System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones

Privileges in a Non-Global Zone

Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available within a zone, use the ppriv utility.

The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

The limitpriv property is available beginning with the Solaris 10 11/06 release.

Table 27-1 Status of Privileges in Zones

| Privilege | Status | Notes |
|---|---|---|
| cpc_cpu | Optional | Access to certain cpc(3CPC) counters |
| dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M) |
| dtrace_user | Optional | profile and syscall providers |
| graphics_access | Optional | ioctl(2) access to agpgart_io(7I) |
| graphics_map | Optional | mmap(2) access to agpgart_io(7I) |
| net_rawaccess | Optional in shared-IP zones. Default in exclusive-IP zones. | Raw PF_INET/PF_INET6 packet access |
| proc_clock_highres | Optional | Use of high resolution timers |
| proc_priocntl | Optional | Scheduling control; priocntl(1) |
| sys_ipc_config | Optional | Raising IPC message queue buffer size |
| sys_time | Optional | System time manipulation; xntp(1M) |
| dtrace_kernel | Prohibited | Currently unsupported |
| proc_zone | Prohibited | Currently unsupported |
| sys_config | Prohibited | Currently unsupported |
| sys_devices | Prohibited | Currently unsupported |
| sys_linkdir | Prohibited | Currently unsupported |
| sys_net_config | Prohibited | Currently unsupported |
| sys_res_config | Prohibited | Currently unsupported |
| sys_suser_compat | Prohibited | Currently unsupported |
| proc_exec | Required, Default | Used to start init(1M) |
| proc_fork | Required, Default | Used to start init(1M) |
| sys_mount | Required, Default | Needed to mount required file systems |
| sys_ip_config | Required, Default in exclusive-IP zones. Prohibited in shared-IP zones | Required to boot zone and initialize IP networking in exclusive-IP zone |
| contract_event | Default | Used by contract file system |
| contract_observer | Default | Contract observation regardless of UID |
| file_chown | Default | File ownership changes |
| file_chown_self | Default | Owner/group changes for own files |
| file_dac_execute | Default | Execute access regardless of mode/ACL |
| file_dac_read | Default | Read access regardless of mode/ACL |
| file_dac_search | Default | Search access regardless of mode/ACL |
| file_dac_write | Default | Write access regardless of mode/ACL |
| file_link_any | Default | Link access regardless of owner |
| file_owner | Default | Other access regardless of owner |
| file_setid | Default | Permission changes for setid, setgid, setuid files |
| ipc_dac_read | Default | IPC read access regardless of mode |
| ipc_dac_owner | Default | IPC write access regardless of mode |
| ipc_owner | Default | IPC other access regardless of mode |
| net_icmpaccess | Default | ICMP packet access: ping(1M) |
| net_privaddr | Default | Binding to privileged ports |
| proc_audit | Default | Generation of audit records |
| proc_chroot | Default | Changing of root directory |
| proc_info | Default | Process examination |
| proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory. |
| proc_owner | Default | Process control regardless of owner |
| proc_session | Default | Process control regardless of session |
| proc_setid | Default | Setting of user/group IDs at will |
| proc_taskid | Default | Assigning of task IDs to caller |
| sys_acct | Default | Management of accounting |
| sys_admin | Default | Simple system administration tasks |
| sys_audit | Default | Management of auditing |
| sys_nfs | Default | NFS client support |
| sys_resource | Default | Resource limit manipulation |
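
The Optional, Required and Prohibited rules can be checked before a limitpriv value is committed to a zone configuration. The following Python code is an added example, not part of the Oracle guide: the function name check_limitpriv and its ip_type parameter are hypothetical, the sets are transcribed from Table 27-1 only (Trusted Extensions privileges are left out), and the token syntax (a leading default, and ! or - to remove a privilege) is the one documented in zonecfg(1M).

```python
# Status sets transcribed from Table 27-1 (Table 27-2 privileges are omitted).
DEFAULT = set("""contract_event contract_observer file_chown file_chown_self
file_dac_execute file_dac_read file_dac_search file_dac_write file_link_any
file_owner file_setid ipc_dac_read ipc_dac_owner ipc_owner net_icmpaccess
net_privaddr proc_audit proc_chroot proc_exec proc_fork proc_info
proc_lock_memory proc_owner proc_session proc_setid proc_taskid sys_acct
sys_admin sys_audit sys_mount sys_nfs sys_resource""".split())
OPTIONAL = set("""cpc_cpu dtrace_proc dtrace_user graphics_access graphics_map
proc_clock_highres proc_priocntl sys_ipc_config sys_time""".split())
PROHIBITED = set("""dtrace_kernel proc_zone sys_config sys_devices sys_linkdir
sys_net_config sys_res_config sys_suser_compat""".split())
REQUIRED = {"proc_exec", "proc_fork", "sys_mount"}


def check_limitpriv(spec, ip_type="shared"):
    """Return (resulting privilege set, list of problems) for a limitpriv string."""
    default, optional = set(DEFAULT), set(OPTIONAL)
    prohibited, required = set(PROHIBITED), set(REQUIRED)
    if ip_type == "exclusive":      # the two rows that depend on the IP type
        default |= {"net_rawaccess", "sys_ip_config"}
        required.add("sys_ip_config")
    else:
        optional.add("net_rawaccess")
        prohibited.add("sys_ip_config")
    known = default | optional | prohibited
    # A missing or empty property is equivalent to the default set.
    tokens = [t.strip() for t in spec.split(",") if t.strip()] or ["default"]
    result, problems = set(), []
    for pos, tok in enumerate(tokens):
        name = tok.lstrip("!-")
        if tok == "default" and pos == 0:   # "default" expands only as first token
            result |= default
        elif name not in known:
            problems.append(f"unknown or misplaced token: {tok}")
        elif tok != name:                   # "!priv" or "-priv" removes a privilege
            result.discard(name)
        else:
            result.add(name)
    # Prohibited privileges cannot be in the resulting set; required ones must be.
    problems += [f"prohibited: {p}" for p in sorted(result & prohibited)]
    problems += [f"required but missing: {p}" for p in sorted(required - result)]
    return result, problems
```

An empty problem list means the value satisfies the table's rules for the chosen IP type; the same string can pass for an exclusive-IP zone and fail for a shared-IP zone because of the sys_ip_config row.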

The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.


Note - These privileges are interpreted only if the system is configured with Solaris Trusted Extensions.


Table 27-2 Status of Solaris Trusted Extensions Privileges in Zones

| Solaris Trusted Extensions Privilege | Status | Notes |
|---|---|---|
| file_downgrade_sl | Optional | Set the sensitivity label of file or directory to a sensitivity label that does not dominate the existing sensitivity label |
| file_upgrade_sl | Optional | Set the sensitivity label of file or directory to a sensitivity label that dominates the existing sensitivity label |
| sys_trans_label | Optional | Translate labels not dominated by sensitivity label |
| win_colormap | Optional | Colormap restrictions override |
| win_config | Optional | Configure or destroy resources that are permanently retained by the X server |
| win_dac_read | Optional | Read from window resource not owned by client's user ID |
| win_dac_write | Optional | Write to or create window resource not owned by client's user ID |
| win_devices | Optional | Perform operations on input devices. |
| win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed |
| win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label |
| win_fontpath | Optional | Add an additional font path |
| win_mac_read | Optional | Read from window resource with a label that dominates the client's label |
| win_mac_write | Optional | Write to window resource with a label not equal to the client's label |
| win_selection | Optional | Request data moves without confirmer intervention |
| win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label |
| net_bindmlp | Default | Allows binding to a multilevel port (MLP) |
| net_mac_aware | Default | Allows reading down via NFS |
net_mac_aware
Default
Allows reading down via NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone.

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.