Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Add a Network Interface to Route an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each labeled zone is connected to a separate physical network. The labeled zones use the network routing that the global zone provides.

Note –

The global zone must configure an IP address for every subnet in which a non-global zone address is configured.

Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones.

  1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

    Use a standard naming convention, such as adding -zone-name to the name of the host.

    ## /etc/hosts in global zone
    hostname-zone-name1
    hostname-global-name1
    hostname-zone-name2
    hostname-global-name2
  2. For the network for each interface, add entries to the /etc/netmasks file.

    ## /etc/netmasks in global zone

    For more information, see the netmasks(4) man page.

  3. In the global zone, plumb the zone-specific physical interfaces.

    1. Identify the physical interfaces that are already plumbed.

      # ifconfig -a
    2. Configure the global zone addresses on each interface.

      # ifconfig interface-nameN1 plumb
      # ifconfig interface-nameN1 up
      # ifconfig interface-nameN2 plumb
      # ifconfig interface-nameN2 up
    3. For each global zone address, create a hostname.interface-nameN file.

      # /etc/hostname.interface-nameN1
      # /etc/hostname.interface-nameN2

    The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

  4. Assign a security template to each zone-specific network interface.

    If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

    You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

  5. Halt every labeled zone to which you plan to add a zone-specific interface.

    # zoneadm -z zone-name halt
  6. Start the Labeled Zone Manager.

    # /usr/sbin/txzonemgr
  7. For each zone where you want to add a zone-specific interface, do the following:

    1. Select the zone.

    2. Select Add Network.

    3. Name the network interface.

    4. Type the IP address of the interface.

  8. In the Labeled Zone Manager for every completed zone, select Zone Console.

  9. Select Boot.

  10. In the Zone Console, verify that the interfaces have been created.

    # ifconfig -a
  11. Verify that the zone has a route to the gateway for the subnet.

    # netstat -rn
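The note at the start of this procedure requires the global zone to hold an IP address in every subnet where a labeled zone address is configured. The following shell check for that condition is an added example, not part of the Oracle guide; the addresses are constructed sample values from documentation ranges, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (documentation address ranges, not from the guide).
# Zone-specific addresses with the netmask of their subnet: "address netmask"
ZONE_ADDRS="192.0.2.10 255.255.255.0
198.51.100.10 255.255.255.0
203.0.113.10 255.255.255.0"
# Addresses configured on global-zone interfaces
GLOBAL_ADDRS="192.0.2.1 198.51.100.1"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the network number for an address and netmask.
network_of() {
    echo $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Print each zone address whose subnet has no global-zone address.
# Arguments: $1 = zone address list, $2 = global address list.
uncovered_zone_addrs() {
    echo "$1" | while read -r zaddr mask; do
        [ -n "$zaddr" ] || continue
        znet=$(network_of "$zaddr" "$mask")
        covered=no
        for gaddr in $2; do
            if [ "$(network_of "$gaddr" "$mask")" = "$znet" ]; then
                covered=yes
                break
            fi
        done
        [ "$covered" = yes ] || echo "$zaddr"
    done
}

# Lists zone addresses that would have no global-zone router in their subnet.
uncovered_zone_addrs "$ZONE_ADDRS" "$GLOBAL_ADDRS"
```

Any address the check prints belongs to a subnet where the global zone has no address, so the labeled zone would have no route through the global zone for that network.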

To debug zone configuration, see the following: