Re: [zones-discuss] Run user script when start zone
With Solaris 11 vnics, each zone can be excl-IP and share an adapter. Each of those zones controls its vnic, not the NIC.

--JeffV

Sent from my mobile device

On Mar 24, 2012, at 7:22 AM, skeletor wrote:

> 23.03.2012 11:23, Ian Collins wrote:
>>
>> For what you are trying to do, exclusive IP is the best option.
>>
>
> I have only 1 network adapter.

___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Has the restriction on sharing from a zone been removed yet?
On Thu, Sep 29, 2011 at 4:45 PM, Nico Williams wrote:

> On Thu, Sep 29, 2011 at 3:28 PM, Jeff Victor wrote:
> > The general rule is "convince product management that there is a business
> > reason to invest the engineer(s) and it will get done."
>
> IMO, for backports, the bar should be much higher.

Yes. I intended to say "sufficient business reason" to cover all that. My bad.

--JeffV

> The vendor should
> compute the cost of the backport *including* the cost of opportunity,
> and including the further cost of opportunity involved in encouraging
> more backports by the mere fact of having done one backport (if the
> customer believes they can put off upgrading forever then the pressure
> to backport more and more features will rise). If the value of doing
> the backport *significantly* exceeds that cost, then, sure, do the
> backport.
>
> The cost of backporting complex features, particularly ones that have
> wide ramifications, and particularly when the backport is to Solaris
> 10, with its awful patching mechanisms, is best understood as
> astronomical. A backport of Zoned NFS server should be considered as
> in the high 7 $ figure range, if not higher still -- after all, how do
> you estimate the forgone value of talented engineers working on
> innovative new features??
>
> Just say no to backports. Pressure the ISVs instead to re-certify
> their apps. Legacy costs the customer a lot also -- there's enormous,
> typically unaccounted-for costs in legacy.
>
> Nico
> --
Re: [zones-discuss] Has the restriction on sharing from a zone been removed yet?
On Thu, Sep 29, 2011 at 3:57 PM, Ian Collins wrote:

> On 09/30/11 03:01 AM, Edward Pilatowicz wrote:
>
>> On Thu, Sep 29, 2011 at 04:57:12PM +1300, Ian Collins wrote:
>>
>>> On 09/29/11 09:50 AM, Edward Pilatowicz wrote:
>>> nfs server is now supported in a zone on s11. smb server is not.
>>> OK, thanks Ed.
>>>
>>> I thought the original ARC case for PRIV_SYS_SHARE would have enabled
>>> both?
>>>
>>> it's not just a matter of enabling privs. there was a lot of work that
>> went into enabling nfs that would also have to be done for smb.
>>
>> Fair enough. Although I was really looking forward to dropping Samba!
>

The general rule is "convince product management that there is a business reason to invest the engineer(s) and it will get done."

I hope that someday zones can be CIFS servers. In the mean time, the global zone can be a CIFS server. That means you can implement stable, scalable CIFS servers - if you use Solaris! ;-)

--JeffV
Re: [zones-discuss] psets for zones
Also, using method (2), you have told the Solaris kernel that it can move CPUs out of pset1 if another pset needs them.

--JeffV

On Thu, Mar 10, 2011 at 2:35 PM, Christian Meier wrote:

> Hello,
>
> also have a look at the pset.load value. As long as the load is higher
> than the pset.max the pset.size will not be under 5
> expect you have an other pool with a higher importance.
> As soon as the load is coming under 5 the cpu's will be assigned to an
> other pool or pool_default
>
>>> pset pset1
>>> int pset.sys_id 1
>>> boolean pset.default false
>>> uint pset.min 1
>>> uint pset.max 5
>>> string pset.units population
>>> uint pset.load 10
>>> uint pset.size 5
>>> string pset.comment
>
> Regards
> Christian
Re: [zones-discuss] Zone Resource Management Issue.
On Dec 15, 2010, at 1:18 AM, Ketan wrote:

> B'coz .. the application user is telling that they are receiving memory
> related errors

What are the error messages?

> and its responding too slow and the RSS column for that particular zone is
> pretty high around 13G as compared to locked memory usage in kstat o/p

Older versions of some memory-measurement tools counted shared memory multiple times: once for each process that was using the shmem. That might explain the report of 13G.

--JeffV
Re: [zones-discuss] ON SMB/NFS server support for non-global zones
On Sun, Dec 5, 2010 at 5:26 PM, Fabian R. Breschi wrote:

>> A bit more clarity on that caution is due - this only applies to an
>> NFS mount from the global zone on which the non-global zone is
>> running. Further, I thought that this was an interaction between UFS
>> and NFS that could cause a problem and that the NFS share was coming
>> from ZFS the problem didn't exist.
>
> I'm totally using ZFS allocation with no involvement at all for UFS, so I
> guess that the idea of achieving a share using the global-zone as the server
> including the non-global zone dir it can be valid anyway?

Yes, you can use NFS to share a directory from the global zone to other systems, *and* use LOFS to mount that same directory into a zone on the same system as the global zone.

--JeffV
Re: [zones-discuss] How secure are zones? Hackers?
Orvar,

The document http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf may give you a better understanding of the security capabilities of Solaris Zones.

--JeffV

On Tue, Nov 30, 2010 at 8:48 AM, Orvar Korvar wrote:

> I am thinking if it is safer to reach the outside world internet, via a Zone.
> Will this add additional security, with respect to the global zone?
>
> I think this is an interesting question?
Re: [zones-discuss] Zones zone.max-shm-memory setting.
Back to the original question (locked-shm-memory on servers):

If you are running multiple applications on a server, and at least one of them uses shared memory, you should consider using max-shm-memory or max-locked-memory for the zone that will use shared memory.

Any memory that a process locks down cannot be paged out. That helps performance of the application, but reduces the amount of memory that can be paged out. If the amount that can be paged out is too small, Solaris cannot run as intended, and performance of all of the system's workloads will suffer.

Some forms of shared memory (e.g. ISM) automatically lock those memory pages. Other forms (e.g. DISM) allow the process to lock the shared memory.

If you don't set a cap on shared memory or locked memory, the zone might lock a significant portion of the system's RAM, leaving very little that can be paged out if there isn't enough RAM for all of the zones. In that situation, performance of all of the other zones will suffer greatly, perhaps making them unusable. Performance of the zone using shared memory may also be impacted.

However, if you set a shared memory cap on a zone that uses shared memory, and you set it too low, performance of that zone will suffer, or the application will fail. It is important to know how much memory your applications will lock - if they lock any.

To determine how much memory a zone's processes lock, first find the zone's current ID number:

    GZ# zoneadm list -cv
      ID NAME ...
       0 global ...
       1 myzone ...

Then use that number with the kstat command:

    GZ# kstat 'caps:1:lockedmem_zone_1:usage'
    module: caps ...
    name: lockedmem_zone_1 ...
    usage: 4096

--JeffV

On Mon, Nov 29, 2010 at 2:23 PM, Enda O'Connor wrote:

> Hi
> Locked memory is typically used by oracle database, ie ISM/DISM segments
> etc, not likely to be used on desktop, apps that use shared memory tend to
> try and pin it in memory to give max performance.
> I wouldn't think a desktop would need this typically.
>
> De
> On 29/11/2010 19:16, Jordan Vaughan wrote:
>>
>> "Locked memory" is the same as "pinned memory": In other words, pages
>> that won't be paged to disk. Applications can request that pages be
>> "locked" into memory. The pager won't page locked pages to disk.
>>
>> Regarding an "appropriate value for desktop usage": It depends on what
>> kinds of applications you're using. Most applications don't use
>> locked/pinned pages. I don't set this property on my desktop, but you
>> could set it to a small value. (0M?)
>>
>> Jordan
>>
>> On 11/27/10 01:15 PM, Orvar Korvar wrote:
>>>
>>> At the same time, I would like to ask exactly what is "locked" RAM?
>>> How much is an appropriate value for desktop usage? 2GB?
>>>
>>> add capped-memory
>>> set locked=2GB
>>> end
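The zone-ID lookup and kstat query from the reply above, wrapped in a script that also compares the result with a byte budget. This is an added example, not part of the original thread; it assumes the parsable output forms `zoneadm list -cp` and `kstat -p`, and the function names, the budget argument and the sample data are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report a zone's locked memory using the
# zoneadm + kstat steps described above. Function names are illustrative.

# Constructed sample of `zoneadm list -cp` output
# (colon-separated: id:name:state:path:uuid:brand:ip-type).
# A zone that is not running has "-" in the id field.
SAMPLE_ZONES='0:global:running:/::native:shared
1:myzone:running:/zones/myzone::native:shared
-:testzone:installed:/zones/testzone::native:shared'

# Constructed sample of `kstat -p caps:1:lockedmem_zone_1:usage` output
# (statistic name, whitespace, value).
SAMPLE_KSTAT='caps:1:lockedmem_zone_1:usage 4096'

# zone_id NAME < zoneadm-list-output
# Prints the numeric ID of a running zone. Fails (status 1) when the zone is
# unknown or not running: the ID is assigned at boot, so there is nothing to
# query for a halted zone.
zone_id() {
    awk -F: -v z="$1" '
        $2 == z && $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# locked_bytes < kstat-p-output
# Prints the value of the lockedmem "usage" statistic, in bytes.
locked_bytes() {
    awk '
        $1 ~ /^caps:[0-9]+:lockedmem_zone_[0-9]+:usage$/ { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# over_budget USED LIMIT
# Succeeds (status 0) when USED is greater than LIMIT. awk does the comparison
# so that multi-gigabyte byte counts are not limited by shell integer width.
over_budget() {
    awk -v u="$1" -v l="$2" 'BEGIN { exit ((u + 0 > l + 0) ? 0 : 1) }'
}

# report_zone NAME LIMIT_BYTES
# Runs the real commands in the global zone. Returns 0 when the zone is within
# the budget, 1 when it is over, 2 when the zone or its kstat cannot be read.
report_zone() {
    id=$(zoneadm list -cp | zone_id "$1") || {
        echo "$1: zone is not running, no locked-memory kstat to read" >&2
        return 2
    }
    used=$(kstat -p "caps:${id}:lockedmem_zone_${id}:usage" | locked_bytes) || {
        echo "$1: no lockedmem usage statistic for zone id $id" >&2
        return 2
    }
    echo "$1 (id $id): $used bytes locked"
    if over_budget "$used" "$2"; then
        echo "$1: locked memory exceeds budget of $2 bytes"
        return 1
    fi
    return 0
}

# Only touch the system when called as: script ZONENAME LIMIT_BYTES
if [ "$#" -eq 2 ] && command -v zoneadm >/dev/null 2>&1; then
    report_zone "$1" "$2"
fi
```

Run it in the global zone as `sh script.sh myzone 2147483648` to check a zone against a 2 GB budget before choosing a locked-memory cap.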
Re: [zones-discuss] Possible to use zones for hardening? Security?
On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes wrote:

>> Limit the damage if the Zone's VBox application is somehow
>> subverted by the guest OS.
>
> There are VBox modules in the kernel and the containers framework
> can't stop misbehavior in kernelspace.

The use of kernel modules in VBox doesn't weaken the security of Zones. Other software accessible in a zone ultimately uses kernel modules. Gaining unfettered control over kernel space is the hard part. In any case, please see more detail below.

>> Beyond security, running VBox in a Zone allows you to make
>> use of Zone Resource Controls and Crossbow networking.
>> Cool stuff!
>
> No question about cool features. My concern is if running VBox in a
> local zone has any security advantage regarding an evil guest over
> running it in the global one. And if so, why?

Because all processes running in a zone run with a reduced privilege set, compared to processes running in the global zone. For example, a process in a zone cannot have the proc_zone privilege, so a process in one zone cannot send a signal to another process. Also, by default, a process in a zone does not have the sys_time privilege, so it cannot change the system's time clock. (The global zone administrator can give the sys_time privilege to one or more zones, after which they would be able to change the system's time clock.) See the man page privileges(5).

Is the security framework of Zones good enough? An independent security certification gave Solaris Trusted Extensions (which uses Zones to compartmentalize information) a rating of EAL4+ with three different profiles - the highest rating achieved by a general purpose operating system.

For more information on security and Solaris Zones, please read the paper "Understanding the Security Capabilities of Solaris Zones" written by Glenn Brunette and myself: http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf .

--JeffV
Re: [zones-discuss] lucreate failure call to zoneadmd failed
Hi Paul,

It looks like the ABE's copy of zone z01.nyc-sed3 can't be brought to the state it needs to be in, to continue LU processing.

Can the "real" zone z01.nyc-sed3 be booted? "zoneadm list..." shows it's not currently running. If it won't boot, try to address that problem first.

--JeffV

On Tue, Nov 2, 2010 at 4:50 PM, Paul Kraus wrote:

> I apologize for posting here, as this is not specifically an
> OpenSolaris issue, but I have a support case open and am not making
> any headway, and I need to complete the LU by the reboot window
> tomorrow night.
>
> - Solaris 10U8
> - Current LU and Pkg/Patch admin patches applied
> - One NG Zone on UFS
> - OS on UFS
> - About 300 ZFS datasets
> - Separate /, /var, /opt
>
> Any help or suggestions would be appreciated.
>
>> df -h -F ufs
> Filesystem        size  used  avail  capacity  Mounted on
> /dev/md/dsk/d7    9.6G  3.6G  5.9G   39%       /
> /dev/md/dsk/d6    5.8G  1.2G  4.5G   22%       /var
> /dev/md/dsk/d30   4.9G  1.8G  3.1G   38%       /zones
> /dev/md/dsk/d31   7.9G  1.8G  6.0G   24%       /export/home
> /dev/md/dsk/d32   4.9G  1.7G  3.2G   35%       /opt
>>
>
>> sudo lucreate -n 10U9 -m /:/dev/md/dsk/d0:ufs -m /var:/dev/md/dsk/d4:ufs -m /opt:/dev/md/dsk/d33:ufs
> Determining types of file systems supported
> Validating file system requests
> Preparing logical storage devices
> Preparing physical storage devices
> Configuring physical storage devices
> Configuring logical storage devices
> Analyzing system configuration.
> Comparing source boot environment file systems with the file
> system(s) you specified for the new boot environment. Determining which
> file systems should be in the new boot environment.
> Updating boot environment description database on all BEs.
> Updating system configuration files.
> The device is not a root device for
> any boot environment; cannot get BE ID.
> Creating configuration for boot environment <10U9>.
> Source boot environment is .
> Creating boot environment <10U9>.
> Creating file systems on boot environment <10U9>.
> Creating file system for in zone on .
> Creating file system for in zone on .
> Creating file system for in zone on .
> Mounting file systems for boot environment <10U9>.
> Calculating required sizes of file systems for boot
> environment <10U9>.
> Populating file systems on boot environment <10U9>.
> Checking selection integrity.
> Integrity check OK.
> Populating contents of mount point .
> Populating contents of mount point .
> Populating contents of mount point .
> Copying.
> Creating shared file system mount points.
> Copying root of zone to .
> Creating compare databases for boot environment <10U9>.
> Creating compare database for file system .
> Creating compare database for file system .
> Creating compare database for file system .
> Updating compare databases on boot environment <10U9>.
> Making boot environment <10U9> bootable.
> ERROR: unable to mount zones:
> zoneadm: zone 'z01.nyc-sed3': zone root /zones/01-10U9/root is
> reachable through /zones/01/root/.alt.tmp.b-M7b.mnt
> zoneadm: zone 'z01.nyc-sed3': call to zoneadmd failed
> ERROR: unable to mount zone in
> ERROR: unmounting partially mounted boot environment file systems
> ERROR: cannot mount boot environment by icf file
> ERROR: Unable to remount ABE <10U9>: cannot make ABE bootable
> ERROR: no boot environment is mounted on root device
> Making the ABE <10U9> bootable FAILED.
> ERROR: Unable to make boot environment <10U9> bootable.
> ERROR: Unable to populate file systems on boot environment <10U9>.
> ERROR: Cannot make file systems for boot environment <10U9>.
>>
>
>> zoneadm list -icv
> ID NAME STATUS PATH BRAND IP
> 0 global running / native shared
> 1 z01.nyc- running /zones/01 native shared
>>
>
>> sudo lustatus
> Boot Environment Is Active Active Can Copy
> Name Complete Now On Reboot Delete Status
> -- -- - -- --
> u8 yes yes yes no -
> 10U9 no no no yes -
>>
>
> --
Re: [zones-discuss] Possible to use zones for hardening? Security?
On Sun, Sep 26, 2010 at 5:03 PM, Orvar Korvar wrote:

> Ok, so I shut down e1000g0 which means my global zone can not access
> internet. The local zone will have e1000g0:1 which I do not shut down, which
> means the local zone can access internet. Correct?
>
> But, if we look at this picture
> http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris
> I see a virtual switch in the middle. I dont really understand the purpose of
> the virtual switch in the middle. What is it for?

It is a feature in Project Crossbow. In one sense, it is the mechanism by which several entities (e.g. several zones) share a physical NIC. In other words, vSwitches connect vNICs to a physical NIC.

> Should I also have a vswitch in the middle? And connect all local zones to
> the vswitch?

That depends on your goals. Unless you have more NICs than zones, you will need at least one vSwitch.

--JeffV
Re: [zones-discuss] Possible to use zones for hardening? Security?
If you configure a zone to use the exclusive-IP feature, the global zone will not be able to use the zone's network interfaces. See the zonecfg(1M) man page.

On Sat, Sep 25, 2010 at 6:23 AM, Orvar Korvar wrote:

> I am a home user with a PC and two SunRay2.
>
> I wonder if it is possible to shut down all internet connections to my global
> zone, and create a zone with VirtualBox to reach internet?
>
> 1) global zone: no internet connection
> 2) zone: virtualbox + Win7 to surf the web, for me
> 3) zone: virtualbox + Win7 to surf the web, for my girlfriend
>
> I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later
> (which will have Crossbow I assume)
> --
> This message posted from opensolaris.org

--JeffV
Re: [zones-discuss] confusing zone login processes
What is 3386? Is it the zone's init?

Just a guess: Zone users are not allowed to learn of pids outside of the zone.

--JeffV

Sent from my Tricorder

On Jun 2, 2010, at 3:30 AM, "Frank Batschulat (Home)" wrote:

just noticed something strange, perhaps someone has an explanation ?

after booting a zone and login to that:

    osoldev.batschul./export/home/techdocs/solaris_kernel/zones.=> pfexec zoneadm -z zone2 boot
    osoldev.batschul./export/home/techdocs/solaris_kernel/zones.=> ps -eafd -Z | grep login
    global batschul 3821 993 0 07:59:32 pts/3 0:00 grep login
    global root 2301 1750 0 07:43:19 pts/5 0:00 zlogin -C zone2

now login to the zone:

    osoldev.batschul./export/home/batschul.=> pfexec zlogin zone2
    [Connected to zone 'zone2' pts/6]
    Last login: Wed Jun 2 07:52:29 on pts/6
    Oracle Corporation SunOS 5.11 snv_140 May 2010

from the NGZ I see:

    r...@zone2:~# ps -eafd|grep login
    root 3823 3386 0 07:59:39 pts/6 0:00 /usr/bin/login -z global -f root
    root 3836 3824 0 08:00:30 pts/6 0:00 grep login

from the GZ I see:

    osoldev.batschul./export/home/techdocs/solaris_kernel/zones.=> ps -eafd -Z | grep login
    global root 3822 975 0 07:59:39 pts/2 0:00 zlogin zone2
    zone2 root 3823 3822 0 07:59:39 ?? 0:00 /usr/bin/login -z global -f root
    global root 2301 1750 0 07:43:19 pts/5 0:00 zlogin -C zone2
    global batschul 3831 993 0 07:59:43 pts/3 0:00 grep login

hugh? where does it got that from ?

    zone2 root 3823 3822 0 07:59:39 ?? 0:00 /usr/bin/login -z global -f root

this only happens when I use pfexec zlogin zone2, it does not happen when logging in on the console ie. pfexec zlogin -C zone2

thanks
frankB
Re: [zones-discuss] Possible bug in zonemgr.2.0.6
That suggestion would be an improvement, but implies that any value greater than 1 must be an integer, which isn't true.

--JeffV

Sent from my Tricorder

On Apr 28, 2010, at 5:14 AM, Loïc Mahé wrote:

The comment for capped-cpu is wrong since this parameter doesn't accept ranges :

    resource = cpu
    The cpu resource type specifies the upper limit (cap) by number (or range) of CPUs for this zone. Valid arguments for this resource type include the following:
    Maximum number: 3
    Range: 2-4

should be instead :

    resource = cpu
    The cpu resource type specifies the upper limit (cap) by number CPUs for this zone. Valid arguments for this resource type specify an integer up to the total number of CPUs on the system, but can also less than 1, representing a fraction of a cpu.
Re: [zones-discuss] Use Zones/Containers or VirtualBox for application?
On Wed, Jan 6, 2010 at 8:51 AM, David Browning wrote:

> I built an Opensolaris media server and backup machine for my local network.
>
> At some point I would like to add ampache to my setup. If you are not
> familiar, it is a media server that will stream audio/video to client devices
> over the internet.
>
> Obviously this requires that this application be exposed to the big bad
> world. So I would like to isolate this program as much as possible. I'm
> hoping to leverage other's experience and knowledge to figure out which would
> be the best way/approach to do this, so I'm not spinning my wheels down the
> wrong path.

David,

You might want to read http://blogs.sun.com/JeffV/entry/shrink_wrap_security1 and http://blogs.sun.com/JeffV/entry/zones_security, which also points to a Sun BluePrint I co-authored. The blog and BP discuss methods to harden zones, including preventing an intruder from modifying the OS, i.e. leaving a Trojan horse behind, and applying resource controls to minimize DoS attacks.

It's even possible to do both: Zones on VBox, or VBox in a zone: http://blogs.sun.com/JeffV/entry/layered_virtualization .

--JeffV
Principal Field Technologist
Sun Microsystems, Inc.
Re: [zones-discuss] Any way to limit I/O?
On Tue, Dec 22, 2009 at 6:12 PM, andrew wrote:

> Is there any way to limit the amount of I/O that a zone can do? I'm thinking
> particularly of disk IOPS, but a general way of limiting I/O would be fine
> too.

You can limit network I/O using features of Project Crossbow. It's fully described at http://opensolaris.org .

--JeffV
Principal Field Technologist
Sun Microsystems, Inc.
Re: [zones-discuss] Application leaking on local zone
It would be useful to know if the memory leak is in locked memory or not. What is the output of the following command, in both cases (app in GZ, app in a zone):

    GZ# pmap -x

--JeffV

On Thu, Dec 17, 2009 at 5:09 AM, AdinaKalin wrote:

> Hello,
>
> I'm struggling with the following problem and I have no idea how to
> solve it.
> I'm testing an application which is running fine on a global zone, but
> memory leaking when installed on a local zone.
>
> The local zone has its whole root and a very simple, basic configuration:
> bash-3.00# zonecfg -z mdmMDMzone
> zonecfg:mdmMDMzone> info
> zonename: mdmMDMzone
> zonepath: /mdmMDMzone
> brand: native
> autoboot: true
> bootargs:
> pool:
> limitpriv: default,dtrace_proc,dtrace_user,proc_priocntl,proc_lock_memory
> scheduling-class: FSS
> ip-type: shared
> net:
>     address: 192.168.109.14
>     physical: e1000g0
>     defrouter not specified
>
> One of the application processes, when started on global zone, has an
> rss of about 5 GB ( prstat -s rss ) and it keeps this size to the end of
> the test. If I stop the application on global zone and I start it on
> local zone, the same process starts with the normal size ( 5gb on prstat
> -s rss ) but is growing during the test ( I saw it 25GB on a server
> with 32 gb RAM ) until is failing. I don't understand why is this
> behavior and if the application has a memory leak, why I don't see it on
> the
> global zone.
>
> Any help is more than welcome!!!
>
Re: [zones-discuss] Difference between resource management attributes
On Tue, Oct 20, 2009 at 1:20 PM, Ketan wrote:

> Can anyone answer my questions
>
> 1. Whats the difference between project.max-locked-memory and max-rss.
> And out these 2 which is the preferred way of limiting the physical memory in
> a project or zone.

RSS means "Resident Set Size" and can be considered to be the amount of RAM that the project's processes are using.

Locked memory is the pages of RAM that have been locked - pages that cannot be paged out.

> 2. How to restrict the swap memory in projects

There is a swap-cap for zones. See resource_controls(5).
Re: [zones-discuss] Processor Pool for zone: core & threads question
On Fri, Oct 9, 2009 at 11:04 AM, Joseph Balenzano wrote:

> Paolo Merisio wrote:
>
> Hi all,
>
> actually we can add to zone configuration an object called "dedicated-cpu"
> with properties "ncpus" and "importance".
> This object create a dedicated cpu Pool when zone starts and puts from 1 to
> "ncpus" cpus in this pool, property "importance" is useful when system has
> to decide to which dedicated pool assign a cpu (in case of two or more zone
> with dedicated-cpu).
> So, is the system that has to decide which cpu put in which pool.
> But I know that I can compromise performance if I put threads that comes
> from different core in different pool, so I (administrator) keep all threads
> of one core together in same pool.
> For example, with Niagara2+ processor:
> pool1-->pset1 (cpu 0,1,2,3,4,5,6,7) (eight threads of first core)
> pool2-->pset2 (cpu 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23) (16
> threads, second and third cores)
>
> But system is unaware of core and threads so it may put cpu 3,4,5 (three
> threads of first core) in one dedicated pool, and cpu 6,7,8,9 (2 threads
> from core 1 and core 3) in another dedicated pool.
>
> Also by creating Dynamic Pool (pset.min < pset.max) and setting "Objective"
> property we can delegate to system cpu movement from one pool to another
> pool.
> Again in cluster 3.2 we can let system create a dedicated pool for our
> Resource Group, and again system is responsible to decide which cpu put in
> which pool.
>
> Question is:
> It's possible to say to the system to keep threads of single core together
> when it moves cpu from one pool to another ?
> If is not, does anyone thinks this maybe a useful features?
>
>
> Yes. It already has been requested in CR 6615957
>

Until that RFE has been fulfilled, you can use poolcfg(1M) to move CPUs in and out of psets to get the exact set of CPUs in the pools. For example:

    poolcfg -dc 'transfer to pset SUNWtmp_myzone ( cpu 2 )'

moves CPU 2 from its current pset to the pset used for zone 'myzone'.

--JeffV
Re: [zones-discuss] Resource Management Question
On Fri, Oct 9, 2009 at 8:36 AM, Ketan wrote:

> I've 2 questions regarding resource pools and projects,
>
> 1. My system has 5 zones and 2 pools configured.
> Now, how can i check which zone is running with which pool with the ps
> command , not with zonecfg command.

See poolstat(1M).

> 2. How can i check a process is running under which project ?

Can you explain that question? How did you assign it to a project?

--JeffV
Re: [zones-discuss] unable to move processors in pset
On Thu, Oct 8, 2009 at 1:08 PM, Ketan wrote:

> bash-3.00# poolcfg -d -c 'transfer 8 from pset pset_default to pset-app'
> poolcfg: cannot transfer 8 from pset_default to pset-app: Invalid
> configuration
> bash-3.00#
> why I'm getting this error ?

Probably pset-app is already at its maximum.

Are [dynamic] pools enabled?

    # svcs -a | grep pools

What is the current CPU configuration?

    # poolstat

--JeffV
Re: [zones-discuss] Solaris 8/9 branded zones on Nevada and/or x86
On Fri, Oct 2, 2009 at 5:59 AM, Rainer Orth wrote:

> As far as I've been able to find out so far, Solaris 8 and 9 branded
> zones are available and supported on Solaris 10 only right now, and only
> for SPARC. Are there any plans to provide them for x86 and Nevada, too?

There wasn't much Solaris 8 or Solaris 9 deployed on x86, so, to the best of my knowledge, there will not be a Solaris 8 Containers or Solaris 9 Containers for x86.

As for Nevada - do you also mean x86?

> There are two reasons I'm asking: I'd like to test current versions of
> GCC on older Solaris releases without having to run on bare metal. Of
> course I could use VirtualBox or xVM on x86, but the performance won't
> be too good (I tested a GCC bootstrap on xVM dom0 quite some time ago
> and it took about twice as long as on bare metal). And on SPARC, I
> don't have a spare Ldom available to run Solaris 10, but would rather
> use a zone on a V880 running Nevada.
>
> Especially given the fact that Sun wants to get Solaris 10 users on bare
> metal to Nevada (Solaris 11, whatever) quickly by providing Solaris 10
> branded zones, it would only make sense to provide S8/S9 branded zones
> on S11 as well.

I follow your logic. It is very important to distinguish between the bi-weekly builds of OpenSolaris, the supported releases of the OpenSolaris distro, and the-next-version-of-Solaris-after-10. They are different entities, and the abilities to run S8C or S9C on each of those are very different things.

S8C and S9C are (non-open-source) products that Sun (as opposed to other distributors of OpenSolaris distros) makes available. I don't think that this is an appropriate place for discussion of Sun's product futures. But I have been wrong about such things before...

--JeffV
Re: [zones-discuss] Per-zone CPU Usage Reporting?
Hernan,

In addition to Mike's point about short-lived processes, prstat doesn't tell me how much CPU time a process used during its life.

Solaris Accounting will generate a record for each process, showing how much CPU time it used, and which zone it was in. If you collect all of the records, you can sum CPU time for each zone.

They need a tool which uses those records for input and generates a report for chargeback.

--JeffV

On Fri, Sep 18, 2009 at 9:31 AM, Hernan Saltiel wrote:

> Hello, Jeff!
> Have you tried "prstat -Z"? Is this not what you are looking for?
> Best regards,
>
> HeCSa.
> http://www.aosug.com.ar
>
> On Fri, Sep 18, 2009 at 10:27 AM, Jeff Victor wrote:
>>
>> Has anyone written a tool to provide per-zone reporting of CPU usage -
>> that can be shared? I know someone who wants to do this.
>>
>> Thanks in advance,
>> --JeffV
>
>
>
> --
> HeCSa
[zones-discuss] Per-zone CPU Usage Reporting?
Has anyone written a tool to provide per-zone reporting of CPU usage - that can be shared? I know someone who wants to do this.

Thanks in advance,
--JeffV
Re: [zones-discuss] NFS server in zones
On Sun, Aug 2, 2009 at 8:02 PM, Anon Y Mous wrote:

> I found this thread at forums.sun.com :
>
> http://forums.sun.com/thread.jspa?threadID=5333685
>
> Looks like some ambitious Solaris sysadmins have already been running UNFS3
> in Solaris Zones!

Yes, I mentioned this concept over a year ago during a live webinar; see http://www.sun.com/bigadmin/xperts/sessions/25_containers/index.jsp?xpertQuestions=2 . I had tested it on Solaris 10, on my x86 laptop, beforehand. It seems to work fine, and it took less than 30 minutes to download, compile and run it.

I thought I blogged about it, but now I can't find the entry.

--JeffV
Re: [zones-discuss] Using zones for simple usage
Thanks Jim. But the context is OpenSolaris, so time-to-patch is much less relevant. (Instead, time-to-update is relevant.) I strongly doubt that Solaris 10 will ever have a "server" distro. It's too late in the life of S10 for that.

And because we're talking about OpenSolaris, disk space usage shouldn't matter as much because zone clone will automatically create a ZFS clone. (This is also true on Solaris 10 10/08 and after *if* you choose to put your zones on ZFS. But with OpenSolaris it will be the default because ZFS is the default fs type for the root fs.)

My goal is not to argue that a GUI should always be installed. I like the concept. And the point about increasing security via package minimization is a good one that has been discussed many times over the years. I have occasionally asked for application-specific installation choices, but that has never happened. But if a 'server-only' option (like I mentioned last time) isn't difficult to achieve, perhaps that's the best path to take. But only if it meets the needs.

--JeffV

On Sun, Jul 19, 2009 at 5:08 AM, James Litchfield wrote:

> In the days of packages and Solaris 10 (i.e., what is used now
> and will be for quite a while)...
>
> A) Much less time to install and instantiate whole root zones
> if you get rid of a lot of dross. This includes service instantiation.
> Less disk space used for the zone. Disk space savings of more than 50%
> and often 75% can be achieved.
>
> I have run into this at one major retail corporation and several
> financial
> institutions. Disk space concerns were common to all of them and
> there were also concerns at some of them about the time it would take
> for dynamic container provisioning in response to load conditions.
>
> B) Concerns about security holes. If you don't have something on the system,
> you don't have to patch it or update it on the off chance someone could
> exploit it. If something is not on the system, you don't have to worry
> about
> as yet undiscovered security holes.
>
> This is a serious concern for many customers.
>
> C) Less time to install and less time to patch.
>
> Jim
>
>
>
> Jeff Victor wrote:
>>
>> On Fri, Jul 17, 2009 at 11:07 PM, Anon Y Mous
>> wrote:
>>
>>>>
>>>> One thing I've found to be true though: either a machine is all zoned,
>>>> or not.
>>>> It gets horribly confusing to have real activity in the global zone,
>>>> where you can half see the non-global zones, so if you have zones
>>>> on a machine then it's easier to run nothing in the global zone and
>>>> just use it as an administrative container.
>>>>
>>>
>>> Since you brought it up. I think what we really need is an officially
>>> supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun
>>> Microsystems that can be downloaded from genunix.org and does what you just
>>> described: i.e. it installs itself with no X-windows and just runs as a
>>> command line only minimal "administrative container" for zones with no GNOME
>>> desktop, no Thunderbird mail reader, no GNOME games, etc. etc.
>>>
>>
>> There is humorous irony here, given how much 'flak' Sun took over the
>> years for its outdated GUI - until Solaris adopted Gnome. Now that
>> [Open]Solaris have a modern UI, you want to get rid of it... ;-)
>>
>> Seriously, it would be helpful for Sun to understand the advantages of
>> a release that doesn't have a GUI as an option. In other words, what
>> problems are caused by the existence of the GUI software (besides
>> wasted disk space)?
>>
>> Instead of a separate distro, perhaps it would be simpler for
>> everybody if there was a "no-GUI server" installation option that
>> simply doesn't install the GUI tools. Would that meet your needs?
>>
>> Another option: Have you tried using the Automated Installer to
>> install OpenSolaris without X, Gnome, etc.?
>>
>>
>>>
>>> A lot of my paying clients are big time Linux users, they pay for
>>> RHEL and for the long term supported versions of Ubuntu Server, etc. and
>>> they have been wanting to try migrating some server instances over to
>>> OpenSolaris Indiana within the last six months or so to gain benefits from
>>> zones and ZFS, they like OpenSolaris Indiana for the most part, but they've
>>> been very turned off by the fact that OpenSolaris Indiana forces them to
>>> have all this desktop software installed when what they really want is a
Re: [zones-discuss] Using zones for simple usage
On Fri, Jul 17, 2009 at 11:07 PM, Anon Y Mous wrote: >> One thing I've found to be true though: either a machine is all zoned, or >> not. >> It gets horribly confusing to have real activity in the global zone, >> where you can half see the non-global zones, so if you have zones >> on a machine then it's easier to run nothing in the global zone and >> just use it as an administrative container. > > Since you brought it up. I think what we really need is an officially > supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun > Microsystems that can be downloaded from genunix.org and does what you just > described: i.e. it installs itself with no X-windows and just runs as a > command line only minimal "administrative container" for zones with no GNOME > desktop, no Thunderbird mail reader, no GNOME games, etc. etc. There is humorous irony here, given how much 'flak' Sun took over the years for its outdated GUI - until Solaris adopted Gnome. Now that [Open}Solaris have a modern UI, you want to get rid of it... ;-) Seriously, it would be helpful for Sun to understand the advantages of a release that doesn't have a GUI as an option. In other words, what problems are caused by the existence of the GUI software (besides wasted disk space)? Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs? Another option: Have you tried using the Automated Installer to install OpenSolaris without X, Gnome, etc.? > A lot of my paying clients are big time Linux users, they pay for RHEL > and for the long term supported versions of Ubuntu Server, etc. 
and they have > been wanting to try migrating some server instances over to OpenSolaris > Indiana within the last six months or so to gain benefits from zones and ZFS, > they like OpenSolaris Indiana for the most part, but they've been very turned > off by the fact that OpenSolaris Indiana forces them to have all this desktop > software installed when what they really want is a minimal server OS (similar > to Ubuntu's "Ubuntu Server" distribution that comes without a GNOME desktop) > and they also didn't like the fact that I wasn't able to deploy any new zones > for a while when the IPS repository went down a while ago. I believe that you can now create a local repository. This might help: http://wikis.sun.com/display/IpsBestPractices/Setting+Up+and+Maintaining+Package+Repositories ("Setting Up and Maintaining Package Repositories"). -- --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Using zones for simple usage
On Thu, Jul 16, 2009 at 5:30 PM, Peter Tribble wrote:
> On Tue, Jul 14, 2009 at 1:15 PM, Harry Putnam wrote:
>> Alexander Skwar writes:
>>
>>> What he plans can be done easily using NGZ (non-global zones).
>>> An NGZ also adds just a little bit of overhead (if any at all) to the
>>> system - unlike vbox.
>>
>> So you're saying a zone to handle all backup work is a sensible way to
>> go at it...
>>
>> Can you tell me what would be the advantage of creating a zone for
>> that as against just doing thru the normal os... no zones.
>
> Personally, I wouldn't use zones for this. Zones give you isolation - either
> for security or to run multiple instances. (Amongst other things.) A bit of
> complexity for no benefit.
>
> Isolating the mail server in a zone, on the other hand, makes more sense.
> Anything you expose to incoming traffic from outside is good.
>
> Nameservice I'm not sure: what acts as nameservice to the global zone?

Something that has the best security possible. If the GZ only needs to know about a few machines on the LAN, you could just use /etc/inet/hosts in the global zone, and put the nameserver in a zone. In some situations, that would be very helpful, e.g. if the nameserver is talking to the Internet for DNS resolution. In other situations, e.g. the system should be talking to the Internet, putting the nameserver in a zone would not help much.

> One thing I've found to be true though: either a machine is all zoned, or not.
> It gets horribly confusing to have real activity in the global zone,
> where you can half see the non-global zones, so if you have zones on a
> machine then it's
> easier to run nothing in the global zone and just use it as an administrative
> container.

Further, Sun's recommendation is to limit GZ use to platform management tasks - managing the zones - and put all apps in zones. The system benefits from the isolation mentioned earlier and the immutability of operating system binaries. No Trojan Horses in sparse-root zones!
-- --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] /export/home missing on non global zone
Is this Solaris 10 or OpenSolaris? Which update or release?

On Sun, Jun 21, 2009 at 1:29 PM, John Larsen wrote:
> Hello,
>
> I'm new to solaris and zones.
>
> I am exploring non-global zones for environment setup for testing. I have
> installed non-global zone and able to login etc and su to root. But I
> /export/home is missing and I am unable to create directories even as root.
>
> r...@opensolarisa:/export# zonecfg -z webOne
> webOne: No such zone configured
> Use 'create' to begin configuring a new zone.
> zonecfg:webOne> create
> zonecfg:webOne> set zonepath=/export/home/webone
> zonecfg:webOne> add net
> zonecfg:webOne:net> set physical=e1000g0
> zonecfg:webOne:net> set address=192.168.15.110
> zonecfg:webOne:net> end
> zonecfg:webOne> exit
>
> Does this have something to do with using sparse or whole root? Should I
> create zfs filesystem prior to creating a pool or isn't that done
> automatically when creating the zone?

--
--JeffV
___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] zonestat 1.4.1 problem
Sorry, it's either line 513/514 - the one that gets the kstat "swapresv_zone" or 504/504, the one that gets the kstat "lockedmem_zone". I need to clean out the "deadwood" in v1.5, too.

On Thu, Jun 11, 2009 at 5:41 PM, Phil Freund wrote:
> Jeff,
>
> Those lines were already commented out. It looks like the problem is in these
> lines:
>
> 500 # Get amount and cap of memory locked by processes in each zone.
> 501 $kstat->update();
> 502 my $zh = $kstat->{caps};
> 503 foreach my $z (keys(%$zh)) {
> 504   ($lkd_use[$z], $lkd_cap[$z]) = @{$kstat->{caps}{$z}
> 505     {"lockedmem_zone_".$z}}{qw(usage value)};
> 506   #printf ("kstat: lkd_use[$z
> 507   $lkd_use_sum += $lkd_use[$z];
> 508   # $lkd_cap[$z] = $lkd_cap[$z]/1024;
> 509   # printf ("$z:lkd:%d MB / %d %s.\n", $lkd_use[$z]/1024/1024,
> 510   # $lkd_cap[$z]>(1024^3) ? $lkd_cap[$z]/1024/1024/1024 : $lkd_cap[$z]/1024,
> 511   # $lkd_cap[$z]>(1024^3) ? "TB" : "MB");
> 512
> 513   ($vm_use[$z], $vm_cap[$z]) = @{$kstat->{caps}{$z}
> 514     {"swapresv_zone_".$z}}{qw(usage value)};
> 515   $vm_use_sum += $vm_use[$z];

--
--JeffV
___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] zonestat 1.4.1 problem
On Wed, Jun 10, 2009 at 4:03 PM, Phil Freund wrote:
> I have a couple of servers that are still running U1 but I'd still like to
> use zonestat to get as much info as I can.
>
> I get the following output when I run zonestat 1.4.1 with debug turned on:
>
> root> zonestat -l -N
> /usr/sbin/prtconf
> /bin/pagesize
> /bin/echo 'pages_pp_maximum/D;segspt_minfree/D' | mdb -k
> /usr/sbin/zoneadm list -v
> /usr/sbin/psrinfo
> /usr/bin/svcs -H pools
> svcs: Pattern 'pools' doesn't match any instances
> /bin/ps -eo zone,pset,pid,comm | grep ' [z]*sched'
> /usr/bin/ipcs -mbZ
> Attempt to access disallowed key 'caps' in a restricted hash at zonestat line 502.
> root>
>
> Any ideas on how to fix this?

Temporarily, you can fix this by commenting out these lines in the zonestat script:

    $statname = sprintf "swapresv_zone_%d", $zoneid{$z};
    $vm_use[$zoneid{$z}] = $kstat->{caps}{$zoneid{$z}}{$statname}{usage};
    $vm_use_sum += $vm_use[$zoneid{$z}];
    $vm_cap[$zoneid{$z}] = $kstat->{caps}{$zoneid{$z}}{$statname}{value};

That kstat wasn't added until the swap cap was added, in S10 5/08. Solaris releases older than that will all have that problem.

Sorry about that. This bug is on my list to fix for v1.5 of zonestat.

--JeffV
___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zone Isolation & Host Protection (vbox in a zone panics system)
On Thu, Jun 11, 2009 at 2:06 AM, Michael McKnight wrote: > Hello everyone, > > I recently took on a project to run a VirtualBox guest within a whole Solaris > zone. The idea was to protect the Solaris system from any crashes vbox might > have. I need to run vbox on a production system, but I didn't want to put > the whole system at risk. > > I was using Solaris 5/09 x86 with VirtualBox 2.2.2. Vbox would run ok as > long as I didn't try to power-off the virtual machine. When I would power > off a vbox guest, within just a few mins the Solaris host would panic with > the following message in syslog: > > [i]genunix: [ID 335743 kern.notice] BAD TRAP: type=e (#pf Page fault) > rp=d55a3ccc addr=490070e4 occurred in module "genunix" due to an illegal > access to a user address[/i] > > This was easily repeatable... and in two cases even made the host OS > unbootable -- device driver couldn't be loaded. Without vbox running, the > zone would function as expected and run indefinitely without issue. > > As a result of this, I had to change the version of vbox I was using and run > the vbox within the global zone (risky). It seems to be running rock solid > so far, but the whole experience has left me seriously questioning the safety > of Solaris zones. Plus, I don't have the option of isolating the vbox > machines as I originally had hoped. > > This is where I need help. I may simply have a misunderstanding of what a > zone can do. My understanding was that applications (ie vbox) running within > a zone would be completely isolated from the host system. Bad software, > security breaches, etc. would all be contained within the zone and the host > system, and any other zones, would be protected from a problem zone. As I > have explained above, this was not the case. > > So, what should I expect from zones? Since they are not fully isolated from > the global zone and underlying host, what degree of confidence should I put > into their resiliency and their security? 
If, as I experienced, a rogue > application can cause a system panic, wouldn't a potential intruder be able > to do the same thing? > > I really was falling in love with Zones and the potential I thought they > would offer me, but this experience has really made me question my decision > to use them and I need some help understanding exactly what went wrong. > > If anyone can offer some insight, I'd be grateful. Michael, Your experience shows that zones have a high degree of isolation for user-level applications, but that the isolation can be significantly reduced whenever the kernel is modified in some way. I am assuming that when you installed VirtualBox, you installed the SUNWvboxkern package in the global zone. That package adds a kernel module to the kernel. That software runs independently of the zones framework. If there is a bug in that software - or any other kernel module - it has the potential to cause the kernel to panic. As you have seen, this affects all zones on the system. The same is true if you add a 3rd party file system which requires a kernel module or device driver. I suggest discussing the symptom experienced by your system at http://forums.virtualbox.org/ , or reporting this as a bug at: http://www.virtualbox.org/wiki/Bugtracker . --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] FSS and processor sets
Ketan, Adding to Steffen's comments: if you are not using zones, or if you are configuring multiple zones to share a processor set, you would use the poolcfg(1M) command to set pool.scheduler to FSS. See also libpool(3LIB) and resource_controls(5). On Thu, Jun 11, 2009 at 9:02 AM, Steffen Weiberle wrote: > On 06/11/09 08:38, Ketan wrote: >> >> I read somewhere which says """FSS can be assigned to processor sets, >> resulting in more sensitive control of priorities on a server than raw >> processor sets"" can any one tell me how we can assign FSS to processor set >> and how it works ? >> Thanx . > > If you create manual resource pools, you can also assign shares to the zones > assigned to the pool so they can 'share' the CPUs in the pool. > > So if you create a resource pool P with N CPUs, and you assign zones a, b, > and c to pool P, with shares of 100, 200, and 300, respectively, when all N > CPUs are utilized by the zones, the scheduler with give zone a 100/600*N, > zone b 200/600*N, and zone c 300/600*N of the resources (barring other > constraints such as blocking on I/O). > > This does not work if you use the dedicated-cpu directive, as it create a > resource pool for the zone, and there is one-to-one relationship between the > pool and the zone. > > Within a zone you can also use FSS for projects. > > Steffen > ___ > zones-discuss mailing list > zones-discuss@opensolaris.org > -- --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Shared IP or Exclusive IP with vnics
On Tue, Apr 28, 2009 at 6:09 AM, Vincent Boisard wrote: > Thanks for your help, > > Let me summarize this: > > - Shared IP has the advantage that the global zone fully administers the > network: zone don't have to (and even CAN'T) bother with it. There may be a > slight advantage performance wise. > - Exclusive IP with VNIC is needed for some features and enables bandwidth > management between the network and zones (Does it make sense to try to > manage bandwidth between zones ?) I would add: - Exclusive IP is needed in certain situations, but without VNICs the number of exclusive-IP zones is severely restricted - usually 1 or 2 of them per system. With VNICs you can have hundreds of exclusive-IP zones. > On Mon, Apr 27, 2009 at 11:58 PM, Steffen Weiberle > wrote: >> >> On 04/27/09 13:40, Vincent Boisard wrote: >>> >>> Hi everyone, >>> >>> I am wondering, as Crossbow is now integrated, does it still make sense >>> to use Shared IP Zones or is it better to use exclusive-ip zones with a vnic >>> for each of them. >>> With a vnic, we can benefit from the bandwidth management and al, but >>> they may be performance issues... >>> >>> What do you think about it ? >> >> Some cases need exclusive IP Instances, such as where you need to have >> isolation, force traffic in certain ways (static routes, preventing kernel >> from looping traffic back up [1]). >> >> In those cases where you have a choice to use either, the primary reason I >> see going shared IP is that the global administrator manages the network. >> With exclusive IP, the non-global administrator can/must manage that. Maybe >> not a big deal, unless you give root privileges to the zones users, and they >> can then make changes with out any constraints, and that is something that >> is not desirable in your installation. >> >> Steffen >> >> >> [1] Two or more VNICs on the same NIC with IP addresses on the same subnet >> will *not* have traffic leave the system. Something to keep in mind. 
The >> destination MAC address must be on a different node on the network for it to >> go out the NIC. That node could be a VNIC on a different NIC, but not on the >> same VNIC. Underneath the VNICs is essentially a switch, to help create the >> picture. This is partially good--traffic between zones sharing a VNIC is >> slower than shared (not sure how much) and faster than going out on the >> wire. Yet you still have the other benefits. >> >> -- --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] solaris10 brand project proposal
Just in case you need it: another +1. On Mon, Apr 27, 2009 at 9:18 PM, Jerry Jelinek wrote: > Dan Price wrote: >> >> Belatedly, a big +1. Jerry, if you have not already, I can take this to the >> OGB for creation. > > Thanks Dan. I think we have enough votes now. I will see about getting this > set up this week. If I need a hand, I'll let you know. --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zonestat v1.4 Available
On Thu, Apr 9, 2009 at 4:44 AM, Henrik Johansson wrote:
> Nice work Jeff!

Thanks Henrik!

> Some thoughts:
>
> Would not 1024 be better suited than 1000 for shorten? Currently if I set a
> swap capping with zonecfg to 256G it is displayed as 275G in zonestat.
>
> It would be nice to check for patch 127127-11, 137137-09 etc instead of
> looking at /etc/release since the system could have been patched instead of
> upgraded.

I agree, on both of those. They are in the ToDo list.

--JeffV
___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Zonestat v1.4 Available
I posted Zonestat v1.4 at the Zone Statistics project page http://opensolaris.org/os/project/zonestat (click on "Files" in the left navbar). My blog http://blogs.sun.com/jeffv lists the new features and bug fixes. Please send questions and requests to zones-discuss@opensolaris.org . --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zones, Solaris 10 and ZFS...do zones need to sit on rpool ?
On Mon, Apr 6, 2009 at 3:12 PM, Paul Davis wrote: > > 121430-33 (or higher) supports ZFS root with ZFS zonepaths (each in their > own zpools). Been testing this extensively as a POC and it works, lucreate > plus patching. We did file bug 6819838 on preservation of mountpoint > settings after lucreate when set at the zfs level vs. zpool level, but other > than that pleased with the functionality. I believe the restriction is that > you MUST use ZFS root and not UFS root w/ ZFS zones. Paul, can you verify that with whoever decides those things? --JeffV > Enda O'Connor wrote: >> >> Hi >> As far as I'm aware the latest Lu patches remove this restriction >> 121430-xx, but I have cc'ed the zfs team for some guidance. >> >> Enda >> >> Alexander Skwar wrote: >>> >>> Hi! >>> >>> On Mon, Apr 6, 2009 at 19:55, Nicolas Dorfsman >>> wrote: >>> >>>Le 6 avr. 09 à 19:35, Alexander Skwar a écrit : >>> >>>On Mon, Apr 6, 2009 at 13:46, Nicolas Dorfsman >>> wrote: >>> >>> I'm waiting for some patch to allow non-local zones to >>>be located out of the rpool before upgrading my customer >>>mainframe (s/mainframe/sf15k/). >>> >>> Is there anybody here who knows if or when it'd be >>>available ? >>> >>>Is it not allowed to have non-global zones on an arbitrary >>>zpool? Who says so? >>> >>>I'm curious, because my zone roots are NOT located on >>>rpool and things *seem* to work fine. Or am I running into >>>some sort of problem by doing this? >>> >>>You could read : >>> >>> I *could* :) >>> >>>In other words : if you never apply patchs, everything's fine. If >>>you'd like to patch, you may need to use some trick (like detaching >>>zone and re-attaching them on a OS supporting your conf). >>> >>> Thanks a lot, I wasn't actually aware of that limitation. >>> >>> Learn something new every day... :/ >>> >>>So...now we're friend you and me, waiting for a patch. :) >>> >>> Yes, seems like. Thanks a lot for reading the important part to >>> me. I appreciate it! 
>>> >>> Best regards, >>> Alexander >>> -- ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Zones Parallel Patching
Just FYI: I measured patching throughput improvement with the not-yet-released Zones Parallel Patching patch. You can read about my findings at http://blogs.sun.com/JeffV/entry/patching_zones_goes_zoom . --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Container support
On Fri, Mar 13, 2009 at 5:36 AM, Stewart Mathieson wrote: > IHAC who is using the Solaris Migration Tools/Solaris 8 Container and the > licence agreement in the download talks about only being a 90 day evaluation > RTU licence > > https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewLicense-Start > > Its very unclear if the 90 day limit mentioned in section 3 a) will apply > here. I know that if my customer wants support then they have to pay for a > subscription etc but if they just download and use containers will they find > that the solaris 8 containers stops working after 90 days? The license statement was intended to be very clear about the message "you (or 'your customer') can use the Solaris 8 Containers software legally for a 90-day trial period. To continue legally using the software on that system, after that period, you ('they') need to purchase the combination License/Support Contract." The last item is one part number. Whether it stops working after 90 days should be irrelevant. If they want to use it past that point, they need a License/Support contract. If they don't want to use it, they shouldn't care if it stops working, right? --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] resource pool for Zone
On Sat, Mar 7, 2009 at 4:35 AM, Anthony Yeung wrote:
> Can we setup resource pool inside a Zone?

Hi Anthony,

If you are logged into a zone, you cannot set up a resource pool. If you want to create a resource pool and assign a zone to it, you can do that from the global zone. You can either create a pool first, with poolcfg(1M) and pooladm(1M), or you can use zonecfg(1M) and the "dedicated-cpu" feature.

--JeffV
___ zones-discuss mailing list zones-discuss@opensolaris.org
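The pool-first route from this reply, combined with the FSS shares from the "FSS and processor sets" thread above, as an added example that is not part of either message: the names pool_P and pset_P, the zones a, b, c and the CPU count 6 are placeholders. The functions only print commands, so the plan can be reviewed before it is run in the global zone.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: pool_P, pset_P, zones a/b/c.
# Nothing is executed here: each function prints commands for review; pipe the
# output to sh in the global zone to apply it.

# Print the commands that build a pset of $3 CPUs and a pool on top of it
# whose scheduler is FSS (pool.scheduler, as mentioned in the FSS thread).
emit_pool_setup() {
    pool=$1 pset=$2 ncpu=$3
    cat <<EOF
pooladm -e
pooladm -s
poolcfg -c 'create pset $pset (uint pset.min = $ncpu; uint pset.max = $ncpu)'
poolcfg -c 'create pool $pool (string pool.scheduler = "FSS")'
poolcfg -c 'associate pool $pool (pset $pset)'
pooladm -c
EOF
}

# Print the zonecfg command that binds a zone to the shared pool with its
# FSS shares. As noted in the thread, shares do not apply with dedicated-cpu.
emit_zone_binding() {
    zone=$1 pool=$2 shares=$3
    case $shares in
        ''|*[!0-9]*) echo "shares must be a non-negative integer" >&2; return 1 ;;
    esac
    printf "zonecfg -z %s 'set pool=%s; set cpu-shares=%s'\n" "$zone" "$pool" "$shares"
}

# CPUs a zone is entitled to when every zone in the pool is busy:
# shares / total_shares * ncpu
fss_entitlement() {
    awk -v s="$1" -v t="$2" -v n="$3" 'BEGIN {
        if (t <= 0 || s > t) exit 1
        printf "%.2f\n", s / t * n
    }'
}

# Worked case from the thread: shares 100/200/300 in one pool.
# N = 6 CPUs is a constructed value.
plan_pool_P() {
    emit_pool_setup pool_P pset_P 6 || return 1
    total=600
    for spec in a:100 b:200 c:300; do
        zone=${spec%%:*}
        shares=${spec##*:}
        emit_zone_binding "$zone" pool_P "$shares" || return 1
        printf '# zone %s: %s of 6 CPUs under full load\n' "$zone" \
            "$(fss_entitlement "$shares" "$total" 6)"
    done
}

# "sh thisfile plan" prints the whole plan.
if [ "${1:-}" = plan ]; then
    plan_pool_P
fi
```

A zone picks up a changed pool binding or share value the next time it boots.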
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
On Thu, Mar 5, 2009 at 1:48 PM, Steve Lawrence wrote: > On Thu, Mar 05, 2009 at 01:22:25PM -0500, Jeff Victor wrote: >> On Thu, Mar 5, 2009 at 11:00 AM, Gael wrote: >> > On Wed, Mar 4, 2009 at 9:06 AM, Jeff Victor >> > wrote: >> >> >> >> Some questions: >> >> 1. Do you use "set pool=" anymore, now that the dedicated-cpu feature >> >> exists? >> > >> It is now clear to me that this feature would need to support >> disabling interrupts when a zone uses "set pool=". Currently, all pool >> attributes are configured using the pool tools (poolcfg, pooladm) and >> I don't see any reason to not continue. When I write this up, it will >> fulfill that need. > > Ae you proposing that we add support for pset-interrupt disposition config > to the pools framework? Such as a property on a pool-pset >"boolean pset.interrupts = false"?? The short answer is "yes." BobN and I came to the same conclusion just a few hours ago... :-) CPUs already have cpu.status which can be on-line, no-intr (LWPs but no interrupt handlers), or off-line (no LWPs but still able to handle interrupts). A pset.interrupts field would allow Solaris to set cpu.status on CPUs as they enter the pset. Zones could then use that so we can increase their isolation. When a CPU re-enters the default pset, it becomes able to handle interrupts again. When needed, intrd will give it one (or more). > I think the right solution for "pool=" is this or similar. It could also > be a string value, such as: > >"none" no interrupts handled on cpus in the pool-pset. >"zone" Device interrupts for bound zones are serviced. >"any" Any device interrupts can be dispatched to the pset. I don't see how we could do "zone" in all situations - there isn't a 1:1 mapping between zone and device (except for exclusive-IP). Imagine zoneA and zoneB on a pset (psetAB) with pset.interrupts=zone. Further, zoneA and zoneC share e1000g0, but zoneB doesn't. Finally, zoneC has its own pset. 
Where does the interrupt handler for e1000g0 go - psetAB or psetC? Or are you suggesting that interrupts from one device can be intercepted and diverted to a CPU associated with a specific pset, based on which process the interrupt is/should be associated with? Or am I misunderstanding the description of "zone"? > Zonecfg could make use of these pool-pset properties to implement the > desired behavior for "dedicated-cpu". Exactly. > The default value should be "any". zonecfg should set "zone" for all > dedicated-cpu zones. zoneadm could warn if "pool=" is set, the zone has > dedicated devices, zone the pset for that pool has not been configured to > be "zone". The only devices we can be sure are dedicated for the boot-session of a zone are NICs. So this whole "segregate the interrupts per zone/pset combo" will be limited at best. It would be nice if we could generalize it like you say, but I don't think it's workable yet. > legacy psets (psrset) could be extended to support this property via some new > flags. > > Ther other part of this is how to reconsile zonecfg and/or pools settings > for interrupts, with device-cpu mappings that are specified via dladm. > Currently, dladm allows the specification of a list of cpu ids. Another > way to approach this would be to point dladm directly at the desired pool. Which "currently" are you on? :-) I'm on NV94 and I don't see anything like that in dladm(1M) I'm beginning to think this is really a two-phase project: * Phase 1: make it easier to disable interrupts on a zone's pset (one configured with the pool property or dedicated-cpu resource) * Phase 2: optimize this by enabling a zone's pset to handle interrupts from a device which is exclusively bound to this zone. I think that most people that need any of this only need Phase 1. Philosophically, shifting interrupt handlers into the default pset is consistent with the original zones principles: hardware is part of the platform, not part of a zone. 
So I'm not even convinced that we should be allowing zones' psets to selectively "attract" interrupt handlers. Great conversation! --JeffV >> >> 2. Is it sufficient to simply disable interrupts on a zone's pset? >> > >> > In our case, we do pset only when licensing requires it (aka >> > oracle,datastage,sybase,borland apps) or when the applications behave >> > poorly >> > and we keep hearing that by lack of budget/resources, the issue cannot be >> > addressed and without direct impact on the business itsel
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
Thanks for the great feedback Gael. Comments below. On Thu, Mar 5, 2009 at 11:00 AM, Gael wrote: > > On Wed, Mar 4, 2009 at 9:06 AM, Jeff Victor wrote: >> >> Some questions: >> 1. Do you use "set pool=" anymore, now that the dedicated-cpu feature exists? > > We got over one hundred physical frames running zones here, covering nearly > all versions of Solaris 10, we are currently sticking to set pool until we > can get the whole environment upgraded. Before that, cannot afford to have > the whole team of admins handling zones differently depending on the OS > version. Headache... It is now clear to me that this feature would need to support disabling interrupts when a zone uses "set pool=". Currently, all pool attributes are configured using the pool tools (poolcfg, pooladm) and I don't see any reason to not continue. When I write this up, it will fulfill that need. >> 2. Is it sufficient to simply disable interrupts on a zone's pset? > > In our case, we do pset only when licensing requires it (aka > oracle,datastage,sybase,borland apps) or when the applications behave poorly > and we keep hearing that by lack of budget/resources, the issue cannot be > addressed and without direct impact on the business itself, nothing will > change. Gael, I realized that my question was vague. When you use a pool, you're using a pset. Do you mean that you only use pools and psets when licensing requires it? Also, I couldn't tell how the comment responded to the question. > What about creating an IO pset, and then disabling the interrupt on > everything else while using it as a FSS pool or psets pools ? Very similar > to ldom I would think... Yes, that occurred to me, too. You can do that now, either with a pset that's being used by a zone or with the default pset. But I'm not convinced there's enough reason to separate an I/O pset from the default pset. There's great potential for wasted CPU cycles. --JeffV ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
On Thu, Mar 5, 2009 at 9:15 AM, Bob Netherton wrote:
>
>> 1. Do you use "set pool=" anymore, now that the dedicated-cpu feature exists?
>
> Until Oracle develops a more rational licensing scheme you should expect this feature to be in use. I may have many Oracle instances, each in a separate zone, using the same pool.

Good point. I was thinking of Oracle licensing with dedicated-cpu, but didn't assign enough importance to the model you mentioned.

> The sampling on this discussion list may not give you a good idea of its use. Might pose this question on your blog as well ?

A capital idea!

> That said, this requires manual configuration of the pool.

To which 'this' do you refer? The current use of "set pool=" or my proposed property "set interrupts=disabled"?

> I don't think it would be asking too much for customers using this feature to also set up a boot time service (SMF or RC) to disable interrupts on all CPUs in the pool.

I think you are saying "I don't think there is a need for 'set interrupts=disabled' because that can be accomplished in an SMF service or RC script." If you are not saying that, I apologize for mis-interpreting and ask that you help me understand. But assuming I got it right the first time... :-)

...I respectfully disagree, for the following reasons:

1. Few people know how to create an SMF service. I don't know how to do that. I'm confident that I could learn - probably by reading your blog :-) - but it's not something I have ever done. We have been telling people to not use RC any more, so I don't consider RC a viable option.

2. The step that disables interrupts for a zone's CPUs should be equally applicable whether the zone uses a "permanent pool" (via "set pool=") or a temporary pool (via dedicated-cpu). It's not possible to disable interrupts on a temporary pool at boot time because it doesn't exist yet, so we would be recommending SMF for permanent pools and adding a new feature for dedicated-cpu, which is unnecessarily confusing and might require learning more about SMF than most people want to learn. (Imagine telling someone that to use an SMF feature they must learn how to create a zone.)

3. The configuration information specifying disabled interrupts for a zone should move with the zone via zoneadm... detach/attach. That will happen with zonecfg, but will not happen with SMF/RC.

>> 2. Is it sufficient to simply disable interrupts on a zone's pset?
>
> I like your idea of turning off interrupts for dynamic resource pools under zoneadm/rcapd control, and leaving it a configurable item. I would also think that when CPUs are removed from the pool that interrupts should be turned back on unless given to another pool with interrupts=disabled. I would hate for several zone reboots to turn off interrupts to all CPUs :-(

Oh, I don't know, ;-) I function better without interruptions...

Seriously, that's a good point. Fortunately, Solaris prevents that from happening - see psradm(1M). The final proposal should require that zoneadm check the return code from p_online(2) and the zone must not boot if the call fails and the return code is EBUSY.

In addition, some consideration should be given to this type of situation: many zone re-boots could shift all interrupt handling to one CPU, which might be a CMT thread... Perhaps there should be a system tunable for "minimum portion of the system's CPUs which must be enabled for interrupts." Or perhaps this becomes one of the many ways that Solaris allows one to shoot oneself in the foot...

--JeffV
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
I have received several private comments expressing interest in this topic, so I'd like to generate more discussion and attempt to focus on a solution that meets most or all of the needs.

Summary of problem:

- A zone can be configured so that its processes do not run on the CPUs in the default pset, but in a different pset. The zone can have exclusive access to those CPUs, or one or more other zones can be configured to share that pset. Zone configuration is not aware of interrupt handlers. When Solaris boots, it must assign each device's interrupt handler to a CPU. It does so without knowledge of psets or zones. The lack of awareness of integration between zones and interrupt handlers leads to situations where heavy CPU utilization in one zone can lead to performance or performance-related problems in other zones. For example, the interrupt handler for a network interface may be assigned to a CPU that is later also assigned to a zone which doesn't use that NIC. This can cause dropped network packets that are to/from zones which are not using that CPU. These problems violate the main goal of zones: workload isolation.

- The "first order of magnitude" solution is to simply disable interrupts on zones which are assigned to non-default psets. This is often effective, but in practice requires custom scripts. Management of those scripts across a data center can be burdensome or even overwhelming. In addition, that solution may not meet the goal of workload isolation. A system could be configured with multiple zones that have separate (exclusive) NICs and CPUs. Disabling interrupts on the zones' psets will move all interrupt handling into the default pset. Solaris might assign all of the NIC interrupt handlers to one of those CPUs. Network activity generated by one zone could interfere with the ability to quickly handle network traffic associated with a different zone. Therefore, it might be desirable to configure an exclusive-IP zone so that the interrupt handler for its NIC(s) are assigned to CPUs in that zone's pset.

Here are some possible solutions:

1. Add to zonecfg a property which requires that a zone's CPUs not handle interrupts. The syntax could be simple:

   zonecfg -z myzone
   set interrupts=disabled
   exit

   If the zone is configured to run in the default pset, 'verify' should fail, and the zone should refuse to boot. It's not clear what should happen if the zone is booting into a shared pset that already has zones *and* interrupt handlers.

2. Place an interrupt property in the "dedicated-cpu" feature.

   zonecfg -z myzone
   add dedicated-cpu
   set ncpus=4
   set interrupts=disabled
   end
   exit

   That syntax doesn't handle zones which use "set pool=".

3. Associate an interrupt property with the "exclusive-ip" feature to allow the user to specify that all non-network interrupt handlers should be moved to the default pset, and interrupts for this zone's NIC should be handled by this zone's pset.

   zonecfg -z myzone
   set ip-type=exclusive
   add net
   set physical=e1000g0
   set interrupts=enabled
   end
   exit

   Another NIC in that zone would have a separate 'interrupts' property. Its interrupts could also be handled by this zone's pset or by the default pset.

Some questions:

1. Do you use "set pool=" anymore, now that the dedicated-cpu feature exists?
2. Is it sufficient to simply disable interrupts on a zone's pset?
3. Are there any other devices which (A) can be assigned exclusively to a zone (via 'set match') and generate enough interrupts to cause problems?
4. Implementing (1) or (2) should be relatively simple. Choice (3) might be significantly more effort, and might delay any of this functionality. Which is better: more granular configuration of interrupt handling or faster relief? (Either way, I wouldn't expect Sun to do this during CY2009. However, if you have sufficient interest and ability... :-) ).

--JeffV

On Tue, Mar 3, 2009 at 11:26 PM, Jeff Victor wrote:
> On Tue, Mar 3, 2009 at 8:39 PM, Gael wrote:
>>
>> Many thanks to Bob Netherton and Jeff for their quick help on that painful issue.
>> The solution was to use psrset -f on the heavily used pset.
>> It is fully supported and a recommended situation when CPU starvation causes interrupts not to be serviced in time and they get lost. Credit goes to Rickey Weisner for this tip.
>>
>> I have monitored that zone today for multiple hours without seeing any packet loss while it was cranking up its cpu usage...
>> Jeff, following a previous mail today, as a fervent customer ;), I would love to see that feature directly accessible thru the zone configuration to avoid having to create a script and a dirty workaround to enable that feature on boot. Is there a RFE # out there that I can be
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
On Tue, Mar 3, 2009 at 8:39 PM, Gael wrote:
>
> Many thanks to Bob Netherton and Jeff for their quick help on that painful issue.
> The solution was to use psrset -f on the heavily used pset.
> It is fully supported and a recommended situation when CPU starvation causes interrupts not to be serviced in time and they get lost. Credit goes to Rickey Weisner for this tip.
>
> I have monitored that zone today for multiple hours without seeing any packet loss while it was cranking up its cpu usage...
> Jeff, following a previous mail today, as a fervent customer ;), I would love to see that feature directly accessible thru the zone configuration to avoid having to create a script and a dirty workaround to enable that feature on boot. Is there a RFE # out there that I can be added to thru Sun Support ? Got a case opened on that issue.

Yes, the CR is 6199531 - "Device interrupts not bound to cpus configured within a nonglobal zone"

Please ask your contact in Sun Service to add an SR for you.

> Will continue to monitor the situation for a few days, and if I see anything wrong, I will update that thread
> Again, thanks !
> Regards
>
> On Tue, Mar 3, 2009 at 2:19 PM, Jeff Victor wrote:
>>
>> Hello Gael,
>>
>> On Mon, Mar 2, 2009 at 10:08 PM, Gael wrote:
>> > Hello
>> >
>> > Got a zone running SAS with cpu capping enabled using a processor set as we see a few processes using quite a bit of cpu there too often.
>>
>> Is that zone assigned to a resource pool, or is it using the dedicated-cpus feature?
>>
>> > When the process is running (chewing 100% of its pset), the frame nic (server is a E2900 with a ce interface) is dropping 20-30 % of its packets causing a headache.
>>
>> My first guess is that the NIC's interrupts are going to a CPU that the zone is using, and the CPU doesn't have enough power to run the zone's workload *and* be an effective NIC interrupt handler.
>>
>> Please run the "intrstat" command as root in the global zone, to determine which CPU is handling interrupts for that NIC. Also, check which CPU(s) that zone can use.
>>
>> Please let us know what you learn from those.
>>
>> > Doesn't appear to be a network load issue. Not a lot happening there visibly.
>> >
>> > With Solaris 10 u4 or u6, what elegant way would you recommend to avoid that disruption caused by a single zone ?

--
--JeffV
Re: [zones-discuss] Zone in a pset with high load generating high packet loss at the frame level
Hello Gael,

On Mon, Mar 2, 2009 at 10:08 PM, Gael wrote:
> Hello
>
> Got a zone running SAS with cpu capping enabled using a processor set as we see a few processes using quite a bit of cpu there too often.

Is that zone assigned to a resource pool, or is it using the dedicated-cpus feature?

> When the process is running (chewing 100% of its pset), the frame nic (server is a E2900 with a ce interface) is dropping 20-30 % of its packets causing a headache.

My first guess is that the NIC's interrupts are going to a CPU that the zone is using, and the CPU doesn't have enough power to run the zone's workload *and* be an effective NIC interrupt handler.

Please run the "intrstat" command as root in the global zone, to determine which CPU is handling interrupts for that NIC. Also, check which CPU(s) that zone can use.

Please let us know what you learn from those.

> Doesn't appear to be a network load issue. Not a lot happening there visibly.
>
> With Solaris 10 u4 or u6, what elegant way would you recommend to avoid that disruption caused by a single zone ?
>
> Regards
>
> --
> Gael

--
--JeffV
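
The cross-check requested in the message above (which CPU services the NIC's interrupts, compared with the CPUs the zone can use), as an added example that is not part of the original thread. It assumes input in the intrstat(1M) column layout; the sample data, its device names and counts, and the function names intr_in_pset and pset_is_isolated are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list devices whose interrupts are
# serviced by CPUs that belong to a zone's processor set.
#
# Typical use in the global zone, with the pset's CPU ids as one argument:
#   intrstat 5 1 | intr_in_pset "2 3"
#
# Assumption: input has the intrstat(1M) layout shown in sample_intrstat.
# On Solaris 10 set AWK=nawk, because /usr/bin/awk there does not accept -v.
AWK=${AWK:-awk}

# Constructed sample, not captured from a real system. Device names and
# counts are made up; cpu2 and cpu3 stand for the zone's pset.
sample_intrstat() {
    cat <<'EOF'
      device |      cpu0 %tim      cpu1 %tim      cpu2 %tim      cpu3 %tim
-------------+------------------------------------------------------------
        ce#0 |         0  0.0         0  0.0      4812 21.4         0  0.0
       mpt#0 |       310  0.9         0  0.0         0  0.0         0  0.0
EOF
}

# intr_in_pset "<cpu ids>": read intrstat output on stdin and print one line
# "<device> cpu<id> <interrupts> <%tim>" for every device that delivered
# interrupts to a CPU in the space-separated list during the interval.
intr_in_pset() {
    "$AWK" -v cpus="$1" '
    BEGIN {
        n = split(cpus, want, " ")
        for (i = 1; i <= n; i++) inset[want[i]] = 1
    }
    # Header: map each count/%tim column pair to its CPU id. The header is
    # printed again for every interval, so the map is rebuilt each time.
    $1 == "device" {
        ncol = 0
        for (i = 3; i <= NF; i++)
            if ($i ~ /^cpu[0-9]+$/) col[++ncol] = substr($i, 4)
        next
    }
    # Data row: <device> | <count> <%tim> <count> <%tim> ...
    $2 == "|" && ncol > 0 {
        for (k = 1; k <= ncol; k++) {
            count = $(2 * k + 1) + 0
            if ((col[k] in inset) && count > 0)
                printf "%s cpu%s %d %s\n", $1, col[k], count, $(2 * k + 2)
        }
    }'
}

# pset_is_isolated "<cpu ids>": exit status 0 when no device interrupt landed
# on the listed CPUs, 1 otherwise. Suitable for a cron or monitoring check.
pset_is_isolated() {
    [ -z "$(intr_in_pset "$1")" ]
}
```

After `psrset -f` has been applied to the zone's pset, as described elsewhere in this thread, the same check run against fresh intrstat output should report nothing for that pset's CPUs.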
Re: [zones-discuss] zonestat.pl without Resource Pools
On Fri, Feb 20, 2009 at 2:49 PM, Derek McEachern wrote:
> Jeff,
>
> Sorry this has taken so long to get to but yes, if I enable the pools and pools/dynamic services it runs as expected.

Good. Until I can create v1.3.1, that is a good workaround. It is an extra step, but doesn't hurt performance - or anything else.

> Has any work started on a 'real' zonestat yet?

I believe that design work has begun, but these things take time...

> On Tue, Feb 17, 2009 at 9:44 PM, Jeff Victor wrote:
>>
>> On Tue, Feb 17, 2009 at 4:09 PM, Derek McEachern wrote:
>> > We are in the process of deploying applications into zones and I've been looking at how to monitor what each zone is up to regarding resource usage.
>> > I downloaded the zonestat.pl script to play around with and out of the box it didn't actually give me any zone specific information.
>> >
>> > After poking around the code it turns out it won't break out any zone level details unless resource pooling is enabled. We are deploying our zones without resource restrictions.
>>
>> This is a known problem with v1.3. I am working on v1.3.1 which will fix that problem.
>>
>> As a temporary workaround: does it work correctly if you enable pools and don't configure any?
>>
>> GZ# svcadm enable pools
>> GZ# svcadm enable pools/dynamic
>>
>> > I hacked the script to get around this problem for now but is this a feature we can get added to the baseline? Jeff, how are changes handled to this script since you appear to be the owner?
>>
>> To make a contribution to the OpenSolaris community, first you would register as a contributor. The other option is to request a specific change in behavior, and I will try to get to it promptly.
>>
>> However, please understand (as the project web pages state) that this is a prototype to help us learn what a 'real' zonestat should do. The 'real' zonestat would be written in C or D for improved functionality and considerably better performance. This Perl script consumes a great deal of CPU cycles.
>>
>> --JeffV

--
--JeffV
Re: [zones-discuss] Share a non-global zone folder
On Thu, Feb 19, 2009 at 11:28 AM, Asif Iqbal wrote:
> Hi
>
> I am running solaris 10 update 6. I know I cannot nfs share a non-global zone folder.
>
> I want to have a central syslog server on non global zone and have the log file shared with remote hosts
>
> Is there a workaround?

A zone can be an NFS client. You could create a file system on an NFS server, and have the zone mount the file system and write the log to it.

--
--JeffV
Re: [zones-discuss] NTP client in non-global zone
On Thu, Feb 19, 2009 at 9:54 AM, Timothy Kennedy wrote:
>
> Nicolas Dorfsman wrote:
>>
>> It would be a great idea to have an easy solution to give these privileges to a zone.
>
> in zonecfg for a given zone,
> set limitpriv=default,proc_lock_memory,proc_priocntl,sys_time
>
> David Comay has an interesting blog post on this that can be found here: http://blogs.sun.com/comay/entry/privilege_set_me_free that explains the reasons for permissions additional to sys_time.

Here's another one: http://blogs.sun.com/JeffV/entry/shrink_wrap_security1 .

You'd think I would have updated the FAQ by now... :-(

I just updated it, but changed it to "NTP client". I don't know NTP well enough to know if a zone can be an NTP *server*. If anyone knows Sun's position on this, I will add it to the FAQ.

--
--JeffV
Re: [zones-discuss] zonestat.pl without Resource Pools
On Tue, Feb 17, 2009 at 4:09 PM, Derek McEachern wrote:
> We are in the process of deploying applications into zones and I've been looking at how to monitor what each zone is up to regarding resource usage.
> I downloaded the zonestat.pl script to play around with and out of the box it didn't actually give me any zone specific information.
>
> After poking around the code it turns out it won't break out any zone level details unless resource pooling is enabled. We are deploying our zones without resource restrictions.

This is a known problem with v1.3. I am working on v1.3.1 which will fix that problem.

As a temporary workaround: does it work correctly if you enable pools and don't configure any?

GZ# svcadm enable pools
GZ# svcadm enable pools/dynamic

> I hacked the script to get around this problem for now but is this a feature we can get added to the baseline? Jeff, how are changes handled to this script since you appear to be the owner?

To make a contribution to the OpenSolaris community, first you would register as a contributor. The other option is to request a specific change in behavior, and I will try to get to it promptly.

However, please understand (as the project web pages state) that this is a prototype to help us learn what a 'real' zonestat should do. The 'real' zonestat would be written in C or D for improved functionality and considerably better performance. This Perl script consumes a great deal of CPU cycles.

--JeffV
Re: [zones-discuss] Add a zpool to a Zone w/o reboot
Sorry Alex, I didn't include enough information to properly convey my idea.

From the *global* zone, you would use

# mount -F lofs /root/

For example:

# mount -F lofs /mypool/zones/myzone-usr-local /zones/myzone/root/usr/local

On Mon, Feb 16, 2009 at 5:50 PM, Maidak Alexander J wrote:
> Thanks for the suggestion, unfortunately it doesn't work...
>
> # zfs get zoned slabzone1-zp01
> NAME            PROPERTY  VALUE  SOURCE
> slabzone1-zp01  zoned     on     local
> # zlogin slabzone1
> # zfs mount slabzone1-zp01
> cannot open 'slabzone1-zp01': dataset does not exist
>
> I wonder what rebooting the zone does to get it to be able to access the dataset, it's almost like it's "importing" the zpool. I'll have to do some research.
>
> zpool list/get commands do work inside the zone (example follows slabzone1-zp00 is a zpool already allocated to the zone).
>
> # zlogin slabzone1
> # zpool list
> NAME            SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
> slabzone1-zp00  3.97G  399M  3.58G  9%   ONLINE  -
> # zpool get all slabzone1-zp00
> NAME            PROPERTY     VALUE                 SOURCE
> slabzone1-zp00  size         3.97G                 -
> slabzone1-zp00  used         399M                  -
> slabzone1-zp00  available    3.58G                 -
> slabzone1-zp00  capacity     9%                    -
> slabzone1-zp00  altroot      -                     default
> slabzone1-zp00  health       ONLINE                -
> slabzone1-zp00  guid         12130506518989635213  -
> slabzone1-zp00  version      10                    default
> slabzone1-zp00  bootfs       -                     default
> slabzone1-zp00  delegation   on                    default
> slabzone1-zp00  autoreplace  off                   default
> slabzone1-zp00  cachefile    -                     default
> slabzone1-zp00  failmode     wait                  default
>
> I think whatever happens must happen at the zpool level, because when you add a top level dataset (ex tank/zonedata) to a zone it can "see" the tank zpool using the zpool list/get commands.
>
> Thanks,
>
> Alex
>
> -Original Message-
> From: Ben Rockwood [mailto:b...@cuddletech.com]
> Sent: Friday, February 13, 2009 4:12 PM
> To: Maidak Alexander J
> Cc: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Add a zpool to a Zone w/o reboot
>
> Maidak Alexander J wrote:
>> I added a zpool to a nonglobal zone using the following method:
>>
>> # *zpool list slabzone1-zp01*
>> NAME            SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
>> slabzone1-zp01  4.19G  112K  4.19G  0%   ONLINE  -
>> # *zonecfg -z slabzone1*
>> zonecfg:slabzone1> *add dataset*
>> zonecfg:slabzone1:dataset> *set name=slabzone1-zp01*
>> zonecfg:slabzone1:dataset> *end*
>> zonecfg:slabzone1> *exit*
>>
>> How can I get the nonglobal zone to "see" the zpool without rebooting the nonglobal zone?
>>
>
> I'm not sure you can,... a reboot is always the best method, but if I were to try it I'd:
>
> * Add the dataset property (you did that)
> * Umount the dataset (zfs umount slabzone1-zp01)
> * Set the "zoned" property (zfs set zoned=on slabzone1-zp01)
> * Attempt to mount it inside the zone (zfs mount slabzone1-zp01)
>
> Remember, you are providing a dataset to the zone, not a pool. In your case, the zone root will be given to the pool, but that's not required.
> Because of this, don't bother with 'zpool' commands in the zone, they don't work.
>
> Good luck.
>
> benr.

--
--JeffV
Re: [zones-discuss] Making directories in /usr visible (from global zone) in non-global zone
On Tue, Feb 10, 2009 at 12:26 AM, Arun Gupta wrote:
> Thanks Jeff,
>
> How do I know whether it's a sparse-root or whole-root zone ?

From the global zone, use "zonecfg -z info" and look for entries about inherit-pkg-dir. If there are four (/usr, /lib, and two others) then it's a sparse-root zone, and /usr should look the same in the zone as in the GZ. If they are not present, it's a whole-root zone, and the zone has its own /usr which may include software not available in the GZ or in other zones.

> I took the default options when creating zones.

If that's true, it's a sparse-root zone, and anything in the GZ's /usr would be visible in the zone's /usr.

If a sparse-root zone can't see things in /usr that the GZ can, either another loopback mount is needed, or something is broken. It's hard to know without more information, such as:

Output of "zonecfg ... info"
Output of "mount" in both the GZ and the zone.

> -Arun
>
> Jeff Victor wrote:
>>
>> Is it a sparse-root zone or a whole-root zone? It should be visible in a sparse-root, but a whole-root zone has its own separate copy of /usr.
>>
>> On Mon, Feb 9, 2009 at 6:50 PM, Arun Gupta wrote:
>>>
>>> I installed GlassFish in global zone in /usr directory. However this directory does not seem to be visible in non global zone. Do I need to do something special to make it visible ?
>>>
>>> Bunch of other directories in /usr are visible.
>>>
>>> What am I missing ?
>>

--
--JeffV
Re: [zones-discuss] ip-type private won't work for me
Please provide the output of "ifconfig -a" and "netstat -rn" for each non-global zone.

On Mon, Feb 9, 2009 at 6:08 PM, Charles Meo wrote:
> Greetings all,
>
> I have been trying to set up a X2200 with a global zone on an internal LAN with bge0, and two zones for web servers each having a private IP address on the nge interfaces.
>
> While I was able to bring up both zones and ifconfig the interfaces, after that nothing worked. Couldn't ping in or out or do anything with them. No arp information was being gathered. The same interfaces configured directly into the global zone with the same IP numbers worked fine.
>
> I can't see what I've done wrong, can anyone see what the problem might be? I need this to work...
>
> Regards,
>
> Charles Meo
> Infrastructure Team Leader
> LTX Pty Ltd
> Phone: 03 8699 7900
> Mobile: 0409 258 471
> Email: charles@ltx.com.au
> Website: www.ltx.com.au
>
> zones-discuss-requ...@opensolaris.org wrote on 10/02/2009 06:53:37 AM:
>
>> zones-discuss Digest, Vol 46, Issue 5
>>
>> Today's Topics:
>>
>> 1. Re: Install zones, configure as DHCP client (Arun Gupta)
>> 2. Re: Install zones, configure as DHCP client (James Carlson)
>> 3. Re: Install zones, configure as DHCP client (Bill Walker)
>> 4. Re: Install zones, configure as DHCP client (Arun Gupta)
>> 5. Re: Install zones, configure as DHCP client (Arun Gupta)
>> 6. Re: Install zones, configure as DHCP client (Arun Gupta)
>> 7. Re: Install zones, configure as DHCP client (James Carlson)
>>
>> --
>>
>> Message: 1
>> Date: Mon, 09 Feb 2009 05:57:24 -0800
>> From: Arun Gupta
>> Subject: Re: [zones-discuss] Install zones, configure as DHCP client
>> To: James Carlson
>> Cc: Bill Walker , zones-discuss@opensolaris.org
>> Message-ID: <49903644.7000...@sun.com>
>> Content-Type: text/plain; format=flowed; charset=ISO-8859-1
>>
>> Hi James,
>>
>> Can you explain what is "exclusive stack instance" mean in this context ?
>>
>> Will creating zones in a Virtual Box image qualify as that ?
>>
>> -Arun
>>
>> James Carlson wrote:
>> > Bill Walker writes:
>> >> If you are really needing DHCP for some reason, I'll defer to others with more experience in those realms.
>> >
>> > The only supported way to do this today is to use exclusive stack instance zones ("set ip-type = exclusive"). It would be nice to have DHCP supported as an option for interface configuration via zoneadmd, and the DHCP client has the features necessary to make this work, but that feature hasn't been added to Zones.
>> >
>> > RFE 5005887 also covered this case, but it was closed out when the exclusive stack instance feature was integrated, and I don't think a new RFE was ever opened.
>> >
>>
>> --
>> Application Platform, Sun Microsystems, Inc.
>> Blog: http://blogs.sun.com/arungupta
>>
>> --
>>
>> Message: 2
>> Date: Mon, 9 Feb 2009 09:08:07 -0500
>> From: James Carlson
>> Subject: Re: [zones-discuss] Install zones, configure as DHCP client
>> To: Arun Gupta
>> Cc: Bill Walker , zones-discuss@opensolaris.org
>> Message-ID: <18832.14535.881075.382...@gargle.gargle.howl>
>> Content-Type: text/plain; charset=us-ascii
>>
Re: [zones-discuss] Making directories in /usr visible (from global zone) in non-global zone
Is it a sparse-root zone or a whole-root zone? It should be visible in a sparse-root, but a whole-root zone has its own separate copy of /usr.

On Mon, Feb 9, 2009 at 6:50 PM, Arun Gupta wrote:
> I installed GlassFish in global zone in /usr directory. However this directory does not seem to be visible in non global zone. Do I need to do something special to make it visible ?
>
> Bunch of other directories in /usr are visible.
>
> What am I missing ?

--
--JeffV
Re: [zones-discuss] Moving zones between different sparc architecture
On Thu, Feb 5, 2009 at 3:36 PM, pol.barthel...@sun.com wrote:
> Hello,
> It is supported to move zones from a sun4u to a sun4v or vice-versa ?

Full support is available for that, starting with S10 10/08 (aka U6).

--
--JeffV
[zones-discuss] Adding a NIC to running zones
A NIC can be added to a running shared-IP zone by using the ifconfig command with its zone parameter. Can an unplumbed NIC be added to a running exclusive-IP zone using the same method? (I don't have a system with enough NICs to test this.)

Thanks,
--JeffV
Re: [zones-discuss] Creating ZFS filesystems prior to zoneadm install
Hi Jason,

I frequently recommend creating a writable /usr/local under the read-only /usr to solve this problem. One simple method to do this is:

zonecfg -z myzone
add fs
set special=/mypool/zones/usr-local
set dir=/usr/local
set type=lofs
end
exit

Will that work for you?

--JeffV

On Thu, Jan 22, 2009 at 1:17 PM, Jason King wrote:
> Is there any way to create non-legacy, canmount=yes filesystems with set mountpoints for a zone prior to zoneadm install?
>
> I'm trying to do some zone creation automation, and one of the things is a per-zone, writable /usr/local (yes it's not 'standard' but then I can count on one hand the number of packages that properly install in /opt, so not even worth going there). The current solution I've been doing is something like this:
>
> zfs create pool/zones/
> chmod 700 pool
> zfs create -o mountpoint=none pool/zones/fs
>
> zonecfg -z zonename
> create
> ...
> ...
> add dataset
>    set name = rpool/zones/fs
> end
> ...
>
> zoneadm -z zonename install
>
> (tweak a few files under /zones//root prior to initial boot)
>
> zlogin -z zonename -C
>
>
> zfs create -o mountpoint=/usr/local rpool/zones//fs/local
> zfs create -o mountpoint=/export rpool/zones/ zfs create rpool/zones//fs/export/home
> ... and so on
>
> However, since some packages install into /usr/local (again it's something that has to be dealt with), it would be desirable to have /usr/local available during the zoneadm install process. But as far as I can tell, you cannot set the mountpoint property (without setting canmount to no or noauto) until the zone is running (and only then within the zone).
>
> Any ideas?

--
--JeffV
[zones-discuss] Privilege for sticky bit?
Why is the sys_config priv needed to set the sticky bit on a file or directory? This priv is not allowed in a zone, so a process in a zone can't set the sticky bit.

Thanks for pointers...

--JeffV
[zones-discuss] New Sun BluePrint on Solaris Zones
Hot off the press! Glenn Brunette and I wrote a Sun BluePrint that explains the security features of Solaris Zones/Containers:

http://wikis.sun.com/display/BluePrints/Understanding+the+Security+Capabilities+of+Solaris+Zones+Software

Contents

* Zone Root File System
* Process Containment
* Operating System Privileges
  o Default Privileges
  o Required Privileges
  o Prohibited Privileges
  o Optional Privileges
* Operating System Kernel Modules
* Operating System Devices
* Networking
  o Shared IP
  o Exclusive IP
* Operating System Files
* Operating System Security Configuration
* Resource Management
  o Memory Controls
    + Physical and Virtual Memory Capping
    + Shared Memory
    + Locked Memory
  o CPU Controls
    + Fair Share Scheduler
    + CPU Capping
    + Private Pool
    + Shared Pool
  o Miscellaneous Controls
* File Integrity Checks
* Security Auditing
* Solaris Trusted Extensions
* Summary

--
--JeffV
Re: [zones-discuss] Zone Bandwidth
Hi Jon,

With shared-IP zones the network statistics are not broken out per-zone. If you configure the zone as an exclusive-IP zone, it gets its own NICs, and the per-NIC counters will display what you want.

You didn't mention if your interest was in Solaris, OpenSolaris, or both. In the future, project Crossbow will provide virtual NICs (VNICs) which can be assigned per-zone, and IIRC the counters will all be broken out per-VNIC, again giving you what you want. But that's not even in OpenSolaris yet.

On Mon, Dec 8, 2008 at 9:34 PM, Jon Ringuette <[EMAIL PROTECTED]> wrote:
> Hello,
> Sorry if I am missing something obvious but is there a good way either via the Zone or Global Zone's SNMP to get the current bandwidth usage for a specific Zone or a command someone can think of that would give me this information? Currently it appears as though netstat -i in a zone is giving the same results as in the global?
> thank you,
> --
> Jon Ringuette

--
--JeffV
Re: [zones-discuss] Can't initialize ldapclient in non-global zones on snv_81
Hi Josh,

Given that no one has responded to this in 2 weeks, I think you'll need to place a call to Sun Support to get this resolved, if you haven't already.

On Tue, Nov 25, 2008 at 1:02 PM, Josh Rivel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have roughly 700 devices running OpenSolaris snv_81 with crossbow.
>
> I used Sun's ldapclient to initialize the box to use LDAP authentication
> against an OpenLDAP server with no problems.
>
> However, if I try to use ldapclient from any non-global zone (each box has 3
> additional zones on it) it totally locks up the machine and I have to reboot
> it.
>
> Here's a snippet from a non-global zone:
> bash-3.2# uname -a
> SunOS opensolaris-logging 5.11 net-virt_xb_21_snv_81_021308 i86pc i386 i86pc
>
> * I can ping the ldap server, and connect to it on port 389:
>
> bash-3.2# ping 10.x.x.208
> 10.x.x.208 is alive
> bash-3.2# telnet 10.x.x.208 389
> Trying 10.x.x.208...
> Connected to 10.x.x.208.
> Escape character is '^]'.
>
> * However, when I try and initialize the ldapclient, here's what happens:
>
> bash-3.2# /usr/sbin/ldapclient manual -v -a defaultsearchbase=dc=foo,dc=
> net -a domainname=foo.net 10.x.x.208
> Parsing defaultsearchbase=dc=foo,dc=net
> Parsing domainname=foo.net
> Arguments parsed:
>     defaultSearchBase: dc=foo,dc=net
>     domainName: foo.net
>     defaultServerList: 10.x.x.208
> Handling manual option
> Proxy DN: NULL
> Proxy password: NULL
> Authentication method: 0
> Authentication method: 0
> No proxyDN/proxyPassword required
> About to modify this machines configuration by writing the files
> Stopping network services
> sendmail not running
> nscd not running
> autofs not running
> ldap not running
> nisd not running
> nis(yp) not running
> file_backup: stat(/etc/nsswitch.conf)=0
> file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
> file_backup: stat(/etc/defaultdomain)=0
> file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
> file_backup: stat(/var/nis/NIS_COLD_START)=-1
> file_backup: No /var/nis/NIS_COLD_START file.
> file_backup: nis domain is "foo.net"
> file_backup: stat(/var/yp/binding/foo.net)=-1
> file_backup: No /var/yp/binding/foo.net directory.
> file_backup: stat(/var/ldap/ldap_client_file)=0
> file_backup: (/var/ldap/ldap_client_file ->
> /var/ldap/restore/ldap_client_file)
> file_backup: (/var/ldap/ldap_client_cred ->
> /var/ldap/restore/ldap_client_cred)
> Starting network services
> start: /usr/bin/domainname foo.net... success
> start: sleep 10 microseconds
> start: sleep 20 microseconds
> start: sleep 40 microseconds
> start: sleep 80 microseconds
> start: sleep 160 microseconds
> start: sleep 320 microseconds
> start: sleep 640 microseconds
> start: sleep 1280 microseconds
> start: sleep 2560 microseconds
> start: sleep 5120 microseconds
> start: sleep 1770 microseconds
> start: network/ldap/client:default... timed out
> start: network/ldap/client:default... offline to disable
> stop: sleep 10 microseconds
> stop: sleep 20 microseconds
> stop: sleep 40 microseconds
> stop: sleep 80 microseconds
> stop: sleep 160 microseconds
> stop: sleep 320 microseconds
> stop: sleep 640 microseconds
> stop: sleep 1280 microseconds
> stop: sleep 2560 microseconds
> stop: sleep 890 microseconds
> stop: network/ldap/client:default... timed out
> restart: sleep 10 microseconds
> restart: sleep 20 microseconds
> restart: milestone/name-services:default... success
> Error resetting system.
> Recovering old system settings.
> Stopping network services
> sendmail not running
> nscd not running
> autofs not running
> Stopping ldap
> stop: sleep 10 microseconds
> stop: sleep 20 microseconds
> stop: sleep 40 microseconds
> stop: sleep 80 microseconds
> stop: sleep 160 microseconds
> stop: sleep 320 microseconds
> stop: sleep 640 microseconds
> stop: sleep 1280 microseconds
> stop: sleep 2560 microseconds
> stop: sleep 890 microseconds
> stop: network/ldap/client:default... timed out
> Stopping ldap failed with (7)
> Error (1) while stopping services during reset
> recover: stat(/var/ldap/restore/defaultdomain)=0
> recover: open(/var/ldap/restore/defaultdomain)
> recover: read(/var/ldap/restore/defaultdomain)
> recover: old domainname "foo.net"
> recover: stat(/var/ldap/restore/ldap_client_file)=0
> recover: file_move(/var/ldap/restore/ldap_client_file,
> /var/ldap/ldap_client_file)=0
> recover: stat(/var/ldap/restore/ldap_client_cred)=0
> recover: file_move(/var/ldap/restore/ldap_client_cred,
> /var/ldap/ldap_client_cred)=0
> recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
> recover: stat(/var/ldap/restore/foo.net)=-1
> recover: stat(/var/ldap/restore/nsswitch.conf)=0
> recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
> recover: stat(/var/ldap/restore/defaultdomain)=0
> recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdo
Re: [zones-discuss] Java out of memory error in a zone
On Sun, Dec 7, 2008 at 11:15 AM, Ian Matchett <[EMAIL PROTECTED]> wrote:
> On Solaris 8/07 a customer is running in a zone but java 1.5 is getting out
> of memory error.

The fact that it's running in a zone is irrelevant unless the software is trying to modify the kernel, drivers, etc. This can be demonstrated by running it once in the global zone, or by solving the real problem.

> Top shows 32GB RAM and 5GB free.
>
> Even Java -version get this error.
> Can we run zonestat on Solaris 10?

Yes. It is open-source, unsupported software, but I have tested it on a couple versions of Solaris 10. If there is a problem, please report it here. Please use the latest version, 1.3.

> If not what commands inside a zone can we use to figure free RAM and swap.
> and free CPU cycles.
>
> What commands should we get the sysadmin run in the global zone to
> understand the system and zonecfg?

rcapstat -z shows the RAM cap currently in effect and how much is being used.

--
--JeffV
Re: [zones-discuss] Zones and network
Hi Elkhaoul,

Unless you have used a non-default configuration, zones can communicate with each other and with the global zone using IP addresses even if the network cable has been removed.

On Wed, Dec 3, 2008 at 11:27 AM, elkhaoul elkhaoul <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have multiple Zones within the same server, I'll disconnect the cable.
>
> Is The Network communication between zones (+server) still working ?
>
> Thanks for any help.
>
> Rgds

--
--JeffV
Re: [zones-discuss] Dynamically changing zone.cpu-shares has no effect
Hi Rainer, (see below)

On Tue, Nov 25, 2008 at 9:18 AM, Rainer Orth <[EMAIL PROTECTED]> wrote:
> I've recently tried to temporarily change zone.cpu-shares of the global
> zone on a Sun Fire X4200 M2 running Solaris 10 Update 5. Per default, both
> the global and the imap zone have 10 shares:
>
> global% zonecfg -z global info rctl
> rctl:
>     name: zone.cpu-shares
>     value: (priv=privileged,limit=10,action=none)
> global% zonecfg -z imap info rctl
> rctl:
>     name: zone.cpu-shares
>     value: (priv=privileged,limit=10,action=none)
>
> FSS is the default scheduler:
>
> global% dispadmin -d
> FSS (Fair Share)
>
> For a benchmark run, I wanted to temporarily increase the shares of the
> global zone. I tried both to increase global zone shares to 100 and
> reducing imap zone shares to 1:
>
> global# prctl -i zone -n zone.cpu-shares -r -v 100 global
> global# prctl -i zone -n zone.cpu-shares -r -v 1 imap
> global# prctl -i zone -n zone.cpu-shares global imap
> zone: 0: global
> NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
> zone.cpu-shares
>         privileged        100       -   none                 -
>         system          65.5K     max   none                 -
>
> zone: 4: imap
> NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
> zone.cpu-shares
>         privileged          1       -   none                 -
>         system          65.5K     max   none                 -
>
> Unfortunately, this had no effect, as can be seen with prstat -Z:
>
>    PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
>   2711 ro       6848K 6392K run      1    0 236:19:41  12% john/1
>   2710 ro       6848K 6384K cpu2     6    0 236:01:19  12% john/1
>   2707 ro       6976K 6512K run      1    0 235:53:41  12% john/1
>   2835 ro       6976K 6524K run      7    0 235:42:22  11% john/1
>   1981 root     4556K 4076K sleep   59    0   1:27:03 1.5% prstat/1
>   6539 root     2504K 2008K cpu3    59    0   0:00:00 0.0% prstat/1
>   6293 vmail      20M 5256K sleep   59    0   0:00:04 0.0% imap/1
>    429 root     5600K 3052K sleep   59    0   0:12:12 0.0% automountd/3
>   1356 100        16M   15M sleep   58    0   0:28:48 0.0% imap-login/1
>   1358 100        12M   11M sleep   49    0   0:12:59 0.0% imap-login/1
>   6459 vmail      42M 8220K sleep   57    0   0:00:02 0.0% imap/1
>   6201 vmail    3852K 3020K sleep   59    0   0:00:00 0.0% imap/1
>   6921 noaccess  323M  238M sleep   59    0   0:12:31 0.0% java/25
>   6284 vmail    3240K 2400K sleep   55    0   0:00:00 0.0% imap/1
>   1357 100        10M 9784K sleep   59    0   0:12:10 0.0% imap-login/1
> ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
>      0       64  784M  909M    11% 953:58:18  49% global
>      4      387  541M  349M   4.3%   1:11:04 0.1% imap
>
>
>
> Total: 451 processes, 731 lwps, load averages: 4.70, 4.70, 4.77
>
> There are four single-threaded processes in the global zone, each of which
> could consume a whole core (the box has 4 dual-core cpus), but still the
> global zone remains at ca. 50% cpu consumption.

Solaris sees this as an 8-CPU system. A single-threaded process can't consume more than 1/8th of the system - 12.5%. So far, everything is as it should be. Running a fifth copy of that program should result in five processes, each at 12% - for a total of 60%.

> Starting additional processes has no effect either, even if they run as root.
> I seem not to be
> able to exceed the old zone.cpu-shares value of 50.

Are you saying that you have tried to run more than 4 copies of that program, and together they use about 50%? For example, if you run 6 of them, they each get 8%?

Also, does "ps -ec" show that those 4 processes are in the FSS class?

> In addition to those zone.cpu-shares, per-project cpu shares are in effect
> for user ro, but not for root:
>
> global# getent project user.ro
> user.ro:2110project.cpu-shares=(privileged,1,none);project.max-lwps=(privileged,256,deny)
> global# getent project user.root
> user.root:1
>
> Nonetheless, inside the global zone, cpu consumption between root and ro is
> almost equal (as if root had one share as well).
>
> Is there any way to have the new zone.cpu-shares take effect without
> rebooting the machine? Given that this is also the department's IMAP
> server, I'd very much like to avoid this.
>
>         Rainer
>
> -
> Rainer Orth, Faculty of Technology, Bielefeld University

--
--JeffV
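The arithmetic in the reply above, as an added example that is not part of the original thread: a simplified model in which shares only divide CPU between zones that both want more than is available, and a single-threaded process can occupy at most one CPU. The weighted max-min split is an assumption standing in for the Solaris Fair Share Scheduler, and the thread counts are constructed from the prstat listing.

```python
"""Simplified model of share-based CPU allocation between zones.

Assumption: weighted max-min ("water-filling") fairness stands in for the
Solaris Fair Share Scheduler, which works on decayed usage rather than a
closed-form split. Thread counts below are constructed from the thread.
"""


def fss_allocation(ncpus, zones):
    """Return {zone: fraction of the whole machine} for CPU-bound demand.

    zones maps a zone name to (cpu_shares, cpu_bound_threads). One thread
    can occupy at most one CPU, so a zone's demand is capped by its thread
    count no matter how many shares it holds.
    """
    for name, (shares, threads) in zones.items():
        if shares <= 0 or threads < 0:
            raise ValueError(f"{name}: shares must be > 0 and threads >= 0")

    demand = {z: float(min(t, ncpus)) for z, (_, t) in zones.items()}
    alloc = {z: 0.0 for z in zones}
    active = {z for z in zones if demand[z] > 0}
    remaining = float(ncpus)

    while active and remaining > 1e-12:
        total = sum(zones[z][0] for z in active)
        # Each competing zone's share-proportional slice of what is left.
        slice_of = {z: remaining * zones[z][0] / total for z in active}
        # Zones that want no more than their slice are fully satisfied ...
        satisfied = {z for z in active if slice_of[z] >= demand[z]}
        if not satisfied:
            # ... otherwise everyone is share-limited: split by shares.
            for z in active:
                alloc[z] = slice_of[z]
            break
        for z in satisfied:
            alloc[z] = demand[z]
            remaining -= demand[z]
        active -= satisfied  # leftover CPU is re-divided among the rest

    return {z: alloc[z] / ncpus for z in zones}


def thread_scenarios():
    """The cases discussed in the thread, on the 8-CPU machine."""
    return {
        # Original shares 10:10, four CPU-bound processes, imap idle.
        "shares 10:10, 4 threads": fss_allocation(
            8, {"global": (10, 4), "imap": (10, 0)}),
        # After prctl: 100:1. Nothing competes, so nothing changes.
        "shares 100:1, 4 threads": fss_allocation(
            8, {"global": (100, 4), "imap": (1, 0)}),
        # A fifth copy of the program adds another 1/8th of the machine.
        "shares 100:1, 5 threads": fss_allocation(
            8, {"global": (100, 5), "imap": (1, 0)}),
        # Shares matter only under contention: both zones want all 8 CPUs.
        "shares 100:1, both saturated": fss_allocation(
            8, {"global": (100, 8), "imap": (1, 8)}),
    }


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(label, {z: f"{100 * f:.1f}%" for z, f in result.items()})
```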
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Mon, Nov 17, 2008 at 10:33 PM, Mike Gerdts <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 17, 2008 at 7:44 PM, Jeff Victor <[EMAIL PROTECTED]> wrote:
>> Hi Kevin,
>>
>> I believe that you cannot patch your way from U1 to U5 - i.e. that the
>> system is missing some functionality that would be there if you had
>> applied the updates - but your point is still valid. I will look into
>> the correctness of using patch levels to detect feature availability.
>
> Huh? There are very few features delivered in Solaris updates that
> aren't delivered via patches. So few that I can only think of one
> time where it has made a difference (postgres version different
> between updates). When really important features are released as new
> packages "genesis patches" are delivered to deliver the feature. This
> is how the U1 + patches system below has zfs on it even though zfs
> didn't come out until U2.

Hoping to summarize this sub-thread: A patch can only modify an existing package. An update can have new packages as well as patches to existing packages. In general, you can't patch your way to, or past, an update which has new packages. There have been times when an empty package was placed into an update in an attempt to make it possible to add functionality later simply by adding a patch.

"Proof by blog" is hardly sufficient, but http://blogs.sun.com/patch/entry/solaris_10_5_08_update provides an example:

"The Solaris 10 05/08 Patch Bundle contains the equivalent set of patches to the Solaris 10 05/08 (Update 5) release. The patch bundle does not include the new packages contained in the Solaris 10 05/08 (Update 5) release. Therefore, new features in Update 5 which depend upon new packages introduced in that release will not be available in the patch bundle."

Moving forward: That raises several questions: are new pkgs added often? (>400 were added after S10 3/05 so far.) Do those packages add new features? (I think that's a safe assumption, but I don't know of a mapping from feature to pkg.) Are any of those features used by zonestat.pl? (I don't know of any, so it's likely that you can patch your way from S10 FCS to "all of zonestat works" even though the system wouldn't have all of the features in U5.)

In any case, it became clear early in this thread that checking /etc/release was inadequate, and so the ToDo for v1.3 includes fixing this. Sample code - from this community - to check for each of the necessary features added during the life of S10 would be greatly appreciated... Rules and ideas for contributing code can be found at http://www.opensolaris.org/os/communities/participation/ .

> All of the functionality that this script cares about for this comes
> as part of the recommended patch set. Consider this system:
>
> # cat /etc/release
>     Solaris 10 1/06 s10s_u1wos_19a SPARC
>     Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
>     Use is subject to license terms.
>     Assembled 07 December 2005
>
> # uname -rv
> 5.10 Generic_127111-09
>
> That puts it somewhere in between U4 and U5 for kernel patches.
> Because the recommended bundle was used, it puts it somewhere in
> between for other aspects (e.g. libzonecfg, etc.) as well. Let's take
> a look at the checks that zonestat does for updates:
>
> 356 # For zones with RAM caps (U4+), get current values for RAM
> usage and Cap.
> 357 if ($update>3) {
> 358    open (RCAP, "/usr/bin/svcs -H rcap|");
>
> # svcs -H rcap
> disabled May_03 svc:/system/rcap:default
>
> Exists but disabled.
>
> 440 if ($update>4) {
> 441    open(PRCTL, "/bin/prctl -Pi zone -n zone.cpu-cap $z|");
> 442    while (<PRCTL>) {
>
> Not at update 5's kernel and related patch set yet, so I wouldn't
> expect that this would work. However, let's take a look at another
> system that was installed with update 4 but has update 5+ patches.
>
> # cat /etc/release
>     Solaris 10 8/07 s10s_u4wos_12b SPARC
>     Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
>     Use is subject to license terms.
>     Assembled 16 August 2007
>
> # uname -rv
> 5.10 Generic_137111-08
>
> # prctl -Pi zone -n zone.cpu-cap
> zone: 3:
> zone.cpu-cap system 4294967295 inf deny -
>
> --

--
--JeffV
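One way to detect the two features by probing for them instead of reading /etc/release, as an added example that is not part of the original thread and is not zonestat code. The commands are the ones quoted above; the function names, the injectable `run` callable, and the zone argument `global` are assumptions, and the sample outputs are constructed from the transcripts in the message.

```python
"""Probe for zone resource-control features instead of parsing /etc/release."""
import re
import subprocess

# Constructed samples, modelled on the transcripts quoted in the thread:
# a system installed from Update 4 media and later patched past Update 5.
RELEASE_SAMPLE = "    Solaris 10 8/07 s10s_u4wos_12b SPARC\n"
SVCS_SAMPLE = "disabled May_03 svc:/system/rcap:default\n"
PRCTL_SAMPLE = "zone: 0: global\nzone.cpu-cap system 4294967295 inf deny -\n"


def run_command(argv):
    """Run argv and return (exit_status, stdout); (127, '') if it cannot run."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return 127, ""
    return proc.returncode, proc.stdout


def update_from_release(text):
    """Update number as an /etc/release check sees it (0 if not found)."""
    match = re.search(r"_u(\d+)wos", text)
    return int(match.group(1)) if match else 0


def rcap_state(svcs_output):
    """SMF state of the rcap service, or None if the service is not present."""
    for line in svcs_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].startswith("svc:/system/rcap"):
            return fields[0]
    return None


def cpu_cap_supported(prctl_output):
    """True if prctl reported a zone.cpu-cap value line for the zone."""
    return any(line.split()[:1] == ["zone.cpu-cap"]
               for line in prctl_output.splitlines())


def probe_features(run=run_command, zone="global"):
    """Ask the running system which features exist, whatever media it was
    installed from. `run` is injectable so the logic can be tested offline."""
    _, svcs_out = run(["/usr/bin/svcs", "-H", "rcap"])
    _, prctl_out = run(["/bin/prctl", "-Pi", "zone", "-n", "zone.cpu-cap", zone])
    state = rcap_state(svcs_out)
    return {
        "rcap_installed": state is not None,  # "Exists but disabled" counts
        "rcap_enabled": state == "online",
        "cpu_cap": cpu_cap_supported(prctl_out),
    }


def sample_run(argv):
    """Stand-in for run_command that replays the constructed samples."""
    if argv[0].endswith("svcs"):
        return 0, SVCS_SAMPLE
    if argv[0].endswith("prctl"):
        return 0, PRCTL_SAMPLE
    return 127, ""


if __name__ == "__main__":
    update = update_from_release(RELEASE_SAMPLE)
    print("update per /etc/release:", update, "-> release check allows cpu-cap:", update > 4)
    print("probe result:", probe_features(run=sample_run))
```

On a system without either feature the probes return empty output and every flag is False, so a caller can skip those columns rather than guess from the release string.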
Re: [zones-discuss] Moving the zonepath (directory) to another file system
It should be possible to:

zoneadm -z move /zones/tmp/
zoneadm -z move /

That prevents a need to use zonecfg or doing unsupported things. Yes?

On Wed, Nov 19, 2008 at 3:03 PM, Christine Tran <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 19, 2008 at 2:16 PM, Amol Chiplunkar
> <[EMAIL PROTECTED]> wrote:
>
>> I would also look at zoneadm -z move
>> e.g. zoneadm -z /large-filesystempath/
>> Unless you are particular about '/zones' path, you don't even have to
>> remount it as /zones
>
> This is a unique problem. Turns out we're not the only one. We had
> to move the zonepath somewhere else, but the "somewhere else" needs to
> have the same mountpoint. It's the underlying devices that we want to
> change. Obviously, zoneadm move will move /oldzonepath to
> /newzonepath but how will I remount to /oldzonepath, I can't change
> zonepath with zonecfg. Eventually I had to manually edit the stuff in
> /etc/zones, not that I advocate anyone to do this, but it worked for
> us.
>
> CT

--
--JeffV
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
Hi Kevin,

I believe that you cannot patch your way from U1 to U5 - i.e. that the system is missing some functionality that would be there if you had applied the updates - but your point is still valid. I will look into the correctness of using patch levels to detect feature availability.

On Mon, Nov 17, 2008 at 6:09 PM, Young, Kevin <[EMAIL PROTECTED]> wrote:
> Jeff,
> I am wondering about the logic in how the script identifies specific
> versions. It appears that you are looking at /etc/release to define
> this. This seems to limit some features of your script because I have a
> Solaris 10 update 1 system that has been updated to 05/08 (update 5) but
> /etc/release still reflects update 1 (updated using 05/08 patch bundle).
>
> I am using CPU caps but your tool doesn't recognize that I have that
> feature available. Since these features really come from the kernel
> version, would that be a better way to identify release version in your
> script; Just a thought.
>
> In the meantime I tricked the script to think I am on update 5 and I am
> getting better results.
>
>
> -= Kevin =-
>
>
> -Original Message-
> From: Jeff Victor [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 10, 2008 9:01 AM
> To: Young, Kevin
> Cc: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Zone Statistics: monitoring resource use of
> zones
>
> On Mon, Nov 10, 2008 at 11:21 AM, Young, Kevin <[EMAIL PROTECTED]>
> wrote:
>> I am curious if you have plans to make it Solaris 10 compatible.
>
> I do all development on Solaris 10. The script makes an effort to
> distinguish between the different capabilities of the different
> Solaris 10 updates.
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Victor
>> Sent: Sunday, November 09, 2008 5:54 PM
>> To: zones-discuss@opensolaris.org
>> Subject: [zones-discuss] Zone Statistics: monitoring resource use of
> zones
>>
>> It has become clear that there is a need to monitor resource
>> consumption of workloads in zones, and an easy method to compare
>> consumption to resource controls. In order to understand how a
>> software tool could fulfill this need, I created an OpenSolaris
>> project and a prototype to get started. If this sounds interesting,
>> you can find the project and Perl script at:
>> http://opensolaris.org/os/project/zonestat/ .
>>
>> If you have any comments, or suggestions for improvement, please let
>> me know on this e-mail list or via private e-mail.

--
--JeffV
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Sun, Nov 16, 2008 at 10:58 PM, Mike Gerdts <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 16, 2008 at 7:40 PM, Jeff Victor <[EMAIL PROTECTED]> wrote:
>> To me, the clearest example would be a kstat, per zone, which provides
>> the total amount of CPU time for all of the processes in each zone,
>> since the zone booted. This would enable tools like zonestat to
>> request the datum occasionally, in order to determine CPU time per
>> quantum of elapsed time.
>
> zonestat shouldn't be needed to give this information.

Of course. I guess I wasn't clear. I was trying to say "the clearest example of a kstat that is needed is a kstat, per zone... That kstat could then be used by many *stat tools, including zonestat, prstat, etc."

> Per zone, project, and user data should be available that allows prstat to
> display this information. When I use prstat -mz or prstat -ma, I
> would expect the collected microstate accounting data would be used to
> populate the display. Other fine points about this include:
>
> - Currently prstat shows time decayed summaries in the bottom panel, even
> when microstate data is displayed at the top. Time decayed data
> is confusing, particularly when trying to correlate application events that
> last just several seconds to CPU consumption.

Not only is it confusing, it can be very wrong, e.g. if there are many short-lived processes that come and go between the snapshots that prstat takes. That's why a kstat like the one described above is needed.

--JeffV
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
Peter,

Your statements are exactly the reason(s) I wrote this prototype. Solaris engineering is researching this topic, and is listening as we type... :-) They are very interested in feedback generated by the use of this prototype. Any specific ideas you have regarding kstats you think we need, would be welcomed on this alias.

To me, the clearest example would be a kstat, per zone, which provides the total amount of CPU time for all of the processes in each zone, since the zone booted. This would enable tools like zonestat to request the datum occasionally, in order to determine CPU time per quantum of elapsed time.

Look for v1.3 of zonestat later this week. It uses the Perl kstats module and improves the correctness of zone -> pool mappings. Each of these also reduces the amount of CPU time needed to collect the data it reports.

On Fri, Nov 14, 2008 at 3:21 PM, Peter Tribble <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 10, 2008 at 1:54 AM, Jeff Victor <[EMAIL PROTECTED]> wrote:
>> It has become clear that there is a need to monitor resource consumption of
>> workloads in zones, and an easy method to compare
>> consumption to resource controls. In order to understand how a software tool
>> could fulfill this need, I created an OpenSolaris
>> project and a prototype to get started. If this sounds interesting, you can
>> find the project and Perl script at:
>> http://opensolaris.org/os/project/zonestat/ .
>>
>> If you have any comments, or suggestions for improvement, please let me know
>> on this e-mail list or via private e-mail.
>
> That reminds me of a blog entry from a year ago:
>
> http://blogs.sun.com/menno/entry/resource_control_observability_using_kstats
>
> Just looking at zonestat.pl, it perpetrates many of the horrors I'm used to
> seeing. That's not a criticism, just additional evidence that we desperately
> need better interfaces to make getting some of this information easy. There
> are - I think - 11 different binaries you invoke to get the various
> bits of information
> you need. While some of them could be replaced by inline calls to the Kstat
> module, others clearly can't. Yet some of the information could just be stored
> in kstats, which would make getting at it much easier.
>
> I think what I'm saying is this: what can zonestat tell us about what
> additional
> kstats should be kept, and what additional APIs would be useful to make
> writing
> such utilities easier?

--
--JeffV
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Mon, Nov 10, 2008 at 11:21 AM, Young, Kevin <[EMAIL PROTECTED]> wrote:
> I am curious if you have plans to make it Solaris 10 compatible.

I do all development on Solaris 10. The script makes an effort to distinguish between the different capabilities of the different Solaris 10 updates.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Victor
> Sent: Sunday, November 09, 2008 5:54 PM
> To: zones-discuss@opensolaris.org
> Subject: [zones-discuss] Zone Statistics: monitoring resource use of zones
>
> It has become clear that there is a need to monitor resource
> consumption of workloads in zones, and an easy method to compare
> consumption to resource controls. In order to understand how a
> software tool could fulfill this need, I created an OpenSolaris
> project and a prototype to get started. If this sounds interesting,
> you can find the project and Perl script at:
> http://opensolaris.org/os/project/zonestat/ .
>
> If you have any comments, or suggestions for improvement, please let
> me know on this e-mail list or via private e-mail.

--
--JeffV
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Mon, Nov 10, 2008 at 12:30 AM, Mike Gerdts <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 9, 2008 at 7:54 PM, Jeff Victor <[EMAIL PROTECTED]> wrote:
>>
>>
>> If you have any comments, or suggestions for improvement, please let
>> me know on this e-mail list or via private e-mail.
>
> I've had such needs for a while and have developed some tools to help my
> organization with that.
> Unfortunately, I'm not able to share that code. I am able to share
> suggestions...
>
> I am in a habit of:
>
> #! /usr/bin/perl -w
>
> use strict;

Yes, those generated warnings when I had used them earlier. I wanted to get the code "out the door" and took a couple of shortcuts to do that. I will address the warnings soon and put those checks back in place.

> That catches a lot of mistakes that may be masked by:
>
> close STDERR;
>
> which I never do. :)

:-) Another of the short cuts. I hope to remove those short cuts in v1.3, which should be done this week.

> Please do not use /etc/release as a test of kernel functionality.
> Those that patch to an equivalent level as the update release have a
> similar level of functionality. A better mechanism would be to check
> for specific kernel patches.

Great idea, I'll look into it.

> # Get amount and cap of memory locked by processes in each zone.
> # "kstat -p caps:*:lockedmem_zone_*" conveniently summarizes all zones for us.
> #
> open(KSTAT, "/usr/bin/kstat -p caps:*:lockedmem_zone_* |");
> while (<KSTAT>) {
>
> You could just use Sun::Solaris::Kstat rather than forking another perl
> script.

Yup, that was in the ToDo list: convert all uses of /usr/bin/kstat to uses of the Kstat module. I might sneak that into v1.3 along with significant improvements in identifying zone->project mappings.

> My feeling on capped memory is that if it becomes an issue and capped
> swap is not really close to capped memory, the over-consumptive zone
> has too high of a chance of causing horrible I/O problems for all
> zones. That is, the cap is likely to do more harm than good. This
> may change if swap can go onto solid state disk. I only mention this,
> because I don't see a purpose in capping RSS, rather I cap swap.

For "fast leaks" and DoS attacks, I agree. The RAM cap helps with slow leaks and temporary overconsumption of RAM.

> FWIW, I tend to use the term "reserved memory" instead of "swap"
> because that is less confusing to most people.

That's a useful perspective. If you choose the swap cap - which is really a VM cap - so that the sum of the swap caps is less than RAM, you have effectively implemented 'reserved memory.' (I'm ignoring RAM usage of the global zone, which shouldn't be ignored in practice.)

But you must be careful: nothing prevents you from 'over-reserving' memory. If you have 'reserved' all of system memory in this way, and add a new zone with its own 'reserve,' you will have over-subscribed memory. That might be a good thing, as long as no one is surprised if the system starts paging.

However, the entire concept of reserved memory limits the scalability of the system. Imagine 4 zones with swap caps of 4GB, on a system with 16GB of RAM. (Again, I'm ignoring the GZ.) Unless you allow yourself to over-subscribe RAM, you can't add more zones, even if those 4 zones are only using 1GB each during normal conditions.

Balance is needed. When paging must be avoided at all costs, 'reserving' memory by setting proper swap-caps makes a great deal of sense. When paging is unlikely because the workload is well understood, and a small amount of paging would not be horrible, and zone 'density' is important, reserving memory would not make sense. Many situations would call for memory 'reservations' on some zones, and RAM caps on others.

> For CPU related stats, take a look at a discussion I started a while back:
>
> http://mail.opensolaris.org/pipermail/perf-discuss/2005-November/002048.html

Cool. Also, Jim Fiori had a simple idea for counting CPU time per zone with almost no perf impact: use DTrace to implement a probe which fires every M microseconds, and increments a per-zone counter. But that's a short-term solution. We need a per-zone counter in the kernel that tallies CPU time per zone.

> One project I would like to kick off sometime is doing per user, per
> project, and per zone microstate accounting.

Excellent idea. I'll watch for it! :-)

> I didn't have a chance to check logic closely or run it on a test
> system. I'll offer more feedback if needed when I get a chance to
> test it. It is a great start and I can't wait to see it progress.

Thanks!

--
--JeffV
Re: [zones-discuss] ipfilter (ipf.conf) entries in zonecfg?
On Fri, Nov 7, 2008 at 12:13 PM, Tommy McNeely <[EMAIL PROTECTED]> wrote:
> Hello Zones experts,
>
> We are attempting to create a new data center architecture that favors
> virtualization with zones. Previously, if we wanted to have zones from
> different security contexts (front-end, back-end, internet, etc), they
> had to be in different physical machines (or LDOMS). Now that we have
> the ability (ok, as of s10u4, but we have been busy) to use ipfilter
> between zones on the same host, we believe there may be enough
> separation to have zones in different security contexts on the same
> global-zone.
>
> I would like to get people's feedback on what they would think of
> creating the ability to have ipfilter rules, that would normally be
> located in ipf.conf in the global zone, inside the zonecfg. When the
> zone is brought "online" it could pipe the rules into "ipf -f -" or
> something. I am thinking the zonecfg seems like a good place to store
> them because when I want to "move" a zone from one machine to another,
> I would prefer the firewall came along with the zone.
>
> We have discussed using vnic interfaces (crossbow?), but I don't
> believe that's integrated yet? Besides, we don't really trust the
> application administrator (zone administrator) with the firewall, so
> we'd like to keep its configuration in the global zone, which I assume
> would still work even with vnic's.
>
> QUESTION: If we put the firewall (ipf.conf) inside the zone and use a
> private IP instance, can they can put a "pass out quick on vnic0 keep
> state" and they have the ability to connect to any other zone on the
> same machine? I know that rule in the global zone makes it that way,
> but maybe ip stack instances fix that?

Crossbow is not a feature in S10. You mentioned the use of S10U4 above. In that context, the simple answer to your question is "no, because VNICs don't exist."

--JeffV
[zones-discuss] Zone Statistics: monitoring resource use of zones
It has become clear that there is a need to monitor resource consumption of workloads in zones, and an easy method to compare consumption to resource controls. In order to understand how a software tool could fulfill this need, I created an OpenSolaris project and a prototype to get started. If this sounds interesting, you can find the project and Perl script at: http://opensolaris.org/os/project/zonestat/ .

If you have any comments, or suggestions for improvement, please let me know on this e-mail list or via private e-mail.

--JeffV
Re: [zones-discuss] Questions regarding Solaris containers
On Wed, Oct 22, 2008 at 8:04 PM, Tamer Embaby <[EMAIL PROTECTED]> wrote:
> Steffen Weiberle wrote:
>>> 5. Can somebody clarify me whether ZFS is supported for containers?
>>> Since ZFS has the concept of creating pool of devices first and on top
>>> of that file systems can be created. I would like to know what kind of
>>> support is there today for ZFS for Solaris containers?
>>>
>> This is evolving. You can delegate a ZFS file system into a zone. With
>> the upcoming S10 10/08, the zone path is fully supported on ZFS. A
>> future is to have a zone clone automatically do a ZFS clone--this is
>> already in Solaris Nevada/SXCE.
>>
> Can you please clarify what is the problem of having zonepath on ZFS on
> S10 prior to 10/08?

You can't apply a Solaris update to a zoned system, prior to 10/08. The software that applies updates doesn't understand ZFS, and can't figure out how to make the zones accessible.

The exception is non-native zones (including Solaris 8 Containers), which are never updated by the Solaris 10 updater software.

> I already have 2 servers running S10 5/08, each running multiple zones,
> some of these are having their "zonepath" on ZFS, and so far I never got any
> issues. Even some
> of these zones are branded Solaris 8 zones.

--JeffV
Re: [zones-discuss] zoneroot on nfs?
On Tue, Oct 21, 2008 at 4:17 PM, Ben Rockwood <[EMAIL PROTECTED]> wrote:
> Jason King wrote:
>> I haven't found any documentation (yet, still looking), that says
>> anything either way, but I'm wondering to facilitate zone migration if
>> you can place a zone root on an NFS filesystem? Obviously would only
>> be mounted on 1 server at any given time, but outside of that, just
>> wondering if it should work, or if I should look at SAN/iscsi luns if
>> I want to be able to move it around.
>
> It should work but it's not recommended because NFS caching sucks
> ass. The synchronous nature of NFS means that it's gonna be much slower
> than it should be. iSCSI/SAN may have performance issues over local
> disk as well, but at least you still have a local filesystem cache.

NFS/iSCSI/SAN performance should be better than local disk if the remote storage device has a non-disk frontend, e.g. cache RAM, SSD, etc.

>
> benr.

--
--JeffV
Re: [zones-discuss] Running Oracle Database inside Solaris 8/9 Container Using Sun Cluster
On Mon, Oct 20, 2008 at 1:19 PM, Eric Li <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> Our customers like to run existing Oracle database inside Solaris 8/9
> container using Sun Cluster. Please kindly advise if
> - Is this configuration certified by Oracle?

You should ask Oracle. They will want to know what Oracle software and version you are using. In my experience, the version of Oracle DB running on the S8 system was so old that Oracle didn't support it on any platform.

> - Will it be supported by Oracle?
> - Will Sun Cluster support this? (Sun Cluster 3.2 02/08?)

Sun Cluster supports S8C's and S9C's.

> - Any references?
>
> Thank you in advance for your help.

--JeffV
Re: [zones-discuss] Questions regarding Solaris containers
On Mon, Oct 20, 2008 at 9:29 PM, Challa, Narsimha Reddy (STSD-HYD) <[EMAIL PROTECTED]> wrote:
> 7. Can we get CPU and Memory utilization statistics used by a specific
> container (either from within the container or from global zone)?

"prstat -Z" may provide the data you want to see.

--JeffV
Re: [zones-discuss] Confirming Zone running Container
Although it's a feature, if you need this functionality, the global zone can store its name in a file which the Container can read.

On Thu, Oct 2, 2008 at 3:05 PM, Nicolas Dorfsman <[EMAIL PROTECTED]> wrote:
> On Oct 2, 2008, at 21:00, Bruce, Phillip wrote:
>
> If you're logged into a container, how can you verify the name of the global
> zone running the container?
>
> You can't !
> And this is a feature not a bug.
> Nicolas

--JeffV
Re: [zones-discuss] [sysadmin-discuss] Patch Strategy
Nicolas Dorfsman wrote:
> Hi all,
>
>
> My English should not good enough to make you understand.
>
> STOP please to write zonepath on ZFS is supported. Every time you say
> that, the next sentence is to say "but with limitations, blabla".
>

We try to provide all of the relevant information that people need to make educated decisions. In this case, some people read the details, and chose to use zones on ZFS in Solaris 10 because they do not plan to upgrade the system. Other people read the information and chose to wait until upgrading works correctly.

It seems to me that you do not want to use zones on ZFS. That seems to be a good choice for you.

> How many customer made the error to use ZFS as zonepath, and few
> months later got a "no way" when asking how to patch or upgrade ?
>

If they read and understood the details, using zones on ZFS was not an error.

--JeffV
Re: [zones-discuss] [sysadmin-discuss] [Fwd: [Fwd: Patch Strategy]]
Adding zones-discuss.

Mike Gerdts wrote:
> On Mon, Sep 22, 2008 at 4:57 AM, <[EMAIL PROTECTED]> wrote:
>
>> While U6 has many significant enhancements, most notably ZFS Root/Boot, it
>> is likely that Zones on ZFS will only be fully supported in U7.
>>
>
> This is really quite surprising and disappointing since there seems to
> have been a rather steady stream of messages over the past 6 to
> (almost) 12 months saying that the various problems around patching
> have been solved. What's missing? Upgrade? Since I don't use
> upgrade I have been holding off mainly because patching has had so
> many issues in S10 that I didn't have a lot of confidence that it
> wouldn't be broken again just to have Sun say "you know, zones on ZFS
> are not supported."
>
> I know this isn't the right place to gripe about S10 (I'll do it there
> too) but we could really use a clear statement on Sunsolve that
> states:
>
> 1) What functionality, if any, Sun will commit to supporting with
> regards to zones on ZFS.
> 2) What specific limitations are known.
>
[zones-discuss] Sybase 12.5.1 in Solaris 8 Container, raw?
I have heard that Sybase runs in a Solaris 8 Container. Can anyone provide details on versions of Sybase that have been run in a Solaris 8 Container, and whether Sybase can run in an S8C and use raw devices?

Thanks,
--JeffV
Re: [zones-discuss] vxfs "setting=value" style mount options
On Wed, Sep 10, 2008 at 8:58 AM, Jerry Jelinek <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>> On Wed, Sep 10, 2008 at 12:55:53PM +0100, Lewis Thompson wrote:
>>> On Tue, 2008-09-09 at 09:04 -0400, Jeff Victor wrote:
>>>> The zonecfg man page has an example of the use of fs options:
>>>>
>>>>    zonecfg:myzone3> add fs
>>>>    zonecfg:myzone3:fs> set dir=/usr/local
>>>>    zonecfg:myzone3:fs> set special=/opt/local
>>>>    zonecfg:myzone3:fs> set type=lofs
>>>>    zonecfg:myzone3:fs> add options [ro,nodevices]
>>>>    zonecfg:myzone3:fs> end
>>>>
>>>> Have you attempted to specify the options using that syntax?
>>> Hi Jeff and Jerry
>>>
>>> Thank you, I was indeed using the wrong syntax and have added the
>>> options successfully now
>>>
>>> Thanks for fast response
>>
>> Could we please discuss why fs options specified in zone configuration are
>> better than just /etc/vfstab ?
>
> Using fs causes the mount to be managed/controlled by the global zone admin.
> Zones itself does the mount based on how the zone is configured.
>
> Using the zone's vfstab means you have to give device access to the zone,
> which also means that the zone has the ability to construct a bad file
> system on the device and panic the machine, so this is inherently less
> secure than using fs.
>
> However, sometimes you want to give device access to the zone, so both
> techniques are available, but it is generally preferred to use fs, since
> it is more constrained and secure than adding a device to the zone.

Also, there is one situation - not part of the original request - where the use of /etc/vfstab is not only preferable, it's required: NFS mounts. If a zone needs to mount an NFS share from a different system, the zone's administrator must perform the mount, either manually - from within the zone - or automatically, in the zone's /etc/vfstab.

--JeffV
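Added example, not part of the thread: a shell audit of `zonecfg -z <zone> export` text that separates `fs` resources (mounted by the global zone) from `device` resources (device nodes handed to the zone), the distinction Jerry Jelinek draws above. The export text, zone and device paths are constructed using the resource syntax quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify how storage reaches a zone.
# SAMPLE_EXPORT is constructed; on a real system feed the functions with
#   zonecfg -z <zone> export
SAMPLE_EXPORT='create -b
set zonepath=/zones/myzone3
add fs
set dir=/usr/local
set special=/opt/local
set type=lofs
add options [ro,nodevices]
end
add fs
set dir=/data
set special=/dev/dsk/c1t0d0s0
set raw=/dev/rdsk/c1t0d0s0
set type=ufs
end
add device
set match=/dev/dsk/c1t1d0s*
end
add net
set address=192.0.2.10
set physical=e1000g0
end'

# audit_zone_storage: export text on stdin, one finding per line on stdout:
#   FS <dir> <type> <options>   mount performed by the global zone
#   DEVICE <match>              device node visible inside the zone
audit_zone_storage() {
    awk '
        # Entering a top-level resource (fs, device, net, ...).
        $1 == "add" && res == "" {
            res = $2; dir = type = dev = ""; opts = "-"; next
        }
        # Mount options of an fs resource; repeated lines accumulate.
        res == "fs" && $1 == "add" && $2 == "options" {
            opts = (opts == "-") ? $3 : (opts "," $3); next
        }
        # Properties are "set key=value"; split on the first "=" only.
        $1 == "set" && res != "" {
            eq = index($2, "=")
            key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
            if (key == "dir") dir = val
            else if (key == "type") type = val
            else if (key == "match") dev = val
            next
        }
        $1 == "end" {
            if (res == "fs") print "FS", dir, type, opts
            else if (res == "device") print "DEVICE", dev
            res = ""
        }'
}

# zone_has_device_access: exit status 0 if the export delegates any device.
zone_has_device_access() {
    audit_zone_storage | grep -q '^DEVICE '
}

printf '%s\n' "$SAMPLE_EXPORT" | audit_zone_storage
```

Each DEVICE line is a place where the zone, not the global zone administrator, controls what file system ends up on the device; the /data entry shows the same kind of disk slice presented through `fs` instead.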
Re: [zones-discuss] vxfs "setting=value" style mount options
Hi Lewis,

On Tue, Sep 9, 2008 at 6:03 AM, Lewis Thompson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a simple zone configured to test the VxFS 'convosync=direct'
> option. It's an s10u5 machine with no additional patches:
>
>    zonecfg:lt203398:fs> info
>    fs:
>        dir: /foo
>        special: /dev/lofi/1
>        raw: /dev/rlofi/1
>        type: vxfs
>        options: [rw]
>
> So far so good, but when I try and add a VxFS-style 'setting=value'
> option, zonecfg fails:
>
>    zonecfg:lt203398:fs> set options=[convosync=direct]
>    syntax error at '='

The zonecfg man page has an example of the use of fs options:

    zonecfg:myzone3> add fs
    zonecfg:myzone3:fs> set dir=/usr/local
    zonecfg:myzone3:fs> set special=/opt/local
    zonecfg:myzone3:fs> set type=lofs
    zonecfg:myzone3:fs> add options [ro,nodevices]
    zonecfg:myzone3:fs> end

Have you attempted to specify the options using that syntax?

> From mount_vxfs man page:
>
>    convosync=direct|dsync|unbuffered|closesync|delay
>
> So my question is: do we support these vxfs options when setting up
> filesystem definitions? If I manually edit the zone definition file to
> add the convosync=direct option then a zoneadm boot fails with fsck exit
> status 32...
>
> Many thanks,
>
> Lewis

--JeffV
Re: [zones-discuss] Zones CPU resource management
See http://tinyurl.com/5jwe3l , but here's the brief version:

Basic, which can be modified by the owner of the calling process
Privileged, which can be modified only by privileged (superuser) callers
System, which is fixed for the duration of the operating system instance

On Tue, Sep 2, 2008 at 8:01 PM, Vincent Boisard <[EMAIL PROTECTED]> wrote:
> Thanks for your help,
>
> Comments below ...
>
> On 9/2/08, Jeff Victor <[EMAIL PROTECTED]> wrote:
>>
>> Hello Vincent,
>>
>> From your message, it appears that you do not need to use capped-cpu.
>> However, if you find that you have a need to use both, it will work,
>> although there is potential to confuse Solaris and/or yourself. For
>> example, what happens if you set cpu-shares so that a zone must get at
>> least 25% of 4 cores, but capped-cpu=0.5? Further, setting a CPU cap
>> can prevent a zone from using CPU cycles that are otherwise unused.
>> Why waste your expensive CPU?
>>
>> You do want to ensure that each zone gets enough processing cycles to
>> accomplish its tasks. This can be achieved with cpu-shares. You might
>> start by setting cpu-shares to 100 for the global zone, and 10 for
>> each of the non-global zones. If you find that the system is
>> frequently experiencing CPU contention, and one zone isn't getting
>> enough CPU time, just increase that zone's share quantity.
>>
>> You might want to give the VOIP zone 50 shares instead of 10 because
>> of the sensitivity to computational latency. Is the VOIP software
>> multi-threaded? If not, then it will never use more than 25-30% of the
>> CPU power of the system in any situation.
>
> How long does the system take to adjust when there is a contention? Is it
> noticeable ?
> However, I will follow your advice and experiment ...
>
>> It is important that the global zone gets all it needs. Otherwise you
>> may interfere with proper operation of key infrastructure components
>> like the paging daemon.
>
> I have noticed that prctl show 2 types for the cpu-shares: privileged (the
> one we set) and system (always max value ie 65K). What's the difference ?
>
>> Also, docs.sun.com says:
>> "The capped-cpu resource and the dedicated-cpu resource are
>> incompatible. The cpu-shares rctl and the dedicated-cpu resource are
>> incompatible."
>
> thanks again for your help,
>
> Vincent
>
>
>> On Tue, Sep 2, 2008 at 1:38 PM, Vincent Boisard <[EMAIL PROTECTED]>
>> wrote:
>> > hello,
>> >
>> > I am currently setting up a home server. It will be my main storage server,
>> > but I will also be consolidating other applications on it (voip server,
>> > video streaming, app server, ...)
>> > I plan to use a Quad-core processor (namely the Q6600) with 8GB of RAM.
>> >
>> > I have been reading all the docs I can find about resource management but
>> > there are still some areas unclear to me:
>> >
>> > - Can capped-cpu and cpu-share be used at the same time: If there is no
>> > contention Z1 use only 3 cpu and Z2 3 cpus max, but if there is contention
>> > have 75/25% sharing?
>> >
>> > - What is ZFS cpu usage ? (How much cpu should I reserve for the global
>> > zone ?)
>> >
>> > More specifically, my setup would be something like:
>> >
>> > Global zone: ZFS storage, NFS and Samba servers
>> > VOIP Zone: SIP PBX : should always have enough processing
>> > power to handle a few calls (home setup)
>> > download zone: handles all downloads (torrent /http). Low priority.
>> > Video streaming zone : use VLC to stream videos on the network (maybe later
>> > some VOD).
>> > Video encoding zone : should use all available cpus but low priority
>> > Database Zone: MySQL and/or Postgresql
>> > App Server Zone: SAMP stack and/or Glassfish
>> >
>> > I do not expect high load on these zones (this is not a business production
>> > server, mainly a development environment and home application with few
>> > concurrent calls).
>> >
>> > I am a bit at a loss on how to implement this.
>> > Is FSS and cpu-shares enough ?
>> > Should I use resource pools ? dynamic resource pools ?
>> >

--JeffV
Re: [zones-discuss] Zones CPU resource management
Hello Vincent,

From your message, it appears that you do not need to use capped-cpu. However, if you find that you have a need to use both, it will work, although there is potential to confuse Solaris and/or yourself. For example, what happens if you set cpu-shares so that a zone must get at least 25% of 4 cores, but capped-cpu=0.5? Further, setting a CPU cap can prevent a zone from using CPU cycles that are otherwise unused. Why waste your expensive CPU?

You do want to ensure that each zone gets enough processing cycles to accomplish its tasks. This can be achieved with cpu-shares. You might start by setting cpu-shares to 100 for the global zone, and 10 for each of the non-global zones. If you find that the system is frequently experiencing CPU contention, and one zone isn't getting enough CPU time, just increase that zone's share quantity.

You might want to give the VOIP zone 50 shares instead of 10 because of the sensitivity to computational latency. Is the VOIP software multi-threaded? If not, then it will never use more than 25-30% of the CPU power of the system in any situation.

It is important that the global zone gets all it needs. Otherwise you may interfere with proper operation of key infrastructure components like the paging daemon.

Also, docs.sun.com says:
"The capped-cpu resource and the dedicated-cpu resource are incompatible. The cpu-shares rctl and the dedicated-cpu resource are incompatible."

On Tue, Sep 2, 2008 at 1:38 PM, Vincent Boisard <[EMAIL PROTECTED]> wrote:
> hello,
>
> I am currently setting up a home server. It will be my main storage server,
> but I will also be consolidating other applications on it (voip server,
> video streaming, app server, ...)
> I plan to use a Quad-core processor (namely the Q6600) with 8GB of RAM.
>
> I have been reading all the docs I can find about resource management but
> there are still some areas unclear to me:
>
> - Can capped-cpu and cpu-share be used at the same time: If there is no
> contention Z1 use only 3 cpu and Z2 3 cpus max, but if there is contention
> have 75/25% sharing?
>
> - What is ZFS cpu usage ? (How much cpu should I reserve for the global zone
> ?)
>
> More specifically, my setup would be something like:
>
> Global zone: ZFS storage, NFS and Samba servers
> VOIP Zone: SIP PBX : should always have enough processing
> power to handle a few calls (home setup)
> download zone: handles all downloads (torrent /http). Low priority.
> Video streaming zone : use VLC to stream videos on the network (maybe later
> some VOD).
> Video encoding zone : should use all available cpus but low priority
> Database Zone: MySQL and/or Postgresql
> App Server Zone: SAMP stack and/or Glassfish
>
> I do not expect high load on these zones (this is not a business production
> server, mainly a development environment and home application with few
> concurrent calls).
>
> I am a bit at a loss on how to implement this.
> Is FSS and cpu-shares enough ?
> Should I use resource pools ? dynamic resource pools ?
>
> Thanks for your help,
>
> Vincent

--JeffV
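Added example, not part of the thread: the share arithmetic behind the advice above, for the case where every zone is competing for CPU at once. It uses the numbers from the message (4 cores, 100 shares for the global zone, 50 for VOIP, 10 for each other zone, a 0.5 CPU cap on VOIP); the zone names, table format and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: under the Fair Share Scheduler a busy zone is entitled to
#   shares / (sum of shares of all busy zones)
# of the CPUs. A capped-cpu value below that entitlement means the share
# setting can never be honoured for that zone.

NCPUS=4
# Constructed table: <zone> <cpu-shares> <capped-cpu or "-" for no cap>
ZONE_TABLE='global 100 -
voip 50 0.5
download 10 -
streaming 10 -
encoding 10 -
database 10 -
appserver 10 -'

# fss_entitlements NCPUS: table on stdin, one line per zone on stdout:
#   <zone> <share %> <CPUs under full contention> <cap> <status>
fss_entitlements() {
    awk -v ncpus="$1" '
        NF >= 2 {
            n++; zone[n] = $1; shares[n] = $2
            cap[n] = (NF >= 3) ? $3 : "-"
            total += $2
        }
        END {
            for (i = 1; i <= n; i++) {
                cpus = shares[i] / total * ncpus
                status = "ok"
                # A cap lower than the share entitlement wins over the shares.
                if (cap[i] != "-" && cap[i] + 0 < cpus)
                    status = "cap-below-share"
                printf "%s %.1f%% %.2f %s %s\n",
                    zone[i], 100 * shares[i] / total, cpus, cap[i], status
            }
        }'
}

# zones_capped_below_share NCPUS: names of zones whose cap defeats their shares.
zones_capped_below_share() {
    fss_entitlements "$1" | awk '$5 == "cap-below-share" { print $1 }'
}

printf '%s\n' "$ZONE_TABLE" | fss_entitlements "$NCPUS"
```

With these values the VOIP zone's 50 of 200 shares is the "25% of 4 cores" case from the message: one full CPU under contention, which a capped-cpu of 0.5 cuts in half.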
Re: [zones-discuss] rcapd
Hi Syed,

I would not be surprised to find that rcapd is behaving correctly on your system. All of the containers in one Solaris instance share one Solaris paging system and one set of swap devices. When rcapd is paging the memory pages of one container out to the swap device, other workloads sharing that disk will take longer to write to that disk.

This is similar to other virtualized solutions (e.g. hypervisors) that have similar constraints, similar workloads and are sharing one internal disk for swap space.

If your other containers are not paging at all, you can reduce this effect by configuring your swap space on its own disk drive. The "disk-write" transactions from those other containers will then *not* wait for paging activity of the container with a RAM cap that is too low.

Do you know why that one container is using up more memory than the cap? Is the cap too low, or the application behaving badly?

On Mon, Sep 1, 2008 at 7:55 AM, syed <[EMAIL PROTECTED]> wrote:
> Hi ,
>
> I am facing an issue with rcapd, currently I have setup 8 sparse-root
> containers on a server with 32G physical memory , I have capped each of
> these containers varyingly and there is no issue with capping and it works
> fine.
>
> The issue arises when one of the containers eats up more memory (rapidly)
> than it has been allocated. It causes other non global zones to be less
> (noticeable) responsive while rcapd is trying to curb this unruly behaviour
> by one of the containers. I am wondering if this is due to heavy paging ?
>
> Has anyone else seen such behaviour, or is this an acceptable behaviour ? Any
> comments or experiences would be really helpful .

--JeffV
Re: [zones-discuss] Memory allocation for non-global zones
On Wed, Aug 27, 2008 at 1:20 PM, Patrick Ho <[EMAIL PROTECTED]> wrote:
> Can a non-global zone utilize all the available memory on the system if
> resource management is not used and rcap is not used?

A non-global zone could use up most of the free physical memory on the system. If that happened, Solaris would begin paging physical memory pages out to the swap disk(s) to ensure that there is free physical memory. If this continues, maybe the swap disk will fill up, and then more requests for memory will fail. Or maybe performance will become very bad because the system is paging all the time.

That's why the global zone administrator can set a physical memory cap on a non-global zone using the resource management controls.

--JeffV
Re: [zones-discuss] going beyond 255 zones
This doesn't answer your question, but it may help resolve issues you haven't experienced yet: I created 1,000 zones on a system. I wrote about the experience here:

http://blogs.sun.com/JeffV/entry/spawning_0_5kz_hr_part
http://blogs.sun.com/JeffV/entry/spawning_0_5kz_hr_part1
http://blogs.sun.com/JeffV/entry/title_spawning_0_5kz_hr

On Tue, Aug 26, 2008 at 3:18 PM, Michael Harsch <[EMAIL PROTECTED]> wrote:
> Team,
>
> I'm new to zones-discuss, so apologies if this has already been posted.
>
> I would like to configure hundreds (maybe thousands) of zones on a
> single machine. I've had good luck up until ~250 running zones, at
> which point I run out room to alias more loopback network interfaces.
> Here's the error message from the global zone:
>
>    Aug 26 17:05:03 iwa1-ar zoneadmd[15796]: [zone 'zone0506'] WARNING:
>    skipping network interface 'lo0' which may not be present/plumbed in
>    the global zone.: No buffer space available
>
> And from the zone trying to boot:
>
>    Aug 27 01:13:02 zone0506 smcboot[26563]: bind: Cannot assign
>    requested address
>
> On the global zone, the loopback interface (lo0) has 255 aliases and
> (I assume) can't add anymore. I got around this problem with the
> regular interfaces by adding more physical interfaces to the machine
> and configured the zones in blocks of 250 each assigned to different
> physical interfaces. I seem to be blocked at the loopback device
> though.
>
> Does anyone know if there is a way around this? Could I somehow add
> additional loopback addresses and tell the zones at configuration time
> to latch on to something other than lo0 for the loopback alias?
>
> Thanks,
>
> MikeH

--JeffV
Re: [zones-discuss] non global zone memory allocation enquiry
rcapstat(1M).

On Thu, Aug 21, 2008 at 1:29 AM, Gauss Tang - Sun Microsystems <[EMAIL PROTECTED]> wrote:
> Dear Expert,
>
> We can check the zone memory allocation via command
>
> zonecfg -z zonename info
>
> capped-memory:
>     physical: 256M
>
> But how to check this info after login the zone?
>

--JeffV
Re: [zones-discuss] cmn_err / zcmn_err
IMO the behavior of errors in zones should mimic that of errors in non-zoned systems, with the addition of the concept of the global zone as platform administrative area, as you stated. So the message in this case should go to the global zone and to the zone in which the error occurred.

On Mon, Aug 11, 2008 at 9:42 PM, Jason King <[EMAIL PROTECTED]> wrote:
> I'm working on rfe 6613349 suid not allowed message could be better,
> and one issue is that the current error message uses cmn_err()
> (usr/src/uts/common/os/exec.c:613). I'm pretty sure this should use
> zcmn_err(), since (to me at least) I would think the message should
> (at least) go to the zone where the event occurred. I am wondering if
> someone more familiar with zones can confirm this.
>
> Assuming that it should go to the zone where the event was created, I
> was also contemplating echoing the message to the global zone as well,
> but including zone_t->zonename in the global zone. With the
> philosophy of the global zone as an administrative area while the
> actual 'work' of the machine goes in within zones, having the
> information there (as well as in the zone itself) would seem useful as
> well, however I don't know if it would violate any rules about
> separation (I'm hoping someone can comment on this).

--JeffV
Re: [zones-discuss] df Reporting 0K Size in Non-Global Zone
On S10 8/07 I just created a zone with a zonepath on a ZFS fs, and it seems to work correctly:

global# zlogin ozone
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/                    1007529   81998  925531     9%    /
/dev                 1007529   81998  925531     9%    /dev
...
global# zonecfg -z ozone
zonecfg:ozone> info
zonename: ozone
zonepath: /tmpool/ozone
...
global# zfs list
NAME     USED  AVAIL  REFER  MOUNTPOINT
tmpool  80.2M   904M  80.1M  /tmpool

---

On nv88 I get the same behavior. What type of dataset are you using - file system or zvol? Would you send the output of "zfs list"?

On Tue, Aug 12, 2008 at 4:35 PM, Ben Rockwood <[EMAIL PROTECTED]> wrote:
> I've started working with snv_89 and found the following problem:
>
>
> # zlogin testzone02 df -k
> Filesystem            kbytes    used   avail capacity  Mounted on
> /                          0   37833 52390967     1%    /
> /dev                       0       0       0     0%    /dev
> /lib                 2062186  502546 1497775    26%    /lib
>
>
> The underlying storage is a ZFS Dataset, and the capacity of the zone root is
> based on the quota set on the dataset. I've set refquota and reservation
> and others just in case there was an undocumented change but to no avail.
>
> This isn't a major issue because the capacity and values are still correct,
> but users do find it annoying and in some cases it is breaking monitoring
> scripts.
>
> There are several bugs that look close but uncertain as to whether a bug
> exists for this yet or not.
>
> Thanks.
>
> benr.

--JeffV
Re: [zones-discuss] setting up Multipath for local zones in Solaris 10
Yes, a zone can be configured as an "exclusive-IP" zone which gives it the ability to configure IPMP within the zone - and other networking abilities. See
http://blogs.sun.com/JeffV/entry/high_availability_networking_for_solaris
and
http://docs.sun.com/app/docs/doc/817-1592/gepxo?l=en&a=view&q=exclusive+ip++zone .

On Fri, Aug 15, 2008 at 10:27 AM, Sanjay Akula <[EMAIL PROTECTED]> wrote:
> Hi ALL,
>
> Is it possible to set up multipath for Local Zones in Solaris zones? I know
> we can setup multipath for global zone.
>
> --
> Regards,
>
> SysAdmin

--JeffV
Re: [zones-discuss] Solaris 8 (brandz) container license information
> I am planning to migrate a server running Solaris 8
> to a Solaris 8 container. .. On the new server I want to install
> Solaris 10 (global zone) and install 2 Solaris 8
> containers (brandz) under that global zone. I was
> told that there is no need to purchase solaris 8 or 9
> (brandZ) license. Can someone please confirm this. I
> contacted one of the Sun resellers. He told me that
> Solaris 8 and 9 containers are included in the
> Solaris 10 distro at no charge.

The last time I checked, you can download the software for free at sun.com for a 90-day trial. http://www.sun.com/software/solaris/containers/getit.jsp says:

"For full support in a production environment please contact your Sun sales team to purchase a Solaris 8 Containers subscription. A Solaris 10 Premium Subscription or a Sun System Gold or Platinum Service Plan is also required."

You should ask the Sun partner to find the appropriate part number for the subscription.

> Is Oracle certified to run on Solaris 8 container? Is
> someone running Oracle on a Solaris 8 container.

Yes, people are running Oracle 8 and 9. You'd have to ask Oracle if they certify their software on S8 Containers. In most cases the situation doesn't get any worse from a support standpoint: I think Oracle doesn't support Oracle 8 any longer, so moving an Oracle 8 instance from a Solaris 8 system to a Solaris 8 Container doesn't reduce the support level.

--JeffV
Re: [zones-discuss] Orcale support
If you mean "does Oracle support Oracle products in Solaris 8/9 Containers" the answer would depend on which Oracle product, and which version of that product. Many of the Oracle products that are currently running on Solaris 8 systems are very old versions, and Oracle no longer supports them on Solaris 8 systems. In any case, Oracle should be answering the question.

Marco A. Leão Lopez wrote:
> Hi all!!!
>
> Is Oracle supported in Solaris 8/9 Container ?
> Please copy me in the answer as I am not in the alias..
>
> Best
>
[zones-discuss] Default and max values for new rctls
What are the default and maximum values for the new zone-specific resource controls:

zone.max-shm-memory
zone.max-shm-ids
zone.max-msg-ids
zone.max-sem-ids
[zones-discuss] Detect pkgs installed with -G?
How can someone learn whether a package was installed in the global zone *with* -G - or without it?
Re: [zones-discuss] Can the network interface of a local zone get a dynamic ipv4 address?
Lu, Baolu wrote:
> Hi,
>
> A simple question about the local zone.
>
> How to make the local zone network interface get a dynamic ipv4 address?
>
> For example, the global zone has one physical network interface,
> e1000g0.
> It gets the dynamic ipv4 address from the DHCP server located on another
> server.
>
> Does the following make sense?
>
> ... ...
> zonecfg:my-zone> add net
> zonecfg:my-zone> set address=dhcp
> zonecfg:my-zone> set physical=e1000g0
> zonecfg:my-zone> end
> ... ...

I see the problem now. When using this feature, you must not set the 'address' parameter. Instead, only set the 'physical' parameter.

You should specify the use of DHCP either in the zone's file /etc/sysidcfg before you boot the zone for the first time, or by using the zone's file /etc/dhcp.e1000g0. See the man page for dhcp(5) for more information.

Also, note that a zone which uses this feature will have *exclusive* access to this NIC. No other zone, even the global zone, will be able to use this NIC.

> This doesn't work for me on my system.
> The local zone get a address of 192.168.74.200,
> while the global address is in the segment of 10.239.*.*
>
> How to get this work?

--
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
Re: [zones-discuss] Can the network interface of a local zone getadynamic ipv4 address?
Lu, Baolu wrote:
> Maybe there is some misunderstanding, I want a DHCP client in the local
> zone.
>
> That means the zone NIC interface can get the dynamic IPv4 address from
> my DHCP server, which is located at someplace else.

Yes, you should be able to do that as Dan described. What happens when you enter this in the global zone?

# zonecfg -z set ip-type=exclusive

Does it give an error message?

> On Friday, August 03, 2007 12:51 PM, Dan Price wrote:
>
>> On Fri 03 Aug 2007 at 12:39PM, Lu, Baolu wrote:
>>> Thanks for reply.
>>>
>>> I use snv_68 32 bits. The zonecfg doesn't support
>>>
>>> set ip-type
>>>
>>> command.
>>>
>>> Which build is this feature available since on?
>> Since Build 57. Are you sure it isn't there? Try this:
>>
>> zonecfg help set|grep ip
>>
>> You should get
>>
>>    (global) ip-type
>>
>> If not, then I'm not sure what is up. The other thing I forgot
>> to mention is that IP instances needs you to have a physical network
>> connection (or VLAN) which you can assign to the zone.
>>
>> See also this thread, which has some more good info about
>> IP Instances:
>>
>> http://www.opensolaris.org/jive/thread.jspa?messageID=102102
>>
>> I also realize that this isn't a great answer overall-- that it
>> would be nice if this "just worked." We'll keep trying to improve
>> things in this space.
>>
>>    -dp
>>
>> --
>> Daniel Price - Solaris Kernel Engineering - [EMAIL PROTECTED] -
>> blogs.sun.com/dp

--
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
Re: [zones-discuss] CA etrust compatible with zones?
Also, note that the list in the FAQ is only a *very* small subset of the software packages which have been successfully tested in a zone.

Joseph Balenzano wrote:
> Joe,
> 8.0 SP1 supports Solaris Zones for x86 and SPARC.
>
> Joe Nyilas - RAS SSE wrote:
>> I have a customer interested in adopting zones as a core technology.
>> They currently use CA's etrust 8.0 SP1 product to enforce security
>> policies as well as compliance logging on all their Solaris systems.
>> Would anyone know if this will work on either a sparse or full root
>> zone? The OS used by the CU is u3 / S10 11/06.
>>
>> I checked the Zone FAQ and did not see it listed. CA's website limits
>> information for non authenticated visitors, so I can't see the
>> installation instructions for the product. I did find this compatibility
>> matrix:
>> http://supportconnectw.ca.com/public/etrust/etrust_ac/infodocs/etrustac-matrix.asp
>>
>> which references zones, but for a different version of the product.
>>
>> Any and all RTFM pointers appreciated.
>>
>> /jn
>>
>

--
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq