Hey Darren,
Thanks for reviewing this. Responses in-line below.
Darren J Moffat wrote:
DJM-1 zonestatd
What is the SMF method script used to start zonestatd ? ie what
uid/gid and privileges does it run with ?
/lib/svc/method/svc-zstat
I'll add that to the interface table.
It runs as uid/gid 0. I'll work out which privileges are needed so I
can drop the rest.
What is the RBAC authorisation used for managing the SMF service state
and the config value changes ?
I should use solaris.zones.manage
DJM-2 what method is used to ensure that zonestatd doesn't return
information about other ngz's when zonestat is run from an ngz ?
The zoneid from the door cred.
DJM-3 Can zonestat(1) run as an normal user (ie with no privileges
other than basic and no additional RBAC authorisations other than
those granted by Basic Solaris User) ? If so is there any information
that user can get that they can't through existing commands ?
It can be run as a basic user. The aggregated process cpu data requires
privilege to enable, and potentially privilege to fetch depending on the
permissions of the accounting file. The basic user cannot get access to
the individual accounting records, but only the aggregated totals by zone.
Today basic users can get /proc cpu usage data, which is basically the
same, but only for currently running processes.
Sounds like perhaps I should require all zonestat clients to have
PRIV_PROC_INFO, as without such privilege, similar tools like prstat
would not function.
The memory data is available via kstats and private system calls that
require no extra privilege. The private system calls are used by prstat
-Z and swap -s. I don't see any basic privileges governing kstat access.
DJM-4 I assume this works in a TX zone configuration
Yes.
DJM-5 I don't see how the FMRI can be Consolidation Private if the
config/sample_internal is Committed.
Good point. Since I support disabling of the smf service (in which
zonestat command does not work but fails gracefully), perhaps I should
make the smf service committed. I'm not sure what Committed on a
service means.
--
Darren J Moffat
_______________________________________________
opensolaris-arc mailing list
opensolaris-arc@opensolaris.org
