The output from privdebug shows that the privileges proc_priocntl and sys_time are requested by ntpdate. A quick experiment shows that although ntpdate attempts to use proc_priocntl, it does not require this privilege to function correctly. The only additional privilege it needs to set the system time clock is sys_time.
Use zonecfg to modify the Container's privileges:
GZ# zonecfg -z timelord
zonecfg:timelord> set limitpriv=default,!sys_nfs,!sys_audit,\
!sys_acct,sys_time
zonecfg:timelord> exit
GZ# zoneadm -z timelord halt
While isolating the Container, why not also limit the amount of resources that it can consume? If the Container is operating normally, the use of resource management features is unnecessary, but they are easy to configure and their use in this situation could be valuable. These limits could reduce or eliminate the effects of a hypothetical bug in ntpdate that might cause a memory leak or other unnecessary use of resources.
Further, limiting the amount of resources that can be consumed by the Container provides another layer of security in this environment. In particular, resource constraints can reduce or eliminate risks associated with a denial-of-service attack. Note that the use of these features is not strictly necessary. Instead, their use is shown here for completeness, to demonstrate the possibilities.
Chapter 6 described the resource controls available for Containers. Here is
a brief explanation of our choices. There are other reasonable choices for this
situation.
A few quick tests with rcapstat(1) show that the Container needs less than 50 MB of memory to do its job. We could cap the amount of RAM at 50 MB to prevent this Container from consuming an unnecessary amount of RAM, but we also want to prevent it from causing excessive paging. We can prevent a Container from paging by setting the RAM and virtual memory (VM) caps to the same value. However, we don't want to set the VM cap below the amount that is really needed, so we'll be a little generous on both: 100 MB caps for both RAM and VM. A cap on locked memory will further minimize the potential for the Container's processes to disrupt legitimate activities without causing a problem for NTP.
NTP is not a compute-intensive activity, so we will allow it to use one-tenth of the compute capacity of a CPU. Also, capping the number of software threads (lightweight processes [LWPs]) limits the ability to exhaust a fixed resource: process table slots.
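The text describes the chosen caps in prose but does not show how they are entered in zonecfg. The following added example (not from the book) emits the zonecfg command script that applies them to the timelord Container and includes a small consistency check for the RAM/VM rule above. The locked-memory cap (20m) and the LWP cap (100) are placeholder values assumed here; the book gives no numbers for them.

```shell
#!/bin/sh
# Added example: generate the zonecfg commands for the resource controls
# discussed above. Assumed values: LOCKED_CAP and LWP_CAP are placeholders.

RAM_CAP=100m      # physical memory cap chosen in the text
VM_CAP=100m       # swap (virtual memory) cap; equal to RAM cap so the zone cannot page
LOCKED_CAP=20m    # assumed placeholder value
CPU_CAP=0.1       # one-tenth of one CPU's compute capacity
LWP_CAP=100       # assumed placeholder value

# Print the command script to feed to: zonecfg -z timelord -f <file>
timelord_rescfg() {
    cat <<EOF
add capped-memory
set physical=$RAM_CAP
set swap=$VM_CAP
set locked=$LOCKED_CAP
end
add capped-cpu
set ncpus=$CPU_CAP
end
set max-lwps=$LWP_CAP
verify
commit
exit
EOF
}

# Returns 0 when the RAM and VM caps match, which is what prevents the
# Container from paging; returns 1 (and explains why) otherwise.
caps_consistent() {
    if [ "$1" = "$2" ]; then
        return 0
    fi
    echo "RAM cap $1 and VM cap $2 differ: the Container could still page" >&2
    return 1
}

# Usage (as root in the global zone):
#   caps_consistent "$RAM_CAP" "$VM_CAP" &&
#   timelord_rescfg > /tmp/timelord.cfg &&
#   zonecfg -z timelord -f /tmp/timelord.cfg && zoneadm -z timelord boot
```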