Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices Effective: 30/11/2009
4.6.3.4. Limiting locked memory
[ug] Real time programs and databases can establish the locking of virtual memory pages in the main
memory. To do so, the programs require the privilege (proc_lock_memory) which must be
configured for the zone. Databases in part use memory locking for shared segments to optimize
performance (ISM – intimate shared memory). Nowadays, however, DISM (Dynamic ISM, e.g. with
Oracle) is also used frequently, which will only establish memory locking when it becomes possible.
The amount of locked memory available to a zone can be configured by setting the locked value
to a certain amount with zonecfg: add capped-memory. The administrator of the local zone
is not able to change this setting.
Locked memory enhances the performance of the application. But it is also a disadvantage because it
is subtracted directly from the available main memory and is not available for other purposes. Whether
a process requires locked memory can be learned from the documentation of the application or with
the command pmap -x <pid>.
This setting should be made if a process within a zone requires locked memory in order to run, or to
perform (DISM). Size limitation, however, should be done with the setting for virtual memory (swap).
4.6.4. Network limitation (IPQoS)
[dd] The IP traffic of a zone to an IP address can be limited with IP QoS. The command
ipqosconf(1M) creates the file /etc/inet/ipqosinit.conf in the global zone which
contains the configuration for IPQoS. This configuration is used to make only a specific network
bandwidth available to certain zones.
4.6.5. IPC limits (Semaphore, shared memory, message queues)
[ug] IPC settings can be done by means of settings in the project since Solaris 9; this also applies of
course to settings within a zone.
From Solaris 10 8/07, upper limits for these values can be set in the zone configuration. These values
can be modified in the zone configuration or from the global zone. The administrator of the local zone
is not able to change these values.
Adjustable parameters are:
max-msg-ids maximum number of message queue IDs
max-sem-ids maximum number of semaphore IDs
max-shm-ids maximum number of shared memory IDs
max-shm-memory maximum size of shared memory in the zone
With this, it can be ensured that the appropriate settings cannot be exceeded in the zone.
4.6.6. Privileges and resource management
[ug] In Solaris 10, privileged system calls are examined at a fine-granular level. Privileges that allow
using these calls can be configured. This technology has been adopted from Trusted Solaris. For
example, the authorization to mount a file system can be transferred to a user. This can be
configured using role based access control (RBAC).
Local zones have only a subset of the privileges active compared to the global zone. This is the main
protection mechanism to separate local zones. A root process in the local zone basically lacks the
authorization to view processes outside the zone and to access all hardware.
Solaris 10 11/06 made it possible to assign additional privileges for the zone in the zone configuration
with zonecfg: set limitpriv=... .
These privileges are, among others, DTrace, lock memory and network raw access. An exact listing
of privileges in zones and their allocation can be found at:
http://docs.sun.com/app/docs/doc/817-1592/6mhahuou9?a=view
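The settings from 4.6.3.4 (locked memory and swap cap), 4.6.5 (IPC limits) and 4.6.6 (limitpriv) can be applied together from one zonecfg command file. The script below is an added example, not from the guide: it builds such a file, rejects malformed sizes, and checks that the locked cap does not exceed the swap cap; the zone name, sizes, the max-sem-ids value and the privilege list are constructed sample values.

```shell
# Added example (not from the guide): build the zonecfg(1M) command file
# for a zone that needs locked memory, IPC caps and an extra privilege.
# Sizes, the max-sem-ids value and the privilege list are sample values.

# Convert a zonecfg size (e.g. 512m, 2g or plain bytes) to bytes.
to_bytes() {
    num=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Accept only digits with an optional trailing k/m/g suffix.
valid_size() {
    case "$1" in
        ""|[!0-9]*|*[!0-9kKmMgG]*|*[kKmMgG]?*) return 1 ;;
        *) return 0 ;;
    esac
}

# Arguments: locked swap max-shm-memory extra-privs (comma list, may be "").
zone_limits_cmds() {
    locked=$1; swap=$2; shm=$3; privs=$4
    for s in "$locked" "$swap" "$shm"; do
        valid_size "$s" || { echo "bad size: $s" >&2; return 1; }
    done
    # My sanity check, not from the guide: locked pages are virtual memory
    # too, so a locked cap above the swap cap could never be reached.
    [ "$(to_bytes "$locked")" -le "$(to_bytes "$swap")" ] ||
        { echo "locked ($locked) exceeds swap ($swap)" >&2; return 1; }
    cat <<EOF
add capped-memory
set locked=$locked
set swap=$swap
end
set max-shm-memory=$shm
set max-sem-ids=1024
set limitpriv=default${privs:+,$privs}
verify
commit
EOF
}

# Print the commands; on the global zone save them to a file and run
# zonecfg -z <zonename> -f <file> to apply them.
zone_limits_cmds 512m 2g 1g proc_lock_memory
```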
61