This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
SolarisNISProjectSchema
SolarisNISProjectSchema

Version management

Difference between version and

At line 1 added 104 lines
!!! Overview
We did a [Migrating From NIS To LDAP] project for a client that was using a lot of [Solaris|Solaris versions] with NIS.
We came up with [{$pagename}] [Schema Extensions] to make things work in the late 1990s.
As near as we know, projects are a Solaris Specific NIS Map.
The key file to keep track of here is the project database, /etc/project.
The project file contains a series of one-line entries, one for each configured project. (If you don't want to edit the /etc/project file by hand, you can use the projadd, projdel, and projmod commands to add, remove, or modify projects, respectively.)
Each line takes the following form (LDAP Attribute Name):
{{{
project-name:project-id:comment:user-list:group-list:attributes
}}}
* The project-name field (SolarisProjectName) is the name of the project, and must be specified as an alphanumeric string--periods (.) and colons (:) are not allowed.
* The project-id field (SolarisProjectID) is a unique numerical identifier for the project. The maximum project ID is 2,147,483,647; project IDs between 0 and 99 are reserved for the system.
* The comment field (description) is a description of the project.
* The user-list (memberUid) is a list of all the users who are allowed to associate with the project. Wildcards are allowed: an asterisk (*) permits all users to join the project, and an exclamation point (!) followed by a username excludes that user. An exclamation point followed by an asterisk (!*) excludes all users.
* The group-list field (memberGid) is analogous to the user-list field. Wildcard constructs are valid here, just as they are in the user-list field.
* The attributes field (SolarisProjectAttr) defines the resource-control attributes associated with the project.
!Here are a few of the most "attributes" interesting options:
|task.max-cpu-time|The maximum amount of CPU time available to all the processes in this project (in milliseconds).
|task.max-lwps|The maximum number of lightweight processes available to all the processes in this project.
|process.max-cpu-time|The maximum amount of CPU time available per process for each process in this project (in milliseconds).
|process.max-file-descriptor|The maximum number of file descriptors permitted to each process in this project.
|process.max-file-size|The maximum file size available to processes in this project (in bytes).
|process.max-core-size|The maximum size for a core file created by a process in this project (in bytes).
|process.max-data-size|The maximum heap size for a process in this project (in bytes).
|process.max-stack-size|The maximum stack size for a process in this project (in bytes).
|process.max-address-space|The maximum amount of address space (over all segments) available for a process in this project (in bytes).
(There are other resource controls available--these are just the ones that are most immediately interesting.)
Each attribute is specified by setting it equal to a triplet, like this:
{{{ attribute=(privlevel,value,action)}}}
There are three available values for privlevel. The first, "basic", means that the threshold can be modified by the process, without any special privileges; the second, "privileged", means that the threshold can be changed only by the superuser; the third, "system", means that the threshold is fixed for the duration of the operating system instance (for example, until a reboot).
Multiple attributes can be specified for a single project; separate them with semicolons.
Now that we've walked through the theory, let's create a project.
We can put the following line in /etc/project:
{{{ test:10000:test project:jqpublic::process.max-file-size=(privileged,16777216,deny)}}}
Alternatively, we could run projadd to create this project:
{{{
# projadd -p 10000 -c 'test project' -U jqpublic test
# grep ^test: /etc/project
test:10000:test project:jqpublic::
}}}
(Note that projadd and projmod won't let you change the resource-control field.)
This project is named "test" and has a project ID of "10000". Membership is restricted to the user "jqpublic," and any project running in the test project will not be allowed to create a file greater than 16MB (16MB = 16,777,216 bytes).
When jqpublic next logs in, they can run `projects` to get a list of all the projects they are allowed to participate in:
{{{
jqpublic@purgatorio% projects
default group.staff test
}}}
To find out which project is associated with the currently running shell, try id -p:
{{{
jqpublic@purgatorio% id -p
uid=127(jqpublic) gid=10(staff) projid=10(group.staff)
}}}
(A user's default project can be changed by editing /etc/user_attr. The syntax to use for this is "username::::project=projectname". For example:
{{{ gdm::::project=test }}}
For more information, consult the man page for user_attr(4).).
In this case, jqpublic's project is 'default.' This project has no resource constraints assigned to it. Let's confirm that the resource limitation works on the maximum file size we defined for the test project:
{{{
jqpublic@purgatorio% id -p
uid=127(gdm) gid=10(staff) projid=10(group.staff)
jqpublic@purgatorio% mkfile -v 32M testfile.project=default
testfile.project=default 33554432 bytes
jqpublic@purgatorio% newtask -p test csh
jqpublic@purgatorio% id -p
uid=127(gdm) gid=10(staff) projid=10000(test)
jqpublic@purgatorio% mkfile -v 32M testfile.project=test
testfile.project=test 33554432 bytes
Could not set length of testfile.project=test: File too large
}}}
The resource constraint worked!
You can also set up the resource-management framework so that it writes a notification to the syslog when a resource control is tripped. This can be done via rctladm:
{{{
# rctladm -e syslog process.max-file-descriptor
# rctladm |grep process.max-file-size
process.max-file-size syslog=notice [ lowerable deny file-size ]
}}}
An attempt by a user in the 'test' project to generate a 32MB file generates the following warning in /var/adm/messages:
{{{
Jun 24 23:33:09 british-museum.internal genunix: [ID 883052
kern.notice] privileged rctl process.max-file-size (value 16777216)
exceeded by process 2428
}}}
One other interesting feature about projects is that the prstat command can summarize running processes by project, if you give it the -J switch. This can be quite useful if, for example, you have a "Webserver" project to which all your Web server daemons belong. (If you aren't familiar with prstat, I encourage you to play around with it: it's a useful application. It gives output that is quite similar to that of top, but it is more lightweight. It became available in Solaris 8.)
{{{jqpublic@purgatorio% prstat -cJ }}}
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop