6.2.3.3 Networking Summary
The default network type (shared-IP) is appropriate unless a Container needs
to manage its own networking configuration or needs specific forms of network
isolation. Exclusive-IP Containers severely restrict the number of Containers per
system because of the limited number of NICs in the computer.
6.2.4 Direct Device Access
The security boundary around a Container prevents direct access to devices, in
recognition of the fact that many types of device access would allow one Container
to affect other Containers. One form of enforcement is the minimal list of device
entries available to the Container. By default, a Container has very few entries in
its /dev directory, and it doesn't have a /devices directory at all. The entries
in /dev are limited to pseudo-devices that are considered safe and necessary,
such as /dev/null.
Sometimes, however, you might want to give a Container direct access to a
device. For example, you might want to test some software in a Container in a
lab environment, but the test might require creating and destroying a file system
from within the Container. To do this, the Container needs device entries for the
disk device that will contain the file system.
You can accomplish this task with the add device subcommand, as shown in
the following example:
GZ# zonecfg -z zone1
zonecfg:zone1> add device
zonecfg:zone1:device> set match=/dev/rdsk/c1t0d0s6
zonecfg:zone1:device> end
zonecfg:zone1> add device
zonecfg:zone1:device> set match=/dev/dsk/c1t0d0s6
zonecfg:zone1:device> end
zonecfg:zone1> commit
zonecfg:zone1> exit
GZ# zoneadm -z zone1 reboot
GZ# zlogin zone1
zone1# newfs /dev/rdsk/c1t0d0s6
zone1# mount /dev/dsk/c1t0d0s6 /opt/local
The direct device method gives a Container's privileged users direct control over
a file system's devices, thereby facilitating direct management of the file system.
At the same time, these users gain greater control over the system's components,
which may enable them to affect other Containers. For example, just as the root
user in a non-virtualized system can use device access to panic a UNIX system, so
assigning direct device access to a Container may give users the ability to panic
the system, stopping all of the Containers. Be very cautious when adding devices
to a Container.
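Because every device entry widens the Container's security boundary, it is worth being able to list, across all zones, which device resources grant disk-level access. The following POSIX shell audit is an added example, not code from the book: it reads the text that `zonecfg -z <zone> export` prints (assumed to consist of "add device" / "set match=..." / "end" blocks), and flags matches under /dev/dsk or /dev/rdsk, or containing a wildcard, as risky. The sample configuration embedded in the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: audit a zone configuration for device
# resources that hand out disk-level access. Input is the text printed by
# `zonecfg -z <zone> export` (assumed format: "add device" ... "set match=..."
# ... "end" blocks). Output: one line per device match, prefixed RISK when the
# match names a raw/block disk device (/dev/rdsk, /dev/dsk) or contains a
# wildcard, otherwise ok. Exit status is 1 when any RISK line was printed.
audit_zone_devices() {
    awk -v zone="$1" '
        /^add device/ { in_dev = 1; next }
        in_dev && /^set match=/ {
            m = substr($0, 11)                    # text after "set match="
            risk = "ok"
            if (m ~ /^\/dev\/r?dsk\// || m ~ /\*/) { risk = "RISK"; nrisk++ }
            printf "%s %s %s\n", risk, zone, m
            next
        }
        /^end/ { in_dev = 0 }
        END { exit (nrisk > 0) }
    '
}

# Count the RISK lines for a configuration passed as a string.
count_risky_devices() {
    printf '%s\n' "$1" | audit_zone_devices "$2" | grep -c '^RISK'
}

# Constructed sample: what `zonecfg -z zone1 export` could print after the two
# add device steps shown above, plus one harmless pseudo-device entry.
SAMPLE_CONFIG='create -b
set zonepath=/zones/zone1
set ip-type=shared
add device
set match=/dev/rdsk/c1t0d0s6
end
add device
set match=/dev/dsk/c1t0d0s6
end
add device
set match=/dev/null
end'

# Stand-alone demonstration on the constructed sample. On a real system:
#   for z in $(zoneadm list -c); do zonecfg -z "$z" export | audit_zone_devices "$z"; done
printf '%s\n' "$SAMPLE_CONFIG" | audit_zone_devices zone1 \
    || echo "zone1: device entries grant disk-level access; review them"
```

Run periodically from the global zone, the non-zero exit status makes it easy to wire the check into an existing configuration-audit job so that a device entry added for a lab test does not quietly survive into production.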