Creating and Using Oracle® Solaris Zones

Updated: August 2019
 
 

How to Authorize a User to Perform Cold Migration of an Individual Zone

Perform this procedure to delegate a Zone Migration administrator to cold migrate a specific zone.

Before You Begin

This procedure assumes the user is already assigned rights and authorizations to create, modify, and delete zone configurations. See Example 30, Authorizing a User to Configure Zones on a System.

  1. Assume the root role.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  2. Set the auths and user properties of the admin resource.

    global$ zonecfg -z zonename
    zonecfg:zonename> add admin
    zonecfg:zonename:admin> set user=username
    zonecfg:zonename:admin> set auths=migrate.cold
    zonecfg:zonename:admin> end
    zonecfg:zonename> commit

    username is authorized for this zone only.

  3. Verify the zone administrator's rights in the non-global zone and the global zone.

    In this example, jdoe is the user and the zone name is zone1.

    global$ zonecfg -z zone1 info admin
    admin:
             user: jdoe
             auths: migrate.cold
    
    global$ auths jdoe
    solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate.cold/zonename
    
    global$ profiles jdoe
    jdoe:
    Zone Cold Migration
    Basic Solaris User
    All

Example 29  Authorizing a User to Migrate All Zones on a System

This example sets authorization for user jdoe to perform cold migration of any zone on the source system.

global$ usermod -P +"Zone Migration" -A +solaris.zone.migrate jdoe

Verify the auths and profiles:

global$ auths jdoe
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate

global$ profiles jdoe
jdoe:
Zone Migration
Basic Solaris User
All
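
An added example, not part of the Oracle documentation: a shell function that takes the comma-separated line printed by auths and reports whether a user's cold-migration rights for a given zone are zone-scoped (the procedure above) or system-wide (Example 29). The function name, the sample strings, and the treatment of wildcard and unsuffixed solaris.zone.migrate.cold entries as system-wide are assumptions.

```shell
#!/bin/sh
# Classify how an authorization list covers cold migration of one zone.
#   $1 = comma-separated list as printed by `auths user`
#   $2 = zone name to check
# Prints: system-wide | zone-scoped | other-zone-only | none
# The body runs in a subshell so IFS and `set -f` do not leak to the caller.
classify_migrate_auth() (
    zone=$2
    result=none
    IFS=,       # auths prints a single comma-separated line
    set -f      # keep "*" in wildcard authorizations from globbing
    for a in $1; do
        case $a in
            # Grants without a /zone suffix cover every zone (Example 29 form).
            # Assumption: wildcard entries and an unsuffixed
            # solaris.zone.migrate.cold are equally broad.
            solaris.zone.migrate|solaris.zone.migrate.cold|\
            'solaris.*'|'solaris.zone.*'|'solaris.zone.migrate.*')
                result=system-wide
                break ;;
            # Per-zone form written by `zonecfg ... add admin` (step 2).
            "solaris.zone.migrate.cold/$zone")
                result=zone-scoped ;;
            solaris.zone.migrate.cold/*)
                if [ "$result" = none ]; then result=other-zone-only; fi ;;
        esac
    done
    printf '%s\n' "$result"
)

# Constructed samples modelled on the `auths jdoe` output shown on this page.
per_zone='solaris.admin.wusb.read,solaris.mail.mailq,solaris.zone.migrate.cold/zone1'
all_zones='solaris.admin.wusb.read,solaris.mail.mailq,solaris.zone.migrate'

classify_migrate_auth "$per_zone" zone1     # zone-scoped
classify_migrate_auth "$per_zone" zone2     # other-zone-only
classify_migrate_auth "$all_zones" zone1    # system-wide
```

On a live system, pass the real list instead of a sample: classify_migrate_auth "$(auths jdoe)" zone1. A system-wide result for a user who was meant to administer a single zone indicates a broader grant than the per-zone procedure produces.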

Example 30  Authorizing a User to Configure Zones on a System

This example assigns the user jdoe the profiles and authorizations needed to create, modify, and delete any zone configuration, then verifies the assignments. This assignment is necessary for the user to perform a cold migration.

global$ usermod -P +"Zone Configuration" -A +solaris.zone.config jdoe

global$ auths jdoe
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.config

global$ profiles jdoe
jdoe:
Zone Configuration
Basic Solaris User
All