On Tue 12 Dec 2006 at 06:30PM, Steffen Weiberle wrote:
> Jerry Jelinek wrote On 12/12/06 16:54,:
> >Steffen Weiberle wrote:
> >
> >>Is it safe to generalize that non-LOFS file systems in Solaris 10 do
> >>not allow cross-zone interaction? procfs does not. namefs does not.
> >>tmpfs does not. sockfs does not. doors does not. What about all the
> >>others (I can't even name them all)?
> >
> >Steffen,
> >
> >One issue to be aware of with tmpfs is that a zone can consume all
> >of your swap space. This is not a communication issue per se
> >but is a cross-zone issue if the zone is compromised. We are solving
> >this with the new zone.max-swap rctl described here:
> >
> >http://www.opensolaris.org/os/community/arc/caselog/2006/598/
> >
> >This new rctl is part of the overall zones/rm improvement project
> >we have been working on for a while now.
>
> Thanks, Jerry! I am waiting with open arms :) for this, and memory sets,
> and swap sets, and IP instances! Oh, and CPU caps.
>
> Wait, does this replace swap sets? Or is this a control to limit shared
> swap only? Maybe I can update that bullet item in my presentations!!
>
> So, in addition to security concerns, this customer was also asking about
> DoS prevention or minimization, and these will all contribute to that
> ability.

Steffen,

Probably you should review the duckhorn documentation (all of which has
been forwarded to zones-discuss, and which are also available here:
http://www.opensolaris.org/os/community/zones/zones_design_docs) and our
Dec 4 KTD, the slides of which are at http://ktd.eng/.

        -dp

--
Daniel Price - Solaris Kernel Engineering - [EMAIL PROTECTED] - blogs.sun.com/dp