
Oracle® SuperCluster M8 and SuperCluster M7 Security Guide


Updated: June 2020

Configure Immutable Non-Global Zones

To configure an Oracle Solaris non-global zone to be immutable, perform this task.


Note -  The Oracle Solaris 11 OS supports additional immutable zone configurations beyond the one identified in this task (fixed-configuration). For more information on these options, refer to the Oracle Solaris zonecfg(1M) man page. However, only the fixed-configuration option was tested as part of the SuperCluster architecture.

Caution  -  Adding, modifying, or deleting zone user accounts and passwords cannot be done once Oracle Solaris non-global zone immutability is enabled, as described in this task. This issue can be resolved, however, by deploying an LDAP directory to contain zone-specific information such as users, roles, groups, rights profiles, and so on.



Caution  -  The Oracle Solaris immutable zone functionality is limited to those ZFS data sets that are implemented by default in an Oracle Solaris non-global zone. Additional file systems, pools, or data sets are not subject to the immutable zone policy, although access to those file elements can be controlled using other means such as the use of read-only loopback mounts.



Note -  For more information about Oracle Solaris zones, refer to the Oracle Solaris zones documentation in the Oracle Solaris 11.4 Information Library at https://docs.oracle.com/cd/E37838_01/index.html and the Oracle Solaris 11.3 Information Library at http://docs.oracle.com/cd/E53394_01.
  1. Log in to one of the compute servers and access the host console as superuser.

    See Log into a Compute Server.

  2. Ensure that the Oracle Solaris non-global zone is shut down.
    # zoneadm list | grep -w "zone_name"
    
    If this command returns a value, then the Oracle Solaris non-global zone is running and you must shut it down.


    Note -  While the zone can be halted using the zoneadm command, follow the proper shutdown procedures your organization has established to avoid the potential for service interruption and data loss. For more information, refer to the Oracle Solaris zoneadm(1M) man page.
    
  3. Adjust the Oracle Solaris non-global zone configuration by setting the file-mac-profile zone configuration property.
    # zonecfg -z zone_name set file-mac-profile=fixed-configuration
    
  4. If required, disable the non-global zone immutable configuration.
    # zonecfg -z zone_name set file-mac-profile=none
    
  5. Restart the Oracle Solaris non-global zone for the changes to take effect.
    # zoneadm -z zone_name boot
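The five steps above can be wrapped so that the running-zone check from step 2 is enforced before the property is changed and the zone is booted. The following POSIX shell script is an added example and is not part of the Oracle guide: the function names, the RUN_PREFIX preview variable, and the zone names in the comments are this example's own assumptions. The accepted property values are those listed in zonecfg(1M); only fixed-configuration is the one tested in the SuperCluster architecture.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: a small wrapper around the
# zonecfg/zoneadm steps for making a non-global zone immutable.
# Function names, RUN_PREFIX and the zone names in comments are assumptions.

# Values accepted by the file-mac-profile property (see zonecfg(1M)).
valid_profile() {
    case "$1" in
        none|fixed-configuration|flexible-configuration|strict) return 0 ;;
        *) return 1 ;;
    esac
}

# List running zones (zoneadm list without -c shows only running zones).
# Kept in its own function so it can be replaced with a constructed list
# when exercising the script away from a SuperCluster.
list_zones() {
    zoneadm list
}

# Return 0 if the named zone is running (step 2). -x matches the whole
# line, so "db-zone" is not mistaken for "db-zone-2".
zone_is_running() {
    list_zones | grep -qx "$1"
}

# Print the zonecfg command that steps 3 and 4 run, for review or logging.
build_set_cmd() {
    printf 'zonecfg -z %s set file-mac-profile=%s\n' "$1" "$2"
}

# set_zone_profile ZONE [PROFILE]: apply the profile and boot the zone.
# PROFILE defaults to fixed-configuration; pass "none" to disable immutability.
# Set RUN_PREFIX=echo to preview the commands instead of executing them.
set_zone_profile() {
    zone="$1"
    profile="${2:-fixed-configuration}"
    if ! valid_profile "$profile"; then
        echo "unsupported file-mac-profile value: $profile" >&2
        return 2
    fi
    # Refuse to touch a running zone: the property only takes effect after a
    # reboot, and the zone must be halted through the normal procedure first.
    if zone_is_running "$zone"; then
        echo "zone $zone is running; shut it down before changing its profile" >&2
        return 1
    fi
    ${RUN_PREFIX:-} zonecfg -z "$zone" set file-mac-profile="$profile" || return 1
    ${RUN_PREFIX:-} zoneadm -z "$zone" boot
}

# Preview (nothing executed) for a hypothetical zone named appzone:
#   RUN_PREFIX=echo set_zone_profile appzone fixed-configuration
```

Run it with RUN_PREFIX=echo first to review the exact zonecfg and zoneadm lines it would issue; the same function with a second argument of none performs step 4 and reboots the zone so the change takes effect.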