Utilities That Do Not Work or Are Modified in Non-Global Zones
Utilities That Do Not Work in Non-Global Zones
The following utilities do not work in a zone because they rely on devices that are not normally available:
prtconf (see the prtconf(1M) man page)
prtdiag (see the prtdiag(1M) man page)
SPARC: Utility Modified for Use in a Non-Global Zone
The eeprom utility can be used in a zone to view settings. The utility cannot be used to change settings. For more information, see the eeprom(1M) and openprom(7D) man pages.
Running Applications in Non-Global Zones
In general, all applications can run in a non-global zone. However, the following types of applications might not be suitable for this environment:
Applications that use privileged operations that affect the system as a whole. Examples include operations that set the global system clock or lock down physical memory.
The few applications dependent upon certain devices that do not exist in a non-global zone, such as /dev/kmem or /dev/ip.
Applications that expect to be able to write into /usr, either at runtime or when being installed, patched, or upgraded. This is because /usr is read-only for a non-global zone by default. Sometimes the issues associated with this type of application can be mitigated without changing the application itself.
Resource Controls Used in Non-Global Zones
For additional information about using a resource management feature in a zone, also refer to the chapter that describes the feature in Part 1 of this guide.
Any of the resource controls and attributes described in the resource management chapters can be set in the global and non-global zone /etc/project file, NIS map, or LDAP directory service. The settings for a given zone affect only that zone. A project running autonomously in different zones can have controls set individually in each zone. For example, Project A in the global zone can be set project.cpu-shares=10 while Project A in a non-global zone can be set project.cpu-shares=5. You could have several instances of rcapd running in each zone, with each instance operating only on its zone.
The resource controls and attributes used in a zone to control projects, tasks, and processes within that zone are subject to the additional requirements regarding pools and the zone-wide resource controls.
A "one zone, one pool" rule applies to non-global zones. Multiple non-global zones can share the resources of one pool. Processes in the global zone, however, can be bound by a sufficiently privileged process to any pool. The resource controller poold only runs in the global zone, where there is more than one pool for it to operate on. The poolstat utility run in a non-global zone displays only information about the pool associated with the zone. The pooladm command run without arguments in a non-global zone displays only information about the pool associated with the zone.
Zone-wide resource controls do not take effect when they are set in the project file. A zone-wide resource control is set through the zonecfg utility.
Fair Share Scheduler on a Solaris System With Zones Installed
This section describes how to use the fair share scheduler (FSS) with zones.
FSS Share Division in a Global or Non-Global Zone
FSS CPU shares for a zone are hierarchical. The shares for the global and non-global zones are set by the global administrator through the zone-wide resource control zone.cpu-shares. The project.cpu-shares resource control can then be defined for each project within that zone to further subdivide the shares set through the zone-wide control.
To assign zone shares by using the zonecfg command, see How to Set zone.cpu-shares in the Global Zone. For more information on project.cpu-shares, see Available Resource Controls. Also see Using the Fair Share Scheduler on a Solaris System With Zones Installed for example procedures that show how to set shares on a temporary basis.
Share Balance Between Zones
You can use zone.cpu-shares to assign FSS shares in the global zone and in non-global zones. If FSS is the default scheduler on your system and shares are not assigned, each zone is given one share by default. If you have one non-global zone on your system and you give this zone two shares through zone.cpu-shares, that defines the proportion of CPU which the non-global zone will receive in relation to the global zone. The ratio of CPU between the two zones is 2:1.
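The following is an added example, not part of this guide, that works through the hierarchical share arithmetic described above: zone.cpu-shares fixes each zone's proportion of the CPU (a zone with no assignment counts as one share), and project.cpu-shares then subdivides that zone's portion among its projects. The zone and project names and share values are constructed for illustration.

```python
from fractions import Fraction

def zone_cpu_fractions(zone_shares):
    """Proportion of CPU each zone receives under FSS.

    zone_shares maps zone name -> zone.cpu-shares value, or None when the
    zone has no assignment (FSS then gives it one share by default).
    """
    effective = {z: (1 if s is None else s) for z, s in zone_shares.items()}
    total = sum(effective.values())
    return {z: Fraction(s, total) for z, s in effective.items()}

def project_cpu_fractions(zone_shares, project_shares):
    """Proportion of the whole machine each (zone, project) pair receives.

    project_shares maps zone name -> {project name: project.cpu-shares}.
    A project's portion is the zone's portion times the project's share of
    the shares assigned within that zone.
    """
    per_zone = zone_cpu_fractions(zone_shares)
    result = {}
    for zone, projects in project_shares.items():
        zone_total = sum(projects.values())
        for project, shares in projects.items():
            result[(zone, project)] = per_zone[zone] * Fraction(shares, zone_total)
    return result

if __name__ == "__main__":
    # Constructed scenario: the global zone keeps its default single share and
    # the one non-global zone is given two shares, the guide's 2:1 case.
    zones = {"global": None, "zone1": 2}
    projects = {"global": {"ProjectA": 10}, "zone1": {"ProjectA": 5, "ProjectB": 15}}
    for key, frac in sorted(project_cpu_fractions(zones, projects).items()):
        print(f"{key[0]:>7}/{key[1]}: {frac} of total CPU")
```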
Extended Accounting on a Solaris System With Zones Installed
The extended accounting subsystem collects and reports information for the entire system (including non-global zones) when run in the global zone. The global administrator can also determine resource consumption on a per-zone basis.
The extended accounting subsystem permits different accounting settings and files on a per-zone basis for process-based and task-based accounting. The exacct records can be tagged with the zone name EXD_PROC_ZONENAME for processes, and the zone name EXD_TASK_ZONENAME for tasks. Accounting records are written to the global zone's accounting files as well as the per-zone accounting files. The EXD_TASK_HOSTNAME, EXD_PROC_HOSTNAME, and EXD_HOSTNAME records contain the uname -n value for the zone in which the process or task executed instead of the global zone's node name.
For information about IPQoS flow accounting, see Chapter 36, "Using Flow Accounting and Statistics Gathering (Tasks)," in System Administration Guide: IP Services.
Privileges in a Non-Global Zone
Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.
The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.
Table 26-1 Status of Privileges in Zones
Privilege | Status | Notes |
---|---|---|
cpc_cpu | Optional | Access to certain cpc(3CPC) counters |
dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M) |
dtrace_user | Optional | profile and syscall providers |
gart_access | Optional | ioctl(2) access to agpgart_io(7I) |
gart_map | Optional | mmap(2) access to agpgart_io(7I) |
net_rawaccess | Optional | Raw PF_INET/PF_INET6 packet access |
proc_clock_highres | Optional | Use of high resolution timers |
proc_priocntl | Optional | Scheduling control; priocntl(1) |
sys_ipc_config | Optional | Raising IPC message queue buffer size |
sys_time | Optional | System time manipulation; xntp(1M) |
dtrace_kernel | Prohibited | Currently unsupported |
proc_zone | Prohibited | Currently unsupported |
sys_config | Prohibited | Currently unsupported |
sys_devices | Prohibited | Currently unsupported |
sys_linkdir | Prohibited | Currently unsupported |
sys_net_config | Prohibited | Currently unsupported |
sys_res_config | Prohibited | Currently unsupported |
sys_suser_compat | Prohibited | Currently unsupported |
proc_exec | Required, Default | Used to start init(1M) |
proc_fork | Required, Default | Used to start init(1M) |
sys_mount | Required, Default | Needed to mount required file systems |
contract_event | Default | Used by contract file system |
contract_observer | Default | Contract observation regardless of UID |
file_chown | Default | File ownership changes |
file_chown_self | Default | Owner/group changes for own files |
file_dac_execute | Default | Execute access regardless of mode/ACL |
file_dac_read | Default | Read access regardless of mode/ACL |
file_dac_search | Default | Search access regardless of mode/ACL |
file_dac_write | Default | Write access regardless of mode/ACL |
file_link_any | Default | Link access regardless of owner |
file_owner | Default | Other access regardless of owner |
file_setid | Default | Permission changes for setid, setgid, setuid files |
ipc_dac_read | Default | IPC read access regardless of mode |
ipc_dac_owner | Default | IPC write access regardless of mode |
ipc_owner | Default | IPC other access regardless of mode |
net_icmpaccess | Default | ICMP packet access: ping(1M) |
net_privaddr | Default | Binding to privileged ports |
proc_audit | Default | Generation of audit records |
proc_chroot | Default | Changing of root directory |
proc_info | Default | Process examination |
proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C) |
proc_owner | Default | Process control regardless of owner |
proc_session | Default | Process control regardless of session |
proc_setid | Default | Setting of user/group IDs at will |
proc_taskid | Default | Assigning of task IDs to caller |
sys_acct | Default | Management of accounting |
sys_admin | Default | Simple system administration tasks |
sys_audit | Default | Management of auditing |
sys_nfs | Default | NFS client support |
sys_resource | Default | Resource limit manipulation |
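As an added example, not taken from this guide, the check below encodes Table 26-1 and validates a proposed limitpriv value before it is applied with zonecfg: the expanded set must contain every required privilege, must contain no prohibited privilege, and must contain only names the table knows. It assumes the limitpriv notation of the keyword default (the zone's default set) plus comma-separated additions, with a leading "!" removing a privilege; the spec strings tested in the main block are constructed.

```python
"""Validate a zonecfg limitpriv specification against Table 26-1."""

OPTIONAL = set("""cpc_cpu dtrace_proc dtrace_user gart_access gart_map
net_rawaccess proc_clock_highres proc_priocntl sys_ipc_config sys_time""".split())
PROHIBITED = set("""dtrace_kernel proc_zone sys_config sys_devices sys_linkdir
sys_net_config sys_res_config sys_suser_compat""".split())
REQUIRED = set("proc_exec proc_fork sys_mount".split())
DEFAULT = REQUIRED | set("""contract_event contract_observer file_chown
file_chown_self file_dac_execute file_dac_read file_dac_search file_dac_write
file_link_any file_owner file_setid ipc_dac_read ipc_dac_owner ipc_owner
net_icmpaccess net_privaddr proc_audit proc_chroot proc_info proc_lock_memory
proc_owner proc_session proc_setid proc_taskid sys_acct sys_admin sys_audit
sys_nfs sys_resource""".split())
KNOWN = OPTIONAL | PROHIBITED | DEFAULT

def expand_limitpriv(spec):
    """Expand e.g. 'default,sys_time,!sys_nfs' into the resulting privilege set.

    Tokens are applied left to right: 'default' adds the whole default set,
    '!name' removes a privilege, anything else adds one.
    """
    result = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok == "default":
            result |= DEFAULT
        elif tok.startswith("!"):
            result.discard(tok[1:])
        else:
            result.add(tok)
    return result

def check_limitpriv(spec):
    """Return the list of problems with spec; an empty list means it is acceptable."""
    privs = expand_limitpriv(spec)
    problems = [f"unknown privilege: {p}" for p in sorted(privs - KNOWN)]
    problems += [f"prohibited in a zone: {p}" for p in sorted(privs & PROHIBITED)]
    problems += [f"required but missing: {p}" for p in sorted(REQUIRED - privs)]
    return problems

if __name__ == "__main__":
    # Constructed candidate values an administrator might try for limitpriv.
    for spec in ("default", "default,sys_time,!sys_nfs",
                 "default,dtrace_kernel", "default,!proc_fork", "sys_time"):
        print(f"{spec!r}: {check_limitpriv(spec) or 'ok'}")
```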
The following table lists all of the Trusted Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.
Note - Trusted Solaris privileges are interpreted only if the system is configured with Trusted Extensions.
Table 26-2 Status of Trusted Solaris Privileges in Zones
Trusted Solaris Privilege | Status | Notes |
---|---|---|
sys_trans_label | Optional | Translate labels not dominated by sensitivity label |
win_colormap | Optional | Colormap restrictions override |
win_config | Optional | Configure or destroy resources that are permanently retained by the X server |
win_dac_read | Optional | Read from window resource not owned by client's user ID |
win_dac_write | Optional | Write to or create window resource not owned by client's user ID |
win_devices | Optional | Perform operations on input devices |
win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed |
win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label |
win_fontpath | Optional | Add an additional font path |
win_mac_read | Optional | Read from window resource with a label that dominates the client's label |
win_mac_write | Optional | Write to window resource with a label not equal to the client's label |
win_selection | Optional | Request data moves without confirmer intervention |
win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label |
net_bindmlp | Default | Allows binding to a multilevel port (MLP) |
net_mac_aware | Default | Allows reading down through NFS |