How to Control Access to All Domain Consoles by Using Roles - Oracle® VM Server for SPARC 3.3 Administration Guide

Oracle^® VM Server for SPARC 3.3 Administration Guide

Exit Print View

» ...Documentation Home » Oracle VM Server for SPARC 3.3 Documentation ... » Oracle^® VM Server for SPARC 3.3 ... » Oracle VM Server for SPARC 3.3 Software » Oracle VM Server for SPARC Security » Controlling Access to a Domain Console by ... » How to Control Access to All Domain Consoles ...

Updated: October 2015

Oracle^® VM Server for SPARC 3.3 Administration Guide

Document Information

Using This Documentation

Part I Oracle VM Server for SPARC 3.3 Software

Chapter 1 Overview of the Oracle VM Server for SPARC Software

About Oracle VM Server for SPARC and Oracle Solaris OS Versions

Hypervisor and Logical Domains

Logical Domains Manager

Oracle VM Server for SPARC Physical-to-Virtual Conversion Tool

Oracle VM Server for SPARC Management Information Base

Oracle VM Server for SPARC Troubleshooting

Chapter 2 Oracle VM Server for SPARC Security

Delegating the Management of Logical Domains by Using Rights

Using Rights Profiles and Roles

Logical Domains Manager Profile Contents

Controlling Access to a Domain Console by Using Rights

How to Control Access to All Domain Consoles by Using Roles

How to Control Access to All Domain Consoles by Using Rights Profiles

How to Control Access to a Single Console by Using Roles

How to Control Access to a Single Console by Using Rights Profiles

Enabling and Using Logical Domains Manager Auditing

How to Enable Logical Domains Manager Auditing

How to Disable Logical Domains Manager Auditing

How to Review Audit Records

Using Domain Console Logging

How to Enable or Disable Console Logging

Service Domain Requirements for Domain Console Logging

Chapter 3 Setting Up Services and the Control Domain

Output Messages

Creating Default Services

Initial Configuration of the Control Domain

Rebooting to Use Domains

Enabling Networking Between the Oracle Solaris 10 Service Domain and Other Domains

Enabling the Virtual Network Terminal Server Daemon

Verifying That the ILOM Interconnect Is Enabled

Chapter 4 Setting Up Guest Domains

Creating and Starting a Guest Domain

Installing Oracle Solaris OS on a Guest Domain

Chapter 5 Configuring I/O Domains

I/O Domain Overview

General Guidelines for Creating an I/O Domain

Chapter 6 Creating a Root Domain by Assigning PCIe Buses

Creating a Root Domain by Assigning PCIe Buses

Chapter 7 Creating an I/O Domain by Using PCIe SR-IOV Virtual Functions

SR-IOV Overview

SR-IOV Hardware and Software Requirements

Current SR-IOV Feature Limitations

Enabling I/O Virtualization

Planning for the Use of PCIe SR-IOV Virtual Functions

Using Ethernet SR-IOV Virtual Functions

Using InfiniBand SR-IOV Virtual Functions

Using Fibre Channel SR-IOV Virtual Functions

I/O Domain Resiliency

Rebooting the Root Domain With Non-Resilient I/O Domains Configured

Chapter 8 Creating an I/O Domain by Using Direct I/O

Creating an I/O Domain by Assigning PCIe Endpoint Devices

Direct I/O Hardware and Software Requirements

Current Direct I/O Feature Limitations

Planning PCIe Endpoint Device Configuration

Rebooting the Root Domain With PCIe Endpoints Configured

Making PCIe Hardware Changes

Creating an I/O Domain by Assigning a PCIe Endpoint Device

Chapter 9 Using Non-primary Root Domains

Non-primary Root Domains Overview

Non-primary Root Domain Requirements

Non-primary Root Domain Limitations

Non-primary Root Domain Examples

Chapter 10 Using Virtual Disks

Introduction to Virtual Disks

Virtual Disk Identifier and Device Name

Managing Virtual Disks

Virtual Disk Appearance

Virtual Disk Back End Options

Virtual Disk Back End

Configuring Virtual Disk Multipathing

CD, DVD and ISO Images

Virtual Disk Timeout

Virtual Disk and SCSI

Virtual Disk and the format Command

Using ZFS With Virtual Disks

Using Volume Managers in an Oracle VM Server for SPARC Environment

Virtual Disk Issues

Chapter 11 Using Virtual SCSI Host Bus Adapters

Introduction to Virtual SCSI Host Bus Adapters

Operational Model for Virtual SCSI HBAs

Virtual SCSI HBA Identifier and Device Name

Managing Virtual SCSI HBAs

Appearance of Virtual LUNs in a Guest Domain

Virtual SCSI HBA and Virtual SAN Configurations

Configuring Virtual SCSI HBA Multipathing

Booting From SCSI Devices

Installing a Virtual LUN

Virtual SCSI HBA Timeout

Virtual SCSI HBA and SCSI

Supporting Highly Fragmented I/O Buffers in the Guest Domain

Chapter 12 Using Virtual Networks

Introduction to a Virtual Network

Oracle Solaris 11 Networking Overview

Oracle Solaris 10 Networking Overview

Maximizing Virtual Network Performance

Virtual Network Device

Viewing Network Device Configurations and Statistics

Controlling the Amount of Physical Network Bandwidth That Is Consumed by a Virtual Network Device

Virtual Device Identifier and Network Interface Name

Assigning MAC Addresses Automatically or Manually

Using Network Adapters With Domains That Run Oracle Solaris 10

Configuring a Virtual Switch and the Service Domain for NAT and Routing

Configuring IPMP in an Oracle VM Server for SPARC Environment

Using VLAN Tagging

Using Private VLANs

Tuning Packet Throughput Performance

Using NIU Hybrid I/O

Using Link Aggregation With a Virtual Switch

Configuring Jumbo Frames

Oracle Solaris 11 Networking-Specific Feature Differences

Using Virtual NICs on Virtual Networks

Chapter 13 Migrating Domains

Introduction to Domain Migration

Overview of a Migration Operation

Software Compatibility

Security for Migration Operations

FIPS 140-2 Mode for Domain Migration

Domain Migration Restrictions

Migrating a Domain

Migrating an Active Domain

Migrating Bound or Inactive Domains

Monitoring a Migration in Progress

Canceling a Migration in Progress

Recovering From a Failed Migration

Migration Examples

Chapter 14 Managing Resources

Resource Reconfiguration

Resource Allocation

Configuring the System With Hard Partitions

Assigning Physical Resources to Domains

Using Memory Dynamic Reconfiguration

Using Resource Groups

Using Power Management

Using Dynamic Resource Management

Listing Domain Resources

Using Perf-Counter Properties

Chapter 15 Managing Domain Configurations

Managing Domain Configurations

Available Configuration Recovery Methods

Addressing Service Processor Connection Problems

Chapter 16 Handling Hardware Errors

Hardware Error-Handling Overview

Using FMA to Blacklist or Unconfigure Faulty Resources

Recovering Domains After Detecting Faulty or Missing Resources

Marking Domains as Degraded

Marking I/O Resources as Evacuated

Chapter 17 Performing Other Administration Tasks

Entering Names in the CLI

Updating Property Values in the /etc/system File

Connecting to a Guest Console Over the Network

Using Console Groups

Stopping a Heavily Loaded Domain Can Time Out

Operating the Oracle Solaris OS With Oracle VM Server for SPARC

Using Oracle VM Server for SPARC With the Service Processor

Configuring Domain Dependencies

Determining Where Errors Occur by Mapping CPU and Memory Addresses

Using Universally Unique Identifiers

Virtual Domain Information Command and API

Using Logical Domain Channels

Booting a Large Number of Domains

Cleanly Shutting Down and Power Cycling an Oracle VM Server for SPARC System

Logical Domains Variable Persistence

Adjusting the Interrupt Limit

Listing Domain I/O Dependencies

Enabling the Logical Domains Manager Daemon

Saving and Restoring Autosave Configuration Data

Factory Default Configuration and Disabling Domains

Part II Optional Oracle VM Server for SPARC Software

Language:

How to Control Access to All Domain Consoles by Using Roles

Restrict access to a domain console by enabling console authorization checking.

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

Create a role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles.
```
primary# roleadd -A solaris.vntsd.consoles role-name
primary# passwd role-name
```
Assign the new role to a user.
```
primary# usermod -R role-name username
```

Example 2 Controlling Access to All Domain Consoles by Using Roles

First, enable console authorization checking to restrict access to a domain console.

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd
primary# ldm ls
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-cv-  UART    8     16G      0.2%  47m
ldg1             active     -n--v-  5000    2     1G       0.1%  17h 50m
ldg2             active     -t----  5001    4     2G        25%  11s

The following example shows how to create the all_cons role with the solaris.vntsd.consoles authorization, which permits access to all domain consoles.

primary# roleadd -A solaris.vntsd.consoles all_cons
primary# passwd all_cons
New Password:
Re-enter new Password:
passwd: password successfully changed for all_cons

This command assigns the all_cons role to the sam user.

primary# usermod -R all_cons sam

User sam assumes the all_cons role and can access any console. For example:

$ id
uid=700299(sam) gid=1(other)
$ su all_cons
Password:
$ telnet localhost 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

$ telnet localhost 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

Connecting to console "ldg2" in group "ldg2" ....
Press ~? for control options ..

This example shows what happens when an unauthorized user, dana, attempts to access a domain console:

$ id
uid=702048(dana) gid=1(other)
$ telnet localhost 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.

Copyright © 2007, 2015, Oracle and/or its affiliates. All rights reserved. Legal Notices