Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10

Troubleshooting Your Trusted Extensions Configuration

In Trusted Extensions, the labeled zones communicate with the X server through the global zone. Therefore, the labeled zones must have usable routes to the global zone.

Labeled Zone Is Unable to Access the X Server

Description:

If a labeled zone cannot successfully access the X server, you might see messages such as the following:

  • No route available

  • Cannot reach globalzone-hostname:0

Cause:

The labeled zones might not be able to access the X server for any of the following reasons:

  • The zone is not initialized and is waiting for the sysidcfg process to complete.

  • The labeled zone's host name is not recognized by the naming service that runs in the global zone.

  • No interface is specified as all-zones.

  • The labeled zone's network interface is down.

  • NFS mounts do not work.

Steps toward a solution:

Do the following:

  1. Log in to the zone.

    You can use the zlogin command.

    # zlogin zone-name

    If you cannot log in as root, use the zlogin -S command to bypass authentication.

  2. Verify that the zone is running.

    # zoneadm list

    If a zone has a status of running, the zone is running at least one process.

  3. Address any problems that prevent the labeled zones from accessing the X server.

    • Initialize the zone by completing the sysidcfg process.

      Run the sysidcfg program interactively. Answer the prompts in the Zone Terminal Console, or in the terminal window where you ran the zlogin command.

      To run the sysidcfg process noninteractively, you can do one of the following:

      • Choose the Initialize item for the zone from the /usr/sbin/txzonemgr script.

        The Initialize item enables you to supply default values to the sysidcfg questions.

      • Write your own sysidcfg script.

        For more information, see the sysidcfg(4) man page.

    • Verify that the X server is available to the zone.

      Log in to the labeled zone. Set the DISPLAY variable to point to the X server, and open a window.

      # DISPLAY=global-zone-hostname:n.n
      # export DISPLAY
      # /usr/bin/gimp

      If a labeled window does not appear, the zone networking has not been configured correctly for that labeled zone.

    • Configure the zone's host name with the naming service.

      The zone's local /etc/hosts file is not used. Instead, equivalent information must be specified in the global zone. The information must include the IP address of the host name that is assigned to the zone.

    • No interface is specified as all-zones.

      Unless all your zones have IP addresses on the same subnet as the global zone, you might need to configure an all-zones (shared) interface. This configuration enables a labeled zone to connect to the X server of the global zone. If you want to restrict remote connections to the X server of the global zone, you can use vni0 as the all-zones address.

      If you do not want an all-zones interface configured, you must provide a route to the global zone X server for each zone. These routes must be configured in the global zone.

    • The labeled zone's network interface is down.

      # ifconfig -a

      Use the ifconfig command to verify that the labeled zone's network interface is both UP and RUNNING.

    • NFS mounts do not work.

      In the root role, restart automount in the zone. Or, add a crontab entry to run the automount command every five minutes.

Public Zone Does Not Connect to Global Zone


Note - The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.


Before You Begin

The Labeled Zone Manager dialog box displays the global zone.

  1. Select the Select another zone item, then choose public.
  2. Select Add Single-level Access to Remote Host...
    1. At the prompt, type the IP address of a system on your network that is not running Trusted Extensions.
    2. Select Boot.

      Zone booting messages appear in the Zone Console Terminal window.

  3. In the public: Zone Console Terminal window, log in as root.
  4. Run the ipadm show-addr command.
    # ipadm show-addr
    ADDROBJ          TYPE       STATE     ADDR
    bge0/?           static     ok        127.0.0.1/8
    all-zones/?      static     ok        192.168.84.3/24

    Verify that the primary interface and IP address are available in this zone.

  5. Verify that you can ping the host to which you previously added single-level access.
    # ping remote-single-level-host
  6. Log out and close the Zone Console Terminal window.
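The checks in steps 2 and 3 of the previous procedure (is the zone running, is an all-zones interface configured) and in step 4 of this one (does ipadm show-addr list the all-zones address) can be scripted so that the same verdict is reached every time. The script below is an added example and is not part of the Oracle documentation. It takes the text of `zoneadm list -cp` and `ipadm show-addr` as arguments, so it runs anywhere; the `zoneadm -p` column order (zoneid:zonename:state:zonepath:uuid:brand:ip-type) is assumed from the zoneadm man page, the `ipadm` layout is the one shown above, and all sample output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): offline diagnosis of the
# two conditions the troubleshooting procedure checks first. On a real
# system you would call:
#   diagnose "$(zoneadm list -cp)" "$(ipadm show-addr)" zone-name

# zone_state ZONEADM_OUTPUT ZONENAME
#   Prints the zone's state column, or "missing" if the zone is not listed.
#   Assumed -p column order: zoneid:zonename:state:zonepath:uuid:brand:ip-type
zone_state() {
    printf '%s\n' "$1" | awk -F: -v z="$2" '
        $2 == z { print $3; found = 1 }
        END     { if (!found) print "missing" }'
}

# all_zones_addr IPADM_OUTPUT
#   Prints the address of the all-zones address object when it is in state
#   "ok", or "none" when no such interface is configured.
all_zones_addr() {
    printf '%s\n' "$1" | awk '
        index($1, "all-zones/") == 1 && $3 == "ok" { print $4; found = 1 }
        END { if (!found) print "none" }'
}

# diagnose ZONEADM_OUTPUT IPADM_OUTPUT ZONENAME
#   One-token verdict, in the order the procedure checks things:
#   no-such-zone, zone-not-running:<state>, no-all-zones-interface, ok:<addr>
diagnose() {
    state=$(zone_state "$1" "$3")
    case "$state" in
        running) ;;
        missing) echo "no-such-zone"; return 1 ;;
        *)       echo "zone-not-running:$state"; return 1 ;;
    esac
    addr=$(all_zones_addr "$2")
    if [ "$addr" = "none" ]; then
        echo "no-all-zones-interface"
        return 1
    fi
    echo "ok:$addr"
}

# Constructed sample output; uuids are placeholders, not real values.
SAMPLE_ZONEADM='0:global:running:/:00000000-0000-0000-0000-000000000000:solaris:shared
1:public:running:/zone/public:00000000-0000-0000-0000-000000000001:solaris:shared
-:internal:installed:/zone/internal:00000000-0000-0000-0000-000000000002:solaris:shared'

SAMPLE_IPADM='ADDROBJ          TYPE       STATE     ADDR
bge0/?           static     ok        127.0.0.1/8
all-zones/?      static     ok        192.168.84.3/24'

SAMPLE_IPADM_NO_ALLZONES='ADDROBJ          TYPE       STATE     ADDR
bge0/v4          static     ok        192.168.84.2/24'

# Run with --demo to print the verdict for each constructed case.
if [ "${1:-}" = "--demo" ]; then
    diagnose "$SAMPLE_ZONEADM" "$SAMPLE_IPADM" public
    diagnose "$SAMPLE_ZONEADM" "$SAMPLE_IPADM" internal || true
    diagnose "$SAMPLE_ZONEADM" "$SAMPLE_IPADM_NO_ALLZONES" public || true
fi
```

The verdicts map directly onto the causes listed above: a zone in state installed has not completed its sysidcfg initialization, and a missing all-zones address means the zone needs either an all-zones interface or an explicit route to the global zone X server.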

Desktop Panels Do Not Display


Note - The default position for desktop panels is the top of the screen. The trusted stripe covers the top of the screen. Therefore, the panels strip must be on the side or on the bottom of the workspace.


  1. Assume the root role.
  2. If one panel is visible on the screen, use the right mouse button to add applets to the panel, or to create a new panel.
  3. If you do not have a visible panel on the screen, move the panels to the bottom.
    • Edit the top_panel_screenn file, where n is the screen number.
      1. Change to the directory that defines the panel locations.
        % cd $HOME/.gconf/apps/panel/toplevels
        % ls
        %gconf.xml    bottom_panel_screen0/   top_panel_screen0/
        % cd top_panel_screen0
        % ls
        %gconf.xml             top_panel_screen0/
      2. Edit the %gconf.xml file that defines the location of the top panels.
        % vi %gconf.xml
      3. Find all orientation lines, and replace the string top with bottom.

        For example, make the orientation line appear similar to the following:

        /toplevels/orientation" type="string">
                        <stringvalue>bottom</stringvalue>
    • For all users of the system, place the panels on the bottom of the desktop.
      # export SETUPPANEL="/etc/gconf/schemas/panel-default-setup.entries"
      # export TMPPANEL="/tmp/panel-default-setup.entries"
      # sed 's/<string>top<\/string>/<string>bottom<\/string>/' $SETUPPANEL > $TMPPANEL
      # cp $TMPPANEL $SETUPPANEL
      # svcadm restart gconf-cache
  4. Log out and log in again.

    If you have more than one panel, the panels stack at the bottom of the screen.