Oracle Solaris 11 Zones - solaris-training.com

Oracle Solaris 11 Zones Part 2 New zone configuration properties.

Author: Tim Wort

Introduction

A number of new zonecfg(1M) properties are added to Oracle Solaris 11 zones. Below is a list of the properties for both an Oracle Solaris 10 and an Oracle Solaris 11 zone. Properties added by Solaris 11 release 11/11 are in bold. Properties added by later releases of Solaris 11 are noted by release.

Oracle Solaris 10 zonecfg properties

For resource type ... there are property types ...:

(global)          zonename
(global)          zonepath
(global)          brand
(global)          autoboot
(global)          bootargs
(global)          pool
(global)          limitpriv
(global)          scheduling-class
(global)          ip-type
(global)          hostid
(global)          max-lwps
(global)          max-shm-memory
(global)          max-shm-ids
(global)          max-msg-ids
(global)          max-sem-ids
(global)          cpu-shares
fs                dir, special, raw, type
inherit-pkg-dir   dir
net               address, physical, defrouter
device            match
rctl              name, value
attr              name, type, value
dataset           name
dedicated-cpu     ncpus, importance
capped-cpu        ncpus
capped-memory     physical, swap, locked

In the Oracle Solaris 10 list above the inherit-pkg-dir resource is listed, but it is not present in the Oracle Solaris 11 list below: sparse root model zones are no longer supported. In the Oracle Solaris 11 list the file-mac-profile property, the fs-allowed property, the max-processes property, the anet resource and the admin resource are added. In addition, new resource properties are added to the net and device resources.

Oracle Solaris 11 zonecfg properties

For resource type ... there are property types ...:

(global)          zonename
(global)          zonepath
(global)          brand
(global)          autoboot
(global)          autoshutdown (Solaris 11.2)
(global)          bootargs
(global)          file-mac-profile
(global)          pool
(global)          limitpriv
(global)          scheduling-class
(global)          ip-type
(global)          hostid
(global)          fs-allowed
(global)          max-lwps
(global)          max-processes
(global)          max-shm-memory
(global)          max-shm-ids
(global)          max-msg-ids
(global)          max-sem-ids
(global)          cpu-shares
(global)          tenant (Solaris 11.2)
fs                dir, special, raw, type, options
net               address, allowed-address, physical, defrouter, configure-allowed-address
anet              linkname, lower-link, allowed-address, configure-allowed-address, defrouter, allowed-dhcp-cids, link-protection, mac-address, mac-prefix, mac-slot, vlan-id, priority, rxrings, txrings, mtu, maxbw
                  (added by Solaris 11.1) rxfanout, vsi-typeid, vsi-vers, vsi-mgrid, etsbw-lcl, cos, pkey, linkmode
                  (added by Solaris 11.2) evs, vport
device            match, allow-partition, allow-raw-io
                  (added by Solaris 11.2) storage
rctl              name, value
attr              name, type, value
dataset           name
dedicated-cpu     ncpus, importance
                  (added by Solaris 11.2) cpus, cores, sockets
capped-cpu        ncpus
capped-memory     physical, swap, locked
admin             user, auths
rootzpool         (added by Solaris 11.1) install-size, storage
zpool             (added by Solaris 11.1) install-size, name, storage

The autoshutdown Global Property (Solaris 11.2)

This property determines the action taken to shutdown the non-global zone on a graceful shutdown of the Global zone. Possible values are:

• shutdown – A clean zone shutdown. This is the default.
• halt
• suspend

The tenant Global Property (Solaris 11.2)

This property works with EVS (Elastic Virtual Switch); see evsadm(1M). It defines the name of the tenant that owns the EVS to which a VNIC created by an anet resource will be connected.

The file-mac-profile Global Property


The file-mac-profile property is used to configure an immutable zone. Immutable zones have a read-only root file system. The kernel applies the read-only restriction based on the setting of this property. The property is not set by default, which is equivalent to a setting of none. The possible settings for this property are:

• none – The default, a standard read-write zone.
• strict – A read-only file system where packages cannot be added, services are fixed, log files are read-only and should be configured for remote logging, and configurations such as auditing are fixed.
• fixed-configuration – Same as strict with the following exceptions: log files can be written locally and most of /var/* is writable; syslog and audit configurations cannot be changed.
• flexible-configuration – Same as fixed-configuration with the following exceptions: the /etc/* directory is writable, /var/* is writable, and configuration files for syslog and auditing can be changed. Functionality is similar to a sparse root model zone in Oracle Solaris 10.

To examine the property further, a read-only zone was created; its configuration follows. The network interface is configured as shared-IP. Automatic network configuration will not work correctly in a read-only zone and will require intervention by the administrator of the zone; the better configurations to use are shared-IP, or exclusive-IP with a VNIC configured in the global zone and assigned specifically to the non-global zone.

Read-only Zone configuration

# zonecfg -z readonly
readonly: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:readonly> create -t SYSdefault-shared-ip
zonecfg:readonly> set zonepath=/zones/readonly
zonecfg:readonly> set file-mac-profile=strict
zonecfg:readonly> add net
zonecfg:readonly:net> set physical=net0
zonecfg:readonly:net> set address=192.168.0.10/24
zonecfg:readonly:net> end
zonecfg:readonly> exit

The zone install is standard. The zone boots as a writable zone until the system configuration information has been added and the self-assembly-complete milestone completes; the zone then reboots into read-only mode. Whether the zone is currently in read-write or read-only mode can be examined with the list -p option of the zoneadm command:

Zone booted, not configured

# zoneadm -z readonly list -p
3:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:W:strict

The second to last field, “W”, indicates the zone is writable; the last field shows the file-mac-profile property setting.


Zone configured, service self-assembly-complete completed, rebooting

# zoneadm -z readonly list -p
4:readonly:down:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:-:strict

Zone rebooting

# zoneadm -z readonly list -p
5:readonly:ready:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:-:strict

Zone booted, read-only

# zoneadm -z readonly list -p
5:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:R:strict

The second to last field “R” indicates the zone is read-only. Logging into the zone via the Console will show indications of the read-only state of the zone, for example:

Nov 25 04:47:57 readonly sendmail[13800]: unable to write pid to /var/spool/clientmqueue/sm-client.pid: Read-only file system
Nov 25 04:47:58 readonly sendmail[13782]: unable to qualify my own domain name (readonly) -- using short name
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): db_map_open: cannot pre-open database /etc/mail/aliases.db: Read-only file system
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): ndbm_map_open: cannot create database /etc/mail/aliases: Read-only file system
Nov 25 04:47:59 readonly sendmail[13782]: NOQUEUE: SYSERR(root): Cannot create database for alias file /etc/mail/aliases

readonly console login: tim
Password:
error processing /etc/logindevperm, see syslog for more details
Nov 25 05:07:36 readonly login: failed to chown device /dev/console: Read-only file system
Nov 25 05:07:36 readonly login: failed to chmod device /dev/console: Read-only file system
Oracle Corporation      SunOS 5.11      11.0    November 2011
tim@readonly:~$
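The W/R flag and the trailing file-mac-profile field in the zoneadm list -p output are the two values an administrator checks to confirm that a zone configured as immutable is in fact running read-only (a zone deliberately rebooted with -w, as shown later in this document, runs writable while keeping its profile). The following POSIX shell script is an added example and is not part of the original document. It parses lines in the nine-field list -p format shown above; the sample lines embedded in it are constructed for the example, not captured from a real host. On a real system the sample would be replaced by the output of zoneadm list -p.

```shell
#!/bin/sh
# Constructed sample of `zoneadm list -p` output (not from a real host).
# Field layout: zoneid:zonename:state:zonepath:uuid:brand:ip-type:rw:file-mac-profile
SAMPLE_ZONEADM_LIST='0:global:running:/:global:solaris:shared:W:
3:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:W:strict
5:app1:running:/zones/app1:11111111-2222-3333-4444-555555555555:solaris:excl:R:fixed-configuration
7:dev:installed:/zones/dev:66666666-7777-8888-9999-000000000000:solaris:excl:-:flexible-configuration
9:lab:running:/zones/lab:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:solaris:excl:W:'

# zone_mode LINE -> prints read-only, writable or not-booted from field 8.
zone_mode() {
    rw=$(printf '%s\n' "$1" | cut -d: -f8)
    case "$rw" in
        R) echo read-only ;;
        W) echo writable ;;
        *) echo not-booted ;;   # "-" when the zone is not running
    esac
}

# zone_profile LINE -> the file-mac-profile field, or "none" when it is unset.
zone_profile() {
    p=$(printf '%s\n' "$1" | cut -d: -f9)
    [ -n "$p" ] && echo "$p" || echo none
}

# find_writable_immutable_zones -> names of non-global zones that have a
# file-mac-profile configured but are currently booted writable (W).
find_writable_immutable_zones() {
    printf '%s\n' "$SAMPLE_ZONEADM_LIST" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | cut -d: -f2)
        [ "$name" = global ] && continue
        if [ "$(zone_profile "$line")" != none ] && [ "$(zone_mode "$line")" = writable ]; then
            echo "$name"
        fi
    done
}

# Stand-alone run: report the mismatches found in the sample.
for z in $(find_writable_immutable_zones); do
    echo "WARNING: zone $z has a file-mac-profile set but is running writable (W)"
done
```

The script only reads the list output; it makes no change to any zone. A zone listed by find_writable_immutable_zones is either mid-install (the writable boot before self-assembly-complete) or was booted with -w and has not yet been rebooted back to read-only.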

Next is an examination of the zone to confirm the restrictions, first file writes and syslog:

Test file and syslog write

root@readonly:~# touch /var/tmp/testfile
touch: cannot create /var/tmp/testfile: Read-only file system

root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system

root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system

root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system

root@readonly:/# logger -p auth.emerg tester
Nov 25 05:54:51 readonly last message repeated 1 time
Nov 25 05:56:04 readonly root: [ID 702911 auth.emerg] tester

Message from syslogd@readonly at Fri Nov 25 05:56:04 2011 ...
readonly last message repeated 1 time

Message from syslogd@readonly at Fri Nov 25 05:56:04 2011 ...
readonly root: [ID 702911 auth.emerg] tester

root@readonly:/# tail /var/adm/messages
Nov 25 05:43:03 readonly sendmail[17967]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 25 05:43:03 readonly sendmail[17972]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 25 05:44:03 readonly sendmail[17967]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 25 05:44:03 readonly sendmail[17972]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name

The string tester would have been written to /var/adm/messages in a writable zone but in the strict read-only zone /var/adm/messages is not writable.

Next a service state is changed and a reboot is performed to show that the configured state of the service is persistent (fixed):

root@readonly:~# svcs ssh
STATE          STIME    FMRI
online          4:46:50 svc:/network/ssh:default

root@readonly:~# svcadm disable ssh

root@readonly:~# svcs ssh
STATE          STIME    FMRI
disabled        5:24:42 svc:/network/ssh:default

root@readonly:~# reboot

[Connection to zone 'readonly' pts/3 closed]

# zoneadm -z readonly list -p
6:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:R:strict

# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@readonly:~# svcs ssh
STATE          STIME    FMRI
online          5:27:12 svc:/network/ssh:default

In a read-write zone a change to a service state survives a reboot. In the read-only zone the SMF repository is updated in memory, so the service can be disabled; however, the repository's new state for that service cannot be written to persistent storage, so the state of the repository remains as it was when the repository was last written.

Packages are not available to the read-only zone. In the next test the zone is booted as a writable zone by passing the -w option to the zoneadm command; in the writable state the pkg command is verified, then the zone is rebooted to read-only mode and the same commands are tested again.

Zone Booted Read-write

# zoneadm -z readonly reboot -w

# zoneadm -z readonly list -p
7:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:W:strict

# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@readonly:~#

pkg(1M) command and network verified

root@readonly:~# getent hosts sol11-11-server
192.168.0.200   sol11-11-server.timwort.org
root@readonly:~# pkg publisher
PUBLISHER                   TYPE     STATUS   URI
solaris        (syspub)     origin   online   proxy://http://sol11-11-server.timwort.org/
root@readonly:~# pkg search -r wireshark
INDEX       ACTION VALUE                                                                        PACKAGE
pkg.summary set    Libraries and Tools used by Wireshark and TShark Network protocol analyzers  pkg:/diagnostic/wireshark/[email protected]
            dir    usr/lib/wireshark                                                            pkg:/diagnostic/wireshark/[email protected]
            dir    usr/share/wireshark                                                          pkg:/diagnostic/wireshark/[email protected]
            file   usr/sbin/wireshark                                                           pkg:/diagnostic/[email protected]
            set    solaris/diagnostic/wireshark                                                 pkg:/diagnostic/[email protected]

Zone booted to read-only state

# zoneadm -z readonly reboot

# zoneadm -z readonly list -p
8:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:R:strict

# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

pkg(1M) command and network verified

root@readonly:~# getent hosts sol11-11-server
192.168.0.200   sol11-11-server.timwort.org

root@readonly:~# pkg search -r wireshark
Segmentation Fault

root@readonly:~# pkg publisher
Segmentation Fault

Next the zone will be configured as a fixed-configuration zone and verified:

Zone configured as fixed-configuration and rebooted

# zonecfg -z readonly set file-mac-profile=fixed-configuration

# zoneadm -z readonly boot

# zoneadm -z readonly list -p
9:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:R:fixed-configuration

Test file and syslog write

root@readonly:~# touch /var/tmp/testfile

root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system

root@readonly:~# touch /etc/testfile
touch: cannot create /etc/testfile: Read-only file system

root@readonly:~# touch /export/testfile
touch: cannot create /export/testfile: Read-only file system

root@readonly:~# logger -p auth.emerg tester
Nov 25 06:41:48 readonly root: [ID 702911 auth.emerg] tester

Message from syslogd@readonly at Fri Nov 25 06:41:48 2011 ...
readonly root: [ID 702911 auth.emerg] tester

root@readonly:~# tail /var/adm/messages
Nov 25 05:43:03 readonly sendmail[17967]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 25 05:43:03 readonly sendmail[17972]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 25 05:44:03 readonly sendmail[17967]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 25 05:44:03 readonly sendmail[17972]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 25 06:34:54 readonly sendmail[22189]: [ID 702911 mail.crit] My unqualified host name (readonly) unknown; sleeping for retry
Nov 25 06:35:54 readonly sendmail[22189]: [ID 702911 mail.alert] unable to qualify my own domain name (readonly) -- using short name
Nov 25 06:41:48 readonly root: [ID 702911 auth.emerg] tester

In the fixed-configuration read-only configuration most of /var is writable and log files are writable, as the previous commands show.

Next the zone is configured as a flexible-configuration read-only zone and the configuration is verified:

Zone configured as flexible-configuration and rebooted

# zonecfg -z readonly set file-mac-profile=flexible-configuration

# zoneadm -z readonly boot

# zoneadm -z readonly list -p
1:readonly:running:/zones/readonly:8a079b62-bb36-6a1a-f08a-b68f4a7e7d2a:solaris:shared:R:flexible-configuration

Verify the flexible-configuration read-only zone configuration

# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@readonly:~# touch /usr/tester
touch: cannot create /usr/tester: Read-only file system

root@readonly:~# touch /etc/testfile

root@readonly:~# touch /lib/testfile
touch: cannot create /lib/testfile: Read-only file system

root@readonly:~# touch /testfile
touch: cannot create /testfile: Read-only file system

root@readonly:~# touch /root/testfile

The flexible-configuration profile allows writes to root's home directory, /etc and /var, but the other file systems remain restricted.

The restrictions applied to a read-only zone do not apply to file systems that are mounted read-write into the zone via NFS or through the zone configuration, for example:

Read-only zone, /opt not writable

# zonecfg -z readonly set file-mac-profile=strict

# zoneadm -z readonly boot

# zlogin readonly
[Connected to zone 'readonly' pts/2]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@readonly:~# touch /opt/myfile
touch: cannot create /opt/myfile: Read-only file system

root@readonly:~# halt
[Connection to zone 'readonly' pts/2 closed]

Create a ZFS file system and add it to the zone configuration

# zfs create -p rpool/dstor/fs1

# zonecfg -z readonly "add fs;set type=zfs;set dir=/opt/local;set special=rpool/dstor/fs1;end;exit"


# zfs set mountpoint=legacy rpool/dstor/fs1

# zoneadm -z readonly boot

Verify write to file system

# zlogin readonly
[Connected to zone 'readonly' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@readonly:~# touch /opt/local/myfile
root@readonly:~#

Solaris 11.2 adds Read-Only Global zone configurations. Immutable zones will have a read-only zone root.

Read-Only/Immutable Global zone

# zonecfg -z global set file-mac-profile=fixed-configuration

The fs-allowed Global Property

The fs-allowed property determines which file system types can be mounted within a non-global zone. By default the hsfs(7FS) and NFS file system types can be mounted in the zone. The property takes a comma-separated list of file system types.

In the following example the zone is at its default configuration and the fs-allowed property is not set. A ZFS volume is created and a UFS file system is built on it.

UFS file system in a default zone configuration

root@fszone:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                    382M  9.14G    31K  /rpool
rpool/ROOT               382M  9.14G    31K  legacy
rpool/ROOT/solaris       382M  9.14G   351M  /
rpool/ROOT/solaris/var  24.3M  9.14G  23.4M  /var
rpool/export            96.5K  9.14G    32K  /export
rpool/export/home       64.5K  9.14G    32K  /export/home
rpool/export/home/tim   32.5K  9.14G  32.5K  /export/home/tim
root@fszone:~# zfs create rpool/datastor

root@fszone:~# zfs create -V 100m rpool/datastor/vol1

root@fszone:~# pkg list *ufs*
NAME (PUBLISHER)                VERSION                 IFO
system/file-system/ufs          0.5.11-0.175.0.0.0.2.1  i--

root@fszone:~# newfs /dev/zvol/rdsk/rpool/datastor/vol1
newfs: construct a new file system /dev/zvol/rdsk/rpool/datastor/vol1: (y/n)? y
Warning: 4130 sector(s) in last cylinder unallocated
/dev/zvol/rdsk/rpool/datastor/vol1:     204766 sectors in 34 cylinders of 48 tracks, 128 sectors
        100.0MB in 3 cyl groups (14 c/g, 42.00MB/g, 20160 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 86176, 172320,

root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol1 /mnt
mount: Insufficient privileges

root@fszone:~# exit
logout

[Connection to zone 'fszone' pts/2 closed]

With fs-allowed set

# zonecfg -z fszone set fs-allowed=ufs

# zoneadm -z fszone reboot

# zlogin fszone
[Connected to zone 'fszone' pts/2]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@fszone:~# mount /dev/zvol/dsk/rpool/datastor/vol1 /mnt

root@fszone:~# ls /mnt
lost+found

The max-processes and zone.max-lofi Global properties.

A new resource control max-processes is defined. The property sets the maximum number of process table slots simultaneously available to this zone. This property is the preferred way to set the zone.max-processes resource control.

Setting this property will implicitly set the value of the max-lwps property to 10 times the number of process slots unless the max-lwps property has been set explicitly.

Additionally, loop-back file system (lofi) devices are allowed within a zone; the resource control zone.max-lofi defines the maximum number of lofi(7D) devices available to a zone.

max-processes

# zonecfg -z ozone "set max-processes=300;exit"

# zonecfg -z ozone info
...
[max-processes: 300]
...
rctl:
        name: zone.max-processes
        value: (priv=privileged,limit=300,action=deny)

zone.max-lofi

zonecfg:ozone> add rctl
zonecfg:ozone:rctl> set name=zone.max-lofi
zonecfg:ozone:rctl> set value=(priv=privileged,limit=10,action=deny)
zonecfg:ozone:rctl> help
zonecfg:ozone:rctl> end

Results

# prctl -i zone ozone
zone: 5: ozone
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.max-lofi
        usage               0
        privileged         10       -   deny                             -
        system          18.4E     max   deny                             -
zone.max-swap
        usage          47.4MB
        system          16.0EB    max   deny                             -
zone.max-locked-memory
        usage              0B
        system          16.0EB    max   deny                             -
zone.max-shm-memory
        system          16.0EB    max   deny                             -
zone.max-shm-ids
        system          16.8M     max   deny                             -
zone.max-sem-ids
        system          16.8M     max   deny                             -
zone.max-msg-ids
        system          16.8M     max   deny                             -
zone.max-processes
        usage               5
        privileged        300       -   deny                             -
        system          2.15G     max   deny                             -
zone.max-lwps
        usage              24
        privileged      3.00K       -   deny                             -
        system          2.15G     max   deny                             -
zone.cpu-cap
        usage               0
        system          4.29G     inf   deny                             -
zone.cpu-shares
        usage               1
        privileged          1       -   none                             -
        system          65.5K     max   none                             -

The new device Resource properties

Oracle Solaris 11 adds two new resource properties to the device resource. In Oracle Solaris 10 only the match property could be set to some allowable device. In Oracle Solaris 11 the allow-partition and the allow-raw-io resource properties are added to the device resource. These resource properties are configured as either true or false with the default setting as false.

The allow-partition property allows a disk to be labeled with the format command. The allow-raw-io property allows uscsi(7I) commands to be executed against the device. Adding devices to a zone, or using the allow-partition or allow-raw-io properties, should be done with caution: access to a device driver can allow a malicious user to panic the system or to access other devices on the same bus. This resource and its properties should not be used without first understanding the security implications. See uscsi(7I) and Device Use in Non-Global Zones.
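The device resource, its allow-partition and allow-raw-io properties, the file-mac-profile setting and the fs-allowed list are exactly the items worth reviewing in a zone's configuration before it goes into service. The following POSIX shell script is an added example and is not part of the original document. It reads a configuration in the line format produced by zonecfg -z zone export (one `add`/`set`/`end` directive per line) and prints one finding per item of interest. The embedded configuration is constructed for the example; the device match value is the one used on this page, and /dev/term/a is an assumed second device that stands in for any other device added to a zone.

```shell
#!/bin/sh
# Constructed `zonecfg -z fszone export`-style configuration (not from a real host).
SAMPLE_ZONECFG_EXPORT='create -b
set zonepath=/zones/fszone
set brand=solaris
set autoboot=false
set ip-type=shared
set fs-allowed=ufs
add net
set address=192.168.0.10/24
set physical=net0
end
add device
set match=/dev/*dsk/c3t2d0s*
set allow-partition=true
end
add device
set match=/dev/term/a
end'

# audit_zonecfg: read an exported zone configuration on stdin and print
# one finding per line for the security-relevant settings.
audit_zonecfg() {
    in_device=0; match=''; part=false; raw=false; profile=''; fsallowed=''
    while IFS= read -r line; do
        case "$line" in
            'add device')
                in_device=1; match=''; part=false; raw=false ;;
            'set match='*)
                [ $in_device -eq 1 ] && match=${line#set match=} ;;
            'set allow-partition='*)
                part=${line#set allow-partition=} ;;
            'set allow-raw-io='*)
                raw=${line#set allow-raw-io=} ;;
            'set file-mac-profile='*)
                profile=${line#set file-mac-profile=} ;;
            'set fs-allowed='*)
                fsallowed=${line#set fs-allowed=} ;;
            end)
                # `end` closes the current resource; report a device resource as a whole.
                if [ $in_device -eq 1 ]; then
                    echo "device $match added to zone (device access can panic the system or reach other devices on the bus)"
                    [ "$part" = true ] && echo "device $match has allow-partition=true (format/label permitted)"
                    [ "$raw" = true ] && echo "device $match has allow-raw-io=true (uscsi commands permitted)"
                    in_device=0
                fi ;;
        esac
    done
    # Global properties are reported once the whole configuration has been read.
    [ -z "$profile" ] && echo "file-mac-profile not set (zone root is read-write, equivalent to none)"
    [ -n "$fsallowed" ] && echo "fs-allowed=$fsallowed (file system types beyond the default are mountable in the zone)"
    return 0
}

# count_findings -> number of findings for the embedded sample configuration.
count_findings() {
    printf '%s\n' "$SAMPLE_ZONECFG_EXPORT" | audit_zonecfg | wc -l | tr -d ' '
}

# Stand-alone run: print the findings for the sample.
printf '%s\n' "$SAMPLE_ZONECFG_EXPORT" | audit_zonecfg
```

On a real system the sample would be replaced by `zonecfg -z <zone> export | audit_zonecfg`. The script reports rather than judges: a device resource may be perfectly legitimate, but each one should be a known, deliberate decision by the global zone administrator.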


The following example shows the use of the allow-partition property:

Current zone state

# zonecfg -z fszone info
zonename: fszone
zonepath: /zones/fszone
brand: solaris
autoboot: false
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed: ufs
net:
        address: 192.168.0.10/24
        allowed-address not specified
        configure-allowed-address: true
        physical: net0
        defrouter not specified

Selecting a device to add to the zone

# zpool status
  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c3t0d0s0  ONLINE       0     0     0

errors: No known data errors

# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c3t0d0 <ATA-VBOX HARDDISK-1.0 cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci8086,2829@d/disk@0,0
       1. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
          /pci@0,0/pci8086,2829@d/disk@2,0
Specify disk (enter its number): ^D

Adding the device and testing

# zonecfg -z fszone "add device;set match=/dev/*dsk/c3t2d0s*;end;exit"

# zoneadm -z fszone reboot

root@Sol-11-11-desktop:~# zlogin fszone
[Connected to zone 'fszone' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@fszone:~# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
          sd2 at pciclass,0106010 slave 16
Specify disk (enter its number): 0
selecting c3t2d0
Permission denied.

root@fszone:~# exit
logout

[Connection to zone 'fszone' pts/3 closed]

Setting the allow-partition property and testing

# zonecfg -z fszone "select device match=/dev/*dsk/c3t2d0s*;set allow-partition=true;end;exit"

# zoneadm -z fszone reboot

# zlogin fszone
[Connected to zone 'fszone' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011

root@fszone:~# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c3t2d0 <ATA-VBOX HARDDISK-1.0 cyl 98 alt 2 hd 64 sec 32>
          sd2 at pciclass,0106010 slave 16
Specify disk (enter its number): 0
selecting c3t2d0
[disk formatted]
No Solaris fdisk partition found.

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> p

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> p
Current partition table (original):
Total disk cylinders available: 98 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       0               0         (0/0/0)          0
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)     200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)        2048
  9 unassigned    wm       0               0         (0/0/0)          0

partition> m
Select partitioning base:
        0. Current partition table (original)
        1. All Free Hog
Choose base (enter number) [0]? 1

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       0               0         (0/0/0)          0
  1       swap    wu       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)     200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6        usr    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)        2048
  9 alternates    wm       0               0         (0/0/0)          0

Do you wish to continue creating a new partition
table based on above table[yes]?
Free Hog partition[6]? 0
Enter size of partition '1' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '3' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '4' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '5' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '6' [0b, 0c, 0.00mb, 0.00gb]:
Enter size of partition '7' [0b, 0c, 0.00mb, 0.00gb]:

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 -  97       97.00MB    (97/0/0)     198656
  1       swap    wu       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)     200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6        usr    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)        2048
  9 alternates    wm       0               0         (0/0/0)          0

Okay to make this the current partition table[yes]?
Enter table name (remember quotes): t

Ready to label disk, continue? y

partition> p
Current partition table (t):
Total disk cylinders available: 98 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       1 -  97       97.00MB    (97/0/0)     198656
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 -  97       98.00MB    (98/0/0)     200704
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -   0        1.00MB    (1/0/0)        2048
  9 unassigned    wm       0               0         (0/0/0)          0

partition> ^D
root@fszone:~#

The storage property is added to the device resource by Solaris 11.2. The property can be set to a storage URI (SURI); see suri(5). The SURI is mapped when the zone boots, allow-partition is automatically set to true, and the matching device nodes become available inside the zone. The SURI is unmapped when the zone halts.

The anet and net Resource Properties

When a non-global zone is created the default networking is configured as an exclusive-IP type with an anet resource. The anet resource creates a VNIC for the non-global zone. The VNIC is present when the non-global zone is booted and destroyed when the non-global zone is shutdown. An example of the anet resource can be seen in Part 1 of this document.

The anet properties

anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:fa:fb:da
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified

(Added by Solaris 11.1)
        rxfanout not specified
        vsi-typeid not specified
        vsi-vers not specified
        vsi-mgrid not specified
        etsbw-lcl not specified
        cos not specified
        pkey not specified
        linkmode not specified

(Added by Solaris 11.2)
        evs not specified
        vport not specified

Most of the anet properties are self-explanatory and all are defined in the zonecfg(1M) man page. The entries below examine a few of the more interesting properties.

lower-link: auto  Defines the link in the global zone that will be used for the VNIC; the property can be set to any existing link as shown by the dladm(1M) command. When set to auto the link is selected in this order: first a configured link aggregation in the up state, next an Ethernet link in the up state chosen by alphabetic sort, then the net0 link if available.

mac-address: random  Can be set to factory, random or auto. auto attempts to use a factory MAC address; if no factory address is available, random is used. A random address is preserved across reboots to support DHCP.

auto-mac-address  When the anet resource is used this property is populated with the assigned MAC address.

mac-prefix  Sets a prefix for the random MAC address if required.

mac-slot  A slot location for a specific factory MAC address.

Solaris 11.1 added more anet resource properties; these are described in the dladm(1M) man page. Solaris 11.2 added two more anet resource properties, which are used in the EVS (Elastic Virtual Switch) environment. See evsadm(1M).

The net resource properties include defrouter, allowed-address and configure-allowed-address.


defrouter  The property is optional and should only be set to an address on a different subnet than the one configured for the global zone.

allowed-address  Used with exclusive-IP zones only. If set, this property constrains the IP address(es) with which the interface can be configured inside the zone. Setting allowed-address also sets the configure-allowed-address property to true.

configure-allowed-address  When this property is set to true, the address defined by the allowed-address property is configured on the interface when the non-global zone boots.

The admin Resource

The admin resource allows delegation of administrative tasks for a particular zone to a non-root user or a role. Two properties can be set: user, which names a user or role, and auths, which lists one or more authorizations.

The user property takes a user or role that must exist in the global zone.

The auths property can be set to a comma-separated list. The possible values are login (authenticated login to this zone), manage (management of this zone using zoneadm(1M)) and copyfrom (cloning of this zone).

Create a role for zone administration

# roleadd -m -d /export/home/zadmin -s /usr/bin/pfbash zadmin
80 blocks
# passwd zadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for zadmin

Add the role to the zone

# zonecfg -z ozone "add admin;set user=zadmin;set auths=login,manage;end"
Found user in files repository.

The result of the previous command

# grep zadmin /etc/user_attr
zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;profiles=Zone Management,All;roleauth=role

Assign the role to a user

# usermod -R zadmin tim
Found user in files repository.
UX: usermod: tim is currently logged in, some changes may not take effect until next login.

Examine the user and role

tim:~$ profiles
Basic Solaris User
All

tim:~$ roles
zadmin

tim:~$ su zadmin
Password:

zadmin:~$ profiles
Zone Management
All
Basic Solaris User

zadmin:~$ profiles -p "Zone Management"
Found profile in files repository.
profiles:Zone Management> info
        name=Zone Management
        desc=Zones Virtual Application Environment Administration
        help=RtZoneMngmnt.html
        cmd=/usr/sbin/zoneadm
        cmd=/usr/sbin/zlogin
profiles:Zone Management> exit

Verify use of the role

zadmin:~$ zoneadm -z ozone shutdown -r

zadmin:~$ zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              solaris  shared
   5 ozone            running    /zones/ozone                   solaris  excl
   6 zone1            running    /zones/zone1                   solaris  excl

zadmin:~$ zlogin ozone
[Connected to zone 'ozone' pts/4]
Oracle Corporation      SunOS 5.11      11.0    December 2011
root@ozone:~# pwd
/root

root@ozone:~# cd ..

root@ozone:/# ls
bin     etc     home    mnt     nfs4    proc    rpool   system  usr
dev     export  lib     net     opt     root    sbin    tmp     var

root@ozone:/# exit
logout

Verify access to the assigned zone only

root:~# zonecfg -z ozone info admin
admin:
        user: zadmin
        auths: login,manage

root:~# zonecfg -z zone1 info admin

zadmin:~$ zlogin zone1
zlogin: zadmin is not authorized to login to zone1 zone.

zadmin:~$ zoneadm -z zone1 shutdown -r
zoneadm: zone 'zone1': User zadmin is not authorized to shutdown this zone.

zadmin:~$
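The grep output above shows how an admin resource lands in user_attr: auths=login,manage on zone ozone becomes solaris.zone.login/ozone and solaris.zone.manage/ozone, and usermod -R links the user to the role. The following Python is an added example, not part of this document or of Solaris: it rebuilds that mapping so a delegation can be audited offline from a copy of user_attr, assumes copyfrom follows the same solaris.zone.<auth>/<zone> pattern (the page only shows login and manage), and constructs tim's user_attr line from the usermod -R step.

```python
from typing import Dict, List, Set
# Added example (not Solaris code): how the admin resource's auths appear in user_attr(4),
# so a delegation can be audited offline. login/manage follow the grep output above;
# the same solaris.zone.<auth>/<zone> pattern is assumed for copyfrom.
ZONE_AUTHS = ("login", "manage", "copyfrom")      # values the auths property accepts

# Constructed sample: the zadmin role line above, plus tim's line after 'usermod -R zadmin tim'.
SAMPLE_USER_ATTR = [
    "zadmin::::type=role;auths=solaris.zone.login/ozone,solaris.zone.manage/ozone;"
    "profiles=Zone Management,All;roleauth=role",
    "tim::::type=normal;roles=zadmin",
]

def expected_auths(zone: str, auths: str) -> List[str]:
    """Authorizations that 'set auths=<list>' should add for <zone>."""
    out = []
    for a in auths.split(","):
        if a not in ZONE_AUTHS:
            raise ValueError(f"unknown admin auth {a!r}")
        out.append(f"solaris.zone.{a}/{zone}")
    return out

def parse_user_attr(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """name -> attribute dict from user_attr lines (name::::k=v;k=v); comments skipped."""
    table = {}
    for line in (ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("#")):
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"malformed user_attr line: {line!r}")
        table[fields[0]] = dict(kv.split("=", 1) for kv in fields[4].split(";") if kv)
    return table

def zone_grants(attrs: Dict[str, str]) -> Dict[str, Set[str]]:
    """zone -> actions from the account's own solaris.zone.* auths; '*' = no /zone suffix."""
    grants: Dict[str, Set[str]] = {}
    for auth in filter(None, attrs.get("auths", "").split(",")):
        if auth.startswith("solaris.zone."):
            action, _, zone = auth[len("solaris.zone."):].partition("/")
            grants.setdefault(zone or "*", set()).add(action)
    return grants

def reachable_zones(user: str, lines: List[str]) -> Dict[str, Set[str]]:
    """zone -> actions <user> gets directly or through any role assigned in user_attr."""
    table = parse_user_attr(lines)
    reach: Dict[str, Set[str]] = {}
    names = [user] + [r for r in table.get(user, {}).get("roles", "").split(",") if r]
    for name in names:
        for zone, actions in zone_grants(table.get(name, {})).items():
            reach.setdefault(zone, set()).update(actions)
    return reach
```

Grants filed under "*" (a solaris.zone.* authorization with no /zone suffix) are the ones worth reviewing first, because they are not tied to a single zone the way the admin resource's output is.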

The zpool and rootzpool Resources (Solaris 11.1)

These resources are used to install a zone root pool and additional ZFS storage pools. The zpool resource can only be added before the zone is installed. Both resources take one or more storage properties and an optional install-size property. The zpool resource also has a name property. The rootzpool resource's pool name is automatically assigned as zonename_rpool.

The storage property defines one or more shared storage resources in the form of SURIs.

SURI Format

Local Device URI
    dev:<local-path-under-/dev>
    dev:///<path-with-dev>
    dev:<absolute-path-with-dev>

Examples:
    dev:dsk/c0t0d0s0
    dev:///dev/dsk/c0t0d0s0
    dev:/dev/dsk/c0t0d0s0

Logical Unit URI
    lu:luname.naa.<ID>
    lu:initiator.naa.<ID>,target.naa.<ID>,luname.naa.<ID>

Examples:
    lu:luname.naa.5000c5000288fa25
    lu:initiator.naa.2100001d38089fb0,target.naa.2100001d38089fb0,luname.naa.5000c5000288fa25

iSCSI URI
    iscsi:///luname.naa.<ID>
    iscsi://<host>[:<port>]/luname.naa.<ID>

Examples:
    iscsi:///luname.naa.600144f03d70c80000004ea57da10001
    iscsi://[::1]/luname.naa.600144f03d70c80000004ea57da10001
    iscsi://127.0.0.1/luname.naa.600144f03d70c80000004ea57da10001
    iscsi://127.0.0.1:3260/luname.naa.600144f03d70c80000004ea57da10001
    iscsi://hostname:3260/luname.naa.600144f03d70c80000004ea57da10001
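The three SURI schemes above are what a zone configuration hands to the storage property, so anything that validates or compares zone configurations needs to parse them. The Python below is an added example, not code from this document or from suri(5): it accepts the listed forms, folds the three dev: spellings onto one /dev path, and rejects anything outside the documented shapes; the hex-NAA and host patterns are my assumptions about the format, not taken from the specification.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Added illustration of the SURI forms listed above (see suri(5)); not Solaris code.
_HEX = r"[0-9a-fA-F]+"
_LU_RE = re.compile(
    rf"^lu:(?:initiator\.naa\.({_HEX}),target\.naa\.({_HEX}),)?luname\.naa\.({_HEX})$")
_ISCSI_RE = re.compile(
    rf"^iscsi://(?:(\[[0-9a-fA-F:]+\]|[^/:\[\]]+)(?::(\d+))?)?/luname\.naa\.({_HEX})$")

@dataclass
class Suri:
    scheme: str                      # "dev", "lu" or "iscsi"
    device: str                      # normalised /dev path, or the luname NAA id
    host: Optional[str] = None       # iscsi target host, when given
    port: Optional[int] = None       # iscsi target port, when given
    initiator: Optional[str] = None  # lu: initiator NAA id (long form only)
    target: Optional[str] = None     # lu: target NAA id (long form only)

def parse_suri(text: str) -> Suri:
    """Parse one SURI into its parts; raise ValueError for anything malformed."""
    if text.startswith("dev:"):
        rest = text[4:]
        if rest.startswith("///dev/"):            # dev:///dev/dsk/c0t0d0s0
            path = rest[2:]
        elif rest.startswith("/dev/"):            # dev:/dev/dsk/c0t0d0s0
            path = rest
        elif rest and not rest.startswith("/"):   # dev:dsk/c0t0d0s0
            path = "/dev/" + rest
        else:
            raise ValueError(f"malformed dev SURI: {text!r}")
        # Every spelling must stay under /dev; refuse path traversal out of it.
        if ".." in path.split("/") or "//" in path:
            raise ValueError(f"dev SURI escapes /dev: {text!r}")
        return Suri("dev", path)
    m = _LU_RE.match(text)
    if m:
        init, tgt, lun = m.groups()
        return Suri("lu", lun.lower(), initiator=init and init.lower(),
                    target=tgt and tgt.lower())
    m = _ISCSI_RE.match(text)
    if m:
        host, port, lun = m.groups()
        return Suri("iscsi", lun.lower(), host=host, port=int(port) if port else None)
    raise ValueError(f"unsupported or malformed SURI: {text!r}")

def same_device(a: str, b: str) -> bool:
    """True when two spellings name the same device (e.g. the three dev: forms above)."""
    pa, pb = parse_suri(a), parse_suri(b)
    return (pa.scheme, pa.device) == (pb.scheme, pb.device)
```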

This example shows the creation and installation of a zone using both the zpool and rootzpool resources.


The zone creation.

root@anarchy:~# zonecfg -z poolzone
Use 'create' to begin configuring a new zone.
zonecfg:poolzone> create
create: Using system default template 'SYSdefault'
zonecfg:poolzone> add rootzpool
zonecfg:poolzone:rootzpool> add storage dev:dsk/c4t4d0
zonecfg:poolzone:rootzpool> add storage dev:dsk/c4t5d0
zonecfg:poolzone:rootzpool> end
zonecfg:poolzone> add zpool
zonecfg:poolzone:zpool> add storage dev:dsk/c4t2d0
zonecfg:poolzone:zpool> add storage dev:dsk/c4t3d0
zonecfg:poolzone:zpool> set name=pool1
zonecfg:poolzone:zpool> end
zonecfg:poolzone> set zonepath=/zones/poolzone
zonecfg:poolzone> exit

The zone installation.

root@anarchy:~# zoneadm -z poolzone install -x force-zpool-create-all
Created zone zpool: poolzone_rpool
Created zone zpool: poolzone_pool1
Progress being logged to /var/log/zones/zoneadm.20140614T212225Z.poolzone.install
       Image: Preparing at /zones/poolzone/root.

 AI Manifest: /tmp/manifest.xml.50ayDo
  SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
    Zonename: poolzone
Installation: Starting ...

        Creating IPS image
Startup linked: 1/1 done
        Installing packages from:
            solaris
                origin:  http://localhost:1008/solaris/01dc619d8dd30519966173a5eb2837b0d63d8630/
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            186/186   34363/34363  230.5/230.5  3.3M/s

PHASE                                          ITEMS
Installing new actions                   48378/48378
Updating package state database                 Done
Updating image state                            Done
Creating fast lookup database                   Done
Installation: Succeeded

Note: Man pages can be obtained by installing pkg:/system/manual

done.

Done: Installation completed in 165.737 seconds.

Next Steps: Boot the zone, then log into the zone console (zlogin -C)

to complete the configuration process.

Log saved in non-global zone as /zones/poolzone/root/var/log/zones/zoneadm.20140614T212225Z.poolzone.install


root@anarchy:~# zpool status
  pool: poolzone_pool1
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        poolzone_pool1      ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            c4t2d0          ONLINE       0     0     0
            c4t3d0          ONLINE       0     0     0

errors: No known data errors

  pool: poolzone_rpool
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        poolzone_rpool      ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            c4t4d0          ONLINE       0     0     0
            c4t5d0          ONLINE       0     0     0

errors: No known data errors

  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c4t0d0    ONLINE       0     0     0

errors: No known data errors

(After zone is booted)

root@anarchy:~# zlogin poolzone zpool status
  pool: pool1
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            c4t2d0  ONLINE       0     0     0
            c4t3d0  ONLINE       0     0     0

errors: No known data errors

  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            c4t4d0  ONLINE       0     0     0
            c4t5d0  ONLINE       0     0     0

errors: No known data errors

