Re: [zones-discuss] non global zone memory allocation enquiry

2008-08-22 Thread Joseph Maina



Try: prstat -Z

-Joe


On 08/21/08 01:29, Gauss Tang - Sun Microsystems wrote:
 Dear Expert,

 We can check the zone memory allocation via command

 zonecfg -z zonename info

 capped-memory:
 physical: 256M

 But how to check this info after logging in to the zone?

 Thanks in advance.

 Regards,
 Gauss

   


-- 
Joe Maina    Sun MicroSystems
1 Network Drive Sun Enterprise Services
Network/N1 Grid Team
UBUR04-206
Burlington,Ma 01803-0904   Phone: 1-800-USA-4SUN
[EMAIL PROTECTED]

   `The trouble with the future is that it arrives before we're ready for it.' 

   - Arnold Glasow 


___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] non global zone memory allocation enquiry

2008-08-22 Thread Jafar Shameem


Thanks for that command. I was looking for a way to find this as well.

I tried kstat, prtconf and got the same output from the local and global 
zone (even after local zone was capped for memory). Is this going to be 
changed or is this expected?




Joseph Maina wrote:


Try: prstat -Z

-Joe


On 08/21/08 01:29, Gauss Tang - Sun Microsystems wrote:
  

Dear Expert,

We can check the zone memory allocation via command

zonecfg -z zonename info

capped-memory:
physical: 256M

But how to check this info after logging in to the zone?

Thanks in advance.

Regards,
Gauss

  




  

Re: [zones-discuss] [smf-discuss] recommended dependency for non-system services? 6725004 - installing single-user-mode patches automatically

2008-08-22 Thread Liane Praza
Nils Goroll wrote:
 Hi Jordan,
 
 Jordan Brown wrote:
 I suggest to introduce an additional milestone (e.g. milestone/ready) 
 with optional dependencies on all system services, roughly matching 
 the time when rc3 is run.
   [...]
 I believe that the point you describe pretty much corresponds to 
 milestone/multi-user.
 
 Agree, I should have thought twice.
 
 But what about the idea of making a dependency to multi-user obligatory for 
 non-system apps?

A few problems:

1) The ship has sailed.  There are plenty of apps out there which don't 
have that dependency and we cannot retroactively make requirements of 
them.  The solution would fail in the face of that.

2) We want applications to declare accurate dependencies when possible 
to increase boot performance (especially on multi-core systems), and 
fault handling.  This would be a step in the opposite direction -- I 
recommend a milestone dependency when a service author needs either an 
expedient solution or they don't understand the application's 
dependencies.  But, it isn't preferred.

And again, none of this is a concern with IPS, so I don't want to 
enforce user-visible changes now for a solution that has a guaranteed 
limited shelf-life.  Jordan has explored some solutions which do not 
require changing administrator or service author behaviour, and those 
are far preferable.

liane


Re: [zones-discuss] non global zone memory allocation enquiry

2008-08-22 Thread Gauss Tang - Sun Microsystems
Dear Joseph,

Thanks for your help.

prstat -Z can not tell us the value of capped-memory.

:)

Joseph Maina wrote:

 Try: prstat -Z

 -Joe


 On 08/21/08 01:29, Gauss Tang - Sun Microsystems wrote:
   
 Dear Expert,

 We can check the zone memory allocation via command

 zonecfg -z zonename info

 capped-memory:
 physical: 256M

 But how to check this info after logging in to the zone?

 Thanks in advance.

 Regards,
 Gauss

   
 


   


Re: [zones-discuss] non global zone memory allocation enquiry

2008-08-22 Thread Ihsan Zaghmouth
Use rcapstat

Sent from my iPhone

On Aug 22, 2008, at 10:15 AM, Gauss Tang - Sun Microsystems [EMAIL PROTECTED] 
  wrote:

 Dear Joseph,

 Thanks for your help.

 prstat -Z can not tell us the value of capped-memory.

 :)

 Joseph Maina wrote:

 Try: prstat -Z

 -Joe


 On 08/21/08 01:29, Gauss Tang - Sun Microsystems wrote:

 Dear Expert,

 We can check the zone memory allocation via command

 zonecfg -z zonename info

 capped-memory:
 physical: 256M

 But how to check this info after logging in to the zone?

 Thanks in advance.

 Regards,
 Gauss








[zones-discuss] file system access from global zone

2008-08-22 Thread Jordan Brown
bart(1M) says about its -R option:

  Note -  The root file system  of  any  non-global  zones
  must not be referenced with the -R option. Doing
  so might damage the global zone's  file  system,
  might  compromise  the  security  of  the global
  zone, and might  damage  the  non-global  zone's
  file system. See zones(5).

Why?


Re: [zones-discuss] file system access from global zone

2008-08-22 Thread Jordan Brown
Jerry Jelinek wrote:
 Jordan Brown wrote:
 bart(1M) says about its -R option:

   Note -  The root file system  of  any  non-global  zones
   must not be referenced with the -R option. Doing
   so might damage the global zone's  file  system,
   might  compromise  the  security  of  the global
   zone, and might  damage  the  non-global  zone's
   file system. See zones(5).

 Why?
 
 
 Accessing a ngz fs from the gz is always dangerous since
 a hostile ngz root admin can make changes which
 refer to the gz, if you are looking at the fs from the
 gz.  If you are only reading and don't care
 if you are reading the wrong stuff, it is not a
 big deal.  You should never write and attempt to
 change anything when running in the gz and reaching
 into the ngz hierarchy.  E.g. editing {zonepath}/etc/passwd
 could be made to refer to gz /etc/passwd with a simple
 symlink.

That makes sense, but the statement in the man page seems far too strong 
for this situation... how many zones configurations involve potentially 
malicious local zone administrators?  I know mine never do.

The caveats that you suggest seem along the lines of the usual caveats 
about administrators working with files that are not trusted, applicable 
in almost any environment.

Thanks for the info.


Re: [zones-discuss] file system access from global zone

2008-08-22 Thread Jerry Jelinek
Jordan Brown wrote:
 Jerry Jelinek wrote:
 Jordan Brown wrote:
 bart(1M) says about its -R option:

   Note -  The root file system  of  any  non-global  zones
   must not be referenced with the -R option. Doing
   so might damage the global zone's  file  system,
   might  compromise  the  security  of  the global
   zone, and might  damage  the  non-global  zone's
   file system. See zones(5).

 Why?


 Accessing a ngz fs from the gz is always dangerous since
 a hostile ngz root admin can make changes which
 refer to the gz, if you are looking at the fs from the
 gz.  If you are only reading and don't care
 if you are reading the wrong stuff, it is not a
 big deal.  You should never write and attempt to
 change anything when running in the gz and reaching
 into the ngz hierarchy.  E.g. editing {zonepath}/etc/passwd
 could be made to refer to gz /etc/passwd with a simple
 symlink.
 
 That makes sense, but the statement in the man page seems far too strong 
 for this situation... how many zones configurations involve potentially 
 malicious local zone administrators?  I know mine never do.
 
 The caveats that you suggest seem along the lines of the usual caveats 
 about administrators working with files that are not trusted, applicable 
 in almost any environment.

I think the problem is that people tend to think of the zone as
a self-contained security boundary where any malicious activity by a zone
admin will be contained.  Conversely, they also tend to think that they can
do arbitrary administrative tasks on that zone file system without logging
into the zone.  After all, the file system is just right there.  That
is an easy mistake to make, since you only have containment inside
the zone.

Jerry
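The symlink case described in the thread above ({zonepath}/etc/passwd made to refer to the global zone's /etc/passwd), as an added example that is not part of the original messages: it contrasts plain path access from the global zone with a component-by-component open that refuses symlinks. The names `open_in_zone` and `demo` are hypothetical, and a temporary directory with a constructed file stands in for a real zonepath and the global zone's /etc/passwd.

```python
import os
import tempfile

def open_in_zone(zone_root, rel_path, flags=os.O_RDONLY):
    """Open rel_path below zone_root, refusing every symlink on the way.

    Each component is opened relative to the previous directory descriptor
    with O_NOFOLLOW, so a link planted inside the zone raises OSError instead
    of redirecting the global-zone process to another file.
    """
    parts = [p for p in rel_path.split("/") if p]
    if not parts or ".." in parts:
        raise ValueError("rel_path must name a file below the zone root")
    dir_fd = os.open(zone_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed layout: a stand-in global-zone file beside a fake zone root."""
    with tempfile.TemporaryDirectory() as top:
        gz_passwd = os.path.join(top, "gz_passwd")
        with open(gz_passwd, "w") as f:
            f.write("root:x:0:0:global\n")
        zone_root = os.path.join(top, "zone1", "root")
        os.makedirs(os.path.join(zone_root, "etc"))
        with open(os.path.join(zone_root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        # The case from the thread: a zone file that is really a link outward.
        os.symlink(gz_passwd, os.path.join(zone_root, "etc", "passwd"))
        with open(os.path.join(zone_root, "etc", "passwd")) as f:
            naive = f.read()          # plain path access follows the link
        try:
            os.close(open_in_zone(zone_root, "etc/passwd"))
            refused = False
        except OSError:
            refused = True            # O_NOFOLLOW rejected the link
        with os.fdopen(open_in_zone(zone_root, "etc/hosts")) as f:
            regular = f.read()        # ordinary zone files still open
        return naive, refused, regular

if __name__ == "__main__":
    print(demo())
```

The symlink check and the open are the same system call, so there is no window between validating a path component and using it.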