read-only loopback mounts, which makes the commands and libraries in /usr and /lib available to the Container.

These directories are called package directories because they contain the contents of packages. A package from another software vendor can also be inherited by specifying the directory containing that software. During Container configuration, you can specify additional, non-Solaris package directories.
Figure 6.2 Read-Only Loopback Mount into Container
This design, called the “sparse-root” model, has several benefits. By sharing mounts with the global zone, it significantly decreases the amount of disk space used by a Container, shrinking it to less than 100 MB. It also reduces the amount of RAM used by the Container when it is running because a Solaris program running in multiple Containers requires only one set of memory pages for the program instructions, not one set per Container. In most cases, use of the sparse-root model minimizes the effort required to administer Containers. Packages and patches can be deployed once in the global zone, then become immediately available to all Containers using the sparse-root model.
The last benefit of this model is security enhancement. Occasionally, intruders have taken advantage of application software on a UNIX-like system to gain access to the system as a privileged user. Once they have done so, they can replace an existing operating system binary with a program that performs some malicious task when it is run (a “Trojan horse”). An unsuspecting user who runs that program at a later date may inadvertently cause difficult-to-diagnose problems. If the Trojan horse program is run regularly, it can send data updates from the system to a remote user on the Internet. A sparse-root zone significantly minimizes the risk from this type of attack through the read-only mounts of Solaris programs.
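As an added example (not code from the book), the following POSIX shell check verifies the property the security argument above depends on: that the package directories a sparse-root zone inherits are in fact mounted read-only inside the zone. The directory list assumes the Solaris 10 defaults for inherit-pkg-dir, and the mount-table text is a constructed sample shaped like Solaris `mount` output; on a real zone, pipe the output of `mount` in instead.

```shell
#!/bin/sh
# Added example, not from the book: confirm that the directories a sparse-root
# zone inherits from the global zone are mounted read-only inside the zone.

# Directories inherited by default through inherit-pkg-dir (assumed Solaris 10 defaults).
SPARSE_DIRS="/lib /platform /sbin /usr"

# Constructed sample of `mount` output from inside a zone; /sbin is
# deliberately shown read/write so the warning path is exercised.
SAMPLE_MOUNTS='/ on / read/write/setuid/devices/dev=2d90001 on Mon Jan  1 00:00:00 2007
/lib on /lib read only/setuid/devices/dev=2d90002 on Mon Jan  1 00:00:00 2007
/platform on /platform read only/setuid/devices/dev=2d90003 on Mon Jan  1 00:00:00 2007
/sbin on /sbin read/write/setuid/devices/dev=2d90004 on Mon Jan  1 00:00:00 2007
/usr on /usr read only/setuid/devices/dev=2d90005 on Mon Jan  1 00:00:00 2007
/proc on proc read/write/setuid/devices/dev=4b80000 on Mon Jan  1 00:00:00 2007'

# mount_state DIR: reads a mount table on stdin and prints ro, rw or missing
# for DIR, judged from the option string that follows "DIR on <special>".
mount_state() {
    opts=$(awk -v mp="$1" '$1 == mp { $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, ""); print; exit }')
    case "$opts" in
        "")            echo missing ;;
        "read only"*)  echo ro ;;
        *)             echo rw ;;
    esac
}

# check_sparse_root: reads a mount table on stdin, warns about every inherited
# directory that is not a read-only mount, and returns 1 if any was found.
check_sparse_root() {
    table=$(cat)
    rc=0
    for d in $SPARSE_DIRS; do
        state=$(printf '%s\n' "$table" | mount_state "$d")
        if [ "$state" != ro ]; then
            echo "WARNING: $d is $state; expected a read-only loopback mount" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample (reports /sbin).
if printf '%s\n' "$SAMPLE_MOUNTS" | check_sparse_root; then
    echo "all inherited package directories are read-only"
else
    echo "sparse-root check failed; inspect the warnings above"
fi
```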