System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones
The global zone acts as both the default zone for the system and as a zone for system-wide administrative control. There are administrative issues associated with this dual role. Since applications within the global zone have access to processes and other system objects in other zones, the effect of administrative actions can be wider than expected. For example, service shutdown scripts often use pkill to signal processes of a given name to exit. When such a script is run from the global zone, all such processes in the system will be signaled, regardless of zone.
The system-wide scope is often needed. For example, to monitor system-wide resource usage, you must view process statistics for the whole system. A view of just global zone activity would miss relevant information from other zones in the system that might be sharing some or all of the system resources. Such a view is particularly important when system resources such as CPU are not strictly partitioned using resource management facilities.
Thus, processes in the global zone can observe processes and other objects in non-global zones. This allows such processes to have system-wide observability. The ability to control or send signals to processes in other zones is restricted by the privilege PRIV_PROC_ZONE. The privilege is similar to PRIV_PROC_OWNER because the privilege allows processes to override the restrictions placed on unprivileged processes. In this case, the restriction is that unprivileged processes in the global zone cannot signal or control processes in other zones. This is true even when the user IDs of the processes match or the acting process has the PRIV_PROC_OWNER privilege. The PRIV_PROC_ZONE privilege can be removed from otherwise privileged processes to restrict actions to the global zone.
For information about matching processes by using a zoneidlist, see the pgrep(1) and pkill(1) man pages.
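The following shell sketch is an added example, not part of the original guide. It previews which zones a name-based signal would reach from the global zone, and shows a shutdown helper that confines pkill to the current zone with a zoneidlist. The zone names web01 and db01, the appd process, the PIDs, the function names, and the DRY_RUN and ZONE_OVERRIDE variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Zone names (web01, db01),
# the appd process, PIDs, DRY_RUN and ZONE_OVERRIDE are all assumptions.

# Constructed sample of `ps -e -o zone,pid,fname` as seen from the global zone.
SAMPLE_PS='    ZONE   PID COMMAND
  global   412 inetd
  global  1503 appd
   web01  2210 appd
   web01  2214 cron
    db01  3120 appd'

# Print "zone pid" for every process whose name is exactly $1.
# An optional $2 keeps only that zone, mirroring `pkill -x -z zone name`.
targets() {
    awk -v name="$1" -v zone="$2" '
        NR > 1 && $3 == name && (zone == "" || $1 == zone) { print $1, $2 }'
}

# Comma-separated list of the zones a signal for name $1 would reach.
zones_hit() {
    targets "$1" "$2" | awk '{ print $1 }' | sort -u | paste -sd, -
}

# Shutdown helper: confine pkill to the zone the script is running in.
# DRY_RUN=1 prints the command instead of signalling anything.
stop_service() {
    zone=${ZONE_OVERRIDE:-$(zonename)}   # zonename(1) prints the current zone
    set -- pkill -x -z "$zone" "$1"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Preview on the sample: an unscoped pkill from the global zone reaches
# every zone running appd; the -z form reaches the global zone only.
echo "unscoped: $(printf '%s\n' "$SAMPLE_PS" | zones_hit appd)"
echo "scoped:   $(printf '%s\n' "$SAMPLE_PS" | zones_hit appd global)"
```

On a live system, pipe the real `ps -e -o zone,pid,fname` output into `zones_hit` before changing a shutdown script, and run `stop_service` with DRY_RUN=1 first to confirm the command it would issue.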