[zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-27 Thread Miles Benson
Hi All,

I'm not sure what I'm seeing is by design or by misconfiguration.  I created a 
filesystem tank/zones to hold some zones, then created a specific zone 
filesystem tank/zones/basezone.  Then built a zone, setting 
zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone becomes compromised then it's revealing 
something about the underlying pool and filesystems.  I can live with it.

However, if I become root in the zone then the ancestor filesystem is 
*writable*. I can write a file in /tank/zones!  So if I delegate root access to 
a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong?  Any and all suggestions welcome!

Thanks
Miles
-- 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
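Added example (editor's, not part of the thread): a check a global-zone admin can run before deciding whether the write Miles describes reaches the pool. Root inside the zone sees the zone's filesystem namespace, which the global zone sees rooted at $zonepath/root, so the zone's /tank/zones is $zonepath/root/tank/zones from the global zone. The function writes a canary through that path and then looks for it through the global zone's own /tank/zones; the two outcomes are labelled SHARED (the same directory is reached both ways, so a zone root really can write into the ancestor dataset) and SEPARATE (the zone's /tank/zones is a distinct directory). The zone name and paths are Miles's; everything else is an assumption of this example.

```shell
# Added example, not from the thread. Run as root in the global zone.
# Usage: ancestor_shared /tank/zones/basezone /tank/zones
#   $1 = zonepath, $2 = the ancestor mountpoint as seen inside the zone.
# Prints SHARED (returns 0) if a write made through the zone's view of $2
# shows up in the global zone's $2, SEPARATE (returns 1) otherwise.
ancestor_shared() {
    zonepath=$1
    ancestor=$2
    # The zone's namespace is rooted at $zonepath/root (assumption of this
    # example, matching a default zone root layout).
    inside="$zonepath/root$ancestor"
    canary=".ancestor-canary.$$"

    [ -d "$inside" ] || { echo "MISSING: $inside"; return 2; }

    # Write through the zone's view of the path ...
    : > "$inside/$canary" || { echo "READONLY: $inside"; return 3; }

    # ... and look for the file through the global zone's own path.
    if [ -e "$ancestor/$canary" ]; then
        rm -f "$inside/$canary"
        echo "SHARED: writes in the zone reach $ancestor"
        return 0
    fi
    rm -f "$inside/$canary"
    echo "SEPARATE: the zone's $ancestor is its own directory, not $ancestor"
    return 1
}
```

The canary is removed in both cases, so the check leaves nothing behind; a MISSING or READONLY result means the path layout assumed here does not match the zone and the result says nothing about the pool.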


[zones-discuss] How to enable a service of a zone that is not running...

2009-09-27 Thread Brad Diggs
I would like to svcadm enable a service of a non-global zone whose  
state is not 'running'.

Is that possible?  If so, how?

Thanks in advance,
Brad
Brad Diggs
Principal Field Technologist



Sun Microsystems, Inc.
Phone x52957/+1 972-992-0002
Mail bradley.di...@sun.com
Blog http://TheZoneManager.com
Blog http://BradDiggs.com


[zones-discuss] Defaultrouter problem?

2009-09-27 Thread Stefano Pini


Hi all,
I'm at a customer site configuring an m8000 with 9 zones and a fresh  
Solaris 10 U7 installation with the latest kernel patch (141414-10).
The domain uses only 2 NICs (bge0 and nxge0), configured in a class C  
network with VLAN tagging and IPMP active-active:


bge15000 + nxge15000 == ipmp15 with defrouter 10.1.115.254
bge16000 + nxge16000 == ipmp16 with defrouter 10.1.116.254
bge17000 + nxge17000 == ipmp17 with defrouter 10.1.117.254
bge18000 + nxge18000 == ipmp18 with defrouter 10.1.118.254

GZ  == ipmp15
NGZ 1 to 3  == ipmp18
NGZ 4 to 6  == ipmp38
NGZ 7 to 9  == ipmp39

As you can see, the configuration above needs 4 defrouters, one for the  
GZ and three for the NGZs.

Here's the output of 'netstat -rn' after the boot of all zones:

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              10.1.115.254         UG        1      0
default              10.1.116.254         UG        1      1 bge16000
default              10.1.117.254         UG        1      2 bge17000
default              10.1.118.254         UG        1      2 bge18000
139.164.63.0         10.1.115.25          U         1      1 bge15000
224.0.0.0            10.1.115.25          U         1      0 bge15000
127.0.0.1            127.0.0.1            UH        1     42 lo0


The steps above configure all 9 NGZs perfectly and they run well.
The problem is in the Global Zone:
the clients that use the GZ to manage the system get disconnected regularly  
or sometimes can't connect!
When that happens, a traceroute to the clients from the GZ console shows  
that it uses a bad defrouter, the one on another VLAN, not the right  
one! (for example 10.1.117.254 on bge17000 instead of 10.1.115.254 on  
bge15000)


I didn't find a way to make it run correctly.

I've tried to set a fixed route in the GZ to the clients' network and it  
seems to work...
but this way the NGZs can't reach the clients, because they use the wrong  
default router to contact the right network.


I've followed all the procedures and the best practices...

Any idea how to configure defrouter in GZ and to make it run?

Best regards,
Stefano


Stefano Pini
Senior Technical Specialist at SUN Microsystems Spa
Viale Fulvio Testi 327 20162 Milano Italy
Contact | stefano.p...@sun.com - www.sun.com/italy



Re: [zones-discuss] Defaultrouter problem?

2009-09-27 Thread James Carlson
Stefano Pini wrote:
 The steps above configure perfectly all the 9 NGZ and they run well.
 The problem is on the Global Zone:
 the clients that use GZ to manage the system get disconnected regularly
 or sometimes can't connect!
 When that happens, trying traceroute to clients from GZ console seems
 that it uses a bad defrouter, the one on another vlan, not the right
 one!!! (for example 10.1.117.254 on bge17000 instead of 10.1.115.254 on
 bge15000)

When you're in the global zone, all of those interfaces, subnets and
default routes are the same.  There's no special one reserved only for
the global zone's use.  The global zone can (and will!) use any of them.

If they're not actually usable by the global zone, then you've got a
problem.

Possible solutions include:

  - Use exclusive stack zones instead.  If you do that, though, you
won't be able to have groups of zones sharing a single interface.
(You could do something like this with VNICs, but not on S10, as
S10 doesn't have those.)

  - Direct the traffic originating from the global zone using IP Filter.
You could filter based on source address and use the on keyword to
direct that traffic to go out via a particular interface, just as
your desired default route would do (if it worked).

  - Stop using default routes, and use network specific routes.  If the
networks that the global zone must reach are distinct from the ones
that the non-global zones must reach, then you should be able to
come up with a set of routes that will direct traffic appropriately
based on remote address.  (A routing protocol may help.)

  - Modify your default routers so that they know how to deal with
traffic from the global zone.

-- 
James Carlson 42.703N 71.076W carls...@workingcode.com
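Added example (editor's, not from the thread): James's point is that in a shared-IP stack there is a single routing table, so every default route in 'netstat -rn' is available to the global zone, whichever zone's defrouter setting created it. Before reaching for IP Filter or per-network routes it helps to list exactly which defaults the stack holds and which of them are not on the interface the global zone is meant to use. The function below does that over 'netstat -rn' text; the sample table is constructed from the one in Stefano's post (including its first default line, which carries no interface at all), and bge15000 as the global zone's interface is taken from his description.

```shell
# Added example, not from the thread. Reads 'netstat -rn' (IPv4 section)
# on stdin; $1 is the interface the global zone is supposed to use.
# Prints one line per default route: "gateway interface verdict", where
# verdict is gz (on the global zone's interface), other (on another
# interface, so a candidate for mis-routed global-zone traffic) or
# unknown (netstat printed no interface for the route).
default_routes() {
    gz_if=$1
    awk -v gz="$gz_if" '
        $1 == "default" {
            iface = ($6 == "") ? "-" : $6
            verdict = (iface == gz) ? "gz" : (iface == "-") ? "unknown" : "other"
            printf "%s %s %s\n", $2, iface, verdict
        }'
}

# Constructed sample, modelled on the routing table in Stefano's post.
SAMPLE_NETSTAT='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              10.1.115.254         UG        1      0
default              10.1.116.254         UG        1      1 bge16000
default              10.1.117.254         UG        1      2 bge17000
default              10.1.118.254         UG        1      2 bge18000
139.164.63.0         10.1.115.25          U         1      1 bge15000
224.0.0.0            10.1.115.25          U         1      0 bge15000
127.0.0.1            127.0.0.1            UH        1     42 lo0'

# Usage on a live system: netstat -rn | default_routes bge15000
# Usage on the sample:    printf '%s\n' "$SAMPLE_NETSTAT" | default_routes bge15000
```

On the sample this reports three defaults marked other (the NGZ routers on bge16000, bge17000 and bge18000) and one marked unknown (10.1.115.254, shown without an interface), which is the situation James describes: nothing in the table reserves a default for the global zone.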


Re: [zones-discuss] How to enable a service of a zone that is not running...

2009-09-27 Thread Trevor Pretty

Do you mean from the global zone, like this?

zlogin $ZONE_NAME svcadm enable svc:/system/foo

Brad Diggs wrote:
 I would like to svcadm enable a service of a non-global zone whose state is not 'running'.
 Is that possible? If so, how?

 Thanks in advance,
 Brad

-- 
Trevor Pretty | Technical Account Manager | +64 9 639 0652 | +64 21 666 161
Eagle Technology Group Ltd.
Gate D, Alexandra Park, Greenlane West, Epsom
Private Bag 93211, Parnell, Auckland
www.eagle.co.nz
This email is confidential and may be legally privileged. If received in error please destroy and immediately notify us.



Re: [zones-discuss] How to enable a service of a zone that is not running...

2009-09-27 Thread Brad Diggs
Not exactly.  That will work if the zone is running.  However, it will  
not work for a non-running zone, because it requires an execution  
environment to run within.  Imagine, if you will, that we created a zone  
and then shut it down and halted it.  Now, while the zone is down, how  
can I enable, say, the smb service, which is disabled by default?

Brad

On Sep 27, 2009, at 6:01 PM, Trevor Pretty wrote:

 Do you mean from the global zone, like this?

 zlogin $ZONE_NAME svcadm enable svc:/system/foo

 Brad Diggs wrote:
  I would like to svcadm enable a service of a non-global zone whose  
  state is not 'running'.

  Is that possible?  If so, how?





Re: [zones-discuss] How to enable a service of a zone that is not running...

2009-09-27 Thread Mike Gerdts
On Sun, Sep 27, 2009 at 10:50 AM, Brad Diggs bradley.di...@sun.com wrote:

 I would like to svcadm enable a service of a non-global zone whose state is 
 not 'running'.
 Is that possible?  If so, how?
 Thanks in advance,
 Brad

You can cause it to become enabled on the next boot with:

echo "svcadm enable $fmri" >> $zonepath/root/var/svc/profile/upgrade

This will get processed when manifest-import runs early in the zone
boot process.  I'm not so sure that this is considered to be an
interface, so it may break at any time.  It is probably best to ask on
smf-discuss if you care about the stability of this mechanism.

--
Mike Gerdts
http://mgerdts.blogspot.com/
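Added example (editor's, not Mike's code): the one-liner above, wrapped with the checks an admin would want before appending to a halted zone's /var/svc/profile/upgrade. It refuses a zonepath that has no SMF profile directory under its root (a typo would otherwise create a stray file), and it does not queue the same enable line twice, since the upgrade profile is processed on every boot until manifest-import consumes it. Mike's caveat stands: this file is not a committed interface. The zonepath reuses Miles's /tank/zones/basezone; the FMRI for Brad's smb example, svc:/network/smb/server:default, is this example's assumption.

```shell
# Added example, not from the thread. Run as root in the global zone.
# Usage: queue_enable /tank/zones/basezone svc:/network/smb/server:default
#   $1 = zonepath of the (halted) zone, $2 = FMRI to enable on its next boot.
# Appends "svcadm enable <fmri>" to the zone's /var/svc/profile/upgrade,
# which manifest-import runs early in the zone's boot (uncommitted interface).
queue_enable() {
    zonepath=$1
    fmri=$2
    profile_dir="$zonepath/root/var/svc/profile"
    upgrade="$profile_dir/upgrade"
    line="svcadm enable $fmri"

    [ -n "$zonepath" ] && [ -n "$fmri" ] || {
        echo "usage: queue_enable zonepath fmri" >&2; return 2; }

    # A real zone root carries this directory; refuse anything else rather
    # than creating an upgrade file somewhere it will never be read.
    [ -d "$profile_dir" ] || {
        echo "no SMF profile directory under $zonepath" >&2; return 2; }

    # Idempotent: the same line queued twice buys nothing and clutters the file.
    if [ -f "$upgrade" ] && grep -qxF "$line" "$upgrade"; then
        echo "already queued: $line"
        return 0
    fi
    printf '%s\n' "$line" >> "$upgrade" || return 1
    echo "queued: $line"
}
```

Once the zone has booted, 'zlogin $zone svcs -x $fmri' from the global zone is the way to confirm the service actually came up.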


Re: [zones-discuss] Defaultrouter problem?

2009-09-27 Thread Mike Gerdts
On Sun, Sep 27, 2009 at 1:18 PM, James Carlson carls...@workingcode.com wrote:

 When you're in the global zone, all of those interfaces, subnets and
 default routes are the same.  There's no special one reserved only for
 the global zone's use.  The global zone can (and will!) use any of them.

 If they're not actually usable by the global zone, then you've got a
 problem.

 Possible solutions include:

  - Use exclusive stack zones instead.  If you do that, though, you
    won't be able to have groups of zones sharing a single interface.
    (You could do something like this with VNICs, but not on S10, as
    S10 doesn't have those.)

  - Direct the traffic originating from the global zone using IP Filter.
    You could filter based on source address and use the on keyword to
    direct that traffic to go out via a particular interface, just as
    your desired default route would do (if it worked).

  - Stop using default routes, and use network specific routes.  If the
    networks that the global zone must reach are distinct from the ones
    that the non-global zones must reach, then you should be able to
    come up with a set of routes that will direct traffic appropriately
    based on remote address.  (A routing protocol may help.)

  - Modify your default routers so that they know how to deal with
    traffic from the global zone.

The standard deployment mechanism that I have been using for 3+ years
involves having the global zone and non-global zones on different
subnets.  In my case, I use link-based IPMP and as such there are no
global zone interfaces that are up on the networks that the global
zone is not supposed to use.  I have had absolutely no problems like
those described by Stefano with this configuration, despite having a
sizable deployment.  As such, I know that either there is a workable
configuration or there is a regression.

Note that I have had problems with this configuration WRT zone
interfaces becoming the primary(? - that is, not a virtual) IP on a
given NIC.  Those problems should no longer be a problem.  Also, prior
to the defaultrouter property on zone network interfaces, it also
required some customization to the zone boot process such that after
the first zone on a network plumbed its address, I would then have to
add the new default route.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/