Configure the Network Interfaces in Trusted Extensions
Note –
If you are configuring your system to use DHCP or to prevent networks from contacting the global zone, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.
In this task, you configure the networking in the global zone. You must create exactly one all-zones interface. An all-zones interface is shared by the labeled zones and the global zone. The shared interface is used to route traffic between the labeled zones and the global zone. To configure this interface, do one of the following:
-
Create a logical interface from a physical interface, then share the physical interface.
This configuration is the simplest to administer. Choose this configuration when your system has been assigned two IP addresses. In this procedure, the logical interface becomes the global zone's specific address, and the physical interface is shared between the global zone and the labeled zones.
-
Share a physical interface
Choose this configuration when your system has been assigned one IP address. In this configuration, the physical interface is shared between the global zone and the labeled zones.
-
Share a virtual network interface, vni0
Choose this configuration when you are configuring DHCP, or when each subnetwork is at a different label. For a sample procedure, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.
To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to an Existing Labeled Zone.
Before You Begin
You are superuser in the global zone.
The Labeled Zone Manager is displayed. To open this GUI, see Run the txzonemgr Script.
-
In the Labeled Zone Manager, select Manage Network Interfaces and click OK.
A list of interfaces is displayed.
Note –In this example, the physical interface was assigned a host name and an IP address during installation.
-
Select the physical interface.
A system with one interface displays a menu similar to the following. The annotation is added for assistance:
vni0 DownVirtual Network Interface eri0 global 10.10.9.9 cipso Up Physical Interface
-
Select the appropriate task for this network interface.
You are offered three options:
View Template Assign a label to the interface Share Enable the global zone and labeled zones to use this interface Create Logical Interface Create an interface to use for sharing
-
On a system with one IP address, share the physical interface.
In this configuration, the host's IP address applies to all zones. Therefore, the host's address is the all-zones address. This host cannot be used as a multilevel server. For example, users cannot share files from this system. The system cannot be an LDAP proxy server, an NFS home directory server, or a print server.
-
Skip the next step.
You are successful when the physical interface is an all-zones interface.
-
On a system with two IP addresses, create a logical interface.
Then, share the physical interface.
This is the simplest Trusted Extensions network configuration. In this configuration, the main IP address can be used by other systems to reach any zone on this system, and the logical interface is zone-specific to the global zone. The global zone can be used as a multilevel server.
-
Select Create Logical Interface and click OK.
Dismiss the dialog box that confirms the creation of a new logical interface.
-
Select Set IP address and click OK.
-
At the prompt, specify the host name for the logical interface and click OK.
For example, specify machine1-services as the host name for the logical interface. The name indicates that this host offers multilevel services.
-
At the prompt, specify the IP address for the logical interface and click OK.
For example, specify 10.10.9.2 as the IP address for the logical interface.
-
Select the logical interface again and click OK.
-
Select Bring Up and click OK.
The interface is displayed as Up.
eri0 global 10.10.9.1 cipso Up eri0:1 global 10.10.9.2 cipso Up
-
Share the physical interface.
You are successful when at least one interface is an all-zones interface.
-
Example 4–2 Viewing the /etc/hosts File on a System With a Shared Logical Interface
On a system where the global zone has a unique interface and labeled zones share a second interface with the global zone, the /etc/hosts file appears similar to the following:
# cat /etc/hosts ... 127.0.0.1 localhost 192.168.0.11 machine1 loghost 192.168.0.12 machine1-services |
In the default configuration, the tnrhdb file appears similar to the following:
# cat /etc/security/tsol/tnrhdb ... 127.0.0.1:cipso 192.168.0.11:cipso 192.168.0.12:cipso 0.0.0.0:admin_low |
If the all-zones interface is not in the tnrhdb file, the interface defaults to cipso.
Example 4–3 Displaying the Shared Interface on a Trusted Extensions System With One IP Address
In this example, the administrator is not planning to use the system as a multilevel server. To conserve IP addresses, the global zone is configured to share its IP address with every labeled zone.
The administrator selects Share for the hme0 interface on the system. The software configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.
The administrator runs the ifconfig -a command to verify that the physical interface hme0 on network interface 192.168.0.11 is shared. The value all-zones is displayed:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
all-zones
inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255
|
The administrator also examines the contents of the /etc/hostname.hme0 file:
192.168.0.11 all-zones |
- © 2010, Oracle Corporation and/or its affiliates