configure rlim_fd_max and rlim_fd_cur - Solaris Zones

Hi All,
I have little knowledge of Solaris zones configuration; does anyone know how I can "configure" the kernel parameters rlim_fd_max and rlim_fd_cur for a zone, or do something similar? Is this possible?
I have found something that looks like this but I am not sure it is what I am looking for (process.max-file-descriptor).
Thanks in advance,
Andrei 

As far as I know, you can't do it because a zone does not have its own separate kernel.
In Wikipedia you have this confirmation (http://en.wikipedia.org/wiki/Solaris_Containers):
"As a zone does not have its own separate kernel (in contrast to a hardware virtual machine), applications that require direct manipulation of kernel features, such as the ability to directly read or alter kernel memory space, may not work inside of a container."
But anyway, if anybody knows a way to do it, I will be really interested too, as this is a requirement which prevents us from using local zones in production.
Groucho_fr 

Why don't you set these values in the global zone's /etc/system and bounce the container?
Also you may create a project with the desired resource values and assign the whole zone or specific processes to the project.
Babak 

andrei.dumitru wrote:
> Hi All,
> I have little knowledge of Solaris zones configuration; does anyone know how I can "configure" the kernel parameters rlim_fd_max and rlim_fd_cur for a zone, or do something similar? Is this possible?
> I have found something that looks like this but I am not sure it is what I am looking for (process.max-file-descriptor).

process.max-file-descriptor is what you're looking for. You set it in /etc/project instead of /etc/system.
See the docs on Solaris Virtualization or Solaris Containers for /etc/project examples (Chapter 6).
You're going to need to read up on Solaris Projects.
alan 

On the non-global zone machine you have to create a project and set your limit there. If, for example, Oracle wants a certain amount of memory, all you have to do is create an oracle project and set your values in there.

Related

/dev/mem

Hi ,
I have installed Solaris 10 and created a zone. I have an application which uses /dev/mem and /dev/kmem for reading several parameters. These are not copied during the zone's installation.
Does somebody know if there is a way to access /dev/mem and /dev/kmem in the zones created?
Thanks for any answer 
Blech! What apps are reading /dev/mem and /dev/kmem? What are they reading? They've got bigger problems than just not working in a zone -- all bets are off in terms of their binary compatibility from one release to the next, or even from one patch level to the next. We'd like to provide whatever data these apps need via more established mechanisms like /proc or kstats...
- Bryan
----------------------------------------------------------------------------
Bryan Cantrill, Solaris Kernel Development. bmc#eng.sun.com (650) 786-3652
No problem from Sol 2.4 to Sol 2.9 with the last kernel patch. This is used to optimize the app by getting a few performance statistics on the system.
So is there any way to have these files reproduced in the zone?
> No problem from Sol 2.4 to Sol 2.9 with the last kernel
> patch. This is used to optimize the app by
> getting a few performance statistics on the system.

Which performance statistics?
- jonathan
Even I had the same query about how to read /dev/kmem on Solaris 10.
(I understand the risks involved but it's client application we need to support).
We are using /dev/kmem to read Sys V IPC Data as well some file system quota related data.
It seems the symbols I am searching for in /dev/kmem are not present in Solaris 10.
Can anybody guide me on the same? 
I'll agree with everyone who says this is wrong, but it is doable. The "right" way (if this can be called right) is to use the "add device" directive in zonecfg:
add device
set match=/dev/kmem
end
add device
set match=/dev/mem
end
etc. etc. You probably want/need /dev/ksyms too.
You can "hack" these into a running zone with a quick "mknod" in <zoneroot>/dev (using the major and minor numbers from the real device files).
Again, this is the wrong way. /dev/kstat exists in zones and is the right solution (well, mediated by the kstat APIs in libkstat). Talk to your vendor.

Security: Zone vs. Change Root

Hi,
Can someone tell me the security benefits I gain by using zones instead of using change root?
I'm in the process of setting up a couple of DMZ machines. I was playing around with zones to increase the security. I have the feeling I will decrease security instead of increasing it because a zone has far too many features. I can't really install a tiny minimal Solaris with just a couple of files, and if an attacker gets me he can use the zone itself to attack other systems. Correct?
BTW: Is there a Solaris list of minimal required packages? I removed all packages I could but I still found things like ssh, NIS, perl, ... After manually changing SUNW_PKG_ALLZONES I could remove a couple more until the zone crashed.
Right now I see two possibilities to go forward:
1.) Use a zone and change root the application. The zone part looks to me like an awful lot of work.
2.) Forget about zones and install and change root the application directly in the global zone. This will minimize the maintenance: only one system to harden, much faster to set up.
Do you agree or am I missing something?
What are you doing to increase the security on Solaris 10 (as opposed to Solaris 9)?
Are there some guidelines on how to securely set up zones?
I would really like to hear some other thoughts about this.
Thanks for reading and consideration
Matthias 
> What are you doing to increase the security on
> Solaris 10 (as opposed to Solaris 9)?
> Are there some guidelines on how to securely set up
> zones?

Before worrying about using zones this way, you might want to become more familiar with Solaris 10 privileges. That to me is an important concept (which zones use implicitly) that can be added to other servers.
You can remove privileges from a process and it can't get them back. So even if a process were attacked, it wouldn't have any privs that were removed. Chroot attempts to do similar things, but it does it by preventing access to utilities rather than explicit permission. If the attacker can chroot out of the jail, then they own the box.
--
Darren 
First I want to say that I fully agree with Darren here. You can gain a little increase in security by applying tools, but nothing can beat having some basic understanding of the system you're working with.
But, to try and answer your questions..

> Can someone tell me the security benefits I gain by
> using zones instead of using change root?

I have no idea whatsoever what a "change root" may be. If you refer to a chroot then the answer is simple: security. Breaking out of a chroot is rather trivial (just search Google for "breaking out chroot" and see for yourself). One of the stories I kinda like is http://www.bpfh.net/simes/computing/chroot-break.html.
A zone is much more than a mere chroot; it's a whole new (controllable) process.

> I have the feeling I will decrease
> security instead of increasing it because a zone has
> far too many features. I can't really install a tiny
> minimal Solaris with just a couple of files, and if
> an attacker gets me he can use the zone itself to
> attack other systems. Correct?

Wrong. It depends on how you set it up. And even if you use the default (with directory inheritance) you can still disable most of the services.
But it's perfectly possible to install a zone and then start removing all but the core packages.

> What are you doing to increase the security on
> Solaris 10 (as opposed to Solaris 9)?

What Darren already said.

> Are there some guidelines on how to securely set up
> zones?

docs.sun.com, and I'd say in particular:
http://docs.sun.com/app/docs/doc/817-1592
http://docs.sun.com/app/docs/doc/816-4557

> I would really like to hear some other thoughts about
> this.
> Thanks for reading and consideration
> Matthias

solaris zones artful questions ... look inside

1. For about a year now everyone has been able to test and use zones to enjoy fast software OS virtualization, but who really uses zones right now? Are Solaris zones in production now? Are there any evidences that everyone can check and that I can reference?
============================================
2. If "YES", I would very much like to know:
a. What OS platform (SPARC, x86, x86-64) do they use and why?
b. What hardware and OS platform is preferable for cost savings by the ratio (zones)/(hardware cost + support)?
c. What zone density per computer (for rooted and shared zones) is used to work without visible delays? I mean zone installation without ORACLE, MySQL and other "heavy" applications, but with running apache, sshd, and light zone-administrator and other user activity (that constantly call ps, top, ls, emacs, vim and think about what to do this evening). I would appreciate such information: (hardware) - (density for rooted and shared zones).
==========================================
3. Is there an exact term for when ZFS will be released? Will it be open source?
==========================================
4. In what release or update will memory restriction for zones be ready? What memory: physical, virtual or both?
==========================================
5. Are there any plans to improve zone networking? For example, to let the zone administrator configure a firewall inside the zone?
==========================================
I'm using Zones in a production environment, JES portal server. The JES PS is fairly complex to install/configure. By using zones, I was able to take ufsdumps from the global zone. If I broke something, I could simply restore the last working backup. I'm running PS and gateway on a pair of V240s.
Why? Because we can and I immediately wanted the benefits of the zone mechanism.
HTH,
Roger S. 
As to who is using it: I do. I'm using zones on my Cyrix server (800MHz Cyrix (VIA) CPU) running Solaris 10/x86 as well as on a few SPARC servers. Reasons: security (control), resource control and most of all damage control.
As to the rest: why not try and see for yourself?
It's hardly possible to answer since you can even limit the maximum CPU cycles which a zone can use, so basically tune it any way you like.
I also do on a Sun Fire 240. I have three zones running, one exclusively for software development and two for software tests.
So I have one machine for all my needs instead of three standalone machines.
LHG
Juergen 
Ok, thanks. What kind of zone is more suitable for development and for running tests? A rooted one that consumes additional memory and disk space but does not limit package management, or is a shared one enough?
It depends on what you're testing. I myself like the full root zone, regardless of application/purpose. Disk space is cheap. On the other hand, some people probably like the inherent security of a read-only filesystem.
BTW, I feel like I'm taking a marketing survey. Do I get a prize when I'm done? :-)
HTH,
Roger S. 
Full root zone has performance impact, so if you do not care about performance use it. 
> It depends on what you're testing. I myself like
> the full root zone, regardless of
> application/purpose. Disk space is cheap.

Don't forget RAM, too.
If /usr is lofs mounted from the global /usr, then all the zones share library pages in RAM from shared objects in that filesystem (like libc.so). If the zone has a separate /usr, then the pages load separately.
The more running zones you have, the bigger the impact is likely to be.
Unfortunately, I don't know how to quantify it. As far as I know tools like 'prstat' are going to report the same amount of virtual memory use in both situations.
--
Darren 
Interesting comment about performance. How does a full root zone impact system performance?
Roger S. 
hmm ... it seems you are right and it's possibly a real problem. It would be very nice to know the real virtual memory consumed by a shared zone. But as I found out it is not so easy and somebody from the kernel team should fix it. Look at the file vm_rm.c from the kernel source code. When we run prstat -Z the rm_assize(struct as *as) function is called. This function sums certain segment sizes with no attention to whether the pages from a segment are shared. That's why we always have the total VMEM.
How how ... as two + two.
Each time you or the system run executables, these executables load shared libraries. So these libraries remain mapped for all rooted zones and eat memory.
In the case of shared zones (note that directories with libraries are mounted and mapped pages are assigned to inodes) most of the needed libraries are already mapped from the global zone. And the rest of the libraries map only once on first demand. It doesn't matter whether a shared or global zone maps first.
Man we gave you so much insight and only one duke dollar for so many questions? 
So, the "performance issue" is redundant loading of shared libraries? IMHO, if you're that tight on RAM, you need to upgrade your servers. We have a lot of apps that swell to over 200MB due to the application data loaded at runtime. Library size has a relatively small impact on RAM usage.
Also, the shared root zone reminds me too much of the old autoclient days. It's a good idea on paper, but too many apps throw stuff all over the disk. Even Sun's own JES suite requires a full root zone for non-global zone installation. The added flexibility of a full root zone far outweighs the extra RAM used.
YMMV,
Roger S. 
There are other issues such as patching.
Also it really depends on the application, but you will have lots of TLB misses.

To zone or not to zone and capped-cpu question

We have about a dozen Sun servers, each running Solaris 9. Most are V240s running just one application on each server. I am in the process of upgrading to Solaris 10, and know absolutely nothing about Sol 10 other than what I have been researching.
From what I have read so far, it seems to me that I would not need to create any zones and could run everything under the Global zone.
Reason being that there is only 1 application, and really no users other than Sys Admins. Does anyone see anything wrong with this?
Oh, and I need to ensure that our CPU usage stays below 80%. I've read that you can cap CPU usage within zones and thought that I could use the capped-cpu thing to do this.
All I have been reading is the Sun documentation. If anyone can recommend another good Solaris 10 source, I will gladly read it:))
Thanks!! 
zeekstern wrote:
> We have about a dozen Sun servers, each running Solaris 9. Most are V240s running just one application on each server. I am in the process of upgrading to Solaris 10, and know absolutely nothing about Sol 10 other than what I have been researching.
> From what I have read so far, it seems to me that I would not need to create any zones and could run everything under the Global zone.
> Reason being that there is only 1 application, and really no users other than Sys Admins. Does anyone see anything wrong with this?

This is exactly what any Solaris system prior to Solaris 10 looks like. Yes, it's fine. You don't have to create zones.

> Oh, and I need to ensure that our CPU usage stays below 80%. I've read that you can cap CPU usage within zones and thought that I could use the capped-cpu thing to do this.

Who or what is "our"? Do you mean the box never should go above 80% CPU usage? Why not, what are you saving that 20% for?
--
Darren 
Thanks for the reply Darren.
I should have been more clear in my post.
We cannot allow the CPU usage on any box go above 80%. This is in order for us to meet a dumb SLA (Service Level Agreement). The remaining 20% is just wasted. So our solution is to install Solaris 10 and make use of the Resource Manager.
My problem is that I have not been able to find any documentation that says we can use the cap-cpu parameter in the Global zone. I've found some where we could use it in Non-Global Zones, but not the Global one. I prefer to keep things as simple as possible, so if there is a way to cap CPU usage without creating zones, that is the way I would want to go.
Sun support claims this is "outside of our scope and that I need to hire their Professional Services" to get an answer. I don't agree with this but what the heck. But they did offer to help me whenever I get a break/fix problem:))
Any help would be greatly appreciated!! 
Slightly. The nice thing about zones is that you can apply resource constraints to the entire thing.
Global zones are different in that it's much more difficult to try to encompass everything running there. You can do resource limits on objects other than zones. You can do it on projects as well. If you can make your CPU-intensive things (like applications) run in a project, that might be the way to do it.
See the 'prctl' man page for some examples, and the resource_controls man page for available controls. You should have project.cpu-caps available as one.
--
Darren
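The /etc/project file that alan points to in the first thread (for process.max-file-descriptor) and the project resource controls Darren mentions just above share one format: six colon-separated fields, the last holding controls as name=(privilege,value,action) triples, where the CPU control is spelled project.cpu-cap in resource_controls(5) and its value is a percentage of one CPU (100 = one full CPU). The Python below is an added audit example, not code from this thread or from Sun; the project names, ids and limits in it are constructed, and the projid >= 100 cutoff used to pick out "application projects" is an assumption.

```python
import re

# Constructed /etc/project sample (not from any real host): one project with
# deny-action limits, one whose fd limit has action "none" and so enforces nothing.
SAMPLE_ETC_PROJECT = """\
system:0::::
user.root:1::::
default:3::::
app.oracle:100:oracle database:oracle::process.max-file-descriptor=(basic,4096,deny),(privileged,8192,deny);project.max-shm-memory=(privileged,4294967296,deny)
app.web:101:apache:webservd::project.cpu-cap=(privileged,80,deny);process.max-file-descriptor=(basic,1024,none)
"""

# One rctl value triple: (privilege-level, value, action), e.g. (basic,4096,deny).
RCTL_RE = re.compile(r"\((basic|privileged|system),(\d+),([^)]+)\)")


def parse_project_line(line):
    """Split one /etc/project line into its six colon-separated fields and decode
    the attribute field into {name: [(priv, value, action), ...]}; attributes
    without a parenthesised value are kept as plain strings."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 6:
        raise ValueError("expected 6 fields, got %d: %r" % (len(fields), line))
    name, projid, comment, users, groups, attrs = fields
    rctls = {}
    for attr in filter(None, attrs.split(";")):
        key, _, value = attr.partition("=")
        triples = RCTL_RE.findall(value)
        rctls[key] = [(p, int(v), a) for p, v, a in triples] if triples else value
    return {"name": name, "projid": int(projid), "comment": comment,
            "users": [u for u in users.split(",") if u],
            "groups": [g for g in groups.split(",") if g], "rctls": rctls}


def enforced_limit(rctls, name):
    """Lowest value of rctl `name` that carries a deny action, or None when no
    deny-action entry exists (action "none" only records the event)."""
    values = [v for _, v, a in rctls.get(name, []) if a == "deny"]
    return min(values) if values else None


def audit(text, app_projid_min=100):
    """Flag application projects (projid >= app_projid_min, an assumption) that
    lack a deny-action file-descriptor limit or have no CPU cap at all."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        proj = parse_project_line(line)
        if proj["projid"] < app_projid_min:
            continue
        if enforced_limit(proj["rctls"], "process.max-file-descriptor") is None:
            findings.append((proj["name"], "no deny-action process.max-file-descriptor"))
        if enforced_limit(proj["rctls"], "project.cpu-cap") is None:
            findings.append((proj["name"], "no project.cpu-cap set"))
    return findings
```

Run against the real file with audit(open("/etc/project").read()); a limit whose action is "none" shows up as missing on purpose, because it never stops a process from opening more descriptors.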

"ZONE" question of  Solaris 10

Hi,
Recently I have been reading the administrator guide for Solaris 10, and I found the new virtual server concept in Sol 10 is the "ZONE". But I don't understand how it differs from HP's "vPartition" and
IBM's "DLPAR".
Who can help me explain the differences between these?
Thanks in advance,
Regards,
Denis
PS: Maybe this post is placed at wrong place. ;-))
I have no concept of the IBM and HP capabilities in this area.
A zone in Solaris 10 should be thought of as a "cloned" instance of Solaris running within a master global instance of Solaris 10. The "zone" looks and feels like an independent stand-alone Solaris to a normal user / administrator - for the most part. There are some things an administrator can't do in a zone, e.g. changing the network configuration or accessing raw storage, to name a couple.
But a "zone" administrator can compile and install software, run services, set up a web service, trash the environment, or whatever without impacting any other zone on the box.
I've just started playing with zones myself so I'm fairly new at this too. I'm pretty sure there are ways to limit the amount of resources a zone can consume but I don't have details at the moment.
Can anyone help me make the local zone a DHCP client?
Thanks in advance
Regards,
neo 
xdeluo wrote:
> Hi,
> Recently I have been reading the administrator guide for Solaris 10, and I found the new virtual server concept in Sol 10 is the "ZONE". But I don't understand how it differs from HP's "vPartition" and
> IBM's "DLPAR".
> Who can help me explain the differences between these?
> Thanks in advance,
> Regards,
> Denis
> PS: Maybe this post is placed at wrong place. ;-))

IBM's LPAR and DLPAR technology are ways of carving the physical hardware up into subsystems. Each "subsystem" is an entirely independent OS and that means you end up having N full copies of the OS installed that you have to maintain.
I don't have familiarity with HP's vPartition to give you any useful feedback on this.
Zones are a different path altogether. The global zone is the master and each local zone can either share the OS (shared root) or have its own OS (whole root). The IP stack can be independent or shared between the GZ and the LZ. The beauty is that the zone itself has minimal overhead and some applications might run faster in a zone than outside of it.
The GZ can see all of its local zones.
IBM has WPAR technology. On the surface it looks like it might be very similar to zones.
Cheers, 
PATROL wrote:
> Can anyone help me make the local zone a DHCP client?

Only zones using exclusive-ip networking can be a DHCP client. If you're using shared IP this is not available.
--
Darren
