How to Configure a Zone Cluster to Be Immutable

Oracle Solaris Cluster 4.4 supports immutable zone clusters, which are zone clusters whose root file systems are read-only. You make a zone cluster read-only by setting its file-mac-profile property. A read-only zone cluster root expands the secure runtime boundary, because processes inside the zone can no longer modify the zone's own system files.

Several values for file-mac-profile restrict write access to all or part of the runtime environment from inside the zone. Every profile except none makes the /var/pkg directory and its contents read-only from inside the zone. With zone clusters, the following values are available:

  • fixed-configuration – Permits updates to /var/* directories, with the exception of directories that contain system configuration components. IPS packages, including new packages, cannot be installed. Persistently enabled SMF services are fixed. SMF manifests cannot be added from the default locations. Logging and auditing configuration files can be local. syslog and audit configuration are fixed.

  • flexible-configuration – Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. IPS packages, including new packages, cannot be installed. Persistently enabled SMF services are fixed. SMF manifests cannot be added from the default locations. Logging and auditing configuration files can be local. syslog and audit configuration can be changed.

  • none – No mandatory write access control (MWAC) policy is applied; this is equivalent to leaving the property unset.

By default, the file-mac-profile property is not set and the zone has a writable root dataset.

  1. To change the file-mac-profile property, choose one of the following options:
    • To change the zone cluster to a fixed-configuration, type:

      root@dev1403:~# clzc configure zc1
      clzc:zc1> info file-mac-profile
      file-mac-profile:none
      clzc:zc1> set file-mac-profile=fixed-configuration
      clzc:zc1> info file-mac-profile
      file-mac-profile:fixed-configuration
    • To change the zone cluster to a flexible-configuration, type:

      root@dev1403:~# clzc configure zc1
      clzc:zc1> info file-mac-profile
      file-mac-profile:none
      clzc:zc1> set file-mac-profile=flexible-configuration
      clzc:zc1> info file-mac-profile
      file-mac-profile:flexible-configuration
    • To set the zone cluster back to none (no MWAC policy, a writable root), type:

      clzc:zc1> set file-mac-profile=none
      clzc:zc1> info file-mac-profile
      file-mac-profile:none
  2. To perform administration on immutable zone clusters, see Administering an Immutable Zone Cluster by Making It Writable in Administering an Oracle Solaris Cluster 4.4 Configuration.
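The following script is an added example, not part of the Oracle documentation, that wraps the procedure above: it validates the requested profile, feeds the same set and info subcommands to clzc configure through a command file (the -f commandfile option of clzc configure, with commit and exit appended as in a zonecfg-style session), parses the "file-mac-profile:value" line that info prints, and offers a probe you can run from inside the zone to confirm that /var/pkg is in fact read-only. The zone cluster name zc1 is hypothetical, and as with Solaris zones the new profile takes effect when the zone cluster is next booted, so verify after the reboot rather than immediately after commit.

```shell
#!/bin/sh
# Added example (not Oracle's code): set and verify file-mac-profile on a
# zone cluster with clzc(1CL). Assumes Oracle Solaris Cluster 4.4 and a
# hypothetical zone cluster named zc1.

# Accept only the three values the documentation lists for zone clusters.
valid_profile() {
  case "$1" in
    fixed-configuration|flexible-configuration|none) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the clzc configure subcommands: show the current value, set the new
# one, show it again, then commit and leave the session.
clzc_script() {
  printf 'info file-mac-profile\nset file-mac-profile=%s\ninfo file-mac-profile\ncommit\nexit\n' "$1"
}

# Extract the value from the last "file-mac-profile:value" line on stdin
# (the format printed by "info file-mac-profile" in the procedure above).
parse_profile() {
  sed -n 's/^file-mac-profile:[[:space:]]*//p' | tail -n 1
}

# Apply a profile to a zone cluster. Writes the subcommands to a temporary
# command file and hands it to "clzc configure -f" (assumed option; the
# interactive session in the documentation is equivalent).
set_profile() {
  zc=$1
  profile=$2
  valid_profile "$profile" || { echo "invalid file-mac-profile: $profile" >&2; return 2; }
  cmdfile=$(mktemp) || return 1
  clzc_script "$profile" > "$cmdfile"
  clzc configure -f "$cmdfile" "$zc"
  rc=$?
  rm -f "$cmdfile"
  return $rc
}

# Read the configured profile back from the cluster and compare it with
# what we expect. Run this after the zone cluster has been rebooted.
verify_profile() {
  zc=$1
  expected=$2
  cmdfile=$(mktemp) || return 1
  printf 'info file-mac-profile\nexit\n' > "$cmdfile"
  current=$(clzc configure -f "$cmdfile" "$zc" | parse_profile)
  rm -f "$cmdfile"
  [ "$current" = "$expected" ]
}

# Probe whether a directory is writable by trying to create a file in it.
# Run inside the zone against /var/pkg: with any profile other than none
# this must fail. Returns 0 if writable, 1 if not.
dir_is_writable() {
  probe="$1/.mac-probe.$$"
  if : > "$probe" 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Usage (on a cluster node, as root):
#   set_profile zc1 fixed-configuration && clzc reboot zc1
#   verify_profile zc1 fixed-configuration && echo "profile applied"
# Inside the zone after the reboot:
#   dir_is_writable /var/pkg && echo "WARNING: /var/pkg is still writable"
```

The validation step matters because clzc accepts the property as free text: a typo such as fixed-config would be rejected by the cluster, but only after the session has started, so checking the value first keeps the failure mode obvious. The writability probe is the check a practitioner actually wants, since it tests the enforced result rather than the stored setting.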