Hi, jf

Thanks for your reply.
As you know, the whole-root zone model includes the capability for global 
administrators to customize their zones' file system layout. This would be done, 
for example, to add arbitrary unbundled packages or third-party packages.
I want to install an application into a zone, and it needs to write to the /usr and 
/opt directories.

The following is my procedure:
1. Use /usr/sbin/txzonemgr to create a new zone "whole" and select a label.

2.
# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - PUBLIC           installed  /zone/PUBLIC                   native   shared
   - whole            configured /zone/whole                    native   shared
# 
# more /etc/zones/index
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)zones-index        1.2     04/04/01 SMI"
#
# DO NOT EDIT: this file is automatically generated by zoneadm(1M)
# and zonecfg(1M).  Any manual changes will be lost.
#
global:installed:/
PUBLIC:installed:/zone/PUBLIC:4b62a043-a4d9-c95f-aa14-825f87611ee8
whole:configured:/zone/whole:
# 
# more /etc/security/tsol/tnzonecfg
...
global:ADMIN_LOW:1:20-23/tcp;111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
PUBLIC:0x0002-08-08:0::
whole:0x0004-08-48:0::
# 
# 
# zonecfg -z whole
zonecfg:whole> info
zonename: whole
zonepath: /zone/whole
brand: native
autoboot: true
bootargs: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: shared
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
inherit-pkg-dir:
        dir: /opt
inherit-pkg-dir:
        dir: /kernel
fs:
        dir: /var/tsol/doors
        special: /var/tsol/doors
        raw not specified
        type: lofs
        options: [ro]
zonecfg:whole> 
zonecfg:whole> remove inherit-pkg-dir dir=/lib
zonecfg:whole> remove inherit-pkg-dir dir=/platform
zonecfg:whole> remove inherit-pkg-dir dir=/sbin
zonecfg:whole> remove inherit-pkg-dir dir=/usr
zonecfg:whole> remove inherit-pkg-dir dir=/opt
zonecfg:whole> remove inherit-pkg-dir dir=/kernel
zonecfg:whole> 
zonecfg:whole> set autoboot=false
zonecfg:whole> set bootargs="-m quiet"
zonecfg:whole> 
zonecfg:whole> add dedicated-cpu
zonecfg:whole:dedicated-cpu> set ncpus=1-2
zonecfg:whole:dedicated-cpu> end
zonecfg:whole> 
zonecfg:whole> set limitpriv="default,dtrace_proc,dtrace_user,proc_priocntl,sys_time,sys_ipc_config,cpc_cpu"
zonecfg:whole> set scheduling-class=FSS
zonecfg:whole> 
zonecfg:whole> add fs
zonecfg:whole:fs> set dir=/opt/local
zonecfg:whole:fs> set special=/usr/local
zonecfg:whole:fs> set type=lofs
zonecfg:whole:fs> end
zonecfg:whole> 
zonecfg:whole> set ip-type=exclusive
zonecfg:whole> add net
zonecfg:whole:net> set physical=e1000g2
zonecfg:whole:net> end
zonecfg:whole> add net
zonecfg:whole:net> set physical=e1000g3
zonecfg:whole:net> end
zonecfg:whole> 
zonecfg:whole> add device
zonecfg:whole:device> set match=/dev/*
zonecfg:whole:device> end
zonecfg:whole> add device
zonecfg:whole:device> set match=/dev/*/*
zonecfg:whole:device> end
zonecfg:whole> add device
zonecfg:whole:device> set match=/dev/*/*/*
zonecfg:whole:device> end
zonecfg:whole> 
zonecfg:whole> add attr
zonecfg:whole:attr> set name=comment
zonecfg:whole:attr> set type=string
zonecfg:whole:attr> set value="This is a Whole Root Zone with CONFIDENTIAL: 
INTERNAL USE ONLY label."
zonecfg:whole:attr> end
zonecfg:whole> 
zonecfg:whole> info
zonename: whole
zonepath: /zone/whole
brand: native
autoboot: false
bootargs: -m quiet
pool: 
limitpriv: 
default,dtrace_proc,dtrace_user,proc_priocntl,sys_time,sys_ipc_config,cpc_cpu
scheduling-class: FSS
ip-type: exclusive
fs:
        dir: /var/tsol/doors
        special: /var/tsol/doors
        raw not specified
        type: lofs
        options: [ro]
fs:
        dir: /opt/local
        special: /usr/local
        raw not specified
        type: lofs
        options: []
net:
        address not specified
        physical: e1000g2
net:
        address not specified
        physical: e1000g3
device
        match: /dev/*
device
        match: /dev/*/*
device
        match: /dev/*/*/*
dedicated-cpu:
        ncpus: 1-2
attr:
        name: comment
        type: string
        value: "This is a Whole Root Zone with CONFIDENTIAL: INTERNAL USE ONLY 
label."
zonecfg:whole> 
zonecfg:whole> verify
zonecfg:whole> commit
zonecfg:whole> exit
# 
# zoneadm -z whole verify
WARNING: /zone/whole does not exist, so it could not be verified.
When 'zoneadm install' is run, 'install' will try to create
/zone/whole, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /zone/whole is group- or other-writable
or
/zone/whole overlaps with any other installed zones.
# 
# 
# ls -la /zone
total 22
drwxr-xr-x   4 root     root         512 Jan  6  2007 .
drwxr-xr-x  34 root     root        1024 Jun  5 08:26 ..
drwx------   7 root     root         512 Sep 15  2007 PUBLIC
drwx------   2 root     root        8192 Jan  6  2007 lost+found
# 
# 
# zoneadm -z whole install
Preparing to install zone <whole>.
Creating list of files to copy from the global zone.           <-- the command hangs here


Thanks!
 
 