Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

This procedure sets zone-specific default routes for existing labeled zones. In this configuration, the labeled zones do not use the global zone for routing.

The labeled zone's network interface must be plumbed in the global zone before the zone is booted. However, to isolate the labeled zone from the global zone, the interface must be in the down state when the zone is booted. For more information, see Chapter 17, Non-Global Zone Configuration (Overview), in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

Note –

A unique default route must be configured for every non-global zone that is booted.

Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones. You are using either the vni0 interface or the lo0 interface to connect the labeled zones to the global zone.

  1. For every network interface, determine its IP address, netmask, and default router.

    Use the ifconfig -a command to determine the IP address and netmask. Use the zonecfg -z zonename info net command to determine if a default router has been assigned.

  2. Create an empty /etc/hostname.interface file for each labeled zone.

    # touch /etc/hostname.interface
    # touch /etc/hostname.interface:n

    For more information, see the netmasks(4) man page.

  3. Plumb the network interfaces of the labeled zones.

    # ifconfig zone1-network-interface plumb
    # ifconfig zone2-network-interface plumb

  4. Verify that the labeled zone's interfaces are in the down state.

    # ifconfig -a
    zone1-network-interface zone1-IP-address down
    zone2-network-interface zone2-IP-address down

    The zone-specific addresses are configured when the zone is booted.

  5. For each interface's network, add an entry to the /etc/netmasks file.

    ## /etc/netmasks in global zone

    For more information, see the netmasks(4) man page.

  6. Assign a security template to each zone-specific network interface.

    Create security templates of host type cipso that reflect the label of every network. To create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

  7. Run the txzonemgr script, and open a separate terminal window.

    In the Labeled Zone Manager, you will add the network interfaces for the labeled zones. In the terminal window, you will display information about the zone and set the default router.

  8. For every zone to which you are going to add a zone-specific network interface and router, complete the following steps:

    1. In the terminal window, halt the zone.

      # zoneadm -z zone-name halt

    2. In the Labeled Zone Manager, do the following:

      1. Select the zone.

      2. Select Add Network.

      3. Name the network interface.

      4. Type the IP address of the interface.

      5. In the terminal window, verify the zone configuration.

        # zonecfg -z zone-name info net
        net:   address: IP-address
               physical: zone-network-interface
               defrouter not specified

    3. In the terminal window, configure the default router for the labeled zone's network.

      # zonecfg -z zone-name
      zonecfg:zone-name> select net address=IP-address
      zonecfg:zone-name:net> set defrouter=router-address
      zonecfg:zone-name:net> end
      zonecfg:zone-name> verify
      zonecfg:zone-name> commit
      zonecfg:zone-name> exit

      For more information, see the zonecfg(1M) man page and How to Configure the Zone in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

    4. Boot the labeled zone.

      # zoneadm -z zone-name boot

    5. In the global zone, verify that the labeled zone has a route to the gateway for the subnet.

      # netstat -rn

      A routing table is displayed. The destination and interface for the labeled zone are different from the entry for the global zone.

  9. To remove the default route, select the zone's IP address, then remove the route.

    # zonecfg -z zone-name
    zonecfg:zone-name> select net address=zone-IP-address
    zonecfg:zone-name:net> remove net defrouter=zone-default-route
    zonecfg:zone-name:net> info net
       address: zone-IP-address
       physical: zone-network-interface
       defrouter not specified
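The two verification points of this procedure, that a zone's net resource carries a defrouter (steps 8c and 9) and that the global zone's routing table shows the zone's gateway route on a different interface from the global zone's own default route (step 8e), can be checked mechanically. The following POSIX shell script is an added example and is not part of the Oracle documentation or of Trusted Extensions: the function names zone_defrouter_set and zone_route_isolated are assumptions, and the sample zonecfg and netstat output it parses is constructed, with 192.0.2.0/24 and 198.51.100.0/24 documentation addresses standing in for real hosts. On a live system the functions are fed the command output directly, as the comment at the top shows.

```shell
#!/bin/sh
# Added example; not part of the Oracle Solaris documentation.
# Checks for the procedure's verification points: that a labeled zone's net
# resource has a defrouter, and that the global zone's routing table carries
# the zone's gateway route on an interface other than the one used by the
# global zone's own "default" route. Each function reads command output from
# its first argument, so on a live system they are called like:
#   zone_defrouter_set "$(zonecfg -z secret info net)"
#   zone_route_isolated "$(netstat -rn)" qfe1
# The sample outputs below are constructed; 192.0.2.0/24 and 198.51.100.0/24
# are documentation placeholders, not real hosts.

# zone_defrouter_set INFO_NET_TEXT
# Exit 0 when "info net" output lists a defrouter value, 1 otherwise
# (including the "defrouter not specified" form shown in the procedure).
zone_defrouter_set() {
    printf '%s\n' "$1" | awk '
        $1 == "defrouter:" && NF >= 2    { ok = 1 }
        $1 == "defrouter" && $2 == "not" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# zone_route_isolated NETSTAT_RN_TEXT ZONE_INTERFACE
# Exit 0 when the IPv4 table has a gateway (G flag) route whose interface is
# ZONE_INTERFACE and that interface differs from the one carrying the
# "default" destination (the global zone's route). Exit 1 when the zone has
# no gateway route or shares the global zone's interface, which is the
# configuration this procedure is meant to avoid.
zone_route_isolated() {
    printf '%s\n' "$1" | awk -v zif="$2" '
        # Data rows: six columns, upper-case flag letters, numeric Ref.
        NF == 6 && $3 ~ /^[A-Z]+$/ && $4 ~ /^[0-9]+$/ {
            if ($1 == "default") global_if = $6
            if ($6 == zif && index($3, "G") > 0) zone_gw = $2
        }
        END {
            if (zone_gw == "" || global_if == "" || zif == global_if) exit 1
            exit 0
        }'
}

# Constructed sample outputs in the shapes the procedure shows.
SAMPLE_NET_SET='net:
        address: 192.0.2.10
        physical: qfe1
        defrouter: 192.0.2.1'

SAMPLE_NET_UNSET='net:
        address: 192.0.2.10
        physical: qfe1
        defrouter not specified'

SAMPLE_NETSTAT='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              198.51.100.1         UG        1       2664 qfe0
192.0.2.0            192.0.2.1            UG        1        240 qfe1
192.0.2.0            192.0.2.10           U         1        183 qfe1:0
127.0.0.1            127.0.0.1            UH        1        380 lo0'

# Run every check over the samples; return 0 only when all expectations hold.
run_checks() {
    zone_defrouter_set "$SAMPLE_NET_SET"       || return 1
    zone_defrouter_set "$SAMPLE_NET_UNSET"     && return 1
    zone_route_isolated "$SAMPLE_NETSTAT" qfe1 || return 1
    zone_route_isolated "$SAMPLE_NETSTAT" qfe0 && return 1   # global zone's interface
    zone_route_isolated "$SAMPLE_NETSTAT" qfe9 && return 1   # no such route
    return 0
}

run_checks && echo "all routing checks passed"
```

The interface test deliberately requires a G-flagged route: the U-only entry for qfe1:0 is the directly connected subnet, and its presence alone does not show that the zone has its own gateway.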

Example 4–5 Setting a Default Route for a Labeled Zone

In this example, the administrator routes the Secret zone to a separate physical subnet. Traffic to and from the Secret zone is not routed through the global zone. The administrator uses the Labeled Zone Manager and the zonecfg command, then verifies that routing works.

The administrator determines that qfe1 and qfe1:0 are not currently in use, and creates a mapping for two labeled zones. qfe1 is the designated interface for the Secret zone.

Interface IP Address    Netmask        Default Router

First, the administrator creates the /etc/hostname.qfe1 file and configures the /etc/netmasks file.

# touch /etc/hostname.qfe1

# cat /etc/netmasks
## /etc/netmasks in global zone

Then, the administrator plumbs the network interface and verifies that the interface is down.

# ifconfig qfe1 plumb
# ifconfig -a

Then, in the Solaris Management Console, the administrator creates a security template with a single label, Secret, and assigns the IP address of the interface to the template.

The administrator halts the zone.

# zoneadm -z secret halt

The administrator runs the txzonemgr script to open the Labeled Zone Manager.

# /usr/sbin/txzonemgr

In the Labeled Zone Manager, the administrator selects the Secret zone, selects Add Network, and then selects a network interface. The administrator closes the Labeled Zone Manager.

On the command line, the administrator selects the zone's IP address, then sets its default route. Before exiting the command, the administrator verifies the route and commits it.

# zonecfg -z secret
zonecfg:secret> select net address=
zonecfg:secret:net> set defrouter=
zonecfg:secret:net> end
zonecfg:secret> verify
zonecfg:secret> commit
zonecfg:secret> info net
     physical: qfe1
zonecfg:secret> exit

The administrator boots the zone.

# zoneadm -z secret boot

In a separate terminal window in the global zone, the administrator verifies the sending and receiving of packets.

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use  Interface
-------------------- -------------------- ----- ----- ------- ---------
default                                   UG        1    2664 qfe0
                                          UG        1     240 qfe1
                                          U         1     183 qfe1:0
                                          UH        1     380 lo0