On Tue 12 Dec 2006 at 06:30PM, Steffen Weiberle wrote:
> Jerry Jelinek wrote On 12/12/06 16:54,:
> >Steffen Weiberle wrote:
> >
> >>Is it safe to generalize that non-LOFS file systems in Solaris 10 do 
> >>not allow cross-zone interaction? procfs does not. namefs does not. 
> >>tmpfs does not. sockfs does not. doors does not. What about all the 
> >>others (I can't even name them all)?
> >
> >Steffen,
> >
> >One issue to be aware of with tmpfs is that a zone can consume all
> >of your swap space.  This is not a communication issue per se
> >but is a cross-zone issue if the zone is compromised.  We are solving
> >this with the new zone.max-swap rctl described here:
> >
> >http://www.opensolaris.org/os/community/arc/caselog/2006/598/
> >
> >This new rctl is part of the overall zones/rm improvement project
> >we have been working on for a while now.
> 
> Thanks, Jerry! I am waiting with open arms :) for this, and memory sets, 
> and swap sets, and IP instances! Oh, and CPU caps.
> 
> Wait, does this replace swap sets? Or is this a control to limit shared 
> swap only? Maybe I can update that bullet item in my presentations!!
> 
> So, in addition to security concerns, this customer was also asking about 
> DoS prevention or minimization, and these will all contribute to that 
> ability.


Probably you should review the duckhorn documentation (all of which has
been forwarded to zones-discuss, and which is also available here:
http://www.opensolaris.org/os/community/zones/zones_design_docs) and our
Dec 4 KTD, the slides of which are at http://ktd.eng/.


Daniel Price - Solaris Kernel Engineering - [EMAIL PROTECTED] - blogs.sun.com/dp
zones-discuss mailing list
