
Physical Memory Control and the capped-memory Resource

Determine values for this resource if you plan to cap memory for the zone by using rcapd from the global zone. See Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks), and How to Configure the Zone.

The capped-memory resource sets limits for physical, swap, and locked memory.

  • The physical property of the capped-memory resource is used by rcapd as the max-rss value for the zone.

  • The swap property of the capped-memory resource is the preferred way to set the zone.max-swap resource control.

  • The locked property of the capped-memory resource is the preferred way to set the zone.max-locked-memory resource control.

Zone Interfaces

Each zone that requires network connectivity must have one or more dedicated IP addresses. These addresses are associated with logical network interfaces. Zone interfaces configured by the zonecfg command will automatically be plumbed and placed in the zone when it is booted.

The ifconfig command can be used from the global zone to add or remove logical interfaces in a running zone. For more information, see Network Interfaces.

File Systems Mounted in Zones

Generally, the file systems mounted in a zone include the following:

  • The set of file systems mounted when the virtual platform is initialized

  • The set of file systems mounted from within the application environment itself

This can include, for example, the following file systems:

  • File systems specified in a zone's /etc/vfstab file

  • AutoFS and AutoFS-triggered mounts

  • Mounts explicitly performed by a zone administrator

Certain restrictions are placed on mounts performed from within the application environment. These restrictions prevent the zone administrator from denying service to the rest of the system, or otherwise negatively impacting other zones.

There are security restrictions associated with mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. See File Systems and Non-Global Zones for more information.

Configured Devices in Zones

The zonecfg command uses a rule-matching system to specify which devices should appear in a particular zone. Devices matching one of the rules are included in the zone's /dev file system. For more information, see How to Configure the Zone.

Setting Zone-Wide Resource Controls

The global administrator can set privileged zone-wide resource controls for a zone. Zone-wide resource controls limit the total resource usage of all process entities within a zone.

These limits are specified for both the global and non-global zones by using the zonecfg command. See How to Configure the Zone.

The preferred method for setting a zone-wide resource control is to use the global property name associated with the specific control.

The zone.cpu-shares resource control sets a limit on the number of fair share scheduler (FSS) CPU shares for a zone. CPU shares are first allocated to the zone, and then further subdivided among projects within the zone as specified in the project.cpu-shares entries. For more information, see Using the Fair Share Scheduler on a Solaris System With Zones Installed. The global property name for this control is cpu-shares.

The zone.max-locked-memory resource control limits the amount of locked physical memory available to a zone. The allocation of the locked memory resource across projects within the zone can be controlled by using the project.max-locked-memory resource control. See Table 6-1 for more information. The global property name for this control is max-locked-memory.

The zone.max-lwps resource control enhances resource isolation by preventing too many LWPs in one zone from affecting other zones. The allocation of the LWP resource across projects within the zone can be controlled by using the project.max-lwps resource control. See Table 6-1 for more information. The global property name for this control is max-lwps.

The zone.max-msg-ids, zone.max-sem-ids, zone.max-shm-ids, and zone.max-shm-memory resource controls are used to limit System V resources used by all processes within a zone. The allocation of System V resources across projects within the zone can be controlled by using the project versions of these resource controls. The global property names for these controls are max-msg-ids, max-sem-ids, max-shm-ids, and max-shm-memory.

The zone.max-swap resource control limits swap consumed by user process address space mappings and tmpfs mounts within a zone. The output of prstat -Z displays a SWAP instead of a SIZE column. The swap reported is the total swap consumed by the zone's processes and tmpfs mounts. This value assists in monitoring the swap reserved by each zone, which can be used to choose an appropriate zone.max-swap setting. The global property name for this control is max-swap.

Table 17-1 Zone-Wide Resource Controls

| Control Name | Global Property Name | Description | Default Unit | Value Used For |
|---|---|---|---|---|
| zone.cpu-shares | cpu-shares | Number of fair share scheduler (FSS) CPU shares for this zone | Quantity (shares) | |
| zone.max-locked-memory | max-locked-memory | Total amount of physical locked memory available to a zone. | Size (bytes) | locked property of capped-memory |
| zone.max-lwps | max-lwps | Maximum number of LWPs simultaneously available to this zone | Quantity (LWPs) | |
| zone.max-msg-ids | max-msg-ids | Maximum number of message queue IDs allowed for this zone | Quantity (message queue IDs) | |
| zone.max-sem-ids | max-sem-ids | Maximum number of semaphore IDs allowed for this zone | Quantity (semaphore IDs) | |
| zone.max-shm-ids | max-shm-ids | Maximum number of shared memory IDs allowed for this zone | Quantity (shared memory IDs) | |
| zone.max-shm-memory | max-shm-memory | Total amount of shared memory allowed for this zone | Size (bytes) | |
| zone.max-swap | max-swap | Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone. | Size (bytes) | swap property of capped-memory |

These limits can be specified for running processes by using the prctl command. An example is provided in How to Set FSS Shares in the Global Zone Using the prctl Command. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted.

Configurable Privileges

When a zone is booted, a default set of safe privileges is included in the configuration. These privileges are considered safe because they prevent a privileged process in the zone from affecting processes in other non-global zones on the system or in the global zone. You can use the zonecfg command to do the following:

  • Add to the default set of privileges, understanding that such changes might allow processes in one zone to affect processes in other zones by being able to control a global resource.

  • Remove from the default set of privileges, understanding that such changes might prevent some processes from operating correctly if they require those privileges to run.


Note - There are a few privileges that cannot be removed from the zone's default privilege set, and there are also a few privileges that cannot be added to the set at this time.


For more information, see Privileges in a Non-Global Zone, How to Configure the Zone, and privileges(5).

Including a Comment for a Zone

You can add a comment for a zone by using the attr resource type. For more information, see How to Configure the Zone.

Using the zonecfg Command

The zonecfg command, which is described in the zonecfg(1M) man page, is used to configure a non-global zone. This command can also be used to persistently specify the resource management settings for the global zone.

The zonecfg command can be used in interactive mode, in command-line mode, or in command-file mode. The following operations can be performed using this command:

  • Create or delete (destroy) a zone configuration

  • Add resources to a particular configuration

  • Set properties for resources added to a configuration

  • Remove resources from a particular configuration

  • Query or verify a configuration

  • Commit to a configuration

  • Revert to a previous configuration

  • Rename a zone

  • Exit from a zonecfg session
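The following is an added example, not part of the original Sun documentation: a POSIX shell lint for a zonecfg command file (command-file mode) that reports which of the zone-wide controls described above are unset and which privileges the limitpriv property adds beyond the default set. The zone path and all values in the sample file are constructed; as in Table 17-1, the swap and locked properties of capped-memory are counted as max-swap and max-locked-memory.

```sh
#!/bin/sh
# Constructed zonecfg command file (sample input, not from the original page).
sample_cfg() {
cat <<'EOF'
create
set zonepath=/zones/web01
set cpu-shares=20
set max-lwps=800
set limitpriv=default,sys_time
add capped-memory
set physical=1g
set swap=2g
end
verify
commit
EOF
}

# lint_zonecfg: read a zonecfg command file on stdin, print one finding per line.
#   UNSET <global property name>  - zone-wide control never set
#   ADDED-PRIV <privilege>        - limitpriv grants more than the default set
lint_zonecfg() {
awk '
  /^add[ \t]+capped-memory/ { in_cm = 1; next }   # enter capped-memory scope
  /^end/                    { in_cm = 0; next }   # leave any resource scope
  /^set[ \t]+/ {
    sub(/^set[ \t]+/, "")
    eq = index($0, "="); if (eq == 0) next
    key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
    gsub(/"/, "", val)
    # capped-memory properties map onto the zone-wide controls (Table 17-1)
    if (in_cm && key == "swap")   key = "max-swap"
    if (in_cm && key == "locked") key = "max-locked-memory"
    seen[key] = val
  }
  END {
    n = split("cpu-shares max-lwps max-swap max-locked-memory", want, " ")
    for (i = 1; i <= n; i++)
      if (!(want[i] in seen)) print "UNSET " want[i]
    if ("limitpriv" in seen) {
      m = split(seen["limitpriv"], p, ",")
      for (i = 1; i <= m; i++)   # entries prefixed with ! or - remove a privilege
        if (p[i] != "default" && p[i] !~ /^[!-]/) print "ADDED-PRIV " p[i]
    }
  }'
}

sample_cfg | lint_zonecfg
```

Run against the constructed sample, the lint reports that max-locked-memory is unset and that sys_time has been added to the default privilege set.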

Copyright 1994-2007 Sun Microsystems, Inc.