3 Best Practices for Running Oracle Databases in Solaris Containers Sun Microsystems, Inc.
• Whole root model — The whole root zone model provides maximum configurability by
installing the required packages and any selected optional packages into the private
file systems of the zone. The advantages of this model include the ability for zone
administrators to customize their zone’s file system layout and add arbitrary unbundled
or third-party packages.
Solaris Zones provide the standard Solaris interfaces and application environment; they
do not impose a new ABI or API. In general, applications do not need to be ported to
Solaris Zones. However, applications running in non-global zones may need to be aware
of non-global zone behavior, depending on the Solaris interfaces they use. In particular:
• All processes running in a zone have a reduced set of privileges, a subset of the
privileges available in the global zone. That full set is available to the zone’s root
user; non-root users of the zone have a subset of it. By default, a non-root user in a
non-global zone has the “logical AND” of the privileges available to non-root users in
the global zone and the privileges available to that zone.
Processes that require a privilege not available in a non-global zone can fail to
run, or in a few cases fail to achieve full performance.
• Administrators can modify the set of privileges a zone has (the zone’s limitpriv
property in zonecfg(1M)), reducing or expanding it. This provides the ability to enhance
security by removing privileges not needed by applications running in that zone, or to
give a zone a non-default privilege in order to improve the functionality or performance
of an application. The privilege proc_lock_memory, required to use Dynamic Intimate
Shared Memory (DISM), is now in the default privilege set of zones.
• Each non-global zone may have its own logical network and loopback interface.
Bindings between upper-layer streams and logical interfaces are restricted such that
a stream may only establish bindings to logical interfaces in the same zone. Likewise,
packets from a logical interface can only be passed to upper-layer streams in the
same zone as the logical interface.
• Each zone can be configured as an exclusive-IP zone, which allows it to have its own
IP resources. This gives full functionality and independence from the global zone’s IP
stack. Specifically, an exclusive-IP zone can manage its own network interfaces,
routing table, IPQoS configuration, and IP Filter rules.
• Non-global zones have access to a restricted set of devices. In general, devices are
shared resources in a system. Therefore, restrictions within zones are put in place so
that security is not compromised.
• iSCSI storage can be used with zones in two ways. A zone can be installed into a
directory which is mounted in the global zone and is backed by iSCSI storage (see the
description of Network-Attached Containers by Jeff Victor, documented at
http://blogs.sun.com/jeffv/date/20080408). Alternatively, iSCSI storage can be
mounted into the global zone, and a directory from that file system can be
loopback mounted (lofs) into a zone.
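The bullets above describe three zonecfg(1M) settings an Oracle zone typically needs: a privilege set that includes proc_lock_memory, exclusive-IP networking, and an iSCSI-backed directory loopback-mounted from the global zone. The script below is an added example, not code from the Sun paper; it generates the zonecfg command file for a hypothetical zone "oradb1" and sanity-checks it before applying. The zone name, zonepath /zones/oradb1, NIC e1000g1, and the mount points /iscsi/oradb1/u02 and /u02 are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun paper). Zone name, zonepath, NIC and the
# iSCSI-backed mount points below are assumptions chosen for illustration.

# emit_zonecfg ZONEPATH NIC GLOBAL_DIR ZONE_DIR
# Prints a zonecfg command sequence that:
#   - keeps the default privilege set and adds proc_lock_memory (DISM);
#     harmless on releases where it is already in the default set;
#   - makes the zone exclusive-IP, so it owns NIC, its routing table,
#     IPQoS configuration and IP Filter rules;
#   - loopback-mounts GLOBAL_DIR (an iSCSI LUN mounted in the global zone)
#     at ZONE_DIR inside the zone (the paper's second iSCSI model).
emit_zonecfg() {
    zonepath=$1; nic=$2; global_dir=$3; zone_dir=$4
    cat <<EOF
create
set zonepath=$zonepath
set autoboot=true
set limitpriv=default,proc_lock_memory
set ip-type=exclusive
add net
set physical=$nic
end
add fs
set dir=$zone_dir
set special=$global_dir
set type=lofs
end
verify
commit
exit
EOF
}

# check_zonecfg FILE
# Returns 0 if every "add ..." resource is closed by "end", the limitpriv
# line carries proc_lock_memory, and the zone is exclusive-IP; 1 otherwise.
check_zonecfg() {
    awk '
        /^add /                                 { depth++ }
        /^end$/                                 { depth--; if (depth < 0) bad = 1 }
        /^set limitpriv=/ && /proc_lock_memory/ { priv = 1 }
        /^set ip-type=exclusive$/               { excl = 1 }
        END { exit !(depth == 0 && !bad && priv && excl) }
    ' "$1"
}

file=$(mktemp)
emit_zonecfg /zones/oradb1 e1000g1 /iscsi/oradb1/u02 /u02 > "$file"
if check_zonecfg "$file"; then
    if command -v zonecfg >/dev/null 2>&1; then
        # Only meaningful as root in a Solaris global zone.
        zonecfg -z oradb1 -f "$file"
    else
        echo "zonecfg not available here; generated command file:"
        cat "$file"
    fi
else
    echo "generated zonecfg file failed sanity check" >&2
    exit 1
fi
rm -f "$file"
```

On a Solaris global zone this is followed by `zoneadm -z oradb1 install` and `zoneadm -z oradb1 boot`; inside the booted zone, `ppriv $$` prints the shell's privilege sets and should list proc_lock_memory. Two caveats: an exclusive-IP zone needs a data link (physical NIC or VLAN) that the global zone is not itself using, and the lofs directory must not be written concurrently from the global zone, since the zone's Oracle instance assumes it owns those data files.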