Privileges Defined in lx Branded Zones
Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone.
Default, required default, optional, and prohibited privileges are defined by each brand. You can also add or remove certain privileges by using the limitpriv property, as shown in Step 8 of How to Configure, Verify, and Commit the lx Branded Zone. Table 26-1 lists all of the Solaris privileges and the status of each privilege with respect to zones.
For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.
Using the zonecfg Command to Create an lx Branded Zone
The zonecfg command, which is described in the zonecfg(1M) man page, is used to configure a zone. The zonecfg command can be used in interactive mode, in command-line mode, or in command-file mode. The following operations can be performed using this command:
Create or delete (destroy) a zone configuration
Add resources to a particular configuration
Set properties for resources added to a configuration
Remove resources from a particular configuration
Query or verify a configuration
Commit to a configuration
Revert to a previous configuration
Rename a zone
Exit from a zonecfg session
The zonecfg prompt is of the following form:
zonecfg:zonename>
When you are configuring a specific resource type, such as a file system, that resource type is also included in the prompt:
zonecfg:zonename:fs>
For more information, including procedures that show how to use the various zonecfg components described in this chapter, see How to Configure the lx Branded Zone.
zonecfg Modes
The concept of a scope is used for the user interface. The scope can be either global or resource specific. The default scope is global.
In the global scope, the add subcommand and the select subcommand are used to select a specific resource. The scope then changes to that resource type.
For the add subcommand, the end or cancel subcommand completes the resource specification. For the select subcommand, the end or cancel subcommand completes the resource modification.
In both cases the scope then reverts to global.
Certain subcommands, such as add, remove, and set, have different semantics in each scope.
zonecfg Interactive Mode
In interactive mode, the following subcommands are supported. For detailed information about the semantics and options of each subcommand, see the zonecfg(1M) man page. For any subcommand that could result in destructive actions or loss of work, the system requests user confirmation before proceeding. You can use the -F (force) option to bypass this confirmation.
help | Print general help, or display help about a given resource.
create | Begin configuring an in-memory configuration for the specified new branded zone.
export | Print the configuration to standard output, or to the specified output file, in a form that can be used in a command file.
add | In the global scope, add the specified resource type to the configuration. In the resource scope, add a property of the given name with the given value. See How to Configure the lx Branded Zone and the zonecfg(1M) man page for more information.
set | Set a given property name to the given property value. Note that some properties, such as zonepath, are global, while others are resource specific. Thus, this command is applicable in both the global and resource scopes.
select | Applicable only in the global scope. Select the resource of the given type that matches the given property name-property value pair criteria for modification. The scope is changed to that resource type. You must specify a sufficient number of property name-value pairs for the resource to be uniquely identified.
clear | In the global scope, remove the specified resource type. In a resource scope, clear optional settings.
remove | In the global scope, remove the specified resource type. You must specify a sufficient number of property name-value pairs for the resource type to be uniquely identified. If no property name-value pairs are specified, all instances will be removed. If more than one exists, a confirmation is required unless the -F option is used. In the resource scope, remove the specified property name-property value from the current resource.
end | Applicable only in the resource scope. End the resource specification. The zonecfg command then verifies that the current resource is fully specified.
cancel | Applicable only in the resource scope. End the resource specification and reset the scope to global. Any partially specified resources are not retained.
delete | Destroy the specified configuration. Delete the configuration both from memory and from stable storage. You must use the -F (force) option with delete. Caution - This action is instantaneous. No commit is required, and a deleted zone cannot be reverted.
info | Display information about the current configuration or the global resource properties zonepath, autoboot, and pool. If a resource type is specified, display information only about resources of that type. In the resource scope, this subcommand applies only to the resource being added or modified.
verify | Verify the current configuration for correctness. Ensure that all resources have all of their required properties specified.
commit | Commit the current configuration from memory to stable storage. Until the in-memory configuration is committed, changes can be removed with the revert subcommand. A configuration must be committed to be used by zoneadm. This operation is attempted automatically when you complete a zonecfg session. Because only a correct configuration can be committed, the commit operation automatically does a verify.
revert | Revert the configuration back to the last committed state.
exit | Exit the zonecfg session. You can use the -F (force) option with exit. A commit is automatically attempted if needed. Note that an EOF character can also be used to exit the session.
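The scope model and the in-memory versus committed distinction described above, as a small Python simulator added here for illustration; it is not the zonecfg tool's code or part of this guide. It replays a subset of subcommands in command-file form, and the required-property sets per resource type, the zone path, the network values and the limitpriv value are constructed for the example, not taken from zonecfg(1M).

```python
from copy import deepcopy

# Required properties per resource type are an assumption of this toy; see zonecfg(1M).
REQUIRED = {"fs": {"dir", "special", "type"}, "net": {"address", "physical"}}

class ZoneCfgSim:
    def __init__(self):
        self.mem = {"props": {}, "resources": []}   # in-memory (working) configuration
        self.stable = deepcopy(self.mem)            # last committed configuration
        self.scope = None                           # None = global, else (resource type, props)
    def run(self, line):                            # dispatch one subcommand line
        op, _, arg = line.strip().partition(" ")
        getattr(self, "do_" + op)(arg.strip())      # AttributeError for unsupported subcommands
    def do_create(self, arg):                       # create [-t brand]
        brand = {"brand": arg[3:].strip()} if arg.startswith("-t ") else {}
        self.mem = {"props": brand, "resources": []}
    def do_set(self, arg):                          # valid in both scopes
        key, _, value = arg.partition("=")
        target = self.scope[1] if self.scope else self.mem["props"]
        target[key.strip()] = value.strip().strip('"')
    def do_add(self, arg):                          # global: open a resource scope
        if self.scope is None:
            self.scope = (arg, {})
        else:                                       # resource scope: add a property
            self.do_set(arg)
    def do_end(self, arg):                          # resource must be fully specified
        rtype, props = self.scope
        missing = REQUIRED.get(rtype, set()) - props.keys()
        if missing:
            raise ValueError(f"{rtype} resource is missing {sorted(missing)}")
        self.mem["resources"].append({"type": rtype, **props})
        self.scope = None
    def do_cancel(self, arg):                       # partial resource is discarded
        self.scope = None
    def do_verify(self, arg):                       # minimal check: zonepath required
        if self.scope is not None or "zonepath" not in self.mem["props"]:
            raise ValueError("configuration incomplete: zonepath is required")
    def do_commit(self, arg):                       # commit always verifies first
        self.do_verify(arg)
        self.stable = deepcopy(self.mem)
    def do_revert(self, arg):                       # back to the last committed state
        self.mem = deepcopy(self.stable)

def apply_commands(lines):                          # replay command-file lines
    cfg = ZoneCfgSim()
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            cfg.run(line)
    return cfg
```

Feeding it a command file such as `create -t SUNWlx`, `set zonepath=...`, `add net` ... `end`, `commit` shows why a cancelled resource never reaches the committed configuration and why an uncommitted `set` disappears on `revert`.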