[dtrace-discuss] [Fwd: Re: Dtrace in Containers...??]
Todd Jobson
Todd.Jobson at Sun.COM
Fri Jan 5 10:40:11 PST 2007
Dan,
Regarding the incorporation of Dtrace capabilities within Containers,
I wanted to get a "pulse" on current and near-term support for this in
current/planned Solaris 10 updates (unless only Nevada will handle this
capability, which was not my prior understanding). Any details / URLs
explaining the capabilities would also be helpful.
Please let me know as I have a major Telco interested in using these
capabilities asap.
Thanks,
Todd Jobson
Sr. Enterprise Architect
Sun Microsystems
Dan Price wrote:
>On Tue 28 Mar 2006 at 11:30PM, Robert Milkowski wrote:
>
>
>>That's very good news.
>>
>>Is the PSARC case anywhere publicly available?
>>
>>
>
>There was no PSARC case; the bug reports are mostly available.
>An overview is available here:
>
>http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4970596
>
>
>
>>What kind of restrictions are they going to be?
>>I guess that despite privileges one won't be able to "see" outside
>>a local zone or maybe new privilege(s) are introduced to cover this?
>>Or maybe only some providers are available (and only with filters like
>>zoneid == X for syscall provider, etc.)?
>>
>>
>
>See my just-posted mail on this topic.
>
> -dp
>
>
>On Tue 28 Mar 2006 at 10:34AM, Todd Jobson wrote:
>
>
>>> Dtrace team,
>>>
>>> What are our plans for supporting (or allowing) DTrace use within
>>> Containers (not the Global zone) ? I have several large telco customers
>>> that are holding off on Containers in S10 until their development and test
>>> communities (which would have separate containers.. but not global root
>>> access) have permission/privileged access to run Dtrace within their local
>>> containers to diagnose their apps...
>>>
>>> Please let me know any timelines and/or internal docs that might
>>> describe where we stand on this recurring issue from clients.
>>
>>
>
>Well, I guess this is as good a time as any to announce that I've
>integrated initial support for DTrace inside of Containers (a.k.a.
>non-global zones) as of Friday, Mar 24, 2006. This means that in
>future Solaris Express and Community Express builds (those based on
>Nevada B37 or higher), you can use a subset of DTrace functionality
>inside of non-global zones.
>
>Here's how to use this functionality:
>
> # zonecfg -z myzone
> zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user
> zonecfg:myzone> ^D
>
> # zoneadm -z myzone boot
>
> # zlogin myzone
> myzone# dtrace -l
> ...
>
> myzone# plockstat -Ap `pgrep startd`
> ...
>
>Note that either or both of the dtrace_proc and dtrace_user privileges
>may be granted to a zone, but dtrace_kernel may not be (zoneadm will
>enforce this). The lack of dtrace_kernel means that not every DTrace
>script will work, since kernel state is not available to DTrace inside
>of a zone; but we think this represents a good start.
>
>Additional virtualization work has been done to ensure that data from
>other zones is not visible inside the zone, and to ensure that the
>interactions with other relevant privileges (proc_owner and proc_zone)
>behave as expected.
>
> -dp
>
> -- Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com -
> blogs.sun.com/dp
>
>
>
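The privilege rule in the quoted announcement (dtrace_proc and dtrace_user may be granted to a zone, dtrace_kernel may not) can be checked against a zone's `limitpriv` value before it is applied. This is an added example, not part of the original thread or of Solaris: the function names are hypothetical, the sample values are constructed, and it assumes that keywords such as `default` contribute no `dtrace_*` privileges and that a token prefixed with `!` or `-` removes a privilege granted earlier in the list.

```shell
#!/bin/sh
# Added example: report which DTrace privileges a limitpriv value grants.
# Assumption: "default" and similar keywords carry no dtrace_* privileges,
# which is why the post adds them explicitly.

# Print the granted dtrace_* privileges, space-separated, in the order given.
dtrace_privs() {
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f       # split the spec on commas, no globbing
    IFS=$old_ifs
    granted=""
    for tok in "$@"; do
        case $tok in
            '!'dtrace_*|-dtrace_*)  # negated token: drop it if present
                kept=""
                for g in $granted; do
                    [ "$g" = "${tok#?}" ] || kept="$kept $g"
                done
                granted=$kept ;;
            dtrace_*)               # explicit grant, ignoring duplicates
                case " $granted " in
                    *" $tok "*) ;;
                    *) granted="$granted $tok" ;;
                esac ;;
        esac
    done
    printf '%s\n' "${granted# }"
}

# Return 0 if the spec is acceptable for a non-global zone, 1 if it asks for
# dtrace_kernel, which the post says may not be granted to a zone.
zone_dtrace_ok() {
    case " $(dtrace_privs "$1") " in
        *" dtrace_kernel "*) return 1 ;;
    esac
    return 0
}

# Constructed sample limitpriv values (not taken from a real system).
for spec in "default,dtrace_proc,dtrace_user" \
            "default,dtrace_user,!dtrace_user" \
            "default,dtrace_kernel"; do
    if zone_dtrace_ok "$spec"; then verdict="ok"; else verdict="REJECT: dtrace_kernel"; fi
    printf '%-34s grants: [%s] %s\n' "$spec" "$(dtrace_privs "$spec")" "$verdict"
done
```

On a live system the value to pass in is whatever `limitpriv` is set to in the zone's configuration, such as the `default,dtrace_proc,dtrace_user` string from the post.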