Oracle Documentation
System Administration Guide: Solaris Containers--Resource Management and Solaris Zones
Fair Share Scheduler
Introduction to Resource Pools
Physical Memory Control Using the Resource Capping Daemon
The resource_controls(5) man page contains related information.
From Solaris 10 9/10: Migrating a Physical Solaris System Into a Zone
Note:
Solaris 10 8/07 (Update 4) was the first release to support Zones and Live Upgrade.
Solaris 10 10/08 (Update 6) was the first version to support ZFS root.
From www.oracle.com:
Solaris Containers for System {Admins, Architects, Engineers} PDF slide presentation.
Utility Tools for Management of Solaris Containers in PDF format.
Best Practices for Running Oracle Databases in Solaris Containers in PDF format.
Oracle Partitioning Rules and Solaris 10 Containers in PDF format.
A Solaris Resource Manager quickstart guide.
From Solaris How-To Guides:
Solaris How-To Guides, "Consolidating Servers and Applications" (PDF).
Solaris How-To Guides, "How To Move a Solaris Container" (PDF).
Solaris How-To Guides, "Managing ZFS in Solaris 10 Containers" (PDF).
From Sun BluePrints:
Solaris Containers - What Are They And How To Use Them.
Creating Self-Balancing Solutions with Solaris Containers.
Slicing and Dicing Servers: A Guide to Virtualization and Containment Technologies.
Solaris Containers Architecture Guide.
Working with Solaris Containers and the Solaris Service Manager.
Guide to Solaris Containers.
From Sun Developers:
Sun Developer Network's Bringing Your Application Into the Zone article.
Blogs
Bob Netherton's Weblog entry, Common First Time Mistakes - Containers.
The Clingan Zone blog, Securing a zone using the Solaris Security Toolkit.
The Clingan Zone blog, Simplify zone administration using the global zone: Patches.
The Clingan Zone blog, Simplify zone administration using the global zone: Packages.
Sun Weblog entry, Script to create a zone.
From Menno Lageman's Weblog, Monitoring zone boot and shutdown using DTrace.
A DTrace script to display zone state changes; you can cut and paste it from this page or download it from the link.
Paulo Silva's Weblog Deploying Solaris 8 Systems using Solaris 10 Containers
From Gerry Haskin's blog, Using Solaris Live Upgrade for patching.
From Blog O'Matty, Zone update on attach functionality.
Solaris 10 Update 9 Solaris Containers News
Akamit Blog, Limiting resource usage for Solaris zones
From OpenSolaris.org
The Opensolaris.org Zones and Containers FAQ can be found at the OpenSolaris Community: Zones web portal.
From Opensolaris.org, Creating a Flash Archive of a Zoned System.
Linux in a Zone? See BrandZ a framework that extends the Solaris Zones infrastructure to create Branded Zones, which are zones that contain non-native operating environments.
LISA XVIII paper, Solaris Zones: Operating System Support for Consolidating Commercial Workloads, in PDF format.
Sysadmin journal, Solaris 10 Zones Defense article.
Sysadmin journal, System Security in Solaris 10: Privileges and Zones in Perspective article.
Instructor Brendan Gregg's zone documentation, Documentation: Zones, contains an extensive resource control section.
This PDF file is the multi-processor lab that is part of the LVC course material.
The Route from Solaris 10 Zones to Server Consolidation information from a customer consolidation project using Solaris zones.
The Zone Manager is a script designed to automate and simplify 60% of Solaris 10 zone management tasks.
Procedure to define the netmask on the network resource of a shared-IP zone.
Define the network resource on the target zone using the zonecfg command. Before booting the zone, edit /etc/netmasks in the global zone and add the netmask for the target zone's network; the interfaces of a shared-IP zone are plumbed by the global zone, which takes the mask from this file.
Example:
vi /etc/netmasks
adding the line
10.1.0.0 255.255.255.0
or
After the network resource has been defined on the zone and the zone has been booted, use the ifconfig command from the global zone to set the netmask on the zone's network resource. This change does not persist beyond a zone reboot unless the entry in /etc/netmasks has also been made.
The netmask can also be given as a prefix length on the address during zone configuration, which makes both steps above unnecessary:
zonecfg:spinzone:net> info
net:
address: 192.168.1.61/24
physical: hme0
Solaris 10 8/07 Update 4, NFSv4 Domain Name Configurable During Installation describes using the nfs4_domain keyword in the sysidcfg file.
How to change the terminal type you selected manually during the lab: run sys-unconfig in the zone from the global zone. This removes the zone's system identification and halts the zone; boot it again with zoneadm and answer the identification questions (including the terminal type) on the zone console with zlogin -C.
global-zone# zlogin zonename /usr/sbin/sys-unconfig
How to Use an /etc/sysidcfg File to Perform the Initial Zone Configuration
You must be the global administrator in the global zone to perform this procedure.
Become superuser, or assume the Primary Administrator role.
From the global zone, change directories to the non-global zone's /etc directory:
global# cd /export/home/my-zone/root/etc
Create the sysidcfg file and place it in this directory. The file will look similar to the following. Note that root_password takes the encrypted password string in the form used by /etc/shadow, not a cleartext password.
system_locale=C
terminal=dtterm
network_interface=primary {
hostname=my-zone
}
security_policy=NONE
name_service=NIS {
domain_name=special.example.com
name_server=bird(192.168.112.3)
}
nfs4_domain=dynamic
timezone=US/Central
root_password=eYtmwIm8Gpbak
Boot the zone.
How to add a device or file system to a non-global zone.
This example uses a USB memory stick.
Configure the device in the global zone:
chaos# zonecfg -z my-zone8
zonecfg:my-zone8> add device
zonecfg:my-zone8:device> set match=/dev/dsk/c3t0d0*
zonecfg:my-zone8:device> end
This gives the zone full access to the c3t0d0* devices in /dev/dsk once the zone is (re)booted.
Mount the device from inside the zone:
my-zone8# mount -F pcfs /dev/dsk/c3t0d0p1 /stick
Alternatively, add an fs resource so that the global zone mounts the file system into the zone at zone boot; this method requires the device to be configured before the zone is booted. The resource as shown by info in zonecfg:
fs:
dir: /stick
special: /dev/dsk/c3t0d0p1
raw: /dev/rdsk/c3t0d0p1
type: pcfs
options: [rw]
Additional notes on adding a device to a non-global zone:
A device resource opens a path from the non-global zone to hardware that the global zone also depends on, so the security implications should be considered: a zone that can write a raw disk device can alter any file system on that disk, including the global zone's, and a pattern such as c3t0d0* matches every slice and partition of the disk rather than only the one the zone needs. Match the narrowest device name that works.
If the match= method is used with hard disk partitions, an entry should also be included for the corresponding /dev/rdsk (raw) devices, since utilities such as fsck and newfs operate on the raw device.
Migrating a Physical Solaris System Into a Zone
This feature was added in the Solaris 10 9/10 release.
Step 1.
Assess the source system.
The source must be running the same or an older release of Solaris 10 than the target's global zone and must be of the same architecture (SPARC or x86). Consider applications that use hardware devices directly, and any NFS server function, because these do not work in a non-global zone.
Step 2.
Create an image of the source system.
Several formats can be used: a flash archive, cpio, pax (-x xustar), bzip2- or gzip-compressed cpio, or ufsdump. If the root file system is ZFS, the archive must be created with flarcreate using the cpio or pax archiver option (-L cpio or -L pax), as in the example below. The warning that flarcreate prints is expected: such an archive is only usable for installing the image into a zone, not for a ZFS root pool install.
chaos:/> flarcreate -n 8.1.10 -L cpio /net/ultra20/flar/chaos.flar
Archive format requested is cpio
This archiver format is NOT VALID for flash installation of ZFS root pool.
This format is useful for installing the system image into a zone.
Reissue command without -L option to produce an archive for root pool install.
Full Flash
Checking integrity...
Integrity OK.
Running precreation scripts...
Precreation scripts done.
Determining the size of the archive...
cpio: File size of "etc/mnttab" has decreased by 74
15238396 blocks
1 error(s)
The archive will be approximately 7.26GB.
Creating the archive...
15238436 blocks
Archive creation complete.
Running postcreation scripts...
Postcreation scripts done.
Running pre-exit scripts...
Pre-exit scripts done.
Step 3.
Create a zone.
Use the zonecfg command to create a new zone (create -b starts from a blank configuration rather than the default template):
ultra20:/> zonecfg -z chaoszone "create -b;set zonepath=/export/zones/chaos;add net;set address=192.168.1.202;set physical=nge0;end"
Step 4.
Install the zone.
The -u option updates the packages and patches in the image to match the global zone and runs sys-unconfig on it, so the zone's identity is configured at first boot; use -p instead to preserve the source system's identity (hostname, name service and so on). The archive path must be reachable from the global zone.
ultra20:/> zoneadm -z chaoszone install -u -a /flar/chaos.flar
Log File: /var/tmp/chaoszone.install_log.rpaW7e
Installing: This may take several minutes...
Postprocessing: This may take a while...
Postprocess: Updating the zone software to match the global zone...
Postprocess: Zone software update complete
Postprocess: Updating the image to run within a zone
Result: Installation completed successfully.
Log File: /export/zones/chaos/root/var/log/chaoszone.install2472.log
Step 5.
Configure the zone.
Boot the zone and log in using zlogin -C to complete the system identification on the zone console.
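The Step 1 assessment can be scripted. The following is an added example, not part of the Oracle documentation or of this page: it compares the first line of /etc/release on the source and target systems for architecture and update level, and wraps the Step 2 to 4 commands shown above in functions. It assumes the release line has the form "Oracle Solaris 10 9/10 s10x_u9wos_14a X86" (SPARC systems show s10s_... and SPARC); the release lines used in the typical-use comment are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or this page: a pre-flight
# check for Step 1 of the physical-to-zone migration, plus the Step 2-4
# commands wrapped in functions.  Assumes the first line of /etc/release has
# the form "Oracle Solaris 10 9/10 s10x_u9wos_14a X86" (SPARC: s10s_... SPARC);
# the Solaris 10 FCS line ("Solaris 10 3/05 s10_74L2a SPARC") has no _uN token.

# release_update LINE -> Solaris 10 update number (FCS counts as 0); prints
# nothing if LINE is not a Solaris 10 release line
release_update() {
    _u=$(printf '%s\n' "$1" | sed -n 's/.*s10[a-z]*_u\([0-9][0-9]*\)wos.*/\1/p')
    if [ -n "$_u" ]; then
        echo "$_u"
    elif printf '%s\n' "$1" | grep -q 'Solaris 10 '; then
        echo 0
    fi
}

# release_arch LINE -> the architecture word at the end of the line (SPARC or X86)
release_arch() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# migration_ok SRC_LINE TGT_LINE
# 0 when the source is the same architecture and the same or an older
# Solaris 10 update than the target global zone, 1 (with a reason) otherwise
migration_ok() {
    _su=$(release_update "$1"); _tu=$(release_update "$2")
    _sa=$(release_arch "$1");   _ta=$(release_arch "$2")
    if [ -z "$_su" ] || [ -z "$_tu" ]; then
        echo "not a Solaris 10 release line: '$1' / '$2'" >&2; return 1
    fi
    if [ "$_sa" != "$_ta" ]; then
        echo "architecture mismatch: source $_sa, target $_ta" >&2; return 1
    fi
    if [ "$_su" -gt "$_tu" ]; then
        echo "source is update $_su, newer than target update $_tu" >&2; return 1
    fi
    return 0
}

# Step 2, run on the source system: archive it with flarcreate.  -L cpio is
# required when the root file system is ZFS (see the warning in the output above).
create_source_archive() {   # create_source_archive NAME /net/host/path/name.flar
    flarcreate -n "$1" -L cpio "$2"
}

# Steps 3 and 4, run in the target global zone after migration_ok passes.
migrate_to_zone() {   # migrate_to_zone ZONE ZONEPATH ADDRESS NIC ARCHIVE
    zonecfg -z "$1" "create -b;set zonepath=$2;add net;set address=$3;set physical=$4;end" &&
    zoneadm -z "$1" install -u -a "$5"
}

# Typical use on the target host, with the source's /etc/release copied over
# as source_release (constructed example values):
#   migration_ok "$(head -1 source_release)" "$(head -1 /etc/release)" &&
#   migrate_to_zone chaoszone /export/zones/chaos 192.168.1.202 nge0 /flar/chaos.flar
```

The check refuses a source that is newer than the target because zoneadm install -u can only bring the image up to the global zone's level, not down; an architecture mismatch is refused outright since the archive's binaries would not run.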
This table shows the behavior of packaging in a zone environment, with variances based on the package attribute settings. (Based on the chart in the "Bringing Your Application Into the Zone" document.) The four result cells of each row are given in the order they appear in that chart.
SUNW_PKG_ALLZONES | SUNW_PKG_HOLLOW | SUNW_PKG_THISZONE | Result 1 | Result 2 | Result 3 | Result 4
false | false | false | Add to gz, current lz and future lz | Add to gz only, not to current or future lz | - | -
true | false | false | Add to gz, current lz and future lz | - | - | -
true | true | false | Add to gz; add to pkginfo db in current and future lz | - | - | -
true | true | true | Invalid option combination | Invalid option combination | Invalid option combination | Invalid option combination
false | true | false | Invalid option combination | Invalid option combination | Invalid option combination | Invalid option combination
false | true | true | Invalid option combination | Invalid option combination | Invalid option combination | Invalid option combination
false | false | true | Add to gz only, not to current or future lz | Add to gz only, not to current or future lz | - | -
true | false | true | Invalid option combination | Invalid option combination | Invalid option combination | Invalid option combination
Legend:
gz = global zone
lz = non-global zone
- = no entry
An "invalid option combination" means the package attribute settings do not make sense; not all possible combinations of settings for these three attributes are legal. They should be caught by pkgmk(1) and the package should not be created.
An "operation not allowed" means the pkgadd command will output an error message and fail to add the package, based on the combination of command line options, package attribute settings, and the type of zone pkgadd is being run in.
Software Update Entitlement Policy for Solaris (patches)
Using patchadd in the Global Zone
To add a patch to the global zone and to all non-global zones, run patchadd as the global administrator in the global zone. When patchadd is used in the global zone, the following conditions apply:
The patchadd utility can only add the patch(es) to the global zone and to all non-global zones. This is the default action.
The patchadd utility cannot add the patch(es) to the global zone only or to a subset of the non-global zones.
When you add a patch to the global zone and to all non-global zones, you do not have to consider whether the patch affects areas that are shared from the global zone.
The following steps are performed by the patchadd utility:
The patch is added to the global zone.
The patch database on the global zone is updated.
The patch is added to each non-global zone.
The patch database on each non-global zone is updated.
Using patchadd in a Non-Global Zone
When used in a non-global zone by the zone administrator, patchadd can only be used to add patches to that zone. A patch can be added to a non-global zone in the following cases:
The following steps are performed by the patchadd utility:
Removing Patches in a Zones Environment
The patchrm system utility described in the patchrm(1M) man page is used to remove patches in a zones environment.
Using patchrm in the Global Zone
As the global administrator, you can use the patchrm utility in the global zone to remove patches. The patchrm utility cannot remove patches from the global zone only or from a subset of the non-global zones.
Using patchrm in a Non-Global Zone
As the zone administrator, you can use the patchrm utility in a non-global zone to remove patches from that non-global zone only. Patches cannot affect areas that are shared.
Solaris 10 11/06 (Update 3) added the limitpriv property to the zonecfg command.
Optional privileges are not part of the default set but can be added to a non-global zone.
Prohibited privileges cannot be added to a non-global zone.
Required privileges are part of the default set and cannot be removed.
Default privileges are the default set of privileges in a non-global zone; the keyword default expands to this set.
When using the limitpriv property it is common to add privileges to or remove privileges from the default set: list the default keyword first, then the additions, and prefix a privilege with ! to remove it. A privilege that is not in the resulting set is unavailable to every process in the zone, root included, so an application that must, for example, set the system clock has to be granted sys_time here; running it as root inside the zone does not help.
Example:
limitpriv=default,sys_time,!net_rawaccess
The sys_time privilege is added and net_rawaccess is removed. Note that net_rawaccess is only in the default set of an exclusive-IP zone (see the table below), so the negation has no effect in a shared-IP zone, where the privilege is already absent.
Status of Privileges in Zones
Privilege | Status | Notes
cpc_cpu | Optional | Access to certain cpc(3CPC) counters
dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M)
dtrace_user | Optional | profile and syscall providers
gart_access | Optional | ioctl(2) access to agpgart_io(7I)
gart_map | Optional | mmap(2) access to agpgart_io(7I)
net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access
proc_clock_highres | Optional | Use of high resolution timers
proc_priocntl | Optional | Scheduling control; priocntl(1)
sys_ipc_config | Optional | Raising IPC message queue buffer size
sys_time | Optional | System time manipulation; xntp(1M)
dtrace_kernel | Prohibited | Currently unsupported
proc_zone | Prohibited | Currently unsupported
sys_config | Prohibited | Currently unsupported
sys_devices | Prohibited | Currently unsupported
sys_linkdir | Prohibited | Currently unsupported
sys_net_config | Prohibited | Currently unsupported
sys_res_config | Prohibited | Currently unsupported
sys_suser_compat | Prohibited | Currently unsupported
proc_exec | Required, Default | Used to start init(1M)
proc_fork | Required, Default | Used to start init(1M)
sys_mount | Required, Default | Needed to mount required file systems
sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone
contract_event | Default | Used by contract file system
contract_observer | Default | Contract observation regardless of UID
file_chown | Default | File ownership changes
file_chown_self | Default | Owner/group changes for own files
file_dac_execute | Default | Execute access regardless of mode/ACL
file_dac_read | Default | Read access regardless of mode/ACL
file_dac_search | Default | Search access regardless of mode/ACL
file_dac_write | Default | Write access regardless of mode/ACL
file_link_any | Default | Link access regardless of owner
file_owner | Default | Other access regardless of owner
file_setid | Default | Permission changes for setid, setgid, setuid files
ipc_dac_read | Default | IPC read access regardless of mode
ipc_dac_write | Default | IPC write access regardless of mode (the privilege name is ipc_dac_write, as in privileges(5))
ipc_owner | Default | IPC other access regardless of mode
net_icmpaccess | Default | ICMP packet access: ping(1M)
net_privaddr | Default | Binding to privileged ports
proc_audit | Default | Generation of audit records
proc_chroot | Default | Changing of root directory
proc_info | Default | Process examination
proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory.
proc_owner | Default | Process control regardless of owner
proc_session | Default | Process control regardless of session
proc_setid | Default | Setting of user/group IDs at will
proc_taskid | Default | Assigning of task IDs to caller
sys_acct | Default | Management of accounting
sys_admin | Default | Simple system administration tasks
sys_audit | Default | Management of auditing
sys_nfs | Default | NFS client support
sys_resource | Default | Resource limit manipulation
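A limitpriv string is easy to get subtly wrong (a required privilege negated, a prohibited one added, or a negation that does nothing because the privilege was never in the default set). The following is an added example, not Oracle's or this page's code: it expands a limitpriv value offline the way the explanation above describes, using the default, required and prohibited sets transcribed from the table above, and fails on what zonecfg would refuse. The ip-type argument (shared or exclusive) is this script's own; it selects the sys_ip_config and net_rawaccess status the table gives per zone type. Privileges the table does not list are passed through unchecked.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or this page: expand a
# zonecfg limitpriv value offline and reject what zonecfg itself would refuse
# (removing a required privilege, granting a prohibited one).  The privilege
# sets are transcribed from the "Status of Privileges in Zones" table on this
# page; a privilege the table does not list is passed through unchecked.

DEFAULT_PRIVS="contract_event contract_observer file_chown file_chown_self
file_dac_execute file_dac_read file_dac_search file_dac_write file_link_any
file_owner file_setid ipc_dac_read ipc_dac_write ipc_owner net_icmpaccess
net_privaddr proc_audit proc_chroot proc_exec proc_fork proc_info
proc_lock_memory proc_owner proc_session proc_setid proc_taskid sys_acct
sys_admin sys_audit sys_mount sys_nfs sys_resource"
REQUIRED_PRIVS="proc_exec proc_fork sys_mount"
PROHIBITED_PRIVS="dtrace_kernel proc_zone sys_config sys_devices sys_linkdir
sys_net_config sys_res_config sys_suser_compat"

# in_set WORD "LIST": succeeds when WORD is one of the words in LIST
in_set() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# expand_limitpriv "default,sys_time,!net_rawaccess" [shared|exclusive]
# Prints the effective privilege set sorted, one per line.  Returns 1 (with
# a reason on stderr) if the value removes a required privilege, adds a
# prohibited one, or contains an empty token.  The ip-type matters: in an
# exclusive-IP zone net_rawaccess and sys_ip_config are in the default set
# and sys_ip_config is required; in a shared-IP zone sys_ip_config is prohibited.
expand_limitpriv() {
    _spec=$1
    _defaults=$DEFAULT_PRIVS; _required=$REQUIRED_PRIVS; _prohibited=$PROHIBITED_PRIVS
    if [ "${2:-shared}" = exclusive ]; then
        _defaults="$_defaults net_rawaccess sys_ip_config"
        _required="$_required sys_ip_config"
    else
        _prohibited="$_prohibited sys_ip_config"
    fi
    _set=""; _rc=0
    _ifs=$IFS; IFS=,; set -f; set -- $_spec; set +f; IFS=$_ifs   # split on commas only
    for _tok in "$@"; do
        case $_tok in
        "")      echo "empty token in limitpriv" >&2; _rc=1 ;;
        default) _set="$_set $_defaults" ;;
        !*)
            _p=${_tok#!}
            if in_set "$_p" "$_required"; then
                echo "cannot remove required privilege $_p" >&2; _rc=1
            else
                _new=""
                for _w in $_set; do
                    [ "$_w" = "$_p" ] || _new="$_new $_w"
                done
                _set=$_new
            fi ;;
        *)
            if in_set "$_tok" "$_prohibited"; then
                echo "prohibited privilege $_tok cannot be granted to a zone" >&2; _rc=1
            else
                _set="$_set $_tok"
            fi ;;
        esac
    done
    printf '%s\n' $_set | sort -u
    return $_rc
}

# Typical use: review the effective set before committing it to the zone.
#   expand_limitpriv "default,sys_time,!net_rawaccess" exclusive &&
#   zonecfg -z ozone "set limitpriv=default,sys_time,!net_rawaccess"
```

The printed set is what every process in the zone, root included, is bounded by; reviewing it is the quickest way to confirm that an application really needs what it was granted and that nothing from the prohibited group slipped in.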
The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.
Note - These privileges are interpreted only if the system is configured with Solaris Trusted Extensions.
Table 26.2 Status of Solaris Trusted Extensions Privileges in Zones
Solaris Trusted Extensions Privilege | Status | Notes
sys_trans_label | Optional | Translate labels not dominated by sensitivity label
win_colormap | Optional | Colormap restrictions override
win_config | Optional | Configure or destroy resources that are permanently retained by the X server
win_dac_read | Optional | Read from window resource not owned by client's user ID
win_dac_write | Optional | Write to or create window resource not owned by client's user ID
win_devices | Optional | Perform operations on input devices
win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label
win_fontpath | Optional | Add an additional font path
win_mac_read | Optional | Read from window resource with a label that dominates the client's label
win_mac_write | Optional | Write to window resource with a label not equal to the client's label
win_selection | Optional | Request data moves without confirmer intervention
win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label
net_bindmlp | Default | Allows binding to a multilevel port (MLP)
net_mac_aware | Default | Allows reading down via NFS
Zone configuration options added in Solaris 10 8/07 (Update 4)
Branded Zones
BrandZ provides the framework to create non-global branded zones that contain non-native operating environments. Branded zones are used on the Solaris Operating System to run applications. The first brand available is the lx brand, Solaris Containers for Linux Applications. The lx brand provides a Linux environment for your applications and runs on x86 and x64 machines.
Exclusive-IP Non-Global Zones:
The ip-type property is set in the global scope of the zonecfg command and can be set to shared or exclusive. With shared, the zone uses the global zone's IP stack (interfaces, routing table and IP tuning are shared), and the zone's addresses are assigned by the global zone from the net resource; this is the default and was the only behavior prior to the Solaris 10 8/07 release.
When ip-type is set to exclusive, only the physical property of the net resource is set: the zone receives the whole data link and configures its own addresses from inside, so no address property is given. Note that net_rawaccess is in the default privilege set of an exclusive-IP zone, so processes in it can send and receive raw packets on that link, which a shared-IP zone cannot do by default.
zonecfg:ozone> set ip-type=exclusive
zonecfg:ozone> add net
zonecfg:ozone:net> set physical=bge1
zonecfg:ozone:net> end
Full IP-level functionality is available in an exclusive-IP zone.
An exclusive-IP zone has its own IP-related state.
This includes the ability to use the following features in an exclusive-IP zone:
DHCPv4 and IPv6 stateless address autoconfiguration
IP Filter, including network address translation (NAT) functionality
IP Network Multipathing (IPMP)
IP routing
ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
IP security (IPsec) and IKE, which automates the provision of authenticated keying material for IPsec security association
bootargs
The bootargs property is set in the global scope of the zonecfg command. The bootargs defines arguments (options) to be passed to the zone bootup, unless options are supplied to the zoneadm boot command, in which case those take precedence. The valid arguments are described in zoneadm(1M).
zonecfg:ozone> set bootargs="-m verbose"
capped-memory
The capped-memory resource limits physical, swap, and locked memory properties. The physical property sets the max-rss for this zone. This will be enforced by rcapd(1M) running in the global zone. The swap property is the preferred way to set the zone.max-swap rctl. The locked property is the preferred way to set the zone.max-locked-memory rctl.
zonecfg:ozone> add capped-memory
zonecfg:ozone:capped-memory> set physical=500m
zonecfg:ozone:capped-memory> set swap=256m
zonecfg:ozone:capped-memory> end
dedicated-cpu
The dedicated-cpu resource specifies that a subset of the system's processors should be dedicated to a non-global zone while it is running. When the zone boots, the system dynamically creates a temporary pool for use while the zone is running.
The dedicated-cpu resource sets limits for ncpus and, optionally, importance.
ncpus
Specify the number of CPUs, or a range such as 2-4 CPUs. If you specify a range because you want dynamic resource pool behavior, also do the following:
Set the importance property.
Enable the poold service.
importance
The importance property, which is optional, defines the relative importance of the pool. It is only needed when you specify a range for ncpus and are using dynamic resource pools managed by poold. If poold is not running, importance is ignored. If poold is running and importance is not set, it defaults to 1.
Solaris 10 8/07 Zone-Wide Resource Controls
Control Name | Global Property Name | Description | Default Unit | Value Used For
zone.cpu-shares | cpu-shares | Number of fair share scheduler (FSS) CPU shares for this zone | Quantity (shares) | -
zone.max-locked-memory | - | Total amount of physical locked memory available to a zone. If priv_proc_lock_memory is assigned to a zone, consider setting this resource control as well, to prevent that zone from locking all memory. | Size (bytes) | locked property of capped-memory
zone.max-lwps | max-lwps | Maximum number of LWPs simultaneously available to this zone | Quantity (LWPs) | -
zone.max-msg-ids | max-msg-ids | Maximum number of message queue IDs allowed for this zone | Quantity (message queue IDs) | -
zone.max-sem-ids | max-sem-ids | Maximum number of semaphore IDs allowed for this zone | Quantity (semaphore IDs) | -
zone.max-shm-ids | max-shm-ids | Maximum number of shared memory IDs allowed for this zone | Quantity (shared memory IDs) | -
zone.max-shm-memory | max-shm-memory | Total amount of System V shared memory allowed for this zone | Size (bytes) | -
zone.max-swap | - | Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone | Size (bytes) | swap property of capped-memory
Solaris 10 5/08 (Update 5) introduces CPU caps. CPU caps provide absolute, fine-grained limits on the amount of CPU resources that can be consumed by a project or a zone. Unlike FSS shares, which only divide CPU time between competing workloads and let an uncontended workload consume everything, a cap is enforced even when the machine is otherwise idle.
Two new controls are added, project.cpu-cap and zone.cpu-cap. The value is in units of 1% of a CPU: 100 represents one full CPU, and the controls are an absolute cap on the CPU resource.
Project CPU cap example (an /etc/project entry):
user.akolb:1234::::project.cpu-cap=(privileged,600,deny)
Sets a 6 CPU limit for the project user.akolb.
Zone CPU cap example:
zonecfg:myzone> add rctl
zonecfg:myzone:rctl> set name=zone.cpu-cap
zonecfg:myzone:rctl> add value (priv=privileged,limit=300,action=deny)
zonecfg:myzone:rctl> end
Sets a 3 CPU limit for the zone myzone.
Dynamically change a CPU cap for a project:
$ prctl -r -t privileged -n project.cpu-cap -v 80 -i project group.staff
Replaces the CPU cap on the project group.staff, making the new cap 80% of one CPU, regardless of the number of CPUs to which the project has access. A cap changed with prctl applies only to the running project and does not survive a reboot; to make it persistent, put it in /etc/project.
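The capped-memory and zone.cpu-cap settings above are usually prepared for several zones at once, and the conversions (CPUs to cpu-cap units, k/m/g sizes) are where mistakes creep in. The following is an added example, not Oracle's or this page's code: it validates the values, converts a CPU count such as 1.5 into cpu-cap units using the 100-units-per-CPU rule from the text, refuses a cap larger than the host has CPUs or a locked cap larger than the physical cap, and prints a zonecfg command file for the capped-memory resource and the zone.cpu-cap rctl. The HOST_CPUS argument is this script's own; the typical-use comment assumes it comes from psrinfo in the global zone.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or this page: build a
# zonecfg(1M) command file that sets the capped-memory resource and the
# zone.cpu-cap rctl described above, after validating the values.  The
# "100 units = one CPU" rule and the k/m/g size suffixes follow the page;
# HOST_CPUS is assumed to come from "psrinfo | wc -l" in the global zone.

# to_bytes 500m -> 524288000.  Accepts a whole number with optional
# k/m/g suffix (binary multiples); returns 1 on anything else.
to_bytes() {
    _n=${1%[kmgKMG]}
    case $_n in "" | *[!0-9]*) return 1 ;; esac
    _n=${_n#${_n%%[!0]*}}; : "${_n:=0}"        # drop leading zeros (no octal)
    case $1 in
    *[kK]) echo $((_n * 1024)) ;;
    *[mM]) echo $((_n * 1048576)) ;;
    *[gG]) echo $((_n * 1073741824)) ;;
    *)     echo "$_n" ;;
    esac
}

# cpus_to_cap 1.5 -> 150: a CPU count with at most two decimals to cpu-cap units.
cpus_to_cap() {
    case $1 in "" | . | *[!0-9.]* | *.*.*) return 1 ;; esac
    _int=${1%%.*}
    _frac=${1#*.}; [ "$_frac" != "$1" ] || _frac=""   # no '.' -> no fraction
    case $_frac in ???*) return 1 ;; esac
    _frac=$(printf '%-2s' "$_frac" | tr ' ' 0)         # ".5" means 50/100
    _int=${_int#${_int%%[!0]*}};    : "${_int:=0}"
    _frac=${_frac#${_frac%%[!0]*}}; : "${_frac:=0}"
    _cap=$((_int * 100 + _frac))
    [ "$_cap" -gt 0 ] || return 1
    echo "$_cap"
}

# zone_caps_cmds ZONE HOST_CPUS CPUS PHYSICAL SWAP [LOCKED]
# Prints zonecfg commands for "zonecfg -z ZONE -f file"; returns 1 on bad
# input, a cap above the host's CPU count, or a locked cap above physical
# (rcapd enforces the physical cap by paging, and locked pages cannot be paged).
zone_caps_cmds() {
    case $2 in "" | *[!0-9]*) echo "$1: bad host CPU count '$2'" >&2; return 1 ;; esac
    _cap=$(cpus_to_cap "$3")  || { echo "$1: bad CPU count '$3'" >&2; return 1; }
    _phys=$(to_bytes "$4")    || { echo "$1: bad physical size '$4'" >&2; return 1; }
    to_bytes "$5" >/dev/null  || { echo "$1: bad swap size '$5'" >&2; return 1; }
    if [ "$_cap" -gt $(($2 * 100)) ]; then
        echo "$1: cap of $_cap exceeds the $2 CPUs on this host" >&2; return 1
    fi
    if [ -n "$6" ]; then
        _locked=$(to_bytes "$6") || { echo "$1: bad locked size '$6'" >&2; return 1; }
        if [ "$_locked" -gt "$_phys" ]; then
            echo "$1: locked cap $6 exceeds physical cap $4" >&2; return 1
        fi
    fi
    printf 'add capped-memory\nset physical=%s\nset swap=%s\n' "$4" "$5"
    [ -z "$6" ] || printf 'set locked=%s\n' "$6"
    printf 'end\nadd rctl\nset name=zone.cpu-cap\n'
    printf 'add value (priv=privileged,limit=%s,action=deny)\nend\n' "$_cap"
}

# Typical use in the global zone:
#   zone_caps_cmds myzone "$(psrinfo | wc -l)" 1.5 500m 1g 256m > /tmp/myzone.cfg &&
#   zonecfg -z myzone -f /tmp/myzone.cfg
```

Writing the commands to a file and applying it with zonecfg -f keeps the whole change reviewable and repeatable; the cap-versus-host check exists because a zone.cpu-cap above the machine's CPU count is accepted by zonecfg but limits nothing.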