Re: [zones-discuss] Interfaces to automate zone system identification
Zoram,

As far as I know, there is no zones API for querying the global zone's
configuration. The Zone Manager project was created to help you simplify
zone creation and management. This is a perfect example of how it helps
you out. The way that I re-use the global config through the Zone Manager
is to copy the relevant configuration files from the global zone into the
non-global zone. Here are a couple of examples:

Create a zone using the global zone's nsswitch.conf and resolv.conf

# zonemgr -a add -n z1 -z /zones -P pw -I "192.168.0.7|bge0|24|z1" \
    -C /etc/nsswitch.conf -C /etc/resolv.conf

Or alternatively, if you prefer to just use one of the standard nss
templates, the following works as well.

# zonemgr -a add -n z1 -z /zones -P pw -I "192.168.0.7|bge0|24|z1" \
    -C "/etc/nsswitch.dns|/etc/nsswitch.conf" -C /etc/resolv.conf

Hope that helps!

Brad

On Thu, 2007-11-15 at 18:58 +0530, Zoram Thanga wrote:
> Hi Mike,
>
> Mike Gerdts wrote:
> > On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
> >> Hi All,
> >>
> >> I'd like to automate system identification for a zone when it is freshly
> >> installed. In most cases, I'd like to keep the same settings for domain
> >> name, name service, security policy, etc., as in the global zone.
> >
> > It sounds like simply copying in whole or part the relevant files from
> > the global zone and making the appropriate modifications to
> > $zonepath/root/etc/.sysid* (forget the exact file name) would be a
> > workable approach. This would have to be done from the global zone.
>
> Yes, the program will only run in the global zone, and only once after
> the new zone is installed.
>
> However, I'm wondering if we can count on the presence of /etc/sysidcfg
> on the global zone. Once a system has been initialized, we could safely
> remove /etc/sysidcfg and there would be no problem, right?
>
> >> I'm wondering if there are (C) library interfaces to determine which
> >> name service is used in the global zone, so that I can make the
> >> following entry in the zone's /etc/sysidcfg file:
> >
> > To the best of my knowledge, such an API is not even available to
> > query in the same zone (e.g. global zone querying global zone). Such
> > an API that allowed cross-zone queries of this information would cross
> > isolation boundaries that have been held rather dear with zones.
>
> No, I am not looking to cross zone boundaries here - just obtain all the
> necessary information from the global zone and apply them to the freshly
> installed NGZs. Of course, if the user wants to specify sysid settings
> that are different from those of the global zone, she would be allowed
> to do so. But if she just wants to re-use the same name service setting,
> security policy setting, etc., then that's when I'd like to query the GZ
> for that information.
>
> >> name_service={}
> >>
> >> So, I'd like to do something like:
> >>
> >> name_service = get_name_service()
> >>
> >> if (name_service is NIS) {
> >>     /* get domain name */
> >>     /* get yp master */
> >> } else if (name_service is NIS+) {
> >>     /* get NIS+ details */
> >> } else if (name_service is LDAP) {
> >>     /* get LDAP details */
> >> } else if (name_service is DNS) {
> >>     /* get DNS details */
> >> } ...
> >
> > This approach, much like the one used by sysidconfig, is broken. What
> > happens when you use LDAP for everything except hosts and DNS for
> > hosts? If you are coming up with a new solution for setting up naming
> > services, please don't repeat this mistake.
>
> Yes. I am aware of the complications, and no, we're not trying to come up
> with new naming service solutions :) I just want to know how to query
> the settings when the user says "use the same settings as in the GZ".
>
> > You may want to take a look at zonemgr. It will do quite a bit of
> > customization of a zone without interaction and may be just what you
> > are looking for.
>
> I'll take a look. Can zonemgr query the settings if the user didn't
> specify them?
>
> Thanks,
> Zoram

--
The Zone Manager
http://opensolaris.org/os/project/zonemgr

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system
Hello,

I highly recommend that you use version 1.8.1 instead of 1.8 as it
includes many bug fixes that are not in 1.8.

Having said that, mounting a configuration file used by the global zone
into a non-global zone can be a security risk. I wouldn't recommend it.

Here is an example to illustrate how you could readonly mount a file via
lofs from a global zone into a non-global zone during zone creation
through the zone manager with the -r flag.

# z=`uname -n`
# cp /etc/hosts /etc/${z}
# zonemgr -F -a add -n z1 -z /zones -P pw -r "/etc/${z}|/etc/global"
# cksum /etc/hosts
2265366463 1183 /etc/hosts
# zlogin z1 "cksum /etc/global"
2265366463 1183 /etc/global
# zonemgr -a info -n z1
Zone information for zone z1
zonename: z1
zonepath: /zones/z1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /platform
inherit-pkg-dir:
    dir: /sbin
inherit-pkg-dir:
    dir: /usr
fs:
    dir: /etc/global
    special: /etc/globalhostname
    raw not specified
    type: lofs
    options: [ro,nodevices]
attr:
    name: comment
    type: string
    value: "Zone z1"

Hope that helps!

Just as an FYI... the next version of the zonemgr, which I hope to
complete soon, has a new unified mounting syntax that works for all the
main supported filesystems available today. It is still in alpha so I
haven't yet posted it on the site. If you are interested in trying it
out, send me a separate e-mail and I will gladly send you a copy.

Brad

On Tue, 2007-11-20 at 14:29 +0100, Konstantin Gremliza wrote:
> Hi there,
>
> I have a question regarding zonemgr.
>
> We would like to use lofs to mount (ro) a file /etc/GLOBAL into the
> zones. It should contain the name of the global zone so anyone can
> easily find out what system he is really on.
>
> Zonemgr 1.8 only supports directories for readonly lofs mounts: option
> -r
>
> Can it be changed to support files?
>
> Thanks and regards,
>
> Konstantin

--
Brad Diggs
Communications Area Market
Senior Directory Architect
Office: 972-992-0002
E-Mail: [EMAIL PROTECTED]
M I C R O S Y S T E M S
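Brad's `zonemgr -a info` output above shows the two things worth checking on every lofs mount that reaches into the global zone: that the options include `ro`, and where the `special` path actually points. The following is an added example, not zonemgr code or anything posted in the thread. It assumes the input follows the `zonecfg -z <zone> export` grammar (`add fs` / `set dir=` / `set special=` / `set type=` / `add options` / `end`); the sample export it parses is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not zonemgr code): audit the lofs mounts of a zone as
# described by `zonecfg -z <zone> export`, read on stdin.
#
# Assumption: the input uses the zonecfg export grammar (add fs / set dir=
# / set special= / set type= / add options ... / end). For each lofs mount
# one line is printed per finding:
#   WRITABLE   <special> -> <dir> (options: ...)   no "ro" option present
#   ETC-SOURCE <special> -> <dir>                  special path is under /etc
# Nothing is printed when every lofs mount is read-only and not from /etc.
audit_lofs_mounts() {
    awk '
    function flush() {
        if (in_fs && type == "lofs") {
            if (!ro)
                printf "WRITABLE   %s -> %s (options: %s)\n", special, dir, opts
            if (special ~ /^\/etc(\/|$)/)
                printf "ETC-SOURCE %s -> %s\n", special, dir
        }
        in_fs = 0; type = ""; dir = ""; special = ""; opts = ""; ro = 0
    }
    $1 == "add" && $2 == "fs" { in_fs = 1; next }
    in_fs && $1 == "set" {
        eq = index($2, "=")
        key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
        if (key == "dir") dir = val
        else if (key == "special") special = val
        else if (key == "type") type = val
        next
    }
    in_fs && $1 == "add" && $2 == "options" {
        o = $3; gsub(/\[|\]/, "", o)          # zonecfg may print [ro,nodevices]
        opts = (opts == "") ? o : (opts "," o)
        n = split(o, part, ",")
        for (i = 1; i <= n; i++) if (part[i] == "ro") ro = 1
        next
    }
    $1 == "end" { flush() }
    END { flush() }
    '
}

# Constructed sample of `zonecfg -z z1 export` output (not captured from a
# real system): one ro mount of a global-zone /etc file, one writable data
# mount, one writable mount of the global zone's whole /etc.
SAMPLE_EXPORT='create -b
set zonepath=/zones/z1
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add fs
set dir=/etc/global
set special=/etc/globalhostname
set type=lofs
add options ro
add options nodevices
end
add fs
set dir=/export/data
set special=/export/zones-data
set type=lofs
add options nodevices
end
add fs
set dir=/etc/shared
set special=/etc
set type=lofs
add options rw
end
add net
set address=192.168.0.7
set physical=bge0
end'

# On a live system:  zonecfg -z z1 export | audit_lofs_mounts
printf '%s\n' "$SAMPLE_EXPORT" | audit_lofs_mounts
```

Run against the constructed export it flags the writable `/export/zones-data` mount, and flags `/etc` twice (writable and sourced from `/etc`), while the read-only `/etc/globalhostname` mount from Brad's example is reported only as an `/etc` source, which is exactly the case Brad says he would not recommend.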
Re: [zones-discuss] Interfaces to automate zone system
Actually it is kind of there already. Put a command in /usr/bin in the
global zone that displays the global zone name. This shared file system
is available to the local zones. When you build a full zone, this command
goes with it. The only issue is if you change the global zone name on a
system, the full zone will need to be updated. Very rare.

See:
http://www.logiqwest.com/dataCenter/Demos/RunBooks/Zones/listingGlobal.html

My concern is this functionality is actually a security violation.

Konstantin Gremliza wrote:
> Hi there,
>
> I have a question regarding zonemgr.
>
> We would like to use lofs to mount (ro) a file /etc/GLOBAL into the
> zones. It should contain the name of the global zone so anyone can
> easily find out what system he is really on.
>
> Zonemgr 1.8 only supports directories for readonly lofs mounts: option
> -r
>
> Can it be changed to support files?
>
> Thanks and regards,
>
> Konstantin

--
Michael Barto
Software Architect
LogiQwest Inc.
16458 Bolsa Chica Street, # 15
Huntington Beach, CA 92649
http://www.logiqwest.com/
[EMAIL PROTECTED]
Tel: 714 377 3705
Fax: 714 840 3937
Cell: 714 883 1949

'tis a gift to be simple

This e-mail may contain LogiQwest proprietary information and should be
treated as confidential.
Re: [zones-discuss] Interfaces to automate zone system
Hi there,

I have a question regarding zonemgr.

We would like to use lofs to mount (ro) a file /etc/GLOBAL into the
zones. It should contain the name of the global zone so anyone can
easily find out what system he is really on.

Zonemgr 1.8 only supports directories for readonly lofs mounts: option
-r

Can it be changed to support files?

Thanks and regards,

Konstantin
Re: [zones-discuss] Interfaces to automate zone system
Hi Tomas,

Tomas Heran wrote:
> Hi Zoram,
>
> you might want to take a look at Project Duckwater - Simplified name
> services management: http://www.opensolaris.org/os/project/duckwater/.
>
> Now, Duckwater's command for creating and managing name services
> configuration - nscfg(1M) - doesn't know anything about zones, but I can
> add an RFE for us to be able to export a name service profile (the set
> of all name service configuration) into a file which you can later
> import somewhere else - e.g. you would configure name services in the
> global zone, then export this configuration (using nscfg) into a file
> and later import this file (again, using nscfg) into your non-global
> zone(s).
>
> Would that work for you?

This sounds promising. My basic requirement is that I should be able to
non-interactively install and boot a zone (why? because interactive
install/boot is too tedious in a multi-node environment like Sun
Cluster). The user, if he wishes to, can explicitly enter the
sysidcfg(4) parameters for the zone. But we expect that in most cases
the only thing that would be different would be the root password (it
would be unwise to have the same root password for global and non-global
zones), and for the rest of the parameters use either

a. global zone settings (name service, nfsv4 domain, security policy,
   timezone, ...) or
b. reasonable defaults (e.g., terminal)

Stable interfaces to query the name service configuration of the global
zone (or any zone for that matter) will be a great help.

Thanks,
Zoram

> Regards,
> Tomas

--
Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram
Re: [zones-discuss] Interfaces to automate zone system
On Nov 19, 2007 1:46 PM, Tomas Heran <[EMAIL PROTECTED]> wrote:
> Hi Zoram,
>
> you might want to take a look at Project Duckwater - Simplified name
> services management: http://www.opensolaris.org/os/project/duckwater/.
>
> Now, Duckwater's command for creating and managing name services
> configuration - nscfg(1M) - doesn't know anything about zones, but I can
> add an RFE for us to be able to export a name service profile (the set
> of all name service configuration) into a file which you can later
> import somewhere else - e.g. you would configure name services in the
> global zone, then export this configuration (using nscfg) into a file
> and later import this file (again, using nscfg) into your non-global
> zone(s).
>
> Would that work for you?

Butting in here, it would work just fine for me.

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
Re: [zones-discuss] Interfaces to automate zone system
Hi Zoram,

you might want to take a look at Project Duckwater - Simplified name
services management: http://www.opensolaris.org/os/project/duckwater/.

Now, Duckwater's command for creating and managing name services
configuration - nscfg(1M) - doesn't know anything about zones, but I can
add an RFE for us to be able to export a name service profile (the set
of all name service configuration) into a file which you can later
import somewhere else - e.g. you would configure name services in the
global zone, then export this configuration (using nscfg) into a file
and later import this file (again, using nscfg) into your non-global
zone(s).

Would that work for you?

Regards,
Tomas

This message posted from opensolaris.org
Re: [zones-discuss] Interfaces to automate zone system identification
Hi Mike,

Mike Gerdts wrote:
> On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
>> Hi All,
>>
>> I'd like to automate system identification for a zone when it is freshly
>> installed. In most cases, I'd like to keep the same settings for domain
>> name, name service, security policy, etc., as in the global zone.
>
> It sounds like simply copying in whole or part the relevant files from
> the global zone and making the appropriate modifications to
> $zonepath/root/etc/.sysid* (forget the exact file name) would be a
> workable approach. This would have to be done from the global zone.

Yes, the program will only run in the global zone, and only once after
the new zone is installed.

However, I'm wondering if we can count on the presence of /etc/sysidcfg
on the global zone. Once a system has been initialized, we could safely
remove /etc/sysidcfg and there would be no problem, right?

>> I'm wondering if there are (C) library interfaces to determine which
>> name service is used in the global zone, so that I can make the
>> following entry in the zone's /etc/sysidcfg file:
>
> To the best of my knowledge, such an API is not even available to
> query in the same zone (e.g. global zone querying global zone). Such
> an API that allowed cross-zone queries of this information would cross
> isolation boundaries that have been held rather dear with zones.

No, I am not looking to cross zone boundaries here - just obtain all the
necessary information from the global zone and apply them to the freshly
installed NGZs. Of course, if the user wants to specify sysid settings
that are different from those of the global zone, she would be allowed
to do so. But if she just wants to re-use the same name service setting,
security policy setting, etc., then that's when I'd like to query the GZ
for that information.

>> name_service={}
>>
>> So, I'd like to do something like:
>>
>> name_service = get_name_service()
>>
>> if (name_service is NIS) {
>>     /* get domain name */
>>     /* get yp master */
>> } else if (name_service is NIS+) {
>>     /* get NIS+ details */
>> } else if (name_service is LDAP) {
>>     /* get LDAP details */
>> } else if (name_service is DNS) {
>>     /* get DNS details */
>> } ...
>
> This approach, much like the one used by sysidconfig, is broken. What
> happens when you use LDAP for everything except hosts and DNS for
> hosts? If you are coming up with a new solution for setting up naming
> services, please don't repeat this mistake.

Yes. I am aware of the complications, and no, we're not trying to come up
with new naming service solutions :) I just want to know how to query
the settings when the user says "use the same settings as in the GZ".

> You may want to take a look at zonemgr. It will do quite a bit of
> customization of a zone without interaction and may be just what you
> are looking for.

I'll take a look. Can zonemgr query the settings if the user didn't
specify them?

Thanks,
Zoram

--
Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram
[zones-discuss] Interfaces to automate zone system identification
Hi All,

I'd like to automate system identification for a zone when it is freshly
installed. In most cases, I'd like to keep the same settings for domain
name, name service, security policy, etc., as in the global zone.

I'm wondering if there are (C) library interfaces to determine which
name service is used in the global zone, so that I can make the
following entry in the zone's /etc/sysidcfg file:

name_service={}

So, I'd like to do something like:

name_service = get_name_service()

if (name_service is NIS) {
    /* get domain name */
    /* get yp master */
} else if (name_service is NIS+) {
    /* get NIS+ details */
} else if (name_service is LDAP) {
    /* get LDAP details */
} else if (name_service is DNS) {
    /* get DNS details */
} ...

Also, is there a library interface to get what the security_policy
setting is in the global zone? So I want to do something like:

security_policy = get_security_policy()

if (security_policy is kerberos) {
    /* get kerberos details */
} else if ...
...

Thanks,
Zoram

--
Zoram Thanga::Sun Cluster Development::http://blogs.sun.com/zoram
Re: [zones-discuss] Interfaces to automate zone system identification
On Nov 15, 2007 4:04 AM, Zoram Thanga <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I'd like to automate system identification for a zone when it is freshly
> installed. In most cases, I'd like to keep the same settings for domain
> name, name service, security policy, etc., as in the global zone.

It sounds like simply copying in whole or part the relevant files from
the global zone and making the appropriate modifications to
$zonepath/root/etc/.sysid* (forget the exact file name) would be a
workable approach. This would have to be done from the global zone.

> I'm wondering if there are (C) library interfaces to determine which
> name service is used in the global zone, so that I can make the
> following entry in the zone's /etc/sysidcfg file:

To the best of my knowledge, such an API is not even available to
query in the same zone (e.g. global zone querying global zone). Such
an API that allowed cross-zone queries of this information would cross
isolation boundaries that have been held rather dear with zones.

> name_service={}
>
> So, I'd like to do something like:
>
> name_service = get_name_service()
>
> if (name_service is NIS) {
>     /* get domain name */
>     /* get yp master */
> } else if (name_service is NIS+) {
>     /* get NIS+ details */
> } else if (name_service is LDAP) {
>     /* get LDAP details */
> } else if (name_service is DNS) {
>     /* get DNS details */
> } ...

This approach, much like the one used by sysidconfig, is broken. What
happens when you use LDAP for everything except hosts and DNS for
hosts? If you are coming up with a new solution for setting up naming
services, please don't repeat this mistake.

You may want to take a look at zonemgr. It will do quite a bit of
customization of a zone without interaction and may be just what you
are looking for.

--
Mike Gerdts
http://mgerdts.blogspot.com/
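Mike's objection to a single `get_name_service()` (and the reason Brad's zonemgr simply copies the global zone's nsswitch.conf instead of interpreting it) is easiest to see by parsing an actual nsswitch.conf per database. The following is an added example, not code from the thread, from zonemgr or from Duckwater. It assumes the standard nsswitch.conf syntax (`database: source source ...`, optional `[STATUS=action]` criteria, `#` comments); the sample file it reads is constructed for the example and is the exact mix Mike describes, LDAP for accounts and DNS for hosts.

```shell
#!/bin/sh
# Added example (not from the thread, zonemgr or Duckwater): read an
# nsswitch.conf on stdin and print, per database, the sources it uses.
# Assumption: standard nsswitch.conf syntax, "database: source source ..."
# with optional "[STATUS=action]" criteria and "#" comments.
nsswitch_sources() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        c = index($0, ":")
        if (c == 0) next
        db = substr($0, 1, c - 1); gsub(/[ \t]/, "", db)
        rest = substr($0, c + 1)
        gsub(/\[[^]]*\]/, "", rest)          # strip [NOTFOUND=return] etc.
        n = split(rest, src, /[ \t]+/)
        line = db ":"
        for (i = 1; i <= n; i++) if (src[i] != "") line = line " " src[i]
        print line
    }'
}

# Distinct network sources across all databases (local "files" and
# "compat" excluded), sorted one per line. Two or more lines mean that a
# single sysidcfg name_service= value cannot describe this configuration.
nsswitch_remote_sources() {
    nsswitch_sources |
        awk '{ for (i = 2; i <= NF; i++) if ($i != "files" && $i != "compat") print $i }' |
        sort -u
}

# Constructed sample (not copied from a real host): LDAP for accounts,
# DNS for hosts, which is the mix Mike describes.
SAMPLE_NSSWITCH='# constructed nsswitch.conf
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files [NOTFOUND=continue] dns
networks:   files
protocols:  files
netgroup:   ldap
automount:  files ldap
'

# On a live global zone:  nsswitch_remote_sources < /etc/nsswitch.conf
printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_sources
echo "remote sources:"
printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_remote_sources
```

For the constructed file `nsswitch_remote_sources` prints both `dns` and `ldap`, so there is no one answer to "which name service does the global zone use"; only a configuration where every non-`files` source is the same (for example `nis` everywhere) collapses to a single value. That is why copying the file, as Brad's `-C /etc/nsswitch.conf` does, preserves information that a single `name_service=` entry would lose.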