|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10|
The following task map describes common tasks that are used to back up and restore data from labeled file systems, and to share and mount directories and files that are labeled.
This role includes the Media Backup rights profile.
This role includes the Media Restore rights profile.
/usr/lib/fs/ufs/ufsrestore for major restores
/usr/sbin/tar xT for small restores
A script calling either of these commands
For details on the T option to the tar command, see the tar(1) man page.
Caution - Only these commands preserve labels.
Note - This procedure and examples are for UFS file systems.
To mount or share directories that originate in labeled zones, create a dfstab file at the label of the zone, and then restart the zone to share the labeled directories.
You must be superuser, or in the System Administrator role in the global zone on the file server.
For each zone that will share a directory, repeat the following steps:
# mkdir -p /zone/zone-name/etc/dfs
# vi /zone/zone-name/etc/dfs/dfstab
The entry describes the directory from the perspective of the zone root path. For example, the following entry shares an application's files at the label of the containing zone:
share -F nfs -o ro /viewdir/viewfiles
In the global zone, run one of the following commands for each zone. Each zone can share its directories in any of these ways. The actual sharing occurs when each zone is brought into the ready or running state.
# zoneadm -z zone-name ready
# zoneadm -z zone-name boot
# zoneadm -z zone-name reboot
# showmount -e
Example 17-2 Sharing the /export/share Directory at the PUBLIC Label
For applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/share directory of the public zone. The zone named public runs at the label PUBLIC.
First, the administrator creates a public workspace and edits the dfstab file.
# mkdir -p /zone/public/etc/dfs # vi /zone/public/etc/dfs/dfstab
In the file, the administrator adds the following entry:
## Sharing PUBLIC user manuals share -F nfs -o ro /export/appdocs
The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this system, the administrator shares the files by putting the zone in the ready state:
# zoneadm -z public ready
Users can access the shared directories once the directories are mounted on the users' systems.
Note - This procedure and examples are for UFS file systems.
In Trusted Extensions, a labeled zone manages the mounting of files in its zone.
Files from unlabeled and labeled hosts can be mounted on a Trusted Extensions labeled host.
To mount the files read/write from a single-label host, the assigned label of the remote host must be identical to the zone in which the file is being mounted.
Files that are mounted by a higher-level zone are read-only.
In Trusted Extensions, the auto_home configuration file is customized per zone. The file is named by zone name. For example, a system with a global zone and a public zone has two auto_home files, auto_home_global and auto_home_public.
Trusted Extensions uses the same mounting interfaces as the Oracle Solaris OS:
To mount files at boot, use the /etc/vfstab file in the labeled zone.
To mount files dynamically, use the mount command in the labeled zone.
To automount home directories, use the auto_home_zone-name files.
To automount other directories, use the standard automount maps.
You must be on the client system, in the zone at the label of the files that you want to mount. Unless you are using the automounter, you must be superuser, or be in the System Administrator role. To mount from lower-level servers, the zone must be configured with the net_mac_aware privilege.
Most procedures include creating a workspace at a particular label. To create a workspace, see How to Add a Workspace at Your Minimum Label in Oracle Solaris Trusted Extensions User Guide.
In the labeled zone, use the mount command. For an example of mounting files dynamically, see Example 17-3.
In the labeled zone, add the mounts to the vfstab file.
For an example, see Example 17-6.
Example 17-3 Mounting Files in a Labeled Zone by Using the mount Command
In this example, the system administrator mounts a remote file system from a public zone. The public zone is on a multilevel server.
After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator runs the mount command.
# zonename public # mount -F nfs remote-sys:/zone/public/root/opt/docs /opt/docs
A single-label file server at the label PUBLIC also contains documents to be mounted:
# mount -F nfs public-sys:/publicdocs /opt/publicdocs
When the public zone of the remote-sys file server is in the ready or running state, the remote-sys files successfully mount on this system. When the public-sys file server is running, the files successfully mount.
Example 17-4 Mounting Files Read/Write in a Labeled Zone by Modifying the vfstab File
In this example, the system administrator mounts two remote file systems at the label PUBLIC in the local system's public zone when the public zone boots. One file system mount is from a multilevel system, and one file system mount is from a single-label system.
After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator modifies the vfstab file in that zone.
## Writable books directories at PUBLIC remote-sys:/zone/public/root/opt/docs - /opt/docs nfs no yes rw public-sys:/publicdocs - /opt/publicdocs nfs no yes rw
To access the files in the remote labeled zone of the multilevel system, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount. The path to the single-label system is identical to the path that would be used on an Oracle Solaris system.
In a terminal window at the label PUBLIC, the administrator mounts the files.
Example 17-5 Mounting Lower-Level Files in a Labeled Zone by Modifying the vfstab File
In this example, the system administrator mounts a remote file system from a public zone in the local system's internal zone. After assuming the System Administrator role, the administrator creates a workspace at the label INTERNAL, then modifies the vfstab file in that zone.
## Readable books directory at PUBLIC ## ro entry indicates that PUBLIC docs can never be mounted rw in internal zone remote-sys:/zone/public/root/opt/docs - /opt/docs nfs no yes ro
To access the files in the remote labeled zone, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount.
From the perspective of a user in the internal zone, the files can be accessed at /opt/docs.
In a terminal window at the label INTERNAL, the administrator mounts the files.
Example 17-6 Mounting a Lower-Level Home Directory on a System That Is Administered by Using Files
In this example, the system administrator enables users to access their home directories at every label. The labels at the site are PUBLIC, INTERNAL, and NEEDTOKNOW. This site uses two home directory servers, and is administered by using files. The second server contains the home directories for the users jdoe and pkai.
To accomplish this task, the system administrator defines the public zone NFS home directories in the public zone, and shares this configuration with the internal and needtoknow zones.
First, after assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In this workspace, the administrator creates a new file, /export/home/auto_home_public. This file contains all the customized per-user NFS specification entries.
## /export/home/auto_home_public file at PUBLIC label jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai * homedir-server:/export/home/&
Second, the administrator modifies the /etc/auto_home_public file to point to this new file.
## /etc/auto_home_public file in the public zone ## Use /export/home/auto_home_public for the user entries ## +auto_home_public + /export/home/auto_home_public
This entry directs the automounter to use the contents of the local file.
Third, the administrator similarly modifies the /etc/auto_home_public file in the internal and needtoknow zones. The administrator uses the pathname to the public zone that is visible to the internal and needtoknow zones.
## /etc/auto_home_public file in the internal zone ## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs ## +auto_home_public + /zone/public/export/home/auto_home_public
## /etc/auto_home_public file in the needtoknow zone ## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs ## +auto_home_public + /zone/public/export/home/auto_home_public
When the administrator adds the new user ikuk, the addition is made to the /export/home/auto_home_public file at the PUBLIC label.
## /export/home/auto_home_public file at PUBLIC label jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai ikuk homedir2-server:/export/home/ikuk * homedir-server:/export/home/&
The higher-level zones read down to obtain the per-user home directories from the lower-level public zone.
You must be in the zone at the label of the files that you want to mount. You must be the superuser, or in the System Administrator role.
The address might be directly assigned, or indirectly assigned through a wildcard mechanism. The address can be in a labeled template, or in an unlabeled template.
The label must be consistent with the label at which you are trying to mount the files.
If the label is higher than the label of the mounted file system, then you cannot write to the mount even if the remote file system is exported with read/write permissions. You can only write to the mounted file system at the label of the mount.
To mount file systems from any of these servers, the server must be assigned to an unlabeled template.