[zones-discuss] chroot env into zone
Hello,

I'm running a chroot environment (only apache, php and mysql) on Solaris 10u5 and I want to move this environment into a ZONE environment. The problem is with packages, because zoneadm installs all packages from the global ZONE. Is the only way to install this ZONE and, after installing the ZONE, remove the unused packages?

Regards,
-- 
Maciej Browarski

___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] chroot env into zone
Maciej Browarski wrote:
> Hello, I'm running a chroot environment (only apache, php and mysql) on Solaris 10u5 and I want to move this environment into a ZONE environment. The problem is with packages, because zoneadm installs all packages from the global ZONE. Is the only way to install this ZONE and, after installing the ZONE, remove the unused packages?
>
> Regards,

You'll need to make a native unbranded zone. Google privsnz and that should put you on the right track. I've recently done this as well. I know you're @Sun, but feel free to email directly if you need help.

./C
[zones-discuss] Code Review for 6613349 setuid not allowed message could be more useful
I'm looking for reviewers for '6613349 setuid not allowed message could be more useful'. I've tested it on a b101 system without any issues. It's pretty straightforward (and small) -- just modifying the message to display the filesystem path (instead of the device number) and making it zone aware (which is why I included security-discuss and zones-discuss).

The webrev is at http://cr.opensolaris.org/~jbk/6613349
Re: [zones-discuss] Code Review for 6613349 setuid not allowed message could be more useful
> I'm looking for reviewers for '6613349 setuid not allowed message could be more useful'. I've tested it on a b101 system without any issues. It's pretty straightforward (and small) -- just modifying the message to display the filesystem path (instead of the device number) and making it zone aware (which is why I included security-discuss and zones-discuss).

Why do you use the mntpnt and why not the vp->v_path?

Casper
Re: [zones-discuss] Code Review for 6613349 setuid not allowed message could be more useful
On Wed, Nov 12, 2008 at 12:46 PM, [EMAIL PROTECTED] wrote:
>> I'm looking for reviewers for '6613349 setuid not allowed message could be more useful'. I've tested it on a b101 system without any issues. It's pretty straightforward (and small) -- just modifying the message to display the filesystem path (instead of the device number) and making it zone aware (which is why I included security-discuss and zones-discuss).
>
> Why do you use the mntpnt and why not the vp->v_path?
>
> Casper

Originally I did that, but there was concern v_path might not always be correct (or available) (such as renames or with hard links IIRC), and so might generate a confusing message in those situations. I wasn't aware of any mechanism that could take exec_file or the vnode and generate a nice canonical pathname that didn't suffer from renaming or hard link issues, so the mountpoint was chosen instead. I think ideally it'd be nice to have both (in case the offending binary is deleted, you can still figure out where it took place).
Re: [zones-discuss] ipfilter (ipf.conf) entries in zonecfg?
Well, I forgot to mention that we were using S10u6, but the idea I had was to apply the filter rules in the global zone. As far as I can tell, crossbow is not integrated with NV or OS either :) It looks like we are going to need to somehow wrap it, or put the entire ipf.conf for all zones on all physical nodes.

Thanks,
Tommy
-- 
This message posted from opensolaris.org
Re: [zones-discuss] chroot env into zone
Start with a real minimal build of Solaris, then build a sparse zone. The zones then take ~200MB. No, it's not a CHROOT, but you can chroot apps that support it (named) within the zone so that there is absolutely nothing that can be accessed if it somehow is broken... but the minimal install should reduce your patching requirements, and the sparse zone makes it so that IF someone breaks in, they can't break most of the executables, as they are on a read-only filesystem.
-- 
This message posted from opensolaris.org
Re: [zones-discuss] ipfilter (ipf.conf) entries in zonecfg?
I have about 50-60 zones spread across 3 security contexts ;)

~tommy

On Nov 12, 2008, at 6:38 PM, Ha Bailey wrote:
> Have you considered Trusted Extensions? As long as you do not need multiple zones of the same security context on the same physical server, it might work out for you. (In other words, you can't have two internet zones on a single host.) This might help you: http://www.sun.com/bigadmin/content/submitted/trusted_ext_corp.jsp
>
> Robert Bailey
>
> On Nov 7, 2008, at 12:13 PM, Tommy McNeely wrote:
>> Hello Zones experts,
>>
>> We are attempting to create a new data center architecture that favors virtualization with zones. Previously, if we wanted to have zones from different security contexts (front-end, back-end, internet, etc), they had to be in different physical machines (or LDOMS). Now that we have the ability (ok, as of s10u4, but we have been busy) to use ipfilter between zones on the same host, we believe there may be enough separation to have zones in different security contexts on the same global-zone.
>>
>> I would like to get people's feedback on what they would think of creating the ability to have ipfilter rules, that would normally be located in ipf.conf in the global zone, inside the zonecfg. When the zone is brought online it could pipe the rules into ipf -f - or something. I am thinking the zonecfg seems like a good place to store them because when I want to move a zone from one machine to another, I would prefer the firewall came along with the zone. We have discussed using vnic interfaces (crossbow?), but I don't believe that's integrated yet? Besides, we don't really trust the application administrator (zone administrator) with the firewall, so we'd like to keep its configuration in the global zone, which I assume would still work even with vnic's.
>>
>> QUESTION: If we put the firewall (ipf.conf) inside the zone and use a private IP instance, can they put a pass out quick on vnic0 keep state and have the ability to connect to any other zone on the same machine? I know that rule in the global zone makes it that way, but maybe ip stack instances fix that?
>>
>> ~tommy
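Tommy's idea above, storing a zone's ipfilter rules in its zonecfg and feeding them to `ipf -f -` when the zone comes up, can be prototyped from the global zone with a small script. The following is an added example, not code from this thread or from Solaris. It assumes a hypothetical `ipf-rule-NN` naming convention for zonecfg `attr` resources (zero-padded so lexical order is load order), that `zonecfg -z ZONE info attr` prints `name:`/`type:`/`value:` lines in the layout of the constructed sample, and that the global zone keeps its own base rules in /etc/ipf/ipf.conf.

```shell
#!/bin/sh
# Added example (not from the zones-discuss thread): keep each shared-IP
# zone's ipfilter rules in that zone's zonecfg as 'attr' resources, and
# rebuild the global zone's ipf rule set from all of them, so the rules
# travel with the zone on detach/attach.
#
# Assumptions (not stated in the thread):
#  * attr names start with "ipf-rule-" and are zero-padded (hypothetical
#    convention chosen for this example);
#  * `zonecfg -z ZONE info attr` prints lines laid out like SAMPLE below;
#  * the global zone's base rules live in /etc/ipf/ipf.conf.

# Constructed sample of `zonecfg -z web01 info attr` output; not captured
# from a real system. The "comment" attr shows that unrelated attrs are
# ignored.
SAMPLE_ATTR_OUTPUT='attr:
	name: ipf-rule-10
	type: string
	value: "pass in quick on e1000g0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state"
attr:
	name: comment
	type: string
	value: "web tier, front-end security context"
attr:
	name: ipf-rule-20
	type: string
	value: "block in log quick on e1000g0 from any to 192.0.2.10"'

# rules_from_attr ZONE < zonecfg-attr-output
# Prints one ipf rule per line, in attr-name order, with the zonecfg
# quoting stripped, preceded by a comment naming the zone so that the
# loaded set is attributable when read back with `ipfstat -io`.
rules_from_attr() {
    zone=$1
    echo "# rules for zone $zone"
    awk '
        /^attr:/            { name = ""; next }      # new resource
        /^[ \t]*name:/      { name = $2; next }      # remember its name
        /^[ \t]*value:/ && name ~ /^ipf-rule-/ {
            sub(/^[ \t]*value:[ \t]*/, "")          # drop the key
            sub(/^"/, ""); sub(/"$/, "")            # drop zonecfg quotes
            print name "\t" $0                      # name first, for sort
        }' | sort | cut -f2-
}

# build_ruleset: global base rules first, then every configured
# non-global zone, read live from zonecfg (requires Solaris).
build_ruleset() {
    cat /etc/ipf/ipf.conf
    zoneadm list -cp | cut -d: -f2 | grep -v '^global$' | while read zone; do
        zonecfg -z "$zone" info attr | rules_from_attr "$zone"
    done
}

# load_ruleset: load into the inactive set, then swap it in with ipf -s,
# so the filter never runs with a partially loaded table.
load_ruleset() {
    build_ruleset | ipf -I -Fa -f - && ipf -s
}

# demo_rules: run the parser on the constructed sample only; needs no
# zonecfg or ipf, so it works outside Solaris.
demo_rules() {
    printf '%s\n' "$SAMPLE_ATTR_OUTPUT" | rules_from_attr web01
}

demo_rules
```

Because the global zone's ipfilter has a single rule set covering every shared-IP zone, the loader rebuilds the whole set from all zones rather than appending one zone's rules. A `pass out quick ... keep state` stored this way still applies to every zone sharing that interface, which is exactly the concern in the QUESTION above; for an exclusive-IP zone the rules would have to be loaded inside that zone's own IP instance instead.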
Re: [zones-discuss] Somewhat unusual exclusive-IP type configuration needed
Steffen Weiberle wrote:
> On 10/20/08 10:58, Joe Barbey wrote:
>> Hi all,
>>
>> I've got a situation that doesn't seem to be really covered in the various docs I've read up to now. I have a number of servers where I want to do something like the following, if possible. Any help would be greatly appreciated.
>>
>> I would like to host a number of zones on a server, let's say an m4000, but I want those zones to be on a different subnet than the global. So far, no problem: use exclusive-IP. However, currently I don't have enough NICs to give one each to all zones. One thought I had was a sort of mix of shared-IP and exclusive-IP. Give a couple of different zones the same NIC in exclusive-IP mode. I haven't tried it, but I'm fairly certain this won't work, as each zone will try to control the NIC itself.
>
> http://blogs.sun.com/stw/entry/using_ip_instances_with_vlans
>
> This is with Solaris 10 8/07, to take advantage of IP Instances delivered in that update.
>
> Steffen

I'm responding to Steffen, but it really applies to you all. Thanks!

Using VLANs worked perfectly. We ended up buying some quad gig NICs, but still had one or two zones that were without connection. As they were QA or expected to be low bandwidth servers, I used VLANs and had them share a connection with the global. A quick re-config on the switch port, and all was well.

Thanks again for the suggestions!
-- 
Joe Barbey
IS Network Support Senior
Davee Library room 166C
UW - River Falls
office: (715) 425-4357
cell: (715) 821-0008
Re: [zones-discuss] static routes vs default routes (zones in different subnets)
Hi all,

I'm pleased to read I'm not the sole victim of what I'm calling the Solaris zone route bug. Please take a look below at my comment.

On 10 Nov 2008 at 17:51, Tommy McNeely wrote:
> On Nov 10, 2008, at 7:09 AM, Paul Kraus wrote:
>> On Sun, Nov 9, 2008 at 10:34 PM, Tommy McNeely [EMAIL PROTECTED] wrote:
>>> ... hence my shared-ip is the only thing available (feasible) comment :) If this has changed, or is being worked on in OpenSolaris, I would *love* to hear about it.
>>
>> Network interface virtualization! http://opensolaris.org/os/project/crossbow/
>
> I think some of the deep dark kernel stuff is integrated to OpenSolaris (and thus Solaris Express), but not everything yet?
>
> Crossbow will be the solution.

Sure! But when? And on which version of Solaris?

For now Exclusive-IP is a sort of workaround. Not a real one! See why:

- IPFilter rules are visible from the zone. With Shared-IP, they are not.
- If you need an IPMP configuration, you need to set up 2 physical interfaces (or an 802.1Q switch) and 3 IP addresses per zone.
- Exclusive-IP is not available on all physical interfaces on S10 (I have an old qfe on my desk I'd love to use!).
- When you just try to use the default mechanisms (I mean shared-IP, default route defined on the global zone), you're never sure of where your IP packets will be sent (through which default router?).

To be short, Exclusive-IP is a great enhancement to S10, but we'll need at least two other things before crossbow:

1) Exclusive-IP for ANY NIC
2) A clever routing mechanism to associate different routing tables with different zones.

My .02 euro-cents.

Nico