The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Task Map: Preparing For and Enabling Trusted Extensions.
| Task | Description | For Instructions |
|---|---|---|
| 1. Run the txzonemgr script. | The txzonemgr script creates a GUI that presents the appropriate tasks as you configure your zones. | |
| 2. Create, install, boot, and halt the first zone. | In the default configuration, create the PUBLIC zone. This zone forms the template for other labeled zones. | |
| 3. Manage network interfaces in the global zone. | Configure interfaces in the global zone, or create logical interfaces and configure them in the global zone. | |
| 4. Create a clone. | Clone the first zone. The clone is not assigned a label. | |
| 5. Verify that the first zone is working correctly. | Test the connection with a non-Trusted Extensions system. | |
| 6. Label the cloned zone. | Add a label to a cloned zone. | |
| 7. Create a zone from a snapshot. | Create the rest of the zones. | |
| 8. Create a labeled working environment. | Activate the PUBLIC and INTERNAL workspaces. | |
This script steps you through the tasks to properly configure, install, initialize, and boot labeled zones. In the script, you name each zone, associate the name with a label, install the packages to create a virtual OS, and then boot the zone to start services in that zone. The script includes copy zone and clone zone tasks. You can also halt a zone, change the state of a zone, and add zone-specific network interfaces.
This script presents a dynamically determined menu that displays only valid choices for the current circumstances. For instance, if the status of a zone is configured, the Install zone menu item is not displayed. Tasks that are completed do not display in the list.
You have assumed the root role.
Open a terminal window in the fourth workspace.
Run the txzonemgr script.
# /usr/sbin/txzonemgr
The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your installation.
To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.
To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager.
You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system.
You are in the root role. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.
You have not created a zone yet.
Click OK in the following dialog box:
Do you want to create the public zone using default settings?
After the public zone is created, another terminal window appears. Its title is Zone Terminal Console: public. The public zone boots, initializes, and then prompts for the root password.
Press the F2 key twice to provide the password for the root role.
The zone reboots.
The Labeled Zone Manager dialog box displays the state and options for the public zone.
Halt the public zone by selecting Halt from the Labeled Zone Manager.
In the Zone Terminal Console window, a notice appears: Notice: Zone Halted
From the public zone options list, click Select another zone...
In this task, you configure the networking in the global zone. You must create exactly one all-zones interface. An all-zones interface is shared by the labeled zones and the global zone. The shared interface is used to route traffic between the labeled zones and the global zone. To configure this interface, do one of the following:
Create a logical interface from a physical interface, then share the physical interface.
This configuration is the simplest to administer. Choose this configuration when your system has been assigned two IP addresses. In this procedure, the logical interface becomes the global zone's specific address, and the physical interface is shared between the global zone and the labeled zones.
Share a physical interface
Choose this configuration when your system has been assigned one IP address. In this configuration, the physical interface is shared between the global zone and the labeled zones.
Share a virtual network interface, vni0
Choose this configuration when you are configuring DHCP, or when each subnetwork is at a different label. For a sample procedure, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.
In the Solaris Express Community Edition, the loopback interface in Trusted Extensions is created as an all-zones interface. Therefore, you do not need to create a vni0 shared interface.
To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to Route an Existing Labeled Zone.
The public zone is halted.
The Labeled Zone Manager is displayed. To open this GUI, see Run the txzonemgr Script.
From the public zone options list, you have clicked Select another zone...
In the Labeled Zone Manager, select the global zone.
Select Configure Network Interfaces.
A list of interfaces is displayed. Look for an interface that is listed with the following characteristics:
Type of physical
IP address of your hostname
Template of cipso
State of Up
Select the interface that corresponds to your hostname.
From the list of commands, select Share with Shared-IP Zones.
Click Cancel to return to the global zone command list.
To connect to other systems on your network that are running Trusted Extensions, select Add Multilevel Access to Remote Host...
You have completed Create the First Labeled Zone and Configure the Network Interfaces in Trusted Extensions. The public zone is still halted.
The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.
From the Labeled Zone Manager, select Create a new zone...
You are prompted to Enter Zone Name.
Type snapshot as the zone name.
A list of options appears for the snapshot zone.
Select Clone...
A list of installed zones appears. The list includes the name public.
Double-click public.
The snapshot zone does not install automatically. Select Set Manual Booting.
The snapshot zone is never booted, so it does not need a label. Verify that the Boot option is not available.
The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.
The Labeled Zone Manager dialog box displays the global zone.
Select Select another zone and choose public.
Select Add Single-level Access to Remote Host...
Enter the IP address of a system on your network that is not running Trusted Extensions.
Select Boot.
The zone booting messages appear in the Zone Console window.
In the public: Zone Console Terminal window, log in as root.
Run the ifconfig -a command.
# ifconfig -a
Verify that the primary interface and IP address are available in this zone.
Verify that you can ping the host to which you previously added single-level access.
# ping remote-single-level-host
Log out and close the Zone Console Terminal window.
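The interface check in the preceding steps can be scripted so that the result is unambiguous rather than read by eye from `ifconfig -a` output. The following is an added example and not part of the original procedure; the interface name e1000g0, the 192.0.2.x addresses, and the sample output are constructed assumptions.

```shell
# Constructed sample of `ifconfig -a` output as it might appear inside the
# public zone (interface name and addresses are assumed, not from the page).
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255'

# iface_has_addr IFACE ADDR OUTPUT
# Succeeds (exit 0) only when OUTPUT lists IFACE with the UP flag and an
# "inet ADDR" line, i.e. the shared interface is really visible in the zone.
iface_has_addr() {
    printf '%s\n' "$3" | awk -v iface="$1" -v addr="$2" '
        /^[A-Za-z0-9:]+:/ {                 # interface header line, e.g. "e1000g0:"
            cur = $1; sub(/:$/, "", cur)
            up[cur] = ($0 ~ /<[^>]*UP[,>]/)  # UP appears in the flags list
        }
        $1 == "inet" && cur == iface && $2 == addr && up[cur] { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_zone_net IFACE ADDR [OUTPUT]
# Verifies that the primary interface carries the expected address in this
# zone. OUTPUT defaults to live `ifconfig -a`; pass captured text to check
# offline. The ping step of the procedure is still run by hand afterwards.
check_zone_net() {
    out=${3:-$(ifconfig -a 2>/dev/null)}
    if ! iface_has_addr "$1" "$2" "$out"; then
        echo "FAIL: $1 is not up with address $2 in this zone" >&2
        return 1
    fi
    echo "OK: $1 is up with address $2"
    return 0
}

# Demonstrate on the constructed sample; on a real zone, omit the third
# argument so the live ifconfig output is examined instead.
check_zone_net e1000g0 192.0.2.10 "$SAMPLE_IFCONFIG"
```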
This procedure creates the internal zone. Use this procedure to create the rest of your labeled zones.
You are in the root role. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.
You have completed Clone the First Zone in Trusted Extensions.
In the Labeled Zone Manager, select Select another zone.
Choose global.
Select Create a new zone...
The Enter Zone Name: prompt appears.
Type internal.
A one-item list for the internal zone appears.
Choose Select Label....
From the label selection dialog box, select INTERNAL USE ONLY from the Sensitivity column and click OK.
In the list of options for the internal zone, select Clone....
Select snapshot from the list of installed zones.
snapshot is the only item in the list.
Select Boot.
This procedure creates two labeled workspaces and opens a labeled window in a labeled workspace.
You have completed Create a Zone From the Snapshot.