
Utilities That Do Not Work or Are Modified in Non-Global Zones

Utilities That Do Not Work in Non-Global Zones

The following utilities do not work in a zone because they rely on devices that are not normally available:

  • prtconf (see the prtconf(1M) man page)

  • prtdiag (see the prtdiag(1M) man page)

SPARC: Utility Modified for Use in a Non-Global Zone

The eeprom utility can be used in a zone to view settings. The utility cannot be used to change settings. For more information, see the eeprom(1M) and openprom(7D) man pages.

Running Applications in Non-Global Zones

In general, all applications can run in a non-global zone. However, the following types of applications might not be suitable for this environment:

  • Applications that use privileged operations that affect the system as a whole. Examples include operations that set the global system clock or lock down physical memory.

  • The few applications dependent upon certain devices that do not exist in a non-global zone, such as /dev/kmem or /dev/ip.

  • Applications that expect to be able to write into /usr, either at runtime or when being installed, patched, or upgraded. This is because /usr is read-only for a non-global zone by default. Sometimes the issues associated with this type of application can be mitigated without changing the application itself.

Resource Controls Used in Non-Global Zones

For additional information about using a resource management feature in a zone, also refer to the chapter that describes the feature in Part 1 of this guide.

Any of the resource controls and attributes described in the resource management chapters can be set in the global and non-global zone /etc/project file, NIS map, or LDAP directory service. The settings for a given zone affect only that zone. A project running autonomously in different zones can have controls set individually in each zone. For example, Project A in the global zone can be set to project.cpu-shares=10 while Project A in a non-global zone can be set to project.cpu-shares=5. You could also have separate instances of rcapd running in the zones, with each instance operating only on its own zone.

The resource controls and attributes used in a zone to control projects, tasks, and processes within that zone are subject to the additional requirements regarding pools and the zone-wide resource controls.

A "one zone, one pool" rule applies to non-global zones. Multiple non-global zones can share the resources of one pool. Processes in the global zone, however, can be bound by a sufficiently privileged process to any pool. The resource controller poold only runs in the global zone, where there is more than one pool for it to operate on. The poolstat utility run in a non-global zone displays only information about the pool associated with the zone. The pooladm command run without arguments in a non-global zone displays only information about the pool associated with the zone.

Zone-wide resource controls do not take effect when they are set in the project file. A zone-wide resource control is set through the zonecfg utility.

Fair Share Scheduler on a Solaris System With Zones Installed

This section describes how to use the fair share scheduler (FSS) with zones.

FSS Share Division in a Global or Non-Global Zone

FSS CPU shares for a zone are hierarchical. The shares for the global and non-global zones are set by the global administrator through the zone-wide resource control zone.cpu-shares. The project.cpu-shares resource control can then be defined for each project within that zone to further subdivide the shares set through the zone-wide control.

To assign zone shares by using the zonecfg command, see How to Set zone.cpu-shares in the Global Zone. For more information on project.cpu-shares, see Available Resource Controls. Also see Using the Fair Share Scheduler on a Solaris System With Zones Installed for example procedures that show how to set shares on a temporary basis.

Share Balance Between Zones

You can use zone.cpu-shares to assign FSS shares in the global zone and in non-global zones. If FSS is the default scheduler on your system and shares are not assigned, each zone is given one share by default. If you have one non-global zone on your system and you give this zone two shares through zone.cpu-shares, that defines the proportion of CPU that the non-global zone receives relative to the global zone. The ratio of CPU between the two zones is 2:1.
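The two-level share division described in this section (zone.cpu-shares between zones, then project.cpu-shares within each zone) and the per-zone /etc/project settings mentioned under "Resource Controls Used in Non-Global Zones" can be worked through numerically. The following is an added example written for this page, not code from the Sun guide or from Solaris itself. It reads constructed sample /etc/project contents for each zone, applies the one-share default the text states for zones with no shares assigned, and computes the fraction of the machine's CPU each (zone, project) pair receives. It assumes (not stated on this page) that a project with no project.cpu-shares set is treated as holding one share, mirroring the zone default.

```python
"""Hierarchical FSS share arithmetic for a Solaris system with zones.

Added example; not code from the Sun guide. zone.cpu-shares splits CPU
between zones, then project.cpu-shares splits each zone's portion between
its projects.
"""
import re

# Matches the project.cpu-shares rctl in an /etc/project attributes field,
# e.g. project.cpu-shares=(privileged,10,none); the value is the share count.
_CPU_SHARES = re.compile(r"project\.cpu-shares=\(\w+,(\d+),")


def shares_from_project_file(text):
    """Map project name -> project.cpu-shares (None if not set).

    `text` is the contents of one zone's /etc/project file. Each entry is
    projname:projid:comment:user-list:group-list:attributes; only the name
    and the attributes field are used here.
    """
    shares = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue                      # malformed entry: skip, don't guess
        m = _CPU_SHARES.search(fields[5])
        shares[fields[0]] = int(m.group(1)) if m else None
    return shares


def zone_cpu_fractions(zone_shares):
    """Fraction of CPU each zone gets from zone.cpu-shares.

    A zone with no shares assigned (None) counts as one share, as the text
    states for the FSS default.
    """
    shares = {z: 1 if s is None else s for z, s in zone_shares.items()}
    total = sum(shares.values())
    if total == 0:
        raise ValueError("no zone holds any CPU share")
    return {z: s / total for z, s in shares.items()}


def project_cpu_fractions(zones):
    """Fraction of the whole machine each (zone, project) pair receives.

    `zones` maps zone name -> (zone.cpu-shares or None, /etc/project text).
    Assumption not stated on this page: a project without project.cpu-shares
    is treated as holding one share, mirroring the zone default.
    """
    zone_frac = zone_cpu_fractions({z: zs for z, (zs, _) in zones.items()})
    result = {}
    for zone, (_, project_text) in zones.items():
        pshares = {p: 1 if s is None else s
                   for p, s in shares_from_project_file(project_text).items()}
        ptotal = sum(pshares.values())
        if ptotal == 0:
            continue                      # nothing in this zone to subdivide
        for proj, s in pshares.items():
            result[(zone, proj)] = zone_frac[zone] * s / ptotal
    return result


# Constructed sample /etc/project contents, one per zone (not real files).
GLOBAL_PROJECT = """\
# global zone /etc/project (constructed sample)
A:100:Project A:::project.cpu-shares=(privileged,10,none)
B:101:Project B:::project.cpu-shares=(privileged,10,none)
"""
ZONE1_PROJECT = """\
# zone1 /etc/project (constructed sample)
A:100:Project A:::project.cpu-shares=(privileged,5,none)
C:102:Project C, no shares set:::
"""

SAMPLE = {
    "global": (None, GLOBAL_PROJECT),   # shares not assigned -> one share
    "zone1": (2, ZONE1_PROJECT),        # zone.cpu-shares=2 -> 2:1 vs global
}

if __name__ == "__main__":
    for (zone, proj), frac in sorted(project_cpu_fractions(SAMPLE).items()):
        print(f"{zone:8} {proj:8} {frac:6.1%}")
```

With the sample above the global zone holds one share and zone1 holds two, so zone1 receives two thirds of the CPU; inside zone1, Project A's five shares against Project C's one default share give A five sixths of that portion, which is 5/9 of the machine.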

Extended Accounting on a Solaris System With Zones Installed

The extended accounting subsystem collects and reports information for the entire system (including non-global zones) when run in the global zone. The global administrator can also determine resource consumption on a per-zone basis.

The extended accounting subsystem permits different accounting settings and files on a per-zone basis for process-based and task-based accounting. The exacct records can be tagged with the zone name EXD_PROC_ZONENAME for processes, and the zone name EXD_TASK_ZONENAME for tasks. Accounting records are written to the global zone's accounting files as well as the per-zone accounting files. The EXD_TASK_HOSTNAME, EXD_PROC_HOSTNAME, and EXD_HOSTNAME records contain the uname -n value for the zone in which the process or task executed instead of the global zone's node name.

For information about IPQoS flow accounting, see Chapter 36, "Using Flow Accounting and Statistics Gathering (Tasks)," in System Administration Guide: IP Services.

Privileges in a Non-Global Zone

Processes in a non-global zone are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

Table 26-1 Status of Privileges in Zones

Privilege            Status              Notes
cpc_cpu              Optional            Access to certain cpc(3CPC) counters
dtrace_proc          Optional            fasttrap and pid providers; plockstat(1M)
dtrace_user          Optional            profile and syscall providers
gart_access          Optional            ioctl(2) access to agpgart_io(7I)
gart_map             Optional            mmap(2) access to agpgart_io(7I)
net_rawaccess        Optional            Raw PF_INET/PF_INET6 packet access
proc_clock_highres   Optional            Use of high resolution timers
proc_priocntl        Optional            Scheduling control; priocntl(1)
sys_ipc_config       Optional            Raising IPC message queue buffer size
sys_time             Optional            System time manipulation; xntp(1M)
dtrace_kernel        Prohibited          Currently unsupported
proc_zone            Prohibited          Currently unsupported
sys_config           Prohibited          Currently unsupported
sys_devices          Prohibited          Currently unsupported
sys_linkdir          Prohibited          Currently unsupported
sys_net_config       Prohibited          Currently unsupported
sys_res_config       Prohibited          Currently unsupported
sys_suser_compat     Prohibited          Currently unsupported
proc_exec            Required, Default   Used to start init(1M)
proc_fork            Required, Default   Used to start init(1M)
sys_mount            Required, Default   Needed to mount required file systems
contract_event       Default             Used by contract file system
contract_observer    Default             Contract observation regardless of UID
file_chown           Default             File ownership changes
file_chown_self      Default             Owner/group changes for own files
file_dac_execute     Default             Execute access regardless of mode/ACL
file_dac_read        Default             Read access regardless of mode/ACL
file_dac_search      Default             Search access regardless of mode/ACL
file_dac_write       Default             Write access regardless of mode/ACL
file_link_any        Default             Link access regardless of owner
file_owner           Default             Other access regardless of owner
file_setid           Default             Permission changes for setid, setgid, setuid files
ipc_dac_read         Default             IPC read access regardless of mode
ipc_dac_owner        Default             IPC write access regardless of mode
ipc_owner            Default             IPC other access regardless of mode
net_icmpaccess       Default             ICMP packet access: ping(1M)
net_privaddr         Default             Binding to privileged ports
proc_audit           Default             Generation of audit records
proc_chroot          Default             Changing of root directory
proc_info            Default             Process examination
proc_lock_memory     Default             Locking memory; shmctl(2) and mlock(3C)
proc_owner           Default             Process control regardless of owner
proc_session         Default             Process control regardless of session
proc_setid           Default             Setting of user/group IDs at will
proc_taskid          Default             Assigning of task IDs to caller
sys_acct             Default             Management of accounting
sys_admin            Default             Simple system administration tasks
sys_audit            Default             Management of auditing
sys_nfs              Default             NFS client support
sys_resource         Default             Resource limit manipulation
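The rules stated before Table 26-1 (Required privileges must be present, Prohibited ones must be absent, Optional ones may be added through limitpriv) can be checked mechanically before a zone is reconfigured. The following is an added example written for this page, not code from the Sun guide or from zonecfg. Its privilege statuses are transcribed from Table 26-1 above; the limitpriv string syntax it parses (comma-separated names, the keyword "default" for the Default column, and a leading "!" or "-" to remove a name) is an assumption modelled on priv_str_to_set(3C), not something this page specifies.

```python
"""Check a proposed zonecfg limitpriv value against Table 26-1.

Added example; not code from the Sun guide or from zonecfg itself. The
privilege statuses below are transcribed from Table 26-1 on this page.
"""

REQUIRED = {"proc_exec", "proc_fork", "sys_mount"}        # Required, Default
PROHIBITED = {
    "dtrace_kernel", "proc_zone", "sys_config", "sys_devices",
    "sys_linkdir", "sys_net_config", "sys_res_config", "sys_suser_compat",
}
OPTIONAL = {
    "cpc_cpu", "dtrace_proc", "dtrace_user", "gart_access", "gart_map",
    "net_rawaccess", "proc_clock_highres", "proc_priocntl",
    "sys_ipc_config", "sys_time",
}
DEFAULT = REQUIRED | {
    "contract_event", "contract_observer", "file_chown", "file_chown_self",
    "file_dac_execute", "file_dac_read", "file_dac_search", "file_dac_write",
    "file_link_any", "file_owner", "file_setid", "ipc_dac_read",
    "ipc_dac_owner", "ipc_owner", "net_icmpaccess", "net_privaddr",
    "proc_audit", "proc_chroot", "proc_info", "proc_lock_memory",
    "proc_owner", "proc_session", "proc_setid", "proc_taskid", "sys_acct",
    "sys_admin", "sys_audit", "sys_nfs", "sys_resource",
}
KNOWN = DEFAULT | OPTIONAL | PROHIBITED


def parse_limitpriv(spec):
    """Expand a limitpriv string into the set of privilege names it denotes.

    Assumed syntax, modelled on priv_str_to_set(3C) rather than taken from
    this page: comma-separated names, the keyword "default" standing for
    the Default column of Table 26-1, and a leading "!" or "-" removing a
    name already in the set. Tokens are applied left to right.
    """
    privs = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok == "default":
            privs |= DEFAULT
        elif tok[0] in "!-":
            privs.discard(tok[1:])
        else:
            privs.add(tok)
    return privs


def check_limitpriv(spec):
    """Report how a proposed limitpriv value fares against Table 26-1.

    Missing Required privileges, any Prohibited privilege, and names not in
    the table are errors; Optional privileges granted and Default privileges
    dropped are listed so the added or reduced exposure can be reviewed.
    """
    privs = parse_limitpriv(spec)
    missing = sorted(REQUIRED - privs)
    banned = sorted(privs & PROHIBITED)
    unknown = sorted(privs - KNOWN)
    return {
        "ok": not (missing or banned or unknown),
        "missing_required": missing,
        "prohibited": banned,
        "unknown": unknown,
        "optional_granted": sorted(privs & OPTIONAL),
        "removed_from_default": sorted(DEFAULT - privs - REQUIRED),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real zone configuration.
    for spec in ("default",
                 "default,dtrace_proc,dtrace_user",
                 "default,!proc_lock_memory",
                 "default,sys_devices",
                 "default,!sys_mount"):
        report = check_limitpriv(spec)
        print(f"{spec:35} ok={report['ok']}")
        for key, names in report.items():
            if key != "ok" and names:
                print(f"    {key}: {', '.join(names)}")
```

Running the module prints one line per sample value; "default,dtrace_proc,dtrace_user" passes with two Optional privileges flagged for review, "default,sys_devices" fails on a Prohibited privilege, and "default,!sys_mount" fails because a Required privilege has been removed.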

The following table lists all of the Trusted Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.

Note - Trusted Solaris privileges are interpreted only if the system is configured with Trusted Extensions.

Table 26-2 Status of Trusted Solaris Privileges in Zones

Trusted Solaris Privilege   Status     Notes
sys_trans_label             Optional   Translate labels not dominated by sensitivity label
win_colormap                Optional   Colormap restrictions override
win_config                  Optional   Configure or destroy resources that are permanently retained by the X server
win_dac_read                Optional   Read from window resource not owned by client's user ID
win_dac_write               Optional   Write to or create window resource not owned by client's user ID
win_devices                 Optional   Perform operations on input devices
win_dga                     Optional   Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl            Optional   Change sensitivity label of window resource to new label dominated by existing label
win_fontpath                Optional   Add an additional font path
win_mac_read                Optional   Read from window resource with a label that dominates the client's label
win_mac_write               Optional   Write to window resource with a label not equal to the client's label
win_selection               Optional   Request data moves without confirmer intervention
win_upgrade_sl              Optional   Change sensitivity label of window resource to a new label not dominated by existing label
net_bindmlp                 Default    Allows binding to a multilevel port (MLP)
net_mac_aware               Default    Allows reading down through NFS

Copyright 1994-2007 Sun Microsystems, Inc.