TITLE: System V resource controls for Zones.

SUMMARY:

This case proposes adding the following resource controls to Solaris:

    zone.max-shm-memory    Committed
    zone.max-shm-ids       Committed
    zone.max-msg-ids       Committed
    zone.max-sem-ids       Committed

These controls will provide a mechanism for limiting System V resources used by all processes within a zone.

Patch binding is requested for these new resource controls.

DETAIL:

The following resource controls were introduced by [2] for projects:

    project.max-shm-memory    Committed (was Evolving)
    project.max-shm-ids       Committed (was Evolving)
    project.max-sem-ids       Committed (was Evolving)
    project.max-msg-ids       Committed (was Evolving)

These were introduced as a replacement for /etc/system variables, which required a reboot in order to tune System V memory limits.

Similar controls are needed for Zones [1] so that various applications, such as databases, can be safely deployed in a non-global zone where the administrator may not be trusted.

The introduction of zone.max-locked-memory [3] and configurable privileges [4] enables the deployment of database applications such as Oracle into non-global zones. These applications also need limits on System V resources in order to be deployed reliably. For example, if a non-global zone is able to consume all the shm-ids on a system, it would be able to starve other zones, preventing them from running any applications that use System V shared memory.

As a solution, zone.* resource controls for System V objects, identical to the existing project.* resource controls, are proposed. These controls will behave identically to their project.* counterparts, except that they can only be administered by a global zone administrator using zonecfg(1M) and the existing "add rctl" subcommand.

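
As an added illustration (not part of the case materials), the shell function below writes a zonecfg command file that sets the four zone.* controls through "add rctl" stanzas. The function names, the zone name dbzone and the limit values are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emit a zonecfg command file for the zone.* System V rctls.
# Zone name and limit values used below are constructed samples.

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# emit_rctl NAME LIMIT: print one "add rctl" stanza. priv=privileged with
# action=deny refuses any allocation that would exceed LIMIT.
emit_rctl() {
    printf 'add rctl\n'
    printf 'set name=%s\n' "$1"
    printf 'add value (priv=privileged,limit=%s,action=deny)\n' "$2"
    printf 'end\n'
}

# sysv_zone_rctls SHM_BYTES SHM_IDS MSG_IDS SEM_IDS
# Pass "-" to leave a control unset, since these rctls have no default value.
sysv_zone_rctls() {
    if [ "$#" -ne 4 ]; then
        echo "usage: sysv_zone_rctls SHM_BYTES SHM_IDS MSG_IDS SEM_IDS" >&2
        return 2
    fi
    # Validate every argument before printing, so a bad limit yields no output.
    for limit in "$@"; do
        [ "$limit" = "-" ] || is_uint "$limit" || {
            echo "invalid limit: $limit" >&2
            return 1
        }
    done
    [ "$1" = "-" ] || emit_rctl zone.max-shm-memory "$1"   # bytes
    [ "$2" = "-" ] || emit_rctl zone.max-shm-ids "$2"
    [ "$3" = "-" ] || emit_rctl zone.max-msg-ids "$3"
    [ "$4" = "-" ] || emit_rctl zone.max-sem-ids "$4"
    printf 'commit\n'
}

# Sample: 4 GB of shared memory, 128 shm ids, no message queue limit, 64
# semaphore ids. In the global zone, save the output to a file and apply it
# with: zonecfg -z dbzone -f <file>
sysv_zone_rctls 4294967296 128 - 64
```
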
A non-global zone administrator can manipulate project.* System V resource controls to limit projects within the non-global zone, but the total System V resources consumed by the non-global zone will always be limited by the zone.* resource controls set from the global zone.

For compatibility, these privileged zone.* System V rctls will be given no default values. Adding default zone System V limit values would potentially break existing configurations on upgrade.

EXPORTED INTERFACES

    zone.max-shm-memory    Committed
    zone.max-shm-ids       Committed
    zone.max-msg-ids       Committed
    zone.max-sem-ids       Committed

REFERENCES:

[1] PSARC/2002/174 Virtualization and Namespace Isolation in Solaris
[2] PSARC/2002/694 System V IPC resource controls
[3] PSARC/2004/580 zone/project.max-locked-memory Resource Controls
[4] PSARC/2006/124 Configurable Privileges for Zones