Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 Nov 2010, at 10:50, Orvar Korvar wrote:

> petrben,
>
> Yes that is my question too: is running in a local zone safer? That is why I created this thread.
>
> I was thinking something like this: If someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.
>
> To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.

There is probably no need to shut down the NIC in the global zone. As long as you configure the zone to use exclusive IP and make sure the zone is on a separate subnet from the global zone and there is no routing between the subnets, you should be fine.
You could also use the crossbow features to create an internal network and do all kinds of firewalling between your VBox zone and the rest of the world.

Paul

> But you say something like: if a hacker takes control over VBox, then he also gets inside the kernelspace and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?

___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Not all zones will start at system boot on b133
On 9 Mar 2010, at 00:26, Jordan Vaughan wrote:

> Hi Paul,
>
> I wrote the code that introduced the zcons (zone console) ioctl that's failing on your system. I'll investigate this problem as soon as possible. Does this problem occur consistently (i.e., every time you boot your system)? Does it ever happen when you manually boot a zone?

Yes, as far as I can tell zones fail to boot on each boot. I upgraded to 134 yesterday and after the reboot to enable b134 3 out of 8 zones had not booted.
If you need more info or logging please let me know.

Paul

> Thanks,
> Jordan
>
> On 03/ 1/10 04:20 AM, Paul van der Zwan wrote:
>> When I boot my b133 system not all zones will get started, even when they are marked with auto-boot = yes.
>> In the smf log /var/svc/log/system-zones:default.log I see:
>>
>> [ Feb 26 21:14:44 Enabled. ]
>> [ Feb 26 21:15:09 Executing start method (/lib/svc/method/svc-zones start). ]
>> Booting zones: webzone mailzone buildzone dns devERROR: error while acquiring slave handle of zone console for dev: No such device or address
>> console setup: device initialization failed
>> ERROR: error while acquiring slave handle of zone console for buildzone: No such device or address
>> console setup: device initialization failed
>> zone 'dev': could not start zoneadmd
>> zoneadm: zone 'dev': call to zoneadmd failed
>> zone 'buildzone': could not start zoneadmd
>> zoneadm: zone 'buildzone': call to ERROR: error while acquiring slave handle of zone console for mailzone: No such device or address
>> console setup: device initialization failed
>> zoneadmd failed
>> zone 'mailzone': could not start zoneadmd
>> zoneadm: zone 'mailzone': call to zoneadmd failed
>> .
>> [ Feb 26 21:15:24 Method start exited with status 0. ]
>>
>> When I do a zoneadm boot for the zones that have failed to boot they start without any problem.
>>
>> Any ideas ?
>>
>> Paul
[zones-discuss] Error on zoneadm attach -u when going from b132 to b133
I upgraded my system from b132 to b133 this weekend and I got error messages when I ran attach -u to upgrade my zones.
The second run of the install of updated packages fails. In the log I find:

$ pfexec cat /var/tmp/dns.attach_log.sCaydi
[Saturday, 20 February 2010 20:57:50 CET] Log File: /var/tmp/dns.attach_log.sCaydi
[Saturday, 20 February 2010 20:57:52 CET] Attaching...
[Saturday, 20 February 2010 20:57:52 CET] existing
[Saturday, 20 February 2010 20:57:52 CET]
[Saturday, 20 February 2010 20:57:52 CET] Sanity Check: Passed. Looks like an OpenSolaris system.
pkg: 'network/ftp' matches multiple packages
  network/ftp
  service/network/ftp
'network/dns/bind' matches multiple packages
  service/network/dns/bind
  network/dns/bind
'network/ssh' matches multiple packages
  network/ssh
  service/network/ssh

If I run attach -u a second time it attaches without doing anything, or giving an error.
Are my zones OK or are they partly upgraded ?

Paul
Re: [zones-discuss] Error on zoneadm attach -u when going from b132 to b133
On 22 Feb 2010, at 12:02, Frank Batschulat (Home) wrote:

> On Mon, 22 Feb 2010 11:49:46 +0100, Paul van der Zwan paul.vanderz...@sun.com wrote:
>
>> I upgraded my system from b132 to b133 this weekend and I got error messages when I ran attach -u to upgrade my zones.
>> The second run of the install of updated packages fails. In the log I find:
>>
>> [...]
>>
>> If I run attach -u a second time it attaches without doing anything, or giving an error.
>> Are my zones OK or are they partly upgraded ?
>
> I think exactly this issue is listed in the 133 release notes, and it states running a 2nd attach will work.
> If our marvellous opensolaris.org system would work you could read the 133 release notes here on the indiana discuss alias:
> http://opensolaris.org/jive/thread.jspa?threadID=124275

That seems to be it. Must have missed it.

Thanks
Paul

> ---
> frankB
Re: [zones-discuss] [osol-discuss] Error on zoneadm attach -u when going from b132 to b133
On 22 Feb 2010, at 12:26, Alan Burlison wrote:

> Paul van der Zwan wrote:
>
>> If I run attach -u a second time it attaches without doing anything, or giving an error.
>> Are my zones OK or are they partly upgraded ?
>
> Sounds like an issue mentioned in the release notes:
> http://mail.opensolaris.org/pipermail/opensolaris-announce/2010-February/001411.html
> http://defect.opensolaris.org/bz/show_bug.cgi?id=14673

That seems to be it. Glad I did what the release notes say I should have done ;-)

Thanks
Paul

> --
> Alan Burlison
> --
Re: [zones-discuss] [osol-discuss] GDM connect to GDM in a zone ?
On 2 Feb 2010, at 00:54, Brian Cameron wrote:

> Paul:
>
>> Is it possible to run GDM inside a zone on b131 ? I would like to have a zone I can use to run stuff like netbeans etc in, and I don't want to use the global zone for that.
>
> I would think that it should be possible, though I have not tried it myself.
>
>> As far as I can tell the gdm smf service depends on dbus and that is marked as global zone only.
>
> I do not believe that GDM depends on the system D-Bus service. Instead, D-Bus and ConsoleKit communicate with each other via D-Bus. So, it depends on D-Bus, but not the system D-Bus instance.

Well, according to the default SMF configuration it seems to. Maybe this is a bogus dependency but that's the way the system is configured by default.
I'll see what happens if I delete the dependency from SMF.

> So, this should not be an issue, I'd think. If anything, there may be an issue with the battery status applet in GDM not working properly if it cannot connect to the system D-Bus, though that may not be an issue if you are using a server that does not run on a battery.

It is on a server so that applet would not be useful anyway.

>> One more complication is that gdm is missing the old dtlogin option to select a remote host to connect to. Or is that option hidden/disabled by default ?
>
> The new GDM does support running as an XDMCP server and supports running XDMCP clients via indirect queries. However, it currently does not support the ability to launch the XDMCP chooser from the login screen. This is a known regression:
> https://bugzilla.gnome.org/show_bug.cgi?id=592976

Is there anything I need to configure to have gdm be an XDMCP server ?
Is there any other way to connect to a xdmcp server from gdm ?

> Brian
[zones-discuss] GDM connect to GDM in a zone ?
Is it possible to run GDM inside a zone on b131 ? I would like to have a zone I can use to run stuff like netbeans etc in, and I don't want to use the global zone for that.
As far as I can tell the gdm smf service depends on dbus and that is marked as global zone only.
One more complication is that gdm is missing the old dtlogin option to select a remote host to connect to. Or is that option hidden/disabled by default ?

TIA
Paul
[zones-discuss] Downgrading zones on Opensolaris 2009.x ( b131)
I have upgraded my Opensolaris system to b131 and followed the zoneadm detach/attach -u procedure to upgrade my zones to b131 as well.
Unfortunately I am running into bug 6912829 ( causes panic on zoneadm halt ) quite often.
Downgrading the global zone by beadm activating my old be is easy. But how do I get my zones back ?
Zoneadm attach complains that the zone is a newer rev than the global zone and that the global zone should be upgraded…

TIA
Paul
Re: [zones-discuss] Zone with IP address from a different subnet
James Carlson writes:

> Steffen Weiberle writes:
>
>> BTW, this only works for default routes. Static ones don't work. At least that is my/others' experience.
>
> That's not true. Default routes are not supposed to be special. They're just regular network routes that happen to have 0/0 as a destination.
>
> Eh ... nuts. I forgot about the special strangeness around default routes in zones. I still think it's not good, but you're right about that.

Is there any official documentation of this 'strangeness'? Because if there isn't ( and I haven't been able to find it so far), it's still a bug. Either a code bug or a documentation bug.

Paul

PS We are running into this problem at a project at the moment and it cost us a lot of hours figuring out why routing isn't working as we supposed it should :-(
Re: [zones-discuss] Patches via Live Upgrade with 2 zones on Solaris 10 Update 4 failed
>> Have you tried a luactivate directly after the lumake ?
>> There is a bug in cpio that causes lucreate to fail to create the zones in the new be when there is a server in the zone that uses unix domain sockets. One server I had that caused the problem was the admin server used for the directory server.
>> I don't have the CR number available right now.
>
> Paul,
>
> After reading that BigAdmin article that przemol suggested I see that I should have tried the luactivate after the lumake.
> You may be onto something with the unix domain sockets. The zone that failed (ldap-supplc) is running Directory Server 5.2P4. Looking at the box now in production I see that there are several sockets from the netstat -an output below for the admin server. Since I turned Directory Server off before running the LU commands I would have thought those sockets would be cleaned up? If you can find the CR number maybe it's related to my system.

I only ran into it with the servers enabled at boot in the zones; disabling the servers seems to fix the problem. The sockets apparently only were created when the server was running. Even though I had the zones halted, the lucreate process started them enough to have the server processes started.
I did get an error message from lucreate that the zone copy in the new BE was not created correctly. If you don't get that error you are probably running into something else.
The CR number is 2154382, it's an old one but has been bumped up to P1.

Paul

> 60005bdc728 stream-ord             /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
> 60005bdc8f0 stream-ord             /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
> 60005bdcab8 stream-ord             /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
> 60005bdcc80 stream-ord 600070e1640 /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
> 60005bdce48 stream-ord 6000713c000 /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
> 60005bdd010 stream-ord 600070e1640 /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
> 60005bdd1d8 stream-ord 6000713c000 /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
> 60005bdd3a0 stream-ord 60006e04d40 /var/run/.inetd.uds
> 60005bdd730 stream-ord 600070e1640 /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>
> Thanks,
> -Eric
Re: [zones-discuss] exclusive-ip
On 11 Dec 2007, at 13:23, caroline wrote:

> Hi,
>
> I set up exclusive-ip zone, using these instructions :
>
> set ip-type=exclusive
> add net
> set physical=ce

The ce interface currently cannot be used with exclusive ip instances. Look at the crossbow faq for supported network interfaces:
http://www.opensolaris.org/os/project/crossbow/faq/#ipinst_any_nic

Paul

> When I boot the zone, I don't see physical interface anymore
>
> zone1# ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff00
>
> Is there other configuration to add ?
>
> Thanks a lot
> carol
[zones-discuss] Shared-ip routing and VNI interface
I'm having a problem figuring out why my ping replies never get sent.
I have a Blade 1500 running Solaris 10 08/07.
On it I have 2 active local zones, zone1 and zone2, their configs are:

# zonecfg -z zone1 export
create -b
set zonepath=/zones/zone1
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.50
set physical=vni0
end

and

# zonecfg -z zone2 export
create -b
set zonepath=/zones/zone2
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.51
set physical=vni1
end

The global zone has 192.168.200.14 configured on bge0.
The default gateway is 192.168.200.4.
If I configure a host route routing 192.168.200.50 to 192.168.200.14 on the router (192.168.200.4) and ping 192.168.200.50, I see echo request packets arrive on the bge0 interface but I never see any replies go out.

192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 744)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 745)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 746)

The routing table shows:

netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              192.168.200.4        UG      1      0
192.168.42.0         192.168.42.1         U       1      0  bge0:1
192.168.200.0        192.168.200.14       U       1      5  bge0
224.0.0.0            192.168.200.14       U       1      0  bge0
127.0.0.1            127.0.0.1            UH      1     38  lo0

ifconfig -a shows :

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff00
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone zone1
        inet 127.0.0.1 netmask ff00
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone zone2
        inet 127.0.0.1 netmask ff00
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.200.14 netmask ff00 broadcast 192.168.200.255
        ether 0:3:ba:2f:c1:bb
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.42.1 netmask ff00 broadcast 192.168.42.255
vni0: flags=20010100c0<RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 3
        inet 0.0.0.0 netmask 0
vni0:1: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 3
        zone zone1
        inet 192.168.200.50 netmask ff00
vni1: flags=20010100c0<RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 4
        inet 0.0.0.0 netmask 0
vni1:1: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 4
        zone zone2
        inet 192.168.200.51 netmask ff00
#

Any ideas ?

Paul
Re: [zones-discuss] Shared-ip routing and VNI interface
On 3 Dec 2007, at 12:49, James Carlson wrote:

> Paul Van Der Zwan writes:
>
>> I'm having a problem figuring out why my ping replies never get sent.
>
> There's no way for any of your configured zones to transmit, so they don't.
> Vni is really not much different from lo0. You cannot transmit packets on vni -- it's just a place to hang a local IP address. That's why they say NOXMIT when you configure them.
>
>> The global zone has 192.168.200.14 configured on bge0
>
> You need to give your zones access to bge0 if you want them to transmit there. You give access by assigning an address on that interface.

What I was trying to do was have the option of running multiple zones, on different hosts, configured with the same IP address on a VNI interface so a loadbalancer can balance between different zones, each with the same configuration as far as the application running within the zone is concerned.
If I give each zone a unique address on the bge0 intf. and an application address on the vni, will the zone be able to route traffic out to the client?

For example:

service address=10.1.1.1
default gateway=192.168.1.254
zone1 on host1 has 192.168.1.1 on bge0 and 10.1.1.1 on vni0
zone1 on host2 has 192.168.1.2 on bge0 and 10.1.1.1 on vni0

The loadbalancer routes 10.1.1.1 traffic for session1 to 192.168.1.1
Would traffic from zone1 be able to go out to the internet using the default gateway 192.168.1.254 with a source of 10.1.1.1 or would the source become 192.168.1.1 ( even if the application binds to 10.1.1.1 ) ?

Is there some documentation on the routing in Solaris 10 esp. in combination with zones ?

TIA
Paul
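The two configuration checks this thread and the hardening thread above turn on (a shared-ip zone whose only address hangs on a NOXMIT vni interface, so it can receive but never reply, and a zone sitting in the same subnet as a global-zone interface, the opposite of the "exclusive IP on a separate subnet" advice) as an added audit script; this is not code from the original posts. It parses the zonecfg export format quoted in the thread; the sample exports, the global-zone address table and the /24 prefix are constructed assumptions.

```python
"""Audit zonecfg export dumps for two shared-ip pitfalls raised on the list.
Added example, not code from the original posts; sample configs are constructed
from the ones quoted in the thread and /24 is assumed where zonecfg has no prefix."""
import ipaddress

# Constructed: the global zone's own addresses (taken from the ifconfig -a above).
GLOBAL_IFACES = {"bge0": "192.168.200.14/24", "bge0:1": "192.168.42.1/24"}

# vni and lo can hold an address but are NOXMIT: no packet can be sent out of them.
NOXMIT_PREFIXES = ("vni", "lo")

# Constructed zonecfg exports: zone1 as posted, zone3 with a bge0 address added.
ZONE_EXPORTS = {
    "zone1": "create -b\nset ip-type=shared\n"
             "add net\nset address=192.168.200.50\nset physical=vni0\nend\n",
    "zone3": "create -b\nset ip-type=shared\n"
             "add net\nset address=192.168.200.60\nset physical=bge0\nend\n"
             "add net\nset address=10.1.1.1\nset physical=vni0\nend\n",
}

def parse_export(text, default_prefix=24):
    """Return (ip_type, [(address, physical), ...]) from zonecfg export text."""
    ip_type, nets, cur = "shared", [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "add net":
            cur = {}
        elif line == "end" and cur is not None:
            addr = cur.get("address")
            if addr and "/" not in addr:
                addr = f"{addr}/{default_prefix}"
            nets.append((addr, cur.get("physical")))
            cur = None
        elif line.startswith("set "):
            key, _, val = line[4:].partition("=")
            if cur is not None:
                cur[key] = val
            elif key == "ip-type":
                ip_type = val
    return ip_type, nets

def audit_zone(name, export_text, global_ifaces=GLOBAL_IFACES):
    """Return findings for one zone; an empty list means neither pitfall applies."""
    ip_type, nets = parse_export(export_text)
    global_nets = {ipaddress.ip_interface(a).network for a in global_ifaces.values()}
    findings = []
    # 1. Every address hangs on a NOXMIT device: echo requests arrive, replies never leave.
    if ip_type == "shared" and nets and all(
            p is None or p.startswith(NOXMIT_PREFIXES) for _, p in nets):
        findings.append(f"{name}: no transmit-capable interface, only {[p for _, p in nets]}")
    # 2. Zone address inside a global-zone subnet: no subnet separation from the global zone.
    for addr, phys in nets:
        if addr and ipaddress.ip_interface(addr).network in global_nets:
            findings.append(f"{name}: {addr} on {phys} shares a subnet with the global zone")
    return findings
```

Running `audit_zone("zone1", ZONE_EXPORTS["zone1"])` reproduces James Carlson's diagnosis for the posted config, while zone3 only trips the shared-subnet check because its bge0 address gives it a transmit path.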