Re: [zones-discuss] Interfaces to automate zone system identification
Zoram,
As far as I know, there is no zones API for querying the global
zone's configuration.
The Zone Manager project was created to help you simplify zone
creation and management. This is a perfect example of how it
helps you out. The way that I re-use the global config through
the Zone Manager is to copy the relevant configuration files from
the global zone into the non-global zone. Here are a couple of
examples:
Create a zone using the global zone's nsswitch.conf and resolv.conf
# zonemgr -a add -n z1 -z /zones -P pw -I "192.168.0.7|bge0|24|z1" \
-C /etc/nsswitch.conf -C /etc/resolv.conf
Or alternatively, if you prefer to just use one of the standard nss
templates, the following works as well.
# zonemgr -a add -n z1 -z /zones -P pw -I "192.168.0.7|bge0|24|z1" \
-C "/etc/nsswitch.dns|/etc/nsswitch.conf" -C /etc/resolv.conf
Hope that helps!
Brad
On Thu, 2007-11-15 at 18:58 +0530, Zoram Thanga wrote:
> Hi Mike,
>
> Mike Gerdts wrote:
> > On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
> >> Hi All,
> >>
> >> I'd like to automate system identification for a zone when it is freshly
> >> installed. In most cases, I'd like to keep the same settings for domain
> >> name, name service, security policy, etc., as in the global zone.
> >
> > It sounds like simply copying in whole or part the relevant files from
> > the global zone and making the appropriate modifications to
> > $zonepath/root/etc/.sysid* (forget the exact file name) would be a
> > workable approach. This would have to be done from the global zone.
>
> Yes, the program will only run in the global zone, and only once after
> the new zone is installed.
>
> However, I'm wondering if we can count on the presence of /etc/sysidcfg
> on the global zone. Once a system has been initialized, we could safely
> remove /etc/sysidcfg and there would be no problem, right?
>
> >
> >> I'm wondering if there are (C) library interfaces to determine which
> >> name service is used in the global zone, so that I can make the
> >> following entry in the zone's /etc/sysidcfg file:
> >
> > To the best of my knowledge, such an API is not even available to
> > query in the same zone (e.g. global zone querying global zone). Such
> > an API that allowed cross-zone queries of this information would cross
> > isolation boundaries that have been held rather dear with zones.
>
> No, I am not looking to cross zone boundaries here - just obtain all the
> necessary information from the global zone and apply them to the freshly
> installed NGZs. Of course, if the user wants to specify sysid settings
> that are different from those of the global zone, she would be allowed
> to do so. But if she just wants to re-use the same name service setting,
> security policy setting, etc, then that's when I'd like to query the GZ
> for those informations.
>
> >
> >> name_service={}
> >>
> >> So, I'd like do something like:
> >>
> >> name_service = get_name_service()
> >>
> >> if (name_service is NIS) {
> >> /* get domain name */
> >> /* get yp master */
> >> } else if (name_service is NIS+) {
> >> /* get NIS+ details */
> >> } else if (name_service is LDAP) {
> >> /* get LDAP details */
> >> } else if (name_service is DNS) {
> >> /* get DNS details */
> >> } ...
> >
> > This approach, much like the one used by sysidconfig, is broken. What
> > happens when you use LDAP for everything except hosts and DNS for
> > hosts? If you are coming up with a new solution for setting up naming
> > services, please don't repeat this mistake.
> >
>
> Yes. I am aware of the complications, and no we're not trying to come up
> with new naming service solutions :) I just want to know how to query
> the settings when the user says "use the same settings as in the GZ".
>
> > You may want to take a look at zonemgr. It will do quite a bit of
> > customization of a zone without interaction and may be just what you
> > are looking for.
> >
>
> I'll take a look. Can zonemgr query the settings if the user didn't
> specify them?
>
> Thanks,
> Zoram
--
The Zone Manager
http://opensolaris.org/os/project/zonemgr
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Hello,
I highly recommend that you use version 1.8.1 instead of 1.8 as
it includes many bug fixes that are not in 1.8. Having said that,
mounting a configuration file used by the global zone into a
non-global zone can be a security risk. I wouldn't recommend it.
Here is a example to illustrate how you could readonly mount a file
via lofs from a global zone into a non-global zone during zone
creation through the zone manager with the -r flag.
# z=`uname -n`
# cp /etc/hosts /etc/${z}
# zonemgr -F -a add -n z1 -z /zones -P pw -r "/etc/${z}|/etc/global"
# cksum /etc/hosts
2265366463 1183/etc/hosts
# zlogin z1 "cksum /etc/global"
2265366463 1183/etc/global
# zonemgr-a info -n z1
Zone information for zone z1
zonename: z1
zonepath: /zones/z1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
fs:
dir: /etc/global
special: /etc/globalhostname
raw not specified
type: lofs
options: [ro,nodevices]
attr:
name: comment
type: string
value: "Zone z1"
Hope that helps!
Just as an FYI... the next version of the zonemgr which I hope
to complete soon has a new unified mounting syntax that works
for all the main supported filesystems available today. It is
still in alpha so I haven't yet posted on the site. If you are
interested in trying it out, send me a separate e-mail and I
will gladly send you a copy.
Brad
On Tue, 2007-11-20 at 14:29 +0100, Konstantin Gremliza wrote:
> Hi there,
>
> I have a question regarding zonemgr.
>
> We would like to use lofs to mount (ro) a file /etc/GLOBAL into the
> zones. It should contain the name of the global zone so anyone can
> easily find out, what system he is really on.
>
> Zonemgr 1.8 only supports directories for readonly lofs mounts: option
> -r
>
> Can it be changed to support files ?
>
> Thanks and regards,
>
> Konstantin
> ___
> zones-discuss mailing list
> zones-discuss@opensolaris.org
--
-
_/_/_/ _/_/ _/ _/ Brad Diggs
_/ _/_/ _/_/ _/Communications Area Market
_/_/_/ _/_/ _/ _/ _/ Senior Directory Architect
_/ _/_/ _/ _/_/
_/_/_/ _/_/_/ _/ _/ Office: 972-992-0002
E-Mail: [EMAIL PROTECTED]
M I C R O S Y S T E M S
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Actually it is kind of there already. Put a command in /usr/bin in the global zone that displays the Global zone name. This shared file system it is available to the local zones. When you build a full zone, this command goes with it. The only issue is if you change the Global zone name on a system, the full zone will need to be updated. Very rare. See: http://www.logiqwest.com/dataCenter/Demos/RunBooks/Zones/listingGlobal.html My concern is this functionality is actually a security violation. Konstantin Gremliza wrote: Hi there, I have a question regarding zonemgr. We would like to use lofs to mount (ro) a file /etc/GLOBAL into the zones. It should contain the name of the global zone so anyone can easily find out, what system he is really on. Zonemgr 1.8 only supports directories for readonly lofs mounts: option -r Can it be changed to support files ? Thanks and regards, Konstantin ___ zones-discuss mailing list zones-discuss@opensolaris.org -- Michael Barto Software Architect LogiQwest Inc. 16458 Bolsa Chica Street, # 15 Huntington Beach, CA 92649 http://www.logiqwest.com/ [EMAIL PROTECTED] Tel: 714 377 3705 Fax: 714 840 3937 Cell: 714 883 1949 'tis a gift to be simple This e-mail may contain LogiQwest proprietary information and should be treated as confidential. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Hi there, I have a question regarding zonemgr. We would like to use lofs to mount (ro) a file /etc/GLOBAL into the zones. It should contain the name of the global zone so anyone can easily find out, what system he is really on. Zonemgr 1.8 only supports directories for readonly lofs mounts: option -r Can it be changed to support files ? Thanks and regards, Konstantin ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Hi Tomas, Tomas Heran wrote: > Hi Zoram, > > you might want to take a look at Project Duckwater - Simplified name > services management: http://www.opensolaris.org/os/project/duckwater/. > > Now, Duckwater's command for creating and managing name services > configuration - nscfg(1M) - doesn't know anything about zones, but I can > add an RFE for us to be able to export a name service profile (the set > of all name service configuration) into a file which you can later > import somewhere else - e.g. you would configure name services in global > zone, then exported this configuration (using nscfg) into a file and > later imported this file (again, using nscfg) into your non-global > zone(s). > > Would that work for you? This sounds promising. My basic requirement is that I should be able to non-interactively install and boot a zone (why? because interactive install/boot is too tedious in a multi-node environment like Sun Cluster). The user, if he wishes to, can explicitly enter the sysidcfg(4) parameters for the zone. But we expect that in most cases the only thing that would be different would be the root password (it would be unwise to have the same root password for global and non-global zones), and for the rest of the parameters use either a. global zone settings (name service, nfsv4 domain, security policy, timezone,...) or b. reasonable defaults (e.g., terminal) Stable interfaces to query name service configuration of the global zone (or any zone for that matter) will be a great help. Thanks, Zoram > > Regards, > Tomas > > > This message posted from opensolaris.org > ___ > zones-discuss mailing list > zones-discuss@opensolaris.org -- Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
On Nov 19, 2007 1:46 PM, Tomas Heran <[EMAIL PROTECTED]> wrote: > Hi Zoram, > > you might want to take a look at Project Duckwater - Simplified name > services management: http://www.opensolaris.org/os/project/duckwater/. > > Now, Duckwater's command for creating and managing name services > configuration - nscfg(1M) - doesn't know anything about zones, but I can > add an RFE for us to be able to export a name service profile (the set > of all name service configuration) into a file which you can later > import somewhere else - e.g. you would configure name services in global > zone, then exported this configuration (using nscfg) into a file and > later imported this file (again, using nscfg) into your non-global > zone(s). > > Would that work for you? Butting in here, it would work just fine for me. -- -Peter Tribble http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Hi Zoram, you might want to take a look at Project Duckwater - Simplified name services management: http://www.opensolaris.org/os/project/duckwater/. Now, Duckwater's command for creating and managing name services configuration - nscfg(1M) - doesn't know anything about zones, but I can add an RFE for us to be able to export a name service profile (the set of all name service configuration) into a file which you can later import somewhere else - e.g. you would configure name services in global zone, then exported this configuration (using nscfg) into a file and later imported this file (again, using nscfg) into your non-global zone(s). Would that work for you? Regards, Tomas This message posted from opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system identification
Hi Mike,
Mike Gerdts wrote:
> On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
>> Hi All,
>>
>> I'd like to automate system identification for a zone when it is freshly
>> installed. In most cases, I'd like to keep the same settings for domain
>> name, name service, security policy, etc., as in the global zone.
>
> It sounds like simply copying in whole or part the relevant files from
> the global zone and making the appropriate modifications to
> $zonepath/root/etc/.sysid* (forget the exact file name) would be a
> workable approach. This would have to be done from the global zone.
Yes, the program will only run in the global zone, and only once after
the new zone is installed.
However, I'm wondering if we can count on the presence of /etc/sysidcfg
on the global zone. Once a system has been initialized, we could safely
remove /etc/sysidcfg and there would be no problem, right?
>
>> I'm wondering if there are (C) library interfaces to determine which
>> name service is used in the global zone, so that I can make the
>> following entry in the zone's /etc/sysidcfg file:
>
> To the best of my knowledge, such an API is not even available to
> query in the same zone (e.g. global zone querying global zone). Such
> an API that allowed cross-zone queries of this information would cross
> isolation boundaries that have been held rather dear with zones.
No, I am not looking to cross zone boundaries here - just obtain all the
necessary information from the global zone and apply them to the freshly
installed NGZs. Of course, if the user wants to specify sysid settings
that are different from those of the global zone, she would be allowed
to do so. But if she just wants to re-use the same name service setting,
security policy setting, etc, then that's when I'd like to query the GZ
for those informations.
>
>> name_service={}
>>
>> So, I'd like do something like:
>>
>> name_service = get_name_service()
>>
>> if (name_service is NIS) {
>> /* get domain name */
>> /* get yp master */
>> } else if (name_service is NIS+) {
>> /* get NIS+ details */
>> } else if (name_service is LDAP) {
>> /* get LDAP details */
>> } else if (name_service is DNS) {
>> /* get DNS details */
>> } ...
>
> This approach, much like the one used by sysidconfig, is broken. What
> happens when you use LDAP for everything except hosts and DNS for
> hosts? If you are coming up with a new solution for setting up naming
> services, please don't repeat this mistake.
>
Yes. I am aware of the complications, and no we're not trying to come up
with new naming service solutions :) I just want to know how to query
the settings when the user says "use the same settings as in the GZ".
> You may want to take a look at zonemgr. It will do quite a bit of
> customization of a zone without interaction and may be just what you
> are looking for.
>
I'll take a look. Can zonemgr query the settings if the user didn't
specify them?
Thanks,
Zoram
--
Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram
___
zones-discuss mailing list
zones-discuss@opensolaris.org
[zones-discuss] Interfaces to automate zone system identification
Hi All,
I'd like to automate system identification for a zone when it is freshly
installed. In most cases, I'd like to keep the same settings for domain
name, name service, security policy, etc., as in the global zone.
I'm wondering if there are (C) library interfaces to determine which
name service is used in the global zone, so that I can make the
following entry in the zone's /etc/sysidcfg file:
name_service={}
So, I'd like do something like:
name_service = get_name_service()
if (name_service is NIS) {
/* get domain name */
/* get yp master */
} else if (name_service is NIS+) {
/* get NIS+ details */
} else if (name_service is LDAP) {
/* get LDAP details */
} else if (name_service is DNS) {
/* get DNS details */
} ...
Also, is there a library interface to get what the security_policy
setting is in the global zone? So I want to do something like:
security_policy = get_security_policy()
if (security_policy is kerberos) {
/* get kerberos details */
} else if ...
...
Thanks,
Zoram
--
Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system identification
On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I'd like to automate system identification for a zone when it is freshly
> installed. In most cases, I'd like to keep the same settings for domain
> name, name service, security policy, etc., as in the global zone.
It sounds like simply copying in whole or part the relevant files from
the global zone and making the appropriate modifications to
$zonepath/root/etc/.sysid* (forget the exact file name) would be a
workable approach. This would have to be done from the global zone.
>
> I'm wondering if there are (C) library interfaces to determine which
> name service is used in the global zone, so that I can make the
> following entry in the zone's /etc/sysidcfg file:
To the best of my knowledge, such an API is not even available to
query in the same zone (e.g. global zone querying global zone). Such
an API that allowed cross-zone queries of this information would cross
isolation boundaries that have been held rather dear with zones.
> name_service={}
>
> So, I'd like do something like:
>
> name_service = get_name_service()
>
> if (name_service is NIS) {
> /* get domain name */
> /* get yp master */
> } else if (name_service is NIS+) {
> /* get NIS+ details */
> } else if (name_service is LDAP) {
> /* get LDAP details */
> } else if (name_service is DNS) {
> /* get DNS details */
> } ...
This approach, much like the one used by sysidconfig, is broken. What
happens when you use LDAP for everything except hosts and DNS for
hosts? If you are coming up with a new solution for setting up naming
services, please don't repeat this mistake.
You may want to take a look at zonemgr. It will do quite a bit of
customization of a zone without interaction and may be just what you
are looking for.
--
Mike Gerdts
http://mgerdts.blogspot.com/
___
zones-discuss mailing list
zones-discuss@opensolaris.org
