You need to interpose the zone_create function, add the privilege to the privilege mask and call the
original zone_create. See RFE 4966416; it explains how to do it by LD_PRELOADing a library.
It works on Solaris 10 update 2.

Regards,

Pascal



Jeff Victor wrote on 12/18/06 20:46:
Pascal Fortin - SSI - Southern Europe Solution Center wrote:
Hi all,

My customer is doing this by granting the privilege sys_net_config to the local zone.
I know and he knows that this is neither permitted nor supported. He does this at his own risk.
No problem so far.

Hi Pascal,

What version of Solaris is he using?  With Nevada build 50, attempting to boot a zone which has been configured with that privilege results in:

privilege "sys_net_config" is not permitted within the zone's privilege set
zoneadm: zone <zonename> failed to verify

and the zone does not boot.


James Carlson wrote on 12/18/06 16:34:
Jeff Victor writes:

Detlef Drewanz wrote:

I know dhcp-server and bootp-server were not possible to run in local zones. So now with S10 11/06 we can configure some more privileges into a zone. E.g. if I add the privilege net_raw_access to a zone, can I then run dhcp-server or bootp-server in a local zone (because I should now be able to listen for broadcasts)?

Funny, I was wondering about that, and decided to attempt to resolve this today.  If anyone has an answer, I'd like to hear it.  But I'll be working on this today.

in.dhcpd does SIOCSXARP to hotwire the ARP entry, which means at least
sys_net_config is required.  sys_net_config is on the list of
privileges that cannot be added to a zone:

% grep sys_net_config /usr/lib/brand/native/config.xml
        <privilege set="prohibited" name="sys_net_config" />
%
It seems unlikely that this will work.


--


Pascal FORTIN
Services Account Manager

Sun Microsystems France
13 avenue Morane Saulnier
78140 Velizy Villacoublay

Phone x30401 / +33 1 34 03 04 01
Mobile +33 6 85 83 10 01
Email [EMAIL PROTECTED]



_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
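The check James did with grep against the brand's config.xml, and the verify failure Jeff reports, as an added example that is not part of the thread: classify a privilege by the set the brand file puts it in, then check a zonecfg limitpriv string before zoneadm verify rejects it. CONFIG_XML may point at a real /usr/lib/brand/native/config.xml; when it is unset the constructed sample below is used. The sample keeps the one real line the thread shows (sys_net_config prohibited); the other entries are illustrative only, and treating a "required" privilege as non-removable follows from the set's name rather than from anything on this page.

```shell
# Added example, not from the thread. CONFIG_XML unset => constructed sample.
sample_config() {
	cat <<'EOF'
<?xml version="1.0"?>
<brand name="native">
	<privilege set="default" name="net_icmpaccess" />
	<privilege set="default" name="sys_mount" />
	<privilege set="prohibited" name="sys_net_config" />
	<privilege set="required" name="proc_exec" />
	<privilege set="required" name="proc_fork" />
</brand>
EOF
}

read_config() {
	if [ -n "${CONFIG_XML:-}" ]; then cat "$CONFIG_XML"; else sample_config; fi
}

# Print the set a privilege belongs to: default, required, prohibited, or
# "optional" when the brand file does not mention it (may be added via limitpriv).
priv_set_of() {
	_line=$(read_config | grep '<privilege' | grep "name=\"$1\"" | head -n 1)
	_set=$(printf '%s\n' "$_line" | sed -n 's/.*set="\([a-z]*\)".*/\1/p')
	printf '%s\n' "${_set:-optional}"
}

# Check a zonecfg limitpriv value such as "default,net_rawaccess,!sys_mount".
# Prints one line per problem and returns 1 if any; returns 0 when clean.
check_limitpriv() {
	_bad=0
	for _tok in $(printf '%s\n' "$1" | tr ',' ' '); do
		case $_tok in
		default) ;;
		"!"*)
			_p=${_tok#!}
			if [ "$(priv_set_of "$_p")" = required ]; then
				echo "privilege \"$_p\" is required by the brand and cannot be removed"
				_bad=1
			fi ;;
		*)
			if [ "$(priv_set_of "$_tok")" = prohibited ]; then
				echo "privilege \"$_tok\" is not permitted within the zone's privilege set"
				_bad=1
			fi ;;
		esac
	done
	return $_bad
}
```

Usage: `check_limitpriv "default,sys_net_config"` prints the same complaint zoneadm gives and returns 1; `check_limitpriv "default,net_rawaccess"` is silent and returns 0 with this sample, since the sample does not list net_rawaccess in any set. Run it with CONFIG_XML set to the installed brand file before committing a limitpriv change.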
