Table 6.2 Privileges Not Allowed in Containers, continued

Privilege          The privilege gives a process the ability to . . .
sys_linkdir        Link and unlink directories
sys_mount          Mount and unmount file systems; add and remove swap devices
sys_res_config     Administer CPUs, processor sets, and resource pools
sys_suser_compat   Manage third-party modules' use of the kernel suser() function
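As an added example (not code from the book), the following script audits the text of a `zonecfg -z <zone> export` for a `set limitpriv=...` line and reports any privilege from the part of Table 6.2 shown on this page, so a configuration that asks for one is caught before it is applied. The zone name and path in the sample export are constructed, and the `!`/`-` removal prefixes are assumed from the Solaris privilege set syntax.

```python
"""Audit a zonecfg export for privileges that Containers may not hold.

Added example, not from the book: only the four privileges visible in the
continued part of Table 6.2 on this page are listed; the rest of the table
is on the previous page.
"""
import re

# Privileges from the portion of Table 6.2 shown on this page.
DISALLOWED_IN_CONTAINERS = {
    "sys_linkdir",       # link and unlink directories
    "sys_mount",         # mount/unmount file systems, add/remove swap devices
    "sys_res_config",    # administer CPUs, processor sets, resource pools
    "sys_suser_compat",  # manage third-party modules' use of kernel suser()
}

_LIMITPRIV_RE = re.compile(r"^\s*set\s+limitpriv\s*=\s*(.+?)\s*$", re.M)


def requested_privileges(zonecfg_export: str) -> set:
    """Return the privileges an export adds to the zone's limit set.

    The value is comma-separated; ``default`` stands for the standard zone
    set, and a leading ``!`` or ``-`` removes a privilege rather than adding
    it (assumed spelling of the removal syntax, so such tokens are skipped).
    """
    requested = set()
    for match in _LIMITPRIV_RE.finditer(zonecfg_export):
        for token in match.group(1).split(","):
            token = token.strip().strip('"')
            if not token or token == "default" or token[0] in "!-":
                continue
            requested.add(token)
    return requested


def disallowed_requests(zonecfg_export: str) -> set:
    """Privileges the export asks for that Table 6.2 says a Container cannot hold."""
    return requested_privileges(zonecfg_export) & DISALLOWED_IN_CONTAINERS


# Constructed sample export (hypothetical zone path), not real zonecfg output.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/web01
set limitpriv=default,dtrace_proc,sys_mount,!sys_nfs
"""

if __name__ == "__main__":
    print("disallowed:", sorted(disallowed_requests(SAMPLE_EXPORT)))  # ['sys_mount']
```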
The configurable security of Containers is a core component of Immutable Service Containers. ISCs are an architectural deployment pattern used to describe a platform for highly secure service delivery. They provide a security-reinforced Container into which a specific service (i.e., an application) or a set of services is deployed. For more information, see http://hub.opensolaris.org/bin/view/Project+isc.
6.1.3 Namespaces
Each Container has its own namespace. A namespace is the complete set of recognized names for entities such as users, hosts, printers, and others. In other words, a namespace represents a mapping of human-readable names to names or numbers that are more appropriate to computers. The user namespace maps user names to user identification numbers (UIDs). The host name namespace maps host names to IP addresses. As in any Oracle Solaris system, namespaces in Containers can be managed using the /etc/nsswitch.conf file.

One simple outcome of having an individual namespace per Container is separate mappings of user names to UIDs. When managing Containers, remember that a user in one Container with UID 238 is a different user from UID 238 in another Container.

Also, each Container has its own Service Management Facility (SMF). SMF starts, monitors, and maintains network services such as sshd. As a consequence, each Container appears on the network just like any other Solaris system, using the same well-known port numbers for common network services.
6.1.4 Brands
Each Container includes a property called its brand. A Container's brand determines how it interacts with the Oracle Solaris kernel. Most of this interaction occurs via Solaris system calls. Some brands call for system calls to be used without modification; other brands add a layer of software that translates the Container's