Re: [zones-discuss] Problem downloading packages within non-global zone

2009-07-29 Thread Steffen Weiberle

On 07/29/09 02:47, Jack LING wrote:

> by default, the network configuration of the global zone is set to auto-detect.
> I think this should be dhcp?
> 
> Reading Solaris System Administration documentation, the hostname.interface
> file(s) under the /etc/inet directory are used for setting the static IP address
> of interface(s). I don't know whether OpenSolaris is using the same model? Does it
> actually store network settings somewhere when I manually adjust the network
> settings at the icon shown on the tray?
> 
> Since the configuration details are from dhcp, I don't know where to put/modify
> settings like the DNS server (after the initial network settings for the 1st
> time login) in the non-global zone. Which command can I use to find out the DNS
> settings in the global zone?
> 
> thanks,
> jackling


If using shared-IP, you can't use DHCP in a non-global zone. You will 
have to configure it manually, via an /etc/sysidcfg file on initial 
boot, or as Jordan said, answering questions during initial boot after 
logging into the zone's console using 'zlogin -C '.


You will have to enter things such as your DNS server (if you want to).

If you are using exclusive IP, the /etc/sysidcfg file can have all the 
network information, or you again do it via the prompts on boot.


For a DHCP version of the sysidcfg file, see 
http://blogs.sun.com/stw/entry/crossbow_is_delivered_traveling_vnics


Below are sample sysidcfg files I have lying around. I don't set up DNS. 
See 'man sysidcfg' to get examples of that.


Steffen

NOTE: the root_password fields have been modified

# cat shared17.sysidcfg
terminal=xterm
system_locale=C
network_interface=primary {
hostname=shared17
protocol_ipv6=no
}
security_policy=NONE
name_service=NONE
timezone=US/Eastern
timeserver=localhost
nfs4_domain=dynamic
root_password="foo-bar"
service_profile=limited_net

# cat master.sysidcfg
terminal=xterm
system_locale=C
network_interface=primary {
hostname=master
ip_address=10.1.111.151
netmask=255.255.255.192
protocol_ipv6=no
default_route=10.1.111.129
}
security_policy=NONE
name_service=NONE
timezone=US/Eastern
timeserver=localhost
nfs4_domain=dynamic
root_password="foo-bar"
service_profile=limited_net
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] Zone copy in Live Upgrade

2009-07-29 Thread Steve Lawrence
On Wed, Jul 29, 2009 at 08:43:05AM +0200, Martin Rehak wrote:
> Hi Steve,
> 
> On 2009.07.23 14:34:22 -0700, Steve Lawrence wrote:
> > On Thu, Jul 23, 2009 at 09:14:55AM +0200, Martin Rehak wrote:
> > > Hi Steve,
> > > 
> > > On 2009.07.22 12:32:01 -0700, Steve Lawrence wrote:
> > > > The issue is that from the global zone context (non-zlogin), stuff like
> > > > symbolic links to something like /etc could copy files from the global
> > > > zone.
> > > 
> > > I don't understand it. cpio preserves symlinks, so symlinks will appear
> > > just like symlinks in NGZ and files as a files. That means no mapping/no
> > > risk. Am I right?
> > > 
> > > > I'm not sure why this is dangerous in this case, as we are only reading
> > > > from the zone, as cpio does not traverse/open sym links, it just copies
> > > > the link itself.
> > 
> > I don't see a problem with it, but you should get feedback from others as 
> > well.
> > I see a problem with the current implementation.  A spoofed cpio program in
> > an evil non-global zone could create a destructive cpio stream.  The
> > cpio -icdmP@ in the global zone could write to /.
> > 
> > Another solution could be to do the restore within the context of the
> > zlogin, to a path mounted within the zone's root.
> 
> I see.
> 
> Is there any reason why we are doing a zone copy in the zlogin at all?
> Which problems would we face if we copy a zone from global zone. That
> would eliminate problems with evil zone environment completely.

I don't see one, but check with the install team.  I'm also not sure what
is being copied here.  Is this clause to copy the "/" filesystem inside
a zone, or just those added via "add fs".  If the latter, I'm not sure why
they are being copied.  Does LU treat any of the zone's filesystems as
"shared between BE's", similar to how it treats /export/home in the global
zone?

-Steve L.

> 
> Many thanks
> -- 
> Martin
> 
> > -Steve L.
> > 
> > > 
> > > That's what I think.
> > > 
> > > > Does this all end up going through zlogin one byte at a time?
> > > 
> > > Yes, the whole stream goes through zlogin from NGZ to GZ where it is
> > > expanded.
> > > 
> > > What would be the problem if we wouldn't use any zlogin? Just a cpio on
> > > zone root to a cpio to other zone root? What is the risk there?
> > > 
> > > Thank you
> > > -- 
> > > Martin
> > > 
> > > > -Steve
> > > > 
> > > > On Wed, Jul 22, 2009 at 04:57:47PM +0200, Martin Rehak wrote:
> > > > > Hi,
> > > > > 
> > > > > I am trying to get Live Upgrade better by reimplementing some parts of
> > > > > the code. What I am not sure of is whether it is safe to do a copy of
> > > > > non global zone imports (filesystems dedicated to a zone in its config)
> > > > > from the global zone.
> > > > > 
> > > > > This is existing code (lucopy.sh:1808, install-nv-clone):
> > > > > http://grok.czech.sun.com:8080/source/xref/install-nv-clone/usr/src/cmd/inst/liveupgrade/scripts/lucopy.sh
> > > > > 
> > > > > 1808  (
> > > > > 1809  fgrep -xv $mountpoint /tmp/lucopy.zonefs.$$
> > > > > 1810  cat /tmp/lucopy.zoneipd.$$
> > > > > 1811  ) | sed 's+.*+^&/+' |
> > > > > 1812  zlogin $ozonename \
> > > > > 1813  "cat > /tmp/lucopy.excl.$$; \
> > > > > 1814  (
> > > > > 1815  if [ -s /tmp/lucopy.excl.$$ ]; then
> > > > > 1816  cd $zroot$mountpoint && \
> > > > > 1817  find . -depth -print | \
> > > > > 1818  egrep -vf /tmp/lucopy.excl.$$ | \
> > > > > 1819  cpio -ocmP@
> > > > > 1820  else
> > > > > 1821  cd $zroot$mountpoint && \
> > > > > 1822  find . -depth -print | cpio -ocmP@
> > > > > 1823  fi
> > > > > 1824  )" |
> > > > > 1825  ( cd $tdir && cpio -icdmP@ )
> > > > > 1826  lulib_unmount_pathname $tdir
> > > > > 
> > > > > To describe it, I would say that it will zlogin into the non global
> > > > > zone, generate there a listing which it sends onto stdin of cpio, which
> > > > > writes an archive on its stdout. That archive is directed to the
> > > > > stdin of cpio running _OUTSIDE_ the zone (in the global zone) which
> > > > > finally expands it and writes it to a target directory.
> > > > > 
> > > > > Unfortunately, a few lines above there is this comment:
> > > > > 
> > > > > 1769  # Mount each non-lofs zone import in a temporary location
> > > > > 1770  # and copy over the bits that belong there, extracted from
> > > > > 1771  # the running zone.  We are now reaching through zone-
> > > > > 1772  # controlled paths and thus must be extremely careful.
> > > > > 1773  # Direct copies are not safe.
> > > > > 
> > > > > And the question is: What can happen if I simply do not generate the
> > > > > listing and the archive inside the zone but do it in the global
> > > > > zone using 'cpio -p'?
> > > > > 
> > > > > If I generalize the problem a little bit more, I would like to know your
> > > > > opinion about my idea of copying whole BE inclu
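
The stream-spoofing risk Steve describes above (a hostile cpio inside the zone emitting records that the `cpio -icdmP@` in the global zone would then write to `/`, or through a symlink into the global zone's own tree) can be screened for before anything is extracted. The following is an added example, not code from the thread or from Live Upgrade; it assumes the stream is in the portable ASCII cpio format that `cpio -c` writes (magic 070707) and lists the entries that would land outside the extraction directory. The sample stream is constructed inline.

```python
# Added example, not code from the thread or from Live Upgrade. Assumes the
# portable ASCII cpio format that `cpio -c` writes (magic 070707): a 76-byte
# header of octal fields, a NUL-terminated name, then the data (symlink target).
ODC_MAGIC, S_IFMT, S_IFLNK = b"070707", 0o170000, 0o120000

def iter_odc(stream: bytes):
    """Yield (name, mode, data) per entry until the TRAILER!!! record."""
    off = 0
    while off + 76 <= len(stream):
        hdr = stream[off:off + 76]
        if hdr[:6] != ODC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        mode = int(hdr[18:24], 8)        # c_mode
        namesize = int(hdr[59:65], 8)    # c_namesize, counts the NUL
        filesize = int(hdr[65:76], 8)    # c_filesize
        name = stream[off + 76:off + 75 + namesize].decode()
        off += 76 + namesize
        data, off = stream[off:off + filesize], off + filesize
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def escapes(path: str) -> bool:
    """True when a path is absolute or climbs out through a '..' component."""
    return path.startswith("/") or ".." in path.split("/")

def unsafe_entries(stream: bytes):
    """List (name, reason) for entries that could land outside the target dir."""
    findings = []
    for name, mode, data in iter_odc(stream):
        link = data.decode(errors="replace") if (mode & S_IFMT) == S_IFLNK else ""
        if escapes(name):
            findings.append((name, "path escapes extraction directory"))
        elif link and escapes(link):   # later entries could write through it
            findings.append((name, "symlink target escapes: " + link))
    return findings

def odc_entry(name: str, mode: int, data: bytes = b"") -> bytes:
    """Constructed test helper: encode one record (ids and times zeroed)."""
    n = name.encode() + b"\0"
    return ODC_MAGIC + b"%06o%06o%06o%06o%06o%06o%06o%011o%06o%011o" % (
        0, 0, mode, 0, 0, 1, 0, 0, len(n), len(data)) + n + data

# Constructed sample: a benign entry beside records a spoofed cpio could emit.
SAMPLE = (odc_entry("./etc/motd", 0o100644, b"hello\n")
          + odc_entry("/etc/passwd", 0o100644, b"root::0:0::/:/bin/sh\n")
          + odc_entry("./../../etc/shadow", 0o100600, b"x")
          + odc_entry("./etc/link", 0o120777, b"/etc")
          + odc_entry("TRAILER!!!", 0))
```

Running `unsafe_entries(SAMPLE)` flags the absolute path, the `..` traversal and the symlink into `/etc`, and leaves `./etc/motd` alone; a stream with any finding should be rejected rather than handed to `cpio -i`.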

Re: [zones-discuss] [networking-discuss] Problem downloading packages within non-global zone

2009-07-29 Thread James Carlson
Jack LING wrote:
> by default, the network configuration of the global zone is set to 
> auto-detect. I think this should be dhcp?
> 
> Reading Solaris System Administration documentations, hostname.interface 
> file(s) under the /etc/inet directory is used for setting static ip address 
> of interface(s).

No.  That would be /etc/hostname.interface, not
/etc/inet/hostname.interface.

And that's useful only if you disable NWAM (physical:nwam) and enable
the legacy service (physical:default).

> I don't know whether OpenSolaris is using the same model? Does it
> actually store network settings somewhere when I manually adjust the
> network settings at the icon shown on the tray?
> 
> Since the configuration details are from dhcp, I don't know where to 
> put/modify in settings like dns server (after the initial network settings 
> for the 1st time login) to the non-global zone.

Generally, if you're using DHCP, you'll want to set up such things on
the DHCP server.

But it is possible to modify the /etc/default/dhcpagent file to tell the
DHCP client to avoid getting certain kinds of information from the
server, and then you can statically configure those things if you want.

It sort of defeats the whole purpose of DHCP, but it's certainly
supported.  See the dhcpagent(1M) man page for details.

>  Which command I can use to know the dns settings in the global zone?

Get shell access in the global zone and examine the /etc/resolv.conf and
/etc/nsswitch.conf files.

-- 
James Carlson 42.703N 71.076W 