Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices

Effective: 30/11/2009

4.6.3.4. Limiting locked memory

[ug] Real-time programs and databases can lock virtual memory pages into main memory. To do so, the process needs the proc_lock_memory privilege, which must be configured for the zone. Databases use memory locking in part for shared segments to improve performance (ISM, intimate shared memory). Nowadays DISM (Dynamic ISM, e.g. with Oracle) is also used frequently; it locks memory only when this becomes possible, rather than all at once at startup.

The amount of locked memory a zone may use is configured with zonecfg by setting the locked property of the capped-memory resource (add capped-memory). The administrator of the local zone cannot change this setting.

Locked memory improves the performance of the application, but it has a cost: it is subtracted directly from the available main memory and is not available for anything else. Whether a process needs locked memory can be learned from the application's documentation or observed with pmap -x <pid>, whose Locked column shows the locked pages per mapping.

This setting should be made when a process in the zone needs locked memory in order to run at all, or in order to perform well (DISM). The overall size limit, however, should be enforced with the setting for virtual memory (swap) rather than with locked.

4.6.4. Network limitation (IPQoS)

[dd] The IP traffic associated with a zone's IP address can be rate-limited with IPQoS. The configuration is loaded with ipqosconf(1M) in the global zone; ipqosconf -c commits it to /etc/inet/ipqosinit.conf so that it is reapplied at boot. In this way only a specific network bandwidth is made available to certain zones. Since a shared-IP zone's addresses live in the global zone's IP stack, the classification is done on the zone's addresses.
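An IPQoS configuration of the kind described, as an added example that is not part of the guide: a script that writes an ipqosconf configuration file which classifies packets sent from one zone's IP address (ipgpc) and meters them with tokenmt, dropping everything above the committed rate. The zone address 192.0.2.10, the rate of 10 Mbit/s and the file name are assumptions; check the parameter names against ipqosconf(1M) on your release before loading the file.

```shell
#!/bin/sh
# Added example, not from the Solaris 10 Container Guide. Assumed: zone
# address 192.0.2.10, a 10 Mbit/s limit and the file name; rates are bit/s.
#
# Load and commit in the global zone:
#   ipqosconf -a "$CONF"   # apply to the running system
#   ipqosconf -c           # commit to /etc/inet/ipqosinit.conf (reapplied at boot)
#   ipqosconf -l           # list the active configuration
# A shared-IP zone's addresses live in the global zone's IP stack, which is
# why the filter matches on the address rather than on the zone itself.
write_zone_ipqos_conf() {
    addr=$1; rate=$2; out=$3
    cat > "$out" <<EOF
fmt_version 1.0

action {
    module ipgpc
    name ipgpc.classify
    params {
        global_stats TRUE
    }
    class {
        name zone1_out
        next_action meter_zone1
        enable_stats TRUE
    }
    filter {
        name zone1_out_f
        saddr $addr
        direction LOCAL_OUT
        class zone1_out
    }
}

action {
    module tokenmt
    name meter_zone1
    params {
        global_stats TRUE
        committed_rate $rate
        committed_burst $rate
        color_aware FALSE
        red_action_name drop
        green_action_name continue
    }
}
EOF
}

# Stand-alone run: write the file for the assumed zone address and rate.
CONF="${TMPDIR:-/tmp}/zone1-ipqos.conf"
write_zone_ipqos_conf 192.0.2.10 10000000 "$CONF"
```

Packets from the zone address that exceed the committed rate are handed to the built-in drop action; everything within the rate continues through the normal IP path. To limit inbound traffic as well, add a second filter on daddr with direction LOCAL_IN that feeds the same class.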

4.6.5. IPC limits (Semaphore, shared memory, message queues)

[ug] IPC settings have been made through project settings since Solaris 9; this of course also applies to settings within a zone.

From Solaris 10 8/07 on, upper limits for these values can additionally be set in the zone configuration. They are set or modified with zonecfg from the global zone; the administrator of the local zone cannot change them.

Adjustable parameters are:

max-msg-ids      maximum number of message queue IDs
max-sem-ids      maximum number of semaphore IDs
max-shm-ids      maximum number of shared memory IDs
max-shm-memory   maximum size of shared memory in the zone

With this, it can be ensured that the values configured for the zone cannot be exceeded inside it.

4.6.6. Privileges and resource management

[ug] In Solaris 10, privileged system calls are checked at a fine-grained level: the individual privileges that allow these calls can be configured. This technology was adopted from Trusted Solaris. For example, the authorization to mount a file system can be given to a user; this is configured through role based access control (RBAC).

Local zones have only a subset of the privileges that are active in the global zone. This is the main protection mechanism that separates local zones from each other and from the global zone: a root process in a local zone cannot see processes outside its zone and has no direct access to hardware.

Since Solaris 10 11/06, additional privileges can be assigned to a zone in the zone configuration with zonecfg: set limitpriv=... .

These privileges include, among others, DTrace (dtrace_proc, dtrace_user), memory locking (proc_lock_memory) and raw network access (net_rawaccess). Every privilege added here widens what a root process in the zone can do, so grant only what the application demonstrably needs. An exact listing of the privileges available in zones and their default allocation can be found at:

http://docs.sun.com/app/docs/doc/817-1592/6mhahuou9?a=view
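The zonecfg settings from 4.6.3.4 (locked memory), 4.6.5 (IPC limits) and this section (limitpriv), as an added example that is not part of the guide: a script that writes a zonecfg command file for a zone and sums the Locked column of a pmap -x listing to check what a process actually holds. The zone name zone1, the sizes, the privilege set and the pmap listing are assumptions (the listing is constructed, not captured from a real system). Apply the file from the global zone with zonecfg -z zone1 -f <file>; limitpriv in particular takes effect only when the zone is next booted.

```shell
#!/bin/sh
# Added example, not from the Solaris 10 Container Guide. Assumed: zone name
# zone1, the sizes given below and the constructed pmap -x listing.

# Write a zonecfg command file that grants proc_lock_memory, caps locked and
# swap memory with capped-memory and sets the IPC limits of 4.6.5.
# Apply from the global zone:  zonecfg -z zone1 -f zone1.cfg
# If the zone already has a capped-memory resource, use "select capped-memory"
# instead of "add capped-memory" so the existing resource is modified.
write_zone_cfg() {
    out=$1; locked=$2; swap=$3; shm=$4
    cat > "$out" <<EOF
set limitpriv=default,proc_lock_memory
add capped-memory
set locked=$locked
set swap=$swap
end
set max-shm-memory=$shm
set max-shm-ids=100
set max-sem-ids=100
set max-msg-ids=100
commit
EOF
}

# Sum the Locked column (KB) of a "pmap -x <pid>" listing read from stdin.
# Only mapping lines count (hex address in field 1, number in field 5);
# a "-" in the Locked column means nothing is locked for that mapping.
sum_locked_kb() {
    awk '$1 ~ /^[0-9A-Fa-f]+$/ && $5 ~ /^[0-9]+$/ { s += $5 } END { print s + 0 }'
}

# Constructed pmap -x output of a database process with one DISM segment
# that is fully locked (not captured from a real system).
SAMPLE_PMAP='12345:  ora_dbw0_DB
         Address     Kbytes        RSS       Anon     Locked Mode   Mapped File
0000000000400000     102400      98304          -          - r-x--  oracle
0000000080000000     262144     262144          -     262144 rwxs-    [ dism shmid=0x5 ]
FFFFFD7FFF3F0000         64         64         64          - rw---    [ stack ]
         total Kb     364608     360576         64     262144'

# Stand-alone run: write the command file and report the locked memory.
write_zone_cfg "${TMPDIR:-/tmp}/zone1.cfg" 512M 2G 1G
echo "locked KB in sample process: $(printf '%s\n' "$SAMPLE_PMAP" | sum_locked_kb)"
```

The locked value written here (512M) is a hard cap on what all processes in the zone together may lock; with the sample process holding 256 MB in its DISM segment, a second instance of the same size would already exhaust it. The swap cap is what actually bounds the zone's overall memory use, as 4.6.3.4 recommends.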
