[rescue] Sun's new policy sucks...

Patrick Giagnocavo patrick at mail.zill.net
Thu Apr 7 13:11:10 CDT 2005


On Thu, Apr 07, 2005 at 01:55:09PM -0400, William Enestvedt wrote:
> > Zones are the killer app for me; maybe for your situation
> > they are simply not useful.  SMF is not that bad.
> >
>    Can zones be used to replace a chroot jail? Are they easier to deal
> with?

They are jails on steroids.  Big wins for my case:

1.  Automatically limits CPU sharing to 1/(# zones + 1 for global
zone) in the event that applications are competing for CPU.  Of
course, if only one zone needs the CPU, then it gets all the CPU time.
This is when you follow the recommendation to do "dispadmin -d FSS"
and reboot.  You can customize this and give different amounts of CPU
to different zones.

2. Each zone has its own root password and user database. I can give a
zone its own IP and set the root password and say to the user "here
you go..."

3.  Don't have to worry about whether all the libs are in place.  When
you create a zone, you specify what is mounted read-only inside the
zone - usually /usr, /lib, /platform etc. are mounted read-only,
whereas in a chroot jail you might have to figure out where something
is and copy / link it.

4.  You can boot, halt, reboot a zone.  Takes about 15 seconds to boot
a zone.  If you have a lot of jailed processes you have to figure out
which one is in which jail; with zones, you just reboot the zone and
it will come up (assuming you have done the right thing and set up
your server process to come up on boot).  Maybe not that big a deal if
you have everything set up so you can kill -9 `cat /my/dir/daemon.pid`.

For my clients, the biggie is #2, followed by #1.

--Patrick
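
The zone setup described in points 1 to 3 above, as an added example that is not part of the original post: a shell function that writes a zonecfg(1M) command file for a Solaris 10 zone with its own IP address and a CPU-shares limit, plus the share arithmetic FSS applies under contention. The function names, the zone name `web1`, the `/zones` path, the address, the NIC `hme0` and the share counts are all assumed sample values.

```shell
# Added example, not from the original post. All names and values below
# (web1, /zones, 192.0.2.10, hme0, share counts) are constructed samples.

# gen_zone_cfg NAME IP NIC SHARES -> zonecfg command file on stdout.
# A plain "create" uses the default sparse-root template, which already
# inherits /lib, /platform, /sbin and /usr read-only from the global zone.
gen_zone_cfg() {
    name=$1 ip=$2 nic=$3 shares=$4
    # Accept only plain tokens so an argument cannot smuggle extra
    # zonecfg commands into the generated file.
    case $name in ''|*[!A-Za-z0-9_.-]*) echo "bad zone name" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*) echo "bad address" >&2; return 1 ;; esac
    case $nic in ''|*[!a-z0-9]*) echo "bad interface" >&2; return 1 ;; esac
    case $shares in ''|*[!0-9]*|0*) echo "bad share count" >&2; return 1 ;; esac
    cat <<EOF
create
set zonepath=/zones/$name
set autoboot=true
add net
set address=$ip
set physical=$nic
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=$shares,action=none)
end
verify
commit
EOF
}

# fss_percent MY_SHARES [OTHER_ACTIVE_SHARES...] -> integer CPU percentage
# this zone is entitled to while every listed zone is competing for CPU.
# Idle zones are simply left out of the list.
fss_percent() {
    mine=$1 total=0
    for s in "$@"; do total=$((total + s)); done
    echo $((mine * 100 / total))
}

# On the Solaris host (not run here):
#   dispadmin -d FSS          # FSS as default scheduler, then reboot
#   gen_zone_cfg web1 192.0.2.10 hme0 2 > /tmp/web1.cfg
#   zonecfg -z web1 -f /tmp/web1.cfg
#   zoneadm -z web1 install && zoneadm -z web1 boot
#   zlogin -C web1            # zone console; set the zone's own root password
```

With three zones plus the global zone at one share each, `fss_percent 1 1 1 1` gives 25, matching the 1/(# zones + 1) figure in point 1; a zone that is the only one busy gets 100.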
