Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Cyril Plisko
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
> I bet VBox can't run inside the local zone.

Well, you lost. See VirtualBox User Manual

2.4.5 Configuring a zone for running VirtualBox

>
> On 24 November 2010 20:04, Orvar Korvar wrote:
>> Uhmmm... A thought just struck me.
>>
>> Is it really possible to do what I was thinking? If I install WinXP 
>> virtually, in VirtualBox, in a local zone - then I shut down the global zone 
>> NIC - how can I reach the local zone then? It should not be possible?
>>
>> There is no connection between local zone and global zone - because global 
>> zone NIC is shut down - so how can I surf the web from the local zone??? ssh 
>> does not work, because it connects to the global zone's NIC? Or?
>> --
>> This message posted from opensolaris.org
>> ___
>> zones-discuss mailing list
>> zones-discuss@opensolaris.org
>>



-- 
Regards,
        Cyril


Re: [zones-discuss] Zones and NPIV

2007-11-04 Thread Cyril Plisko
On Nov 3, 2007 7:45 AM, Ran Jack Meng <[EMAIL PROTECTED]> wrote:
> Hi Folks,
>
> I'm an engineer working on the NPIV project, 
> http://opensolaris.org/os/project/npiv/, which is a method for virtualizing a 
> FibreChannel Port.
>
> It is considered useful in virtual environment as Xen and Logical Domain as 
> each virtual system could have its own FC N_PORT_ID and storages via the 
> virtual port and the virtual port could be still available after migration 
> therefore associating storage.
>
> However I'm thinking if NPIV could also be applied to Zones, and implementing 
> a prototype.
>
> The idea is to add a resource type as 'npiv' and three resource prop for it, 
> 'vpwwn'(virtual port WWN), 'vnwwn' (virtual node wwn) and 'ppwwn'(physical 
> port wwn). A subcommand in global scope, 'npiv-attach' is also added to 
> attach devices from the virtual FC port.
>
> Here is a script showing how it should work,
> -
> [EMAIL PROTECTED]:$ /net/kungfu/export/home1/jack/zone/snv/usr/src/cmd/zonecfg/zonecfg -z my-zone
> zonecfg:my-zone> info
> zonename: my-zone
> zonepath: /zone/my-zone
> ...
> zonecfg:my-zone> add npiv
> zonecfg:my-zone:npiv> set vpwwn=1011
> zonecfg:my-zone:npiv> set vnwwn=1010
> zonecfg:my-zone:npiv> set ppwwn=0100
> zonecfg:my-zone:npiv> end (A virtual port will appear here in global zone)
> zonecfg:my-zone> info
> zonename: my-zone
> zonepath: /zone/my-zone
> .
> npiv:
> vpwwn: 1011
> vnwwn: 1010
> ppwwn: 0100
> dedicated-cpu:
> ncpus: 1
> importance: 10
> 
> zonecfg:my-zone> npiv-attach
> Attaching FC dev /dev/rdsk/c7t226000C0FFAA7AF9d1s2.
> Attaching FC dev /dev/dsk/c7t226000C0FFAA7AF9d1s2.
> Attaching FC dev /dev/rdsk/c7t226000C0FFAA7AF9d0s2.
> Attaching FC dev /dev/dsk/c7t226000C0FFAA7AF9d0s2.
> zonecfg:my-zone> info
> zonename: my-zone
> zonepath: /zone/my-zone
> .
> net:
> address: 10.13.49.146
> physical: e1000g0
> npiv:
> vpwwn: 1011
> vnwwn: 1010
> ppwwn: 0100
> device:
> match: /dev/rdsk/c7t226000C0FFAA7AF9d1s2
> device:
> match: /dev/dsk/c7t226000C0FFAA7AF9d1s2
> device:
> match: /dev/rdsk/c7t226000C0FFAA7AF9d0s2
> device:
> match: /dev/dsk/c7t226000C0FFAA7AF9d0s2
> dedicated-cpu:
> ncpus: 1
> importance: 10
> ...
> zonecfg:my-zone> commit
> zonecfg:my-zone> exit
> --
> Reboot the zone then it sees FC devices
> --
> [EMAIL PROTECTED]:$ zoneadm -z my-zone halt
> [EMAIL PROTECTED]:$ zoneadm -z my-zone boot
> [EMAIL PROTECTED]:$ zlogin -C my-zone
> [Connected to zone 'my-zone' console]
>
> Sep 25 01:47:07 su: 'su root' succeeded for root on /dev/console
> Sun Microsystems Inc.   SunOS 5.11  snv_64a October 2007
> bash-3.00# format
> Searching for disks...done
>
> AVAILABLE DISK SELECTIONS:
>        0. c7t226000C0FFAA7AF9d0
>           sd65 at fp3 slave 555008
>        1. c7t226000C0FFAA7AF9d1
>           sd64 at fp3 slave 555009
> Specify disk (enter its number):
> ---
>
> Any comment on the idea and the prototype?

Jack,

I think that is a very interesting and "native" extension of zones.

A couple of questions.

1. What happens if more targets are being made available
for the virtual initiator? Does one need to get into zonecfg
and run npiv-attach again? If not, why run it in the first place?

2. Will the cfgadm, luxadm, fcinfo etc. commands work from
the zone as well? If not, what is the interface to administer/
configure the virtual HBA from the non-global zone?

Very much excited with your work!

-- 
Regards,
Cyril


Re: [zones-discuss] RSC cards and zlogin -C to a zone clash of interest

2007-10-16 Thread Cyril Plisko
On 10/15/07, Enda O'Connor <[EMAIL PROTECTED]> wrote:
> Timothy Kennedy wrote:
> > Ihsan Zaghmouth wrote:
> >
> >> Here's one issue that was raised by a Sun customer ... Looks like we
> >> have a clash of interest on "~."
> >> ...
> >> Anyone seen this before... Any thoughts ?
> >>
> >
> > That's a common frustration in my experience.  OpenSSH, including Sun's
> > variation thereof, also uses "~." as the escape sequence, which can have
> > unintended consequences when connected remotely.
> >
> > My solution has been to use `zlogin -e\@ -C `, which sets
> > the zlogin escape sequence to "@.", and prevents the aforementioned
> > unintended consequences. :)
> >
> > -Tim
> >
> >
> Hi
> escaping the escape should also suffice ie
> ~~.

Indeed. In fact, the same problem is present when nesting ssh.
I find myself frequently doing ~~~. or even .

-- 
Regards,
Cyril
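
The escape-sequence clash discussed in this thread can be checked with a small model of how each nested client filters keystrokes. This is an added example, not code from any poster, zlogin or OpenSSH; it assumes a simplified filter (the escape character is honoured only at the start of a line, and other escape commands are ignored), and the function names are hypothetical.

```python
def escape_filter(keys, escape="~"):
    """Model one client hop. Returns (text forwarded to the next hop, disconnected).

    Simplified assumption: escape + '.' at line start closes this hop,
    escape typed twice forwards one literal escape character, and
    escape + any other key forwards both characters unchanged.
    """
    out = []
    at_line_start = True   # a fresh session behaves as if a newline was just typed
    pending = False        # True after an escape character seen at line start
    for ch in keys:
        if pending:
            pending = False
            if ch == ".":
                return "".join(out), True      # this hop disconnects
            if ch != escape:
                out.append(escape)             # not a command: pass the escape on
        elif at_line_start and ch == escape:
            pending = True
            continue                           # swallow it until the next key
        at_line_start = ch in "\r\n"
        out.append(ch)
    return "".join(out), False


def hop_that_disconnects(keys, escapes):
    """Feed keystrokes through nested hops, outermost first.

    `escapes` lists each hop's escape character, e.g. ["~", "@"] for an
    ssh session running `zlogin -e\\@ -C`. Returns the index of the hop
    that closes, or None if the sequence reaches the innermost shell.
    """
    for index, esc in enumerate(escapes):
        keys, dropped = escape_filter(keys, esc)
        if dropped:
            return index
    return None


if __name__ == "__main__":
    # Constructed keystroke sequences; hop 0 is ssh, hop 1 is zlogin.
    print(hop_that_disconnects("\n~.", ["~", "~"]))    # the clash: ssh closes
    print(hop_that_disconnects("\n~~.", ["~", "~"]))   # doubled escape reaches zlogin
    print(hop_that_disconnects("\n@.", ["~", "@"]))    # zlogin -e\@ avoids the clash
```
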