Javi's blog Javier Conde

I often receive questions from colleagues and customers about guidelines to apply on a system after the installation of Solaris.

A lot of people keep installing the "Entire distribution", which gives you ~4 GB of binaries and libraries, most of which you will never use. With the size of the actual disks, this is not a problem anymore.

The less known part of this is that there are some applications that are started by default, and that require a lot of memory... And that are never used in a server. Stopping these applications can reduce the memory used by Solaris and will give you more space to run your applications.

If you have Solaris Zones running on it, you multiply this amount of memory used by the number of zones, and this time, there is a big impact. Same thing when you have ldoms and you need to adjust the memory assigned to each domain. Also, if you don't put a sysidcfg file before you start the zone for the first time, the "Secure By Default" is not active and the questions is not asked during the zone identification.

Solaris 10 allows you to install the OS with the "Secure By Default" option. On OpenSolaris, this is the default mode. With this mode, all the non-secure services are disabled and some others remain enabled, but listening only on localhost. More information about the "Secure By Default" option can be found at http://opensolaris.org/os/community/security/projects/sbd/sbd_design/

Even in the "Secure By Default" mode, there are a number of applications that are enabled and in most of the cases, they are never used.

The following example is done in a Solaris Zone, just after the installation. After the first boot of the zone, the memory footprint is quite important:

ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE                             0       60  736M  784M    38%  20:15:11 0.2% global                           3       32  158M  228M    11%   0:00:53 0.1% jco

So by default, there are 32 process running and 228 MB of RAM used.

After activating the "Secure by Default", things don't change too much

root@jco# netservices limited restarting syslogd restarting sendmail restarting wbem dtlogin needs to be restarted. Restart now? [Y] restarting dtlogin root@jco# init 6 root@global# prstat -Z ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE                             4       24  148M  218M    11%   0:00:52  34% jco

Still 24 process and 218MB of RAM...

Taking a look to the services still running, there are a list of them that can be safely disabled. The zone is intended to run an application, and all the rest is not needed. Services like the graphical login or the webconsole are rarely used. Here is a list with an example of services that can be disabled:

svc:/system/filesystem/autofs:default svc:/network/rpc/bind:default svc:/network/inetd:default svc:/application/management/wbem:default svc:/network/smtp:sendmail svc:/application/font/fc-cache:default svc:/application/cde-printinfo:default svc:/application/graphical-login/cde-login:default svc:/network/rpc/gss:default svc:/application/font/stfsloader:default svc:/network/rpc/smserver:default svc:/system/filesystem/volfs:default svc:/network/security/ktkt_warn:default svc:/network/rpc/cde-ttdbserver:tcp svc:/network/rpc/cde-calendar-manager:default svc:/network/rpc-100235_1/rpc_ticotsord:default svc:/system/webconsole:console

After disabling it, the zone is now running very light:

ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE 4       13   23M   25M   1.2%   0:00:16 0.0% jco

With this little tuning, the memory overhead of using Solaris Zones is reduced.