
Sunday August 12, 2007
TX Ranger: Update on Developments
"The day job" has kept me very seriously occupied for the last few weeks, so I've not had a great deal of opportunity to work on TX Ranger stuff.
However, last week, I had a bit of luck.
I've specced-up a couple of commands which ought to make the "heavy lifting" of enabling a label far more straightforward than it currently is, and Jeff Turner, Managing Director of Context-Switch (and one of the Sun Ed trainers I spent a couple of days training-up on Trusted Extensions, last week) has very kindly offered to write them. While I'm still happy going down to state machine levels, it's been rather too long since I hung my coding gloves up for me to realistically do it myself.
Anyway, while I gather that there's a bunch of Jumpstart scripts in development for TX which will do all this, I've been careful not to look at them yet, so that there will be no legal issues in having what Jeff writes, being posted to opensolaris.org. Jeff's also happy for his scripts to be open, bless him.
So, to whet the appetite while Jeff codes, here's what's coming:
Assumptions:
- All IPv4, no IPv6
- No LDAP integration (ie, local files only); folk will be able to do DNS integration, if they feel they need it, manually
- VLANs are untagged
- ZFS for zones (so we can have a scratch zone to hand in the default build, which we can then go a-cloning) - but we won't assume that our user has set up /zone as a zpool, just that /zone exists as a separate filesystem...
- A richer "standard" label_encodings for users to select usable labels from - and potentially a script to clean out labels which aren't chosen
- Ability to handle change requirements to SRSS config (ie, primary interface on the box is vni0)
Procedures to script in a nice meta-package:
- Build and do basic config on a zone, give it a label and an IP address, and either a dedicated physical interface or an [interface]:[instance]
- Delete a zone (ie, tear a zone down and destroy its config)
- Change the global zone's IP address (and, if we include SRSS support, the IP address range for the Sun Rays, firmware server, etc etc)
Note that all our scripted procedures are to be run as root from within the global zone.
How we go about setting / changing zone parameters involves the runinzone script from the TX Developer's Guide...
So, what the TX-Ranger initial install procedure needs to do, is:
- Install the TX packages, a la the Java wizard, from /cdrom/cdrom0/s0/Solaris_10/ExtraValue/CoBundled/Trusted-Extensions (or just pkgadd from the Packages subdir - I'll check with Darren to see if there's any installation ordering requirements now)
- Copy our rich label_encodings (which I'll craft) to /etc/security/tsol/label_encodings
- Copy a similarly-rich tnrhtp (which I'll craft) to /etc/security/tsol/tnrhtp
- Ditto for a rich tnzonecfg
- Search /etc/vfs/vfstab for the slice configured as /zone; comment it out, create the /zone zpool
- Build our first zone (PUBLIC), for cloning - we want to halt the zone at the point where the packages are installed and SMF has imported its manifest, but before any sysidtool-related config has been entered
- Reboot (or tell the user that they need to)
Note that I think we probably shouldn't look at automating the install of SRSS as part of TX Ranger - a JET module for it is being worked on :-).
Now, on to the things that the scripts need to do:
(Notation: *** = heading of procedure, ** = note on which zone changes need to be made to, * = procedural element)
*** Build and do basic config on a zone, give it a label and an IP address, and either a dedicated physical interface or an [interface]:[instance]
I think the command should look like:
# activate-label <label> <interface> <IP addr>
** In the global zone:
* Verify that there is no clashing IP addr in /etc/hosts, add an entry mapping the new address to the short version of the label name (which will also be the hostname of the new zone)
* Verify that /etc/hostname.[interface] exists and comprises "0.0.0.0"; create it if it doesn't
* Verify that the interface is plumbed; plumb it if it isn't
* Add two entries to /etc/security/tsol/tnrhdb:
Entry 1 is of the form "[IP addr]:cipso"
Entry 2 is of the form "[subnet base address associated with IP addr]:[label]"
* Restart tnrhdb
* Use either Expect and zonecfg, or scriptably-hack the XML in /etc/zones (naughty as it's a private interface), to do the functional equivalent of:
# zonecfg -z [zone name]
> add net
> set physical=[interface] (and note that, in an [interface]:[instance] scenario, you always just specify [interface] and let the OS sort it out)
> set address=[IP addr]
> end
> commit
> exit
* Clone the zone from PUBLIC with zoneadm -z [label] clone PUBLIC
* Make the tweaks necessary to avoid having to use sysidtool to set the zone up - I managed to find my old internal blog entry for doing this :-)
* Populate /zone/[label]/root/etc/hosts with:
127.0.0.1 loopback loghost
[IP addr] [label]
[IP addr of vni0] [nodename of the global zone]
* Populate /zone/[label]/root/etc/nsswitch.conf; set everything to point to files
* Insert the global zone root user's crypt+salted / MD5ed / sunmd5ed root passwd in /zone/[label]/root/etc/shadow - and, obviously, check /etc/default/policy to see what algorithm is in use and reflect it in /zone/[label]/root/etc/policy ...
* Insert "TZ=GB" into /zone/[label]/root/etc/default/init
* rm /zone/[label]/root/etc/.UNCONFIGURED
* touch /zone/[label]/root/etc/.NFS4inst_state.domain
* Ensure that /zone/[label]/root/etc/nodename is [label]
* Ensure that /zone/[label]/root/etc/hostname.[interface] is [label]
* Ensure that /zone/[label]/root/etc/hostname.vni0 is set to the global zone's nodename
Borrow liberally from the runinzone script to do the following:
* zoneadm -z [label] boot
** in the new labelled zone:
* ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" -C root@`hostname` ; ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" -C root@`hostname`
* netservices limited
* svcadm disable auditd
* svcadm disable cde-login
...and we're done. Phew!
*** Delete a zone (ie, tear a zone down and destroy its config)
deactivate-label <label> feels like the right command syntax.
** In the global zone:
* zoneadm -z [label] halt (and watch that SMF doesn't try to start it up again - it usually does, requiring a second halt to actually halt the zone)
* zoneadm -z [label] uninstall -F
* Restart tnrhdb
...and we're done. User clearance management is Somebody Else's Problem, IMHO.
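The two procedures above (activate-label and deactivate-label), written out as one POSIX sh script. This is an added example, not Jeff's code or anything from the post. It assumes things the post does not state: ROOT stands in for "/" so the script edits copies of the configuration files rather than the live ones; DRY_RUN=1 prints the privileged Solaris commands (ifconfig, tnctl, zonecfg, zoneadm) instead of running them; the label given on the command line is already the short form used as the zone's hostname; "restart tnrhdb" is done with tnctl -h / tnctl -d -h; zonecfg is driven with its -f command file rather than Expect or the private XML; and the netmask defaults to 255.255.255.0 for the subnet entry. The password-hash and nsswitch.conf steps are left out. Deactivation also removes the hosts and tnrhdb entries that activation added, which the post leaves in place; a stale subnet-to-label mapping is exactly the sort of leftover you don't want on a TX box.

```shell
#!/bin/sh
# activate-label / deactivate-label as sketched in the post above.
# Assumptions NOT in the original post: ROOT stands in for "/" so the script
# edits copies of the configuration files; DRY_RUN=1 echoes privileged
# Solaris commands instead of running them; the label is already the short
# form used as the zone's hostname; tnctl -h / tnctl -d -h stand in for
# "restart tnrhdb"; zonecfg -f replaces Expect.
ROOT=${ROOT:-/tmp/txranger-demo}
DRY_RUN=${DRY_RUN:-1}
GZ_NODENAME=${GZ_NODENAME:-globalzone}   # constructed sample value
VNI0_IP=${VNI0_IP:-10.0.0.1}             # constructed sample value

# Run, or in dry-run mode just echo, a command that needs root on a TX box.
run() { if [ "$DRY_RUN" = 1 ]; then echo "# would run: $*"; else "$@"; fi; }

# Subnet base address of IP/netmask: 192.168.10.5 255.255.255.0 -> 192.168.10.0
subnet_base() {
    oldifs=$IFS; IFS=.
    set -- $1 $2            # $1..$4 address octets, $5..$8 netmask octets
    IFS=$oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Succeeds when the hosts file already maps this address (the clash check).
hosts_has_ip() { awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1"; }

# /etc/hostname.<iface> must exist and hold 0.0.0.0: the global zone keeps the
# interface unaddressed, the labelled zone owns the real address.
ensure_hostname_file() {
    f="$ROOT/etc/hostname.$1"
    [ -f "$f" ] && [ "$(cat "$f")" = 0.0.0.0 ] || echo 0.0.0.0 > "$f"
}

# The two tnrhdb lines: the zone's address -> cipso, its subnet -> label template.
tnrhdb_entries() { echo "$1:cipso"; echo "$(subnet_base "$1" "$3"):$2"; }

# zonecfg commands for "zonecfg -z <zone> -f <file>". "create -t PUBLIC" (not in
# the post) gives the new zone PUBLIC's configuration before the net resource.
zonecfg_script() {
    printf 'create -t PUBLIC\nadd net\nset physical=%s\nset address=%s\nend\ncommit\nexit\n' "$2" "$3"
}

activate_label() {
    label=$1 iface=$2 ip=$3 mask=${4:-255.255.255.0}
    tnrhdb="$ROOT/etc/security/tsol/tnrhdb"; zr="$ROOT/zone/$label/root/etc"
    mkdir -p "$ROOT/etc/security/tsol" "$zr/default"
    touch "$ROOT/etc/hosts" "$tnrhdb"
    if hosts_has_ip "$ROOT/etc/hosts" "$ip"; then
        echo "activate-label: $ip is already in /etc/hosts" >&2; return 1
    fi
    echo "$ip $label" >> "$ROOT/etc/hosts"
    ensure_hostname_file "$iface"
    run ifconfig "$iface" plumb
    tnrhdb_entries "$ip" "$label" "$mask" >> "$tnrhdb"
    for entry in $(tnrhdb_entries "$ip" "$label" "$mask"); do run tnctl -h "$entry"; done
    zonecfg_script "$label" "$iface" "$ip" > "$ROOT/zone/$label.zonecfg"
    run zonecfg -z "$label" -f "$ROOT/zone/$label.zonecfg"
    run zoneadm -z "$label" clone PUBLIC
    # sysidtool bypass: pre-populate the cloned zone's /etc (the password-hash
    # and nsswitch.conf steps from the post are left out of this example).
    printf '127.0.0.1 loopback loghost\n%s %s\n%s %s\n' \
        "$ip" "$label" "$VNI0_IP" "$GZ_NODENAME" > "$zr/hosts"
    echo "$label" > "$zr/nodename"
    echo "$label" > "$zr/hostname.$iface"
    echo "$GZ_NODENAME" > "$zr/hostname.vni0"
    grep -q '^TZ=' "$zr/default/init" 2>/dev/null || echo TZ=GB >> "$zr/default/init"
    rm -f "$zr/.UNCONFIGURED"; touch "$zr/.NFS4inst_state.domain"
    run zoneadm -z "$label" boot
}

deactivate_label() {
    label=$1; hosts="$ROOT/etc/hosts"; tnrhdb="$ROOT/etc/security/tsol/tnrhdb"
    run zoneadm -z "$label" halt
    run zoneadm -z "$label" halt     # the post warns SMF often restarts it once
    run zoneadm -z "$label" uninstall -F
    # Remove what activate_label added; the post only restarts tnrhdb, so this
    # clean-up of the address, subnet and hosts entries is the example's addition.
    ip=$(awk -v l="$label" '$2 == l { print $1 }' "$hosts")
    for h in $(awk -F: -v ip="$ip" -v l="$label" '$1 == ip || $2 == l { print $1 }' "$tnrhdb"); do
        run tnctl -d -h "$h"   # assumption: tnctl -d -h drops a loaded host entry
    done
    awk -F: -v ip="$ip" -v l="$label" '$1 != ip && $2 != l' "$tnrhdb" > "$tnrhdb.new"
    mv "$tnrhdb.new" "$tnrhdb"
    awk -v l="$label" '$2 != l' "$hosts" > "$hosts.new" && mv "$hosts.new" "$hosts"
}

# Usage: sh tx-label.sh activate <label> <interface> <IP addr> [netmask]
#        sh tx-label.sh deactivate <label>
case "$1" in
    activate)   shift; activate_label "$@" ;;
    deactivate) shift; deactivate_label "$@" ;;
esac
```

With DRY_RUN=1 and ROOT pointing at a scratch directory, the script shows every file it would touch and every zoneadm/zonecfg/tnctl command it would run, which is a cheap way to review the procedure before letting it loose as root in a global zone.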
*** Change the global zone's IP address (and, if we include SRSS support, the IP address range for the Sun Rays, firmware server, etc etc)
I think I'll leave this for another day :-)
(2007-08-12 03:09:32.0)