System V IPC resource controls for Zones
By menno on Oct 25, 2006
Some weeks ago, I putback my code for 6306668 (RFE: there need to be zone limits for project-based system V resource controls). The fix went into Nevada build 48 which is now available as Solaris Express 10/06 (available here).
Without such zone limits for project-based System V IPC resource controls, a non-global zone administrator could possibly starve other zones by consuming inordinate amounts of System V IPC resources. Particularly in cases where the non-global zone administrator cannot be trusted (either by malice or lack of knowledge and understanding of the impact of his actions) this can be an issue.
The existing zone.* resource controls have been extended with four new resource controls:
zone.max-shm-memory - the total amount of shared memory allowed for a zone, expressed as a number of bytes.
zone.max-shm-ids - the maximum number of shared memory IDs allowed for a zone, expressed as an integer.
zone.max-sem-ids - the maximum number of semaphore IDs allowed for a zone, expressed as an integer.
zone.max-msg-ids - the maximum number of message queue IDs allowed for a zone, expressed as an integer.
These resource controls give the global zone administrator the ability to limit the total consumption of System V IPC resources by processes in a zone. The non-global zone administrator is still able to control the allocation of System V IPC resources inside the zone using the existing project.* resource controls. So regardless of the limits that a non-global zone administrator sets on projects in the zone, the total amount of IPC resources used by the zone can never exceed the limit set by the global zone administrator.
Setting these resource controls is done in the usual way using zonecfg:
$ zonecfg -z aap
zonecfg:aap> add rctl
zonecfg:aap:rctl> set name=zone.max-shm-memory
zonecfg:aap:rctl> add value (priv=privileged,limit=1073741824,action=deny)
zonecfg:aap:rctl> end
zonecfg:aap> exit
The limit will be in effect after booting the zone. Adding or changing one of these resource controls on a running zone without rebooting can be done using prctl.
One thing to note is that for compatibility reasons there are no default privileged limits on these resource controls, only a system limit. Having a default privileged limit could break existing configurations because up to now there was no limit at the zone level. Therefore, adding a limit to a running zone requires you to use the -t privileged option to add the privileged limit.
To add a 1 GB limit to a running zone you would use:
prctl -n zone.max-shm-memory -t privileged -v 1073741824 -i zone aap
Once the privileged limit is present, changing the limit to 2 GB would be done like this:
prctl -n zone.max-shm-memory -r -v 2147483648 -i zone aap
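The add-versus-replace distinction above is easy to get wrong in a script, so here is an added example (not part of the original post) that inspects the current prctl listing for a zone and prints the matching prctl command from the two forms shown above. The function names and the sample prctl listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# prctl listings below are constructed for illustration.

# Succeeds if the prctl listing on stdin has a value row at "privileged" level.
has_privileged_limit() {
    awk '$1 == "privileged" { found = 1 } END { exit (found ? 0 : 1) }'
}

# zone_rctl_cmd RCTL ZONE LIMIT
# Reads the current `prctl -n RCTL -i zone ZONE` listing on stdin and prints
# the prctl command to run: add (-t privileged) or replace (-r).
zone_rctl_cmd() {
    rctl=$1; zone=$2; limit=$3
    case $rctl in
        zone.max-shm-memory|zone.max-shm-ids|zone.max-sem-ids|zone.max-msg-ids) ;;
        *) echo "unsupported resource control: $rctl" >&2; return 2 ;;
    esac
    case $limit in
        ''|*[!0-9]*) echo "limit must be an unsigned integer: $limit" >&2; return 2 ;;
    esac
    if has_privileged_limit; then
        echo "prctl -n $rctl -r -v $limit -i zone $zone"
    else
        echo "prctl -n $rctl -t privileged -v $limit -i zone $zone"
    fi
}

# Constructed listing: only the system limit exists (the default state).
SAMPLE_SYSTEM_ONLY='zone: 3: aap
NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
zone.max-shm-memory
        system          16.0EB    max   deny                 -'

# Constructed listing: a 1 GB privileged limit has already been added.
SAMPLE_WITH_PRIVILEGED='zone: 3: aap
NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
zone.max-shm-memory
        privileged      1.00GB      -   deny                 -
        system          16.0EB    max   deny                 -'

# On a live system: prctl -n zone.max-shm-memory -i zone aap | zone_rctl_cmd ...
printf '%s\n' "$SAMPLE_SYSTEM_ONLY" | zone_rctl_cmd zone.max-shm-memory aap 1073741824
printf '%s\n' "$SAMPLE_WITH_PRIVILEGED" | zone_rctl_cmd zone.max-shm-memory aap 2147483648
```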