Zone Components
This section covers the required and optional zone components that can be configured.
Additional information is provided in Zone Configuration Data.
Zone Name and Path
You must choose a name and a path for your zone.
Zone Autoboot
The autoboot property setting determines whether the zone is automatically booted when the
global zone is booted. The zones service, svc:/system/zones:default, must also be enabled.
Resource Pool Association
If you have configured resource pools on your system as described in
Chapter 13, Creating and Administering Resource Pools (Tasks), you can use the pool property to associate the zone with one
of the resource pools when you configure the zone.
If you do not have resource pools configured, you can still specify that
a subset of the system's processors be dedicated to a non-global zone while
it is running by using the dedicated-cpu resource. The system will dynamically create
a temporary pool for use while the zone is running. With specification through
zonecfg, pool settings propagate during migrations.
Note - A zone configuration using a persistent pool set through the pool property
is incompatible with a temporary pool configured through the dedicated-cpu resource. You can
set only one of these two properties.
dedicated-cpu Resource
The dedicated-cpu resource specifies that a subset of the system's processors should be
dedicated to a non-global zone while it is running. When the zone boots,
the system will dynamically create a temporary pool for use while the zone
is running.
With specification in zonecfg, pool settings propagate during migrations.
The dedicated-cpu resource sets limits for ncpus, and optionally, importance.
- ncpus
Specify the number of CPUs or specify a range, such as 2–4 CPUs. If you specify a range because you want dynamic resource pool behavior, also set the importance property, described next.
- importance
The importance property, which is optional, defines the relative importance of the pool. This property is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, then importance is ignored. If poold is running and importance is not set, importance defaults to 1. For more information, see pool.importance Property Constraint.
Note - The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl and
the dedicated-cpu resource are incompatible.
capped-cpu Resource
The capped-cpu resource provides an absolute fine-grained limit on the amount of CPU
resources that can be consumed by a project or a zone. When used
in conjunction with processor sets, CPU caps limit CPU usage within a
set. The capped-cpu resource has a single ncpus property that is a positive
decimal with two digits to the right of the decimal. This property corresponds
to units of CPUs. The resource does not accept a range. The resource
does accept a decimal number. When specifying ncpus, a value of 1 means
100 percent of a CPU. A value of 1.25 means 125 percent, because
100 percent corresponds to one full CPU on the system.
Note - The capped-cpu resource and the dedicated-cpu resource are incompatible.
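As an added example (not part of the Solaris documentation), the following POSIX shell function turns the CPU settings chosen for a zone into zonecfg command-file lines and refuses the combinations the notes above mark as incompatible. The function name and the temporary file path in the comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): emits the zonecfg
# command-file lines for a zone's CPU settings and refuses the combinations
# the text above calls incompatible: a persistent pool with dedicated-cpu,
# dedicated-cpu with capped-cpu, and dedicated-cpu with cpu-shares.
# Usage: cpu_config POOL NCPUS IMPORTANCE CAP SHARES  (pass "" for unset)
cpu_config() {
    pool=$1 ncpus=$2 importance=$3 cap=$4 shares=$5
    if [ -n "$ncpus" ] && [ -n "$pool" ]; then
        echo "error: pool and dedicated-cpu cannot both be set" >&2; return 1
    fi
    if [ -n "$ncpus" ] && [ -n "$cap" ]; then
        echo "error: dedicated-cpu and capped-cpu are incompatible" >&2; return 1
    fi
    if [ -n "$ncpus" ] && [ -n "$shares" ]; then
        echo "error: dedicated-cpu and cpu-shares are incompatible" >&2; return 1
    fi
    # A range such as 2-4 relies on poold; warn if importance was left unset.
    case $ncpus in
        *-*) [ -n "$importance" ] || echo "warning: ncpus range without importance (defaults to 1 under poold)" >&2 ;;
    esac
    [ -n "$pool" ] && echo "set pool=$pool"
    if [ -n "$ncpus" ]; then
        echo "add dedicated-cpu"
        echo "set ncpus=$ncpus"
        [ -n "$importance" ] && echo "set importance=$importance"
        echo "end"
    fi
    [ -n "$cap" ] && printf 'add capped-cpu\nset ncpus=%s\nend\n' "$cap"
    [ -n "$shares" ] && echo "set cpu-shares=$shares"
    return 0
}

# Example use on a Solaris host (hypothetical zone name and path):
#   cpu_config "" 2-4 10 "" "" > /tmp/zone1.cfg
#   zonecfg -z zone1 -f /tmp/zone1.cfg
```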
Scheduling Class
You can use the fair share scheduler (FSS) to control the allocation of available CPU resources
among zones, based on their importance. This importance is expressed by the number
of shares of CPU resources that you assign to each zone. Even if
you are not using FSS to manage CPU resource allocation between zones, you
can set the zone's scheduling-class to use FSS so that you can set
shares on projects within the zone.
When you explicitly set the cpu-shares property, the fair share scheduler (FSS) will
be used as the scheduling class for that zone. However, the preferred way
to use FSS in this case is to set FSS to be the
system default scheduling class with the dispadmin command. That way, all zones will
benefit from getting a fair share of the system CPU resources. If cpu-shares
is not set for a zone, the zone will use the system default
scheduling class. The following actions set the scheduling class for a zone:
- You can use the scheduling-class property in zonecfg to set the scheduling class for the zone.
- You can set the scheduling class for a zone through the resource pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running in the zone run in that scheduling class by default. See Introduction to Resource Pools and How to Associate a Pool With a Scheduling Class.
- If the cpu-shares rctl is set and FSS has not been set as the scheduling class for the zone through another action, zoneadmd sets the scheduling class to FSS when the zone boots.
- If the scheduling class is not set through any other action, the zone inherits the system default scheduling class.
Note that you can use the priocntl command described in the priocntl(1) man
page to move running processes into a different scheduling class without changing the default
scheduling class and rebooting.
Physical Memory Control and the capped-memory Resource
The capped-memory resource sets limits for physical, swap, and locked memory. Each limit
is optional, but at least one must be set.
Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.
The swap property of the capped-memory resource is the preferred way to set the zone.max-swap resource control.
The locked property of the capped-memory resource is the preferred way to set the zone.max-locked-memory resource control.
For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone.
Zone Network Interfaces
Zone network interfaces configured by the zonecfg command to provide network connectivity will
automatically be set up and placed in the zone when it is booted.
The Internet Protocol (IP) layer accepts and delivers packets for the network. This
layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec),
and IP Filter.
There are two IP types available for non-global zones, shared-IP and exclusive-IP. The
shared-IP zone shares a network interface and the exclusive-IP zone must have a
dedicated network interface.
For information about IP features in each type, see Networking in Shared-IP Non-Global Zones and Networking in Exclusive-IP Non-Global Zones.
Shared-IP Non-Global Zones
The shared-IP zone is the default type. The zone must have one or
more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and
state with the global zone. The zone should use the shared-IP instance if
both of the following are true:
- The zone is to be connected to the same data-link, that is, be on the same IP subnet or subnets as the global zone.
- You do not want the other capabilities that the exclusive-IP zone provides.
Shared-IP zones are assigned one or more IP addresses using the zonecfg
command. The data-link names must also be configured in the global zone.
In the zonecfg net resource, the address and the physical properties must
be set. The defrouter property is optional.
These addresses are associated with logical network interfaces. The ifconfig command can
be used from the global zone to add or remove logical interfaces in
a running zone. For more information, see Shared-IP Network Interfaces.
Exclusive-IP Non-Global Zones
Full IP-level functionality is available in an exclusive-IP zone.
An exclusive-IP zone has its own IP-related state.
This includes the ability to use the following features in an exclusive-IP zone:
- DHCPv4 and IPv6 stateless address autoconfiguration
- IP Filter, including network address translation (NAT) functionality
- IP Network Multipathing (IPMP)
- IP routing
- ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
- IP security (IPsec) and IKE, which automates the provision of authenticated keying material for IPsec security associations
An exclusive-IP zone is assigned its own set of data-links using the zonecfg
command. The zone is given a data-link name such as xge0, e1000g1, or
bge32001, using the physical property of the net resource. The address and the
defrouter properties of the net resource are not set.
Note that the assigned data-link enables the snoop command to be used.
The dladm command can be used with the show-linkprop subcommand to show
the assignment of data-links to running exclusive-IP zones. The dladm command can be
used with the set-linkprop subcommand to assign additional data-links to running zones.
See Administering Data-Links in Exclusive-IP Non-Global Zones for usage examples.
Inside a running exclusive-IP zone, the ifconfig command can be used to configure
IP, which includes the ability to add or remove logical interfaces. The IP
configuration in a zone can be set up in the same way
as for the global zone, by using the sysidtools described in sysidcfg(4).
Note - The IP configuration of an exclusive-IP zone can only be viewed from the
global zone by using the zlogin command. An example follows.
global# zlogin zone1 ifconfig -a
Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones
In a shared-IP zone, applications in the zone, including the superuser, cannot send
packets with source IP addresses other than the ones assigned to the zone
through the zonecfg utility. This type of zone does not have access to
send and receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the
zone. As a result, the superuser in an exclusive-IP zone can send spoofed
packets on those data-links, just as can be done in the global
zone.
Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time
The shared-IP zones always share the IP layer with the global zone, and
the exclusive-IP zones always have their own instance of the IP layer. Both
shared-IP zones and exclusive-IP zones can be used on the same machine.
File Systems Mounted in Zones
Generally, the file systems mounted in a zone include, for example, the following:
- File systems specified in a zone's /etc/vfstab file
- AutoFS and AutoFS-triggered mounts
- Mounts explicitly performed by a zone administrator
Certain restrictions are placed on mounts performed from within the application environment. These
restrictions prevent the zone administrator from denying service to the rest of the
system, or otherwise negatively impacting other zones.
There are security restrictions associated with mounting certain file systems from within a
zone. Other file systems exhibit special behavior when mounted in a zone. See
File Systems and Non-Global Zones for more information.
Configured Devices in Zones
The zonecfg command uses a rule-matching system to specify which devices should appear
in a particular zone. Devices matching one of the rules are included in
the zone's /dev file system. For more information, see How to Configure the Zone.
Setting Zone-Wide Resource Controls
The global administrator can set privileged zone-wide resource controls for a zone. Zone-wide resource
controls limit the total resource usage of all process entities within a zone.
These limits are specified for both the global and non-global zones by using
the zonecfg command. See How to Configure the Zone.
The preferred, simpler method for setting a zone-wide resource control is to use
the property name instead of the rctl resource.
The zone.cpu-cap resource control sets an absolute limit on the amount of CPU
resources that can be consumed by a zone. A value of 100 means
100 percent of one CPU as the project.cpu-cap setting. A value of
125 is 125 percent, because 100 percent corresponds to one full CPU on
the system when using CPU caps.
Note - When setting the capped-cpu resource, you can use a decimal number for the
unit. The value correlates to the zone.cpu-cap resource control, but the setting
is scaled down by 100. A setting of 1 is equivalent to a
setting of 100 for the resource control.
The zone.cpu-shares resource control sets a limit on the number of fair share
scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to
the zone, and then further subdivided among projects within the zone as specified
in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on a Solaris System With Zones Installed. The global property name for
this control is cpu-shares.
The zone.max-locked-memory resource control limits the amount of locked physical memory available to
a zone. The allocation of the locked memory resource across projects within the
zone can be controlled by using the project.max-locked-memory resource control. See Table 6-1 for more information.
The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in
one zone from affecting other zones. The allocation of the LWP resource across
projects within the zone can be controlled by using the project.max-lwps resource control. See
Table 6-1 for more information. The global property name for this control is max-lwps.
The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit
System V resources used by all processes within a zone. The allocation of
System V resources across projects within the zone can be controlled by using
the project versions of these resource controls. The global property names for these
controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.
The zone.max-swap resource control limits swap consumed by user process address space mappings
and tmpfs mounts within a zone. The output of prstat -Z displays a SWAP
column. The swap reported is the total swap consumed by the zone's processes
and tmpfs mounts. This value assists in monitoring the swap reserved by each
zone, which can be used to choose an appropriate zone.max-swap setting.
Table 17-1 Zone-Wide Resource Controls

| Control Name | Global Property Name | Description | Default Unit | Value Used For |
|---|---|---|---|---|
| zone.cpu-cap | | Absolute limit on the amount of CPU resources for this zone | Quantity (number of CPUs), expressed as a percentage. Note - When setting as the capped-cpu resource, you can use a decimal number for the unit. | |
| zone.cpu-shares | cpu-shares | Number of fair share scheduler (FSS) CPU shares for this zone | Quantity (shares) | |
| zone.max-locked-memory | | Total amount of physical locked memory available to a zone. If priv_proc_lock_memory is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory. | Size (bytes) | locked property of capped-memory |
| zone.max-lwps | max-lwps | Maximum number of LWPs simultaneously available to this zone | Quantity (LWPs) | |
| zone.max-msg-ids | max-msg-ids | Maximum number of message queue IDs allowed for this zone | Quantity (message queue IDs) | |
| zone.max-sem-ids | max-sem-ids | Maximum number of semaphore IDs allowed for this zone | Quantity (semaphore IDs) | |
| zone.max-shm-ids | max-shm-ids | Maximum number of shared memory IDs allowed for this zone | Quantity (shared memory IDs) | |
| zone.max-shm-memory | max-shm-memory | Total amount of System V shared memory allowed for this zone | Size (bytes) | |
| zone.max-swap | | Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone | Size (bytes) | swap property of capped-memory |
These limits can be specified for running processes by using the prctl
command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command. Limits specified through the prctl command
are not persistent. The limits are only in effect until the system is
rebooted.
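The following added shell example (not from the Solaris documentation) converts a zone-wide setting given in the preferred property form into the equivalent rctl stanza for a zonecfg command file, applying the divide-by-100 relationship between capped-cpu ncpus and zone.cpu-cap described above and expanding k/m/g size suffixes to the bytes a resource control expects. The function names and the RESOURCE:PROPERTY argument convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): converts a zone-wide
# setting from property form into the equivalent rctl stanza of a zonecfg
# command file, using the scaling described above (capped-cpu ncpus is
# zone.cpu-cap divided by 100) and expanding k/m/g size suffixes to bytes.

# Decimal CPUs (capped-cpu ncpus) -> zone.cpu-cap percentage.
cpu_cap_from_ncpus() {
    # Round rather than truncate: 0.57*100 is 56.999... in floating point.
    awk -v n="$1" 'BEGIN { printf "%d\n", int(n * 100 + 0.5) }'
}

# Size with optional k/m/g suffix -> bytes.
size_to_bytes() {
    num=${1%[kKmMgG]}
    case $1 in
        *[kK]) mult=1024 ;;
        *[mM]) mult=1048576 ;;
        *[gG]) mult=1073741824 ;;
        *)     mult=1 ;;
    esac
    echo $((num * mult))
}

# rctl_stanza PROPERTY VALUE, where PROPERTY is a global property name from
# Table 17-1 or RESOURCE:PROPERTY for the capped-cpu/capped-memory forms.
# The physical property of capped-memory is enforced by rcapd, not an rctl.
rctl_stanza() {
    action=deny
    case $1 in
        capped-cpu:ncpus)     name=zone.cpu-cap;           limit=$(cpu_cap_from_ncpus "$2") ;;
        capped-memory:swap)   name=zone.max-swap;          limit=$(size_to_bytes "$2") ;;
        capped-memory:locked) name=zone.max-locked-memory; limit=$(size_to_bytes "$2") ;;
        max-shm-memory)       name=zone.$1;                limit=$(size_to_bytes "$2") ;;
        cpu-shares)           name=zone.$1; limit=$2; action=none ;;  # shares are not denied
        max-lwps|max-msg-ids|max-sem-ids|max-shm-ids) name=zone.$1; limit=$2 ;;
        *) echo "error: no zone-wide resource control for $1" >&2; return 1 ;;
    esac
    printf 'add rctl\nset name=%s\nadd value (priv=privileged,limit=%s,action=%s)\nend\n' \
        "$name" "$limit" "$action"
}

# Example: rctl_stanza capped-cpu:ncpus 1.25 prints the zone.cpu-cap stanza with limit=125.
```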
Configurable Privileges
When a zone is booted, a default set of safe privileges is included
in the configuration. These privileges are considered safe because they prevent a privileged
process in the zone from affecting processes in other non-global zones on the
system or in the global zone. You can use the zonecfg command
to do the following:
- Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.
- Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.
Note - There are a few privileges that cannot be removed from the zone's default
privilege set, and there are also a few privileges that cannot be added
to the set at this time.
For more information, see Privileges in a Non-Global Zone, How to Configure the Zone, and privileges(5).
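As an added example (not from the Solaris documentation), this shell function reviews an exported zone configuration for the settings that the Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones section, the Configurable Privileges section, and the zone.max-locked-memory note in Table 17-1 describe as widening a zone's reach. It assumes the zonecfg export format (add/set/end lines with the ip-type and limitpriv properties); the sample export is constructed and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): reads the output of
# "zonecfg -z NAME export" on stdin and prints one line per setting from the
# sections above that widens what the zone can do: an exclusive-IP zone's
# data-links, privileges added to the default set with limitpriv, and
# proc_lock_memory granted without a locked-memory limit.
audit_zone_export() {
    awk '
    $1 == "add" && NF == 2 { res = $2; next }
    $1 == "end" { if (res == "net" && link != "") links = links " " link
                  link = ""; res = ""; next }
    $1 == "set" {
        eq = index($2, "="); key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
        gsub(/"/, "", val)
        if (res == "net" && key == "physical") link = val
        else if (res == "capped-memory" && key == "locked") locked = val
        else if (res == "rctl" && key == "name" && val == "zone.max-locked-memory") locked = val
        else if (res == "") cfg[key] = val    # zone-level properties
    }
    END {
        if (cfg["ip-type"] == "exclusive")
            print "exclusive-IP: data-link(s)" links " granted; root in the zone can send arbitrary layer-2 packets"
        n = split(cfg["limitpriv"], p, ","); added = ""
        for (i = 1; i <= n; i++)    # "default" and "!priv" removals are not additions
            if (p[i] != "" && p[i] != "default" && substr(p[i], 1, 1) != "!") added = added " " p[i]
        if (added != "") print "limitpriv adds to the default set:" added
        if (index(added, "proc_lock_memory") > 0 && locked == "")
            print "proc_lock_memory granted but no locked-memory limit is set (locked property of capped-memory or zone.max-locked-memory)"
    }'
}

# Constructed sample export (not a real zone) that triggers all three checks.
SAMPLE_EXPORT='create -b
set zonepath=/zones/zone1
set autoboot=true
set ip-type=exclusive
set limitpriv=default,proc_lock_memory,!sys_time
add net
set physical=e1000g1
end
add dedicated-cpu
set ncpus=2-4
set importance=10
end'

# On a Solaris host: zonecfg -z zone1 export | audit_zone_export
printf '%s\n' "$SAMPLE_EXPORT" | audit_zone_export
```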
Including a Comment for a Zone
You can add a comment for a zone by using the attr
resource type. For more information, see How to Configure the Zone.