Solaris Trusted Extensions Installation and Configuration

Creating Labeled Zones

The txzonemgr script steps you through all the following tasks that configure labeled zones.


Caution - To use the txzonemgr procedures, you must be running the Solaris 10 8/07 release of Trusted Extensions, or you must have installed all patches for this release.


The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Task Map: Preparing For and Installing Trusted Extensions.

1. Run the txzonemgr script.
   Description: The txzonemgr script creates a GUI that presents the appropriate tasks as you configure your zones.
   For Instructions: Run the txzonemgr Script

2. Manage network interfaces in the global zone.
   Description: Configure interfaces in the global zone, or create logical interfaces and configure them in the global zone.
   For Instructions: Configure the Network Interfaces in Trusted Extensions

3. Name and label the zone.
   Description: Name the zone with a version of its label, and assign the label.
   For Instructions: Name and Label the Zone

4. Install and boot the zone.
   Description: Install the packages in the zone. Configure services in the zone. A Zone Terminal Console enables you to view the activity in the zone.
   For Instructions: Install the Labeled Zone; Boot the Labeled Zone

5. Verify the status of the zone.
   Description: Verify that the labeled zone is running, and that the zone can communicate with the global zone.
   For Instructions: Verify the Status of the Zone

6. Customize the zone.
   Description: Remove unwanted services from the zone. If the zone is going to be used to create other zones, remove information that is specific to this zone only.
   For Instructions: Customize the Labeled Zone

7. Create the rest of the zones.
   Description: Use the method that you have chosen to create your second zone. For a discussion of zone creation methods, see Planning for Zones in Trusted Extensions.
   For Instructions: Create Another Zone in Trusted Extensions

8. (Optional) Add zone-specific network interfaces.
   Description: To effect network isolation, add one or more network interfaces to a labeled zone. Typically, this configuration is used to isolate labeled subnets.
   For Instructions: Add a Network Interface to an Existing Labeled Zone

Run the txzonemgr Script

This script steps you through the tasks to properly configure, install, initialize, and boot labeled zones. In the script, you name each zone, associate the name with a label, install the packages to create a virtual OS, and then boot the zone to start services in that zone. The script includes copy zone and clone zone tasks. You can also halt a zone, change the state of a zone, and add zone-specific network interfaces.

This script presents a dynamically-determined menu that displays only valid choices for the current circumstances. For instance, if the status of a zone is configured, the Install zone menu item is not displayed. Tasks that are completed do not display in the list.

Before You Begin

You are superuser.

If you plan to clone zones, you have completed the preparation for cloning zones. If you plan to use your own security templates, you have created the templates.

  1. Open a terminal window in the global zone.
  2. Run the txzonemgr script.
    # /usr/sbin/txzonemgr

    The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your installation.

    To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.

Configure the Network Interfaces in Trusted Extensions


Note - If you are configuring your system to use DHCP or to prevent networks from contacting the global zone, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.


In this task, you configure the networking in the global zone. You must create exactly one all-zones interface. An all-zones interface is shared by the labeled zones and the global zone. The shared interface is used to route traffic between the labeled zones and the global zone. To configure this interface, do one of the following:

  • Create a logical interface from a physical interface, then share the physical interface.

    This configuration is the simplest to administer. Choose this configuration when your system has been assigned two IP addresses. In this procedure, the logical interface becomes the global zone's specific address, and the physical interface is shared between the global zone and the labeled zones.

  • Share a physical interface

    Choose this configuration when your system has been assigned one IP address. In this configuration, the physical interface is shared between the global zone and the labeled zones.

  • Share a virtual network interface, vni0

    Choose this configuration when you are configuring DHCP, or when each subnetwork is at a different label. For a sample procedure, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.

To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to an Existing Labeled Zone.

Before You Begin

You are superuser in the global zone.

The Labeled Zone Manager is displayed. To open this GUI, see Run the txzonemgr Script.

  1. In the Labeled Zone Manager, select Manage Network Interfaces and click OK.

    A list of interfaces is displayed.


    Note - In this example, the physical interface was assigned a host name and an IP address during installation.


  2. Select the physical interface.

    A system with one interface displays a menu similar to the following. The annotation in the right-hand column is added for assistance:

    vni0                               Down   Virtual Network Interface
    eri0   global   10.10.9.9   cipso   Up     Physical Interface

    1. Select the eri0 interface.
    2. Click OK.
  3. Select the appropriate task for this network interface.

    You are offered three options:

    View Template: Assign a label to the interface
    Share: Enable the global zone and labeled zones to use this interface
    Create Logical Interface: Create an interface to use for sharing

    • If your system has one IP address, go to Step 4.
    • If your system has two IP addresses, go to Step 6.
  4. On a system with one IP address, share the physical interface.

    In this configuration, the host's IP address applies to all zones. Therefore, the host's address is the all-zones address. This host cannot be used as a multilevel server. For example, users cannot share files from this system. The system cannot be an LDAP proxy server, an NFS home directory server, or a print server.

    1. Select Share and click OK.
    2. At the prompt, accept the host name.
    3. Dismiss the dialog box that displays the netmask.
      eri0  all-zones  10.10.9.9  cipso  Up
  5. Skip the next step.

    You are successful when the physical interface is an all-zones interface.

  6. On a system with two IP addresses, create a logical interface.

    Then, share the physical interface.

    This is the simplest Trusted Extensions network configuration. In this configuration, the main IP address can be used by other systems to reach any zone on this system, and the logical interface is zone-specific to the global zone. The global zone can be used as a multilevel server.

    1. Select Create Logical Interface and click OK.

      Dismiss the dialog box that confirms the creation of a new logical interface.

    2. Select Set IP address and click OK.
    3. At the prompt, specify the host name for the logical interface and click OK.

      For example, specify machine1-services as the host name for the logical interface. The name indicates that this host offers multilevel services.

    4. At the prompt, specify the IP address for the logical interface and click OK.

      For example, specify 10.10.9.2 as the IP address for the logical interface.

    5. Select the logical interface again and click OK.
    6. Select Bring Up and click OK.

      The interface is displayed as Up.

      eri0    global       10.10.9.1   cipso   Up
      eri0:1  global       10.10.9.2   cipso   Up
    7. Share the physical interface.
      1. Select the physical interface and click OK.
      2. Select Share and click OK.
        eri0    all-zones    10.10.9.1   cipso   Up
        eri0:1  global       10.10.9.2   cipso   Up

    You are successful when at least one interface is an all-zones interface.

Example 4-2 Viewing the /etc/hosts File on a System With a Shared Logical Interface

On a system where the global zone has a unique interface and labeled zones share a second interface with the global zone, the /etc/hosts file appears similar to the following:

# cat /etc/hosts
...
127.0.0.1  localhost
192.168.0.11 machine1 loghost
192.168.0.12 machine1-services 

In the default configuration, the tnrhdb file appears similar to the following:

# cat /etc/security/tsol/tnrhdb
...
127.0.0.1:cipso
192.168.0.11:cipso
192.168.0.12:cipso
0.0.0.0:admin_low

If the all-zones interface is not in the tnrhdb file, the interface defaults to cipso.

Example 4-3 Displaying the Shared Interface on a Trusted Extensions System With One IP Address

In this example, the administrator is not planning to use the system as a multilevel server. To conserve IP addresses, the global zone is configured to share its IP address with every labeled zone.

The administrator selects Share for the hme0 interface on the system. The software configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.

The administrator runs the ifconfig -a command to verify that the physical interface hme0, which has the address 192.168.0.11, is shared. The value all-zones is displayed:

 lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
 hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         all-zones
         inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255

The administrator also examines the contents of the /etc/hostname.hme0 file:

192.168.0.11 all-zones
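The two examples above show what a correctly shared layout looks like; what a practitioner wants after running Share is a quick way to confirm it from the global zone before creating zones. The script below is an added example, not part of this guide or of txzonemgr. It parses ifconfig -a text in the form of Example 4-3 and tnrhdb text in the form of Example 4-2, and checks the two invariants this procedure states: exactly one all-zones address exists, and every configured address has a cipso entry. The function names check_shared_layout and multilevel_capable and all three sample layouts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Trusted Extensions guide): check the interface
# layout that txzonemgr "Share" should leave in the global zone. Parses
# "ifconfig -a" text as shown in Example 4-3 and tnrhdb text as shown in
# Example 4-2. All sample inputs below are constructed for the demo.

# Emit one "ifname address kind" line per non-loopback inet address; kind is
# "all-zones" if the address carries the all-zones flag, otherwise "global".
parse_ifconfig() {
    awk '
        /^[a-z0-9:]+: flags=/ { ifname = $1; sub(/:$/, "", ifname); kind = "global"; next }
        $1 == "all-zones"     { kind = "all-zones"; next }
        $1 == "inet" && ifname != "lo0" { print ifname, $2, kind }
    '
}

# $1 = ifconfig -a text, $2 = tnrhdb text. Succeeds only if exactly one
# address is all-zones and every listed address has a cipso entry in tnrhdb.
check_shared_layout() {
    parsed=$(printf '%s\n' "$1" | parse_ifconfig)
    n_all=$(printf '%s\n' "$parsed" | awk '$3 == "all-zones" { n++ } END { print n + 0 }')
    if [ "$n_all" -ne 1 ]; then
        echo "expected exactly one all-zones address, found $n_all" >&2
        return 1
    fi
    for addr in $(printf '%s\n' "$parsed" | awk '{ print $2 }'); do
        if ! printf '%s\n' "$2" | grep -qxF "$addr:cipso"; then
            echo "$addr has no cipso entry in tnrhdb" >&2
            return 1
        fi
    done
    return 0
}

# Succeeds if the global zone also has an address of its own (two-address
# layout); only then can this host act as a multilevel server.
multilevel_capable() {
    n_gz=$(printf '%s\n' "$1" | parse_ifconfig | awk '$3 == "global" { n++ } END { print n + 0 }')
    [ "$n_gz" -ge 1 ]
}

# Two-address layout from Step 6: eri0 shared, eri0:1 specific to the global zone.
IFCONFIG_TWO='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 10.10.9.1 netmask ffffff00 broadcast 10.10.9.255
eri0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.10.9.2 netmask ffffff00 broadcast 10.10.9.255'

# One-address layout from Step 4: the physical interface itself is all-zones.
IFCONFIG_ONE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255'

# Share was never selected: no all-zones address, so the check must fail.
IFCONFIG_UNSHARED='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.10.9.9 netmask ffffff00 broadcast 10.10.9.255'

TNRHDB_TWO='127.0.0.1:cipso
10.10.9.1:cipso
10.10.9.2:cipso
0.0.0.0:admin_low'

TNRHDB_ONE='127.0.0.1:cipso
192.168.0.11:cipso
0.0.0.0:admin_low'

check_shared_layout "$IFCONFIG_TWO" "$TNRHDB_TWO" && echo "two-address layout: OK"
check_shared_layout "$IFCONFIG_ONE" "$TNRHDB_ONE" && echo "one-address layout: OK"
check_shared_layout "$IFCONFIG_UNSHARED" "$TNRHDB_TWO" || echo "unshared layout: rejected"
multilevel_capable "$IFCONFIG_ONE" || echo "one-address host cannot be a multilevel server"
# On a live host: check_shared_layout "$(ifconfig -a)" "$(cat /etc/security/tsol/tnrhdb)"
```

The check deliberately reads only the address lines, so a logical interface such as eri0:1 is reported on its own; that is what distinguishes the two-address layout (one all-zones address plus one global-only address) from the one-address layout in which no global-only address exists.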

Name and Label the Zone

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system.

Before You Begin

You are superuser in the global zone. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script. You have configured the network interfaces in the global zone.

You have created any security templates that you need. A security template defines, among other attributes, the label range that can be assigned to a network interface. The default security templates might satisfy your needs.

  1. In the Labeled Zone Manager, select Create a new zone and click OK.

    You are prompted for a name.

    1. Type the name for the zone.

      Tip - Give the zone a name that is similar to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL: RESTRICTED would be restricted.


      For example, the default label_encodings file contains the following labels:

      PUBLIC
      CONFIDENTIAL: INTERNAL USE ONLY
      CONFIDENTIAL: NEED TO KNOW
      CONFIDENTIAL: RESTRICTED
      SANDBOX: PLAYGROUND
      MAX LABEL

      Although you could create one zone per label, consider creating the following zones:

      • On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.

      • On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.

      • Do not create a zone for the MAX LABEL label, which is defined to be a clearance.

    2. Click OK.

      The dialog box displays zone-name:configured above a list of tasks.

  2. To label the zone, choose one of the following:
    • If you are using a customized label_encodings file, label the zone by using the Trusted Network Zones tool.
      1. Open the Trusted Network Zones tool in the Solaris Management Console.
        1. Start the Solaris Management Console.
          # /usr/sbin/smc &
        2. Open the Trusted Extensions toolbox for the local system.
          1. Choose Console → Open Toolbox.
          2. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).
          3. Click Open.
        3. Under System Configuration, navigate to Computers and Networks.

          Provide a password when prompted.

        4. Double-click the Trusted Network Zones tool.
      2. For each zone, associate the appropriate label with the zone name.
        1. Choose Action → Add Zone Configuration.

          The dialog box displays the name of a zone that does not have an assigned label.

        2. Look at the zone name, then click Edit.
        3. In the Label Builder, click the appropriate label for the zone name.

          If you click the wrong label, click the label again to deselect it, then click the correct label.

        4. Save the assignment.

          Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box.

        You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name.

    • If you are using the default label_encodings file, use the Labeled Zone Manager.

      Select the Select Label menu item and click OK to display the list of available labels.

      1. Select the label for the zone.

        For a zone that is named public, you would select the label PUBLIC from the list.

      2. Click OK.

        A list of tasks is displayed.

Install the Labeled Zone

Before You Begin

You are superuser in the global zone. The zone has been named and labeled, and the network interfaces in the global zone have been configured.

The Labeled Zone Manager dialog box is displayed with the subtitle zone-name:configured. To open this GUI, see Run the txzonemgr Script.

  1. From the Labeled Zone Manager, select Install and click OK.

    Caution - This process takes some time to finish. Do not perform other tasks while this task is completing.


    The system copies packages from the global zone to the non-global zone. This task installs a labeled virtual operating system in the zone. To continue the example, this task installs the public zone. The GUI displays output similar to the following.

    # Labeled Zone Manager: Installing zone-name zone
    Preparing to install zone <zonename>
    Creating list of files to copy from the global zone
    Copying <total> files to the zone
    Initializing zone product registry
    Determining zone package initialization order.
    Preparing to initialize <subtotal> packages on the zone.
    Initializing package <number> of <subtotal>: percent complete: percent
    
    Initialized <subtotal> packages on zone.
    Zone <zonename> is initialized.
    The file /zone/<zonename>/root/var/sadm/system/logs/install_log
    contains a log of the zone installation.

    When the installation is complete, you are prompted for the name of the host. A name is supplied.

  2. Accept the name of the host.

    The dialog box displays zone-name:installed above a list of tasks.

Troubleshooting

If warnings similar to the following are displayed, read the install log and finish installing the packages that failed:

Installation of these packages generated errors: SUNWpkgname

Boot the Labeled Zone

Before You Begin

You are superuser in the global zone. The zone is installed, and a network interface has been configured for it.

The Labeled Zone Manager dialog box is displayed with the subtitle zone-name:installed. To open this GUI, see Run the txzonemgr Script.

  1. In the Labeled Zone Manager, select Zone Console and click OK.

    A separate console window appears for the current labeled zone.

  2. Select Boot and click OK.

    The Zone Terminal Console tracks the progress of booting the zone. If the zone is created from scratch, messages that are similar to the following appear in the console:

    [Connected to zone 'public' console]
    
    [NOTICE: Zone booting up]
    ...
    Hostname: zone-name
    Loading smf(5) service descriptions: number/total
    Creating new rsa public/private host key pair
    Creating new dsa public/private host key pair
    
    rebooting system due to change(s) in /etc/default/init
    
    [NOTICE: Zone rebooting]

    Caution - Do not perform other tasks while this task is completing.


Troubleshooting

Sometimes, error messages are displayed and the zone does not reboot. In the Zone Terminal Console, press the Return key. If you are prompted to type y to reboot, type y and press the Return key. The zone reboots.

Next Steps

If this zone was copied or cloned from another zone, continue with Verify the Status of the Zone.

If this zone is the first zone, continue with Customize the Labeled Zone.

Verify the Status of the Zone


Note - The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.


  1. Verify that the zone has been completely started.
    1. In the zone-name: Zone Terminal Console, log in as root.
      hostname console login: root
      Password: Type root password
    2. In the Zone Terminal Console, verify that critical services are running.
      # svcs -xv
      svc:/application/print/server:default (LP print server)
       State: disabled since Tue Oct 10 10:10:10 2006
      Reason: Disabled by an administrator.
         See: http://sun.com/msg/SMF-8000-05
         See: lpsched(1M)
      ...

      The sendmail and print services are not critical services.

    3. Verify that the zone has a valid IP address.
      # ifconfig -a

      For example, the following output shows an IP address for the hme0 interface.

      # ...
       hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
               all-zones
               inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255
    4. (Optional) Verify that the zone can communicate with the global zone.
      1. Set the DISPLAY variable to point to the X server in the global zone.
        # DISPLAY=global-zone-hostname:n.n
        # export DISPLAY
      2. From the terminal window, display a GUI.

        For example, display a clock.

        # /usr/openwin/bin/xclock

        If the clock at the label of the zone does not appear, the zone networking has not been configured correctly. For debugging suggestions, see Labeled Zone Is Unable to Access the X Server.

      3. Close the GUI before continuing.
  2. From the global zone, check the status of the labeled zones.
    # zoneadm list -v
    ID NAME         STATUS         PATH                BRAND   IP
     0 global       running        /                   native  shared
     3 internal     running        /zone/internal      native  shared
     4 needtoknow   running        /zone/needtoknow    native  shared
     5 restricted   running        /zone/restricted    native  shared
     

Customize the Labeled Zone

If you are going to clone zones or copy zones, this procedure configures a zone to be a template for other zones. In addition, this procedure configures a zone that has not been created from a template for use.

Before You Begin

You are superuser in the global zone. You have completed Verify the Status of the Zone.

  1. In the Zone Terminal Console, disable services that are unnecessary in a labeled zone.

    If you are copying or cloning this zone, the services that you disable are disabled in the new zones. The services that are online on your system depend on the service manifest for the zone. Use the netservices limited command to turn off services that labeled zones do not need.

    1. Remove many unnecessary services.
      # netservices limited
    2. List the remaining services.
      # svcs
      ...
      STATE        STIME      FMRI
      online       13:05:00   svc:/application/graphical-login/cde-login:default
      ...
    3. Disable graphical login.
      # svcadm disable svc:/application/graphical-login/cde-login
      # svcs cde-login
      STATE        STIME      FMRI
      disabled     13:06:22   svc:/application/graphical-login/cde-login:default

    For information about the service management framework, see the smf(5) man page.

  2. In the Labeled Zone Manager, select Halt to halt the zone.
  3. Before continuing, verify that the zone is shut down.

    In the zone-name: Zone Terminal Console, the following message indicates that the zone is shut down.

    [ NOTICE: Zone halted]

    If you are not copying or cloning this zone, create the remaining zones in the way that you created this first zone. Otherwise, continue with the next step.

  4. If you are using this zone as a template for other zones, do the following:
    1. Remove the auto_home_zone-name file.

      In a terminal window in the global zone, remove this file from the zone-name zone.

      # cd /zone/zone-name/root/etc
      # ls auto_home*
      auto_home  auto_home_zone-name
      # rm auto_home_zone-name

      For example, if the public zone is the template for cloning other zones, remove the auto_home_public file:

      # cd /zone/public/root/etc
      # rm auto_home_public
    2. If you plan to clone this zone, create the ZFS snapshot in the next step, then continue with Create Another Zone in Trusted Extensions.
    3. If you plan to copy this zone, complete Step 6, then continue with Create Another Zone in Trusted Extensions.
  5. To create a zone template for cloning the remaining zones, select Create Snapshot and click OK.

    Caution - The zone for the snapshot must be in a ZFS file system. You created a ZFS file system for the zone in Create ZFS Pool for Cloning Zones.


  6. To verify that the customized zone is still usable, select Boot from the Labeled Zone Manager.

    The Zone Terminal Console tracks the progress of booting the zone. Messages that are similar to the following appear in the console:

    [Connected to zone 'public' console]
    
    [NOTICE: Zone booting up]
    ...
    Hostname: zonename

    Press the Return key for a login prompt. You can log in as root.

Create Another Zone in Trusted Extensions

You have three options:

  • You can copy the first zone.

  • You can repeat the steps that you used to create the first zone.

  • You can clone the first zone.

Before You Begin

You have completed Customize the Labeled Zone.

The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.

  1. Name and label the zone.

    For details, see Name and Label the Zone.

  2. Continue with your zone creation strategy by choosing one of the following methods:

    You will repeat these steps for every new zone.

    • Create every zone from scratch.
      1. Complete Install the Labeled Zone.
      2. Complete Boot the Labeled Zone.
      3. Complete Verify the Status of the Zone.
      4. Complete Customize the Labeled Zone.
    • Copy the zone that you just labeled.
      1. In the Labeled Zone Manager, select Copy and click OK.
      2. Select the zone template and click OK.

        A window displays the copying process. When the process completes, the zone is installed.

        If the Labeled Zone Manager displays zone-name:configured, continue with the next step. Otherwise, continue with Step 5, Complete Boot the Labeled Zone.

      3. Select the menu item Select another zone, and click OK.
      4. Select the newly installed zone and click OK.
      5. Complete Boot the Labeled Zone.
      6. Complete Verify the Status of the Zone.
    • Clone the zone that you just labeled.
      1. In the Labeled Zone Manager, select Clone and click OK.
      2. Select a ZFS snapshot from the list and click OK.

        For example, if you created a snapshot from public, select the zone/public@snapshot.

        When the cloning process completes, the zone is installed. If the Labeled Zone Manager displays zone-name:configured, continue with the next step. Otherwise, continue with Step 5, Complete Boot the Labeled Zone.

      3. Select the menu item Select another zone, and click OK.
      4. Select the newly installed zone and click OK.
      5. Complete Boot the Labeled Zone.
      6. Complete Verify the Status of the Zone.
Next Steps

Add a Network Interface to an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each zone is connected to a separate physical network.


Note - The global zone must configure an IP address for every subnet in which a non-global zone address is configured.


Before You Begin

You are superuser in the global zone. You have successfully completed Verify the Status of the Zone.

  1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

    Use a standard naming convention, such as adding -zone-name to the name of the host.

    ## /etc/hosts in global zone
    10.10.8.2   hostname-zone-name1
    10.10.8.3   hostname-global-name1
    10.10.9.2   hostname-zone-name2
    10.10.9.3   hostname-global-name2
  2. For the network for each interface, add entries to the /etc/netmasks file.
    ## /etc/netmasks in global zone
    10.10.8.0 255.255.255.0
    10.10.9.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  3. In the global zone, plumb the zone-specific physical interfaces.
    1. Identify the physical interfaces that are already plumbed.
      # ifconfig -a
    2. Configure the global zone addresses on each interface.
      # ifconfig interface-nameN1 plumb
      # ifconfig interface-nameN1 10.10.8.3 up
      # ifconfig interface-nameN2 plumb
      # ifconfig interface-nameN2 10.10.9.3 up
    3. For each global zone address, create a hostname.interface-nameN file that contains that address, so the address is configured at boot.
       /etc/hostname.interface-nameN1 contains:
       10.10.8.3
       /etc/hostname.interface-nameN2 contains:
       10.10.9.3

    The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

  4. Assign a security template to each zone-specific network interface.

    If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

    You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Solaris Trusted Extensions Administrator’s Procedures.

  5. Halt every labeled zone to which you plan to add a zone-specific interface.
    # zoneadm -z zone-name halt
  6. Start the Labeled Zone Manager.
    # /usr/sbin/txzonemgr
  7. For each zone where you want to add a zone-specific interface, do the following:
    1. Select the zone.
    2. Select Add Network.
    3. Name the network interface.
    4. Type the IP address of the interface.
  8. In the Labeled Zone Manager for every completed zone, select Zone Console.
  9. Select Boot.
  10. In the Zone Console, verify that the interfaces have been created.
    # ifconfig -a
  11. Verify that the zone has a route to the gateway for the subnet.
    # netstat -rn
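The note at the top of this procedure is the constraint that most often breaks Step 11: if the global zone has no address on a subnet where a zone-specific address is configured, the zone comes up without a usable route. The script below is an added example, not part of this guide or of txzonemgr; it checks that constraint from Steps 1 to 3 before anything is plumbed, and prints the /etc/hosts lines and hostname.interface file contents that Steps 1 and 3 need. The addresses and netmasks are the guide's sample values; the zone names, host names and the interface names bge1 and bge2 are assumed for the demo, and the third zone address (10.10.7.2) is constructed to show the failure case.

```shell
#!/bin/sh
# Added example (not from the Trusted Extensions guide): before "Add Network"
# in txzonemgr, verify that the global zone owns an address on every subnet
# that will carry a zone-specific address. Sample data is constructed;
# interface and zone names are assumed.

# Constructed /etc/netmasks text: "network mask" per line.
NETMASKS='10.10.8.0 255.255.255.0
10.10.9.0 255.255.255.0'

# Global-zone addresses to be plumbed: "address hostname interface".
GLOBAL_ADDRS='10.10.8.3 hostname-global-name1 bge1
10.10.9.3 hostname-global-name2 bge2'

# Zone-specific addresses to be added: "address hostname zone".
# The third line is deliberately on a subnet the global zone does not cover.
ZONE_ADDRS='10.10.8.2 hostname-public-name1 public
10.10.9.2 hostname-internal-name2 internal
10.10.7.2 hostname-restricted-name3 restricted'

# Dotted quad to unsigned integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Network number (as integer) of address $1 under dotted mask $2.
subnet_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Print the mask of the NETMASKS entry whose network contains $1; fail if none.
mask_for() {
    a=$(ip2int "$1")
    printf '%s\n' "$NETMASKS" | {
        while read -r net mask; do
            [ -n "$net" ] || continue
            if [ $(( a & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]; then
                echo "$mask"; exit 0
            fi
        done
        exit 1
    }
}

# Succeed if some global-zone address is on the same subnet as $1.
covered_by_global_zone() {
    mask=$(mask_for "$1") || return 2
    want=$(subnet_of "$1" "$mask")
    printf '%s\n' "$GLOBAL_ADDRS" | {
        while read -r gz_addr gz_name gz_if; do
            [ -n "$gz_addr" ] || continue
            [ "$(subnet_of "$gz_addr" "$mask")" -eq "$want" ] && exit 0
        done
        exit 1
    }
}

# One verdict per zone-specific address; nonzero if any subnet is uncovered.
check_zone_subnets() {
    rc=0
    while read -r zaddr zname zone; do
        [ -n "$zaddr" ] || continue
        if covered_by_global_zone "$zaddr"; then
            echo "$zone $zaddr: covered by a global-zone address"
        else
            echo "$zone $zaddr: no global-zone address on this subnet (or no netmasks entry)" >&2
            rc=1
        fi
    done <<EOF
$ZONE_ADDRS
EOF
    return $rc
}

# /etc/hosts lines for the global zone (Step 1) and the contents of each
# hostname.<interface> file (Step 3).
hosts_lines() {
    printf '%s\n' "$GLOBAL_ADDRS" "$ZONE_ADDRS" | awk 'NF >= 2 { print $1, $2 }'
}
hostname_files() {
    printf '%s\n' "$GLOBAL_ADDRS" | awk 'NF == 3 { print "/etc/hostname." $3 ": " $1 }'
}

check_zone_subnets || echo "fix the global zone (hosts, netmasks, plumb) before Add Network" >&2
hosts_lines
hostname_files
```

The script reads only the three strings at the top and writes nothing, so it can be run before any ifconfig or file edits; on the Solaris host, replace NETMASKS, GLOBAL_ADDRS and ZONE_ADDRS with the real values and copy the printed lines into /etc/hosts and the hostname.interface files.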
Troubleshooting

To debug zone configuration, see the following:
