All, I am running into a little challenge with SMF and privileges and wanted to get your opinion. The NTP service normally requires the following privileges:

basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,proc_priocntl,sys_resource,sys_time

By default, Solaris zones do not provide proc_priocntl and sys_time. If you want NTP to set the system clock you need sys_time and likely proc_priocntl, but there are cases when you may want to run NTP in a non-global zone and not set the system clock. This should not be a problem, except that today, if you specify the above privilege list as part of NTP's start/privileges method, the service fails to start as a result of a setppriv error, since the sys_time and proc_priocntl privileges are not available. Ideally, the application should decide whether or not it can run with the privileges it is given, not SMF. In this case, the application would happily run, but SMF never starts it because the privileges as defined do not all exist in the zone.

My question:

1. What are your thoughts on a concept of start/optional_privileges? or
2. Only passing to the start method the intersection of start/privileges with the "max" privileges available to SMF ("all" in GZ or "zone" in NGZ) and then just allowing the application to decide if it can run.

I am sure start/limit_privileges needs to be figured in as well. Honestly, I think I prefer the second method, but wanted to get your feedback. This is a problem since otherwise you would need two different manifests, or at least instances, one for GZ and one for NGZ, which is architecturally inelegant.

Lastly, is anyone aware of other services such as NTP where this issue would arise?

g
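As an added example (not part of the original post or of SMF), a small POSIX shell script that shows what option 2 would hand to the start method: the intersection of the NTP start/privileges string with a zone's available privileges, plus the entries that would be dropped. The zone privilege lists are constructed samples, not output from a real system.

```sh
#!/bin/sh
# Added example, not from the original post: compute the intersection of an
# SMF start/privileges specification with the privileges a zone actually has
# ("option 2" in the post). The zone sets below are constructed samples; on a
# real Solaris system the current zone's set is listed with "ppriv -l zone".

# The NTP privilege specification quoted in the post.
NTP_PRIVS='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,proc_priocntl,sys_resource,sys_time'

# Constructed sample sets (space separated): the non-global zone lacks
# proc_priocntl and sys_time, as the post says; the global zone has them.
NGZ_PRIVS='file_link_any proc_exec proc_fork proc_info proc_session net_privaddr proc_lock_memory sys_resource'
GZ_PRIVS="$NGZ_PRIVS proc_priocntl sys_time"

# priv_passes PRIV AVAILABLE: succeed if PRIV may stay in the specification.
# Set names (basic, all, zone, none) and "!priv" negations only remove
# privileges from a set, so they are always kept; a named privilege is kept
# only when it occurs in AVAILABLE.
priv_passes() {
    case $1 in
        basic|all|zone|none|!*) return 0 ;;
    esac
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# filter_privs KEEP SPEC AVAILABLE: print the comma-separated entries of SPEC
# that pass (KEEP=1) or that would be dropped (KEEP=0).
filter_privs() {
    keep=$1 out=''
    oldifs=$IFS; IFS=,
    for p in $2; do
        if priv_passes "$p" "$3"; then ok=1; else ok=0; fi
        if [ "$ok" -eq "$keep" ]; then out=${out:+$out,}$p; fi
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

intersect_privs() { filter_privs 1 "$1" "$2"; }
dropped_privs()   { filter_privs 0 "$1" "$2"; }

echo "NGZ would receive: $(intersect_privs "$NTP_PRIVS" "$NGZ_PRIVS")"
echo "NGZ would lack:    $(dropped_privs "$NTP_PRIVS" "$NGZ_PRIVS")"
echo "GZ would receive:  $(intersect_privs "$NTP_PRIVS" "$GZ_PRIVS")"
```

In the non-global zone the application would be started without proc_priocntl and sys_time and could then decide for itself whether it can run without setting the clock.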