While we found it easy to get started creating administrative roles in Solaris 10, the process will require some troubleshooting and investigation to get right. For example, we created a role for software installation tasks by assigning Sun's premade installation rights profile to a new role. However, our new role needed additional privileges to work with the Blastwave third-party software packaging tool. Solaris 10 ships with a tool called ppriv to help administrators sort out which permissions specific applications require to run. Another rights management facility in Solaris 10, called Process Rights Management, enabled us to manage the rights of particular processes running on our systems.

Another method that Solaris 10 offers for isolating applications is the system's new Solaris Zones feature, also called Containers or N1 Grid Containers. This facility, which is similar to the "jails" found in FreeBSD, enables administrators to create virtualized operating system instances, or Zones, in a Solaris 10 machine. Zones function as if they were individual machines, with their own separate network interfaces and, if so configured, separate versions of applications and libraries. Solaris Zones share most of their system files with the host system, or global zone; less than 100MB of files are copied to a new Zone at its creation. In contrast to fully virtualized machine environments, this saves space and reduces administration burdens because upgrades or software installations carried out on the host system can also apply to the virtualized instances.

We were able to create Zones in Solaris 10 by using a handful of terminal commands. The process was straightforward, but we'd love to see a Zone toolbox element for the Solaris Management Console like the one we used to manage roles and privileges. We could also use Solaris 10's resource management features to dole out resources to separate virtualized instances.
Combined with the isolation and environment flexibility that Zones provide, this feature is a good fit for server consolidation tasks.

Another feature in Solaris 10 that should make life easier for system administrators is Predictive Self Healing, which comprises a reworked service manager framework and a new component called Solaris Fault Manager. The service manager introduces a new way of managing services on Solaris that provides for automatic restart of processes that die or are killed improperly, including restarts of all the services on which the fallen service depends. The new manager also allows for snapshots of working service configurations and provides more verbose status information on running or failing services. Solaris Fault Manager is a subsystem that receives error messages and other data from services and hardware, interprets that data and kicks off appropriate actions such as taking a failing CPU offline and notifying an administrator.

Another notable tool introduced in Solaris 10 is DTrace, which lets developers and system administrators peer more deeply into the workings of Solaris and the applications that run on it than they can with tools such as Sun's truss. Perhaps most important, DTrace offers these insights without requiring that examined applications be stopped or modified. In addition, the tool is designed to be run safely on production machines, making DTrace a good fit for optimizing systems in realistic surroundings. Users interact with DTrace through commands and scripts written in a Sun-developed language called D, which is close in syntax to C. DTrace is an open-ended tool, so to get good results with DTrace, it's helpful to have good familiarity with the applications being diagnosed.

Solaris 10 marks the release of Version 3 of Sun's JDS, one of the graphical interface options for Solaris. (Sun's venerable Common Desktop Environment is also available for installation.)
The JDS environment is based on GNOME 2.6, which provides a good desktop experience. This is despite the fact that it's a version older than the GNOME 2.8 environment that Red Hat Enterprise Linux 4 includes, lacking such features as Version 2 of the Evolution groupware client. Solaris 10 includes Evolution 1.4, which lacks the integrated spam-blocking of the newer version. However, JDS 3, which is rounded out by the StarOffice 7 productivity suite and the Mozilla Web browser, makes Solaris 10 a solid desktop system, particularly for developers who can take advantage of Solaris 10 development and testing goodies like DTrace and Zones.
For example, where a name-service administrator role might enable a standard user to take on elevated rights to manage that service, Process Rights Management can limit the hardware and data resources that the name-service process is allowed to access. As a result, if the name service were compromised by an attacker, the potential damages would be limited to the resources available to that process through Process Rights Management.
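
How the ppriv privilege debugging mentioned earlier can be reduced to a short list of privileges to review before granting them to a role (an added example, not from the original review; the log lines are constructed in the message format that `ppriv -D` debugging prints, and the function names are hypothetical):

```shell
#!/bin/sh
# Summarise privilege-debugging output into the set of privileges a
# command was denied, so only those are considered for the role.

# Constructed sample: process names, PIDs, syscall numbers and kernel
# addresses are made up; only the message layout matters here.
sample_log() {
cat <<'EOF'
pkg-get[2114]: missing privilege "file_dac_write" (euid = 101, syscall = 5) needed at ufs_iaccess+0xd2
wget[2120]: missing privilege "net_privaddr" (euid = 101, syscall = 232) needed at tcp_bind+0x1a4
pkg-get[2114]: missing privilege "file_dac_write" (euid = 101, syscall = 5) needed at ufs_iaccess+0xd2
pkgadd[2131]: missing privilege "file_chown" (euid = 101, syscall = 16) needed at secpolicy_vnode_chown+0x2c
some unrelated line from the command's own output
EOF
}

# missing_privs: read debug output on stdin and print each denied
# privilege once, sorted, one per line. Other lines are ignored.
missing_privs() {
    sed -n 's/^[^:]*\[[0-9][0-9]*\]: missing privilege "\([a-z_]*\)".*/\1/p' |
        LC_ALL=C sort -u
}

# priv_list: the same set as a comma-separated list, the form in
# which privilege sets are written.
priv_list() {
    missing_privs | paste -s -d, -
}

# by_process: "process privilege count" per line, to see which
# program in a pipeline actually triggered each denial.
by_process() {
    sed -n 's/^\([^[]*\)\[[0-9]*\]: missing privilege "\([a-z_]*\)".*/\1 \2/p' |
        LC_ALL=C sort | uniq -c | awk '{print $2, $3, $1}'
}

sample_log | priv_list
```

On a Solaris 10 host the input would come from running the failing command under `ppriv -e -D` as the role and capturing its standard error.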