7/23/2019 Solaris 11 Zones P2 Properties
Oracle Solaris 11 Zones Part 2: New zone configuration properties.
Author: Tim Wort
Introduction
A number of new zonecfg(1M) properties are added to Oracle Solaris 11 zones. Below is a list of the properties for both an Oracle Solaris 10 and an Oracle Solaris 11 zone. Properties added by the Solaris 11 release 11/11 are in bold. Properties added by later releases of Solaris 11 are noted by release.
Oracle Solaris 10 zonecfg properties
For resource type ... there are property types ...:
(global) zonename
(global) zonepath
(global) brand
(global) autoboot
(global) bootargs
(global) pool
(global) limitpriv
(global) scheduling-class
(global) ip-type
(global) hostid
(global) max-lwps
(global) max-shm-memory
(global) max-shm-ids
(global) max-msg-ids
(global) max-sem-ids
(global) cpu-shares
fs dir, special, raw, type
inherit-pkg-dir dir
net address, physical, defrouter
device match
rctl name, value
attr name, type, value
dataset name
dedicated-cpu ncpus, importance
capped-cpu ncpus
capped-memory physical, swap, locked
In the Oracle Solaris 10 list above the inherit-pkg-dir resource is listed but it is not present in the Oracle Solaris 11 list below; sparse root model zones are no longer supported. In the Oracle Solaris 11 list the file-mac-profile property, the fs-allowed property, the max-processes property, the anet resource and the admin resource are added. In addition, new resource properties are added to the net and device resources.
Oracle Solaris 11 zonecfg properties
For resource type ... there are property types ...:
(global) zonename
(global) zonepath
(global) brand
(global) autoboot
(global) autoshutdown (Solaris 11.2)
(global) bootargs
(global) file-mac-profile
(global) pool
(global) limitpriv
(global) scheduling-class
(global) ip-type
(global) hostid
(global) fs-allowed
(global) max-lwps
(global) max-processes
(global) max-shm-memory
(global) max-shm-ids
(global) max-msg-ids
(global) max-sem-ids
(global) cpu-shares
(global) tenant (Solaris 11.2)
fs dir, special, raw, type, options
net address, allowed-address, physical, defrouter, configure-allowed-address
anet linkname, lower-link, allowed-address, configure-allowed-address, defrouter, allowed-dhcp-cids, link-protection, mac-address, mac-prefix, mac-slot, vlan-id, priority, rxrings, txrings, mtu, maxbw
(added by Solaris 11.1) rxfanout, vsi-typeid, vsi-vers, vsi-mgrid, etsbw-lcl, cos, pkey, linkmode
(added by Solaris 11.2) evs, vport
device match, allow-partition, allow-raw-io
(added by Solaris 11.2) storage
rctl name, value
attr name, type, value
dataset name
dedicated-cpu ncpus, importance
(added by Solaris 11.2) cpus, cores, sockets
capped-cpu ncpus
capped-memory physical, swap, locked
admin user, auths
(added by Solaris 11.1) rootzpool install-size, storage
zpool install-size, name, storage
The autoshutdown Global Property (Solaris 11.2)
This property determines the action taken to shut down the non-global zone on a graceful shutdown of the global zone. Possible values are:
shutdown - A clean zone shutdown. This is the default.
halt
suspend
The tenant Global Property (Solaris 11.2)
This property works with EVS (Elastic Virtual Switch). See evsadm(1M). It defines the name of the tenant that owns the EVS to which a VNIC anet will be connected.
The file-mac-profile Global Property
The file-mac-profile property is used to configure an immutable zone. Immutable zones have a read-only root. The kernel applies the read restriction based on the setting for this property. The property is not set by default, which is the equivalent of a none setting. The possible settings for this property are:
none - The default; a standard read-write zone.
strict - A read-only file system where packages cannot be added, services are fixed, log files are read-only and should be configured for remote logging, and configurations such as auditing are fixed.
fixed-configuration - Same as strict with the following exceptions: log files can be written locally and most of /var/ is writable; syslog and audit configurations cannot be changed.
flexible-configuration - Same as fixed-configuration with the following exceptions: the /etc/ directory is writable, /var/ is writable, and the configuration files for syslog and auditing can be changed. Functionality is similar to a sparse root model zone in Oracle Solaris 10.
To examine the property further, a read-only zone has been created; following is the configuration information for the zone. The network interface is set to shared; automatic network configuration will not work correctly and will require intervention by the administrator of the zone. The better configurations to use are shared or exclusive with a VNIC configured in the global zone and assigned specifically to the non-global zone.
Read-only Zone configuration
# zonecfg -z readonly
readonly: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:readonly> create -t default-shared-ip
zonecfg:readonly> set zonepath=/zones/readonly
zonecfg:readonly> set file-mac-profile=strict
zonecfg:readonly> add net
zonecfg:readonly:net> set physical=net0
zonecfg:readonly:net> set address=./0.0.0/1
zonecfg:readonly:net> end
zonecfg:readonly> exit
The zone install is standard; the zone will boot as a writable zone until the system configuration information is added and the milestone self-assembly-complete completes; the zone will then reboot to read-only mode. The state of the zone can be examined for the read-write or read-only modes by using the list -p option to the zoneadm command:
Zone booted: not configured
# zoneadm -z readonly list -p
2:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:W:strict
The second to last field [W] indicates the zone is writable; the last field shows the file-mac-profile property setting.
Zone configured: service self-assembly-complete completed; rebooting
# zoneadm -z readonly list -p
4:readonly:down:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:-strict
Zone rebooting
# zoneadm -z readonly list -p
/:readonly:ready:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:-strict
Zone booted: read-only
# zoneadm -z readonly list -p
/:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:R:strict
The second to last field [R] indicates the zone is read-only.
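As an added example (not part of the original article), the following POSIX sh script reads zoneadm list -p lines like those shown above and reports each zone's read-only or writable state and its file-mac-profile; it also flags immutable zones that are currently booted writable. The sample lines and their UUIDs are constructed placeholders, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the original article.  In Oracle Solaris 11 the
# colon-separated fields of `zoneadm list -p` are:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type:r/w:file-mac-profile
# Field 8 is W (booted writable) or R (booted read-only); field 9 is the
# file-mac-profile value and is empty when the property is not set.

# Constructed sample output (UUIDs are placeholders, not real values).
SAMPLE_LINES='2:readonly:running:/zones/readonly:UUID-PLACEHOLDER-1:solaris:shared:W:strict
5:readonly:running:/zones/readonly:UUID-PLACEHOLDER-1:solaris:shared:R:strict
6:fszone:running:/zones/fszone:UUID-PLACEHOLDER-2:solaris:shared:W:
0:global:running:/:UUID-PLACEHOLDER-3:solaris:shared:W:'

# zone_mode LINE -> prints "read-only" or "writable"
zone_mode() {
    printf '%s\n' "$1" | awk -F: '{ mode = ($8 == "R") ? "read-only" : "writable"; print mode }'
}

# zone_profile LINE -> prints the file-mac-profile value, or "none" when unset
zone_profile() {
    printf '%s\n' "$1" | awk -F: '{ p = ($9 == "") ? "none" : $9; print p }'
}

# immutable_but_writable LINES -> names of zones that have an immutable
# profile configured but are currently booted writable (for example after
# `zoneadm -z ZONE reboot -w`), one name per line.  In that state the
# read-only protection is suspended until the next normal reboot, so it is
# the condition an operator wants to notice.
immutable_but_writable() {
    printf '%s\n' "$1" | awk -F: '$9 != "" && $9 != "none" && $8 != "R" { print $2 }'
}

# report LINES -> one line per zone: name, mode, profile
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | cut -d: -f2)
        printf '%-10s %-9s %s\n' "$name" "$(zone_mode "$line")" "$(zone_profile "$line")"
    done
}

report "$SAMPLE_LINES"
immutable_but_writable "$SAMPLE_LINES" | sed 's/^/WARNING: immutable zone booted writable: /'
```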
Logging into the zone via the console will show indications of the read-only state of the zone, for example:
Nov 4 01:13:43 readonly sendmail[2000]: unable to write pid to /var/spool/clientmqueue/sm-client.pid: Read-only file system
Nov 4 01:13:40 readonly sendmail[2306]: unable to qualify my own domain name (readonly) -- using short name
Nov 4 01:13:4 readonly sendmail[2306]: NOQUEUE: SYSERR(root):
Oracle Corporation SunOS 5.11 11.0 November 2011
tim@readonly:~$
Next is an examination of the zone to confirm the restrictions; first file writes and syslog:
Test file and syslog write
root@readonly:~# touch /var/tmp/testfile
touch: cannot create /var/tmp/testfile: Read-only file system
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system
root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system
root@readonly:/# logger -p auth.emerg tester
Nov 4 04:41:4 readonly last message repeated time
Nov 4 04:4/:01 readonly root: [ID 30 auth.emerg] tester
Message from syslogd@readonly at Fri Nov 4 04:4/:01 0 ...
readonly last message repeated time
Message from syslogd@readonly at Fri Nov 4 04:4/:01 0 ...
readonly root: [ID 30 auth.emerg] tester
root@readonly:/# tail /var/adm/messages
Nov 4 04:12:02 readonly sendmail[3/3]: [ID 30 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 4 04:12:02 readonly sendmail[33]: [ID 30 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 4 04:11:02 readonly sendmail[3/3]: [ID 30 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 4 04:11:02 readonly sendmail[33]: [ID 30 mail.alert] unable to qualify my own domain name (readonly) -- using short name
The string tester would have been written to /var/adm/messages in a writable zone, but in the strict read-only zone /var/adm/messages is not writable.
Next a service state is changed and a reboot is performed to show that the current state of the service is persistent (fixed):
root@readonly:~# svcs ssh
STATE          STIME    FMRI
online         1:1/:40  svc:/network/ssh:default
root@readonly:~# svcadm disable ssh
root@readonly:~# svcs ssh
STATE          STIME    FMRI
disabled       4:1:1    svc:/network/ssh:default
root@readonly:~# reboot
[Connection to zone 'readonly' pts/2 closed]
# zoneadm -z readonly list -p
/:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:R:strict
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@readonly:~# svcs ssh
STATE          STIME    FMRI
online         4:3:     svc:/network/ssh:default
In a read-write zone changing a service state will survive a reboot. In the read-only zone the repository is updated in memory so the service can be disabled; however, the repository's new state for that service cannot be written to persistent storage, so the state of the repository remains as it was when the repository was last written.
Packages are not available to the read-only zone; in the next test the zone is booted as a writable zone by passing the -w option to the zoneadm command. In the writable state the pkg command is verified, then the zone is rebooted to read-only mode and the same commands are tested.
Zone booted Read-write
# zoneadm -z readonly reboot -w
# zoneadm -z readonly list -p
3:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:W:strict
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@readonly:~#
pkg(1) command and network verified
root@readonly:~# getent hosts sol--server
./0.0.00 sol--server.timwort.org
root@readonly:~# pkg publisher
PUBLISHER                   TYPE     STATUS   URI
solaris         (syspub)    origin   online   proxy://http://sol--server.timwort.org/
root@readonly:~# pkg search -r wireshark
INDEX       ACTION VALUE                                                                     PACKAGE
pkg.summary set    Libraries and Tools used by Wireshark and TShark Network protocol analyzers pkg:/diagnostic/wireshark/wireshark-common@.1.0-0.34.0.0.0..423
basename    dir    usr/lib/wireshark                                                         pkg:/diagnostic/wireshark/wireshark-common@.1.0-0.34.0.0.0..423
basename    dir    usr/share/wireshark                                                       pkg:/diagnostic/wireshark/wireshark-common@.1.0-0.34.0.0.0..423
basename    file   usr/sbin/wireshark                                                        pkg:/diagnostic/wireshark@.1.0-0.34.0.0.0..423
pkg.fmri    set    solaris/diagnostic/wireshark                                              pkg:/diagnostic/wireshark@.1.0-0.34.0.0.0..423
Zone booted to read-only state
# zoneadm -z readonly reboot
# zoneadm -z readonly list -p
0:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:R:strict
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
pkg(1) command and network verified
root@readonly:~# getent hosts sol--server
./0.0.00 sol--server.timwort.org
root@readonly:~# pkg search -r wireshark
Segmentation Fault
root@readonly:~# pkg publisher
Segmentation Fault
Next the zone will be configured as a fixed-configuration zone and verified:
Zone configured as fixed-configuration and rebooted
# zonecfg -z readonly set file-mac-profile=fixed-configuration
# zoneadm -z readonly boot
# zoneadm -z readonly list -p
:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:R:fixed-configuration
Test file and syslog write
root@readonly:~# touch /var/tmp/testfile
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system
root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system
root@readonly:~# logger -p auth.emerg tester
Nov 4 0/:1:10 readonly root: [ID 30 auth.emerg] tester
Message from syslogd@readonly at Fri Nov 4 0/:1:10 0 ...
readonly root: [ID 30 auth.emerg] tester
root@readonly:~# tail /var/adm/messages
Nov 4 04:12:02 readonly sendmail[3/3]: [ID 30 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 4 04:12:02 readonly sendmail[33]: [ID 30 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 4 04:11:02 readonly sendmail[3/3]: [ID 30 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 4 04:11:02 readonly sendmail[33]: [ID 30 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 4 0/:21:41 readonly sendmail[506]: [ID 30 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 4 0/:24:41 readonly sendmail[506]: [ID 30 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov ! *4+4 readonly root: [ID 01++ auth.emerg] tester
In the fixed-configuration read-only configuration most of /var is writable and log files are writable, as seen by the previous commands.
Next the zone is configured as a flexible-configuration read-only zone and the configuration is verified:
Zone configured as flexible-configuration and rebooted
# zonecfg -z readonly set file-mac-profile=flexible-configuration
# zoneadm -z readonly boot
# zoneadm -z readonly list -p
:readonly:running:/zones/readonly:0a03b/-bb2/-/aa-f00a-b/0f1a3e3da:solaris:shared:R:flexible-configuration
Verify the flexible-configuration read-only zone configuration
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@readonly:~# touch /usr/tester
touch: cannot create /usr/tester: Read-only file system
root@readonly:~# touch /etc/testfile
root@readonly:~# touch /lib/testfile
touch: cannot create /lib/testfile: Read-only file system
root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system
root@readonly:~# touch /root/testfile
The flexible-configuration profile allows access to root's home directory, /etc and /var, but other file systems are restricted.
The restrictions applied to a read-only zone are not applied to read-write file systems that are mounted read-write into the zone via NFS or through the zone configuration, for example:
Read-only zone: /opt not writable
# zonecfg -z readonly set file-mac-profile=strict
# zoneadm -z readonly boot
# zlogin readonly
[Connected to zone 'readonly' pts/]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@readonly:~# touch /opt/myfile
touch: cannot create /opt/myfile: Read-only file system
root@readonly:~# halt
[Connection to zone 'readonly' pts/ closed]
Create a ZFS file system and add it to the zone configuration
# zfs create -p rpool/dstor/fs
# zonecfg -z readonly "add fs;set type=zfs;set dir=/opt/local;set special=rpool/dstor/fs;end;exit"
# zfs set mountpoint=legacy rpool/dstor/fs
# zoneadm -z readonly boot
Verify write to file system
# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@readonly:~# touch /opt/local/myfile
root@readonly:~#
Solaris 11.2 adds Read-Only Global zone configurations. Immutable global zones will have a read-only zone root.
Read-Only Immutable Global zone
# zonecfg -z global set file-mac-profile=fixed-configuration
The fs-allowed Global Property
The fs-allowed property determines the file system types that can be mounted within a non-global zone. By default hsfs(7FS) and NFS file systems can be mounted in the zone. The property takes a comma-separated list of file system types.
In the following example the zone is at a default configuration and the fs-allowed property is not set.
super-block backups (for fsck -F ufs -o b=#) at:
2, 0/3/, 320,
root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol /mnt
mount: Insufficient privileges
root@fszone:~# exit
logout
[Connection to zone 'fszone' pts/ closed]
With fs-allowed set
# zonecfg -z fszone set fs-allowed=ufs
# zoneadm -z fszone reboot
# zlogin fszone
[Connected to zone 'fszone' pts/]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol /mnt
root@fszone:~# ls /mnt
lost+found
The max-processes and zone.max-lofi Global properties
A new resource control max-processes is defined. The property sets the maximum number of process table slots simultaneously available to this zone. This property is the preferred way to set the zone.max-processes resource control.
Setting this property will implicitly set the value of the max-lwps property to 10 times the number of process slots unless the max-lwps property has been set explicitly.
Additionally, loopback file system (lofi) devices are allowed within a zone; the resource control zone.max-lofi defines the maximum number of lofi(7D) devices available to a zone.
max-processes
# zonecfg -z ozone "set max-processes=200;exit"
# zonecfg -z ozone info
...
[max-processes: 200]
...
rctl:
	name: zone.max-processes
	value: (priv=privileged,limit=200,action=deny)
zone.max-lofi
zonecfg:ozone> add rctl
zonecfg:ozone:rctl> set name=zone.max-lofi
zonecfg:ozone:rctl> set value=(priv=privileged,limit=0,action=deny)
zonecfg:ozone:rctl> help
zonecfg:ozone:rctl> end
Results
# prctl -i zone ozone
zone: 4: ozone
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.max-lofi
        usage
        privileged          0       -   deny                                 -
        system          0%43     max   deny                                 -
zone.max-swap
        usage          13.1MB
        system          /.0B     max   deny                                 -
zone.max-locked-memory
        usage              0B
        system          /.0B     max   deny                                 -
zone.max-shm-memory
        system          /.0B     max   deny                                 -
zone.max-shm-ids
        system          /.0M     max   deny                                 -
zone.max-sem-ids
        system          /.0M     max   deny                                 -
zone.max-msg-ids
        system          /.0M     max   deny                                 -
zone.max-processes
        usage               /
        privileged                  -   deny                                 -
        system          %0/5     max   deny                                 -
zone.max-lwps
        usage               4
        privileged         %6       -   deny                                 -
        system          %0/5     max   deny                                 -
zone.cpu-cap
        usage               0
        system           1.G     inf   deny                                 -
zone.cpu-shares
        usage
        privileged                  -   none                                 -
        system         /4.4K     max   none                                 -
The new device Resource properties
Oracle Solaris 11 adds two new resource properties to the device resource. In Oracle Solaris 10 only the match property could be set, to some allowable device. In Oracle Solaris 11 the allow-partition and the allow-raw-io resource properties are added to the device resource. These resource properties are configured as either true or false, with the default setting being false.
The allow-partition property allows a disk to be labeled with the format command. The allow-raw-io property allows uscsi(7I) commands to be executed against the device. Adding devices to a zone, or using the allow-partition property or the allow-raw-io property, should be done with caution. Access to a device driver can allow a malicious user to panic the system or access other devices on the bus. This resource and these resource properties should not be used without first understanding the security implications. See uscsi(7I), Device Use in Non-Global
The following example shows the use of the allow-partition property:
Current zone state
# zonecfg -z fszone info
zonename: fszone
zonepath: /zones/fszone
brand: solaris
autoboot: false
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed: ufs
net:
	address: ./0.0.0/1
	allowed-address not specified
	configure-allowed-address: true
	physical: net0
	defrouter not specified
Selecting a device to add to the zone
# zpool status
  pool: rpool
 state: ONLINE
  scan: none requested
config:
	NAME        STATE   READ WRITE CKSUM
	rpool       ONLINE     0     0     0
	  c2t0d0s0  ONLINE     0     0     0
errors: No known data errors
# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c2t0d0 <ATA-VBOX HARDDISK-.0 cyl 004 alt hd 44 sec /2>
          /pci@0,0/pci000/,0@d/disk@0,0
       . c2td0 <ATA-VBOX HARDDISK-.0 cyl 0 alt hd /1 sec 2>
          /pci@0,0/pci000/,0@d/disk@,0
Specify disk (enter its number): ^D
Adding the device and testing
# zonecfg -z fszone "add device;set match=/dev/*dsk/c2td0s*;end;exit"
# zoneadm -z fszone reboot
root@ol---desktop:~# zlogin fszone
[Connected to zone 'fszone' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@fszone:~# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c2td0 <ATA-VBOX HARDDISK-.0 cyl 0 alt hd /1 sec 2>
          sd at pciclass,00/00 slave /
Specify disk (enter its number): 0
selecting c2td0
Permission denied.
root@fszone:~# exit
logout
[Connection to zone 'fszone' pts/2 closed]
Setting the allow-partition property and testing
# zonecfg -z fszone "select device match=/dev/*dsk/c2td0s*;set allow-partition=true;end;exit"
# zoneadm -z fszone reboot
# zlogin fszone
[Connected to zone 'fszone' pts/2]
Oracle Corporation SunOS 5.11 11.0 November 2011
root@fszone:~# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c2td0 <ATA-VBOX HARDDISK-.0 cyl 0 alt hd /1 sec 2>
          sd at pciclass,00/00 slave /
Specify disk (enter its number): 0
selecting c2td0
[disk formatted]
No Solaris fdisk partition found.
FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        volname    - set 0-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> p
PARTITION MENU:
        0      - change '0' partition
               - change '' partition
               - change '' partition
        2      - change '2' partition
        1      - change '1' partition
        4      - change '4' partition
        /      - change '/' partition
        3      - change '3' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> p
Current partition table (original):
Total disk cylinders available: 0 + (reserved cylinders)
Part      Tag    Flag     Cylinders         Size            Blocks
  0 unassigned    wm       0                0         (0/0/0)            0
    unassigned    wm       0                0         (0/0/0)            0
    backup        wu       0 - 3         0.00MB      (0/0/0)        00301
  2 unassigned    wm       0                0         (0/0/0)            0
  1 unassigned    wm       0                0         (0/0/0)            0
  4 unassigned    wm       0                0         (0/0/0)            0
  / unassigned    wm       0                0         (0/0/0)            0
  3 unassigned    wm       0                0         (0/0/0)            0
  0 boot          wu       0 - 0          .00MB      (/0/0)           010
    unassigned    wm       0                0         (0/0/0)            0
partition> m
Select partitioning base:
        0. Current partition table (original)
        . All Free Hog
Choose base (enter number) [0]?
Part      Tag    Flag     Cylinders         Size            Blocks
  0 root          wm       0                0         (0/0/0)            0
    swap          wu       0                0         (0/0/0)            0
    backup        wu       0 - 3         0.00MB      (0/0/0)        00301
  2 unassigned    wm       0                0         (0/0/0)            0
  1 unassigned    wm       0                0         (0/0/0)            0
  4 unassigned    wm       0                0         (0/0/0)            0
  / usr           wm       0                0         (0/0/0)            0
  3 unassigned    wm       0                0         (0/0/0)            0
  0 boot          wu       0 - 0          .00MB      (/0/0)           010
    alternates    wm       0                0         (0/0/0)            0
Do you wish to continue creating a new partition
table based on above table[yes]?
Free Hog partition[/]? 0
Enter size of partition '' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '2' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '1' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '4' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '/' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '3' [0b, 0c, 0.00mb, 0.00gb]:
Part      Tag    Flag     Cylinders         Size            Blocks
  0 root          wm        - 3           3.00MB      (3/0/0)         0/4/
    swap          wu       0                0         (0/0/0)            0
    backup        wu       0 - 3         0.00MB      (0/0/0)        00301
  2 unassigned    wm       0                0         (0/0/0)            0
  1 unassigned    wm       0                0         (0/0/0)            0
  4 unassigned    wm       0                0         (0/0/0)            0
  / usr           wm       0                0         (0/0/0)            0
  3 unassigned    wm       0                0         (0/0/0)            0
  0 boot          wu       0 - 0          .00MB      (/0/0)           010
    alternates    wm       0                0         (0/0/0)            0
Okay to make this the current partition table[yes]?
Enter table name (remember quotes): t
Ready to label disk, continue? y
partition> p
Current partition table (t):
Total disk cylinders available: 0 + (reserved cylinders)
Part      Tag    Flag     Cylinders         Size            Blocks
  0 unassigned    wm        - 3           3.00MB      (3/0/0)         0/4/
    unassigned    wm       0                0         (0/0/0)            0
    backup        wu       0 - 3         0.00MB      (0/0/0)        00301
  2 unassigned    wm       0                0         (0/0/0)            0
  1 unassigned    wm       0                0         (0/0/0)            0
  4 unassigned    wm       0                0         (0/0/0)            0
  / unassigned    wm       0                0         (0/0/0)            0
  3 unassigned    wm       0                0         (0/0/0)            0
  0 boot          wu       0 - 0          .00MB      (/0/0)           010
    unassigned    wm       0                0         (0/0/0)            0
partition> ^D
root@fszone:~#
The storage property is added to the device resource by Solaris 11.2. The property can be set to a storage URI (SURI); see suri(5). The SURI is mapped when the zone boots, allow-partition is automatically set to true, and the matching device nodes are available inside the zone. The SURI is unmapped when the zone halts.
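As an added check (not from the original article), the following POSIX sh script parses zonecfg -z ZONE info output for the device resource properties described in this section and for the fs-allowed property described earlier, listing every device resource whose allow-partition or allow-raw-io is true. The sample zonecfg output, the device paths and the fs-allowed value are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article.  Audits `zonecfg -z ZONE info`
# output: device resources that set allow-partition or allow-raw-io to true
# widen what the zone can do to the underlying device (labeling with format,
# raw uscsi(7I) commands), so each occurrence should be a deliberate,
# documented decision.  Both properties default to false.

# Constructed sample (not captured from a real system).  Real zonecfg output
# indents sub-properties with a tab; the parser accepts tabs or spaces.
SAMPLE_INFO='zonename: fszone
zonepath: /zones/fszone
brand: solaris
ip-type: shared
fs-allowed: ufs
device:
    match: /dev/*dsk/c2t1d0s*
    allow-partition: true
    allow-raw-io: false
device:
    match: /dev/rmt/0
    allow-partition: false
    allow-raw-io: true
device:
    match: /dev/zvol/dsk/rpool/datastor/vol
    allow-partition: false
    allow-raw-io: false'

# risky_devices INFO -> one line per device resource with allow-partition or
# allow-raw-io set to true:  <match> allow-partition=<v> allow-raw-io=<v>
risky_devices() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (indev && (ap == "true" || raw == "true"))
                printf "%s allow-partition=%s allow-raw-io=%s\n", m, ap, raw
            indev = 0; m = ""; ap = "false"; raw = "false"
        }
        /^device:/                         { flush(); indev = 1; next }
        /^[^ \t]/                          { flush(); next }
        indev && /^[ \t]*match:/           { sub(/^[ \t]*match:[ \t]*/, ""); m = $0; next }
        indev && /^[ \t]*allow-partition:/ { ap = $2; next }
        indev && /^[ \t]*allow-raw-io:/    { raw = $2; next }
        END { flush() }'
}

# fs_allowed INFO -> the fs-allowed list, or "default" when the property is unset
fs_allowed() {
    printf '%s\n' "$1" | awk -F': *' '
        /^fs-allowed:/ { v = $2 }
        END { if (v == "") print "default"; else print v }'
}

echo "fs-allowed: $(fs_allowed "$SAMPLE_INFO")"
risky_devices "$SAMPLE_INFO" | sed 's/^/REVIEW: device grants extra access: /'
```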
The anet and net Resource Properties
When a non-global zone is created the default networking is configured as an exclusive-IP type with an anet resource. The anet resource creates a VNIC for the non-global zone. The VNIC is present when the non-global zone is booted and destroyed when the non-global zone is shut down. An example of the anet resource can be seen in Part 1 of this document.
The anet properties
anet:
	linkname: net0
	lower-link: auto
	allowed-address not specified
	configure-allowed-address: true
	defrouter not specified
	allowed-dhcp-cids not specified
	link-protection: mac-nospoof
	mac-address: random
	auto-mac-address: :0:0:fa:fb:da
	mac-prefix not specified
	mac-slot not specified
	vlan-id not specified
	priority not specified
	rxrings not specified
	txrings not specified
	mtu not specified
	maxbw not specified
(Added by Solaris 11.1)
	rxfanout not specified
	vsi-typeid not specified
	vsi-vers not specified
	vsi-mgrid not specified
	etsbw-lcl not specified
	cos not specified
	pkey not specified
	linkmode not specified
(Added by Solaris 11.2)
	evs not specified
	vport not specified
Most of the anet properties are self-explanatory and all are defined in the zonecfg(1M) man page. The table below examines a few of the more interesting properties.
lower-link: auto - Defines the link in the global zone that will be used for the VNIC; the property can be set to any existing link as described by the dladm(1M) command. When set to auto the link selection order is: first a configured link aggregation in the up state, next an Ethernet link in the up state chosen based on an alphabetic sort, then the net0 link if available.
mac-address: random - Can be set to factory, random or auto. Auto attempts to use a factory MAC; if no factory address is available then random is used. A random address is preserved across reboots to support DHCP.
auto-mac-address: - When the anet resource is used this property is populated with the assigned MAC address.
mac-prefix - Sets a prefix for the random MAC address if required.
mac-slot - A slot location for a specific factory MAC address.
Solaris 11.1 added more anet resource properties; these properties are described in the dladm(1M) man page. Solaris 11.2 added two more anet resource properties; these properties are used in the EVS environment. See evsadm(1M).
The net resource properties include defrouter, allowed-address and configure-allowed-address.
defrouter - The property is optional and should only be set to an address on a different subnet than is configured for the global zone.
allowed-address - Used with exclusive-IP zones only. If used, this property constrains the IP address(es) that can be used to configure the interface in the zone. When set, the allowed-address property also sets the configure-allowed-address property to true.
configure-allowed-address - When this property is set to true the address defined by the allowed-address property will be configured on the interface when the non-global zone boots.
The admin Resource
The admin resource allows delegation of administrator tasks for a particular zone to a non-root user or a role. Two properties can be set: the user property, which defines a user or role, and the auths property, which defines one or more authorizations.
The user property takes a user or role that must exist in the global zone.
The auths property can be set to a comma-separated list. The possible values are login (authenticated login to this zone), manage (allows management of this zone using zoneadm(1M)) and copyfrom (allows cloning of this zone).
Create a role for zone administration
# roleadd -m -d /export/home/zadmin -s /usr/bin/pfbash zadmin
80 blocks
# passwd zadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for zadmin
Add the role to the zone
# zonecfg -z ozone "add admin;set user=zadmin;set auths=login,manage;end"
Found user in files repository.
The result of the previous command
# grep zadmin /etc/user_attr
zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role
Assign the role to a user
# usermod -R zadmin tim
Found user in files repository.
UX: usermod: tim is currently logged in, some changes may not take effect until next login.
Examine the user and role
tim: profiles
Basic Solaris User
All
tim: roles
zadmin
tim: su zadmin
Password:
zadmin: profiles
Zone Management
All
Basic Solaris User
zadmin: profiles -p "Zone Management"
Found profile in files repository.
profiles:Zone Management> info
name=Zone Management
desc=Zones Virtual Application Environment Administration
help=tZoneMngmnt.html
cmd=/usr/sbin/zoneadm
cmd=/usr/sbin/zlogin
profiles:Zone Management> exit
Verify use of the role
zadmin: zoneadm -z ozone shutdown -r
zadmin: zoneadm list -cv
  ID NAME     STATUS   PATH           BRAND    IP
   0 global   running  /              solaris  shared
   : ozone    running  /zones/ozone   solaris  excl
   ; zone<    running  /zones/zone<   solaris  excl
zadmin: zlogin ozone
[Connected to zone 'ozone' pts/@]
Oracle Corporation SunOS
zadmin: zoneadm -z zone< shutdown -r
zoneadm: zone 'zone
The zone creation.
root@anarchy:# zonecfg -z poolzone
Use 'create' to begin configuring a new zone.
zonecfg:poolzone> create
create: Using system default template 'SYSdefault'
zonecfg:poolzone> add rootzpool
zonecfg:poolzone:rootzpool> add storage dev:dsk/c@t@d0
zonecfg:poolzone:rootzpool> add storage dev:dsk/c@t:d0
zonecfg:poolzone:rootzpool> end
zonecfg:poolzone> add zpool
zonecfg:poolzone:zpool> add storage dev:dsk/c@tCd0
zonecfg:poolzone:zpool> add storage dev:dsk/c@tFd0
zonecfg:poolzone:zpool> set name=pool
Created zone zpool: poolzone_pool
Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: poolzone
Installation: Starting ...
Creating IPS image
Startup linked:
root@anarchy:# zpool status
  pool: poolzone_pool
	NAME              STATE   READ WRITE CKSUM
	poolzone_rpool    ONLINE     0     0     0
	  mirror-0        ONLINE     0     0     0
	    c@t@d0        ONLINE     0     0     0
	    c@t:d0        ONLINE     0     0     0
errors: No known data errors
  pool: rpool
 state: ONLINE
  scan: none requested
config:
	NAME              STATE   READ WRITE CKSUM
	rpool             ONLINE     0     0     0
	  c@t0d0          ONLINE     0     0     0
errors: No known data errors
(After zone is booted)
root@anarchy:# zlogin poolzone zpool status
  pool: pool
	NAME              STATE   READ WRITE CKSUM
	rpool             ONLINE     0     0     0
	  mirror-0        ONLINE     0     0     0
	    c@t@d0        ONLINE     0     0     0
	    c@t:d0        ONLINE     0     0     0
errors: No known data errors