem
in the global zone and making that ZFS filesystem
accessible and manageable from within the non-global
zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = ufs
For this filesystem type, you are read-write mounting
an existing UFS filesystem from the global zone into
the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = pcfs
For this filesystem type, you are read-write mounting
an existing PCFS (DOS/VFAT) filesystem from the global
zone into the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = newpcfs
For this filesystem type, you are creating a new read-
write pcfs (DOS/VFAT) filesystem in the global zone
and mounting it in the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = nfs
For this filesystem type, you are adding an NFS
filesystem entry to /etc/vfstab in the non-global
zone.
<input1> = NFS server host
<input2> = NFS server export directory
<input3> = Non-global zone directory (mount point)
<input4> = Mount options (rw is implied)
type = smb
For this filesystem type, you are adding a Server
Message Block (SMB) filesystem (a.k.a. Microsoft (TM)
Windows network filesystem) entry to /etc/vfstab in the
non-global zone.
<input1> = SMB server host
<input2> = SMB Workgroup
<input3> = SMB Share
<input4> = Non-global zone directory (mount point)
<input5> = SMB user
<input6> = SMB user password
<input7> = SMB filesystem mount options
-B "<name>|<subset>|<img>"
Make the zone into a branded zone where <name> is the brand
name, <subset> is the brand subset, and <img> is the path and
file name of the brand archive. If a media drive is being used,
<img> is the path to the mounted media, e.g. /cdrom/cdrom0.
Available brands include Linux, Solaris 8 Containers, and
Solaris 9 Containers.
-R "<dir>|<shell>|<on|off>"
This flag enables you to customize the super user's (root) home
directory (<dir>), the super user's shell (<shell>), and
optionally to enable root login over ssh (<on|off>), which is
disabled by default.
-C "<source>|<destination>"
or
-C "<pre|post>|<source>|<destination>"
This flag gives you the ability to copy data from the global
zone (<source>) to the non-global zone (<destination>).
There are two phases of the zone boot process in which you can
copy data into the non-global zone. The first and default phase
(pre) is before the zone boots for the first time. The second
phase (post) is after the zone completes its last boot of the
zone creation process.
Data copied from the global zone can be a file or directory.
All data will be recursively copied from the global zone into
the non-global zone.
Note that filesystems specified with -r and -w will not be
created until after the zone has completed its first boot.
Thus do not expect that pre-boot copies will go into a
filesystem that you have specified with the -r or -w options.
-s "<method>|<method_arguments>"
This feature hardens the non-global zone by disabling (or
enabling) unnecessary operating system services of the non-
global zone according to the method specified. Hardening
methods and corresponding arguments are as follows.
Secure by default:
Method: netservices or sbd
Arguments:
limited - Disable unnecessary network services
open - Enable the standard network services
Service Management Facility site profile:
Method: smf
Argument: <fullpath>/<smf_xml_file>
JumpStart Architecture and Security Scripts (aka Solaris
Security Toolkit):
Method: jass
Argument: <jass_driver_name>
Basic service management:
Method: basic
Argument: One of the following (the first four take no
further arguments):
disable
lock
enable
unlock
disable|<service_list_file>
lock|<service_list_file>
enable|<service_list_file>
unlock|<service_list_file>
Basic lock down:
These methods disable (or re-enable) unnecessary services.
Note that using enable, disable, lock or unlock directly as
the method is the same as using "basic|enable",
"basic|disable", "basic|lock" or "basic|unlock".
Method: enable, disable, lock or unlock
Argument: none
Extreme lock down:
This method disables nearly everything possible. Note also
that there is no unlock or undo for this hardening method.
Method: jail
Argument: none
-S "<svc1>[|<svc2>|<svc3>|...]"
Restart the specified service(s) after adding the zone. The
service name should be in FMRI format. A special case is
"reboot", which restarts all services in the zone.
-M [basic|<file>]
Minimize the whole root non-global zone by either excluding or
removing unnecessary packages. The optional <file> is a file
containing a list of packages that you would like removed from
the zone. If no <file> is specified, the following categories
will be removed with pkgrm -Y <category>:
JDS4 JDS3 JDS JDSosol GNOME2 CTL ALE APOC CTL EVO146
G11NTOLS GLOW JAI JAVAAPPS JDIC
Note that this option does not apply to OpenSolaris because non-
global zones are minimized by default.
-X "<command> <args>"
Runs <command> inside the non-global zone once the zone is
successfully created. Note that you may need to include the
full path to the command as well. You can pass <args>
(arguments) to the command if you include them in the quoted
command.
Note that the most common way to make executables accessible to
the zone is to read-only (-r) or read-write (-w) mount a
directory from the global zone into the non-global zone.
-G "<package>"
or
-G "<type>|<package>"
This option provides automated installation of remote packages
according to the repository type.
Repository = Blastwave(TM)
Type = csw
Args: <pkg> or "csw|<pkg_url>"
Solaris Example 1: top
Solaris Example 2: "csw|top"
OpenSolaris Example: "csw|IPSFWtop"
OpenSolaris IPS Repository:
http://blastwave.network.com:10000
Repository = SunFreeware.com(TM)
Type = sfw
Args for Solaris: "sfw|<pkg_url>"
Args for OpenSolaris: "sfw|<pkg>"
Solaris Example:
"sfw|ftp://ftp.sunfreeware.com/pub/freeware/intel/10/top-3.6.1-sol10-x86-local.gz"
OpenSolaris Example: "sfw|top"
OpenSolaris IPS Repository:
http://pkg.sunfreeware.com:9000
Repository = OpenSolaris.org
Type = pkg
Args: "pkg|<pkg>"
Example: "pkg|SUNWtop"
OpenSolaris IPS Repository:
http://pkg.opensolaris.org/release
-p "<resource>|<resource_arg>"
Resource allocated to this zone. Note that although all of the
following resource types can be applied to a zone, only one of
each type can be specified per zone. Resources are deleted by
specifying a value of 0 for the <resource_arg>.
resource = cpu
The cpu resource type specifies the upper limit (cap) of CPU
time that can be used by a zone. The valid argument for this
resource type is either a whole or a mixed (whole and fraction)
number. A cpu value of 3.25 means 325% of one CPU.
Note that a zone cannot be assigned capped and dedicated CPU
resources at the same time. You can use one or the other.
resource = dcpu
The dcpu resource type specifies the fixed number (or range) of
CPUs to dedicate to this zone.
Valid arguments for this resource type include the following:
Maximum number: 3
Range: 2-4
Note that a zone cannot be assigned capped and dedicated CPU
resources at the same time. You can use one or the other.
resource = scpu
The scpu resource type specifies the number of FSS (Fair Share
Scheduler) CPU shares to allocate to this zone.
Valid arguments for this resource type are any integer. A value
of zero disables FSS CPU shares.
Note that a zone cannot be assigned FSS and dedicated CPU
resources at the same time. You can use one or the other.
Note also that if you want to use the fair share scheduler
(FSS), you may want to consider changing the global zone (i.e.
the system) scheduler to the FSS. You can make this change with
the following two commands.
Set the default scheduler for the system to be the FSS:
dispadmin -d FSS
Make this configuration take effect immediately, without
rebooting:
priocntl -s -c FSS -i all
resource = ram
The ram resource type specifies the maximum amount of physical
memory (RAM) that this zone can consume.
Valid arguments for this resource type specify the amount and
scale of memory where the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte). For example, 1M is
one megabyte.
resource = dram
The dram resource type specifies the specific amount of memory
(RAM) that is dedicated to this zone.
Valid arguments for this resource type specify the amount and
scale of memory where the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte). For example, 1M is
one megabyte.
resource = swap
The swap resource type specifies the maximum amount of virtual
memory (swap) that this zone can consume.
Valid arguments for this resource type specify the amount and
scale of memory where the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte). For example, 1M is
one megabyte.
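The following shell function is an added consistency check written for this manual, not zonemgr's own code. It takes a set of -p values and enforces the rules stated above before they reach zonemgr add or modify: one entry per resource type, a cap (cpu) or FSS shares (scpu) never combined with dedicated CPUs (dcpu), a count or range for dcpu, a decimal number for cpu, an integer for scpu, a K/M/G/T scaled size for ram, dram and swap, and a value of 0 treated as a deletion rather than an active setting. The resource values in the examples are constructed.

```shell
#!/bin/sh
# Added example: validate a set of -p "<resource>|<resource_arg>" options
# before handing them to zonemgr add or modify. Independent checker written
# for this manual, not zonemgr's own code. Rules enforced are the ones the
# -p description states; a value of 0 deletes the resource.

# check_resources "<res>|<arg>" ... -> 0 if consistent, else prints why, returns 1
check_resources() {
    seen=" " active=" "
    for opt in "$@"; do
        res=${opt%%\|*}
        arg=${opt#*\|}
        [ "$res" != "$opt" ] || { echo "missing '|' in '$opt'"; return 1; }
        case $seen in *" $res "*) echo "only one $res entry is allowed"; return 1 ;; esac
        seen="$seen$res "
        # 0 removes the resource, so it never counts as an active setting
        [ "$arg" != 0 ] || continue
        active="$active$res "
        case $res in
        cpu)    # cap as a whole or mixed number, e.g. 3.25 means 325% of one CPU
            case $arg in ''|.|*.|*.*.*|*[!0-9.]*)
                echo "cpu cap must be a number, got '$arg'"; return 1 ;;
            esac ;;
        dcpu)   # dedicated CPUs as a count (3) or a range (2-4)
            case $arg in ''|-*|*-|*-*-*|*[!0-9-]*)
                echo "dcpu wants N or N-M, got '$arg'"; return 1 ;;
            esac ;;
        scpu)   # FSS shares: any integer
            case $arg in ''|*[!0-9]*)
                echo "scpu wants an integer, got '$arg'"; return 1 ;;
            esac ;;
        ram|dram|swap)   # size with a K, M, G or T scale, e.g. 512M
            num=${arg%[KMGT]}
            case $num in "$arg"|''|*[!0-9]*)
                echo "$res wants <number><K|M|G|T>, got '$arg'"; return 1 ;;
            esac ;;
        *)
            echo "unknown resource '$res'"; return 1 ;;
        esac
    done
    # the manual: dedicated CPUs cannot coexist with a CPU cap or FSS shares
    case $active in *" dcpu "*)
        case $active in *" cpu "*|*" scpu "*)
            echo "dcpu cannot be combined with cpu or scpu"; return 1 ;;
        esac ;;
    esac
    return 0
}

# Example (constructed values):
# check_resources "cpu|3.25" "ram|2G" "swap|4G"   -> 0
# check_resources "cpu|2" "dcpu|2"                -> 1, cpu and dcpu conflict
# check_resources "cpu|0" "dcpu|2"                -> 0, cpu is being deleted
```

The deletion case matters in practice: switching a zone from a CPU cap to dedicated CPUs in one modify run is expressed as "cpu|0" together with "dcpu|N", which the check accepts, while "cpu|N" together with "dcpu|N" is rejected.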
-L "<priv>[|<priv>|...]"
Specifies the limit set of privileges allowed in this zone.
See the privileges(5) manual page for more information and the
list of available privileges.
-e <extra brand flags and arguments>
Adds <-flags arguments> to be passed to the brand installer. In
an IPS brand, -e "-P publisher=uri -e SUNWipkg" will install the
IPS package manager from uri.
del [delete_options]
The "del" action deletes an existing non-global zone. The following
optional del_options are supported.
-F Do not prompt for confirmation; just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain white space or any non-
alphanumeric character except the dash symbol (-).
-o "option|value" Specify optional zone settings
Enable debug output mode.
-o debug
Keep all zonemgr artifacts.
-o keep_artifacts
modify [modify_options]
The "modify" action enables you to add, modify and delete properties
to a zone. The following optional modify_options are supported.
-F Do not prompt for confirmation; just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain white space or any non-
alphanumeric character except the dash symbol (-).
Zone properties that can be modified include the following.
Modify the zone name:
-m "zonename|<value>"
Modify the comment that describes the zone:
-m "comment|<value>"
Modify the autoboot value. The autoboot property determines
whether or not the zone will boot when the global zone is booted.
-m "autoboot|<true or false>"
Modify the boot arguments of the zone:
-m "bootargs|<value>"
Modify an existing filesystem (fs) property:
-m "fs|<dir>|<resource_type>|<value>"
Where fs resource types (the zonecfg(1M) fs resource properties)
include the following:
dir - Mount point inside the non-global zone
special - Directory or device in the global zone
options - Filesystem mount options
Modify an existing network property:
-m "net|<ipaddr/netmask>|<resource_type>|<value>"
Where net resource types include the following:
address - Network address and netmask in CIDR format
physical - The network interface
defrouter - The default router IP address
Zone properties that can be removed include the following:
Remove a network interface from the zone configuration:
-m "del|net|<address/cidr_netmask>"
Remove a filesystem from the zone configuration:
-m "del|fs|<dir_value>"
Remove a ZFS volume from the zone configuration:
-m "del|zvol|<name_value>"
Remove a ZFS dataset from the zone configuration:
-m "del|dset|<dataset_value>"
Remove a device from the zone configuration:
-m "del|device|<match_value>"
In addition to modifying and deleting existing properties, you can
also add a few types of properties. The arguments used to add these
optional properties are listed below.
-I "<IPAddr>|<Netif>|<Netmask>|<Hostname>[|<defrouter>][|zonename]"
IP Address (IPAddr) of the non-global zone plus the network
interface (Netif) for that IP address, the netmask (Netmask) in
CIDR format, and the host name (Hostname) for that IP address.
If multiple zones are being created or modified, use the last
field to specify the name to which the network information is
to be applied.
If not specified the default network interface is the first non-
loopback interface listed by ifconfig. The default netmask is
the netmask that corresponds to the IP address that you specify.
There is no default host name.
The fifth parameter to the -I flag specifies the default router
to use per network interface. The default router (<defrouter>)
is an optional parameter for shared network interfaces.
However, if the "exclusive" option is invoked, you must specify a
default router.
The sixth parameter is optional and only required when zonemgr
is called with multiple zone names. This parameter specifies the
zone name to which the IP address is assigned.
Note that shared network interfaces of the non-global zone
inherit the default routers of the global zone that match the
subnets of the non-global zone. When you specify the default
route for a shared IP non-global zone, the default route is
added to the global zone as well. Therefore, if you add the
wrong default route to a non-global zone and then modify the
default route with the -m flag, both default routes will exist
in the non-global zone and in the global zone. You will need to
remove the incorrect default route from the global zone with the
route command. For example, the following route invocation
would remove the default router 192.168.1.2:
# route delete -net default 192.168.1.2
Note also that a zone can be created without a network address.
OR
-I "ns|<Netif>|<Netmask>|all[|<defrouter>]"
This is a special use case of -I that automates the IP address
and zone assignment process for a shared network interface.
Using "ns" rather than a specific IP address looks up the IP
address via name resolution according to the hosts definition in
/etc/nsswitch.conf of the global zone.
Using "all" rather than a specific hostname tells zonemgr to
add a single IP address to each zone specified by -n <zone1>
[|<zone2>|<zone3>|...], where the IP address is determined by
name resolution of the respective zone's zonename.
The network interface (NetIF) and the netmask (Netmask) must
also be specified.
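As an added example (not part of zonemgr or this manual page), the following shell functions check a -I argument against the rules above before it is passed to zonemgr. The function names, the IPv4-only address check and the treatment of the netmask as a CIDR prefix length are this example's assumptions.

```shell
#!/bin/sh
# Added example, not zonemgr's own code: check one -I argument against the
# rules of the -I flag before handing it to zonemgr. Function names and the
# IPv4-only check are this example's assumptions.
#
# Accepted forms:
#   "<IPAddr>|<Netif>|<Netmask>|<Hostname>[|<defrouter>][|zonename]"
#   "ns|<Netif>|<Netmask>|all[|<defrouter>]"

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _save_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# check_iflag SPEC [NZONES] [shared|exclusive]
#   NZONES: how many zones were named with -n (default 1); with more than one
#           zone the sixth field (zonename) is mandatory, except for the "ns"
#           form, which assigns one address to every zone by name resolution.
#   exclusive: the -o exclusive mode, which makes the default router mandatory.
# Prints the normalised fields on success, a reason on stderr on failure.
check_iflag() {
    _spec=$1 _nzones=${2:-1} _mode=${3:-shared}
    _save_ifs=$IFS; IFS='|'
    set -f; set -- $_spec; set +f
    IFS=$_save_ifs
    _ip=$1 _nif=$2 _mask=$3 _host=$4 _gw=$5 _zone=$6
    if [ $# -lt 4 ] || [ $# -gt 6 ]; then
        echo "check_iflag: expected 4 to 6 pipe-delimited fields, got $#" >&2
        return 1
    fi
    case "$_ip" in
        ns)   # name-service form: the hostname field must be the keyword "all"
            if [ "$_host" != all ] || [ $# -gt 5 ]; then
                echo "check_iflag: 'ns' form is ns|<Netif>|<Netmask>|all[|<defrouter>]" >&2
                return 1
            fi ;;
        *)
            is_ipv4 "$_ip" || { echo "check_iflag: bad IP address '$_ip'" >&2; return 1; }
            case "$_host" in
                ''|*[!A-Za-z0-9.-]*) echo "check_iflag: bad host name '$_host'" >&2; return 1 ;;
            esac ;;
    esac
    case "$_nif" in
        ''|*[!A-Za-z0-9_]*) echo "check_iflag: bad interface name '$_nif'" >&2; return 1 ;;
    esac
    case "$_mask" in
        ''|*[!0-9]*) echo "check_iflag: netmask must be a CIDR prefix length" >&2; return 1 ;;
    esac
    [ "$_mask" -le 32 ] || { echo "check_iflag: prefix length $_mask exceeds 32" >&2; return 1; }
    if [ -n "$_gw" ] && ! is_ipv4 "$_gw"; then
        echo "check_iflag: bad default router '$_gw'" >&2; return 1
    fi
    if [ "$_mode" = exclusive ] && [ -z "$_gw" ]; then
        echo "check_iflag: exclusive mode requires a default router (fifth field)" >&2; return 1
    fi
    if [ "$_nzones" -gt 1 ] && [ "$_ip" != ns ] && [ -z "$_zone" ]; then
        echo "check_iflag: with $_nzones zones the sixth field (zonename) is required" >&2; return 1
    fi
    echo "ip=$_ip nif=$_nif mask=$_mask host=$_host gw=$_gw zone=$_zone"
}

# Usage (constructed): validate first, then call zonemgr with the same value.
#   check_iflag "192.168.0.10|hme0|24|m1" && zonemgr -a add -n m1 -I "192.168.0.10|hme0|24|m1"
```

The check is deliberately stricter than the parser behind the flag needs to be: rejecting a malformed value before zonemgr runs avoids a half-configured zone whose network block then has to be cleaned up with -m "del|net|...".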
-r "<global_dir>"
or
-r "<global_dir>|<non-global_mount_point>"
or
-r "<type>|<inputs>"
Mount a directory or device from the global zone into the non-
global zone in readonly mode. The inputs vary according to the
type.
Note that for all filesystems but the lofi/lofs filesystem, the
device is mounted for exclusive use of the non-global zone.
However, the root user in the global zone can access the
contents of the mounted filesystem because the root mount point
of the non-global zone is accessible as a directory in the
global zone.
type = lofi or lofs
For this filesystem type, you are read-only mounting
a directory or device from the global zone into a non-
global zone through the loopback device.
<input1> = Global zone directory
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated mount options (ro
is implied)
type = zfs
For this filesystem type, you are read-only mounting
an existing ZFS filesystem from the global zone into
the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (ro is
implied)
type = newzfs
For this filesystem type, you are creating a new zfs
filesystem in the global zone and read-only mounting
it into the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (ro is
implied)
type = zvol
For this filesystem type, you are making an existing
ZFS volume from the global zone available within a
non-global zone in read-only mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (ro is
implied)
type = newzvol
For this filesystem type, you are making a new ZFS
volume in the global zone and then making that new ZFS
volume available within a non-global zone in read-only
mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (ro is
implied)
type = ufs
For this filesystem type, you are read-only mounting
an existing UFS filesystem from the global zone into
the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = pcfs
For this filesystem type, you are read-only mounting
an existing PCFS (DOS/VFAT) filesystem from the global
zone into the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = newpcfs
For this filesystem type, you are creating a new read-
only pcfs (DOS/VFAT) filesystem in the global zone and
mounting it in the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = hsfs
For this filesystem type, you are either read-only
mounting an existing HSFS (CD-ROM/DVD-ROM) filesystem
or creating a new HSFS filesystem to be mounted in
read-only mode.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (ro is implied)
type = nfs
For this filesystem type, you are adding a Network
File System (NFS) entry to /etc/vfstab in the non-
global zone.
<input1> = NFS server host
<input2> = NFS server export directory
<input3> = Non-global zone directory (mount point)
<input4> = Mount options (ro is implied)
type = smb
For this filesystem type, you are adding a Server
Message Block (SMB) filesystem (a.k.a. Microsoft (TM)
Windows Network Filesystem) entry to /etc/vfstab in the
non-global zone.
<input1> = SMB server host
<input2> = SMB Workgroup
<input3> = SMB Share
<input4> = Non-global zone directory (mount point)
<input5> = SMB user
<input6> = SMB user password
<input7> = SMB filesystem mount options
-w "<global_dir>"
or
-w "<global_dir>|<non-global_mount_point>"
or
-w "<type>|<inputs>"
Mount a directory or device from the global zone into the non-
global zone in read/write mode. The usage for each option
varies according to the type. Note that for all filesystems but
the lofi/lofs filesystem, the device is mounted for exclusive
use of the non-global zone. However, the root user in the
global zone can access the contents of the mounted filesystem
because the root mount point of the non-global zone is
accessible as a directory in the global zone.
type = lofi or lofs
For this filesystem type, you are read-write mounting
a directory or device from the global zone into a non-
global zone through the loopback device.
<input1> = Global zone directory
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated mount options (rw
is implied)
type = zfs
For this filesystem type, you are read-write mounting
an existing ZFS filesystem from the global zone into
the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzfs
For this filesystem type, you are creating a new zfs
filesystem in the global zone and read-write mounting
it into the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = zvol
For this filesystem type, you are making an existing
ZFS volume from the global zone available within a
non-global zone in read-write mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzvol
For this filesystem type, you are making a new ZFS
volume in the global zone and then making that new ZFS
volume available within a non-global zone in read-
write mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = dset
For this type, you are making a ZFS dataset from the
global zone accessible and manageable from within the
non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newdset
For this type, you are creating a new ZFS filesystem
in the global zone and making that ZFS filesystem
accessible and manageable from within the non-global
zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = ufs
For this filesystem type, you are read-write mounting
an existing UFS filesystem from the global zone into
the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = pcfs
For this filesystem type, you are read-write mounting
an existing PCFS (DOS/VFAT) filesystem from the global
zone into the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = newpcfs
For this filesystem type, you are creating a new read-
write pcfs (DOS/VFAT) filesystem in the global zone
and mounting it in the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = nfs
For this filesystem type, you are adding an NFS
filesystem entry to /etc/vfstab in the non-global
zone.
<input1> = NFS server host
<input2> = NFS server export directory
<input3> = Non-global zone directory (mount point)
<input4> = Mount options (ro is implied)
type = smb
For this filesystem type, you are adding a Server
Message Block (SMB) filesystem (a.k.a. Microsoft (TM)
Windows Network Filesystem) entry to /etc/vfstab in the
non-global zone.
<input1> = SMB server host
<input2> = SMB Workgroup
<input3> = SMB Share
<input4> = Non-global zone directory (mount point)
<input5> = SMB user
<input6> = SMB user password
<input7> = SMB filesystem mount options
-C "<source>|<destination>"
or
-C "<pre|post>|<source>|<destination>"
This flag gives you the ability to copy
data from the global zone (<source>) to
the non-global zone (<destination>).
There are two phases of the zone boot process
in which you can copy data into the non-
global zone. The first and default phase
(<pre>) is before the zone boots for the
first time. The second phase (<post>)
is after the zone completes its last
boot of the zone creation process.
Data copied from the global zone can be
a file or directory. All data will be
recursively copied from the global zone
into the non-global zone.
Note that filesystems specified with -r
and -w will not be created until after
the zone has completed its first boot.
Thus do not expect that pre-boot copies
will go into a filesystem that you have
specified with the -r or -w options.
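As an added example (not zonemgr's own code), the following shell function checks a set of -C arguments against the -r and -w mount points of the same run and rejects a pre-boot copy whose destination lies under one of those mount points, since that filesystem does not exist before the first boot. The function name and the space-separated mount list are this example's own conventions.

```shell
#!/bin/sh
# Added example, not zonemgr's own code: sanity-check -C copy specs against
# the -r/-w mount points of the same zonemgr run. The point is the failure
# mode described for -C: a pre-phase copy into a directory that only comes
# into existence after the zone's first boot. Function name is this
# example's own.

# check_copy_specs MOUNTS SPEC...
#   MOUNTS: space-separated non-global mount points given via -r/-w
#   SPEC:   "<source>|<destination>" or "<pre|post>|<source>|<destination>"
# Prints "<phase> <source> -> <destination>" per spec; returns 1 if any spec
# is malformed or a pre-phase destination lies under one of MOUNTS.
check_copy_specs() {
    _mounts=$1; shift
    _rc=0
    for _spec in "$@"; do
        _save_ifs=$IFS; IFS='|'
        set -f; set -- $_spec; set +f
        IFS=$_save_ifs
        case $# in
            2) _phase=pre _src=$1 _dst=$2 ;;      # default phase is pre
            3) _phase=$1 _src=$2 _dst=$3 ;;
            *) echo "check_copy_specs: bad -C spec '$_spec'" >&2; return 1 ;;
        esac
        case "$_phase" in
            pre|post) ;;
            *) echo "check_copy_specs: phase must be pre or post, not '$_phase'" >&2; return 1 ;;
        esac
        case "$_dst" in
            /*) ;;
            *) echo "check_copy_specs: destination '$_dst' must be an absolute path in the zone" >&2; return 1 ;;
        esac
        if [ "$_phase" = pre ]; then
            for _m in $_mounts; do
                case "$_dst" in
                    "$_m"|"$_m"/*)
                        echo "check_copy_specs: pre-boot copy to '$_dst' lands under the -r/-w mount '$_m', which is created only after the first boot; use the post phase" >&2
                        _rc=1 ;;
                esac
            done
        fi
        echo "$_phase $_src -> $_dst"
    done
    return $_rc
}

# Usage (constructed): mounts from -w "/export/app|/opt/app", copies from -C.
#   check_copy_specs "/opt/app" "/etc/motd|/etc/motd" "post|/srv/conf|/opt/app/conf"
```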
-s "<method>|<method_arguments>"
This feature hardens the non-global zone by disabling (or
enabling) unnecessary operating system services of the non-
global zone according to the method specified. Hardening
methods and corresponding arguments are as follows.
Secure by default:
Method: netservices or sbd
Arguments:
limited - Eliminate unnecessary services
open - Enable standard services
Service Management Facility Site
Profile:
Method: smf
Argument: <fullpath>/<smf_xml_file>
JumpStart Architecture and Security Scripts (aka Solaris
Security Toolkit):
Method: jass
Argument: <jass_driver_name>
Basic service management:
Method: basic
Argument: One of the following (enable, disable, lock and
unlock can also be given as methods without an argument):
disable
lock
enable
unlock
disable|<service_list_file>
lock|<service_list_file>
enable|<service_list_file>
unlock|<service_list_file>
Basic Lock Down:
This method disables unnecessary services. Note that
the enable and lock methods are the same as using
"basic|enable" or "basic|lock".
Method: enable, disable, lock or unlock
Argument: none
Extreme Lock Down:
This method disables nearly everything possible. Note also
that there is no unlock or undo for this hardening method.
Method: jail
Argument: none
-M [basic|<file>]
Minimize the whole root non-global zone by either excluding or
removing unnecessary packages. The optional <file> is a file
containing a list of packages that you would like removed from
the zone. If no <file> is specified, the following categories
will be removed with pkgrm -Y <category>:
JDS4 JDS3 JDS JDSosol GNOME2 CTL ALE APOC CTL EVO146
G11NTOLS GLOW JAI JAVAAPPS JDIC
Note that this option does not apply to OpenSolaris because non-
global zones are minimized by default.
-X "<command> <args>"
Runs <command> inside the non-global zone once the zone is
successfully created. Note that you may need to include the
full path to the command as well. You can pass <args>
(arguments) to the command by including them in the quoted
command string.
Note that the most common way to make executables accessible to
the zone is to read-only (-r) or read-write (-w) mount a
directory from the global zone into the non-global zone.
-G "<package>"
or
-G "<type>|<package>"
This option provides automated installation of remote packages
according to the repository type.
Repository = Blastwave(TM)
Type = csw
Args: <pkg> or "csw|<pkg_url>"
Solaris Example 1: top
Solaris Example 2: "csw|top"
OpenSolaris Example: "csw|IPSFWtop"
OpenSolaris IPS Repository:
http://blastwave.network.com:10000
Repository = SunFreeware.com(TM)
Type = sfw
Args for Solaris: "sfw|<pkg_url>"
Args for OpenSolaris: "sfw|<pkg>"
Solaris Example:
"sfw|ftp://ftp.sunfreeware.com/pub/freeware/intel/10/top-3.6.1-sol10-x86-local.gz"
OpenSolaris Example: "sfw|top"
OpenSolaris IPS Repository:
http://pkg.sunfreeware.com:9000
Repository = OpenSolaris.org
Type = pkg
Args: "pkg|<pkg>"
Example: "pkg|SUNWtop"
OpenSolaris IPS Repository:
http://pkg.opensolaris.org/release
-p "<resource>|<resource_arg>"
Resource allocated to this zone. Note
that although all of the following resource
types can be applied to a zone, only one
of each type can be specified per zone.
Resources are deleted by specifying a value
of 0 for the <resource_arg>.
resource = cpu
The cpu resource type specifies the upper
limit (cap) of CPU time that can be used by
a zone. The valid argument for this
resource type is either a whole or a mixed
(whole and fraction) number. A cpu value
of 3.25 means 325% of a cpu.
Note that a zone cannot be assigned capped
and dedicated CPU resources at the same
time. You can use one or the other.
resource = dcpu
The dcpu resource type specifies the fixed
number (or range) of CPUs to dedicate to
this zone.
Valid arguments for this resource type
include the following:
Maximum number: 3
Range: 2-4
Note that a zone cannot be assigned capped
and dedicated CPU resources at the same
time. You can use one or the other.
resource = scpu
The scpu resource type specifies the number
of FSS (Fair Share Scheduler) CPU shares to
allocate to this zone.
Valid arguments for this resource type
specify any integer. A value of zero disables
FSS CPU shares.
Note that a zone cannot be assigned FSS
and dedicated CPU resources at the same
time. You can use one or the other.
Note also that if you want to use the fair
share scheduler (FSS), you may want to
consider changing the global zone (e.g. the
system) scheduler to the FSS. You can make
this change with the following two commands.
Set the default scheduler for the system to
be the FSS.
dispadmin -d FSS
Make this configuration take effect
immediately, without rebooting.
priocntl -s -c FSS -i all
resource = ram
The ram resource type specifies the maximum
amount of memory (e.g. RAM) that this zone
can consume.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
resource = dram
The dram resource type specifies the specific
amount of memory (e.g. RAM) that is dedicated
to this zone.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
resource = swap
The swap resource type specifies the maximum
amount of virtual memory (e.g. swap) that
this zone can consume.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
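As an added example (not zonemgr's own code), the following shell functions validate a set of -p arguments against the rules stated above: one entry per resource type, dedicated CPUs exclusive of both the cpu cap and FSS shares, the cap as a whole or mixed number, the dedicated CPU value as a count or a range, and memory values as an amount followed by K, M, G or T. The function names and the byte conversion (binary multiples) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not zonemgr's own code: validate -p "<resource>|<resource_arg>"
# specs before passing them to zonemgr. Function names and the binary
# (1024-based) byte conversion are this example's assumptions.

# mem_to_bytes SPEC: print the byte count for an amount with scale K, M, G or T
# (e.g. 512M, 2G); fail if the scale is missing or the amount is not a number.
mem_to_bytes() {
    _amt=${1%[KMGT]}
    _scale=${1#"$_amt"}
    case "$_amt" in ''|*[!0-9]*) return 1 ;; esac
    case "$_scale" in
        K) echo $(($_amt * 1024)) ;;
        M) echo $(($_amt * 1048576)) ;;
        G) echo $(($_amt * 1073741824)) ;;
        T) echo $(($_amt * 1099511627776)) ;;
        *) return 1 ;;
    esac
}

# check_resources SPEC...: each SPEC is one -p value. Prints "ok:" followed by
# the resource types that remain active (a value of 0 deletes a resource and
# so does not count); returns 1 with a reason on stderr otherwise.
check_resources() {
    _seen= _active=
    for _spec in "$@"; do
        _res=${_spec%%|*}
        _arg=${_spec#*|}
        if [ "$_res" = "$_spec" ]; then
            echo "check_resources: '$_spec' is not <resource>|<resource_arg>" >&2; return 1
        fi
        case " $_seen " in   # only one entry of each type per zone
            *" $_res "*) echo "check_resources: '$_res' specified more than once" >&2; return 1 ;;
        esac
        _seen="$_seen $_res"
        [ "$_arg" != 0 ] || continue   # 0 deletes the resource; nothing else to check
        _ok=1
        case "$_res" in
            cpu)  case "$_arg" in ''|.|*[!0-9.]*|*.*.*) _ok=0 ;; esac ;;   # whole or mixed number
            dcpu) case "$_arg" in                                        # count or low-high range
                      ''|*[!0-9-]*|-*|*-|*-*-*) _ok=0 ;;
                      *-*) [ "${_arg%-*}" -le "${_arg#*-}" ] || _ok=0 ;;
                  esac ;;
            scpu) case "$_arg" in ''|*[!0-9]*) _ok=0 ;; esac ;;             # integer share count
            ram|dram|swap) mem_to_bytes "$_arg" >/dev/null || _ok=0 ;;
            *) echo "check_resources: unknown resource '$_res'" >&2; return 1 ;;
        esac
        if [ "$_ok" = 0 ]; then
            echo "check_resources: bad argument '$_arg' for resource '$_res'" >&2; return 1
        fi
        _active="$_active $_res"
    done
    # dedicated CPUs cannot be combined with a CPU cap or with FSS shares
    case " $_active " in
        *" dcpu "*)
            case " $_active " in
                *" cpu "*|*" scpu "*)
                    echo "check_resources: dcpu cannot be combined with cpu or scpu" >&2; return 1 ;;
            esac ;;
    esac
    echo "ok:$_active"
}

# Usage (constructed): check_resources "cpu|3.25" "ram|1G" "swap|512M"
```

Running the check on the full set of -p values for a zone at once is what makes the mutual-exclusion rule testable; checking each value on its own cannot see that cpu and dcpu were both requested.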
list [list_options]
The "list" action lists all non-global zones. The following optional
list_options are supported.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe delimited names, or for non-
add or clone actions, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white spaces or non-
alphanumeric characters except the dash symbol.
status [status_options]
The "status" action shows the zone status, cpu count, cpu clock
rate, and the uptime for the specified zones. If no non-global
zone names are specified, status information for all non-global
zones is displayed. The following optional status_options are supported.
-F Do not confirm an action; Just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe delimited names, or for non-
add or clone actions, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white spaces or non-
alphanumeric characters except the dash symbol.
clone -y <sourceZoneName> [clone_options]
The "clone" action clones an existing zone into one or more new
non-global zones. The properties of the new zone(s) can be tailored
via the following optional clone_options arguments.
-F Do not confirm an action; Just do it.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe delimited names, or for non-
add or clone actions, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white spaces or non-
alphanumeric characters except the dash symbol.
-o "option|value" Specify optional zone settings
Enable debug output mode.
-o debug
Keep all zonemgr artifacts.
-o keep_artifacts
Set the comment that describes the zone.
-o "comment|<value>"
Set the autoboot value. The autoboot property determines
whether or not the zone will boot when the global zone is
booted.
-o "autoboot|<true or false>"
Set the boot arguments of the zone.
-o "bootargs|<value>"
The default network interface type for a non-global zone is
shared. To dedicate all assigned network interfaces to a zone,
add the -o "exclusive" option. Note that when you enable this
option on a zone, ALL network interfaces assigned to that
zone will be assigned exclusively to that zone. Further, each
network interface will require a default router assignment as
well, i.e. the fifth field of the -I flag.
-o exclusive
Remove inherited package directories from the zone.
-o "rmDir|/dir1[|/dir2|/dir3|...]"
Add inherited package directories to the zone.
-o "addDir|/dir1[|/dir2|/dir3|...]"
The dCount option is used in conjunction with the add and
clone actions to automate the naming of some number of zones.
For example -o "dCount|10" would create 10 zones starting
with the first available name. The naming automator starts
at zone0001 and increments until an unused name is found.
-o "dCount|<number>"
The dPrefix option is used in conjunction with the add and
clone actions to define the prefix of the auto zone name
generator. For example, -o "dPrefix|mysql" would create one
or more zones with the prefix of mysql. e.g. mysql0001.
-o "dPrefix|<name>"
Force the ZFS clone to copy rather than clone the filesystem.
-o cpclone
-t <w or s>
Type of zone where w=Whole Root and s=Sparse Root. A sparse
root zone inherits the following directories from the global
zone: /lib, /usr, /sbin, and /platform. A whole root zone does
not inherit any directories from the global zone. The default
value is sparse root (s).
OpenSolaris does not share the same definitions of sparse and
whole root zones as Solaris 10. For OpenSolaris, all zones are
whole root zones. Further, the package set installed in a zone
is a significantly smaller subset of the packages contained in
the global zone. This ensures that the zone is minimized by
default. Adding packages to OpenSolaris zones is significantly
easier than it was for Solaris 10; see the -G "pkg|<pkgname>"
option.
-P "<file or password>" or shadow
Unencrypted password of the root user of this new non-global
zone. The password can either be specified in a file or as a
quoted string.
The global root password from /etc/shadow will be used by
default by -P or -E if neither is specified.
OR
-E "<file or password>" or shadow
This is an alternate way from -P <password> of specifying the
non-global zone root user's password in encrypted form. The
encrypted password can either be specified in a file or as a
quoted string. You can copy and paste the user's encrypted
password from /etc/shadow.
The global root password from /etc/shadow will be used by
default by -P or -E if neither is specified.
-z "<zonepath>[|<ZFS filesystem>][|<ZFS options>][|<zonename>]"
The zonepath is the directory under which the zone root
directory is created. For example, specifying -z /myzones would
result in the following zone root directory.
/myzones/<zonename>
where <zonename> is the name of the zone you are creating.
If no zonepath is specified, the default value of zonepath is
/zones.
If the filesystem containing the zonepath is a ZFS filesystem, a
new ZFS filesystem will be created for the zone directory. If
no ZFS filesystem is specified in the optional second pipe (|)
delimited field, the default value will be the ZFS pool
containing the root filesystem. In most cases this is rpool. In
this case, the ZFS filesystem would be
rpool/<zonename>
Optionally, you may also specify a semicolon (;) delimited list
of ZFS options in the third pipe (|) delimited field as well.
The last optional field only applies when multiple zone paths
are specified that are intended to map to multiple zones. For
example, consider adding two zones (z1 and z2) in a single run
of zonemgr where each zone has its specific zonepath.
# zonemgr -F -a add -n "z1|z2" -z "/z1|||z1" -z "/zone2|||z2"
In this next example, you add a ZFS filesystem (rpool/z1) with
the mountpoint of /z and optionally enable the gzip compression
algorithm and disable atime.
-z "/z|rpool/z1|compression=gzip;atime=off"
OR
-Z "<zonedir>[|<ZFS filesystem>][|<ZFS options>]"
The zonedir is the zone root directory. Specifying -Z /z1 will
place the zone root directory in /z1.
If no zonedir is specified, the default value of zonedir is
/zones/<zonename>
If the filesystem containing the zonedir is a ZFS filesystem, a
new ZFS filesystem will be created for the zone directory. If
no ZFS filesystem is specified in the optional second pipe (|)
delimited field, the default value will be the ZFS pool
containing the root filesystem. In most cases this is rpool. In
this case, the ZFS filesystem would be
rpool/<zonename>
Optionally, you may also specify a semicolon (;) delimited list
of ZFS options in the third pipe (|) delimited field as well.
For example, the following would create a ZFS filesystem
(rpool/z) with the mountpoint of /z, enable the gzip
compression algorithm and disable atime.
-Z "/z|rpool/z|compression=gzip;atime=off"
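As an added example (not zonemgr's own code), the following shell function parses a -z or -Z argument, applies the defaults described above (zonepath /zones, ZFS filesystem <pool>/<zonename>) and prints the zfs create command those values imply. The root pool name rpool, placing the mountpoint at the zone root directory, and the translation into zfs create -o options are this example's assumptions about the mechanism, not a description of what zonemgr itself runs.

```shell
#!/bin/sh
# Added example, not zonemgr's own code: parse one -z or -Z argument
#   -z "<zonepath>[|<ZFS filesystem>][|<ZFS options>][|<zonename>]"
#   -Z "<zonedir>[|<ZFS filesystem>][|<ZFS options>]"
# and print the zfs create command it implies. Assumptions of this example:
# the pool holding the root filesystem is rpool (override with ROOT_POOL),
# the new filesystem is mounted at the zone root directory, and each
# semicolon-separated ZFS option becomes a "zfs create -o name=value".

ROOT_POOL=${ROOT_POOL:-rpool}   # assumption: pool holding the root filesystem

# zfs_plan FLAG SPEC ZONENAME: FLAG is z or Z; prints the command, or
# returns 1 with a reason on stderr.
zfs_plan() {
    _flag=$1 _spec=$2 _zone=$3
    _save_ifs=$IFS; IFS='|'
    set -f; set -- $_spec; set +f
    IFS=$_save_ifs
    _dir=$1 _fs=$2 _opts=$3 _zn=$4
    case "$_flag" in
        z)
            [ -n "$_dir" ] || _dir=/zones      # default zonepath
            [ -z "$_zn" ] || _zone=$_zn        # fourth field names the target zone
            _mnt="$_dir/$_zone"                # zone root lives below the zonepath
            ;;
        Z)
            [ -n "$_dir" ] || _dir="/zones/$_zone"
            [ $# -le 3 ] || { echo "zfs_plan: -Z takes at most 3 fields" >&2; return 1; }
            _mnt=$_dir                         # zonedir is the zone root itself
            ;;
        *) echo "zfs_plan: flag must be z or Z" >&2; return 1 ;;
    esac
    [ -n "$_zone" ] || { echo "zfs_plan: zone name required" >&2; return 1; }
    [ -n "$_fs" ] || _fs="$ROOT_POOL/$_zone"   # default filesystem <pool>/<zonename>
    _cmd="zfs create"
    if [ -n "$_opts" ]; then
        _save_ifs=$IFS; IFS=';'
        set -f; set -- $_opts; set +f
        IFS=$_save_ifs
        for _o in "$@"; do
            case "$_o" in
                *=*) _cmd="$_cmd -o $_o" ;;
                *) echo "zfs_plan: ZFS option '$_o' is not name=value" >&2; return 1 ;;
            esac
        done
    fi
    echo "$_cmd -o mountpoint=$_mnt $_fs"
}

# Usage (constructed): zfs_plan Z "/z|rpool/z|compression=gzip;atime=off" m1
```

Printing the planned command rather than running it lets the operator confirm the filesystem name and mountpoint before a zone directory is created in the wrong pool or path.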
-D "<domain>"
DNS Domain Name. If a domain is specified, then dns name
servers must also be specified.
Note also that the fully qualified host name of the non-global
zone must be resolvable by the naming service.
-d "<nameserver1>|<nameserver2>|.."
Pipe delimited ordered list of Domain Name Servers. If domain
name servers are specified, the domain name via -D "<domain>"
must also be specified.
Note also that the fully qualified host name of the non-global
zone must be resolvable by the naming service.
-w "<global_dir>"
or
-w "<global_dir>|<non-global_mount_point>"
or
-w "<type>|<inputs>"
Mount a directory or device from the global zone into the non-
global zone in read/write mode. The usage for each option
varies according to the type. Note that for all filesystems but
the lofi/lofs filesystem, the device is mounted for exclusive
use of the non-global zone. However, the root user in the
global zone can access the contents of the mounted filesystem
because the root mount point of the non-global zone is
accessible as a directory in the global zone.
type = lofi or lofs
For this filesystem type, you are read-write mounting
a directory or device from the global zone into a non-
global zone through the loopback device.
<input1> = Global zone directory
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated mount options (rw
is implied)
type = zfs
For this filesystem type, you are read-write mounting
an existing ZFS filesystem from the global zone into
the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzfs
For this filesystem type, you are creating a new zfs
filesystem in the global zone and read-write mounting
it into the non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = zvol
For this filesystem type, you are making an existing
ZFS volume from the global zone available within a
non-global zone in read-write mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = newzvol
For this filesystem type, you are making a new ZFS
volume in the global zone and then making that new ZFS
volume available within a non-global zone in read-
write mode.
<input1> = The ZFS filesystem
<input2> = Size
<input3> = Semicolon separated zfs options (rw is
implied)
type = dset
For this type, you are making a ZFS dataset from the
global zone accessible and manageable from within the
non-global zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = newdset
For this type, you are creating a new ZFS filesystem
in the global zone and making that ZFS filesystem
accessible and manageable from within the non-global
zone.
<input1> = The ZFS filesystem
<input2> = Non-global zone directory (mount point)
<input3> = Semicolon separated zfs options (rw is
implied)
type = ufs
For this filesystem type, you are read-write mounting
an existing UFS filesystem from the global zone into
the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = pcfs
For this filesystem type, you are read-write mounting
an existing PCFS (DOS/VFAT) filesystem from the global
zone into the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = newpcfs
For this filesystem type, you are creating a new read-
write pcfs (DOS/VFAT) filesystem in the global zone
and mounting it in the non-global zone.
<input1> = Raw device /dev/rdsk/<dev> or device
<dev>
<input2> = Non-global zone directory (mount point)
<input3> = Mount options (rw is implied)
type = nfs
For this filesystem type, you are adding an NFS
filesystem entry to /etc/vfstab in the non-global
zone.
<input1> = NFS server host
<input2> = NFS server export directory
<input3> = Non-global zone directory (mount point)
<input4> = Mount options (ro is implied)
type = smb
For this filesystem type, you are adding a Server
Message Block (SMB) filesystem (a.k.a. Microsoft (TM)
Windows Network Filesystem) entry to /etc/vfstab in the
non-global zone.
<input1> = SMB server host
<input2> = SMB Workgroup
<input3> = SMB Share
<input4> = Non-global zone directory (mount point)
<input5> = SMB user
<input6> = SMB user password
<input7> = SMB filesystem mount options
-p "<resource>|<resource_arg>"
Resource allocated to this zone. Note
that although all of the following resource
types can be applied to a zone, only one
of each type can be specified per zone.
Resources are deleted by specifying a value
of 0 for the <resource_arg>.
resource = cpu
The cpu resource type specifies the upper
limit (cap) of CPU time that can be used by
a zone. The valid argument for this
resource type is either a whole or a mixed
(whole and fraction) number. A cpu value
of 3.25 means 325% of a cpu.
Note that a zone cannot be assigned capped
and dedicated CPU resources at the same
time. You can use one or the other.
resource = dcpu
The dcpu resource type specifies the fixed
number (or range) of CPUs to dedicate to
this zone.
Valid arguments for this resource type
include the following:
Maximum number: 3
Range: 2-4
Note that a zone cannot be assigned capped
and dedicated CPU resources at the same
time. You can use one or the other.
resource = scpu
The scpu resource type specifies the number
of FSS (Fair Share Scheduler) CPU shares to
allocate to this zone.
Valid arguments for this resource type
specify any integer. A value of zero disables
FSS CPU shares.
Note that a zone cannot be assigned FSS
and dedicated CPU resources at the same
time. You can use one or the other.
Note also that if you want to use the fair
share scheduler (FSS), you may want to
consider changing the global zone (e.g. the
system) scheduler to the FSS. You can make
this change with the following two commands.
Set the default scheduler for the system to
be the FSS.
dispadmin -d FSS
Make this configuration take effect
immediately, without rebooting.
priocntl -s -c FSS -i all
resource = ram
The ram resource type specifies the maximum
amount of memory (e.g. RAM) that this zone
can consume.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
resource = dram
The dram resource type specifies the specific
amount of memory (e.g. RAM) that is dedicated
to this zone.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
resource = swap
The swap resource type specifies the maximum
amount of virtual memory (e.g. swap) that
this zone can consume.
Valid arguments for this resource type
specify the amount and scale of memory where
the scale is represented by K (kilobyte),
M (megabyte), G (gigabyte), or T (terabyte).
For example, 1M is one megabyte.
move -n "<zonename(s)>" -Z "<newzonePaths>" [move_options]
The "move" action moves one or more zones from their current
directory to a new directory.
The following move_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe delimited names, or for non-
add or clone actions, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white spaces or non-
alphanumeric characters except the dash symbol.
-Z "<dir>" New directory for this zone.
The following optional move_options are supported.
-F Do not confirm an action; Just do it.
detach -n "<zonename(s)>"
The "detach" action detaches a zone so that it can be attached to a
different server.
The following detach_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe delimited names, or for non-
add or clone actions, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white spaces or non-
alphanumeric characters except the dash symbol.
The following detach_options options are optional.
-F Do not confirm an action; Just do it.
attach -n "<zonename(s)>"
The "attach" action attaches a detached zone.
The following attach_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
The following attach_options are optional.
-F Do not confirm an action; Just do it.
shutdown -n "<zonename(s)>"
The "shutdown" action shuts down one or more zones.
The following shutdown_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
The following shutdown_options are optional.
-F Do not confirm an action; Just do it.
boot -n "<zonename(s)>"
The "boot" action boots one or more zones.
The following boot_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
The following boot_options are optional.
-F Do not confirm an action; Just do it.
reboot -n "<zonename(s)>"
The "reboot" action reboots one or more zones.
The following reboot_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
The following reboot_options are optional.
-F Do not confirm an action; Just do it.
halt -n "<zonename(s)>"
The "halt" action halts one or more zones.
The following halt_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
The following halt_options are optional.
-F Do not confirm an action; Just do it.
only -n "<zonename(s)>"
The "only" action shuts down all non-global zones but those
specified by -n and then boots any of the specified zones that are
not already running.
The following only_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
There are two zone name special cases.
bootall
This zone name makes sure all non-global zones are booted.
haltall
This zone name makes sure all zones are halted.
The following only_options are optional.
-F Do not confirm an action; Just do it.
runcmd -n "<zonename(s)>" -X "<cmd_with_args>"
The "runcmd" action runs commands specified with the -X
"<cmd_with_args>" flags in all non-global zones specified by -n.
The following runcmd_options are required.
-n "<zonename(s)>"
The zone name input takes multiple forms. You can specify a
single zone name, multiple pipe-delimited names, or, for actions
other than add and clone, you can use the \^ (beginning of the
string), \$ (end of the string), and * (glob) symbols to
pattern match one or more specific zones.
Note that zone names may not contain any white space or non-
alphanumeric characters except the dash symbol.
There is one zone name special case.
all
This zone name runs the specified commands on all non-
global zones.
-X <command>
Runs <command> inside the non-global zone once it is
successfully created. Note that you may need to include the
full path to the command as well.
The following runcmd_options are optional.
-F Do not confirm an action; Just do it.
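The -n description repeated above for move, detach, attach, shutdown, boot, reboot, halt, only and runcmd leaves the matching rules informal. The following added example (written for this page, not taken from zonemgr) implements one consistent reading in POSIX shell: valid_zone_name enforces the letters, digits and dash rule, and expand_zone_spec expands a pipe-delimited -n argument against a constructed inventory of zone names, treating "all" as the runcmd special case, an entry without ^, $ or * as an exact name, and otherwise * as a glob with ^ and $ anchoring only where they are written. Those rules and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: validate zone names and expand a -n argument the way the
# description above specifies. Function names and the exact matching rules
# below are choices made here, not zonemgr's own code.

# valid_zone_name NAME: letters, digits and the dash only, nothing else.
valid_zone_name() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# expand_zone_spec SPEC ZONES: SPEC is the -n argument ("a|b|c", patterns
# with \^, \$ and * allowed); ZONES is a newline-separated list of existing
# zone names. Prints the matching names, one per line, in ZONES order.
# Rules assumed here: "all" selects every zone (the runcmd special case);
# an entry without ^, $ or * must match a name exactly; otherwise * matches
# any run of characters and ^/$ anchor only where they are written.
expand_zone_spec() {
    spec=$1
    zones=$2
    if [ "$spec" = all ]; then
        printf '%s\n' "$zones"
        return 0
    fi
    out=''
    rest="$spec|"
    while [ -n "$rest" ]; do
        pat=${rest%%|*}
        rest=${rest#*|}
        case $pat in
            '') continue ;;
            *[!A-Za-z0-9^\$*-]*)
                echo "expand_zone_spec: bad pattern '$pat'" >&2; return 1 ;;
        esac
        case $pat in
            *[*\$^]*) re=$(printf '%s\n' "$pat" | sed 's/\*/.*/g') ;;
            *)        re="^$pat\$" ;;
        esac
        hits=$(printf '%s\n' "$zones" | grep -E -- "$re") || true
        out=$(printf '%s\n%s\n' "$out" "$hits")
    done
    # Drop blank lines and duplicates while keeping first-seen order.
    printf '%s\n' "$out" | awk 'NF && !seen[$0]++'
}

# Constructed sample inventory standing in for the output of "zonemgr -a list".
ZONES='zone0001
zone0002
m1
m2
m1clone
web-01'

for spec in 'm1' 'm*' '^zone*' '*clone$|m1' all; do
    echo "-n \"$spec\" ->" $(expand_zone_spec "$spec" "$ZONES")
done
```

Because the character check runs before a pattern ever reaches grep, an -n value containing shell metacharacters or white space is refused outright instead of being interpolated into a later command.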
EXAMPLES
Example 1: Add A Default Zone
The following command will create a non-global zone named zone0001. The
name of the zone is automatically determined based on the next available
zone name. The password of the non-global zone root user is set to the
same password of the root user of the global zone. The creation of the
zone is forced with the -F flag.
# zonemgr -F -a add
Example 2: Add A Custom Zone
The following command will create a non-global zone named m1. The password
of the root user of zone m1 is set to "abc123". IP address 192.168.0.10 is
assigned to the zone and mapped to the host name zonem1 as well.
# zonemgr -F -a add -n m1 -P "abc123" -I "192.168.0.10|hme0|24|zonem1"
Example 3: Add Multiple Zones With Auto Network Discovery
The following command will create 3 non-global zones. If the host names
of the 3 zones are not resolvable, zone creation will stop with an error:
m1, m2, and m3 must be in /etc/hosts, DNS, or NIS, depending on the
/etc/nsswitch.conf configuration of the global zone.
# zonemgr -F -a add -n "m1|m2|m3" -I "ns|hme0|24|all"
The following command will create 3 non-global zones where each zone name is
dynamically determined according to the next available zone name. For
example, if the last dynamically generated zone name was zone0004, then
the 3 zones added would be named zone0005, zone0006, and zone0007.
# zonemgr -F -a add -o 'dCount|3' -I "ns|hme0|24|all"
Example 4: Delete One or More Zones
The following command will delete a single non-global zone named m1; you
will not be prompted to continue because the action is forced with
the -F flag.
# Delete one zone
# zonemgr -F -n m1 -a del
# Delete three zones
# zonemgr -F -n "m1|m2|m3" -a del
Example 5: List One, More, Or All Zones
The following commands will list, respectively, one, three, and all
available zones.
# List one zone
# zonemgr -a list -n m1
# List three zones
# zonemgr -a list -n "m1|m2|m3"
# List all zones
# zonemgr -a list
Example 6: Show Status Of One, More, Or All Zones
The following commands will show the status of, respectively, one, three,
or all zones.
# Show the status of one zone
# zonemgr -a status -n m1
# Show the status of three zones
# zonemgr -a status -n "m1|m2|m3"
# Show the status of all zones
# zonemgr -a status
Example 7: Shutdown, Halt, Boot, and Reboot a Zone
The following commands will respectively shut down, halt, boot, and
reboot non-global zone m1.
# zonemgr -F -n m1 -a shutdown
# zonemgr -F -n m1 -a halt
# zonemgr -F -n m1 -a boot
# zonemgr -F -n m1 -a reboot
Example 8: Halt or Boot All Zones
The following commands will respectively halt and boot all non-global
zones.
# zonemgr -a only -n haltall
# zonemgr -a only -n bootall
Example 9: Manage State Of Multiple Zones
The following command will halt all non-global zones but those specified
by the -n parameter and will boot any of the specified zones that are not
currently running.
# zonemgr -a only -n "m1|m2"
Example 10: Add One Or More Zones With CPU Containment
The following command will add non-global zone m1 and dedicate a single
CPU to that zone.
# zonemgr -a add -n m1 -p "dcpu|1"
The following command will add three non-global zones and dedicate a
single CPU to each zone.
# zonemgr -a add -n "m1|m2|m3" -p "dcpu|1"
Example 11: Add One Or More Zones With RAM Containment
The following command will add non-global zone m1 and dedicate 1G of
physical memory to the zone.
# zonemgr -a add -n m1 -p "dram|1"
The following command will add three non-global zones and dedicate
1G of physical memory to each zone.
# zonemgr -a add -n "m1|m2|m3" -p "dram|1"
Example 12: Add A Zone With Custom Root Zone Directory
The following command will create a non-global zone named m2 with a root
zone directory of /z/m2.
# zonemgr -a add -z /z/m2
Note that the -z flag specifies the exact root zone directory (e.g. /z/m2).
Example 13: Add A Zone With Custom Root ZFS Zone Directory
The following command will create a non-global zone named m3 with a root
zone directory of /m3 that is stored in the ZFS filesystem rpool/m4.
# zonemgr -a add -z "/m3|rpool/m4"
Note that the -z flag specifies the exact root zone directory (e.g. /m3)
and optionally the exact ZFS filesystem name (e.g. rpool/m4).
Example 14: Add A Zone With Custom Root ZFS Zone Directory
If the next available automatically generated zone name is zone0004, the
following command will create a non-global zone named zone0004 with a root
zone directory of /z/zone0004 that is stored in the ZFS filesystem
rpool/zone0004. Further, the ZFS filesystem is configured with compression
enabled and set to gzip, and the recordsize is changed from the default of
128k to 8k.
# zonemgr -a add -Z "/z|rpool|compression=gzip;recordsize=8k"
Note that the -Z flag specifies the base ZFS filesystem on which the new
ZFS filesystem will be created using the zone name. In this example, the
base ZFS filesystem is rpool and the new ZFS filesystem is rpool/zone0004.
Example 15: Add A Zone With Multiple IP Addresses
The following command will create a non-global zone named m1 with three IP
addresses where each IP address is configured on its own network
interface. Note that the third option has specified that it will
exclusively use the bge1 network interface. The other IP addresses are
assigned to shared network interfaces (hme0 and bge0).
# zonemgr -a add -n m1 -P "abc123" \
-I "192.168.0.10|hme0|24|m1" \
-I "192.168.5.27|bge0|24|m2" \
-I "192.168.10.5|bge1|24|m3"
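Examples 2, 3 and 15 all pass -I "<ip>|<interface>|<prefix>|<hostname>" values, and step 4 of Example 17 states what the prefix means (24 becomes netmask 255.255.255.0). The following added example (written for this page, not zonemgr's own code) validates one such value in POSIX shell and prints it with the prefix expanded to a dotted netmask; the "ns" address of Example 3 is passed through as the "resolve by host name" marker. The function names and the acceptance rules for interface and host names are assumptions made here.

```shell
#!/bin/sh
# Added example: validate one -I "<ip>|<interface>|<prefix>|<hostname>"
# argument and expand the prefix length to the dotted netmask that step 4
# of Example 17 describes (24 -> 255.255.255.0). Function names and the
# interface/host-name rules are assumptions, not zonemgr's own checks.

# valid_ipv4 ADDR: exactly four dotted decimal octets, each 0-255.
valid_ipv4() {
    n=0
    left="$1."
    while [ -n "$left" ]; do
        oct=${left%%.*}
        left=${left#*.}
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ ${#oct} -le 3 ] || return 1
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ] || return 1
    return 0
}

# prefix_to_mask BITS: CIDR prefix length (0-32) -> dotted netmask.
prefix_to_mask() {
    bits=$1
    mask=''
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            oct=255; bits=$((bits - 8))          # a full octet of ones
        elif [ "$bits" -le 0 ]; then
            oct=0                                # a full octet of zeros
        else
            oct=$((256 - (1 << (8 - bits)))); bits=0   # partial octet
        fi
        mask="$mask${mask:+.}$oct"
        i=$((i + 1))
    done
    echo "$mask"
}

# parse_iface_spec SPEC -> "<ip> <interface> <netmask> <hostname>" on stdout.
# "ns" in the address field means "resolve from the host name" (Example 3)
# and is passed through unchanged.
parse_iface_spec() {
    spec=$1
    case $spec in
        *\|*\|*\|*\|*) echo "parse_iface_spec: too many fields in '$spec'" >&2; return 1 ;;
        *\|*\|*\|*) ;;
        *) echo "parse_iface_spec: expected 4 fields in '$spec'" >&2; return 1 ;;
    esac
    ip=${spec%%|*};     rest=${spec#*|}
    iface=${rest%%|*};  rest=${rest#*|}
    prefix=${rest%%|*}; host=${rest#*|}
    if [ "$ip" != ns ] && ! valid_ipv4 "$ip"; then
        echo "parse_iface_spec: bad IPv4 address '$ip'" >&2; return 1
    fi
    case $iface in
        ''|*[!A-Za-z0-9]*) echo "parse_iface_spec: bad interface '$iface'" >&2; return 1 ;;
    esac
    case $prefix in
        ''|*[!0-9]*|0?*) echo "parse_iface_spec: bad prefix '$prefix'" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "parse_iface_spec: prefix '$prefix' > 32" >&2; return 1; }
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "parse_iface_spec: bad host name '$host'" >&2; return 1 ;;
    esac
    echo "$ip $iface $(prefix_to_mask "$prefix") $host"
}

# The three interfaces of Example 15 plus two constructed bad inputs.
for spec in '192.168.0.10|hme0|24|m1' '192.168.5.27|bge0|24|m2' \
            '192.168.10.5|bge1|24|m3' '192.168.0.300|hme0|24|m1' \
            '192.168.0.10|hme0|24'; do
    if out=$(parse_iface_spec "$spec" 2>/dev/null); then
        echo "ok   $spec -> $out"
    else
        echo "bad  $spec"
    fi
done
```

Checking each field before anything is configured catches an out-of-range octet or an over-long prefix at the command line, where it is cheap to fix, rather than after an interface has already been plumbed for a zone.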
Example 16: Harden Zone Via Disabling Services
The following commands will disable all unnecessary services of non-
global zone m1 using the basic, jass, and jail methods. There are other
hardening methods as well; run zonemgr -h to see all of them.
# zonemgr -a modify -n m1 -s lock
# zonemgr -a modify -n m1 -s 'sbd|limited'
# zonemgr -a modify -n m1 -s jail
Example 17: A Complex Example
The following command will perform the steps listed below.
# zonemgr -a add -n m2 -t w \
-P "abc123" -R /root \
-I "192.168.0.10|hme0|24|m2" \
-r "/ds/build11/bits|/bits" \
-w "/zones/m2|/ds/m2" \
-s "basic|lock" -S ssh \
-C /etc/ssh/sshd_config \
-L "default|dtrace_proc|dtrace_user"
1. Add a whole root zone named m2 in /zones/m2.
2. Set the root password of that zone to abc123.
3. Set the home directory of the root user of the non-global
zone to /root.
4. Set the IP address of the zone to 192.168.0.10, the
netmask to 255.255.255.0, assign it to interface hme0, and
assign it a host name of m2.
5. Read only mount /ds/build11/bits from the global zone to
/bits in the non-global zone.
6. Read write mount /zones/m2 from the global zone to /ds/m2
in the non-global zone.
7. Disable all unnecessary services in the non-global zone
and restart the ssh service once the lockdown is complete.
8. Copy the /etc/ssh/sshd_config, /etc/resolv.conf, and
/etc/nsswitch.conf files from the global zone to the
non-global zone. The resolv.conf and nsswitch.conf are
copied for convenience only if they are present in the
global zone.
9. Add the dtrace_proc and dtrace_user privileges to the
non-global zone.
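To see what the mount and privilege flags of Example 17 amount to, the following added example (an illustration for this page, not zonemgr's own code path) renders -r, -w and -L as the zonecfg(1M) resources they correspond to: -r becomes a lofs fs resource with the ro option, -w the same resource without it, and -L a comma-separated limitpriv setting. The function names are chosen here, and a single-field -r value, as in NOTES (-r "/data1"), is assumed to mount at the same path inside the zone.

```shell
#!/bin/sh
# Added example: render the -r, -w and -L flags of Example 17 as the
# zonecfg(1M) resources they correspond to, so the global-zone paths and
# privileges a zone receives can be reviewed before the zone is built.
# This is an illustration written for this page, not zonemgr's own code
# path; the function names are chosen here. A -r or -w value with a single
# field (as in NOTES, -r "/data1") is assumed to mount at the same path
# inside the zone.

# emit_fs MODE "SRC|DST": one lofs fs resource; MODE is ro or rw.
emit_fs() {
    mode=$1
    arg=$2
    case $arg in
        *\|*\|*) echo "emit_fs: too many fields in '$arg'" >&2; return 1 ;;
        *\|*)    src=${arg%%|*}; dst=${arg#*|} ;;
        *)       src=$arg; dst=$arg ;;
    esac
    for p in "$src" "$dst"; do
        case $p in
            /*) ;;
            *) echo "emit_fs: '$p' is not an absolute path" >&2; return 1 ;;
        esac
    done
    printf 'add fs\nset dir=%s\nset special=%s\nset type=lofs\n' "$dst" "$src"
    if [ "$mode" = ro ]; then
        printf 'add options ro\n'      # read-only from inside the zone
    fi
    printf 'end\n'
}

# emit_limitpriv "priv|priv|...": zonecfg takes a comma-separated list.
emit_limitpriv() {
    privs=$(printf '%s' "$1" | tr '|' ',')
    case $privs in
        ''|*[!a-z0-9_,]*|,*|*,|*,,*)
            echo "emit_limitpriv: bad privilege list '$1'" >&2; return 1 ;;
    esac
    printf 'set limitpriv=%s\n' "$privs"
}

# zonemgr_to_zonecfg [-r "SRC|DST"]... [-w "SRC|DST"]... [-L "priv|..."]
# Prints a command batch of the form "zonecfg -z <zone> -f <file>" accepts.
zonemgr_to_zonecfg() {
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "zonemgr_to_zonecfg: $1 needs an argument" >&2; return 1; }
        case $1 in
            -r) emit_fs ro "$2" || return 1 ;;
            -w) emit_fs rw "$2" || return 1 ;;
            -L) emit_limitpriv "$2" || return 1 ;;
            *)  echo "zonemgr_to_zonecfg: unsupported flag '$1'" >&2; return 1 ;;
        esac
        shift 2
    done
    printf 'verify\ncommit\n'
}

# The mount and privilege flags from Example 17.
zonemgr_to_zonecfg -r "/ds/build11/bits|/bits" \
                   -w "/zones/m2|/ds/m2" \
                   -L "default|dtrace_proc|dtrace_user"
```

Reviewing this rendering before building the zone shows exactly which global-zone directories are exposed into the zone, whether they are writable from inside it, and which privileges beyond the default set the zone is granted.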
Example 18: Creating A BrandZ (e.g. Linux) Zone
The following command will add a BrandZ zone.
# zonemgr -a add -n m1 -P "abc123" \
-I "192.168.0.10|hme0|24|m1" \
-B "SUNWlx|all|/data/brandz/centos_fs_image.tar"
The parameters passed to -B break down as follows:
* SUNWlx: The zone brand (only lx is currently supported).
* On OpenSolaris, ipkg is the default brand. Do not specify ipkg; it
will be installed by default on OpenSolaris.
* all: The brand subset to install. Valid values include desktop,
applications, server, development, system, and all. I don't yet
have an idea as to how this option will impact other distributions
that folks come up with. These options may or may not be valid.
TBD.
* /data/brandz/centos_fs_image.tar: The path to the brand bits. I
simply pointed them to the BrandZ community's CentOS image.
Example 19: Add A Zone AND Install MySQL5 From BlastWave
The following command will add a zone named m1, download and install
mysql5 and all requisite bits from Blastwave.org, and install all those
bits in the proper order in the m1 zone.
# zonemgr -a add -n m1 -P "abc123" \
-I "192.168.0.10|hme0|24|m1" -G mysql5
Example 20: Add A ZFS Filesystem To An Existing Zone
The following command will create a legacy mode ZFS filesystem from the
myzfspool pool, set the ZFS mount point to /zfsdata, and mount that
filesystem exclusively within the m1 zone.
# zonemgr -a modify -n m1 -w "zfs|/zfsdata|zpool/m1data"
Example 21: Move One Or More Zones
The following command will move zone m1 from its present root zone
directory to /export.
# zonemgr -a move -n m1 -Z /export
The following command will move zones m1, m2, and m3 from their
present root zone directories to /export.
# zonemgr -a move -n "m1|m2|m3" -Z /export
Example 22: Detach And Attach A Zone
The following two commands will detach a zone and then re-attach it.
# zonemgr -a detach -n m1 -F
# zonemgr -a attach -n m1 -F
Example 23: Clone One Or More Zones
The following command will make a clone of zone m1 named m1clone.
# zonemgr -a clone -n m1 -y m1clone -Z /zones
The following command will make 3 statically named clones from the
source zone, m1.
# zonemgr -a clone -y m1 -n "m2|m3|m4"
The following command will make 5 dynamically named clones from the
source zone, m1.
# zonemgr -a clone -y m1 -o 'dCount|5'
NOTES
Note that most parameters are multivalued. In other words, you can
specify the same parameter multiple times. For example, to mount the
/data1 and /data2 directories in read only mode from the global zone to
the non-global zone, add the following to the add action:
-r "/data1" -r "/data2"
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 An error occurred.
SEE ALSO
svcs(1), zlogin(1), zonename(1), svcadm(1M), svc.startd(1M), init(1M),
zoneadm(1M), zonecfg(1M), attributes(5), smf(5), zones(5)