Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Configure a Name Service Cache in Each Labeled Zone

This procedure enables you to separately configure a name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own name server for that label.

Note –

This configuration does not satisfy the criteria for an evaluated configuration. In an evaluated configuration, the nscd daemon runs only in the global zone. Doors in each labeled zone connect the zone to the global nscd daemon.

Before You Begin

You are superuser in the global zone. root must not yet be a role. You have successfully completed Add a Network Interface to Route an Existing Labeled Zone.

This configuration requires that you have advanced networking skills. If LDAP is your naming service, you are responsible for establishing the LDAP client connection to each labeled zone. The nscd daemon caches the name service information, but does not route it.

  1. If you are using LDAP, verify a route to the LDAP server from the labeled zone.

    In a terminal window in every labeled zone, run the following command:

    zone-name # netstat -rn
  2. In the global zone, start the Labeled Zone Manager.

    # /usr/sbin/txzonemgr
  3. Select Configure per-zone name service, and click OK.

    This option is intended to be used once, during initial system configuration.

  4. Configure each zone's nscd service.

    For assistance, see the nscd(1M) and nscd.conf(4) man pages.

  5. Reboot the system.

  6. For every zone, verify the route and the name service daemon.

    1. In the Zone Console, list the nscd service.

      zone-name # svcs -x name-service-cache
      svc:/system/name-service-cache:default (name service cache)
       State: online since October 10, 2010  10:10:10 AM PDT
         See: nscd(1M)
         See: /etc/svc/volatile/system-name-service-cache:default.log
      Impact: None.
    2. Verify the route to the subnetwork.

      zone-name # netstat -rn
  7. To remove the zone-specific name service daemons, do the following in the global zone:

    1. Open the Labeled Zone Manager.

    2. Select Unconfigure per-zone name service, and click OK.

      This selection removes the nscd daemon in every labeled zone.

    3. Reboot the system.
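The per-zone verification in step 6 (nscd online, route to the zone's subnetwork) can be scripted from the global zone. The following is an added example, not from the Oracle guide; it assumes it runs as superuser in the global zone with zoneadm(1M) and zlogin(1) available, the zone names and subnet addresses passed to it are placeholders, and the parsing functions read command output from stdin so they can be exercised with constructed samples.

```shell
# Added example, not part of the Oracle guide: automate the step 6 checks
# (nscd online, route to the zone's subnetwork) for running labeled zones.
# Assumes superuser in the global zone, where zoneadm(1M) and zlogin(1)
# are available. The parsing functions read command output from stdin so
# they can be tested with constructed samples outside Trusted Extensions.

# nscd_online: succeed when `svcs -x name-service-cache` output on stdin
# reports the service online.
nscd_online() {
    grep -q '^[[:space:]]*State: online'
}

# route_present SUBNET: succeed when `netstat -rn` output on stdin has a
# route whose destination is SUBNET or a default route.
route_present() {
    awk -v d="$1" '$1 == d || $1 == "default" { found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# labeled_zones: from `zoneadm list -p` output on stdin, print the names of
# running zones other than global (fields are id:name:state:path:...).
labeled_zones() {
    awk -F: '$2 != "global" && $3 == "running" { print $2 }'
}

# check_zone ZONE SUBNET: run both step 6 checks inside ZONE via zlogin.
check_zone() {
    zone=$1; subnet=$2
    if ! zlogin "$zone" svcs -x name-service-cache | nscd_online; then
        echo "$zone: name-service-cache is not online" >&2; return 1
    fi
    if ! zlogin "$zone" netstat -rn | route_present "$subnet"; then
        echo "$zone: no route to $subnet" >&2; return 1
    fi
    echo "$zone: nscd online, route to $subnet present"
}

# check_all ZONE=SUBNET ...: each zone is checked against its own
# subnetwork; return status is the number of zones that failed.
check_all() {
    failed=0
    for pair in "$@"; do
        check_zone "${pair%%=*}" "${pair#*=}" || failed=$((failed + 1))
    done
    return $failed
}

# Example invocation (placeholder zone names and subnets; list candidate
# zones with: zoneadm list -p | labeled_zones):
# check_all public=192.0.2.0 internal=198.51.100.0
```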