Trusted Extensions Configuration and Administration


Updated: July 2014

How to Configure a Separate Name Service for Each Labeled Zone

This procedure configures a separate name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnet that runs at the label of the zone, and the subnetwork has its own naming server for that label. In a labeled zone, if you plan to install packages that require a user account at that label, you might configure a separate name service per zone. For background information, see Applications That Are Restricted to a Labeled Zone and Decisions to Make Before Creating Users in Trusted Extensions.

Before You Begin

The Labeled Zone Manager is displayed. To open this GUI, see How to Create Labeled Zones Interactively. You are in the root role in the global zone.

  1. In the Labeled Zone Manager, select Configure per-zone name service, and click OK.

    Note - This option is intended to be used once, during initial system configuration.
  2. Configure each zone's nscd service.

    For assistance, see the nscd(1M) man page.

  3. Reboot the system.
    # /usr/sbin/reboot

    After the reboot, the account of the user who assumed the root role to run the Labeled Zone Manager in Step 1 is configured in each zone. Other accounts that are specific to a labeled zone must be manually added to the zone.


    Note - Accounts that are stored in the LDAP repository are still managed from the global zone.
  4. For every zone, verify the route and the name service daemon.
    1. In the Zone Console, verify that the nscd service is online.
      zone-name # svcs -x name-service/cache
      svc:/system/name-service/cache:default (name service cache)
      State: online since September 10, 2012  10:10:12 AM PDT
      See: nscd(1M)
      See: /var/svc/log/system-name-service-cache:default.log
      Impact: None.
    2. Verify that the zone has a route to the subnetwork that runs at its label.
      zone-name # netstat -rn
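The following script is an added example for this procedure and is not part of the Oracle documentation. It performs the Step 4 checks for one labeled zone from the global zone, driving the same commands the procedure uses (svcs and netstat) through zlogin, and it keeps the two output parsers separate so they can be exercised on the constructed sample output embedded at the bottom. The zone name "public", the subnet 192.0.2.0, the gateway addresses and the interface name net1 in the sample output are assumptions for the example; the nscd FMRI is the one shown in the procedure.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify that a labeled
# zone's per-zone name service cache is online and that the zone has a route
# to its labeled subnet.  Run from the global zone in the root role.

NSCD_FMRI='svc:/system/name-service/cache:default'

# nscd_online SVCS_OUTPUT
#   SVCS_OUTPUT is the text printed by
#   'svcs -H -o state,fmri name-service/cache' (no header, STATE then FMRI).
#   Returns 0 only when the nscd instance is "online"; maintenance, offline
#   or disabled means the zone has no working name service cache.
nscd_online() {
    printf '%s\n' "$1" | awk -v fmri="$NSCD_FMRI" '
        $2 == fmri && $1 == "online" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# route_present NETSTAT_OUTPUT DESTINATION
#   NETSTAT_OUTPUT is the text printed by 'netstat -rn'; DESTINATION is the
#   network the zone's label is assigned to, or "default".  Only the
#   Destination column is matched, so an address that appears only as a
#   gateway does not count as a route.
route_present() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_zone ZONE SUBNET
#   Runs both verification commands inside ZONE via zlogin and reports the
#   result; returns non-zero if either check fails.
check_zone() {
    zone=$1
    subnet=$2
    svcs_out=$(zlogin "$zone" /usr/bin/svcs -H -o state,fmri name-service/cache 2>&1)
    nets_out=$(zlogin "$zone" /usr/bin/netstat -rn 2>&1)
    status=0
    if nscd_online "$svcs_out"; then
        echo "$zone: nscd online"
    else
        echo "$zone: nscd NOT online: $svcs_out"
        status=1
    fi
    if route_present "$nets_out" "$subnet"; then
        echo "$zone: route to $subnet present"
    else
        echo "$zone: NO route to $subnet"
        status=1
    fi
    return $status
}

# Constructed sample output (assumed addresses and interface names): what the
# commands print on a healthy zone and on a zone whose nscd dropped into
# maintenance.  Used to exercise the parsers without a Trusted Extensions host.
SAMPLE_SVCS_OK='online         svc:/system/name-service/cache:default'
SAMPLE_SVCS_BAD='maintenance    svc:/system/name-service/cache:default'
SAMPLE_NETSTAT='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        2       1234 net1
192.0.2.0            192.0.2.10           U         3        567 net1
127.0.0.1            127.0.0.1            UH        4         89 lo0'

# Usage from the global zone:  sh check_zone.sh public 192.0.2.0
if [ $# -eq 2 ] && command -v zlogin >/dev/null 2>&1; then
    check_zone "$1" "$2"
fi
```

Run it once per labeled zone with the subnet that is assigned to that zone's label; a zone whose nscd is in maintenance after the reboot should be inspected with `svcs -x name-service/cache` inside the zone, as in Step 4, before any accounts are added to it.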

Example 4-3  Removing a Name Service Cache From Each Labeled Zone

After testing one name service daemon per zone, the system administrator decides to remove the name service daemons from the labeled zones and run the daemon in the global zone only. To return the system to the default name service configuration, the administrator opens the txzonemgr GUI, selects the global zone, and selects Unconfigure per-zone name service, then OK. This selection removes the nscd daemon in every labeled zone. Then, the administrator reboots the system.

Next Steps

When configuring user and role accounts for each zone, you have three options.

  • You can create LDAP accounts in a multilevel LDAP directory server.

  • You can create LDAP accounts in separate LDAP directory servers, one server per label.

  • You can create local accounts.

Separately configuring a name service daemon in each labeled zone changes how every user authenticates. Users must authenticate separately to gain access to each of their labeled zones, including the zone that corresponds to their default label. Furthermore, either the administrator must create accounts locally in each zone, or the accounts must exist in an LDAP directory of which the zone is an LDAP client.

In the special case where an account in the global zone is running the Labeled Zone Manager, txzonemgr, the account's information is copied into the labeled zones so that at least that account is able to log in to each zone. By default, this account is the initial user account.