Search Results

Search found 2 results on 1 pages for 'bleonard'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 1/1 | 1 

  • Giving a Zone "More Power"

    - by Brian Leonard
    In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is compare the privileges available to the global zone with those of a local zone. For example, there a 82 distinct privileges available to the global zone: bleonard@solaris:~$ ppriv -l | wc -l 82 You can view the descriptions for each of those privileges as follows: bleonard@solaris:~$ ppriv -lv contract_event Allows a process to request critical events without limitation. Allows a process to request reliable delivery of all events on any event queue. contract_identity Allows a process to set the service FMRI value of a process contract template. ... Or for just one or more privileges: bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write file_dac_read Allows a process to read a file or directory whose permission bits or ACL do not allow the process read permission. file_dac_write Allows a process to write a file or directory whose permission bits or ACL do not allow the process write permission. In order to write files owned by uid 0 in the absence of an effective uid of 0 ALL privileges are required. However, in a non-global zone, only 43 of the 83 privileges are available by default: root@myzone:~# ppriv -l zone | wc -l 43 The missing privileges are: cpc_cpu dtrace_kernel dtrace_proc dtrace_user file_downgrade_sl file_flag_set file_upgrade_sl graphics_access graphics_map net_mac_implicit proc_clock_highres proc_priocntl proc_zone sys_config sys_devices sys_ipc_config sys_linkdir sys_dl_config sys_net_config sys_res_bind sys_res_config sys_smb sys_suser_compat sys_time sys_trans_label virt_manage win_colormap win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl xvm_control However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace: root@myzone:~# dtrace -l ID PROVIDER MODULE FUNCTION NAME The DTrace privileges can be added, however, as follows: bleonard@solaris:~$ sudo zonecfg -z myzone Password: zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user" zonecfg:myzone> verify zonecfg:myzone> exit bleonard@solaris:~$ sudo zoneadm -z myzone reboot Now I can run DTrace from within the zone: root@myzone:~# dtrace -l | more ID PROVIDER MODULE FUNCTION NAME 1 dtrace BEGIN 2 dtrace END 3 dtrace ERROR 7115 syscall nosys entry 7116 syscall nosys return ... Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone: bleonard@solaris:~$ sudo zoneadm -z myzone reboot privilege "dtrace_kernel" is not permitted within the zone's privilege set zoneadm: zone myzone failed to verify Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.

    Read the article

  • Getting Audio from a Zone

    - by bleonard
    Now that I have Firefox and Java Web Start running from a zone, the last piece of the puzzle was audio (essential because most Flash content is accompanied by sound).  In the global zone there's a nice little utility called audiotest for testing your sound: bleonard@solaris:~$ audiotest Sound subsystem and version: SunOS Audio 4.0 (0x00040003) Platform: SunOS 5.11 snv_151a i86pc *** Scanning sound adapter #1 *** /dev/sound/audio810:0dsp (audio engine 0): audio810#0 - Performing audio playback test... <left> ................OK <right> ...............OK <stereo> ..............OK <measured sample rate 47727.00 Hz (-0.57%)> *** All tests completed OK *** Of course, before you can try audiotest in a zone, it must be installed: root@myzone:~# pkg install audio-utilities Packages to install: 1 Create boot environment: No DOWNLOAD PKGS FILES XFER (MB) Completed 1/1 6/6 0.4/0.4 PHASE ACTIONS Install Phase 20/20 PHASE ITEMS Package State Update Phase 1/1 Image State Update Phase 2/2 However, we'll need to do more than just install audiotest: root@myzone:~# audiotest /dev/mixer: No such file or directory The device file is missing from /dev. The audio devices also need to be added to the zone. For this we modify the zone configuration as follows: bleonard@solaris:~$ sudo zonecfg -z myzone Password: zonecfg:myzone> add device zonecfg:myzone:device> set match=/dev/audio* zonecfg:myzone:device> end zonecfg:myzone> add device zonecfg:myzone:device> set match=/dev/sound/* zonecfg:myzone:device> end zonecfg:myzone> add device zonecfg:myzone:device> set match=/dev/mixer* zonecfg:myzone:device> end zonecfg:myzone> add device zonecfg:myzone:device> set match=/dev/sndstat zonecfg:myzone:device> end zonecfg:myzone> verify zonecfg:myzone> exit Then reboot the zone: bleonard@solaris:~$ sudo zoneadm -z myzone reboot After which, audiotest should work: root@myzone:~# audiotest Sound subsystem and version: SunOS Audio 4.0 (0x00040003) Platform: SunOS 5.11 snv_151a i86pc *** Scanning sound adapter #1 *** /dev/sound/audio810:0dsp (audio engine 0): audio810#0 - Performing audio playback test... <left> ................OK <right> ...............OK <stereo> ..............OK <measured sample rate 48208.00 Hz (0.43%)> *** All tests completed OK *** You can also examine /dev/sndstat for additional information: root@myzone:~# cat /dev/sndstat SunOS Audio Framework Audio Devices: 0: audio810#0 Intel AC'97, ICH (DUPLEX) Mixers: 0: audio810#0 Intel AC'97, ICH AC'97 codec: SigmaTel STAC9700 However, when testing the sound from Firefox (from a user account other than root), such as this recent Flash presentation on Solaris availability, you may still be disappointed. This is simply a permissions problem, as the devices only have read and write permissions for root: root@myzone:~# ls -l /dev/audio* crw------- 1 root root 99, 3 Jul 1 10:21 /dev/audio crw------- 1 root root 99, 4 Jul 1 10:21 /dev/audioctl To address this: root@myzone:~# chmod 777 /dev/audio* root@myzone:~# chmod 777 /dev/sound/* And you should be all set.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

1