Command restriction in zones

Similar Messages

• Restrict DNS zone transfers to specific hosts?

  Is it possible within Server Admin to restrict DNS zone transfers to specific hosts? If not, can the allow-transfer statement be added to /etc/named.conf without breaking the ability to use Server Admin to administer DNS?
  Thanks,
  Bob
  XServe Dual Processor Xeon server   Mac OS X (10.4.8)  

  you can add the statement... it should not break Server Admin.
  While you are there, you may want to add forwarders for efficiency.
  Add the bold code
  options {
  directory "/var/named";
  forwarders {
  0.0.0.0;
  0.0.0.0;
  forward first;
  recursion true;
  replace 0.0.0.0 with your ISPs name servers
  Jeff

• Running a command from local zone in global zone

  hi,
  Does anyone have a document on how I can tunnel into the global zone, run a command and receive the return value in the global zone? I am sure that there should be a mechanism for that but couldn't find any.
  Thanks,
  Babak

  That's the opposite of what you asked in your first post. The global zone can run commands in non-global zones with zlogin.
  global# zlogin zone-a /path/to/command" | ...
  global# zlogin zone1 zonename
  zone1
  global# zonename
  global{code}
  Darren                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Cannot get restricted command set to work with ACS 5.5 and HP Procurve switches - Can anyone assist?

  I have AAA authentication working with no restrictions and I have TACACS working with command restrictions for my Cisco gear.

  Hi... I have created a shell profile in Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles which has a assigned privilege level of 15 and a max privilege level of 15.  Further to this I have added a new commands set via Policy Elements -> Authorization and Permissions -> Device Administration -> commands sets. 
  I have referenced the shell profile via Access Policies -> Access Services -> Default Device Admin -> Authorization. And this part of it seems to work fine, but the command set I am using to restrict the commands allowed is not being used...do I need to reference the command set somewhere else within the ACS platform as well?  The configuration I have added on to the Network Device is as follows: -
  aaa new-model
  aaa authentication login default group tacacs+
  aaa authentication enable default group tacacs+
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ none
  Can you advise what it is I am missing?

• Remove Old Name Servers from reverse lookup zones in DNS- PowerShell

  Hello Scripting Guys,
  I'm a long-time fan. Please let me know if I have included enough information for you to provide some guidance. Thank
  you!
  Here is what I am attempting to do:
  import a .csv file which contains
  zoneName,hostname,RecordType
  and then delete the name server entries from the reverse lookup zones.
  Why:
  There are hundreds of zones and 80+ name servers in each for a total of about 25,000 records to be removed. I
  have the list of zones and the list of name servers which I want to remove from the zones.
  Environment:
  I am running PowerShell as a Domain Admin with access to DNS. Zones allow secure updates only (if that matters here).
  I am running it from a Server 2012 R2 server with the DNS admin tools installed against Server 2008 R2 DNS servers. Current AD functional level Windows Server 2003. All DC are DNS server and GC's.
  What I have tried:
  The following
  works to return all the Name Server records in a zone:
  .csv file format
  zoneName,hostname,RecordType
  1.112.170.in-addr.arpa,nameserver1.contoso.com.,Ns
  1.112.170.in-addr.arpa,nameserver2.contoso.com.,Ns
  1.112.170.in-addr.arpa,nameserver3.contoso.com.,Ns
  2.112.170.in-addr.arpa,nameserver1.contoso.com.,Ns
  2.112.170.in-addr.arpa,nameserver2.contoso.com.,Ns
  2.112.170.in-addr.arpa,nameserver3.contoso.com.,Ns
  Script\Command:
  Import-Module DnsServer
  $PDCE = Get-ADDomainController -Discover -Service PrimaryDC
  import-csv c:\temp\OldNSrecords-test.csv | foreach {
  Get-DnsServerResourceRecord -ZoneName $_.zoneName -RRType "Ns" -computerName $PDCE
  -Node
  OutPut to screen:
  HostName RecordType Timestamp TimeToLive RecordData
  @ NS 0 1:00:00 Nameserver1.contoso.com
  @ NS 0 1:00:00 Nameserver2.contoso.com
  However, replacing the business line (in green above after foreach) with the remove command (in red below)
  does not work to delete the specific record listed in the .csv, even though it follows the
  pattern from MS TechNet:
  Remove-DnsServerResourceRecord -ZoneName $_.zoneName -RRType "Ns" -name $_.hostname -computerName
  $PDCE
  Error:
  PS C:\Windows\system32> C:\Temp\OldNSCleanup.ps1
  Remove-DnsServerResourceRecord : Failed to get nameserver1.contoso.com. record in
  1.112.170.in-addr.arpa zone on PDCE server.
  At C:\Temp\OldNSCleanup.ps1:4 char:1
  + Remove-DnsServerResourceRecord -ZoneName $_.zoneName -RRType "Ns" -name $_.name ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : ObjectNotFound: (PDCE:root/Microsoft/...rResourceRecord) [Remove-
  DnsServerResourceRecord], CimException
  + FullyQualifiedErrorId : WIN32 9714,Remove-DnsServerResourceRecord​
  When I remove the use of the .csv and put the names of the zone and server in the command, I get the same results.
  Fail.
  It's as if the record does not exist, but I can browse to it in the GUI. I found
  this about Missing Glue records, but it does not seem to apply to reverse lookup NS records. I'm thinking that I need to first load each zone into an assembly and then do the removal,
  but I'm not sure how to do that in PowerShell. I tried piping the get command for the zone to the remove command, but that did not work or I did not have the correct syntax.
  I have attempted to use DNSCMD to do the same and that command appears to work, but then fails to actually remove
  the record.
  Here is an example of that command:
  import-csv C:\Temp\OldNSrecords-test.csv | foreach {dnscmd.exe "DNSServer.contoso.com" /Recorddelete $_.ZoneName
  $_.hostname $_.recordType /f}
  Output:
  Deleted Ns record(s) at 1.112.170.in-addr.arpa
  Command completed successfully. [But not really, the NS record is still there]
  I have researched several sites including the suggest one here, but this does not fit my requirement.
  http://social.technet.microsoft.com/Forums/scriptcenter/en-US/97070ff2-59e2-4f34-9c39-054048e008af/automatically-delete-removed-dcname-servers-and-automatically-add-new-dcname-servers-in-reverse?forum=winserverDS
  http://technet.microsoft.com/en-us/library/jj649872.aspx

  Here is a backing store for the root servers in the DNS format:
  ; formerly NS.INTERNIC.NET
  . 3600000 IN NS A.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
  ; formerly NS1.ISI.EDU
  . 3600000 NS B.ROOT-SERVERS.NET.
  B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
  ; formerly C.PSI.NET
  . 3600000 NS C.ROOT-SERVERS.NET.
  C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
  ; formerly TERP.UMD.EDU
  . 3600000 NS D.ROOT-SERVERS.NET.
  D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
  ; formerly NS.NASA.GOV
  . 3600000 NS E.ROOT-SERVERS.NET.
  E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
  ; formerly NS.ISC.ORG
  . 3600000 NS F.ROOT-SERVERS.NET.
  F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
  ; formerly NS.NIC.DDN.MIL
  . 3600000 NS G.ROOT-SERVERS.NET.
  G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
  ; formerly AOS.ARL.ARMY.MIL
  . 3600000 NS H.ROOT-SERVERS.NE
  Notice that each is a pair.
  One is the NS and the secon is the A record.
  .                        3600000      NS    G.ROOT-SERVERS.NET.
  G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
  In this case the dot represents the self reference to the A record.  These are the records that bootstrap all of the Internet.  Remove them and you ae lost.
  The CSV uses the @ to anchor the local domain.  Perhaps the DNS CmdLets prefer the dot.  The @ is what appears on the screen when we use the GUI. Note the dot at the end of the FQDN.  It is required.  Even browser use
  it but they add it if you forget.
  ¯\_(ツ)_/¯

• Add tape device to non-global zone

  Hi,
  I have a SCSI attached Ultrium tape device attached and configured against the global zone.
  The /dev/rmt/0* definitions in the global zone are links to ../../devices/pci@2*
  I need to be able to use this tape device from the non-global zones.
  To enable this, I have done the following:
  zonecfg -z <zone name>
  add device
  set match=/dev/rmt/0
  end
  verify
  commit
  exit
  I repeated the above for /dev/rmt/0m and /dev/rmt/0mn
  Then I restarted the zone with the command:
  zoneadm -z <zone name> reboot
  After the reboot, I can see the device when using "mt -f /dev/rmt/0 status", but whenever I try to write a SAP brbackup to the new (initialised and not write protected) tape within the drive I get the following error:
  BR0278E Command output of 'LANG=C cd /oracle/<SID>/sapbackup && /usr/sap/<SID>/SYS/exe/run/brtools -f detach LANG=C cpio -iuvB .tape
  sh: /dev/rmt/0mn: cannot open
  BR0280I BRBACKUP time stamp: 2012-04-04 08.21.41
  BR0279E Return code from 'LANG=C cd /oracle/<SID>/sapbackup && /usr/sap/<SID>/SYS/exe/run/brtools -f detach LANG=C cpio -iuvB .tape.
  BR0359E Restore of /oracle/<SID>/sapbackup/.tape.hdr0 from /dev/rmt/0mn failed due to previous errors
  Have I created the device incorrectly, or does anyone have any ideas what could be the reason the write fails?
  Any help appreciated.
  Edited by: user11329299 on 04-Apr-2012 01:09

  Hi,
  Just to bring you up to speed, I have now fixed the issue.
  The resolution was all within the iniSID.sap file that the backup is using. I have changed a number of parameters within this file:
  1.     tape_copy_cmd = dd (was cpio)
  2.     rewind = "mt     -f $ rew; sleep 30" (was " mt -f $ rew")
  3.     rewind_offline = "mt -f $ offline; sleep 30" (was "mt -f $ offline")
  4.     tape_pos_cmd = "mt -f $ fsf $: sleep 30" (was "mt -f $ fsf $")
  5.     tape_size = 500G (was 18000M)
  After making those changes, the backup started from within DB13. I believe that the main culprit was the tape_copy_cmd, but the others were changed to allow the tape drive time to become online again after any query.

• Setting Security in Internet Zone to High affects Trusted Sites

  In response to the recent Security Advisory, we recommended our users set the Internet Zone security to High.
  However, this is causing our local Intranet site which is in every users Trusted Sites Zone (set at Medium-Low) to not function.
  I was under the impression that Trusted Sites are treated different than Internet Sites.
  What security settings do they share that would be affected by setting the Internet Zone to High?
  Thank you.
  Jeremy Leigh

  Hi
  f12>Console tab, refresh the page to show suppressed error messages, warnings, blocked content warnings.
  A 'High' security zone settings is equivalent to the Restricted Zones default setting.
  by default Active Scripting, scripting of ActiveX and applets and xss is disabled in the Restricted Zone.... basically domains mapped to the Restricted sites zone will be useless without active scripting.
  Rob^_^

• Moving a zone in Solaris 10 3/05

  What is the proper procedure for moving a zone in Solaris 3/05 (which does not have the 'zoneadm -z <zone> move <path>' command)?

  The zones stuff is tightly integrated with much of the other OS infrastructure eg kernel, libraries etc.
  Its not possible to upgrade just the zones stuff by installing packages.
  You could upgrade the zones stuff by applying patches, but it will drag a lot of other stuff in as preqrequisites.
  Just installing a recommended patch set should accomplish this.
  But it may be simpler to just upgrade to 5/08 and be done with it. Liveupgade or upgrade install should work.

• PS script that fills security zones in IE

  This script fills the IE security zones. The idea is for it to be added as a logon script. I reworked it from the original script from David Wyatt on https://social.technet.microsoft.com/Forums/windowsserver/en-US/84434209-0b35-49f1-91f7-0e041ca656da/powershell-add-url-to-intranet-zone?forum=winserverpowershell
  The script was tested on PowerShell 4.0.
  Each IE security zone has an array of domains.
  It goes like this :
  #Script for adding domains to diferent zones
  #Define zone arrays and zone values
  $LocalArray=@("firstlocal.com", "secondlocal.com")
  $TrustedArray=@("firsttrusted.com", "secondtrusted.com")
  $RestrictedArray=@("firstrestricted.com", "secondrestricted.com")
  $LocalValue=(1)
  $TrustedValue=(2)
  $RestrictedValue=(4)
  #Add array elements to Local intranet zone
  ForEach ($element in $LocalArray)
  #Add to Domains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $LocalValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $LocalValue -Type DWord
  #Add to EscDomains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $LocalValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $LocalValue -Type DWord
  #Add array elements to Trusted intranet zone
  ForEach ($element in $TrustedArray)
  #Add to Domains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $TrustedValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $TrustedValue -Type DWord
  #Add to EscDomains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $TrustedValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $TrustedValue -Type DWord
  #Add array elements to Restricted intranet zone
  ForEach ($element in $RestrictedArray)
  #Add to Domains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $RestrictedValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $RestrictedValue -Type DWord
  #Add to EscDomains
  $Path=("HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\" + $element)
  if (-not (Test-Path -Path $Path))
  New-Item -Path $Path
  Set-ItemProperty -Path $Path -Name http -Value $RestrictedValue -Type DWord
  Set-ItemProperty -Path $Path -Name https -Value $RestrictedValue -Type DWord
  The script is ugly and long. It repeats for each of the three zones.
  Any idea how to add a second loop that would shorten it?
  Newb

  Your request doesn't make any sense.  You have three sets of unrelated things.  You need three loops.
  ¯\_(ツ)_/¯

• Best way to give restricted execute access on pssession to remote user on a server

  we have some windows 2008 R2 development environment servers. On these servers we are planning to provide access to developers via PSremoting. We want to restrict the users in such a way that they can only run .bat files present in a certain UNC path. What
  is the best way to achieve the same. Can we create a PSSession Configuration for this?
  Please note that we are planning to enable WSmanCredSSP on client (it is already enabled on server).
  Also, is it possible to give such an access where user can only login to server using powershell's PSsession and not through interactive remote desktop connection.
  ApoorvaW

  Hi  ApoorvaW,
  If you want to setup a restricted pssession, please try to set the session configuration with the cmdlet:
  Register-PSSessionConfiguration
  Securing Session Configurations
  You can assign session configurations to users automatically. For example, you may want to restrict the commands in a session that are available to some users. This is done in a two-step-process:
  1. Create a new session configuration that restricts the session to only a subset of commands.
  2. Change security access permissions so that the intended users can only access the new session configuration.
  For more detailed information about restricted session and paremoting security, please refer to these articles:
  PowerShell Remoting: How to Restrict User Commands
  Restrict Session
  If there is anything else regarding ths issue, please feel free to pst back.
  Best Regards,
  Anna Wang

• Do we need to create two zones for Two HBA for a host connected with SAN ?

  Hi,While creating Zone , Do we need to create two zones for Two HBA for a host connected with SAN ? Or a zone is enough for
  a host which having Two HBAs...We have two 9124s for our SAN fabric...
  As I found like one zone  below, I little bit confused that , if a host having two HBA connected with SAN, should I expect two zones for every Host?
  from the zone set, I gave the command show zoneset
  zone name SQLSVR-X-NNN_CX4 vsan 1
      pwwn 50:06:NN:NN:NN:NN:NN:NN
      pwwn 50:06:NN:NN:NN:NN:NN:NN
            pwwn 10:00:NN:NN:NN:NN:NN:NN
  But I found only one zone for the server's HBA2:by the same time in the fabric I found switches A & B showing the WWNs of those HBAs on its
  connected N port...Its not only for this server alone, but for all hosts..Can you help me to clarify on this please..that should we need to create one zone for
  one HBA?

  if u have two independent fabrics between hosts and storage, i think the below confs are recommended.
  Scenario 1:  2 HBAs single port each ( redundancy across HBA / Storage port )
  HBA1 - port 0 ---------> Fabric A ----------> Storage port ( FAx/CLx )
  HBA2 - port 0 ---------> Fabirc B ----------> Storage port ( FAy/CLy )
  Scenario 2: 2 HBAs of dual port each
  HBA1 - port 0 -------> Fabric A ---------> Storage port ( FAx/CLx )
  HBA2 - port0 ---------> Fabric A ---------> Storage port ( FAs/CLs )
  HBA1 - port 1 --------> Fabric A --------> Storage port ( FAy/CLy )
  HBA2 - port 1 ---------> Fabric B --------> Storage port ( FAt/CLt )
  the zone which is in your output is VSAN 1. if its a production VSAN, Cisco doesn't recomends to use VSAN 1 ( default vsan ) for production.

• Question about "no ip gratuitous-arp" command in IOS

  Does the "no ip gratuitous-arp" command affect gratuitous arps sent by the router (for example, when hsrp causes a secondary router to assume role of primary) or does it affect gratuitous arps received by the router (for example, gratuitous arps with the spoofed IP address of the router).

  I do not have direct experience with this command. But I think that the documentation is clear that the command restricts the router sending gratuitous arp and does not affect the router receiving gratiutous arp.
  The documentation is fairly clear that its restriction on gratiutous arp is a restriction on sending gratiutous arp when a remote client has learned an IP address via PPP negotiation and the address is in a local address pool. Assuming that this part of the documentation is accurate it would have no affect on the router sending gratiutous arp in HSRP takeover situations.
  HTH
  Rick

• SmartScreen Filter in Internet Zone - Use it or not?

  The SCM 3.0 recommends that SmartScreen filter be enabled for:
  Locked-Down Trusted Sites Zone
  Locked-Down Intranet Zone
  Locked-Down Internet Zone
  Locked-Down Restricted Sites Zone
  Locked-Down Local Machine Zone
  Local Machine Zone
  I do not find a recommendation to enable SmartScreen filter for the Internet zone. Is this an oversight or is there something I am missing?
  Charlie Newman

  Nancy O. wrote:
  HTML 5.0 takes some strange turns.  Revives <marquee>, finally supports <embed> but then deprecates <acronym>.  What will the Wiki sites do?
  Once IE6 disappears from the scene, <acronym> becomes unnecessary. The correct tag is <abbr>. The problem is that some illiterate person at Microsoft thought acronym was the same as abbreviation. Wrong. All acronyms are abbreviations, but not all abbreviations are acronyms. An acronym is a new word made from the initial letters of existing words, e.g., radar (RAdio Detection And Ranging).
  And so the dreaded "blink" continues...
  Well, that's part of CSS2.1, not HTML5. The HTML5 draft spec says the <blink> tag is obsolete, and must not be used. Even the CSS2.1 spec gives blink short shrift, saying: "Conforming user agents may simply not blink the text. Note that not blinking the text  is one technique to satisfy  checkpoint 3.3 of WAI-UAAG." (http://www.w3.org/TR/CSS21/text.html#propdef-text-decoration)

• Exlusive-IP zone not plumbing all intfcs on system reboot

  Hi:
  I set up an exclusive ip zone with 2 network interfaces and 2 different ips.
  They are bge1 - 192.168.2.12
  and bge2 - 192.168.1.116
  I also have the hostname.bge1 and hostname.bge2 files set up with the respective host names from the /etc/hosts file in the zone.
  Interestingly, when the system is rebooted (init 6, e.g.) only the bge1 interface is plumbed in the non-global zone when it is started
  From the global zone, however, I am able to reboot the zone with the zoneadm command: zoneadm -z zone reboot
  and now both the interfaces are plumbed.
  Is this a bug in the exclusive-ip zones ? or am I forgetting something? I would prefer it if both the interfaces were plumbed upon system start-up.
  Thanks in advance!

  Did you managed to answer this question since I have just noticed the same problem - day before I go on leave.
  I have a zone with an exclusive IP and when ever I reboot the Hardware (global zone) the zone comes up with out a network. At the moment I fix the problem my rebooting the zone. The problem does not seem to be reported with sun before.
  Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
  State of current zones:
  ID NAME             STATUS     PATH                           BRAND    IP   
    0 global           running    /                              native   shared
    2 ldap             running    /zone/ldap                     native   shared
    3 smtp             running    /zone/smtp                     native   excl 
  $ su
  $ Password: root password
  # zlogin -C -e\@  smtp
  [Connected to zone 'smtp' console]
  smtp console login: root
  Password:
  Last login: Fri Jul 11 10:56:51 on console
  Jul 11 11:08:04 smtp login: ROOT LOGIN /dev/console
  Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
  # ifconfig -a
  # lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
  # init 6
  smtp console login: root
  Password:
  Last login: Fri Jul 11 10:56:51 on console
  Jul 11 11:08:04 smtp login: ROOT LOGIN /dev/console
  Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
  # ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
  e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 193.61.29.3 netmask ffffff00 broadcast 193.61.29.255
         ether 0:1e:68:1e:1b:b
  # cat /var/svc/log/network-physical:default.log
  [ Jul 11 10:55:23 Leaving maintenance because clear requested. ]
  [ Jul 11 10:55:23 Enabled. ]
  [ Jul 11 10:55:23 Executing start method ("/lib/svc/method/net-physical") ]
  [ Jul 11 10:55:23 Timeout override by svc.startd.  Using infinite timeout ]
  ifconfig: plumb: e1000g1: No such file or directory
  moving addresses from failed IPv4 interfaces: e1000g1 (couldn't move, no alternative interface).
  add net default: gateway 193.61.29.245: Network is unreachable
  [ Jul 11 10:55:23 Method "start" exited with status 96 ]
  [ Jul 11 10:56:39 Enabled. ]
  [ Jul 11 10:56:40 Executing start method ("/lib/svc/method/net-physical") ]
  [ Jul 11 10:56:40 Timeout override by svc.startd.  Using infinite timeout ]
  configuring IPv4 interfaces: e1000g1.
  add net default: gateway 193.61.29.245
  [ Jul 11 10:56:41 Method "start" exited with status 0 ]Any ideas.
  I will take this up with Sun at a later date.

• Patching and Zones

  1.     How to identify the patch as a Global patch or local patch?
  The SUNW_PKG_ALLZONES flag in the pkginfo is applicable to individual packages inside a patch.
  2.     Is it sufficient to execute patchadd (without any parameters) on global zone?
  Online Doc says the patchadd command on global zone propagates the patch installation on all local zones automatically)
  3.     Will there be any patches applicable to local zones? If yes do we need to install them individually on localzones?
  The online doc says we need not to patch the local zones. That will be taken care by global zone patch installation. How far this is true?
  4.     There are some global zone patches require reboot, do we need to shutting down all the local zones gracefully before we do reboot container?
  The patchadd command takes care of propagating the patch installation to all the local zones, so will reboot command implicitly shutdown machines gracefully?

  First, these comments apply to native zones on Solaris 10 which is what I think you're asking about based on the nature of your questions. They do not apply to other kinds of zones (such as ipkg zones on Solaris 11 Express). I not sure about your first question so I wont try to answer it.
  2. In general, it is sufficient to apply the patches using patchadd in the global zone. The patching process will figure out what needs to be done in the non-global zones and will do it automatically. You can check this using "showrev -p" or "patchadd -p" in the zones to see what patches were applied to the zones and what patches were not.
  3. I can't answer give a definitive answer to this question. I can imagine a situation where packages are installed in a non-global zone which do not exist in the global zone. In that case, I don't know whether applying the patch in the global zone would work or not. If patching from the global zones fails in that case, you might have to apply the patch in the non-global zone. However, in general patching in the global zone works fine.
  4. The reboot command appears to shut the zones down gracefully but I'm not authoritative with respect to this point. I usually use shutdown to send notices to users in shutting down zones before rebooting the machine but if no notices are required I just reboot the global machine.
  Hope this is helpful.