Solaris 10 Container Guide - 3.1 (Version 3.1-en), 5. Cookbooks

Effective: 30/11/2009

5.4. Management and monitoring

5.4.1. DTrace in a local zone

[dd] Since Solaris 10 11/06, DTrace can be used within a local zone to trace the processes of that zone. To enable it, the zone's privilege set must be extended with dtrace_proc and dtrace_user. Without these privileges, no DTrace probes are available in the zone.

No DTrace probes available inside of zone1:

zone1# dtrace -l | tail +2
zone1#

Adding DTrace capability to zone configuration:

global# zonecfg -z zone1
zonecfg:zone1> set limitpriv=default,dtrace_proc,dtrace_user
zonecfg:zone1> commit
zonecfg:zone1> exit

For example, the pid provider can then be used to trace a process running in the zone itself:

zone1# dtrace -n 'pid<pid>:::entry {trace(probefunc)}'
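Whether a zone's configuration actually carries the two privileges can be checked from the global zone by parsing the output of zonecfg export. The script below is an added example, not code from the Container Guide: it reads the text that `zonecfg -z zone1 export` prints (a constructed sample is embedded so it runs without a Solaris host) and reports which of dtrace_proc and dtrace_user are missing. The function names limitpriv_of, priv_granted and dtrace_privs_missing are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Container Guide: check whether a zone's
# limitpriv setting grants the two privileges DTrace needs inside a local
# zone (dtrace_proc and dtrace_user). The input is the text that
# `zonecfg -z <zone> export` prints; the sample below is constructed so the
# script runs without a Solaris host.

SAMPLE_EXPORT='create -b
set zonepath=/zones/zone1
set autoboot=true
set limitpriv=default,dtrace_proc,dtrace_user'

# Print the limitpriv value from a zonecfg export (empty when not set).
# Quotes are stripped because zonecfg may emit limitpriv="...". If the
# property appears more than once, the last line wins.
limitpriv_of() {
    printf '%s\n' "$1" | sed -n 's/^set limitpriv=//p' | tr -d '"' | sed -n '$p'
}

# Return 0 when privilege $2 is granted by the comma-separated list $1.
# The last mention wins: a plain entry grants it, an entry prefixed with
# ! or - (zonecfg's removal syntax) takes it away again.
priv_granted() {
    _list=$1; _priv=$2; _rc=1
    _oldifs=$IFS; IFS=,
    for _e in $_list; do
        case $_e in
            "$_priv")             _rc=0 ;;
            "!$_priv"|"-$_priv")  _rc=1 ;;
        esac
    done
    IFS=$_oldifs
    return $_rc
}

# Print "ok" when both DTrace privileges are granted, otherwise the names
# of the missing ones. The "default" set alone grants neither, so a zone
# with no limitpriv line at all is reported as missing both.
dtrace_privs_missing() {
    _lp=$(limitpriv_of "$1")
    _missing=""
    for _p in dtrace_proc dtrace_user; do
        priv_granted "$_lp" "$_p" || _missing="${_missing:+$_missing }$_p"
    done
    if [ -z "$_missing" ]; then echo ok; else echo "$_missing"; fi
}

dtrace_privs_missing "$SAMPLE_EXPORT"
```

On a real host feed it the live configuration: dtrace_privs_missing "$(zonecfg -z zone1 export)". Only these two user-level privileges can be delegated this way; dtrace_kernel is not permitted in a non-global zone, so kernel providers such as fbt stay available only from the global zone, and a zone administrator with dtrace_proc and dtrace_user can still only trace processes of that zone.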

5.4.2. Zone accounting

[ug] Extended accounting can be switched on with the command acctadm(1M). In the predefined resource profile "extended", the name of the zone is also written to each accounting record, so accounting data can be attributed to the respective zone. This makes it possible to account for a zone's consumption as a whole, without the laborious assignment of commands to applications that traditional Unix accounting requires.

Solaris 10 includes a library, libexacct(3LIB), and an example program in /usr/demo/libexacct/ that allow the accounting records to be analyzed easily.

5.4.3. Zone audit

[dd] Auditing can be used in two different ways with respect to local zones:

1. Auditing is configured in the global zone. By setting the zonename policy in /etc/security/audit_startup, the audit daemon enters the zone name in each audit record. With auditreduce -z <zonename>, the records of one zone are extracted and can then be analyzed with praudit. Configuration and collection of audit data are done entirely from the global zone.

2. Auditing is configured in the global zone, and in addition the perzone policy is set in /etc/security/audit_startup. Each zone then starts its own auditd and keeps its own configuration and log files. Control of the audit configuration is thereby handed to the administrator of the local zone.

When auditing is required, the choice between the two configurations depends on the control and access standards of the datacenter operations.
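To tell which of the two models a host has been prepared for, the -setpolicy lines of /etc/security/audit_startup can be parsed. The script below is an added example rather than the guide's own code; it embeds a constructed audit_startup excerpt so it runs offline, handles the +policy, -policy and absolute forms that auditconfig -setpolicy accepts, and its function names (policy_tokens, zone_audit_model) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Container Guide: classify a host's zone
# audit model from the auditconfig -setpolicy lines in
# /etc/security/audit_startup. The file content below is constructed so the
# script runs without Solaris.

SAMPLE_STARTUP='#!/bin/sh
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +zonename
# /usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf'

# Print the argument of every active "auditconfig -setpolicy" line, one per
# line, e.g. "+cnt", "-zonename" or "cnt,perzone". Comments are dropped
# first so a commented-out policy line is ignored.
policy_tokens() {
    printf '%s\n' "$1" \
      | sed -n -e 's/#.*//' \
               -e 's/^.*auditconfig[[:space:]]*-setpolicy[[:space:]]*//p'
}

# Walk the policy tokens in file order and keep the final state of the
# perzone and zonename policies: "+x" adds, "-x" removes, a bare list
# replaces the whole policy set. Result: perzone (local zones run their own
# auditd), zonename (one global auditd tags records with the zone name),
# or none. perzone wins when both are set, because the local zones'
# own daemons then handle their records.
zone_audit_model() {
    _perzone=0; _zonename=0
    for _tok in $(policy_tokens "$1"); do
        case $_tok in
            +*) _op=add; _names=${_tok#+} ;;
            -*) _op=del; _names=${_tok#-} ;;
            *)  _op=set; _names=$_tok; _perzone=0; _zonename=0 ;;
        esac
        _oldifs=$IFS; IFS=,
        for _n in $_names; do
            if [ "$_op" = del ]; then _v=0; else _v=1; fi
            case $_n in
                perzone)  _perzone=$_v ;;
                zonename) _zonename=$_v ;;
            esac
        done
        IFS=$_oldifs
    done
    if [ "$_perzone" = 1 ]; then echo perzone
    elif [ "$_zonename" = 1 ]; then echo zonename
    else echo none
    fi
}

zone_audit_model "$SAMPLE_STARTUP"
```

On a host, run it against the real file: zone_audit_model "$(cat /etc/security/audit_startup)". Since audit_startup is executed at boot, the parse tells you what will apply after the next boot; the currently active policy is what auditconfig -getpolicy reports, and the two should agree on a correctly maintained system.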
