Andreas.Haas at Sun.COM
2007-May-09 11:47 UTC
[dtrace-discuss] Dtrace working only in global zone?

Hi all,

it seems there are problems with running DTrace in non-global zones under Solaris 10. Can anyone confirm this? Is there a workaround to overcome this?

If needed, we could provide additional information on the case where we encountered this. Right now we have understood it to the point that we can say privileges as reported by

# ppriv -v $$

are simply not sufficient even though it is run as user "root" in the zone.

Thanks,
Andreas

Casper.Dik at Sun.COM
2007-May-09 11:52 UTC
[dtrace-discuss] Dtrace working only in global zone?

> Hi all,
>
> it seems there are problems with running DTrace in non-global zones
> under Solaris 10. Can anyone confirm this? Is there a workaround to
> overcome this?

"It is not allowed (by default)".

> # ppriv -v $$
>
> are simply not sufficient even though it is run as user "root" in the zone.

Correct; the default zone configuration lacks the necessary privileges.

With configurable zone privileges you can add dtrace privilege to the zone but there will still be limits; you don't want the zones to be able to look at everything which goes on in the kernel and that makes certain bits of not possible (dtrace_proc and dtrace_user are not much of an issue)

Casper

Andreas.Haas at Sun.COM
2007-May-09 12:41 UTC
[dtrace-discuss] Dtrace working only in global zone?

On Wed, 9 May 2007, Casper.Dik at Sun.COM wrote:

>> Hi all,
>>
>> it seems there are problems with running DTrace in non-global zones
>> under Solaris 10. Can anyone confirm this? Is there a workaround to
>> overcome this?
>
> "It is not allowed (by default)".
>
>> # ppriv -v $$
>>
>> are simply not sufficient even though it is run as user "root" in the zone.
>
> Correct; the default zone configuration lacks the necessary privileges.
>
> With configurable zone privileges you can add dtrace privilege to
> the zone but there will still be limits; you don't want the zones
> to be able to look at everything which goes on in the kernel and that
> makes certain bits of not possible (dtrace_proc and dtrace_user are
> not much of an issue)

Thanks! I found further information on this in

"New Features in Solaris Express 5/06"
http://docs.sun.com/app/docs/doc/820-0724/6nceocr8k?a=view

"Running DTrace in a Non-Global Zone"
http://docs.sun.com/app/docs/doc/819-2450/6n4o5mdia?a=view

Actually, use of kernel probes is not of interest for us anyway. Only pid probes are needed.

I guess all we have to figure out is what Solaris version contains Solaris Express 5/06 feature set.

Regards,
Andreas

Since the global zone can see/monitor processes in non-global zones, you can run DTrace in the global zone to trace processes in non-global zones.

Rayson

On 5/9/07, Andreas.Haas at sun.com <Andreas.Haas at sun.com> wrote:
> On Wed, 9 May 2007, Casper.Dik at Sun.COM wrote:
>
> >> Hi all,
> >>
> >> it seems there are problems with running DTrace in non-global zones
> >> under Solaris 10. Can anyone confirm this? Is there a workaround to
> >> overcome this?
> >
> > "It is not allowed (by default)".
> >
> >> # ppriv -v $$
> >>
> >> are simply not sufficient even though it is run as user "root" in the zone.
> >
> > Correct; the default zone configuration lacks the necessary privileges.
> >
> > With configurable zone privileges you can add dtrace privilege to
> > the zone but there will still be limits; you don't want the zones
> > to be able to look at everything which goes on in the kernel and that
> > makes certain bits of not possible (dtrace_proc and dtrace_user are
> > not much of an issue)
>
> Thanks! I found further information on this in
>
> "New Features in Solaris Express 5/06"
> http://docs.sun.com/app/docs/doc/820-0724/6nceocr8k?a=view
>
> "Running DTrace in a Non-Global Zone"
> http://docs.sun.com/app/docs/doc/819-2450/6n4o5mdia?a=view
>
> Actually, use of kernel probes is not of interest for us anyway.
> Only pid probes are needed.
>
> I guess all we have to figure out is what Solaris version
> contains Solaris Express 5/06 feature set.
>
> Regards,
> Andreas

On Wed 09 May 2007 at 02:41PM, Andreas.Haas at sun.com wrote:
> Thanks! I found further information on this in
>
> "New Features in Solaris Express 5/06"
> http://docs.sun.com/app/docs/doc/820-0724/6nceocr8k?a=view
>
> "Running DTrace in a Non-Global Zone"
> http://docs.sun.com/app/docs/doc/819-2450/6n4o5mdia?a=view
>
> Actually, use of kernel probes is not of interest for us anyway.
> Only pid probes are needed.
>
> I guess all we have to figure out is what Solaris version
> contains Solaris Express 5/06 feature set.

This specific feature will be in the upcoming Solaris 10 Update release (slated for this summer). I'm sorry for the delay in getting this back into S10-- we did the best we could.

I also wrote a blog entry about this: http://blogs.sun.com/dp/entry/dtrace_zones_crazy_delicious

-dp

--
Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp
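
Added example, not part of any post in this thread: a shell check that reads `ppriv -v $$` output and reports which of the two privileges named above (dtrace_proc, dtrace_user) are absent from a given privilege set. The sample outputs are constructed, the function name is hypothetical, and the zonecfg line in the comments assumes a release where the `limitpriv` property accepts the DTrace privileges.

```shell
#!/bin/sh
# Added example (not from the thread). Global-zone side, zone name is a placeholder:
#   zonecfg -z <zonename> 'set limitpriv=default,dtrace_proc,dtrace_user'
# then reboot the zone and run the check from a root shell inside it:
#   ppriv -v $$ | missing_dtrace_privs E

# Constructed sample: zone with the default privilege configuration.
SAMPLE_DEFAULT='4711:   -sh
flags = <none>
        E: contract_event,file_chown,proc_exec,proc_fork,sys_mount
        I: contract_event,file_chown,proc_exec,proc_fork,sys_mount
        P: contract_event,file_chown,proc_exec,proc_fork,sys_mount
        L: contract_event,file_chown,proc_exec,proc_fork,sys_mount'

# Constructed sample: both privileges granted; the E list is wrapped on purpose.
SAMPLE_GRANTED='4711:   -sh
flags = <none>
        E: contract_event,dtrace_proc,
           dtrace_user,file_chown,proc_exec,proc_fork,sys_mount
        I: contract_event,dtrace_proc,dtrace_user,file_chown,proc_exec
        P: contract_event,dtrace_proc,dtrace_user,file_chown,proc_exec
        L: contract_event,dtrace_proc,dtrace_user,file_chown,proc_exec'

# missing_dtrace_privs [E|I|P|L]  (hypothetical helper; default set is E)
# Reads `ppriv -v` output on stdin, prints the missing privileges on one
# line, and returns 1 if any is missing, 0 otherwise.
missing_dtrace_privs() {
    awk -v want="${1:-E}" '
        /^[ \t]*[EIPL]:/ {                 # start of a privilege set
            cur = substr($1, 1, 1)
            sub(/^[ \t]*[EIPL]:[ \t]*/, "")
            if (cur == want) list = list "," $0
            next
        }
        cur == want && /^[ \t]+[a-z_]/ {   # tolerated: wrapped continuation
            gsub(/[ \t]/, ""); list = list "," $0
        }
        END {
            n = split(list, p, ",")
            for (i = 1; i <= n; i++) have[p[i]] = 1
            m = split("dtrace_proc dtrace_user", need, " ")
            for (i = 1; i <= m; i++)
                if (!(need[i] in have))
                    missing = missing (missing ? " " : "") need[i]
            if (missing != "") { print missing; exit 1 }
        }'
}

printf '%s\n' "$SAMPLE_DEFAULT" | missing_dtrace_privs E || echo "(missing from E)"
```

A privilege that is missing from the limit set (L) cannot be acquired inside the zone at all, so checking L as well as E separates a zone-configuration gap from a per-process one.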