Oracle Solaris Trusted Extensions Configuration Guide

Appendix B Using CDE Actions to Install Zones in Trusted Extensions

This appendix covers how to configure labeled zones in Trusted Extensions by using Trusted CDE actions. If you are running the Solaris 10 11/06 release without patches, or if you are familiar with these actions, use the Trusted CDE actions. To use the txzonemgr script, see Creating Labeled Zones.

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Do only one of the following tasks. For the trade-offs, see Planning for Multilevel Access.

Task: Share a logical interface.
Description: Map the global zone to one IP address, and map the labeled zones to a different IP address.
For Instructions: Specify Two IP Addresses for the System by Using a CDE Action

Task: Share a physical interface.
Description: Map all zones to one IP address.
For Instructions: Specify One IP Address for the System by Using a CDE Action

Procedure: Specify Two IP Addresses for the System by Using a CDE Action

In this configuration, the host's address applies only to the global zone. Labeled zones share a second IP address with the global zone.

Before You Begin

You are superuser in the global zone. The system has already been assigned two IP addresses. You are in a Trusted CDE workspace.

  1. Navigate to the Trusted_Extensions folder.

    1. Click mouse button 3 on the background.

    2. From the Workspace menu, choose Applications -> Application Manager.

    3. Double-click the Trusted_Extensions folder icon.

      This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

  2. Double-click the Share Logical Interface action and answer the prompts.


    Note –

    The system must already have been assigned two IP addresses. For this action, provide the second address and a host name for that address. The second address is the shared address.



    Hostname:   Type the name for your labeled zones interface
    IP Address: Type the IP address for the interface
    

    This action configures a host with more than one IP address. The global zone's IP address is associated with the host name. The IP address for the labeled zones has a different host name, and that address is shared with the global zone. When this configuration is used, labeled zones are able to reach a network printer.


    Tip –

    Use a standard naming convention for labeled zones. For example, add -zones to the host name.


  3. (Optional) In a terminal window, verify the results of the action.


    # ifconfig -a
    

    For example, the following output shows a shared logical interface, hme0:3, with the IP address 192.168.0.12 for the labeled zones. The hme0 interface carries the unique IP address of the global zone.


     lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             inet 127.0.0.1 netmask ff000000 
             ether 0:0:00:00:00:0
     hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
             inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255
     hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
             all-zones
             inet 192.168.0.12 netmask fffffe00 broadcast 192.168.0.255

    Starting in the Solaris 10 10/08 release, the loopback interface, lo0, is also an all-zones interface:


      lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             all-zones
             inet 127.0.0.1 netmask ff000000 
             ether 0:0:00:00:00:0
    ...

Procedure: Specify One IP Address for the System by Using a CDE Action

In this configuration, the host's address applies to all the zones, including the labeled zones.

Before You Begin

You are superuser in the global zone. You are in a Trusted CDE workspace.

  1. Navigate to the Trusted_Extensions folder.

    1. Click mouse button 3 on the background.

    2. From the Workspace menu, choose Applications -> Application Manager.

    3. Double-click the Trusted_Extensions folder icon.

      This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

  2. Double-click the Share Physical Interface action.

    This action configures a host with one IP address. The global zone does not have a unique address. This system cannot be used as a multilevel print server or NFS server.

  3. (Optional) In a terminal window, verify the results of the action.


    # ifconfig -a
    

    The Share Physical Interface action configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.

    For example, the following output shows the shared physical interface, hme0, with the IP address 192.168.0.11 for all the zones.


    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
           inet 127.0.0.1 netmask ff000000
           ether 0:0:00:00:00:0
    hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
           all-zones
           inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255

    Starting in the Solaris 10 10/08 release, the loopback interface, lo0, is also an all-zones interface:


      lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             all-zones
             inet 127.0.0.1 netmask ff000000 
             ether 0:0:00:00:00:0
    ...
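The ifconfig -a listings in this procedure and in the previous one differ only in which interface carries the all-zones line: with a shared logical interface the global zone keeps a unique address (hme0) and the labeled zones share hme0:3, while with a shared physical interface every non-loopback interface is all-zones. The following shell script is an added example and is not part of the Oracle guide. It parses ifconfig -a output in the format shown, tags each interface as all-zones or global-only, and names the resulting address model. It reads its input from standard input, so it runs offline on the constructed sample listings embedded in the script (the hme0 names and 192.168.0.x addresses are copied from the listings above; the function names and the model labels are this example's own).

```shell
#!/bin/sh
# Added example (not from the Oracle guide): classify the interfaces in
# "ifconfig -a" output and name the zone address model that results.
# Input is read from stdin so that constructed listings can be checked offline.

# classify_ifconfig: one line per interface, "<name> <inet addr> <scope>",
# where scope is "all-zones" if the interface has that flag line,
# otherwise "global-only".
classify_ifconfig() {
  awk '
    /^[^ \t]/ {                          # unindented line starts a new interface
      if (name != "") print name, addr, scope
      name = $1; sub(/:$/, "", name)    # "hme0:" -> "hme0"; "hme0:3" is unchanged
      addr = "-"; scope = "global-only"
      next
    }
    $1 == "all-zones" { scope = "all-zones" }
    $1 == "inet"      { addr = $2 }
    END { if (name != "") print name, addr, scope }
  '
}

# address_model: reads classify_ifconfig output and reports which of the
# appendix's two configurations is present. Loopback is ignored because
# lo0 is all-zones on Solaris 10 10/08 and later regardless of the choice.
#   two-addresses : global zone keeps a unique address, labeled zones share another
#   one-address   : every non-loopback interface is all-zones
address_model() {
  awk '
    $1 ~ /^lo[0-9]/ { next }
    $3 == "all-zones"   { shared++ }
    $3 == "global-only" { unique++ }
    END {
      if (shared == 0)      print "no-all-zones-interface"
      else if (unique > 0)  print "two-addresses"
      else                  print "one-address"
    }
  '
}

# Constructed sample listings, copied from the guide's two examples.
SAMPLE_TWO_ADDR='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255
hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.168.0.12 netmask fffffe00 broadcast 192.168.0.255'

SAMPLE_ONE_ADDR='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255'

# model_of LISTING: address model of a listing held in a shell variable.
model_of() {
  printf '%s\n' "$1" | classify_ifconfig | address_model
}

printf '%s\n' "$SAMPLE_TWO_ADDR" | classify_ifconfig
echo "two-address sample -> $(model_of "$SAMPLE_TWO_ADDR")"   # two-addresses
echo "one-address sample -> $(model_of "$SAMPLE_ONE_ADDR")"   # one-address
# On a live system: ifconfig -a | classify_ifconfig | address_model
```

The model matters for the restriction stated in step 2 of this procedure: a system that reports one-address has no unique global-zone address and so cannot serve as a multilevel print server or NFS server, while no-all-zones-interface means the labeled zones have no shared interface at all.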

Preparing to Create Zones by Using CDE Actions (Task Map)

The following task map describes the tasks for preparing the system for zone creation. For a discussion of zone creation methods, see Planning for Zones in Trusted Extensions.

Task: 1. Name each zone, and link the zone name to the zone label.
Description: Name each labeled zone with a version of its label, then associate the name with the label in the Solaris Management Console.
For Instructions: Specify Zone Names and Zone Labels by Using a CDE Action

Task: 2. Configure the network before creating the zones.
Description: Assign a label to the network interface on every host, and do further configuration.
For Instructions: Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures

Procedure: Specify Zone Names and Zone Labels by Using a CDE Action

You do not have to create a zone for every label in your label_encodings file, but you can. The tnzonecfg database enumerates the labels that can have zones created for them on this system.

  1. Navigate to the Trusted_Extensions folder.

    1. Click mouse button 3 on the background.

    2. From the Workspace menu, choose Applications -> Application Manager.

    3. Double-click the Trusted_Extensions folder icon.

  2. For every zone, name the zone.

    1. Double-click the Configure Zone action.

    2. At the prompt, provide a name.


      Tip –

      Give the zone a similar name to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL : INTERNAL USE ONLY would be internal.


  3. Repeat the Configure Zone action for every zone.

    For example, the default label_encodings file contains the following labels:


    PUBLIC
    CONFIDENTIAL: INTERNAL USE ONLY
    CONFIDENTIAL: NEED TO KNOW
    CONFIDENTIAL: RESTRICTED
    SANDBOX: PLAYGROUND
    MAX LABEL

    Although you could run the Configure Zone action six times to create one zone per label, consider creating the following zones:

    • On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.

    • On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.

    • Do not create a zone for the MAX LABEL label, which is defined to be a clearance.

  4. Open the Trusted Network Zones tool.

    The tools in the Solaris Management Console are designed to prevent user error. These tools check for syntax errors and automatically run commands in the correct order to update databases.

    1. Start the Solaris Management Console.


      # /usr/sbin/smc &
      
    2. Open the Trusted Extensions toolbox for the local system.

      1. Choose Console -> Open Toolbox.

      2. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).

      3. Click Open.

    3. Under System Configuration, navigate to Computers and Networks.

      Provide a password when prompted.

    4. Double-click the Trusted Network Zones tool.

  5. For each zone, associate the appropriate label with a zone name.

    1. Choose Action -> Add Zone Configuration.

      The dialog box displays the name of a zone that does not have an assigned label.

    2. Look at the zone name, then click Edit.

    3. In the Label Builder, click the appropriate label for the zone name.

      If you click the wrong label, click the label again to deselect it, then click the correct label.

    4. Save the assignment.

      Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box.

    You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name.

Troubleshooting

If the Trusted Network Zones Properties dialog box does not prompt for a zone that you want to create, either the zone network configuration file does not exist, or you have already created the file.

Creating Labeled Zones by Using CDE Actions (Task Map)

One zone can be created for every entry in the Trusted Network Zone Configuration database. You made the entries in Specify Zone Names and Zone Labels by Using a CDE Action, by running the Configure Zone action.

The Trusted_Extensions folder in the Application Manager contains the following actions that create labeled zones:

The tasks are completed in the following order.

Task: 1. Install and boot one zone.
Description: Create the first labeled zone. Install the packages, make the zone an LDAP client, and start all services in the zone.
For Instructions: Install, Initialize, and Boot a Labeled Zone by Using CDE Actions

Task: 2. Customize the zone.
Description: Remove unwanted services. If you plan to copy or clone the zone, remove zone-specific information.
For Instructions: Customize a Booted Zone in Trusted Extensions

Task: 3. Create the other zones.
Description: Use one of the following methods to create the other zones. You chose the method in Make System and Security Decisions Before Enabling Trusted Extensions.

    • Create each zone from scratch.
      For Instructions: Install, Initialize, and Boot a Labeled Zone by Using CDE Actions; Resolve Local Zone to Global Zone Routing in Trusted CDE; Customize a Booted Zone in Trusted Extensions

    • Copy the first labeled zone to another label. Repeat for all zones.
      For Instructions: Use the Copy Zone Method in Trusted Extensions

    • Use a ZFS snapshot to clone the other zones from the first labeled zone.
      For Instructions: Use the Clone Zone Method in Trusted Extensions

Procedure: Install, Initialize, and Boot a Labeled Zone by Using CDE Actions

Because zone creation involves copying an entire operating system, the process is time-consuming. A faster process is to create one zone, make the zone a template for other zones, and then copy or clone that zone template.

Before You Begin

You have completed Specify Zone Names and Zone Labels by Using a CDE Action.

If you are using LDAP as your naming service, you have completed Make the Global Zone an LDAP Client in Trusted Extensions.

If you are going to clone zones, you have completed Create ZFS Pool for Cloning Zones. In the following procedure, you install the zone that you prepared.

  1. In the Trusted_Extensions folder, double-click the Install Zone action.

    1. Type the name of the zone that you are installing.

      This action creates a labeled virtual operating system. This step takes some time to finish. Do not do other tasks on the system while Install Zone is running.


      # zone-name: Install Zone
      Preparing to install zone <zone-name>
      Creating list of files to copy from the global zone
      Copying <total> files to the zone
      Initializing zone product registry
      Determining zone package initialization order.
      Preparing to initialize <subtotal> packages on the zone.
      Initializing package <number> of <subtotal>: percent complete: percent
      
      Initialized <subtotal> packages on zone.
      Zone <zone-name> is initialized.
      The file /zone/internal/root/var/sadm/system/logs/install_log 
      contains a log of the zone installation.
      
      *** Select Close or Exit from the window menu to close this window ***
    2. Open a console to monitor events in the installed zone.

      1. Double-click the Zone Terminal Console action.

      2. Type the name of the zone that was just installed.

  2. Initialize the zone.

    • If you are using LDAP, double-click the Initialize Zone for LDAP action.


      Zone name:              Type the name of the installed zone
      Host name for the zone: Type the host name for this zone
      

      For example, on a system with a shared logical interface, the values would be similar to the following:


      Zone name:              public
      Host name for the zone: machine1-zones
      

      This action makes the labeled zone an LDAP client of the same LDAP server that serves the global zone. The action is complete when the following information appears:


      zone-name zone will be  LDAP client of IP-address
      zone-name is ready for booting
      Zone label is LABEL
      
      *** Select Close or Exit from the window menu to close this window ***
    • If you are not using LDAP, initialize the zone manually by doing one of the following steps.

      The manual procedure in Trusted Extensions is identical to the procedure for the Solaris OS. If the system has at least one all-zones interface, then the hostname for all the zones must match the global zone's hostname. In general, the answers to the questions during zone initialization are the same as the answers for the global zone.

      Supply the host information by doing one of the following:

      • After you start the zone in Step 3, answer the questions in the Zone Terminal Console about system characteristics.

        Your answers are used to populate the sysidcfg file in the zone.


        Note –

        You must ensure that a route for the Trusted CDE desktop exists from the labeled zone to the global zone. For the procedure, see Resolve Local Zone to Global Zone Routing in Trusted CDE.


      • Place a custom sysidcfg file in the zone's /etc directory before booting the zone in Step 3.

  3. Double-click the Start Zone action.

    Answer the prompt.


    Zone name: Type the name of the zone that you are configuring
    

    This action boots the zone, then starts all the services that run in the zone. For details about the services, see the smf(5) man page.

    The Zone Terminal Console tracks the progress of booting the zone. Messages that are similar to the following appear in the console:


    [Connected to zone 'public' console]
    
    [NOTICE: Zone booting up]
    ...
    Hostname: zonename
    Loading smf(5) service descriptions: number/total
    Creating new rsa public/private host key pair
    Creating new dsa public/private host key pair
    
    rebooting system due to change(s) in /etc/default/init
    
    [NOTICE: Zone rebooting]
  4. Monitor the console output.

    Before continuing with Customize a Booted Zone in Trusted Extensions, make sure that the zone has rebooted. The following console login prompt indicates that the zone has rebooted.


    hostname console login:
Troubleshooting

For the Install Zone action: if a warning similar to the following is displayed, read the install log and finish installing the packages that are named: Installation of these packages generated errors: SUNWpkgname

Procedure: Resolve Local Zone to Global Zone Routing in Trusted CDE

For every zone to access Trusted CDE, the DISPLAY variable must resolve. In Trusted CDE, to resolve the variable, the nodename of the labeled zone, the nodename of the global zone, and the nodename of an all-zones interface must resolve to the identical name.

Before You Begin

You are using Trusted CDE and are manually initializing a labeled zone.

  1. Enable Trusted CDE to display at the label of a zone by using one of the following methods.

    • Method 1: Enable X server traffic with other systems.

      In this configuration, the labeled zones can reach other systems through the X server in the global zone.

      1. Ensure that the /etc/nodename file specifies the name of the system.


        ## /etc/nodename
        machine1
      2. Ensure that the /etc/hosts file specifies the name of the system.


        ## /etc/hosts
        192.168.2.3  machine1 loghost

        For ToolTalk™ services to work, the name of the system must be on the same line as loghost.

      3. Ensure that the /etc/hostname.interface file specifies the name of the system.

        In this configuration, machine1 is the all-zones interface for Trusted CDE.


        ## /etc/hostname.bge0
        machine1 all-zones
    • Method 2: Limit X server traffic to the local system.

      In this configuration, the labeled zones can communicate with the X server on the local system. However, no route exists from the local X server to other systems on the network. The route must use another interface.

      1. Ensure that the /etc/nodename file specifies the name of the system.


        ## /etc/nodename
        machine1
      2. Ensure that the /etc/hosts file specifies the name of the system.

        Starting with the Solaris 10 10/08 release, lo0 is an all-zones interface. In this case, the file appears similar to the following:


        ## /etc/hosts
        127.0.0.1  localhost  machine1 loghost

        You can also use the vni0 interface.

        For ToolTalk services to work, the name of the system must be on the same line as loghost.

    • Method 3: Resolve the DISPLAY variable in another way, such as routable addresses on per-zone logical interfaces.

      For that procedure, see Adding Network Interfaces and Routing to Labeled Zones.

  2. To boot the zone, return to Step 3 in Install, Initialize, and Boot a Labeled Zone by Using CDE Actions.
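Methods 1 and 2 above each come down to a consistency condition across /etc/nodename, /etc/hosts and /etc/hostname.interface. The shell script below is an added example and is not part of the Oracle guide. Given a directory that holds copies of those files, it checks that the nodename appears in hosts on the same line as loghost (the ToolTalk requirement) and that the name is bound to an all-zones interface, either through a hostname.* file (Method 1) or by resolving to the loopback address (Method 2, Solaris 10 10/08 or later). The function names, the directory argument in place of /etc, and the constructed sample directories are this example's own; machine1, the addresses and the bge0 interface name are taken from the procedure.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify the nodename/hosts/
# hostname.<interface> agreement that Trusted CDE needs to resolve DISPLAY
# from a labeled zone. DIR stands in for /etc so the check can run on copies.

# check_display_routing DIR
# Prints "method1: <file>", "method2: lo0", or "fail: <reason>".
# Returns 0 only when one of the two methods is satisfied.
check_display_routing() {
  dir=$1
  # /etc/nodename: the first non-comment, non-blank token is the system name.
  name=$(sed -e 's/#.*//' "$dir/nodename" | awk 'NF { print $1; exit }')
  if [ -z "$name" ]; then
    echo "fail: nodename is empty"; return 1
  fi
  # /etc/hosts: find the line that names the system; fields are re-joined
  # with single spaces so that the loghost test below ignores tabs.
  hostline=$(sed -e 's/#.*//' "$dir/hosts" | awk -v n="$name" '
    { for (i = 2; i <= NF; i++) if ($i == n) { $1 = $1; print; exit } }')
  if [ -z "$hostline" ]; then
    echo "fail: $name is not in hosts"; return 1
  fi
  # ToolTalk requires the system name and loghost on the same line.
  case " $hostline " in
    *" loghost "*) ;;
    *) echo "fail: $name is not on the loghost line"; return 1 ;;
  esac
  # Method 1: a hostname.<interface> file binds the name as all-zones.
  for f in "$dir"/hostname.*; do
    [ -f "$f" ] || continue
    if sed -e 's/#.*//' "$f" | awk -v n="$name" '
        $1 == n { for (i = 2; i <= NF; i++) if ($i == "all-zones") ok = 1 }
        END { exit !ok }'; then
      echo "method1: $(basename "$f")"; return 0
    fi
  done
  # Method 2: the name resolves to 127.0.0.1, and lo0 is an all-zones
  # interface from Solaris 10 10/08 on.
  case "$hostline" in
    "127.0.0.1 "*) echo "method2: lo0"; return 0 ;;
  esac
  echo "fail: $name is not bound to an all-zones interface"; return 1
}

# make_sample KIND: build a constructed /etc-like directory and print its path.
make_sample() {
  d=$(mktemp -d) || return 1
  printf '## /etc/nodename\nmachine1\n' > "$d/nodename"
  case $1 in
    method1)  # Method 1 files, as shown in the procedure
      printf '192.168.2.3  machine1 loghost\n' > "$d/hosts"
      printf 'machine1 all-zones\n' > "$d/hostname.bge0" ;;
    method2)  # Method 2: name on the loopback line, no hostname.* file
      printf '127.0.0.1  localhost  machine1 loghost\n' > "$d/hosts" ;;
    broken)   # name resolves, but loghost is on a different line
      printf '127.0.0.1  localhost loghost\n192.168.2.3  machine1\n' > "$d/hosts"
      printf '192.168.2.3\n' > "$d/hostname.bge0" ;;
  esac
  echo "$d"
}

for kind in method1 method2 broken; do
  sample=$(make_sample "$kind")
  printf '%-8s %s\n' "$kind" "$(check_display_routing "$sample")"
  rm -rf "$sample"
done
```

To run it against a live system, call check_display_routing /etc in the global zone; a fail result names the first condition that is not met, which is the one to repair before booting the zone in Step 3.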

Procedure: Customize a Booted Zone in Trusted Extensions

If you are going to clone zones, this procedure configures a zone to be a template for other zones. In addition, this procedure configures the zone for use.

  1. Ensure that the zone has been completely started.

    1. In the zone-name: Zone Terminal Console, log in as root.


      hostname console login: root
      Password: Type root password
      
    2. Check that the zone is running.

      The status running indicates that at least one process is running in the zone.


      # zoneadm list -v
      ID NAME        STATUS         PATH
       2 public      running        /
    3. Check that the zone can communicate with the global zone.

      The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use this service. Therefore, zone networking must work before the zone can be used. For assistance, see Labeled Zone Is Unable to Access the X Server.

  2. In the Zone Terminal Console, disable services that are unnecessary in a labeled zone.

    If you are copying or cloning this zone, the services that you disable are disabled in the new zones. The services that are online on your system depend on the service manifest for the zone. Use the netservices limited command to turn off services that labeled zones do not need.

    1. Remove many unnecessary services.


      # netservices limited
      
    2. List the remaining services.


      # svcs
      ...
      STATE        STIME      FMRI
      online       13:05:00   svc:/application/graphical-login/cde-login:default
      ...
    3. Disable graphical login.


      # svcadm disable svc:/application/graphical-login/cde-login
      # svcs cde-login
      STATE        STIME      FMRI
      disabled     13:06:22   svc:/application/graphical-login/cde-login:default

    For information about the service management framework, see the smf(5) man page.

  3. Shut down the zone.

    Choose one of the following ways:

    • Run the Shut Down Zone action.

      Provide the name of the zone.

    • In a terminal window in the global zone, use the zlogin command.


      # zlogin zone-name init 0

      For more information, see the zlogin(1) man page.

  4. Verify that the zone is shut down.

    In the zone-name: Zone Terminal Console, the following message indicates that the zone is shut down:


    [ NOTICE: Zone halted]

    If you are not copying or cloning this zone, create the remaining zones in the way that you created this first zone.

  5. If you are using this zone as a template for other zones, do the following:

    1. Remove the auto_home_zone-name file.

      In a terminal window in the global zone, remove this file from the zone-name zone.


      # cd /zone/zone-name/root/etc
      # ls auto_home*
      auto_home  auto_home_zone-name
      # rm auto_home_zone-name
      

      For example, if the public zone were the basis for cloning other zones, remove its auto_home_public file:


      # cd /zone/public/root/etc
      # rm auto_home_public
      
Next Steps

Procedure: Use the Copy Zone Method in Trusted Extensions

Before You Begin
  1. For every zone that you want to create, double-click the Copy Zone action.

    Answer the prompts.


    New Zone Name:     Type name of target zone
    From Zone Name:    Type name of source zone
    

    Caution –

    Do not perform other tasks while this task is completing.


  2. When the zones are created, check the status of every zone.

    1. Double-click the Zone Terminal Console action.

    2. Log in to each zone.

    3. Complete Verify the Status of the Zone.

Procedure: Use the Clone Zone Method in Trusted Extensions

Before You Begin
  1. Create a Solaris ZFS snapshot of the zone template.


    # cd /
    # zfs snapshot zone/zone-name@snapshot

    You use this snapshot to clone the remaining zones. For a configured zone that is named public, the snapshot command is the following:


    # zfs snapshot zone/public@snapshot
    
  2. For every zone that you want to create, double-click the Clone Zone action.

    Answer the prompts.


    New Zone Name:      Type name of target zone
    ZFS Snapshot:       Type name of snapshot
    
  3. Read the information in the dialog box.


    Zone label is <LABEL>
    zone-name is ready for booting
    
    *** Select Close or Exit from the window menu to close this window ***
  4. For each zone, run the Start Zone action.

    Start each zone before running the action for another zone.

  5. After the zones are created, check the status of every zone.

    1. Double-click the Zone Terminal Console action.

    2. Complete Verify the Status of the Zone.