
Glenn Faden's Blog

  • July 7, 2008

Updated Laptop Configuration Instructions

Guest Author

The Laptop Instructions for Trusted Extensions have been revised to focus on the latest updates of Solaris 10 and Nevada. In Solaris 10 update 5 and Nevada there is no longer a separate installation step, since Trusted Extensions is enabled as an SMF service (svc:/system/labeld). However, there are still some significant differences with respect to configuring a laptop using DHCP. The new instructions take advantage of the Network Auto-Magic project (NWAM). Included in the instructions is a tarball of shell scripts for specifying the label-related behavior of the dynamically assigned address. These scripts conditionally assign the appropriate default network template, public or internal, based on the domain name returned by the DHCP server. For example, in my case, if the domain is sun.com, then the default template is internal. You can edit the INTERNAL_DOMAIN variable in the check-configuration file to specify your own internal domain.
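The template-selection logic described above, as an added example that is not the tx-nwam.tar scripts from the post. It assumes that the internal domain is sun.com (as in the post) and that subdomains of it also count as internal (my choice), that the DHCP-supplied domain is read with dhcpinfo(1) on the active interface, and that the chosen template is applied to the 0.0.0.0 wildcard entry with tnctl(1M). With DRYRUN=1, the default, it only prints the privileged command.

```shell
#!/bin/sh
# Added example, not the tx-nwam.tar scripts: map the DHCP-supplied DNS
# domain to a Trusted Extensions default network template.
# Assumptions (not stated in the post): subdomains of INTERNAL_DOMAIN are
# internal too; the template is applied to the 0.0.0.0 wildcard host entry.

INTERNAL_DOMAIN=${INTERNAL_DOMAIN:-sun.com}
DRYRUN=${DRYRUN:-1}   # 1 = print privileged commands, 0 = run them

# run CMD... : echo the command in dry-run mode, otherwise execute it
run() { if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# choose_template DOMAIN -> prints "internal" or "public"
# Matching is case-insensitive; "notsun.com" must stay public, so only an
# exact match or a match on a dot-separated suffix counts.
choose_template() {
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$dom" in
        "$INTERNAL_DOMAIN"|*."$INTERNAL_DOMAIN") echo internal ;;
        *)                                        echo public ;;
    esac
}

# apply_template TEMPLATE -> make TEMPLATE the default for every host that
# has no explicit tnrhdb entry (the 0.0.0.0 wildcard); assumption, see above
apply_template() {
    run tnctl -h "0.0.0.0:$1"
}

# dhcp_domain IFNAME -> DNS domain (option 15) the DHCP server handed out, or ""
dhcp_domain() {
    dhcpinfo -i "$1" DNSdmain 2>/dev/null || true
}

main() {
    ifname=$1
    [ -n "$ifname" ] || { echo "usage: $0 interface" >&2; return 2; }
    template=$(choose_template "$(dhcp_domain "$ifname")")
    echo "DHCP domain on $ifname maps to template '$template'"
    apply_template "$template"
}

# Usage: DRYRUN=0 sh tx-template.sh bge0   (no argument: define functions only)
[ $# -eq 0 ] || main "$1"
```

An unknown or missing domain deliberately falls through to public: a laptop that cannot prove it is on the internal network should get the less trusting template.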

These NWAM scripts also manage an additional logical interface on top of whichever physical interface is currently in use. It is visible only in the global zone, where it supports NFS file sharing, and is therefore called mynfs. To avoid conflicts with network-assigned addresses, I gave mynfs the address 127.0.0.2, which lies in the loopback block and so can never collide with a DHCP lease, and I use the all-zones DHCP-assigned address to route NFS requests from labeled zones into the global zone.

I prefer using an NFS server on my laptop, instead of relying on the cross-zone LOFS mounts of /export/home that are automatically created when zones are booted. The LOFS mechanism occasionally gets out of sync with the automount daemon, depending on the order in which the zones are booted. Furthermore, the NFS mechanism is more configurable and demonstrates some commonly misunderstood features of Trusted Extensions.

Instead of separate instances of /etc/dfs/dfstab for each zone, I am using the sharemgr tool. I created a sharemgr group for each zone and added that zone's /export/home (as seen from the global zone) as its share, e.g.

# sharemgr create public

# sharemgr add-share -s /zone/public/root/export/home public

The actual sharing occurs when the zone is booted. There are two shell scripts in /usr/lib/zones that are called when zones are either booted or halted. I modified zoneshare to call

sharemgr enable $zonename

and similarly, I modified zoneunshare to call

sharemgr disable $zonename

Then I modified the file /etc/auto_home_public in each of the higher-level zones, as follows:

*       mynfs:/zone/public/root/export/home/&
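The whole procedure above (sharemgr group per zone, share enabled and disabled by the zone boot and halt hooks, auto_home_<zone> entry in every higher-level zone) as one added example script. It is not the author's own edits to zoneshare and zoneunshare. It assumes that zones are listed lowest label first (public then internal, the two zones named in the post), that a zone's home directories are exported to every zone listed after it, that each labeled zone's root is /zone/<name>/root, and that the global-zone NFS alias is mynfs. With DRYRUN=1, the default, it prints what it would do instead of doing it.

```shell
#!/bin/sh
# Added example, not the author's scripts: generate the per-zone sharemgr
# groups and the auto_home_<zone> map entries for any number of labeled zones.
# Assumptions: ZONES is ordered lowest label first; a zone's /export/home is
# exported to every zone listed after it; zone roots are /zone/<name>/root.

ZONES=${ZONES:-"public internal"}
NFS_HOST=${NFS_HOST:-mynfs}
DRYRUN=${DRYRUN:-1}   # 1 = print privileged commands, 0 = run them

run() { if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# zone_home ZONE -> global-zone path of ZONE's /export/home
zone_home() { printf '/zone/%s/root/export/home\n' "$1"; }

# auto_home_line ZONE -> the indirect-map entry a higher zone uses to reach
# ZONE's home directories through the mynfs alias ("&" is the looked-up key)
auto_home_line() { printf '*\t%s:%s/&\n' "$NFS_HOST" "$(zone_home "$1")"; }

# lower_zones ZONE -> the zones that precede ZONE in $ZONES (lower labels)
lower_zones() {
    out=""
    for z in $ZONES; do
        [ "$z" = "$1" ] && break
        out="$out $z"
    done
    printf '%s\n' "${out# }"
}

# share_group ZONE -> a sharemgr group named after the zone holding its
# /export/home, left disabled so that nothing is shared until the zone boots:
# zoneshare runs "sharemgr enable ZONE" and zoneunshare "sharemgr disable ZONE".
share_group() {
    run sharemgr create "$1"
    run sharemgr add-share -s "$(zone_home "$1")" "$1"
    run sharemgr disable "$1"
}

# install_maps ZONE -> write /etc/auto_home_<lower> inside ZONE for every
# zone with a lower label, so ZONE can browse (read-only) those home dirs
install_maps() {
    for lower in $(lower_zones "$1"); do
        map="/zone/$1/root/etc/auto_home_$lower"
        if [ "$DRYRUN" = 1 ]; then
            echo "+ write $map: $(auto_home_line "$lower")"
        else
            auto_home_line "$lower" > "$map"
        fi
    done
}

main() {
    for z in $ZONES; do
        share_group "$z"
        install_maps "$z"
    done
}

# Usage: DRYRUN=0 sh tx-nfs-setup.sh apply   (no argument: define functions only)
[ $# -eq 0 ] || main
```

The lowest zone gets no auto_home map at all, since there is nothing below it to mount; adding a third zone to ZONES gives it maps for both public and internal without any other change.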

This works well for me unless my network connection changes while the NFS mount is active. That's because the underlying logical interface for mynfs is unplumbed and recreated on a new logical interface when I switch from wired to wireless, so the active mount loses its server address.



Comments ( 9 )
  • Christoph Schuba Friday, January 9, 2009

    Hi Glenn,

    I assume the tx-nwam.tar tarball (http://www.opensolaris.org/os/community/security/projects/tx/tx-laptop-install/tx-nwam.tar) gets untarred into /etc/nwam, right?

    # (cd /etc/nwam; tar xvf /tmp/tx-nwam.tar)

    -Christoph


  • jayakumar Wednesday, July 7, 2010

    nice explanations..

