Zones hardening | Sun Microsystems 10 specification

Version 3.1-enSolaris 10 Container Guide - 3.1 5. Cookbooks

Effective: 30/11/2009

5.1.15. Accelerated automatic creation of zones on a ZFS file system

[bf/ug] If a zone is configured on a ZFS file system, it can be duplicated very quickly by using ZFS snapshots. This procedure is described below by means of an example script. The script is available for download at http://blogs.sun.com/blogfinger/entry/how_to_create_a_lot.

In the first part of the script, the most important parameters for the zones are to be defined. These include for example:

∙Number of zones to be created

∙Network address range

∙Name of network interface

∙Net mask

∙Gateway

∙Base zone name (supplemented with number for the zone name)

∙Zone directory (supplemented with zone name)

∙Name of the zone that is used as the basis for cloning

∙Information for the sysidcfg file

∙Start status for the zone after installation

Once these settings have been made, the script can create the zones automatically and start in the configured state. More details on the script are available in the blog entry.

5.1.16. Zones hardening

[dd]To harden Solaris, the Solaris Security Toolkit is recommended as a general rule. Complete procedures and mechanisms can be found here:

http://www.sun.com/products-n-

solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html

Within the toolkit, the features that are required to harden sparse-root or whole-root zones are described. Details on this can be found here: http://www.sun.com/products-n-solutions/hardware/docs/html/819-1503-10/introduction.html#pgfId- 1001177

With Solaris 10 11/06, the feature "Secure by default" was introduced for network services which allows all network services except for sshd to be turned off or reconfigured by calling up netservices limited such that they will only react to requests by localhost. As a result, considerable safeguarding of zones in networks is possible using simple means.

80

Image 87

Sun Microsystems 10 manual Accelerated automatic creation of zones on a ZFS file system, Zones hardening

Contents

Solaris 10 Container Guide Table of contents III Network limitation IPQoS Duplicating zones with zoneadm detach/attach and zfs clone Disclaimer VII Introduction Overview Solaris Containers and Solaris Zones Ug Characteristics of Solaris 10 Zones Zones and software installation Zones and securityZones and privileges Fair share scheduler in a resource pool Zones and resource managementCPU resources Processor sets in a resource pool Network resource management IPQoS = IP Quality of Service Memory resource managementUser interfaces for zones Branded zones Linux and Solaris 8/Solaris 9 compatibility Zones and high availability Solaris container cluster aka zone cluster Virtualization technologies compared Domains/physical partitions App Server Dd Logical partitions Logical partitions Dd Container Solaris zones in an OS Containers Solaris zones in an OS Dd Consolidation in one computer Consolidation in one computer Summary of virtualization technologies Physical Logical Resource Virtualisation Management App Assessment SolutionGrid computing with isolation Requirement Small web servers Global Zone System Dd Use case Multi-network consolidation Multi-network consolidation Dd Use case Multi-network monitoring Multi-network monitoring Dd Use case Multi-network backup Multi-network backup Consolidation development/test/integration/production Dd Use case Consolidation of test systems Consolidation of test systems Requirements Training systems Dd Use case Server consolidation Server consolidation Dd Use case Confidentiality of data and processes Confidentiality of data and processes Dd Use case Developer test systems Test systems for developers Solaris 8 and Solaris 9 containers for development Solaris 8 and Solaris 9 containers as revision systems Dd Use case Hosting for different companies on one computer Hosting for several companies on one computer Da Use case SAP portals in Solaris containers SAP portals in Solaris containers Da Live upgrade Upgrade- and Patch-management in a virtual environment DC1 DC2 Flying zones Service-oriented Solaris server infrastructure Solaris Container Cluster aka zone cluster Whole-root zones ConceptsSparse-root zones − /lib − /platform − /sbin − /usr Comparison between sparse-root zones and whole-root zones Whole-root Var UsrPlatform ~3.6 GB Software in zones Software installation by the global zone usage in all zones Software installations in Solaris and zones Installation by the local zone usage in the local zone Program/application storage Data storage Root disk layout Opt/starofficeZFS within a zone Options for using ZFS in local zones Volume manager in local zonesNFS and local zones Ndd -set /dev/ip iprestrictinterzoneloopback Network concepts Introduction into networks and zonesNetwork address management for zones Shared IP instance and routing between zones Firewalls between zones IP filter Exclusive IP instancePlumb, snoop1M, dhcp5 or ipfilter5 is possible Interface = InterfacenameInstance + VLAN-ID Ipmp Zones and limitations in the network Dynamic configuration of devices Static configuration of devices Projects Separate name services in zonesServices Hosts database Applications in local zones only Paradigms Clustered containers One application per zone Client Solaris Container Cluster Configuration and administration Automatic configuration of zones by script Automated provisioning of servicesInstallation and administration of a branded zone Patching with live upgrade Lifecycle managementPatching a system with local zones Patching with upgrade server Patching with zoneadm attach -uMoving zones between architectures sun4u/sun4v ∙ create /zones/zone1 Backup and recovery of zones Migration of a zone to another system Backup of zones with ZFSUsing boot arguments in zones Management and monitoring Auditing operations in the zone Consolidating log information of zonesMonitoring zone workload Extended accounting with zones Global# dtrace -n iostart@zonename = count DTrace of processes within a zone General resource pools Resource managementTypes of resource management Capping of CPU time for a zone Projects, projadd, projmod, projdel Lightweight processes LWPFair share scheduler FSS Fair share scheduler in a zone Limiting virtual memory Limiting memory resourcesRcapstat Assessing memory requirements for global and local zones Privileges and resource management Limiting locked memoryNetwork limitation IPQoS IPC limits Semaphore, shared memory, message queues Dd Planning a Solaris container Solaris container navigator Dd Self-qualification of an application in a container 4zonecfgbrand=native Installation and configuration Configuration filesDd File /etc/zones/index Command Description Special commands for zones Command Description Metadb SwapVar Var/crash Configuring a sparse root zone required Actions Configuring a whole root zone required Actions Zone initialization with sysidcfg Zone installation Uninstalling a zone Optional settings Starting zones automaticallyChanging the set of privileges of a zone Storage within a zone Using a device in a local zone Zone1# ls /dev/dsk C1d0s0 Local zone mounts a UFS file system from a device User level NFS server in a local zone Using a DVD drive in the local zone Version 3.1-enSolaris 10 Container Guide 3.1 5. Cookbooks User attributes for ZFS within a zone Several zones share a file systemZFS in a zone Tank 30.2M 10G 18K None Tank/zone1 16.3M 983M Mnt − zonecfg -z zone -f file Configuring a zone by command file or templateAutomatic quick installation of zones With zonecfg -z zone export -f file of an existing zone Zones hardening Accelerated automatic creation of zones on a ZFS file system Network interfaces for exclusive IP instances Change network configuration for shared IP instancesSet default router for shared IP instance Network Set interceptloopback IP filter between shared IP zones on a system Implementation IP filter between exclusive IP zones on a systemZones, networks and routing Global and local zone with shared network NetworkNetwork Zone 1 /etc/hostname.bge1 Zone 2 /etc/hostname.bge2 Set defrouter=192.168.202.2 Zones in separate networks using the shared IP instanceIfconfig bge1 plumb down Zoneadm -z zone1 ready Zoneadm -z zone2 ready Zones in separate networks using exclusive IP instances Zonecfg set ip-type=exclusiveZone 1 /etc/hostname.bge1 Zone2 192.168.202.1 are now active 192.168.101.201 Zone 1 /etc/hostname.bge1 Zone1 192.168.201.1,192.168.200.1 and zone2192.168.202.1 Zoneadm -z zone1 boot, zoneadm -z zone2 boot Zone 1 /etc/hostname.bge3 /etc/defaultrouter Load Balancer Booting a zone Boot arguments in zonesRoot password for system maintenance control-d to bypass Software installation per mount Software installation with provisioning system Zone migration among systems∙ Detach the zone with zoneadm -z zone detach Global# zoneadm -z test halt Zone migration within a systemGlobal# zoneadm List -vc Global Running Native Shared Test Export/home/zone/test Duplicating zones with zoneadm clone Global Running Native Shared Test Installed Container/test 100 ID Name Status Path Brand 101 Duplicating zones with zoneadm detach/attach and zfs clone 102 Moving a zone between a sun4u and a sun4v system 103 Lumount s10-807+1 Using live upgrade to patch a system with local zonesShutting down a zone Lucreate -c s10-807 -n s10-807+1 -m //dev/dsk/c1t0d0s4ufs 105 Reboot Luactivate s10-807+1 init Zone audit DTrace in a local zoneZone1# dtrace -l tail +2 zone1# Zone accounting Resource pools with processor sets Limiting the /tmp-size within a zoneSwap Tmp Tmpfs Yes Size=250m Limiting the CPU usage of a zone CPU capping 108 Dynamic resource pools for zones Global # svcs dynamic109 110 Limiting the physical main memory consumption of a projectImplementing memory resource management for zones Rcapadm -z zone1 -m 40m Global # prctl -i zone zone1 Zone 22 zone1 Zone.max-swap Privileged 180MB Deny System 16.0EB Max111 112 Solaris Container in OpenSolarisOpenSolaris general Ipkg-Branded zones Cookbook Configuring an ipkg zone Cookbook Installing an ipkg zone113 114 References