The steps are what Jeff described:

. create a zone with a shared stack
. set the limitpriv to "basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource"
  (the default minus some privs)
. set the ip-type to exclusive
. attempt a boot

zone z-b2 on data1.sfbay is sitting in that state if you wanna take a look.

bash-3.00# zonecfg -z z-b2 info
zonename: z-b2
zonepath: /opt/z-b2
brand: native
autoboot: false
bootargs:
pool:
limitpriv: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource,sys_ip_config
scheduling-class:
ip-type: shared
inherit-pkg-dir:
        dir: /usr
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /opt

Kais.

Dong-Hai Han wrote:
> Could you please give more information, like the output of zonecfg info
> and the steps you used?
>
> Best,
>
> Donghai.
>
> Kais Belgaied Wrote:
>
>> Jeff Victor wrote:
>>
>>> Zones marked "set ip-type=exclusive" automatically get the privilege
>>> sys_ip_config added to the default limit set. If I have customized
>>> a zone's limit set, and *then* mark it exclusive-IP, will the
>>> sys_ip_config priv be added to the customized list, or will the list
>>> be replaced with the default set plus sys_ip_config?
>>>
>>
>> Setting the exclusive ip-type just adds net_rawaccess and
>> sys_ip_config to the 'default' set.
>>
>> If you have customized the zone's limit set by adding privileges to
>> the 'default' set, then setting
>> ip-stack=exclusive later will just add net_rawaccess and
>> sys_ip_config to the new 'L' set.
>>
>> If you have reduced the 'default', then set ip-stack=exclusive, the
>> zone fails to verify and boot:
>>
>> # zoneadm -z z-b2 boot
>> required privilege "sys_ip_config" is missing from the zone's
>> privilege set
>> zoneadm: zone z-b2 failed to verify
>>
>> Now, if you try to manually add "sys_ip_config" from zonecfg, then
>> you'll see the following failure:
>>
>> # zoneadm -z z-b2 boot
>> privilege "sys_ip_config" is not permitted within the zone's
>> privilege set
>> zoneadm: zone z-b2 failed to verify
>>
>> Please go ahead and file a bug.
>>
>>
>> Thanks,
>>
>> Kais.
>> _______________________________________________
>> crossbow-discuss mailing list
>> crossbow-discuss at opensolaris.org
>> http://opensolaris.org/mailman/listinfo/crossbow-discuss
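Added example, not code from the thread or from the OpenSolaris zones tooling: a POSIX sh pre-boot check that applies the rule Kais states (an exclusive-IP zone needs net_rawaccess and sys_ip_config in its privilege set) to the limitpriv line of "zonecfg -z ZONE info" output, so a reduced limitpriv shows up before zoneadm boot fails to verify. The zonecfg output it parses is constructed here, modelled on the output above; the helper names (zonecfg_field, missing_privs, check_zone_privs) are this example's own. It does only the set arithmetic Kais describes and does not replicate zoneadm's verify logic, so a pass here says nothing about the second failure in the thread, where sys_ip_config added by hand is reported as "not permitted".

```shell
#!/bin/sh
# Pre-boot check of a zone's limitpriv against its ip-type. Added example;
# the membership rule (exclusive IP needs net_rawaccess and sys_ip_config)
# is taken from Kais' reply in the thread, nothing else is assumed about zonecfg.

# Privileges an exclusive-IP zone must carry, per the thread.
EXCLUSIVE_IP_PRIVS="net_rawaccess sys_ip_config"

# zonecfg_field KEY < info-text : print the value of the first "KEY: value"
# line of zonecfg info output (empty if the field has no value).
zonecfg_field() {
    awk -v key="$1:" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# missing_privs LIMITPRIV PRIV... : print, space separated, each PRIV absent
# from the comma-separated LIMITPRIV list (whitespace from mail line wraps is dropped).
missing_privs() {
    lp=$(printf '%s' "$1" | tr -d ' \t\n'); shift
    out=""
    for p in "$@"; do
        case ",$lp," in
            *",$p,"*) ;;
            *) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_zone_privs < info-text : exit 0 for a shared-IP zone, or an
# exclusive-IP zone whose limitpriv carries every required privilege;
# otherwise print the missing privileges and exit 1.
check_zone_privs() {
    info=$(cat)
    iptype=$(printf '%s\n' "$info" | zonecfg_field ip-type)
    limitpriv=$(printf '%s\n' "$info" | zonecfg_field limitpriv)
    [ "$iptype" = "exclusive" ] || return 0
    missing=$(missing_privs "$limitpriv" $EXCLUSIVE_IP_PRIVS)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed zonecfg info output (not real data1.sfbay output): a reduced
# limitpriv without sys_ip_config or net_rawaccess, with ip-type exclusive.
REDUCED_ZONE='zonename: z-b2
zonepath: /opt/z-b2
brand: native
autoboot: false
limitpriv: basic,contract_event,contract_observer,file_chown,file_dac_read,proc_owner,sys_mount
ip-type: exclusive
inherit-pkg-dir:
        dir: /usr'

# The same constructed zone with the two privileges the thread names appended.
FIXED_ZONE=$(printf '%s\n' "$REDUCED_ZONE" | sed 's/^limitpriv: .*/&,net_rawaccess,sys_ip_config/')

# report LABEL < info-text : one-line human readable verdict.
report() {
    if missing=$(check_zone_privs); then
        echo "$1: exclusive-IP privilege check ok"
    else
        echo "$1: would fail to verify, missing: $missing"
    fi
}

printf '%s\n' "$REDUCED_ZONE" | report "z-b2 (reduced limitpriv)"
printf '%s\n' "$FIXED_ZONE" | report "z-b2 (limitpriv + net_rawaccess,sys_ip_config)"
```

On a real host, replace the constructed text with `zonecfg -z z-b2 info | check_zone_privs`; the function reads zonecfg output from stdin and ignores every field except ip-type and limitpriv.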