This chapter covers general administration tasks and provides usage examples.Using the ppriv Utility Using DTrace in a Non-Global Zone Mounting File Systems in Running Non-Global Zones Adding Non-Global Zone Access to Specific File Systems in the Global Zone Using IP Network Multipathing on a Solaris System With Zones Installed Administering Data-Links in Exclusive-IP Non-Global Zones Using the Fair Share Scheduler on a Solaris System With Zones Installed Using Rights Profiles in Zone Administration Backing Up a Solaris System With Installed Zones Restoring a Non-Global Zone See Chapter 26, Solaris Zones Administration (Overview) for general zone administration topics. Use the ppriv utility to display the zone's privileges.Use the ppriv utility with the l option to list the privileges available on the system. At the prompt, type ppriv l zone to report the set of privileges available in the zone.global# ppriv -l zoneYou will see a display similar to this:contract_event contract_observer cpc_cpu . . . Use the ppriv utility with the l option and the expression zone to list the zone's privileges. Log into the non-global zone. This example uses a zone named my-zone. At the prompt, type ppriv l zone to report the set of privileges available in the zone.my-zone# ppriv -l zoneYou will see a display similar to this:contract_event contract_observer file_chown . . . Use the ppriv utility with the l option, the expression zone, and the v option to list the zone's privileges. Log into the non-global zone. This example uses a zone named my-zone. At the prompt, type ppriv l v zone to report the set of privileges available in the zone, with a description of each privilege.my-zone# ppriv -lv zoneYou will see a display similar to this:contract_event Allows a process to request critical events without limitation. Allows a process to request reliable delivery of all events on any event queue. contract_observer Allows a process to observe contract events generated by contracts created and owned by users other than the process's effective user ID. Allows a process to open contract event endpoints belonging to contracts created and owned by users other than the process's effective user ID. file_chown Allows a process to change a file's owner user ID. Allows a process to change a file's group ID to one other than the process' effective group ID or one of the process' supplemental group IDs. . . . Perform the following steps to use DTrace functionality as described in Running DTrace in a Non-Global Zone.Use the zonecfg limitpriv property to add the dtrace_proc and dtrace_user privileges.global# zonecfg -z my-zone zonecfg:my-zone> set limitpriv="default,dtrace_proc,dtrace_user" zonecfg:my-zone> exitDepending on your requirements, you can add either privilege, or both privileges. Boot the zone.global# zoneadm -z my-zone boot Log in to the zone.global# zlogin my-zone Run the DTrace program.my-zone# dtrace -l To check the status of SMF services in a native non-global zone, use the zlogin command.Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. From the command line, type the following to show all services, including disabled ones.global# zlogin my-zone svcs -a For more information, see Chapter 22, Logging In to Non-Global Zones (Tasks) and svcs1. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Log in to the zone.global# zlogin my-zone Run the svcs command with the a option to show all services, including disabled ones.my-zone# svcs -a For more information, see Chapter 22, Logging In to Non-Global Zones (Tasks) and svcs1. You can mount file systems in a running non-global zone. The following procedures are covered.As the global administrator in the global zone, you can import raw and block devices into a non-global zone. After the devices are imported, the zone administrator has access to the disk. The zone administrator can then create a new file system on the disk and perform one of the following actions:Mount the file system manually Place the file system in /etc/vfstab so that it will be mounted on zone boot As the global administrator, you can also mount a file system from the global zone into the non-global zone. This procedure uses the lofi file driver, which exports a file as a block device. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Change directories to /usr/tmp.global# cd /usr/tmp Create a new UFS file system.global# mkfile 10m fsfile Attach the file as a block device.The first available slot, which is /dev/lofi/1 if no other lofi devices have been created, is used.global# lofiadm -a `pwd`/fsfileYou will also get the required character device. Import the devices into the zone my-zone.global# zonecfg -z my-zone zonecfg:my-zone> add device zonecfg:my-zone:device> set match=/dev/rlofi/1 zonecfg:my-zone:device> end zonecfg:my-zone> add device zonecfg:my-zone:device> set match=/dev/lofi/1 zonecfg:my-zone:device> end Reboot the zone.global# zoneadm -z my-zone boot Log in to the zone and verify that the devices were successfully imported.my-zone# ls -l /dev/*lofi/*You will see a display that is similar to this:brw------- 1 root sys 147, 1 Jan 7 11:26 /dev/lofi/1 crw------- 1 root sys 147, 1 Jan 7 11:26 /dev/rlofi/1 For more information, see the lofiadm1M and lofi7D man pages. You must be the zone administrator and have the Zone Management profile to perform this procedure. This procedure uses the newfs command, which is described in the newfs1M man page. Become superuser, or have the Zone Management rights profile in your list of profiles. In the zone my-zone, create a new file system on the disk.my-zone# newfs /dev/lofi/1 Respond yes at the prompt.newfs: construct a new file system /dev/rlofi/1: (y/n)? yYou will see a display that is similar to this:/dev/rlofi/1: 20468 sectors in 34 cylinders of 1 tracks, 602 sectors 10.0MB in 3 cyl groups (16 c/g, 4.70MB/g, 2240 i/g) super-block backups (for fsck -F ufs -o b=#) at: 32, 9664, 19296, Check the file system for errors.my-zone# fsck -F ufs /dev/rlofi/1You will see a display that is similar to this:** /dev/rlofi/1 ** Last Mounted on ** Phase 1 - Check Blocks and Sizes ** Phase 2 - Check Pathnames ** Phase 3 - Check Connectivity ** Phase 4 - Check Reference Counts ** Phase 5 - Check Cyl groups 2 files, 9 used, 9320 free (16 frags, 1163 blocks, 0.2% fragmentation) Mount the file system.my-zone# mount -F ufs /dev/lofi/1 /mnt Verify the mount.my-zone# grep /mnt /etc/mnttabYou will see a display similar to this:/dev/lofi/1 /mnt ufs rw,suid,intr,largefiles,xattr,onerror=panic,zone=foo,dev=24c0001 1073503869 This procedure is used to mount the block device /dev/lofi/1 on the file system path /mnt. The block device contains a UFS file system. The following options are used:logging is used as the mount option. yes tells the system to automatically mount the file system when the zone boots. /dev/rlofi/1 is the character (or raw) device. The fsck command is run on the raw device if required. Become superuser, or have the Zone Management rights profile in your list of profiles. In the zone my-zone, add the following line to /etc/vfstab:/dev/lofi/1 /dev/rlofi/1 /mnt ufs 2 yes logging Assume that a zone has the zonepath /export/home/my-zone. You want to mount the disk /dev/lofi/1 from the global zone into /mnt in the non-global zone.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. To mount the disk into /mnt in the non-global zone, type the following from the global zone:global# mount -F ufs /dev/lofi/1 /export/home/my-zone/root/mnt For information about lofi, see the lofiadm1M and lofi7D man pages. This procedure enables you to add read-only access to CD or DVD media in a non-global zone. The Volume Management file system is used in the global zone for mounting the media. A CD or DVD can then be used to install a product in the non-global zone. This procedure uses a DVD named jes_05q4_dvd. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Determine whether the Volume Management file system is running in the global zone.global# svcs volfs STATE STIME FMRI online Sep_29 svc:/system/filesystem/volfs:default (Optional) If the Volume Management file system is not running in the global zone, start it.global# svcadm volfs enable Insert the media. Check for media in the drive.global# volcheck Test whether the DVD is automounted.global# ls /cdromYou will see a display similar to the following:cdrom cdrom1 jes_05q4_dvd Loopback mount the file system with the options ro,nodevices (read-only and no devices) in the non-global zone.global# zonecfg -z my-zone zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/cdrom zonecfg:my-zone:fs> set special=/cdrom zonecfg:my-zone:fs> set type=lofs zonecfg:my-zone:fs> add options [ro,nodevices] zonecfg:my-zone:fs> end zonecfg:my-zone> commit zonecfg:my-zone> exit Reboot the non-global zone.global# zoneadm -z my-zone reboot Use the zoneadm list command with the v option to verify the status.global# zoneadm list -vYou will see a display that is similar to the following:ID NAME STATUS PATH BRAND IP 0 global running / native shared 1 my-zone running /export/home/my-zone native shared Log in to the non-global zone.global# zlogin my-zone Verify the DVD-ROM mount.my-zone# ls /cdromYou will see a display similar to this:cdrom cdrom1 jes_05q4_dvd Install the product as described in the product installation guide. Exit the non-global zone.my-zone# exitYou might want to retain the /cdrom file system in your non-global zone. The mount will always reflect the current contents of the CD-ROM drive, or an empty directory if the drive is empty. (Optional) If you want to remove the /cdrom file system from the non-global zone, use the following procedure.global# zonecfg -z my-zone zonecfg:my-zone> remove fs dir=/cdrom zonecfg:my-zone> commit zonecfg:my-zone> exit In a sparse root zone, /usr is mounted read-only from the global zone. You can use this procedure to add a writable directory, such as /usr/local, under /usr in your zone.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Create the directory /usr/local in the global zone.global# mkdir -p /usr/local Specify a directory in the global zone to serve as the backing store for the zone's /usr/local directory.global# mkdir -p /storage/local/my-zone Edit the configuration for the zone my-zone.global# zonecfg -z my-zone Add the loopback-mounted filesystem.zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/usr/local zonecfg:my-zone:fs> set special=/storage/local/my-zone zonecfg:my-zone:fs> set type=lofs zonecfg:my-zone:fs> end zonecfg:my-zone> commit zonecfg:my-zone> exit Boot the zone. This procedure is used to export home directories or other file systems from the global zone into non-global zones on the same system.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Add the loopback-mounted filesystem.global# zonecfg -z my-zone zonecfg:my-zone> add fs zonecfg:my-zone:fs> set dir=/export/home zonecfg:my-zone:fs> set special=/export/home zonecfg:my-zone:fs> set type=lofs zonecfg:my-zone:fs> set options=nodevices zonecfg:my-zone:fs> end zonecfg:my-zone> commit zonecfg:my-zone> exit Add the following line to the zone's /etc/auto_home file:$HOST:/export/home/& IP Network Multipathing (IPMP) in an exclusive-IP zone is configured as it is in the global zone.You can configure one or more physical interfaces into an IP multipathing group, or IPMP group. After configuring IPMP, the system automatically monitors the interfaces in the IPMP group for failure. If an interface in the group fails or is removed for maintenance, IPMP automatically migrates, or fails over, the failed interface's IP addresses. The recipient of these addresses is a functioning interface in the failed interface's IPMP group. The failover feature of IPMP preserves connectivity and prevents disruption of any existing connections. Additionally, IPMP improves overall network performance by automatically spreading out network traffic across the set of interfaces in the IPMP group. This process is called load spreading. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Configure IPMP groups as described in Configuring IPMP Groups in System Administration Guide: IP Services. Use this procedure to configure IPMP in the global zone and extend the IPMP functionality to non-global zones.Each address, or logical interface, should be associated with a non-global zone when you configure the zone. See Using the zonecfg Command and How to Configure the Zone for instructions.This procedure accomplishes the following:The cards bge0 and hme0 are configured together in a group. Address 192.168.0.1 is associated with the non-global zone my-zone. The bge0 card is set as the physical interface. Thus, the IP address is hosted in the group that contains the bge0 and hme0 cards. In a running zone, you can use the ifconfig command to make the association. See Shared-IP Network Interfaces and the ifconfig1M man page.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. In the global zone, configure IPMP groups as described in Configuring IPMP Groups in System Administration Guide: IP Services. Use the zonecfg command to configure the zone. When you configure the net resource, add address 192.168.0.1 and physical interface bge0 to the zone my-zone:zonecfg:my-zone> add net zonecfg:my-zone:net> set address=192.168.0.1 zonecfg:my-zone:net> set physical=bge0 zonecfg:my-zone:net> endOnly bge0 would be visible in non-global zone my-zone. If bge0 subsequently fails and the bge0 data addresses fail over to hme0 in the global zone, the my-zone addresses migrate as well.If address 192.168.0.1 moves to hme0, then only hme0 would now be visible in non-global zone my-zone. This card would be associated with address 192.168.0.1, and bge0 would no longer be visible. The dladm command is used from the global zone to administer data-links.The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. You must be the global administrator in the global zone to administer data-links. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Show the assignment of data-links on the system.global# dladm show-linkprop In the first screen, zone 49bge, which is assigned bge0 has not been bootedglobal# dladm show-linkprop LINK PROPERTY VALUE DEFAULT POSSIBLE bge0 zone -- -- -- ath0 channel 6 -- -- ath0 powermode ? off off,fast,max ath0 radio ? on on,off ath0 speed 11 -- 1,2,5.5,6,9,11,12,18,24,36,48,54 ath0 zone -- -- -- Zone 49bge is booted.global# zoneadm -z 49bge boot The command dladm show-linkprop is run again. Note that the bge0 link is now assigned to 49bge.global# dladm show-linkprop LINK PROPERTY VALUE DEFAULT POSSIBLE bge0 zone 49bge -- -- ath0 channel 6 -- -- ath0 powermode ? off off,fast,max ath0 radio ? on on,off ath0 speed 11 -- 1,2,5.5,6,9,11,12,18,24,36,48,54 ath0 zone -- -- -- The dladm command can be used with the set-linkprop subcommand to temporarily assign data-links to running exclusive-IP zones. Persistent assignment must be made through the zonecfg command.You must be the global administrator in the global zone to administer data-links. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use dladm set-linkprop with the t to add bge0 to a running zone called excl.global# dladm set-linkprop -t -p zone=excl bge0 LINK PROPERTY VALUE DEFAULT POSSIBLE bge0 zone excl -- --The p option produces a display using a stable machine-parseable format. The dladm command can be used with the reset-linkprop subcommand to reset the bge0 link value to unassigned. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use dladm reset-linkprop with the t to undo the zone assignment of the bge0 device.global# dladm set-linkprop -t -p zone=excl bge0 LINK PROPERTY VALUE DEFAULT POSSIBLE bge0 zone excl -- --The p option produces a display using a stable machine-parseable format. If the running zone is using the device, the reassignment fails and an error message is displayed. See Exclusive-IP Zone Is Using Device, so dladm reset-linkprop Fails. Limits specified through the prctl command are not persistent. The limits are only in effect until the system is rebooted. To set shares in a zone permanently, see How to Configure the Zone and How to Set zone.cpu-shares in the Global Zone.The global zone is given one share by default. You can use this procedure to change the default allocation. Note that you must reset shares allocated through the prctl command whenever you reboot the system.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use the prctl utility to assign two shares to the global zone:# prctl -n zone.cpu-shares -v 2 -r -i zone global (Optional) To verify the number of shares assigned to the global zone, type:# prctl -n zone.cpu-shares -i zone global For more information on the prctl utility, see the prctl1 man page. You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration Use the prctl command to specify a new value for cpu-shares. # prctl -i idtype -n zone.cpu-shares -r -v valueidtype is either the zonename or the zoneid. value is the new value. This section covers tasks associated with using rights profiles in non-global zones.The Zone Management profile grants the power to manage all of the non-global zones on the system to a user.You must be the global administrator in the global zone to perform this procedure. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Create a role that includes the Zone Management rights profile, and assign the role to a user.To create and assign the role by using the Solaris Management Console, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Refer to the task “How to Create and Assign a Role By Using the GUI.” To create and assign the role on the command line, see Managing RBAC in System Administration Guide: Security Services. Refer to the task “How to Create a Role From the Command Line.” You can execute zone commands in a profile using the pfexec program. The program executes commands with the attributes specified by the user's profiles in the exec_attr database. The program is invoked by the profile shells pfksh, pfcsh, and pfsh.Use the pfexec program to log in to a zone, for example, my-zone.machine$ pfexec zlogin my-zone The following procedures can be used to back up files in zones. Remember to also back up the zones' configuration files.You can perform full or incremental backups using the ufsdump command. This procedure backs up the zone /export/my-zone to /backup/my-zone.ufsdump, where my-zone is replaced with the name of a zone on your system. You might want to have a separate file system, for example, a file system mounted on /backup, to hold the backups. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. (Optional) Shut down the zone to put the zone in a quiescent state and to avoid creating backups of shared file systems.global# zlogin -S my-zone init 0 Check the zone's status.global# zoneadm list -cvYou will see a display similar to the following:ID NAME STATUS PATH BRAND IP 0 global running / native shared - my-zone installed /export/home/my-zone native shared Perform the backup.global# ufsdump 0f /backup/my-zone.ufsdump /export/my-zoneYou will see a display similar to the following:DUMP: Date of this level 0 dump: Wed Aug 10 16:13:52 2005 DUMP: Date of last level 0 dump: the epoch DUMP: Dumping /dev/rdsk/c0t0d0s0 (bird:/) to /backup/my-zone.ufsdump. DUMP: Mapping (Pass I) [regular files] DUMP: Mapping (Pass II) [directories] DUMP: Writing 63 Kilobyte records DUMP: Estimated 363468 blocks (174.47MB). DUMP: Dumping (Pass III) [directories] DUMP: Dumping (Pass IV) [regular files] DUMP: 369934 blocks (180.63MB) on 1 volume at 432 KB/sec DUMP: DUMP IS DONE Boot the zone.global# zoneadm -z my-zone boot This approach uses the fssnap command, which creates a temporary image of a file system intended for backup operations.This method can be used to provide a clean, consistent backup of the zone files only, and it can be executed while zones are running. However, it is a good idea to suspend or checkpoint active applications that are updating files when the snapshot is created. An application updating files when the snapshot is created might leave these files in an internally inconsistent, truncated, or otherwise unusable state. In the example procedure below, note the following:There is a zone named my-zone under /export/home. /export/home is a separate file system. The destination backup is /backup/my-zone.ufs. You must create the directory backup under /. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Create the snapshot.global# fssnap -o bs=/export /export/homeYou will see a display similar to the following:dev/fssnap/0 Mount the snapshot.global# mount -o ro /dev/fssnap/0 /mnt Back up my-zone from the snapshot.global# ufsdump 0f /backup/my-zone.ufsdump /mnt/my-zoneYou will see a display similar to the following:DUMP: Date of this level 0 dump: Thu Oct 06 15:13:07 2005 DUMP: Date of last level 0 dump: the epoch DUMP: Dumping /dev/rfssnap/0 (pc2:/mnt) to /backup/my-zone.ufsdump. DUMP: Mapping (Pass I) [regular files] DUMP: Mapping (Pass II) [directories] DUMP: Writing 32 Kilobyte records DUMP: Estimated 176028 blocks (85.95MB). DUMP: Dumping (Pass III) [directories] DUMP: Dumping (Pass IV) [regular files] DUMP: 175614 blocks (85.75MB) on 1 volume at 2731 KB/sec DUMP: DUMP IS DONE Unmount the snapshot.global# umount /mnt Delete the snapshot.global# fssnap -d /dev/fssnap/0Note that the snapshot is also removed from the system when the system is rebooted. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Change directories to the root directory.global# cd / Back up my-zone files that are not loopback mounted to /backup/my-zone.cpio.global# find export/my-zone -fstype lofs -prune -o -local | cpio -oc -O /backup/my-zone.cpio type as one line Verify the results.global# ls -l backup/my-zone.cpioYou will see a display similar to the following:-rwxr-xr-x 1 root root 99680256 Aug 10 16:13 backup/my-zone.cpio You should create backup files of your non-global zone configurations. You can use the backups to recreate the zones later if necessary. Create the copy of the zone's configuration after you have logged in to the zone for the first time and have responded to the sysidtool questions. This procedure uses a zone named my-zone and a backup file named my-zone.config to illustrate the process. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Print the configuration for the zone my-zone to a file named my-zone.config.global# zonecfg -z my-zone export > my-zone.config You can use the backup files of your non-global zone configurations to restore non-global zones, if necessary. This procedure uses a zone named my-zone and a backup file named my-zone.config to illustrate the process of restoring a zone. Become superuser, or assume the Primary Administrator role.To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Specify that my-zone.config be used as the zonecfg command file to recreate the zone my-zone.global# zonecfg -z my-zone -f my-zone.config Install the zone.global# zoneadm -z my-zone install To prevent the system from displaying the sysidtool questions upon initial zone login, delete the file zonepath/root/etc/.UNCONFIGURED, for example:global# rm /export/home/my-zone/root/etc/.UNCONFIGURED If you have any zone-specific files to restore, such as application data, manually restore (and possibly hand-merge) files from a backup into the newly created zone's root file system.