Hello, Kais,

Thanks for the info. The output of zonecfg shows that its ip-type is shared; that's why it cannot have sys_ip_config, it's by design. Looks like you changed ip-type in between your tests.
Best,

Donghai.

Kais Belgaied wrote:
> The steps are what Jeff described:
> . create a zone with a shared stack
> . set the limitpriv to
> "basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource"
> (the default minus some privs)
> . set the ip-type to exclusive
> . attempt a boot
>
> zone z-b2 on data1.sfbay is sitting in that state if you wanna take a look.
>
> bash-3.00# zonecfg -z z-b2 info
> zonename: z-b2
> zonepath: /opt/z-b2
> brand: native
> autoboot: false
> bootargs:
> pool:
> limitpriv: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource,sys_ip_config
> scheduling-class:
> ip-type: shared
> inherit-pkg-dir:
>     dir: /usr
> inherit-pkg-dir:
>     dir: /lib
> inherit-pkg-dir:
>     dir: /opt
>
> Kais.
>
> Dong-Hai Han wrote:
>> Could you please give more information, like the output of zonecfg info
>> and the steps you used?
>>
>> Best,
>>
>> Donghai.
>>
>> Kais Belgaied wrote:
>>> Jeff Victor wrote:
>>>> Zones marked "set ip-type=exclusive" automatically get the privilege
>>>> sys_ip_config added to the default limit set. If I have customized
>>>> a zone's limit set, and *then* mark it exclusive-IP, will the
>>>> sys_ip_config priv be added to the customized list, or will the list
>>>> be replaced with the default set plus sys_ip_config?
>>>
>>> Setting the exclusive ip-type just adds net_rawaccess and
>>> sys_ip_config to the 'default' set.
>>>
>>> If you have customized the zone's limit set by adding privileges to
>>> the 'default' set, then setting ip-stack=exclusive later will just add
>>> net_rawaccess and sys_ip_config to the new 'L' set.
>>>
>>> If you have reduced the 'default', then set ip-stack=exclusive, the
>>> zone fails to verify and boot:
>>>
>>> # zoneadm -z z-b2 boot
>>> required privilege "sys_ip_config" is missing from the zone's privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Now, if you try to manually add "sys_ip_config" from zonecfg, then
>>> you'll see the following failure:
>>>
>>> # zoneadm -z z-b2 boot
>>> privilege "sys_ip_config" is not permitted within the zone's privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Please go ahead and file a bug.
>>>
>>> Thanks,
>>>
>>> Kais.
>>> _______________________________________________
>>> crossbow-discuss mailing list
>>> crossbow-discuss at opensolaris.org
>>> http://opensolaris.org/mailman/listinfo/crossbow-discuss
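The two verify failures quoted above (an explicit limitpriv that drops sys_ip_config on an exclusive-IP zone, and sys_ip_config named on a shared-stack zone) can be spotted in the zonecfg output before anyone runs zoneadm. The script below is an added example, not code from this thread or from OpenSolaris. It assumes the "ip-type:" and "limitpriv:" lines of `zonecfg -z ZONE info` are each on one line (a wrapped limitpriv must be joined first), and it treats a limitpriv value beginning with "default" as the default-set form that zoneadm extends itself; that reading of Kais's explanation is mine, the thread does not state it.

```shell
#!/bin/sh
# Added example, not part of the thread: check a zone's limitpriv against its
# ip-type for the two inconsistencies the thread describes.
#
# Usage:  zonecfg -z ZONE info | check_zone_privs
# Prints one line; returns 0 if consistent, 1 if zoneadm would refuse to verify.
#
# Assumptions (mine, not stated in the thread):
#   - "ip-type:" and "limitpriv:" each appear on a single line;
#   - a limitpriv starting with "default" (or left empty) is the default set,
#     which zoneadm extends with sys_ip_config for exclusive zones itself;
#   - any other non-empty limitpriv is an explicit list and must name
#     sys_ip_config for an exclusive zone.

# has_priv LIST PRIV: true if the comma-separated LIST names PRIV exactly.
has_priv() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

check_zone_privs() {
    cfg=$(cat)
    ip_type=$(printf '%s\n' "$cfg" | awk -F': *' '$1 == "ip-type" { print $2 }')
    limitpriv=$(printf '%s\n' "$cfg" | awk -F': *' '$1 == "limitpriv" { print $2 }')

    case "$ip_type" in
    shared)
        # The thread's z-b2 case: sys_ip_config is not permitted in a
        # shared-stack zone, so the boot fails verify.
        if has_priv "$limitpriv" sys_ip_config; then
            echo "MISMATCH: ip-type=shared but limitpriv names sys_ip_config (not permitted in a shared-stack zone)"
            return 1
        fi
        ;;
    exclusive)
        case "$limitpriv" in
        ""|default|default,*)
            : # default-set form: zoneadm adds sys_ip_config (and net_rawaccess) itself
            ;;
        *)
            # Explicit list ("basic,..." as in the thread): the privilege must be
            # present, otherwise "required privilege sys_ip_config is missing".
            if ! has_priv "$limitpriv" sys_ip_config; then
                echo "MISMATCH: ip-type=exclusive with an explicit limitpriv that lacks sys_ip_config (boot will fail verify)"
                return 1
            fi
            ;;
        esac
        ;;
    *)
        echo "MISMATCH: unknown or missing ip-type '$ip_type'"
        return 1
        ;;
    esac
    echo "OK: ip-type=$ip_type is consistent with limitpriv"
    return 0
}

# Constructed sample, shortened from the z-b2 output posted in the thread.
sample_z_b2='zonename: z-b2
zonepath: /opt/z-b2
limitpriv: basic,contract_event,net_privaddr,sys_admin,sys_ip_config
ip-type: shared'

printf '%s\n' "$sample_z_b2" | check_zone_privs || echo "(z-b2 as posted would fail to verify)"
```

Run it against a live zone with `zonecfg -z ZONE info | check_zone_privs`; a non-zero exit means the next `zoneadm boot` will fail verify for one of the two reasons the thread shows, so the fix is to align ip-type and limitpriv in zonecfg first.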