Creating and Using Oracle® Solaris Zones

Updated: August 2019

Monitoring a System With Non-Global Zones

In general, non-global zones and their processes are visible to the global zone but cannot see each other's processes. As on systems without zones, you can limit what is visible remotely, create core files, set time, run DTrace, and view statistics.

Global Zone Visibility and Access

The global zone acts as both the default zone for the system and as a zone for system-wide administrative control. There are administrative issues associated with this dual role. Because applications within the global zone have access to processes and other system objects in other zones, the effect of administrative actions can be wider than expected. For example, service shutdown scripts often use pkill to signal processes of a given name to exit. When such a script is run from the global zone, all such processes in the system will be signaled, regardless of zone.

The system-wide scope is often needed. For example, to monitor system-wide resource usage, you must view process statistics for the whole system. A view of just global zone activity would miss relevant information from other zones in the system that might be sharing some or all of the system resources. Such a view is particularly important when system resources such as CPU are not strictly partitioned using resource management facilities.

Thus, processes in the global zone can observe processes and other objects in non-global zones. This allows such processes to have system-wide observability. The ability to control or send signals to processes in other zones is restricted by the privilege proc_zone. The privilege is similar to proc_owner because the privilege allows processes to override the restrictions placed on unprivileged processes. In this case, the restriction is that unprivileged processes in the global zone cannot signal or control processes in other zones. This is true even when the user IDs of the processes match or the acting process has the proc_owner privilege. The proc_zone privilege can be removed from otherwise privileged processes to restrict actions to the global zone.

For information about matching processes by using a zoneidlist, see the pgrep(1) and pkill(1) man pages.
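The scoping problem described above, as an added example that is not part of the Oracle documentation: the functions below read `ps -e -o zone,pid,comm` output and report which zones a name-based signal sent from the global zone would reach, then narrow the match to a single zone. The process list, the zone names webzone and dbzone, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -e -o zone,pid,comm` output from the global zone.
SAMPLE_PS='    ZONE   PID COMMAND
  global  1201 sshd
  global  1377 httpd
 webzone  2210 httpd
 webzone  2214 /usr/apache2/bin/httpd
  dbzone  3105 httpd
  dbzone  3150 postgres'

# blast_radius NAME: read ps output on stdin and print "zone count" for
# every zone holding a process named NAME, that is, every zone an unscoped
# `pkill NAME` run from the global zone would signal.
blast_radius() {
    awk -v name="$1" '
        NR > 1 { n = split($3, part, "/"); if (part[n] == name) hit[$1]++ }
        END    { for (z in hit) print z, hit[z] }' | sort
}

# pids_in_zone ZONE NAME: print only the PIDs of NAME that run in ZONE,
# comparable to what `pgrep -x -z ZONE NAME` selects on a live system.
pids_in_zone() {
    awk -v zone="$1" -v name="$2" '
        NR > 1 && $1 == zone {
            n = split($3, part, "/")
            if (part[n] == name) print $2
        }'
}

echo "Zones an unscoped 'pkill httpd' would reach:"
printf '%s\n' "$SAMPLE_PS" | blast_radius httpd
echo "PIDs a global-zone-only shutdown should signal:"
printf '%s\n' "$SAMPLE_PS" | pids_in_zone global httpd

# Live equivalents on Oracle Solaris, run from the global zone:
#   ps -e -o zone,pid,comm | blast_radius httpd
#   pkill -x -z global httpd   # scoped replacement for a bare `pkill httpd`
```

More than one line of output from blast_radius means the script's signal would cross zone boundaries unless it is given a -z zoneidlist.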

Process ID Visibility in Zones

Only processes in the same zone will be visible through system call interfaces that take process IDs, such as the kill and priocntl commands. For information, see the kill(1) and the priocntl(1) man pages.

System Observability in Zones

When the ps command is run in the global zone, user and group names are resolved using the global zone's name services. Processes running in a non-global zone on the system display user and group names that match the global zone's name services. These global zone names might be different from the names configured in name services in the non-global zones.

The ps command has the following modifications for zones:

  • The -o option is used to specify output format. This option allows you to print the zone ID of a process or the name of the zone in which the process is running.

  • The -z zonelist option is used to list only processes in the specified zones. Zones can be specified either by zone name or by zone ID. This option is only useful when the command is executed in the global zone.

  • The -Z option is used to print the name of the zone associated with the process. The name is printed under the column heading ZONE.

For more information, see the ps(1) man page.

A -z zonename option has been added to the following Oracle Solaris utilities. You can use this option to filter the information to include only the zone or zones specified.

  • ipcs -z zonename – See the ipcs(1) man page

  • pgrep -z zonename – See the pgrep(1) man page

  • ptree -z zonename – See the proc(1) man page

  • prstat -z zonename – See the prstat(8) man page

For the full list of changes made to commands, see Commands With Modifications for Zones.

Reporting Active Zone Statistics With the zonestat Utility

To use the zonestat utility, see the zonestat(1) man page and Reporting Resource Usage in a Non-Global Zone.

The zonestat utility reports on the CPU, memory, and resource control utilization of the currently running zones. The zonestat utility prints a series of reports at specified intervals. Optionally, the utility can print one or more summary reports.

The zonestat utility also reports on network bandwidth utilization in exclusive-IP zones. An exclusive-IP zone has its own IP-related state and one or more dedicated datalinks.

When run from within a non-global zone, only processor sets visible to that zone are reported. The non-global zone output will include all of the memory resources and the limits resource.

The zonestat service in the global zone must be online to use the zonestat service in the non-global zones. The zonestat service in each non-global zone reads system configuration and utilization data from the zonestat service in the global zone.

The zonestatd system daemon is started during system boot. The daemon monitors the utilization of system resources by zones, as well as zone and system configuration information such as psrset processor sets, pool processor sets, and resource control settings. There are no configurable components.

Monitoring Non-Global Zones With the fsstat Utility

The fsstat utility collects and prints kstats per zone, including aggregations. By default, the utility reports an aggregate of all running zones. A per-fstype kstat is produced for each zone. The global zone kstat reports its exclusive activity. The global zone can see the kstats of all zones on the system. Non-global zones only see the kstats associated with the zone in which the utility is run. A non-global zone cannot monitor file system activity in other zones.

For more information, see the fsstat(8) man page and Reporting Per-Zone File System Statistics.

Running DTrace in a Non-Global Zone

DTrace programs that require only the dtrace_proc and dtrace_user privileges can be run in a non-global zone. To add these privileges to the set of privileges available in the non-global zone, set the zone's limitpriv property, as shown in Example 35, Adding DTrace Privileges to a Non-Global Zone.

DTrace supports the providers fasttrap and pid through dtrace_proc. The providers supported through dtrace_user are profile and syscall. DTrace providers and actions operate only within the zone.

Core Files in Zones

The coreadm command is used to specify the name and location of core files produced by abnormally terminating processes. Core file paths that include the zonename of the zone in which the process executed can be produced by specifying the %z variable. The path name is relative to a zone's root directory.

For more information, see the coreadm(8) and core(5) man pages.

Non-Global Zone Node Name

The node name is the local source for the system name. The node name must be unique, such as the zone name. The zone node name can be set by the zone administrator. For example, set the zone name in the global zone:

$ hostname kzone1

To display the hostname, type the hostname command without an argument. For example:

$ hostname
kzone1