Re: [zones-discuss] Future directions of Zones?

2011-06-20 Thread Pete Chan

I thought that's the reason we have core or core + networking to begin with. 
Also we have JeOS with OpenSolaris. Both of these approaches to installing Solaris 
are almost bare bones.
 

 Date: Mon, 20 Jun 2011 10:01:35 -0700
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: [zones-discuss] Future directions of Zones?
 
 There are speculations that future Microsoft Windows OS, will only be a 
 kernel. And each program will be installed in an individual VM created for 
 that program. Hence, the kernel would be minimalistic and not bloated.
 
 Can not something similar be done to Solaris? For instance, small Kernel, and 
 everything installed in separate zones? This requires that Solaris Zones can 
 be very minimalistic, they read the system files from the Kernel install, and 
 write in its own filesystem.
 -- 
 This message posted from opensolaris.org
 ___
 zones-discuss mailing list
 zones-discuss@opensolaris.org

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Pete Chan

 how can I ssh into a local zone if the global zone has no outside connection??

You have 2 options. 1. From the global you can simply use zlogin zonename and 
you're in. 2. You can add TCP wrappers to the non-global zone to only allow ssh 
connections from the global.

 Date: Fri, 26 Nov 2010 04:22:56 -0800
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
 
 So you suspect there is no need to shut down the global NIC, if the zone uses 
 exclusive IP and it is on a separate subnet and there is no routing between 
 the zones?
 
 Ok, that is an interesting thought. What do you other people say? In that 
 case a local zone can not ping (reach) the global zone? 
 
 I was thinking that the only way to reach internet, would be through a local 
 zone. The global zone should be completely isolated from the rest of the 
 world (zones, internet) and have no working NIC. The question is, in that 
 case, how can I ssh into a local zone if the global zone has no outside 
 connection??
 
 
 
 (BTW, I don't know how to do what you suggest, as I am a Solaris noob. I just 
 planned to create exclusive-ip vnic and a vswitch and connect them - have I 
 done what you described then? Are they on a separate subnet? Or do I need to 
 do some additional configuration?)

Re: [zones-discuss] installing packages in global zone

2010-10-16 Thread Pete Chan

Mike, thanks for the quick response.
 
It seems that it may be sufficient to add a read-only mount to each zone as you 
recommended. I'll give that a try.
 
However, now I am curious to know why I don't get a value (true or false) when I 
run #pkgparam SOMEpackage. When I installed SOMEpackage in the Global I did 
NOT use the -G option. Based on what I read and your explanation below, not 
having the -G option will automatically install SOMEpackage on all the 
non-global zones. Are you saying that the developer of SOMEpackage can opt out 
of entering true or false for SUNW_PKG_THISZONE? In which case that means 
that the default may be true (even though it's not explicit) and that's why 
SOMEpackage is not propagating to the non-global zones? I appreciate the help 
and explanations, Mike.
 
p.
 
 Date: Fri, 15 Oct 2010 21:33:49 -0500
 Subject: Re: installing packages in global zone
 From: mger...@gmail.com
 To: super_...@hotmail.com
 CC: zones-discuss@opensolaris.org
 
 This is probably better suited for zones-discuss than
 security-discuss. I've set the reply accordingly.
 
 On Fri, Oct 15, 2010 at 3:02 PM, Pete Chan super_...@hotmail.com wrote:
  Hello,
 
  I am trying to figure out how to install a package in a global zone under
  /opt and be able to access the binaries of the package from a non-global
  zone.
  In other words, the users of this package do not have access to the global
  zone and only have access to the non-global. How do I propagate this
  installation to the non-global zone?
 
 The answer varies depending on whether you are running Solaris 10 or
 OpenSolaris. I'll assume you are running Solaris 10 in my answer.
 
 When you run a command like
 
 pkgadd -d . SOMEpackage
 
 in the global zone, the default behavior is that the package will
 automatically be installed in all non-global zones as well. This
 behavior can be changed via the -G option to pkgadd, which will cause
 it to install only in the global zone. If the developer that created
 SOMEpackage put SUNW_PKG_THIS_ZONE=true in the pkginfo file
 (SOMEpackage/pkginfo), then it will not automatically be installed in
 all of the non-global zones. In such a case, you will need to install
 the package in each zone individually. It may be sufficient to add a
 read-only lofs mount to each zone instead of installing it in all
 zones. That is,
 
 zonecfg -z zone1
 add fs
 set type=lofs
 set special=/opt/SOMEpackage
 set dir=/opt/SOMEpackage
 set options=ro
 end
 verify
 commit
 exit
 
 Then reboot the zone or issue the appropriate mkdir and mount -F lofs
 -o ro ... commands to create the lofs mounts without rebooting.
 
 If you are on OpenSolaris (with the pkg command, not ancient SXCE
 which will act like Solaris 10) you will need to install the software
 in all zones that require it. The new way of doing things breaks the
 strong ties between software selection in the global zone and all
 non-global zones.
 
 -- 
 Mike Gerdts
 http://mgerdts.blogspot.com/
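
Added example, not part of the original messages: a shell sketch that reads a package's pkginfo file and reports how Solaris 10 pkgadd, run in the global zone without -G, would treat it. It goes beyond the thread by also covering SUNW_PKG_ALLZONES and SUNW_PKG_HOLLOW, and it treats an attribute missing from pkginfo as false, the default given in pkginfo(4); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a Solaris 10 SVR4 package by
# the three zone attributes in its pkginfo file. Function names and the sample
# pkginfo files below are constructed for illustration.

# pkg_attr FILE NAME: print NAME's value, or "false" when the attribute is
# absent (pkginfo(4) gives false as the default for all three attributes).
pkg_attr() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -1 | tr -d '"')
    echo "${val:-false}"
}

# zone_scope FILE: print propagates | current-zone-only | all-zones |
# all-zones-hollow | invalid
zone_scope() {
    all=$(pkg_attr "$1" SUNW_PKG_ALLZONES)
    hollow=$(pkg_attr "$1" SUNW_PKG_HOLLOW)
    this=$(pkg_attr "$1" SUNW_PKG_THISZONE)
    case "$all/$hollow/$this" in
        false/false/false) echo "propagates" ;;        # default: global + every non-global zone
        false/false/true)  echo "current-zone-only" ;; # behaves as if -G had been given
        true/false/false)  echo "all-zones" ;;         # must be identical in every zone
        true/true/false)   echo "all-zones-hollow" ;;  # package metadata only in non-global zones
        *)                 echo "invalid" ;;           # no other combination is valid
    esac
}

# Constructed sample pkginfo files.
demo_dir=$(mktemp -d)
printf 'PKG=SOMEpackage\nNAME=demo\n' > "$demo_dir/unset"
printf 'PKG=SOMEpackage\nSUNW_PKG_THISZONE=true\n' > "$demo_dir/thiszone"
printf 'PKG=SOMEpackage\nSUNW_PKG_HOLLOW=true\n' > "$demo_dir/bad"

for f in unset thiszone bad; do
    printf '%-9s THISZONE=%-5s scope=%s\n' "$f" \
        "$(pkg_attr "$demo_dir/$f" SUNW_PKG_THISZONE)" "$(zone_scope "$demo_dir/$f")"
done
```

On a real system the file to inspect is the package's pkginfo (SOMEpackage/pkginfo in the datastream directory, as named in the reply above).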

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-26 Thread Pete Chan

When you create your zone1 it will be bound to e1000:1, and that interface is 
not disabled, hence it will have access to the web.
You may do the same thing with 2 interfaces. One can be dedicated to global and 
the other bound to e1000:1, etc.
 
 Date: Sat, 25 Sep 2010 12:32:55 -0700
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
 
 Is it that simple?!
 
 I just disable my interface. Maybe with something similar to
 # ifconfig e1000 down
 or something. I have to check the syntax.
 
 And then everything is done? But, my zones, how can they reach internet if 
 the global interface is disabled? I don't get it.