©2015 - 2022 Chad’s Technoworks. Disclaimer and Terms of Use

Chad’s TechnoWorks My Journal On Technology

SOLARIS PROJECT AND USER ACCOUNT MANAGEMENT


For Solaris 9 and below, kernel parameter adjustments required by applications such as databases are configured in /etc/system, and a reboot is required for them to take effect. Starting with Solaris 10, these kernel adjustments are made through Project Resource Management. Adjustments made through projects no longer require a reboot. The user associated with the project only needs to log in again for the changes to take effect. This is a real convenience when multiple applications run on the same server and you have to fight for a reboot window.

Below are the kernel parameter definitions, followed by a table of their equivalents in projects.


 shmmax - indicates maximum allowable size of shared memory segment
          (default=1048576 (1mb) max=4294967295 (4gb))

 shmmin - smallest size (bytes) of a shared memory segment
          (default=1 max=4294967295)

 shmmni - maximum shared memory segments in the system
          (default=100 max=2147483647)

 shmseg - maximum number of shared memory segments a user process can attach.
          Usually set equal to shmmni (default=6 max=32767 (32k))

 semmns - the number of semaphores in the system
          (SID_A+SID_B)+(SID_C * 2)+(no. of instances * 10)
          where: SID_A,SID_B,SID_C = processes value per instance
                 SID_C = has the largest value

 semmni - the number of semaphore set identifiers that can be
          created at any one time

 semmsl - maximum number of semaphores that can be in one semaphore set.
          Should be equal to or greater than the value of oracle processes.


SOLARIS 9 PARAMETER                       SOLARIS 10 PARAMETER     SOLARIS 10 DEFAULT

set shmsys:shminfo_shmmax=4294967295      project.max-shm-memory   1/4 Physical Mem
set shmsys:shminfo_shmmin=1               obsolete/removed
set shmsys:shminfo_shmmni=200             project.max-shm-ids      128
set shmsys:shminfo_shmseg=10              obsolete/removed
set semsys:seminfo_semmns=4096            obsolete/removed
set semsys:seminfo_semmni=100             project.max-sem-ids      128
set semsys:seminfo_semmsl=1024            process.max-sem-nsems    512
set semsys:seminfo_semopm=100             project.max-sem-ops      512
set semsys:seminfo_semvmx=32767           obsolete/removed
set noexec_user_stack=1
set abort_enable=2

How To Check The Current User ID And The Assigned Project ID

How To Check The Default Resource Control Value Of A Project

How To Temporarily Assign A Resource Control Value To A Project

How To Permanently Assign A Resource Control Value To A Project Using System Console Tool

How To Permanently Assign A Resource Control Value To A Project Using Command Line

Creating A User With Assigned Project

How To Check All Resource Values Of A Current Session To Verify Changes Made

How To Check All Default Values Of A Project

How To Check A List Of Running Processes And Their Assigned Projects

How To Switch The User Primary Project To Another Project





CHECKING SOLARIS PROJECT KERNEL PARAMETERS


TO CHECK THE CURRENT USER ID AND THE ASSIGNED PROJECT ID  


# id -p

uid=0(root) gid=0(root) projid=1(user.root)



TO CHECK THE RESOURCE CONTROL VALUE OF A PROJECT


Example for Project user.root:


# prctl -n project.max-shm-memory -i project user.root

project: 1: user.root

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

project.max-shm-memory

        privileged       249MB      -   deny                                 -

        system          16.0EB    max   deny                                 -

       

# prctl -n project.max-sem-ids -i project user.root

project: 1: user.root

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

project.max-sem-ids

        privileged        128       -   deny                                 -

        system          16.8M     max   deny                                 -



Example for current user:


# prctl -n process.max-sem-nsems $$   

process: 633: -sh

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

process.max-sem-nsems

        privileged        512       -   deny                                 -

        system          32.8K     max   deny                                 -


        

SETTING SOLARIS PROJECT KERNEL PARAMETERS


TO TEMPORARILY ASSIGN A RESOURCE CONTROL VALUE TO A PROJECT

               

An example to temporarily set 2 GB max shared memory:

# prctl -n project.max-shm-memory -v 2gb -r -i project user.root


# prctl -n project.max-shm-memory -i project user.root

project: 1: user.root

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

project.max-shm-memory

        privileged      2.00GB      -   deny                                 -

        system          16.0EB    max   deny                                 -

 

An example that temporarily sets a process parameter for the current session:

1. get the process id


UNIX> who -mHT

NAME       LINE         TIME          IDLE    PID  COMMENTS

orasu    + pts/1        Apr 29 10:27   .     9334       (57.23.211.129)


2. list existing value of process param of current session


UNIX> prctl -n process.max-sem-nsems $$

process: 9334: -ksh

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

process.max-sem-nsems

        privileged      6.14K       -   deny                                 -

        system          32.8K     max   deny                                 -

   

3. Temporarily set a new value for the process param

As root,

# prctl -n process.max-sem-nsems -v 8192 -r -i process 9334

             

4. Verify new settings

UNIX> prctl -n process.max-sem-nsems 9334

process: 9334: /usr/local/sbin/sshd -R

NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT

process.max-sem-nsems

        privileged      8.19K       -   deny                                 -

        system          32.8K     max   deny                                 -

        

       

        

TO PERMANENTLY ASSIGN A RESOURCE CONTROL VALUE TO A PROJECT

NOTE: The following is a step-by-step example of creating groups, projects and users with assigned projects, based on the requirements of an Oracle database install.

        

To permanently set any resource control using the SYSTEM MANAGEMENT CONSOLE tool:


UNIX> /usr/sadm/bin/smc &        


From the system management console,


1) create group:

     orainst, oradba, oraoper, sunweb

     default primary project: group.staff

     

2) create user:

     oradb    (primary grp: orainst)

     sunweb   (primary grp: webadmin)

     

3) create project:

     user.oracle

      * at resource control tab, add shared memory settings for oracle:

            project.max-shm-memory, threshold=4294967295, Modifiable by = Privileged, no signal, action = deny

            process.max-sem-nsems, threshold=2048, Modifiable by = Privileged, no signal, action = deny

     user.sunweb       


4) Assign users to project:

     oradb -> user.oracle

     sunweb -> user.sunweb

          



OR, Using COMMAND LINE To Permanently Set Resource Control:

 

NOTE: The following is a step-by-step example of creating groups, projects and users with assigned projects, based on the requirements of an Oracle database install.


Kernel parameters now have to be modified via the project file. To set the kernel parameters for Oracle 10g Database:

First, as root, edit /etc/system and add the following:


  set noexec_user_stack=1


(the setting above requires a reboot)


NOTE: Metalink Note 395334.1 explains Why do we need to set
      NOEXEC_USER_STACK to 1 before Oracle installation as a mandatory step:

      Sometimes programs allocate buffers but do not always check the size of
      the data coming into these buffers. An unwanted program can overflow such
      a buffer by placing a pointer to its own code and take control of the
      application with the privileges assigned to that application. Solaris 9
      introduced the option to disable execution of user programs on the stack
      and assist in preventing this type of issue. This feature is only
      available on SPARC and AMD64 systems because it requires hardware support
      that is not available in current Intel 32bit CPUs. The protection is
      setup by employing the system wide parameter 'set noexec_user_stack=1'
      in the /etc/system file.
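
A check for the setting described in the note, as an added example (not from the original page or from Oracle): it reports the active noexec_user_stack value in /etc/system text and skips comment lines, which start with * or #, so a commented-out entry is not mistaken for an active one. The names SYSTEM_SAMPLE and noexec_status are made up for this example.

```shell
#!/bin/sh
# Added example: report the active noexec_user_stack setting in /etc/system text.
# SYSTEM_SAMPLE is constructed; on a host you would pass "$(cat /etc/system)".
SYSTEM_SAMPLE='* set noexec_user_stack=1   (commented out: has no effect)
set shmsys:shminfo_shmmax=4294967295
set noexec_user_stack=1
set abort_enable=2'

# noexec_status TEXT -> enabled | disabled | unset | conflicting
noexec_status() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*[*#]/ { next }                  # comment line: ignore it entirely
    {
      line = $0; gsub(/[ \t]+/, " ", line); sub(/^ /, "", line)
      if (line !~ /^set /) next             # only "set" entries assign values
      sub(/^set /, "", line); gsub(/ /, "", line)    # leaves name=value
      split(line, kv, "=")
      if (kv[1] != "noexec_user_stack") next
      seen[(kv[2] ~ /^(1|0x0*1)$/) ? "on" : "off"] = 1
    }
    END {
      if (("on" in seen) && ("off" in seen)) print "conflicting"
      else if ("on" in seen) print "enabled"
      else if ("off" in seen) print "disabled"
      else print "unset"
    }'
}

noexec_status "$SYSTEM_SAMPLE"
```

Because the setting is only read at boot, this checks the file and not the running kernel.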



then, also as root, execute the following:


1) Create the required groups.

     groupadd -g 1001 orainst

     groupadd -g 1002 oradba

     groupadd -g 1003 oraoper


2) Create a project with kernel parameter settings.


At minimum, the database requires the following resources to be set:

max-shm-memory = 4gb

max-file-descriptor = 4096

max-sem-nsems = 1024


The file descriptor setting must not exceed the hard limit. You can check the hard and soft limits with the following commands:


UNIX> ulimit -H -n

UNIX> ulimit -S -n


In projects, use the priv parameter to set the hard limit and basic to set the soft limit for your max-file-descriptor.



   projadd -p 200 -c "Oracle Database Project" \

        -K "project.max-shm-memory=(priv,4294967296,deny)" \

        -K "process.max-sem-nsems=(priv,1024,deny)" \

        -K "process.max-file-descriptor=(basic,4096,deny)"  oracledb


   where:

       -p   assigned project id (is optional)

       -U   list of member users

       -G   list of member group

       -c   comment

       -K   key values

        

   verify changes added in /etc/project

       

   To modify existing project use projmod.

       

       projmod -s -K "project.max-shm-memory=(priv,4gb,deny)" \

               -K "process.max-sem-nsems=(priv,2000,deny)" \

               -K "process.max-file-descriptor=(basic,4096,deny)" oracledb

   

3) Create user - oradb - with assigned project


   useradd -g orainst -G oradba,oraoper -p oracledb -K "project=oracledb" -m \

     -s /bin/ksh -d /export/home/oradb -c "Oracle Database Owner" -u 1001 oradb


   passwd oradb

   

   verify user attributes related to project assignment in /etc/user_attr

   

4) Check All Kernel Resource Settings Of A Current Session

 

4.1) Verify the user's shell settings


   switch to oracle user:

   

     su - oradb

     

   check if oracle user project is not the default:

   

     should be,

     

     UNIX> id -p  

     uid=102(oradb) gid=101(orainst) projid=100(oracle)

     

     and not,

     

     UNIX> id -p  

     uid=102(oradb) gid=101(orainst) projid=3(default)

     

   get taskid of current shell of oracle user:

     

     UNIX> ps -o taskid -p $$

     TASKID

     57


   display resource settings of a task

     

     UNIX> prctl -i task 57

     

4.2) Verify the project default settings   

     Note: There has to be at least one process running that uses

        the project otherwise you get error:

        "prctl: oracle: No controllable process found in task, project, or zone."

        Basic remedy is to open a shell by oracle user.

   

     UNIX> prctl -i project oracle
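
To go with the "verify changes added in /etc/project" step, here is an added example (not from the original page) that audits one project entry against the minimums listed in step 2 and reports whether each control is enforced. It assumes the standard /etc/project layout of six colon-separated fields with attributes separated by semicolons; SAMPLE, the webapp entry and the function name audit_project are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one project's resource controls in /etc/project format:
#   name:projid:comment:users:groups:attr=(privilege,value,action);attr=...
# SAMPLE is constructed; on a host you would pass "$(cat /etc/project)".
SAMPLE='default:3::::
oracledb:200:Oracle Database Project:::process.max-file-descriptor=(basic,4096,deny);process.max-sem-nsems=(priv,1024,deny);project.max-shm-memory=(priv,4gb,deny)
webapp:201:constructed weak entry:::project.max-shm-memory=(priv,1gb,none)'

# audit_project TEXT PROJECT: one line per required control, prefixed
# OK, SOFT (basic: the process owner may change it), FAIL or MISSING.
audit_project() {
  printf '%s\n' "$1" | awk -F: -v proj="$2" '
    function scaled(v,   n, u) {            # expand scaled values such as 4gb
      n = v + 0; u = tolower(v); sub(/^[0-9.]+/, "", u)
      if (u ~ /^k/) n *= 1024
      else if (u ~ /^m/) n *= 1024 * 1024
      else if (u ~ /^g/) n *= 1024 * 1024 * 1024
      return n
    }
    BEGIN {                                 # minimums listed in step 2 above
      m = split("project.max-shm-memory process.max-sem-nsems process.max-file-descriptor", order, " ")
      need[order[1]] = 4294967296; need[order[2]] = 1024; need[order[3]] = 4096
    }
    $1 == proj {
      found = 1
      n = split($6, attr, ";")
      for (i = 1; i <= n; i++) {            # reads the first value tuple only
        split(attr[i], kv, "=")
        gsub(/[()]/, "", kv[2]); split(kv[2], f, ",")
        priv[kv[1]] = f[1]; raw[kv[1]] = f[2]; act[kv[1]] = f[3]
      }
    }
    END {
      if (!found) { print "NOPROJECT " proj; exit }
      for (i = 1; i <= m; i++) {
        k = order[i]
        if (!(k in priv)) { print "MISSING " k; continue }
        why = ""
        if (scaled(raw[k]) < need[k]) why = why " below-minimum"
        if (act[k] != "deny") why = why " action=" act[k]
        if (why != "") status = "FAIL"
        else if (priv[k] == "basic") status = "SOFT"
        else status = "OK"
        print status " " k "=" raw[k] why
      }
    }'
}

audit_project "$SAMPLE" oracledb
```

A control with action none is reported as FAIL because the threshold is recorded but never enforced.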



TO CHECK A LIST OF RUNNING PROCESSES AND THEIR ASSIGNED PROJECTS

     

    UNIX> prstat -J     

   



TO SWITCH THE USER PRIMARY PROJECT TO ANOTHER PROJECT


1. login as the user

2. set a new project for the current log


    newtask -p oracledb -c $$        


         

