Virtualization and Namespace Isolation in the Solaris Operating System (PSARC/2002/174)


John Beck, David Comay, Ozgur L., Daniel Price, and Andy T.
Solaris Kernel Technology

Andrew G. and Blaise S.
Solaris Network and Security Technologies

Revision 1.6 (OpenSolaris)
September 7, 2006

Contents

1 Introduction
  1.1 Zone Basics
  1.2 Zone Principles
  1.3 Terminology and Conventions
  1.4 Outline
2 Related Work
3 Zone Runtime
  3.1 Zone State Model
  3.2 Zone Names and Numeric IDs
  3.3 Zone Runtime Support
    3.3.1 zoneadmd(1M)
    3.3.2 zsched
  3.4 Listing Zone Information
4 Zone Administration
  4.1 Zone Configuration
    4.1.1 Configuration Data
  4.2 Zone Installation
  4.3 Virtual Platform Administration
    4.3.1 Readying Zones
    4.3.2 Booting Zones
    4.3.3 Halting Zones
    4.3.4 Rebooting Zones
    4.3.5 Automatic Zone Booting
  4.4 Zone Login
    4.4.1 Zone Console Login
    4.4.2 Interactive and Non-Interactive Modes
    4.4.3 Failsafe Mode
    4.4.4 Remote Login
  4.5 Monitoring and Controlling Zone Processes
5 Administration within Zones
  5.1 Node Name
  5.2 Name Service Usage within a Zone
  5.3 Default Locale and Timezone
  5.4 Initial Zone Configuration
  5.5 System Log Daemon
  5.6 Commands
  5.7 Internals of Booting Zones
    5.7.1 zinit
6 Packaging and Installation
  6.1 File Access
  6.2 Zone models
    6.2.1 Whole Root model
    6.2.2 Sparse Root model
  6.3 Package refactoring
7 Security
  7.1 Credential Handling
  7.2 Fine-Grained Privileges
    7.2.1 Safe Privileges
    7.2.2 Zone Privilege Limits
    7.2.3 Privilege Escalation
  7.3 Role-Based Access Control
  7.4 Chroot Interactions
  7.5 Audit
8 Process Model
  8.1 Signals and Process Control
  8.2 Global Zone Visibility and Access
  8.3 /proc
  8.4 Core Files
9 File Systems
  9.1 Configuration
    9.1.1 Zonecfg File System Configuration
  9.2 Size Restrictions
  9.3 File System-Specific Issues
  9.4 File System Traversal Issues
10 Networking
  10.1 Partitioning
  10.2 Interfaces
  10.3 IPv6
    10.3.1 Address Auto-configuration
    10.3.2 Address Selection
  10.4 IPQoS
  10.5 IPsec
  10.6 Raw IP Socket Access
  10.7 DLPI Access
  10.8 Routing
  10.9 IP Multipathing
  10.10 Mobile IP
  10.11 NCA
  10.12 DHCP
  10.13 TCP Connection Teardown
  10.14 Tuning
  10.15 Unbundled Software
    10.15.1 SunScreen
    10.15.2 IP-Filter
11 Devices
  11.1 Device Categories
    11.1.1 Unsafe Devices
    11.1.2 Fully-Virtual Devices
    11.1.3 Sharable-Virtual Devices
    11.1.4 Exclusive-Use Devices
  11.2 /dev and /devices Namespace
  11.3 Device Management: Zone Configuration
  11.4 Device Management: Zone Runtime
    11.4.1 Read-Only mount of /dev
  11.5 Device Privilege Enforcement
    11.5.1 DDI Impact
    11.5.2 File System Permissions
    11.5.3 The Trouble with Ioctls
    11.5.4 Illegal dev_t's
  11.6 Device Driver Administration
  11.7 Zone Console Design
  11.8 Pseudo-Terminals
  11.9 ftpd
12 Resource Management and Observability
  12.1 Solaris Resource Management Interactions
    12.1.1 Accounting
    12.1.2 Projects, Resource Controls and the Fair Share Scheduler
    12.1.3 Resource Pools
  12.2 kstats
13 Inter-Process Communication
  13.1 Pipes, STREAMS, and Sockets
  13.2 Doors
  13.3 Loopback Transport Providers
  13.4 System V IPC
  13.5 POSIX IPC
  13.6 Event Channels
14 Interoperability and Integration Issues
  14.1 Project Dependencies
  14.2 Other Related Solaris Projects
    14.2.1 Solaris FMA ...