Hi Folks,

Recently I was tasked to upgrade one of the zones that lives in Solaris 10 U2 
to Solaris U7. 

I am running into very strange behaviors when I update the zone with "update on 
attach". I suspect that the zone had the wrong set of permissions from the 
beginning. 

Here is what is happening:

I copied all the zone data to update 7 with the correct index and xml files. 
Started upgrade process:
# zoneadm -z test1 boot
# zoneadm -z test1 halt
# zoneadm -z test1 detach
# zoneadm -z test1 attach -u
Getting the list of files to remove
Removing 614 files
Remove 14 of 14 packages
Installing 743 files
Add 12 of 12 packages
Updating editable files
The file </var/sadm/system/logs/update_log> within the zone contains a log of 
the zone update.

So far so good, no obvious problems.
So I connect to the console and I see the following warnings/errors which I 
normally do not see with some other zones:
# zlogin -C test1
[Connected to zone 'test1' console]

[NOTICE: Zone booting up]


SunOS Release 5.10 Version Generic_139555-08 64-bit
Copyright 1983-2009 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: test1
Loading smf(5) service descriptions: 48/66                                      
                                                                        66/66
svccfg import warnings. See /var/svc/log/system-manifest-import:default.log .
Reading ZFS config: done.
Sep 30 11:55:08 svc.startd[26453]: svc:/network/rpc/bind:default: Method 
"/lib/svc/method/rpc-bind start" failed with exit status 1.
Sep 30 11:55:08 svc.startd[26453]: svc:/network/rpc/bind:default: Method 
"/lib/svc/method/rpc-bind start" failed with exit status 1.
Sep 30 11:55:09 svc.startd[26453]: svc:/network/rpc/bind:default: Method 
"/lib/svc/method/rpc-bind start" failed with exit status 1.
Sep 30 11:55:09 svc.startd[26453]: network/rpc/bind:default failed: 
transitioned to maintenance (see 'svcs -xv' for details)
Sep 30 11:55:15 test1 sendmail[26952]: My unqualified host name (test1) 
unknown; sleeping for retry

test1 console login: Sep 30 11:55:29 test1 java[27022]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Sep 30 11:55:29 test1 java[27022]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Sep 30 11:55:42 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100083_1/rpc_tcp:default in repository: entity not found
Sep 30 11:55:42 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100083_1/rpc_tcp:default in repository: No such file or 
directory
Sep 30 11:55:43 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100083_1/rpc_tcp:default in repository: entity not found
Sep 30 11:55:43 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100083_1/rpc_tcp:default in repository: No such file or 
directory
Sep 30 11:55:43 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100068_2-5/rpc_udp:default in repository: entity not found
Sep 30 11:55:43 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100068_2-5/rpc_udp:default in repository: No such file or 
directory
Sep 30 11:55:44 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100068_2-5/rpc_udp:default in repository: entity not found
Sep 30 11:55:44 test1 inetd[26939]: Failed to update state of instance 
svc:/network/rpc-100068_2-5/rpc_udp:default in repository: No such file or 
directory
Sep 30 11:55:46 test1 java[27322]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Sep 30 11:55:46 test1 java[27322]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Sep 30 11:55:52 test1 inetd[26939]: Failed to register version 1 of RPC service 
instance svc:/application/font/stfsloader:default, netid ticotsord
Sep 30 11:55:52 test1 inetd[26939]: Too many bind failures for instance 
svc:/application/font/stfsloader:default, transitioning to maintenance
Sep 30 11:55:53 test1 inetd[26939]: Failed to register version 1 of RPC service 
instance svc:/network/security/ktkt_warn:default, netid ticotsord
Sep 30 11:55:53 test1 inetd[26939]: Too many bind failures for instance 
svc:/network/security/ktkt_warn:default, transitioning to maintenance

Sep 30 11:55:54 test1 inetd[26939]: Too many bind failures for instance 
svc:/network/rpc-100235_1/rpc_ticotsord:default, transitioning to maintenance
Sep 30 11:56:02 test1 keytool[27502]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Sep 30 11:56:02 test1 keytool[27502]: libpkcs11: 
/usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature 
verification. System may have been tampered with. See cryptoadm(1M). Skipping 
this plug-in.
Terminated  ( <---- I killed the console session here )

So when I log in to the zone as the root user or with zlogin, there are no problems:
# zlogin test1
[Connected to zone 'test1' pts/5]
Last login: Wed Sep 23 07:57:50 on pts/4
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# bash
bash-3.00# 

I created a user in the zone and gave the user a home directory and password:

bash-3.00# mkdir /export/home
bash-3.00# useradd -c 'Test User' -d /export/home/tuser1 -m -s /bin/bash tuser1
64 blocks
bash-3.00# passwd tuser1
New Password:
Re-enter new Password:
passwd: password successfully changed for tuser1

Now I try to su for the user I created:

bash-3.00# su - tuser1
su: No directory!

I decide to login with ssh from the global zone:

# exit

[Connection to zone 'test1' pts/5 closed]
# ssh tus...@192.168.1.133
Password:
Could not chdir to home directory /export/home/tuser1: Permission denied
/bin/bash: Permission denied
Connection to 192.168.1.133 closed.

Now, I know that some of the zone files were given 700 permissions, which I did 
not do. Please note that I am not talking about giving the /zones/test1 zone 700 
before copying/migrating data. I am talking about the actual zone files, which 
had these settings from the beginning:

# ls -la /zones/test1/
total 17
drwx------   5 root     root           5 Sep 30 13:51 .
drwx------   3 root     root           3 Sep 30 00:30 ..
drwx------  12 root     root          54 Sep 30 13:53 dev
drwxr-xr-x   2 root     root           2 Sep 23 10:08 lu
drwx------  18 root     root          21 Sep 30 13:56 root

Note that the root directory and dev directory inside the /zones/test1 zone have 
700. However, when I compared the top-level root with some of the other zones I 
have, I saw that the other zones had 755 for the root directory (and dev).

So I tried to apply 755 to root and attempt to login:
# chmod 755 root
# zlogin test1
[Connected to zone 'test1' pts/4]
Last login: Wed Sep 30 11:57:37 on pts/5
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# su - tuser1
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
-bash-3.00$

So I got su working, but I am still having ssh issues from the global zone:
-bash-3.00$ exit
logout
# exit

[Connection to zone 'test1' pts/4 closed]
r...@ot102# ssh tus...@192.168.1.133
Password:
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
                                                                                
         #  <--- I have a cursor waiting somewhere around here in a frozen 
state, and I can't type anything and nothing works.

I suspect that the zone already had its permission set changed. Do you guys 
know any way to fix this? What directory tree permissions need to be changed so 
that the zone can function properly? 

Any tips? Any suggestions?

Sorry for the long post, but please let me know if you need me to post anything 
else....
Thanks.
-- 
This message posted from opensolaris.org
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
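
Added example, not part of the original post: "su: No directory!" and "Could not chdir to home directory ... Permission denied" are what a non-root user gets when a directory on the way to the home directory lacks search permission for others. The function below lists every such directory under a base, checking the whole path rather than only the one directory the post changed. The names blocked_dirs and other_can_search are made up for this example.

```shell
#!/bin/bash
# Added example, not from the original post. Needs a POSIX shell
# (bash or ksh on Solaris 10, not the legacy Bourne /bin/sh).
# Only ls -ld is used to read modes, so stat(1) is not required.

# other_can_search DIR: succeed if "other" has the search (x) bit on DIR.
# Character 10 of the ls mode string is other-execute: x, t (sticky + x),
# T (sticky, no x) or - (no x). An ACL marker, if any, is character 11.
other_can_search() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# blocked_dirs BASE REL: print BASE and each directory below it on the way
# to BASE/REL that a non-root, non-owner user cannot traverse.
blocked_dirs() {
    base=${1%/}
    rel=$2
    cur=${base:-/}
    other_can_search "$cur" || printf '%s\n' "$cur"
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting REL on "/"
    set -- $rel
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=${cur%/}/$part
        [ -d "$cur" ] || break  # stop at the first missing component
        other_can_search "$cur" || printf '%s\n' "$cur"
    done
}

# Usage with the paths from the post, run from the global zone:
#   blocked_dirs /zones/test1/root export/home/tuser1
# or inside the zone:
#   blocked_dirs / export/home/tuser1
```
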
