Sun Microsystems 10 用户手册
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
5.4. Management and monitoring
5.4.1. DTrace in a local zone
[dd] Since Solaris 10 11/06, DTrace can be applied within local zones to processes of this zone. To
enable DTrace, it is necessary to extend the set of privileges for the local zone with dtrace_proc
and dtrace_user. Without these privileges, no DTrace probes will be available in the zone.
No DTrace probes available inside of zone1:
[dd] Since Solaris 10 11/06, DTrace can be applied within local zones to processes of this zone. To
enable DTrace, it is necessary to extend the set of privileges for the local zone with dtrace_proc
and dtrace_user. Without these privileges, no DTrace probes will be available in the zone.
No DTrace probes available inside of zone1:
zone1# dtrace -l | tail +2
zone1#
zone1#
Adding DTrace capability to zone configuration:
global# zonecfg -z zone1
zonecfg:zone1> set limitpriv=default,dtrace_proc,dtrace_user
zonecfg:zone1> commit
zonecfg:zone1> exit
zonecfg:zone1> set limitpriv=default,dtrace_proc,dtrace_user
zonecfg:zone1> commit
zonecfg:zone1> exit
For example, the pid provider can be used to trace a process in the own zone.
dtrace -n 'pid<pid>:::entry {trace(probefunc)}'
dtrace -n 'pid<pid>:::entry {trace(probefunc)}'
5.4.2. Zone accounting
[ug] With the command acctadm), extended accounting can be switched on. In the predefined
resource profile extended, also the name of the zone is written to the accounting records. This
allows accounting data to be associated to their respective zones. It is possible to and to summarily
account for zone consumption without elaborately having to assign the commands to applications, as
required in traditional Unix accounting.
[ug] With the command acctadm), extended accounting can be switched on. In the predefined
resource profile extended, also the name of the zone is written to the accounting records. This
allows accounting data to be associated to their respective zones. It is possible to and to summarily
account for zone consumption without elaborately having to assign the commands to applications, as
required in traditional Unix accounting.
With Solaris 10, a library (libexacct (3LI B)) and an example program (/usr/demo/libexacct / ) are
included that allow the accounting records to be analyzed easily.
included that allow the accounting records to be analyzed easily.
5.4.3. Zone audit
[dd] Audit can be used in two different ways regarding local zones:
[dd] Audit can be used in two different ways regarding local zones:
•
Audit is configured in the global zone. By setting the zonename policy in
/etc/security/audit_startup, audit enters the zone name in each audit record.
With auditreduce -z <zonename> , the corresponding audit records are extracted
and can be analyzed with praudit. The configuration and collection of audit data is done
completely from the global zone.
/etc/security/audit_startup, audit enters the zone name in each audit record.
With auditreduce -z <zonename> , the corresponding audit records are extracted
and can be analyzed with praudit. The configuration and collection of audit data is done
completely from the global zone.
•
Audit is configured in the global zone. In addition, the perzone policy is set in
/etc/security/audit_startup. Thereby, each zone starts its own auditd and
keeps its own configurations and log files per zone. Control of the audit configuration is
assigned to the administrator of the local zone.
/etc/security/audit_startup. Thereby, each zone starts its own auditd and
keeps its own configurations and log files per zone. Control of the audit configuration is
assigned to the administrator of the local zone.
When auditing is needed, the decision for one of the two configuration options will be done depending
on control an access standards of the datacenter operations.
on control an access standards of the datacenter operations.
106