Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices Effective: 30/11/2009
4.2. Paradigms
Paradigms are design rules for the construction of zones. Depending on the application, a decision
must be made as to which of them should be applied.
4.2.1. Delegation of admin privileges to the application department
[ug] Administration of an application can be delegated to the department responsible for the
application. Through zone isolation, the root administrator can influence only resources that are
assigned to the zone. This also applies to other defined privileged users in the zone (see process
privileges, ppriv).
- If a zone is assigned to a shared IP instance, the network can only be configured in the global
  zone.
- If a zone has an exclusive IP instance assigned to it, the administrator of this zone can
  undertake the network configuration for the zone independently.
- File systems can be specified from the global zone (zonecfg add fs).
- File system administration can be handed over to the administrator of the local zone
  (zonecfg add device).
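The two delegation choices above (shared vs. exclusive IP instance, add fs vs. add device) as a zonecfg command file, with a small classifier that reports what a given command file delegates. This is an added example, not text or code from the Container Guide; the zone name appzone, the NIC e1000g1, the zonepath and the c1t1d0 slices are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Container Guide: emit a zonecfg command
# file that applies the delegation paradigm (exclusive IP instance plus a
# delegated raw device), and classify any command file for what it
# delegates. Zone name, NIC e1000g1, zonepath and c1t1d0 slices are
# constructed assumptions.
delegated_zonecfg() {
  zone="$1"
  # Apply in the global zone:   zonecfg -z "$zone" -f "$zone.cfg"
  # Inside the zone afterwards: ppriv -l zone   (privileges root may use)
  cat <<EOF
create -b
set zonepath=/zones/${zone}
set autoboot=true
set ip-type=exclusive
add net
set physical=e1000g1
end
add fs
set dir=/export/app
set special=/dev/dsk/c1t1d0s5
set raw=/dev/rdsk/c1t1d0s5
set type=ufs
end
add device
set match=/dev/rdsk/c1t1d0s6
end
add device
set match=/dev/dsk/c1t1d0s6
end
commit
EOF
}

# Read a zonecfg command file on stdin and report which administration
# tasks the local zone administrator can perform without the global zone.
classify_delegation() {
  cfg=$(cat)
  case "$cfg" in
    *"set ip-type=exclusive"*) echo "network: zone administrator" ;;
    *) echo "network: global zone only" ;;
  esac
  case "$cfg" in
    *"add fs"*) echo "fs: global-zone-managed file system (add fs)" ;;
  esac
  case "$cfg" in
    *"add device"*) echo "fs: delegated raw device, zone admin may newfs/mount (add device)" ;;
  esac
}

delegated_zonecfg appzone | classify_delegation
```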
4.2.2. Applications in local zones only
[ug] If local zones are used for applications, it is recommended not to use the global zone for
applications as well.
Only then is it possible for computer hardware administration to remain purely with the platform
administrators of the global zone.
Platform administrators are the administrators who administer the global zone. They have
access to the hardware (cabinet, power cable, hard drives) and perform the Solaris installation
in the global zone. The platform administrator is also responsible for kernel patching and
rebooting the entire system.
It is not necessary to give the application admin access to the global zone.
If the application admin needs root access, he/she can receive the root password for the local
zone of his/her application. He/she must then, however, assume responsibility for the availability
of the application, in consultation with operations.
Requests for disk space are submitted to platform administration, which assigns the resources to
the corresponding local zone once storage administration (if separate) has approved them.
For network configuration, a distinction must be made between a shared and an exclusive IP
instance. Unlike the administrator of a zone with a shared IP instance, the administrator of a zone
with an exclusive IP instance can undertake network administration himself.
In the global zone, only system-oriented applications are installed that are required for management,
monitoring or backup/restore purposes. To increase availability, cluster software can be used as well.
Advantages:
- Responsibilities for system, storage and application can be distinctly separated.
- Root-user access to the basic system is restricted to system administration. This results in
  improved stability.
Disadvantages:
- Some applications are not yet explicitly released for use in zones. Usually, the applications work
  in zones but they have not yet been certified by the manufacturer of the application.