Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management (Oracle Solaris 11.1 Information Library)
The project identifier is an administrative identifier that is used to identify related work. The project identifier can be thought of as a workload tag equivalent to the user and group identifiers. A user or group can belong to one or more projects. These projects can be used to represent the workloads in which the user (or group of users) is allowed to participate. This membership can then be the basis of chargeback that is based on, for example, usage or initial resource allocations. Although a user must be assigned to a default project, the processes that the user launches can be associated with any of the projects of which that user is a member.
To log in to the system, a user must be assigned a default project. A user is automatically a member of that default project, even if the user is not in the user or group list specified in that project.
Because each process on the system possesses project membership, an algorithm to assign a default project to the login or other initial process is necessary. The algorithm is documented in the man page getprojent(3C). The system follows ordered steps to determine the default project. If no default project is found, the user's login, or request to start a process, is denied.
The system sequentially follows these steps to determine a user's default project:
1. If the user has an entry with a project attribute defined in the /etc/user_attr extended user attributes database, then the value of the project attribute is the default project. See the user_attr(4) man page.
2. If a project with the name user.user-id is present in the project database, then that project is the default project. See the project(4) man page for more information.
3. If a project with the name group.group-name is present in the project database, where group-name is the name of the default group for the user, as specified in the passwd file, then that project is the default project. For information on the passwd file, see the passwd(4) man page.
4. If the special project default is present in the project database, then that project is the default project.
This logic is provided by the getdefaultproj() library function. See the getprojent(3PROJECT) man page for more information.
You can use the following commands with the -K option and a key=value pair to set user attributes in local files:
useradd: Set default project for user
usermod: Modify user information
Local files can include the following:
/etc/group
/etc/passwd
/etc/project
/etc/shadow
/etc/user_attr
If a network naming service such as NIS is being used to supplement the local file with additional entries, these commands cannot change information supplied by the network name service. However, the commands do verify the following against the external naming service database:
Uniqueness of the user name (or role)
Uniqueness of the user ID
Existence of any group names specified
For more information, see the useradd(1M), usermod(1M), and user_attr(4) man pages.
You can store project data in a local file, in the Domain Name System (DNS), in a Network Information Service (NIS) project map, or in a Lightweight Directory Access Protocol (LDAP) directory service. The /etc/project file or naming service is used at login and by all requests for account management by the pluggable authentication module (PAM) to bind a user to a default project.
Note - Updates to entries in the project database, whether to the /etc/project file or to a representation of the database in a network naming service, are not applied to currently active projects. The updates are applied to new tasks that join the project when either the login or the newtask command is used. For more information, see the login(1) and newtask(1) man pages.
Operations that change or set identity include logging in to the system, invoking an rcp or rsh command, using ftp, or using su. When an operation involves changing or setting an identity, a set of configurable modules is used to provide authentication, account management, credentials management, and session management.
For an overview of PAM, see Chapter 14, Using Pluggable Authentication Modules, in Oracle Solaris 11.1 Administration: Security Services.
Resource management supports naming service project databases. The location where the project database is stored is defined in the /etc/nsswitch.conf file. By default, files is listed first, but the sources can be listed in any order.
project: files [nis] [ldap]
If more than one source for project information is listed, the nsswitch.conf file directs the routine to start searching for the information in the first source listed, and then search subsequent sources.
For more information about the /etc/nsswitch.conf file, see Chapter 2, Name Service Switch (Overview), in Oracle Solaris Administration: Naming and Directory Services and nsswitch.conf(4).
If you select files as your project database source in the nsswitch.conf file, the login process searches the /etc/project file for project information. See the projects(1) and project(4) man pages for more information.
The project file contains a one-line entry of the following form for each project recognized by the system:
projname:projid:comment:user-list:group-list:attributes
The fields are defined as follows:
projname
The name of the project. The name must be a string that consists of alphanumeric characters, underline (_) characters, hyphens (-), and periods (.). The period, which is reserved for projects with special meaning to the operating system, can only be used in the names of default projects for users. projname cannot contain colons (:) or newline characters.
projid
The project's unique numerical ID (PROJID) within the system. The maximum value of the projid field is UID_MAX (2147483647).
comment
A description of the project.
user-list
A comma-separated list of users who are allowed in the project.
Wildcards can be used in this field. An asterisk (*) allows all users to join the project. An exclamation point followed by an asterisk (!*) excludes all users from the project. An exclamation point (!) followed by a user name excludes the specified user from the project.
group-list
A comma-separated list of groups of users who are allowed in the project.
Wildcards can be used in this field. An asterisk (*) allows all groups to join the project. An exclamation point followed by an asterisk (!*) excludes all groups from the project. An exclamation point (!) followed by a group name excludes the specified group from the project.
attributes
A semicolon-separated list of name-value pairs, such as resource controls (see Chapter 6, Resource Controls (Overview)). name is an arbitrary string that specifies the object-related attribute, and value is the optional value for that attribute.
name[=value]
In the name-value pair, names are restricted to letters, digits, underscores, and periods. A period is conventionally used as a separator between the categories and subcategories of the resource control (rctl). The first character of an attribute name must be a letter. The name is case sensitive.
Values can be structured by using commas and parentheses to establish precedence.
A semicolon is used to separate name-value pairs. A semicolon cannot be used in a value definition. A colon is used to separate project fields. A colon cannot be used in a value definition.
Note - Routines that read this file halt if they encounter a malformed entry. Any projects that are specified after the incorrect entry are not assigned.
This example shows the default /etc/project file:
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
This example shows the default /etc/project file with project entries added at the end:
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
user.ml:2424:Lyle Personal:::
booksite:4113:Book Auction Project:ml,mp,jtd,kjh::
You can also add resource controls and attributes to the /etc/project file:
To add resource controls for a project, see Setting Resource Controls.
To define a physical memory resource cap for a project using the resource capping daemon described in rcapd(1M), see Attribute to Limit Physical Memory Usage for Projects.
To add a project.pool attribute to a project's entry, see Creating the Configuration.
If you are using NIS, you can specify in the /etc/nsswitch.conf file to search the NIS project maps for projects:
project: nis files
The NIS maps, either project.byname or project.bynumber, have the same form as the /etc/project file:
projname:projid:comment:user-list:group-list:attributes
For more information, see Chapter 5, Network Information Service (Overview), in Oracle Solaris Administration: Naming and Directory Services.
If you are using LDAP, you can specify in the /etc/nsswitch.conf file to search the LDAP project database for projects:
project: ldap files
For more information about LDAP, see Chapter 9, Introduction to LDAP Naming Services (Overview), in Oracle Solaris Administration: Naming and Directory Services. For more information about the schema for project entries in an LDAP database, see Oracle Solaris Schemas in Oracle Solaris Administration: Naming and Directory Services.