Re: [zones-discuss] Possible to use zones for hardening? Security?
Not true. b134 has crossbow and you can configure it such that the global zone does not have access to the internet. See http://chrisgerhard.wordpress.com/2009/01/01/http-proxy-in-a-zone/

--chris

--
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
I stand corrected. Thanks for the update Glenn.

Jerry

On 09/30/10 16:33, Glenn Faden wrote:
> VBox definitely works in zones. It installs a global zone SMF service,
> VBoxService, to take care of loading the kernel modules since this can't
> be done by a NGZ.
>
> see http://www.virtualbox.org/changeset/24240
>
> --Glenn
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 10:33 AM, Glenn Faden wrote:
> VBox definitely works in zones. It installs a global zone SMF service,
> VBoxService, to take care of loading the kernel modules since this can't
> be done by a NGZ.
>
> see http://www.virtualbox.org/changeset/24240

Ah, so I was correct in stating VirtualBox can't be *installed* in a zone. I didn't realise it could be run in a zone when installed in the global zone.

--
Ian.
Re: [zones-discuss] Possible to use zones for hardening? Security?
VBox definitely works in zones. It installs a global zone SMF service, VBoxService, to take care of loading the kernel modules since this can't be done by a NGZ.

see http://www.virtualbox.org/changeset/24240

--Glenn

Jerry Kemp wrote:
> Ian,
>
> I believe that you are correct in your comment about running VirtualBox in a zone.
>
> While I haven't attempted it myself, I believe that VirtualBox will not work from a zone because VirtualBox needs to load kernel modules.
>
> here is an example:
>
> ultra20 /root 401 # modinfo | grep -i vbox
> 175 f85127f0a88 345 1 vboxnet (VirtualBox NetAdp 3.1.4r57640)
> 177 f8682000 24de8 344 1 vboxdrv (VirtualBox HostDrv 3.1.4r57640)
> 250 f89e2000 6a20 346 1 vboxflt (VirtualBox NetDrv 3.1.4r57640)
> 250 f89e2000 6a20 - 1 vboxflt (VirtualBox NetMod 3.1.4r57640)
> 251 f89e9000 4598 347 1 vboxusbmon (VirtualBox USBMon 3.1.4r57640)
> 252 f89ee000 6de8 348 1 vboxusb (VirtualBox USB 3.1.4r57640)
> ultra20 /root 402 # uname -a
> SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
> ultra20 /root 403 #
>
> Jerry
>
> On 09/30/10 15:55, Ian Collins wrote:
>> I don't think you can install VirtualBox in a zone. If you are using
>> VirtualBox, you can use the same networking tricks to get isolation as
>> you would use for a zone.

--
ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ian,

I believe that you are correct in your comment about running VirtualBox in a zone.

While I haven't attempted it myself, I believe that VirtualBox will not work from a zone because VirtualBox needs to load kernel modules.

here is an example:

ultra20 /root 401 # modinfo | grep -i vbox
175 f85127f0a88 345 1 vboxnet (VirtualBox NetAdp 3.1.4r57640)
177 f8682000 24de8 344 1 vboxdrv (VirtualBox HostDrv 3.1.4r57640)
250 f89e2000 6a20 346 1 vboxflt (VirtualBox NetDrv 3.1.4r57640)
250 f89e2000 6a20 - 1 vboxflt (VirtualBox NetMod 3.1.4r57640)
251 f89e9000 4598 347 1 vboxusbmon (VirtualBox USBMon 3.1.4r57640)
252 f89ee000 6de8 348 1 vboxusb (VirtualBox USB 3.1.4r57640)
ultra20 /root 402 # uname -a
SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
ultra20 /root 403 #

Jerry

On 09/30/10 15:55, Ian Collins wrote:
> I don't think you can install VirtualBox in a zone. If you are using
> VirtualBox, you can use the same networking tricks to get isolation as
> you would use for a zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 09:42 AM, Orvar Korvar wrote:
> Ok, now I am confused. I want to shut down all internet connection to my global zone. I don't want to shut down the global zone, only the internet connection. I want to reach internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones.

I don't think you can install VirtualBox in a zone. If you are using VirtualBox, you can use the same networking tricks to get isolation as you would use for a zone.

> Is this possible or not? Some say yes, others say no?

The response you didn't quote answered your question:

On 09/30/10 08:38 AM, Glenn Faden wrote:
> Assuming you're using the shared IP stack (default), it is sufficient for the global zone interface(s) to be plumbed so that the non-global zones can use logical instances of the interface(s). So setting the GZ interfaces as "down" will prevent network access to/from the global zone.

> I believe I should use exclusive-ip in the local zones? Or?

You can, but you don't have to.

--
Ian.
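An added audit check, not from the thread or any poster, for the shared-IP layout Glenn describes above: the global zone's physical interface stays plumbed so zones can use logical instances of it, but the GZ-owned interface itself should be down. It parses a constructed `ifconfig -a` sample; the interface names, zone name and addresses are assumptions.

```python
import re

# Constructed sample of `ifconfig -a` as seen from a Solaris global zone with
# one shared-IP zone (assumed names/addresses, not output from the thread).
# e1000g0 is the GZ's physical interface; e1000g0:1 is the logical instance
# assigned to the zone, which ifconfig marks with a "zone <name>" line.
SAMPLE_IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone webzone
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255
"""

# Interface header: "<name>: flags=<hex><FLAG,FLAG,...> ..."
HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {ifname: {"up": bool, "zone": str|None, "inet": str|None}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"up": "UP" in m.group(2).split(","), "zone": None, "inet": None}
            continue
        if current is None:
            continue
        fields = line.split()
        if fields[:1] == ["zone"] and len(fields) > 1:
            ifaces[current]["zone"] = fields[1]
        elif fields[:1] == ["inet"] and len(fields) > 1:
            ifaces[current]["inet"] = fields[1]
    return ifaces


def audit_global_zone(text):
    """Flag interfaces owned by the global zone (no "zone" line) that are UP.

    Loopback is ignored; logical instances assigned to a zone may stay UP,
    since the zone, not the GZ, uses them.
    """
    findings = []
    for name, info in parse_ifconfig(text).items():
        if name.startswith("lo") or info["zone"] is not None:
            continue
        if info["up"]:
            findings.append(f"{name} ({info['inet']}) is UP in the global zone; ifconfig {name} down")
    return findings
```

Running it on the sample reports e1000g0; the same input with the UP flag removed from e1000g0 reports nothing, which is the state the thread recommends.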
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, now I am confused. I want to shut down all internet connection to my global zone. I don't want to shut down the global zone, only the internet connection. I want to reach internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones.

Is this possible or not? Some say yes, others say no?

I believe I should use exclusive-ip in the local zones? Or?