Solaris 10 Container Guide - 3.1, Version 3.1-en, 4. Best Practices

Effective: 30/11/2009

4.1.8. Additional devices in zones

4.1.8.1. Configuration of devices

[ug] In principle, a local zone uses no physical devices. To use network interfaces exclusively in one zone, the zone has to be configured as an exclusive IP zone (4.1.7.4 Exclusive IP instance).

Disks or volumes can be inserted in a zone with zonecfg (5.1.12.6 Using a DVD drive in the local zone). To activate such a modified configuration, the zone has to be restarted. Devices can also be brought into a zone dynamically with mknod without having to shut down the zone (5.1.12.7 Dynamic configuration of devices).

Device removal is done by removal with zonecfg or, for dynamically added devices, by deleting the device node.

In principle, other devices, such as serial interfaces, can be passed on to local zones as well. It is the task of the administrator of the global zone, or of the person responsible for the configuration of the local zones, to coordinate the use of the devices and to avoid double allocation or double usage of a device from the global zone and a local zone.

4.1.8.2. Static configuration of devices

[ug] Devices for a zone are defined during zone configuration using zonecfg with the command add device.

Solaris then generates the device for the zone by means of a device node in the /dev file system of the zone. The /dev directory of the zone is located in the zonepath of the zone under the subdirectory dev. Devices are deleted by deleting them in the zone configuration; at the next reboot of the zone, the device is removed from its /dev directory.

This is one of the differences between the global zone and the local zones, since in the local zone, the device node is located directly in the /dev directory. The global zone only contains a symbolic link in /dev to a device entry in /devices. All devices recognized by the system, with their device nodes, are located in /devices.

A zone is not able to create device nodes by itself in its /dev, since the command mknod(1M) and the system call mknod(2) are forbidden by privileges in a local zone. Furthermore, a zone can itself only mount file systems with the option nodevices, with which the device entries in that file system are not usable.

The security of zones with respect to devices is based exactly on these measures because no zone can obtain access to devices that are not configured for it.

4.1.8.3. Dynamic configuration of devices

[ug] Rebooting the local zone is sometimes not desirable, although new devices have to be added, for example to procure additional space for a database.

Then, new devices can be added dynamically to the zone by emulating the process of static device configuration.

First, running ls -lL <device> in the global zone determines which device node lies behind the device; the important outputs here are the major and minor numbers. The major number specifies the driver and the minor number is something like the serial number of the device.

Next, the device for a zone can be created with mknod by generating the corresponding node in the /dev tree of the target zone. For security reasons, this can only be done by the administrator of the global zone (since the local zones lack privileges after all).

If access to the device is to be revoked, the node can be deleted in the /dev of the zone. In doing so, care must be taken that programs or mounts that have opened the device still retain access (as usual in Unix). A mount should be removed before access is terminated.

If the device is to be used in the zone permanently, the corresponding entry should be made in the zone configuration as well (example in 5.1.12.7 Dynamic configuration of devices).
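The following POSIX shell script is an added example and is not part of the Container Guide. It shows the procedure of 4.1.8.3 and the permanent entry of 4.1.8.2 as a dry run: it parses a constructed line of global-zone ls -lL output into device type, major and minor number, derives the mknod(1M) command for the node in the zone's /dev tree, and emits the zonecfg command file (add device with set match=) that makes the device permanent. The zonepath /zones/dbzone, the device /dev/dsk/c1t1d0s0 and the numbers 32, 8 are assumptions; the script only prints the commands and does not execute them.

```shell
#!/bin/sh
# Added example, not from the Container Guide. All values below are constructed:
# the zonepath /zones/dbzone and the major/minor pair 32,8 are assumptions.

# Constructed sample output of "ls -lL /dev/dsk/c1t1d0s0" in the global zone.
# For a device node, ls prints "major, minor" where a regular file shows its size.
SAMPLE_LS='brw-r-----   1 root     sys       32,  8 Nov 30  2009 /dev/dsk/c1t1d0s0'

# device_spec: print "<type> <major> <minor> <path>" for one ls -lL line.
# The type (b = block, c = character) is the first character of the mode field;
# anything else is not a device node and is rejected.
device_spec() {
    printf '%s\n' "$1" | awk '
        { t = substr($1, 1, 1) }
        t != "b" && t != "c" { exit 1 }
        {
            spec = $5                                  # "32," or "32,8"
            if (spec !~ /,[0-9]+$/) spec = spec $6     # join "32," and "8"
            split(spec, mm, ",")
            print t, mm[1], mm[2], $NF
        }'
}

# mknod_command: emit the mknod(1M) call that creates the same node below
# <zonepath>/dev. This is the step only the global-zone administrator can do;
# the target directory (here <zonepath>/dev/dsk) must already exist.
mknod_command() {   # $1 = zonepath, $2 = ls -lL line from the global zone
    zonepath=$1
    spec=$(device_spec "$2") || return 1
    set -- $spec        # $1 type, $2 major, $3 minor, $4 global-zone path
    printf 'mknod %s/dev%s %s %s %s\n' "$zonepath" "${4#/dev}" "$1" "$2" "$3"
}

# zonecfg_script: emit the zonecfg(1M) command file that records the device in
# the zone configuration, so it is re-created from the configuration at the next
# reboot instead of depending on the manually created node.
zonecfg_script() {   # $1 = device path as seen in the global zone
    printf 'add device\nset match=%s\nend\n' "$1"
}

# Dry run on the constructed sample: the commands are printed, not executed.
mknod_command /zones/dbzone "$SAMPLE_LS"
zonecfg_script /dev/dsk/c1t1d0s0
```

The printed zonecfg file would be applied with zonecfg -z dbzone -f <file> and, as described above, takes effect at the next reboot of the zone; until then the node created by the mknod command provides access. Keeping the major/minor pair derived from the global zone's ls -lL output in one place makes it easy to compare it against the node in the zone's /dev later, which helps to spot a device that has been allocated twice.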
