Disabling the global zone?

Hi,
I wanted to remove/disable the global zone in Solaris 10. Someone told me that the only thing I needed to do is removing the following three packages:
- SUNWluzone
- SUNWzoner
- SUNWzoneu
I've done it and it seems that there is no global zone, but I still wonder if it is a good method and what are the consequences of such behavior.
Thank you for any response.
Best regards,
foxrafi

Hi Foxrafi
I think you may have been misinformed. You cannot remove the global zone. The global zone is the installation of Solaris that you boot when you power on your server. So don't fear the global zone! Just think of 'global zone' as an alias for your normal Solaris installation.
Therefore the only way of removing the global zone is to uninstall Solaris itself.
What you have done by removing the three packages you mention is remove the utilities that allow you to create and administer non-global zones on the server. However the 'global' zone is still there. You haven't done any harm by removing those packages, however as they are part of the core cluster they are probably best left installed. It will also stop any confusion to your users who may run 'zonename' at some point and be surprised to find the command is not there (I haven't checked, but am assuming zonename is part of one of the packages you mention).

Similar Messages

  • Non-Global Zones - how can I tell what the Global Zone is

    Hi,
    I have a host that I know is a non-global zone (ngz). I can ssh to the ngz as root or a non-privileged user.
    But once there how do I know what the host name for the global zone is?
    I could probably run a script from all global zones to report all running zones and so I'd know that way but I have a specific need to know from inside the ngz.
    Thanks!
    Brian

    bdunbar wrote:
    That's a built-in security feature; and I know of no way to circumvent this mechanism.
    I had some hope that there was a way to 'see' at least the global-zone information from the zone. From the shell the 'zone' commands are available ..
    :# zoneadm list -cv
    ID NAME             STATUS         PATH
    48 hostname_svn   running        /
    So it's at least aware that it is a zone, even if it can't tell me anything else about itself. I can still go the long way around to get the information for my need, thanks.
    The global zone is the only thing that can see everything. The non-global zones can only see information specific to their zone.
    This is by design and it really is a security mechanism. You don't want the zones running outside of their boundaries and information about the global zone (or any other zone) is outside the boundaries of a non-global zone.
    Cheers,

  • Ssh takes me to the global zone instead of the non-global zone

    I have set up my first Solaris 10 server with a new zone. The ce device is set up on the zone as well as the global zone.
    Output from ifconfig on the global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.217 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 172.16.1.199 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    Output from the non-global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.199 netmask ffff0000 broadcast 172.16.255.255
    ether 0:3:ba:f2:a1:54
    When I ssh into the non-global zone, I end up in the global zone? Can I ssh straight into the non-global zone? Am I missing something in the zone setup that keeps me from being able to ssh into the non-global zone?
    Any help is appreciated. I have been racking my brain on this for several hours.
    Thanks ahead of time.

    TAdriver wrote:
    The one thing I have found in the documentation is that if you set the network as an exclusive IP, you can only assign the physical name using zonecfg. You can't set the IP address or the default router. In fact, if you try to set either of those, you get an error saying you can't set those using an exclusive IP type.
    Correct. When doing a shared-IP zone, the zone has no privileges to do IP-level things. So the global zone (via the zone configuration) creates the virtual interface and sets the IP address. Then when the zone is booted, the interface is given to it.
    With an exclusive-IP zone, the zone can do all this work itself. From its perspective, it's handed an interface like a regular machine. So the IP settings are done within the zone (/etc/hosts, /etc/hostname.XXX, /etc/netmasks).
    Darren

  • To break out of a non-global zone and become root user in the global zone

    Hi folks
    "to break out of a non-global zone and become root user in the global zone through a kernel bug exploit"
    Is this possible and has SUN already a fix/workaround/patch for that?
    Cheers

    Is it possible there's a bug in the kernel? Sure.
    Someone would need to find and identify such a bug before it could be fixed. I've not heard of the discovery of a bug like this. You could check the bug database at www.opensolaris.org.
    Darren

  • How do you create a new local zone w/o all the global zone packages

    I have several servers with hundreds of packages added w/o the pkgadd -G option. Every time I create a new local zone, the local zone inherits all the global zone packages. Is there a way to modify maybe the packaging DB to stop the automatic inheritance of packages to create new empty local zone?
    Edited by: cslew on Feb 4, 2008 8:02 PM

    Not really.
    If we're talking about sparse zones, they share the root partition with the global zone anyway, so regardless of whether the packages were 'registered' with the zones, they would get the software anyway.
    Of course, not registering the packages would speed up the patching process as it wouldn't have to futz around updating all the local package repositories.
    So it would be an advantage in some respects.
    If we're talking about a full root zone, then it ought to be possible in theory.
    But I'm not aware of a way to do it in practice.

  • FSS shares and the global zone

    zonecfg allows me to set an RCTL on the number of FSS shares a zone can use.
    How do I set the total number of FSS shares that are available to all the processes in the global zone?
    For instance if I have a machine with the global zone and two non-global zones how do I configure the CPU shares so that all the zones get an equal amount of the CPU?
    I can balance the two non-global zones equally but how do I balance the non-global zones against the global zone?

    zonecfg allows me to set an RCTL on the number of FSS shares a zone can use.
    How do I set the total number of FSS shares that are available to all the processes in the global zone.
    You can use the prctl(1M) utility for now, although you'll need to renew the setting each time you reboot the system. In the future we hope to have a nicer user interface for this.
    For instance if I have a machine with the global zone and two non-global zones how do I configure the CPU shares so that all the zones get an equal amount of the CPU.
    Well, that one is easy-- give each zone one share. Then the machine will divide up 1/3, 1/3, 1/3.
    Or, use prctl(1M) to give the global zone 2 shares; the machine will divide up 1/2, 1/4, 1/4.
    Does that help? Please note also that prctl has some problems with setting zone resource controls;
    these are fixed in build 59, which should appear as Solaris 10, Beta5, in another month or so.
    Anyway, the incantation which works for me is:
    prctl -n zone.cpu-shares -r -v 2 -i process 1
    That means: "change zone.cpu-shares, replacing the current value with the new value, 2, and apply the change to process 1 (init)." This is slightly a hack-- and works because the zone.cpu-shares resource control is shared across all processes in the given zone-- so I've chosen PID 1 as a "representative" of the global zone.
    When the aforementioned bug is fixed in build 59, you will be able to instead say:
    prctl -n zone.cpu-shares -r -v 2 -i zone global
    Which is a little more sensible.
    Please accept my apologies for our excessively long delay in answering these questions!

  • HowTo mount the home dirs in the global zone to many zones?

    I tried it with loopback mounts.
    global zone /export/home is loopback mounted to /export/zones/zone1/root/export/home
    and to /export/zones/zone2/root/export/home
    with the zonecfg command. Now booting zone1 works, zone2 exits with
    zoneadm: zone 'zone2': "/usr/lib/fs/lofs/mount /export/home /export/zones/zone2/root/export/home" failed with exit code 33
    zoneadm: zone 'testserver': call to zoneadmd failed
    Thanks in advance

    Forget it. There was a shell with this directory as working directory...
    Sorry.

  • Adding routes not on the Global Zone

    Is it possible to add a route to a non global zone? if not, is there a way to manipulate the route coming from non global zone?

    I don't think so. There's only one kernel and only one routing table. There might be some workarounds though.
    Can you describe a little more of what you're trying to do? It might be possible to think up some workarounds. For instance, ipnat might be able to do useful rewrites.
    Darren

  • Disable the global address book from email app?

    I am syncing with Exchange, and when I go to type an address in the email application it first shows me the result from my contacts before flooding the suggestion list with crap from the GAL.
    i.e. If I type "t" into the "TO" box it first shows a few results, my friend Tim, my other friend last name Thompson etc. Then after a second or 2, the list is flooded with any of the thousands of people in the GAL.
    Is there no way to disable this? I never want to use the GAL really, but I do need to sync my contacts with Exchange.

    Hi,
    Please try the following commands:
    $filter = (Get-GlobalAddressList 'Default Global Address List').RecipientFilter
    Get-Recipient -RecipientPreviewFilter $filter | Where-Object {$_.HiddenFromAddressListsEnabled -ne $false} | Select-Object Name,PrimarySmtpAddress | Export-CSV c:\GAL.csv -NoTypeInformation
    Thanks,
    Winnie Liang
    TechNet Community Support

  • StarOffice8 Solaris 10 sparc: how to install only in the global zone?

    hello all,
    i have installed SO8 on T2000 Solaris 10 according this doc:
    http://notallmicrosoft.blogspot.com/2005/10/installing-staroffice-8-on-solaris-nfs.html
    everything works fine except that now, i have to setup zones on my nfs server, and because the staroffice installer isn't aware of zones, and doesn't permit to do:
    pkgadd -G ...
    all the zones created are very big due to staroffice (800Mb instead of 100Mb!)
    so i tried the following method:
    - launch the installer so-8-ga-bin-solsparc-en-US_fr.sh without DISPLAY for example
    - go into /var/tmp/unpack_staroffice/packages
    - install all the packages manually:
    pkgadd -G -d . SUNWstaroffice-* (this method is already used by OpenOffice!)
    This method works well if i use soffice on the nfs server.
    But on nfs client, that mount /opt/staroffice8, i got this error:
    mimosa-henry% soffice
    The application cannot be started.
    The component manager is not available.
    How can i deal with it? Is it possible to modify some scripts to add "-G" option to pkgadd without breaking the installation? What is the component manager? What package is concerned?
    Thanks in advance for help,

    ok, the solution is here:
    http://blogs.sun.com/thaniwa/entry/en_diskless_solaris_x86_p5
    and particularly here:
    http://docs.sun.com/app/docs/doc/817-7496/6mmqgehgl?a=view

  • Network traffic between zones in the same Global zone

    Hi,
    I would like to know if the traffic between different zones that share the same nic within the global zone goes to the switch they are connected to and comes back, or remains within the global zone?
    Example:
    Local zone apache IP 10.0.0.2
    Local zone oracle IP 10.0.0.3
    Global zone IP 10.0.0.4
    When Local zone apache contact Local zone oracle does the traffic go to the switch and then to Local zone oracle or just remains internal the Global zone?
    Regards,
    Younis

    s-wilson wrote:
    If the zone is on a different subnet from the global, the traffic would have to be routed back.
    That's not correct. As long as it is a shared-ip zone, traffic does not leave the box.
    This is no different than a single-zone host that has interfaces on two subnets.
    Darren

  • What options do I have to patch the recommended patchset on Solaris 10 with a bunch of non-global zones?

    With the standard patching process(installcluster), it takes a looong time since each zone needs veridated. Any option that I can apply the patchset to the global zone only, then later upgrade the non-global zones?
    If possible, I'd like to use LU.

    You can use LU but it will depend on your system config. There are instructions in the README of the patchset to install it on an alternate boot environment (previously created using lucreate).
    If you plan to use LU, read the following docs first to avoid common issues:
    Solaris Live Upgrade Software Patch Requirements(Doc ID 1004881.1)
    List of currently unsupported Live Upgrade (LU) configurations (Doc ID 1396382.1)
    You can also use Parallel Patching feature to improve performance :
    https://blogs.oracle.com/patch/entry/zones_parallel_patching_feature_now
    Solaris 10 10/09: Zones Parallel Patching to Reduce Patching Time (System Administration Guide: Oracle Solaris Containers…
    What you can't do is patch the global zone only and the non-global zones later (unless the zones are detached). It's a requirement that the global and non-global stay synchronized at all times (considering that they are sharing the same kernel).

  • How to configure a audit in global zone that will audit all the zone

    Hi everyone,
    Please I want you guys to help me out on how I can configure an audit for my global zone that will audit all the zones that I have in the global zone.
    I have a global zone, and I have like four zones under it, so I don't know how to configure a BSM audit for the global zone that will audit all the zones.
    I will appreciate your swift response.
    Thanks and Regards.
    Ladi

    Most of the time each zone is treated as a separate server. This is my experience others might do it differently. All logs can then be sent to a log server and you will know that about the zone errors because the zone has a zone and/or host name. You can also login to the zone and check the logs there as well.
    The link below is for a book from a guy who is much smarter than me. Read the security chapter.
    http://www.c0t0d0s0.org/pages/lksfbook.html

  • Management Access Rights from non global Zone

    We have a Sun Cluster 3.2 on Solaris 10. The Managed Resources are Solaris Zones:
    e.g Resgroup xx
    - xx-hasp (Storage for the Zone Root)
    - xx-lh (the Service Address for the zone)
    - xx-sczbt (the Zone boot Resource)
    - xx-sczsmf (a managed SMF Service in the Zone)
    How do I allow an arbitrary non-root user or group inside the zone xx to disable the monitor of the resource xx-sczsmf so he can for example perform maintenance on it?
    I have a few restrictions:
    - the user has no account in the global zone
    - the user may be allowed to manage all resources which belong to his zone
    - the user is not allowed to manage any resource of another zone.
    I guess solaris.cluster.resource.admin will not do the trick :-(
    Fritz

    Well, seems I have to use the same 'hack' i used for a SC 3.1.
    Create a user in the global zone which has exactly the allowed rights (with a Role)
    Assign it a public key
    Give the users which are allowed to perform this operation the matching private key, so they can execute the command over ssh in the global zone.
    Not very elegant, but fulfills all my requirements.
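
One way to constrain the key-based workaround described in the post above, as an added example that is not part of the original thread or of Sun Cluster: an sshd forced-command wrapper that accepts only `monitor` or `unmonitor` requests for resources of one zone. The wrapper path, the `--gate` argument and the rule that a zone's resources are named `<zone>-...` (as in `xx-sczsmf`) are assumptions made for this example.

```shell
#!/usr/xpg4/bin/sh
# Added example (not from the thread). Assumed authorized_keys entry for the
# restricted global-zone account; wrapper path and key are placeholders:
#   command="/opt/local/bin/zone-rs-gate --gate xx",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY>
# sshd ignores the command the client sends and runs the wrapper instead; the
# client's request is only available as text in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL   # make the [A-Za-z0-9] ranges below byte-exact

# validate_request ZONE REQUEST
# Succeeds and prints "<action> <resource>" only when REQUEST is exactly
# "monitor <resource>" or "unmonitor <resource>" and the resource name starts
# with "ZONE-" (assumed naming convention, as in xx-sczsmf).
validate_request() {
    zone=$1
    request=$2
    case $zone in ''|*[!A-Za-z0-9]*) return 1 ;; esac

    # Word-split without globbing; anything but two words is refused.
    set -f
    set -- $request
    set +f
    [ $# -eq 2 ] || return 1

    case $1 in monitor|unmonitor) ;; *) return 1 ;; esac
    # Resource names: letters, digits, '_' and '-' only. This refuses shell
    # metacharacters, paths and wildcard operands.
    case $2 in *[!A-Za-z0-9_-]*) return 1 ;; esac
    # Must belong to the caller's zone and have a non-empty suffix.
    case $2 in "$zone"-?*) ;; *) return 1 ;; esac

    printf '%s %s\n' "$1" "$2"
}

if [ "${1:-}" = "--gate" ]; then
    gate_zone=${2:-}
    if checked=$(validate_request "$gate_zone" "${SSH_ORIGINAL_COMMAND:-}"); then
        set -f; set -- $checked; set +f
        logger -p auth.info "zone-rs-gate: zone=$gate_zone $1 $2"
        # Fixed binary, fixed argument positions: no shell re-parses the request.
        exec /usr/cluster/bin/clresource "$1" "$2"
    fi
    logger -p auth.warning "zone-rs-gate: refused request for zone=$gate_zone"
    echo "request refused" >&2
    exit 1
fi
```

With one key per zone, each holder of a private key can only toggle monitoring on that zone's resources, and every accepted or refused request is recorded through syslog in the global zone.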

  • How to retrieve #  on-line procs in a non-global zone with resource pool

    Is there any way to retrieve the #of on line processors of the machine running in a non global zone with resource pool ?
    sysconf does not return this value. In fact this is an excerpt of the man:
    "If the caller is in a non-global zone and the pools facility is active, sysconf(_SC_NPROCESSORS_CONF) and sysconf(_SC_NPROCESSORS_ONLN) return the number of processors in the processor set of the pool to which the zone is bound."

    So, from within a local zone that's in a pool (i.e. in a pool with 8 CPUs) , you want to query how many CPUs really exist in the global zone (i.e. the global zone may actually have 16 CPUs)? I don't think that's possible: in fact for security reasons it's probably intentionally disabled.
    A quick workaround would be a script/cron-job in the global zone that writes a small file in the filesystem of the local zone... then from within that zone you could read the CPU count.
    I'm interested though: what are you trying to set up?
    Regards,