Previous
Scheduling Class in a Zone
The scheduling class for a non-global zone is set to the scheduling class for the system by default. When you set the cpu-shares property, to get the full benefit of the fair share scheduler (FSS), you should also set FSS to be the default system scheduling class with the dispadmin command. That way, processes in the global zone or in other zones that do not have the scheduler set to FSS by some other method use the FSS by default. The following actions set the scheduling class for a zone:
You can use the scheduling-class property in zonecfg to set the scheduling class for the zone.
You can set the scheduling class for a zone through the resource pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running in the zone run in that scheduling class by default. See Introduction to Resource Pools and How to Associate a Pool With a Scheduling Class.
If the cpu-shares rctl is set and FSS has not been set as the scheduling class for the zone through another action, zoneadmd sets the scheduling class to FSS when the zone boots.
Note that you can use the priocntl described in the priocntl(1) man page to move running processes into a different scheduling class without changing the default scheduling class and rebooting.
capped-memory Resource
Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. See Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone.
The capped-memory resource sets limits for physical, swap, and locked memory.
The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone
The swap property of the capped-memory resource is the preferred way to set the zone.max-swap resource control.
The locked property of the capped-memory resource is the preferred way to set the zone.max-locked-memory resource control.
Zone Interfaces in an lx Branded Zone
Each zone that requires network connectivity must have one or more dedicated IP addresses. These addresses are associated with logical network interfaces. Network interfaces configured by the zonecfg command will automatically be plumbed and placed in the zone when it is booted.
Mounted File Systems in an lx Branded Zone
Generally, the file systems mounted in a zone include the following:
The set of file systems mounted when the virtual platform is initialized
The set of file systems mounted from within the zone itself
This can include, for example, the following file systems:
automount-triggered mounts
Mounts explicitly performed by a zone administrator
Certain restrictions are placed on mounts performed from within the application environment. These restrictions prevent the zone administrator from denying service to the rest of the system, or otherwise negatively impacting other zones.
There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones for more information.
Zone-Wide Resource Controls in an lx Branded Zone
The preferred method for setting a zone-wide resource control is to use the global property name associated with the specific control. These limits are specified for both the global and non-global zones.
The global administrator can also set privileged zone-wide resource controls for a zone by using the rctl resource.
Zone-wide resource controls limit the total resource usage of all process entities within a zone. These limits are specified in the zonecfg configuration. For instructions, see How to Configure the lx Branded Zone.
The following resource controls are currently available:
Table 30-1 Zone-Wide Resource Controls
Control Name | Global Property Name | Description | Default Unit | Value Used For |
|---|---|---|---|---|
zone.cpu-shares | cpu-shares | Number of fair share scheduler (FSS) CPU shares for this zone | Quantity (shares) | |
zone.max-locked-memory | max-locked-memory | Total amount of physical locked memory available to a zone. | Size (bytes) | locked property of capped-memory |
zone.max-lwps | max-lwps | Maximum number of LWPs simultaneously available to this zone | Quantity (LWPs) | |
zone.max-msg-ids | max-msg-ids | Maximum number of message queue IDs allowed for this zone | Quantity (message queue IDs) | |
zone.max-sem-ids | max-sem-ids | Maximum number of semaphore IDs allowed for this zone | Quantity (semaphore IDs) | |
zone.max-shm-ids | max-shm-ids | Maximum number of shared memory IDs allowed for this zone | Quantity (shared memory IDs) | |
zone.max-shm-memory | max-shm-memory | Total amount of shared memory allowed for this zone | Size (bytes) | |
zone.max-swap | max-swap | Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone. | Size (bytes) | swap property of capped-memory |
Configurable Privileges in an lx Branded Zone
The limitpriv property is used to specify a privilege mask other than the predefined default set. When a zone is booted, a default set of privileges is included in the brand configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the limitpriv property to do the following:
Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.
Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.
Note - There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.
For more information, see Privileges Defined in lx Branded Zones, Privileges in a Non-Global Zone and privileges(5).
attr Resource in an lx Branded Zone
You can use the attr resource type to enable access to an audio device present in the global zone. For instructions, see Step 12 of How to Configure, Verify, and Commit the lx Branded Zone.
You can also add a comment for a zone by using the attr resource type.
Resources Included in the Configuration by Default
Configured Devices in lx Branded Zones
The devices supported by each zone are documented in the man pages and other documentation for that brand. The lx zone does not allow the addition of any unsupported or unrecognized devices. The framework detects any attempt to add an unsupported device. An error message is issued that indicates the zone configuration cannot be verified.
Note that access to an audio device running in the global zone can be added through the attr resource property as shown in Step 12 of How to Configure, Verify, and Commit the lx Branded Zone.
File Systems Defined in lx Branded Zones
The file systems that are required for a branded zone are defined in the brand. You can add additional Solaris file systems to an lx branded zone by using the fs resource property as shown in Step 9 of How to Configure, Verify, and Commit the lx Branded Zone.
Note - Adding local Linux file systems is not supported. You can NFS mount file systems from a Linux server.