Dtrace team,

What are our plans for supporting (or allowing) DTrace use within Containers (not the Global zone)? I have several large telco customers that are holding off on Containers in S10 until their development and test communities (which would have separate containers, but not global root access) have permission/privileged access to run Dtrace within their local containers to diagnose their apps...

Please let me know any timelines and/or internal docs that might describe where we stand on this recurring issue from clients.

Thanks,

Todd Jobson
Sr. Enterprise Architect
Sun Client Solutions
Jonathan Adams
2006-Mar-28 20:05 UTC
[dtrace-discuss] [Fwd: Re: Dtrace in Containers...??]
On Tue, Mar 28, 2006 at 10:34:23AM -0500, Todd Jobson wrote:
> Dtrace team,
>
> What are our plans for supporting (or allowing) DTrace use within
> Containers (not the Global zone)? I have several large telco customers
> that are holding off on Containers in S10 until their development and test
> communities (which would have separate containers, but not global root
> access) have permission/privileged access to run Dtrace within their local
> containers to diagnose their apps...

Support went back in snv_37, in the form of:

    PSARC 2006/124 Configurable Privileges for Zones
    4966416 RFE: zone privileges should be configurable

and:

    4970596 RFE: should be able to run some DTrace programs in a zone

I don't know what the timeline/plans for backport are.

Cheers,
- jonathan

> Please let me know any timelines and/or internal docs that might
> describe where we stand on this recurring issue from clients.
>
> Thanks,
>
> Todd Jobson
> Sr. Enterprise Architect
> Sun Client Solutions

--
Jonathan Adams, Solaris Kernel Development
David S. Collier-Brown
2006-Mar-28 20:43 UTC
[dtrace-discuss] Re: [Fwd: Re: Dtrace in Containers...??]
Possibly dumb question: can one not write a small setuid C program that can run dtrace in the global zone against programs in a predefined container?

Then someone who only has root in zone "foo" could be added to the group who has permission to run dtrace_foo, and that program would run dtrace on programs in foo only.

--dave (formerly of Sun in Toronto) c-b
Robert Milkowski
2006-Mar-28 21:30 UTC
[dtrace-discuss] [Fwd: Re: Dtrace in Containers...??]
Hello Jonathan,

Tuesday, March 28, 2006, 10:05:13 PM, you wrote:

JA> Support went back in snv_37, in the form of:
JA> PSARC 2006/124 Configurable Privileges for Zones
JA> 4966416 RFE: zone privileges should be configurable
JA> and:
JA> 4970596 RFE: should be able to run some DTrace programs in a zone
JA> I don't know what the timeline/plans for backport are.

That's very good news.

Is the PSARC case publicly available anywhere?

What kind of restrictions are they going to be? I guess that despite privileges one won't be able to "see" outside a local zone, or maybe new privilege(s) are introduced to cover this? Or maybe only some providers are available (and only with filters like zoneid == X for the syscall provider, etc.)?

--
Best regards,
Robert                            mailto:rmilkowski at task.gda.pl
                                  http://milek.blogspot.com
On Tue 28 Mar 2006 at 10:34AM, Todd Jobson wrote:
> Dtrace team,
>
> What are our plans for supporting (or allowing) DTrace use within
> Containers (not the Global zone)? I have several large telco customers
> that are holding off on Containers in S10 until their development and test
> communities (which would have separate containers, but not global root
> access) have permission/privileged access to run Dtrace within their local
> containers to diagnose their apps...
>
> Please let me know any timelines and/or internal docs that might
> describe where we stand on this recurring issue from clients.

Well, I guess this is as good a time as any to announce that I've integrated initial support for DTrace inside of Containers (a.k.a. non-global zones) as of Friday, Mar 24, 2006. This means that in future Solaris Express and Community Express builds (those based on Nevada B37 or higher), you can use a subset of DTrace functionality inside of non-global zones.

Here's how to use this functionality:

    # zonecfg -z myzone
    zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user
    zonecfg:myzone> ^D

    # zoneadm -z myzone boot

    # zlogin myzone
    myzone# dtrace -l
    ...

    myzone# plockstat -Ap `pgrep startd`
    ...

Note that either or both of the dtrace_proc and dtrace_user privileges may be granted to a zone, but dtrace_kernel may not be (zoneadm will enforce this). The lack of dtrace_kernel means that not every DTrace script will work, since kernel state is not available to DTrace inside of a zone; but we think this represents a good start.

Additional virtualization work has been done to ensure that data from other zones is not visible inside the zone, and to ensure that the interactions with other relevant privileges (proc_owner and proc_zone) behave as expected.

 -dp

--
Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp
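A small audit helper for the zone configuration described in the mail above; this is an added example, not code from Dan's post or from Solaris. It assumes the zone's privilege set is available as the "limitpriv: ..." line that `zonecfg -z <zone> info limitpriv` prints, and classifies it: user-level DTrace only (dtrace_proc and/or dtrace_user), no DTrace at all, or a set containing dtrace_kernel, which the mail says zoneadm refuses. The sample lines are constructed.

```shell
#!/bin/sh
# check_dtrace_limitpriv LINE
#   LINE is a "limitpriv: priv,priv,..." line (assumed zonecfg info format).
#   Exit status: 0 = dtrace_proc/dtrace_user granted, dtrace_kernel absent
#                1 = no DTrace privilege granted at all
#                2 = dtrace_kernel present (not permitted in a non-global zone)
check_dtrace_limitpriv() {
    privs=$(printf '%s\n' "$1" | sed -n 's/^limitpriv:[[:space:]]*//p')
    has_kernel=0
    has_user=0
    old_ifs=$IFS
    IFS=,
    # Walk the comma-separated privilege list one entry at a time.
    for p in $privs; do
        p=$(printf '%s' "$p" | tr -d ' \t')   # tolerate "a, b" spacing
        case $p in
            dtrace_kernel)           has_kernel=1 ;;
            dtrace_proc|dtrace_user) has_user=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$has_kernel" -eq 1 ] && return 2
    [ "$has_user" -eq 1 ] && return 0
    return 1
}

# Constructed sample lines (not captured from a real system).
GOOD='limitpriv: default,dtrace_proc,dtrace_user'
NONE='limitpriv: default'
BAD='limitpriv: default,dtrace_proc,dtrace_kernel'

for line in "$GOOD" "$NONE" "$BAD"; do
    check_dtrace_limitpriv "$line"
    case $? in
        0) echo "ok (user-level DTrace):  $line" ;;
        1) echo "no DTrace privileges:    $line" ;;
        2) echo "REJECT (dtrace_kernel):  $line" ;;
    esac
done
```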
On Tue 28 Mar 2006 at 11:30PM, Robert Milkowski wrote:
>
> That's very good news.
>
> Is the PSARC case publicly available anywhere?

There was no PSARC case; the bug reports are mostly available. An overview is available here:

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4970596

> What kind of restrictions are they going to be?
> I guess that despite privileges one won't be able to "see" outside
> a local zone, or maybe new privilege(s) are introduced to cover this?
> Or maybe only some providers are available (and only with filters like
> zoneid == X for the syscall provider, etc.)?

See my just-posted mail on this topic.

 -dp

--
Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp
On 3/29/06, Dan Price <dp at eng.sun.com> wrote:
> Well, I guess this is as good a time as any to announce that I've
> integrated initial support for DTrace inside of Containers (a.k.a.
> non-global zones) as of Friday, Mar 24, 2006. This means that in
> future Solaris Express and Community Express builds (those based on
> Nevada B37 or higher), you can use a subset of DTrace functionality
> inside of non-global zones.

Dan,

This is way cool. My developers are going to love this. So when can I expect the next community build?

--
Just me,
Wire ...
Robert Milkowski
2006-Mar-29 13:46 UTC
[dtrace-discuss] [Fwd: Re: Dtrace in Containers...??]
Hello Dan,

Tuesday, March 28, 2006, 11:35:02 PM, you wrote:

DP> On Tue 28 Mar 2006 at 11:30PM, Robert Milkowski wrote:
>>
>> That's very good news.
>>
>> Is the PSARC case publicly available anywhere?

DP> There was no PSARC case; the bug reports are mostly available.
DP> An overview is available here:
DP> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4970596

>> What kind of restrictions are they going to be?
>> I guess that despite privileges one won't be able to "see" outside
>> a local zone, or maybe new privilege(s) are introduced to cover this?
>> Or maybe only some providers are available (and only with filters like
>> zoneid == X for the syscall provider, etc.)?

DP> See my just-posted mail on this topic.

Thank you. This is great! Our developers already like it (some not 'coz it means no account in a global zone :)) )

--
Best regards,
Robert                            mailto:rmilkowski at task.gda.pl
                                  http://milek.blogspot.com
Dan,

Regarding the incorporation of Dtrace capabilities within Containers, I wanted to get a "pulse" on current and near-term support for this in current/planned Solaris 10 updates (unless only Nevada will handle this capability, which was not my prior understanding).

Any details / URLs explaining the capabilities would also be helpful. Please let me know as I have a major Telco interested in using these capabilities asap.

Thanks,

Todd Jobson
Sr. Enterprise Architect
Sun Microsystems

Dan Price wrote:
> On Tue 28 Mar 2006 at 11:30PM, Robert Milkowski wrote:
>
>> That's very good news.
>>
>> Is the PSARC case publicly available anywhere?
>
> There was no PSARC case; the bug reports are mostly available.
> An overview is available here:
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4970596
>
>> What kind of restrictions are they going to be?
>> I guess that despite privileges one won't be able to "see" outside
>> a local zone, or maybe new privilege(s) are introduced to cover this?
>> Or maybe only some providers are available (and only with filters like
>> zoneid == X for the syscall provider, etc.)?
>
> See my just-posted mail on this topic.
>
>  -dp
>
>> On Tue 28 Mar 2006 at 10:34AM, Todd Jobson wrote:
>>> Dtrace team,
>>>
>>> What are our plans for supporting (or allowing) DTrace use within
>>> Containers (not the Global zone)? I have several large telco customers
>>> that are holding off on Containers in S10 until their development and test
>>> communities (which would have separate containers, but not global root
>>> access) have permission/privileged access to run Dtrace within their local
>>> containers to diagnose their apps...
>>>
>>> Please let me know any timelines and/or internal docs that might
>>> describe where we stand on this recurring issue from clients.
>
> Well, I guess this is as good a time as any to announce that I've
> integrated initial support for DTrace inside of Containers (a.k.a.
> non-global zones) as of Friday, Mar 24, 2006. This means that in
> future Solaris Express and Community Express builds (those based on
> Nevada B37 or higher), you can use a subset of DTrace functionality
> inside of non-global zones.
>
> Here's how to use this functionality:
>
>     # zonecfg -z myzone
>     zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user
>     zonecfg:myzone> ^D
>
>     # zoneadm -z myzone boot
>
>     # zlogin myzone
>     myzone# dtrace -l
>     ...
>
>     myzone# plockstat -Ap `pgrep startd`
>     ...
>
> Note that either or both of the dtrace_proc and dtrace_user privileges
> may be granted to a zone, but dtrace_kernel may not be (zoneadm will
> enforce this). The lack of dtrace_kernel means that not every DTrace
> script will work, since kernel state is not available to DTrace inside
> of a zone; but we think this represents a good start.
>
> Additional virtualization work has been done to ensure that data from
> other zones is not visible inside the zone, and to ensure that the
> interactions with other relevant privileges (proc_owner and proc_zone)
> behave as expected.
>
>  -dp
>
> --
> Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp