Wednesday Jun 08, 2016

Using an https Keystore for ZFS Encryption

Overview

Recently I wrote about how to enable ZFS encryption for your home directory, in a way that accepts the wrapping key when first logging into the system. This works when it is your home directory. But what about other file systems or pools that you want to encrypt and you want to mount without intervention after a system reboot?

This discussion is about how to provide a wrapping key using an HTTPS service. For more details look at zfs_encrypt(1M).

As I often do, these examples use Solaris Zones. I am running Solaris 11.3 SRU 07. One Zone is the HTTPS server, and the second Zone is where I create the ZFS File Systems.

Configuring the HTTPS Service

Installing the Apache Web Server

The first step is to install the Apache web server package. Zones use the package group solaris-small-server by default, which does not include the Apache web server package.
root@myhttps:~# pkg install apache-22 
           Packages to install:  7
           Mediators to change:  3
            Services to change:  2
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                7/7     1035/1035      9.7/9.7 28.1M/s

PHASE                                          ITEMS
Installing new actions                     1241/1241
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           3/3 
root@myhttps:~# 

Configuring SSL in Apache httpd.conf

I must extend the default HTTP configuration to enable the SSL service. A good configuration file is in the "sample-conf.d" directory.
root@myhttps:~# cd /etc/apache2/2.2/ 
root@myhttps:/etc/apache2/2.2# ls 
conf.d          envvars         httpd.conf      magic           
mime.types      original        samples-conf.d
root@myhttps:/etc/apache2/2.2# 
I like to save the original, especially if I want to show the differences easily. And I will append some comments to see where "ssl.conf" starts.
root@myhttps:/etc/apache2/2.2# cp -p httpd.conf Httpd.conf.orig 
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# echo "###
> ### End of Original httpd.conf
> ###
> " >> httpd.conf 
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# cat samples-conf.d/ssl.conf >> httpd.conf 
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# cp -p httpd.conf Httpd.conf.ssl.orig 
root@myhttps:/etc/apache2/2.2# 
After modifying for my configuration here are the differences.
root@myhttps:/etc/apache2/2.2# diff httpd.conf Httpd.conf.ssl.orig  
47c47
< #Listen 80 
---
> Listen 80
107c107
< ServerName 192.168.1.180 
---
> ServerName 127.0.0.1
533,534c533
< #ServerName 127.0.0.1:443
< ServerName 192.168.1.180:443 
---
> ServerName 127.0.0.1:443
553,554c552
< #SSLCertificateFile "/etc/apache2/2.2/server.crt"
< SSLCertificateFile "/etc/apache2/2.2/host180.crt" 
---
> SSLCertificateFile "/etc/apache2/2.2/server.crt"
564,565c562
< #SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
< SSLCertificateKeyFile "/etc/apache2/2.2/host180.key" 
---
> SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
root@myhttps:/etc/apache2/2.2# 
I replaced "server." with "host180." because I want to make managing my files easier. You can leave the "server" version and update the file names below. I also turned off port 80, for http access, to prevent sending data in clear text.

Creating the Self Signed Root Certificate

First step is to create a Root Certificate. I am putting the files into the "CA.d" directory I create so I can easily see the difference between the CA files and later web server certificate(s). I am using the prefix "host180CA" to identify anything having to do the the Root Certificate.
root@myhttps:/etc/apache2/2.2# mkdir CA.d 
root@myhttps:/etc/apache2/2.2# 
root@myhttps:/etc/apache2/2.2# openssl genrsa -des3 -out CA.d/host180CA.key 2048 
Generating RSA private key, 2048 bit long modulus
.................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for CA.d/host180CA.key: XXX 
Verifying - Enter pass phrase for CA.d/host180CA.key: XXX 
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# openssl req -x509 -new -nodes -key CA.d/host180CA.key \
-sha256 -days 1024 -out CA.d/host180CA.pem 
Enter pass phrase for CA.d/host180CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US 
State or Province Name (full name) []:NJ 
Locality Name (eg, city) []:MyTown 
Organization Name (eg, company) []:Oracle 
Organizational Unit Name (eg, section) []:SE 
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.180 
Email Address []:steffen@steffen.steffen 
root@myhttps:/etc/apache2/2.2# 

Creating the Server Certificate

Now I create the certificates for this web server. I will be referencing the CA.d files from above. The server Certificates have the prefix "host180" because my IP address is 192.168.1.180. I am doing this to make it easier to recognize files.
root@myhttps:/etc/apache2/2.2# openssl genrsa -out host180.key 2048 
Generating RSA private key, 2048 bit long modulus
........................+++
...........................................+++
e is 65537 (0x10001)
root@myhttps:/etc/apache2/2.2# 
root@myhttps:/etc/apache2/2.2# openssl req -new -key host180.key -out host180.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US 
State or Province Name (full name) []:NJ 
Locality Name (eg, city) []:MyHost180 
Organization Name (eg, company) []:Oracle 
Organizational Unit Name (eg, section) []:SEweb 
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.180 
Email Address []:host180@steffen.steffen 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# openssl x509 -req -in host180.csr -CA CA.d/host180CA.pem \
-CAkey CA.d/host180CA.key -CAcreateserial -out host180.crt -days 1000 -sha256 
Signature ok
subject=/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
Getting CA Private Key
Enter pass phrase for CA.d/host180CA.key: XXX 
root@myhttps:/etc/apache2/2.2# 
Here are all the files that end up getting created.
root@myhttps:/etc/apache2/2.2# ls -l 
total 398
drwxr-xr-x   2 root     root           4 Jun  8 17:33 CA.d
-rw-r--r--   1 root     root          17 Jun  8 17:39 CA.srl
drwxr-xr-x   2 root     sys            4 Jun  8 17:20 conf.d
-rw-r--r--   1 root     bin          896 Jun  8 17:20 envvars
-rw-r--r--   1 root     root        1306 Jun  8 17:39 host180.crt
-rw-r--r--   1 root     root        1058 Jun  8 17:37 host180.csr
-rw-r--r--   1 root     root        1675 Jun  8 17:36 host180.key
-rw-r--r--   1 root     bin        26114 Jun  8 17:29 httpd.conf
-rw-r--r--   1 root     bin        13673 Jun  8 17:20 Httpd.conf.orig
-rw-r--r--   1 root     bin        25975 Jun  8 17:26 Httpd.conf.ssl.orig
-rw-r--r--   1 root     bin        12958 Jun  8 17:20 magic
-rw-r--r--   1 root     bin        53011 Jun  8 17:20 mime.types
drwxr-xr-x   2 root     sys            3 Jun  8 17:20 original
drwxr-xr-x   2 root     sys           15 Jun  8 17:20 samples-conf.d
root@myhttps:/etc/apache2/2.2# ls CA.d/ 
host180CA.key  host180CA.pem
root@myhttps:/etc/apache2/2.2# 

Creating the ZFS Encryption Wrapping Key

I need a key that ZFS will use as the wrapping key. This is a short one. You may have some mechanism to create a longer one.
root@myhttps:/etc/apache2/2.2# pktool genkey keystore=file \
outkey=/var/apache2/2.2/htdocs/zfs-aes-256.key keytype=aes keylen=256 
root@myhttps:/etc/apache2/2.2# 
root@myhttps:/etc/apache2/2.2# chmod +r /var/apache2/2.2/htdocs/zfs-aes-256.key 
root@myhttps:/etc/apache2/2.2# ls -l /var/apache2/2.2/htdocs/zfs-aes-256.key 
-r--r--r--   1 root     root          32 Jun  8 17:41 /var/apache2/2.2/htdocs/zfs-aes-256.key
root@myhttps:/etc/apache2/2.2# 
By default the key is readable only by the user that creates it, in this case "root". If you don't make it readable by all, since Apache runs as "daemon" by default, you will not be able to access it over HTTP/HTTPS.

Starting the Web Server

Now that I have done all my configurations, lets start it up.
root@myhttps:/etc/apache2/2.2# svcs *apache* 
STATE          STIME    FMRI
disabled       17:20:17 svc:/network/http:apache22
root@myhttps:/etc/apache2/2.2# 
root@myhttps:/etc/apache2/2.2# svcadm enable apache22 
root@myhttps:/etc/apache2/2.2# 
root@myhttps:/etc/apache2/2.2# svcs *apache* 
STATE          STIME    FMRI
online         17:44:01 svc:/network/http:apache22
root@myhttps:/etc/apache2/2.2# 
One final check to make sure all services are running fine.
root@myhttps:/etc/apache2/2.2# svcs -x 
root@myhttps:/etc/apache2/2.2# 

root@myhttps:/etc/apache2/2.2# netstat -anf inet 
...
TCP: IPv4
   Local Address        Remote Address     Swind  Send-Q  Rwind  Recv-Q    State
-------------------- -------------------- ------- ------ ------- ------ -----------
127.0.0.1.5999             *.*                  0      0  128000      0 LISTEN
      *.111                *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
      *.111                *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
      *.22                 *.*                  0      0  128000      0 LISTEN
      *.22                 *.*                  0      0  128000      0 LISTEN
127.0.0.1.4999             *.*                  0      0  128000      0 LISTEN
127.0.0.1.25               *.*                  0      0  128000      0 LISTEN
127.0.0.1.587              *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
      *.443                *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
root@myhttps:/etc/apache2/2.2# 
Everything looks good. On to the Zone where I will do the ZFS work.

Creating an Encrypted File System using a Keystore via HTTPS

Adding Self Signed Certificate to an HTTPS Client

I need to do two steps to be able to access the https service. First, I need to load the certificate for the web server into the local CA directory. I get this certificate using the "openssl" command.

Here is the complete output. To end the command, enter " D". (It doesn't show up in the output.)

root@ezfs:~# openssl s_client -connect 192.168.1.180:443 
CONNECTED(00000003)
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
   i:/C=US/ST=NJ/L=MyTown/O=Oracle/OU=SE/CN=192.168.1.180/emailAddress=steffen@steffen.steffen
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDljCCAn4CCQCfpX0OhjSiMTANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMC
VVMxCzAJBgNVBAgMAk5KMQ8wDQYDVQQHDAZNeVRvd24xDzANBgNVBAoMBk9yYWNs
ZTELMAkGA1UECwwCU0UxFjAUBgNVBAMMDTE5Mi4xNjguMS4xODAxJjAkBgkqhkiG
9w0BCQEWF3N0ZWZmZW5Ac3RlZmZlbi5zdGVmZmVuMB4XDTE2MDYwODIxMzkwNloX
DTE5MDMwNTIxMzkwNlowgY8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOSjESMBAG
A1UEBwwJTXlIb3N0MTgwMQ8wDQYDVQQKDAZPcmFjbGUxDjAMBgNVBAsMBVNFd2Vi
MRYwFAYDVQQDDA0xOTIuMTY4LjEuMTgwMSYwJAYJKoZIhvcNAQkBFhdob3N0MTgw
QHN0ZWZmZW4uc3RlZmZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AM4wzBQRsqz2lwH1sauTSnx6fpig40EBaFHRLCblvWgAYLgTY1ccV39X2zryjKIM
u0vDnBALQOu4/IMZ+7tcZNnSBPrKhqC/YgwWmY0GINvbFG0AQ1aIm/KEqeHLzVhu
EAjGc1tUvhWT1MxvooHshtR1KGzZv9gq6fnBprqOz0Es6VNWPLX3rmkryFhlE+tY
HOhEgBAMEhiQ6Ait/pORMGG5XRaLkXsXNjrEHD8YXD4VbvPl8GoMQCwSZ9M3DFA1
8IfpDaB5ByUihhFWV2NxcBBfCqCBd6v0bdh1nyAJ5zhZGmEHYztt13WqiJ315pgy
yhXnAne0SDycdRQrxpPs21ECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAY+2RTjLy
lWaaHO4xDYGuDW8k2XkxsH+BkRcDtRM0g1iliHgQLSxGqdsKr4fK4WWC7Vbfm0Cb
l47T3ny+rNvyT6ac/VhfwI/GDIOGwV+mzoVio5QlZh601gclDv5M4j8633Wr/SCc
c8ZFB6FOAfqaLDtZryfHCUbppL2AnSPY6JFQG4Cv5Uo/nTTs4vyL4JwRl/cQNLXY
6GCQRMjAwrfdjj2wBczrbEK1qzu0gD4crkB/XpyJFZq32RSvWtE3nVV9GU93ErLY
C1BxQHvrYYWVlIv59sIQ4DYec0b/mxs9HnjHVA4sveTg1CjUXRY+eYpPF7OlHa9v
2EV4l7T2IB0ZLg==
-----END CERTIFICATE----- 
subject=/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
issuer=/C=US/ST=NJ/L=MyTown/O=Oracle/OU=SE/CN=192.168.1.180/emailAddress=steffen@steffen.steffen
---
No client certificate CA names sent
---
SSL handshake has read 2055 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 552375FF9881568181BC0DCEBBD238D913DCB55381FD9A2ADED7413B00AC9078
    Session-ID-ctx: 
    Master-Key: F8D5B3E7C4FF7B8396FAEC8FAEBA0865E8790335E1A09B9703F217125C5D3EB7220D79E24F4510C35F8E500DFFC1C06D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c1 35 38 cb eb 88 92 85-28 50 7e c5 cc 4f f8 4d   .58.....(P~..O.M
    0010 - 64 a7 61 7f 8f bb 09 8b-c3 b6 0b fe a4 1f 50 ce   d.a...........P.
    0020 - d5 b2 0c 82 97 9a 86 69-d2 76 ea d1 19 f3 40 fb   .......i.v....@.
    0030 - 0e 95 6b cd 9d e2 09 f5-de 52 bb 14 c7 f9 fc 6f   ..k......R.....o
    0040 - 1c 39 7f e3 3b 9a 9b 95-be 79 df 39 19 fc f3 6f   .9..;....y.9...o
    0050 - 6a 12 7a 5b b5 ea 1e 03-6f 44 01 b5 74 8b 7c 4f   j.z[....oD..t.|O
    0060 - 7a 61 8a d0 39 bb 7f 72-f1 99 81 57 57 2d b3 e1   za..9..r...WW-..
    0070 - 70 82 1b 87 33 35 95 15-62 05 07 46 bc 6f ab f1   p...35..b..F.o..
    0080 - c6 06 5a c3 4d 86 9d d0-db 2f 9a d4 70 97 98 9b   ..Z.M..../..p...
    0090 - 41 74 bb dd 03 33 7c dd-c2 20 ad bc ac c1 29 ad   At...3|.. ....).
    00a0 - de dd 72 8a 8b 32 74 10-8d 9b 45 38 f5 27 a3 d3   ..r..2t...E8.'..
    00b0 - e1 f6 d1 d6 0b 07 6e 08-cf 76 2c 7a 51 25 c6 b3   ......n..v,zQ%..

    Start Time: 1465422516
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
root@ezfs:~# 
I need the text between the "BEGIN" and "END CERTIFICATE" lines, including those lines. I send the output to a file, and then remove the content except the "CERTIFICATE" part.
root@ezfs:~# openssl s_client -connect 192.168.1.180:443 > /tmp/host180.pem 
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
root@ezfs:~# 

root@ezfs:~# vi /tmp/host180.pem 
root@ezfs:~# 
root@ezfs:~# cat /tmp/host180.pem 
-----BEGIN CERTIFICATE-----
MIIDljCCAn4CCQCfpX0OhjSiMTANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMC
VVMxCzAJBgNVBAgMAk5KMQ8wDQYDVQQHDAZNeVRvd24xDzANBgNVBAoMBk9yYWNs
ZTELMAkGA1UECwwCU0UxFjAUBgNVBAMMDTE5Mi4xNjguMS4xODAxJjAkBgkqhkiG
9w0BCQEWF3N0ZWZmZW5Ac3RlZmZlbi5zdGVmZmVuMB4XDTE2MDYwODIxMzkwNloX
DTE5MDMwNTIxMzkwNlowgY8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOSjESMBAG
A1UEBwwJTXlIb3N0MTgwMQ8wDQYDVQQKDAZPcmFjbGUxDjAMBgNVBAsMBVNFd2Vi
MRYwFAYDVQQDDA0xOTIuMTY4LjEuMTgwMSYwJAYJKoZIhvcNAQkBFhdob3N0MTgw
QHN0ZWZmZW4uc3RlZmZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AM4wzBQRsqz2lwH1sauTSnx6fpig40EBaFHRLCblvWgAYLgTY1ccV39X2zryjKIM
u0vDnBALQOu4/IMZ+7tcZNnSBPrKhqC/YgwWmY0GINvbFG0AQ1aIm/KEqeHLzVhu
EAjGc1tUvhWT1MxvooHshtR1KGzZv9gq6fnBprqOz0Es6VNWPLX3rmkryFhlE+tY
HOhEgBAMEhiQ6Ait/pORMGG5XRaLkXsXNjrEHD8YXD4VbvPl8GoMQCwSZ9M3DFA1
8IfpDaB5ByUihhFWV2NxcBBfCqCBd6v0bdh1nyAJ5zhZGmEHYztt13WqiJ315pgy
yhXnAne0SDycdRQrxpPs21ECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAY+2RTjLy
lWaaHO4xDYGuDW8k2XkxsH+BkRcDtRM0g1iliHgQLSxGqdsKr4fK4WWC7Vbfm0Cb
l47T3ny+rNvyT6ac/VhfwI/GDIOGwV+mzoVio5QlZh601gclDv5M4j8633Wr/SCc
c8ZFB6FOAfqaLDtZryfHCUbppL2AnSPY6JFQG4Cv5Uo/nTTs4vyL4JwRl/cQNLXY
6GCQRMjAwrfdjj2wBczrbEK1qzu0gD4crkB/XpyJFZq32RSvWtE3nVV9GU93ErLY
C1BxQHvrYYWVlIv59sIQ4DYec0b/mxs9HnjHVA4sveTg1CjUXRY+eYpPF7OlHa9v
2EV4l7T2IB0ZLg==
-----END CERTIFICATE-----
root@ezfs:~# 
I copy the file into the Certificate Authority directory.
root@ezfs:~# cp /tmp/host180.pem /etc/certs/CA/ 
root@ezfs:~# 
Because this is a Self Signed Certificate, I also need the file I use to sign certificates. That is on the web server.
root@ezfs:~# scp guest@192.168.1.180:/etc/apache2/2.2/CA.d/host180CA.pem /tmp 
The authenticity of host '192.168.1.180 (192.168.1.180)' can't be established.
RSA key fingerprint is 1b:62:9b:5c:42:f9:44:c9:d1:81:99:c4:e3:c0:3f:0f.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '192.168.1.180' (RSA) to the list of known hosts.
Password: XXX 
host180CA.pem        100% |**********************************************|  1415       00:00    
root@ezfs:~# 

root@ezfs:~# cp /tmp/host180CA.pem /etc/certs/CA/ 
root@ezfs:~# 
With both files in the directory, I have the CA service refresh to read the files.
root@ezfs:~# svcs *cert* 
STATE          STIME    FMRI
online         17:01:51 svc:/system/ca-certificates:default
root@ezfs:~# 

root@ezfs:~# svcadm refresh ca-certificates 
root@ezfs:~# 

root@ezfs:~# svcs *cert* 
STATE          STIME    FMRI
online         17:53:56 svc:/system/ca-certificates:default
root@ezfs:~# 
Any easy way I found to verify that this works is the "wget(1)" command. Its output is useful in understanding when my certificates are not working as well.
root@ezfs:~# (cd /tmp ; wget https://192.168.1.180/zfs-aes-256.key ) 
--2016-06-08 17:54:10--  https://192.168.1.180/zfs-aes-256.key
Connecting to 192.168.1.180:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/plain]
Saving to: ‘zfs-aes-256.key’

zfs-aes-256.key          100%[=================================>]      32  --.-KB/s   in 0s     

2016-06-08 17:54:10 (3.57 MB/s) - ‘zfs-aes-256.key’ saved [32/32]

root@ezfs:~# 
root@ezfs:~# rm /tmp/zfs-aes-256.key 
root@ezfs:~# 
I delete the file right away as I only want it accessible via https.

Create the ZFS File Systems

Now to the real tack at hand, creating a ZFS file system with encryption and the wrapping key accessed using https. I also create one that requires manual input to show the difference. I am using the "rpool/export" directory as my base.
root@ezfs:~# zfs list 
NAME                              USED  AVAIL  REFER  MOUNTPOINT
rpool                            61.6M   156G   144K  /rpool
rpool/ROOT                       58.1M   156G   144K  legacy
rpool/ROOT/solaris-0             58.1M   156G  1.48G  /
rpool/ROOT/solaris-0/var         2.60M   156G   174M  /var
rpool/VARSHARE                      3M   156G  2.76M  /var/share
rpool/VARSHARE/pkg                296K   156G   152K  /var/share/pkg
rpool/VARSHARE/pkg/repositories   144K   156G   144K  /var/share/pkg/repositories
rpool/export                      360K   156G   152K  /export 
rpool/export/home                 256K   156G   152K  /export/home
rpool/export/home/guest           152K   156G   152K  /export/home/guest
root@ezfs:~# 

root@ezfs:~# zfs create -o encryption=on \
-o keysource=passphrase,prompt rpool/export/prompt 
Enter passphrase for 'rpool/export/prompt': XXX 
Enter again: XXX 
root@ezfs:~# 

root@ezfs:~# zfs create -o encryption=on \
-o keysource=raw,https://192.168.1.180:443/zfs-aes-256.key rpool/export/https 
root@ezfs:~# 
I put some data into the two file system to test with later.
root@ezfs:~# date > /export/https/date 
root@ezfs:~# date > /export/prompt/date 
root@ezfs:~# 
root@ezfs:~# ls /export/* 
/export/home:
guest

/export/https:
date 

/export/prompt:
date 
root@ezfs:~# more /export/*/date 
::::::::::::::
/export/https/date
::::::::::::::
Wednesday, June  8, 2016 05:59:59 PM EDT
::::::::::::::
/export/prompt/date
::::::::::::::
Wednesday, June  8, 2016 06:00:07 PM EDT
root@ezfs:~# 

root@ezfs:~# zfs list 
NAME                              USED  AVAIL  REFER  MOUNTPOINT
rpool                            61.9M   156G   144K  /rpool
rpool/ROOT                       58.1M   156G   144K  legacy
rpool/ROOT/solaris-0             58.1M   156G  1.48G  /
rpool/ROOT/solaris-0/var         2.60M   156G   174M  /var
rpool/VARSHARE                      3M   156G  2.76M  /var/share
rpool/VARSHARE/pkg                296K   156G   152K  /var/share/pkg
rpool/VARSHARE/pkg/repositories   144K   156G   144K  /var/share/pkg/repositories
rpool/export                      720K   156G   168K  /export
rpool/export/home                 256K   156G   152K  /export/home
rpool/export/home/guest           152K   156G   152K  /export/home/guest
rpool/export/https                172K   156G   172K  /export/https
rpool/export/prompt               172K   156G   172K  /export/prompt 
root@ezfs:~# 
root@ezfs:~# halt 

[Connection to zone 'ezfs' pts/10 closed]

Validating Hands-Free Operation After a Reboot

The keys for encrypted ZFS file system are only required when they are first accessed. I am using Solaris Zones, and don't want to reboot my system. So to simulate a reboot I "unload" the keys for all the file system in the zone. (There is only one file system with a key, however, this would do all if there were more than one.)
root@global# zfs key -u -r pool1/zones/ezfs 
root@global# 
root@global# zoneadm -z ezfs boot 
root@global# 

Test and Manually Mount the "prompt" File System

Once the zone boots, lets check what data is available.
root@global# zlogin ezfs 
[Connected to zone 'ezfs' pts/10]
Last login: Wed Jun  8 17:05:53 2016 on pts/10
Oracle Corporation      SunOS 5.11      11.3    March 2016
root@ezfs:~# 
root@ezfs:~# ls /export/* 
/export/home:
guest

/export/https:
date 

/export/prompt:
root@ezfs:~# 
root@ezfs:~# more /export/*/date 
Wednesday, June  8, 2016 05:59:59 PM EDT
root@ezfs:~# 
As you can see, only the "https" directory shows the "date" file. I manually mount the "prompt" file system.
root@ezfs:~# zfs mount rpool/export/prompt 
Enter passphrase for 'rpool/export/prompt': XXX  
root@ezfs:~# 
root@ezfs:~# more /export/*/date 
::::::::::::::
/export/https/date
::::::::::::::
Wednesday, June  8, 2016 05:59:59 PM EDT
::::::::::::::
/export/prompt/date
::::::::::::::
Wednesday, June  8, 2016 06:00:07 PM EDT
root@ezfs:~# 
Now both "date" files are available.

Summary

This was a quick and simple walk through of the steps to automatically mount an encrypted file system without using a local keysource file. Thank you and good luck with you ZFS experiences!

Steffen

Appreciations

Thanks to DarrenM for his repeated replies to my email requests for help, and to BartS for his quick reply as well.

Thank you to "The Data Center Overlords" for the high level steps that got me started on how to set up my own Certificate Authority and server certificates.

Revision History

(Other than minor typographical changes)

2016.06.08: Posted

2016.06.08: Created

Thursday May 05, 2016

Encrypting my Home Directory on ZFS

Overview

I like to run Solaris on my work desktops because I have all the Solaris features at my fingertips. This included the manual pages, Solaris Zones, Solaris networking including VNICs, and I just find the Solaris GNOME desktop to the most easy for me to use for basic email, browsing, terminal windows, and the like.

Because I might be putting some information on my desktop that I'd rather not leave when the disk drive leaves, I make an effort to encrypt my home directory. Because I do this relatively infrequently, I don't remember the steps, so search for and I reference Darren Moffat's blog. Unfortunately, it was written in 2011 when Solaris 11 11/11 delivered ZFS encryption, and it seems some files have changed slightly.

To make it easier for me to reference, and to add some additional features, I did some repeated testing of modification of the PAM module and am posting the steps in this blog entry. I make no effort to explain PAM, as I am not that versed in it.

The Default Configuration

I am using one of my desktops to write this, and I will use as Solaris Zone to show what a fresh installation looks like. Darren's example shows how to enable encryption with the GNOME Display Manager (GDM.) I will extend this to work with console or ssh login. Testing the GDM configuration does require me to log out of my desktop, and is a bit more intrusive for me to test and show. Testing and documenting console and ssh logins are easy with a Zone.

root@pamzone:~# cd /etc/pam.d 
root@pamzone:/etc/pam.d# 
root@pamzone:/etc/pam.d# ls 
cron           gdm-autologin  other          pfexec
cups           login          passwd         tpdlogin
root@pamzone:/etc/pam.d# 
Here are default files in a Solaris 11.3 default installation using the Live Media. I highlight the files I will be changes. In addition, I will be adding a gdm file that is not yet there.

Modifying the Configuration

Because I am a bit conservative, even though this is a Zone, I will make a best effort to be able to revert to the original configuration. Also, I can highlight differences.
root@pamzone:/etc/pam.d# beadm create initial 
root@pamzone:/etc/pam.d# 
root@pamzone:/etc/pam.d# cp -p login login.orig 
root@pamzone:/etc/pam.d# cp -p other other.orig 
root@pamzone:/etc/pam.d# 
I modify the "login" and "other" files based on the changes Darren put into the "/etc/pam.conf" file. The GDM specific entries go into "gdm".
root@pamzone:/etc/pam.d# diff login login.orig 
14,16d13
< # 2016.05.04 Added for encrypting user's home directory
< #            Create a new home directory if it does not exist
< auth required         pam_zfs_key.so.1 create homes=rpool/export/home 
root@pamzone:/etc/pam.d# 
root@pamzone:/etc/pam.d# diff other other.orig 
14,16d13
< # 2016.05.04 Added for encrypting user's home directory
< #            This allows new account without coming in on console
< auth required         pam_zfs_key.so.1 create homes=rpool/export/home
49,51d45
< # 2016.05.04 Added for encrypting user's home directory
< #            Update the ZFS encryption wrapping key when the user changes their password
< password requisite    pam_zfs_key.so.1 homes=rpool/export/home 
root@pamzone:/etc/pam.d# 
root@pamzone:/etc/pam.d# cat gdm 
# 2016.05.04 Created based on https://blogs.oracle.com/darren/entry/user_user_home_directory_encryption
auth requisite          pam_authtok_get.so.1
auth required           pam_unix_cred.so.1
auth required           pam_unix_auth.so.1
# 2016.05.04 Added for encrypting user's home directory
#            Create a new home directory if it does not exist
auth required           pam_zfs_key.so.1 create homes=rpool/export/home
# 2016.05.04 End of ZFS encrytion changes
auth required           pam_unix_auth.so.1 
While Darren shows putting the ZFS encryption features into "/etc/pam.conf" I am putting them into the per-service files in "/etc/pam.d/" as the /etc/pam.conf comments recommend. This has required some testing and retesting for me to get this fully working, which is why I am creating this blog.

Modifying the Configuration

The way to test this is to create a new user. Since I am doing this in a Solaris Zone I can only test text console and network logins. I will demonstrate both, and come back later to show GDM.

First steps are to create the users and to force them to enter a new password when they first log in.

root@pamzone:~# useradd -g 10 -c "user1" -d /export/home/user1 user1 
root@pamzone:~# useradd -g 10 -c "user2" -d /export/home/user2 user2 
root@pamzone:~# 
root@pamzone:~# passwd user1 
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user1
root@pamzone:~# passwd user2 
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user2
root@pamzone:~# 
root@pamzone:~# passwd -f user1 
passwd: password information changed for user1
root@pamzone:~# passwd -f user2 
passwd: password information changed for user2
root@pamzone:~# 
The "-f" option forces the user to enter a new password on their next login by expiring it. Thus only the user knows the password for the wrapping key.

Testing the New Users

Now I will log into the Zone's console from the Global Zone to show the console login step.
admin@global:~$ pfexec zlogin -C pamzone 
[Connected to zone 'pamzone' console]

pamzone console login: user1 
Password: xxx
Choose a new password.
New Password: xxx
Re-enter new Password: xxx
login: password successfully changed for user1
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation      SunOS 5.11      11.3    February 2016
-bash-4.1$ 
-bash-4.1$ pwd 
/export/home/user1
-bash-4.1$ /usr/sbin/zfs get encryption rpool/export/home/user1 
NAME                     PROPERTY    VALUE  SOURCE
rpool/export/home/user1  encryption  on     local 
-bash-4.1$ 
As you can see, a home directory is created automatically, and encryption is set to "on".

The second test is to login in remotely. I am simulating that by going to localhost just for convenience.

root@pamzone:~# ssh user2@localhost 
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 1d:e5:ff:2d:1f:b2:db:a0:0a:ff:3b:53:db:e6:3c:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password: xxx
Warning: Your password has expired, please change it now.
New Password: xxx
Re-enter new Password: xxx
sshd-kbdint: password successfully changed for user2
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation      SunOS 5.11      11.3    February 2016
-bash-4.1$ 
-bash-4.1$ pwd 
/export/home/user2 
-bash-4.1$ /usr/sbin/zfs get encryption rpool/export/home/user1 
NAME                     PROPERTY    VALUE  SOURCE
rpool/export/home/user1  encryption  on     local 
-bash-4.1$ 
Again, the ZFS encryption property validates that encryption is on.

Changing a Password

It is good to know I can have my home directory encrypted automatically when I log in the first time. What happens when it is time for me to change my password? Let's see.
-bash-4.1$ passwd 
passwd: Changing password for user2
Enter existing login password: xxx
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user2
ZFS Key change for rpool/export/home/user2 successful 
-bash-4.1$ 
As you can see, the ZFS wrapping key is updated when I run the "passwd(1)" command.

Mounting an Encrypted File System/Home Directory on Reboot

The above steps created and mounted the users' home directories. Let us take a look what happens on a reboot. The experience is different in a Zone reboot than it is on a system reboot.
root@auth:~# zfs get -r encryption rpool/export/home 
NAME                     PROPERTY    VALUE  SOURCE
rpool/export/home        encryption  off    -
rpool/export/home/guest  encryption  off    -
rpool/export/home/user1  encryption  on     local
rpool/export/home/user2  encryption  on     local
root@auth:~# 
root@auth:~# ls /export/home/*/ 
/export/home/guest/:

/export/home/user1/:
test1

/export/home/user2/:
test2
root@auth:~# 
root@auth:~# reboot 

[Connection to zone 'auth' pts/3 closed]
root@global:~# 
...
root@global:~# zlogin auth 
[Connected to zone 'auth' pts/3]
Oracle Corporation	SunOS 5.11	11.3	February 2016
root@auth:~# 
root@auth:~# ls /export/home/*/ 
/export/home/guest/:

/export/home/user1/:
test1

/export/home/user2/:
test2 
root@auth:~# 
root@auth:~# ls /export/home/*/test* 
/export/home/user1/test1  /export/home/user2/test2 
root@auth:~# 
Though the Zone was rebooted, it is not necessary to provide wrapping keys for the encrypted file systems. Now let's see what happens when the system reboots.
root@auth:~# ls /export/home/*/test* 
/export/home/*/test*: No such file or directory 
root@auth:~# 
root@auth:~# ssh user1@localhost 
Password: xxx
Oracle Corporation      SunOS 5.11      11.3    February 2016
-bash-4.1$ ls 
test1 
-bash-4.1$ exit 
logout
Connection to localhost closed.
root@auth:~# 
root@auth:~# ls /export/home/*/test* 
/export/home/user1/test1 
root@auth:~# 
root@auth:~# zfs mount rpool/export/home/user2 
Enter passphrase for 'rpool/export/home/user2': xxx
root@auth:~# 
root@auth:~# ls /export/home/*/test* 
/export/home/user1/test1  /export/home/user2/test2 
root@auth:~# 
Upon a system reboot it is necessary to provide the wrapping key. With the custom PAM setup, when user1 logs in, the key is provided to mount user1's home directory. A second way of providing the key is when performing a "zfs mount" operation. In the second case, the user with the privileges to run the command must know the wrapping key. I have done that when I access my system remotely after a reboot, and before I added the extra option to mount on remote access.

Testing the Configuration when Logging In on a Desktop

In order to capture the desktop login experience, I need to enable remote GNOME login. I followed the steps at Setting Up Remote Desktop Access Using VNC in the Solaris 11.3 Desktop Admiminstrator's Guide and tips on Calkins' Blog.

Because desktops need to access devices not available in a Solaris Zone, I created another user user3 in the Global Zone on the system. (First I create a new Boot Environment and reboot into that, so I can delete the changes to the Global Zone.)

Once all set up, I log in.

User Login

Because I force the user to enter a new password, I am prompted to do so.

Expired Password

I enter it (twice.)

Enter New Password

I am told it is successful.

Password Change Successful

As with on the console or a network connection, the system tells me that I have successfully encrypted.

Encryption is On with Login Password

And I can verify that by looking at the ZFS encryption attribute. It is on!

ZFS Encryption is On

So this shows the GNOME version of first login and changing the password to set the ZFS encryption wrapping key.

In Summary

Now you can encrypt your home directory and make sure the wrapping key is up to date whenever you change your password.

I will add one small item since we are changing the PAM configuration files. In Solaris 11.3, when the system is rebooted for any reason, a new feature asked for by some customers is to remind the user of the last login in. This display disappears after ten second or so. To get rid of it quicker you might have to click on OK. AlanC at The Observatory writes how to get rid of that. Here is how do that.

root@global:~# grep nowarn /etc/pam.d/gdm 
session required	pam_unix_session.so.1	nowarn 
root@global:~# 
Hopefully this all makes someone's life a bit easier and more secure.

Steffen

Revision History

(Other than minor typographical changes)

2016.05.10: Corrected "other" to "gdm" in how to avoid last login warnings

2016.05.06: Small changes to my comments and descriptions

2016.05.05: Posted

2016.05.03: Created

Monday Sep 21, 2015

Configuring Secure NFS in Solaris 11

This entry goes through the steps to build a Secure NFS server and client configuration. This includes the necessary DNS server configuration, creating a single Kerberos Key Distribution Center, and configuring NFS server and client to force access using Secure NFS.[Read More]

Secure NFS: Step O, as in Optional--NTP and DNS

Optional Network Time Protocol and Domain Name System Setup for Kerberos

Kerberos requires in-sync system time across all systems utilizing the service. Solaris Kerberos also requires direct access to DNS, as it does not use the local name service switch to select host name resolution. Thus I start with the steps to set up NTP and DNS, should you need either or both.

NTP

Since my setup is using Solaris Zones on a single system, they share the Global Zone's clock, and thus all the Zones' times are in sync. When using Kerberos across multiple systems, it is suggested to keep clock skew at a minimum. You may be doing this already for other reasons. If not, here is a simple Network Time Protocol configuration. Your routers may be valid NTP servers.

I add several server references in /etc/inet/ntp.conf, which I base off of the provided /etc/inet/ntp.client file.

global# diff /etc/inet/ntp.conf /etc/inet/ntp.client
49,53d48
< server 0.us.pool.ntp.org iburst
< server 1.us.pool.ntp.org iburst
< server 2.us.pool.ntp.org iburst
< server 3.us.pool.ntp.org iburst
global#

Replace the "x.us.pool.ntp.org" with your NTP servers' IP addresses or hostnames.

DNS

DNS infrastructure is required for Kerberos. Solaris' Kerberos is compiled to use DNS to do hostname lookups. See Kerberos, DNS, and the Naming Service.

If you have DNS servers you can update or even just reference for the nodes you need, please use them. I you don't have that or don't want to use them, here are steps to set up your own DNS service. This will include a single DNS server. More available DNS is out of the scope of this entry.

Create the DNS server Solaris Zone

My Zone configuration file is as follows.

global# cat dns.cfg
create -b
set brand=solaris
set zonepath=/zones/dns
set autoboot=false
set autoshutdown=shutdown
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=net1
set configure-allowed-address=true
set link-protection=mac-nospoof
set mac-address=random
set vlan-id=17
end
add anet
set linkname=net1
set lower-link=net0
set configure-allowed-address=true
set link-protection=mac-nospoof
set mac-address=random
end
add admin
set user=steffen
set auths=login,manage,config
end
global#

The Zone has two network interfaces. The first (linkname=net0) is on VLAN ID 17 and is for this Secure NFS setup. The second network interface (linkname=net1) ties into my local network, and also my local DNS server (my broadband router at home, or my office network's DNS server--that I can't get modified for my hostnames.)

I also set the Zone up so that I can administer it without becoming root, though all the examples here are as root.

I configure the zone using the dns.cfg configuration file as input.

global# zonecfg -z dns -f dns.cfg
UX: /usr/sbin/usermod: steffen is currently logged in, some changes may not take effect until next login.
global#

Then to speed things up I clone the Zone from a "master" zone I created in advance. On my system a clone takes less than 20 seconds, while an install, with a local IPS repository, takes about 90 seconds. Your times will vary based on your system, type of storage, and the network connection to the IPS repository you use.

global# zoneadm -z dns clone -c dns_profile.xml kdcmaster
The following ZFS file system(s) have been created:
    pool1/zones/dns
Progress being logged to /var/log/zones/zoneadm.20150901T012022Z.dns.clone
Log saved in non-global zone as /zones/dns/root/var/log/zones/zoneadm.20150901T012022Z.dns.clone
global#

Lets boot the Zone.

global# zoneadm -z dns boot
global#

Once the Zone is up and running, I like to create a new boot environment, so that I if have to revert the changes I made, I can just reboot into the existing new Zone. While creating a new Zone is fast, this save some work, and it is also convenient later on to test additional changes.

global# zlogin dns
[Connected to zone 'dns' pts/8]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@dns:~#

root@dns:~# beadm create dns
root@dns:~# beadm activate dns
root@dns:~# reboot

[Connection to zone 'dns' pts/8 closed]
global#

Install the DNS server in the Solaris Zone

The DNS server package service/network/dns/bind is not installed by default, so we have to install it. We can verify it is not there by testing for the service.

global# zlogin dns
[Connected to zone 'dns' pts/8]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@dns:~#

root@dns:~# svcs *dns*
STATE          STIME    FMRI
disabled       21:26:25 svc:/network/dns/multicast:default
online         21:26:29 svc:/network/dns/client:default
root@dns:~#

root@dns:~# pkg install pkg:/service/network/dns/bind
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         38/38      1.4/1.4  9.2M/s

PHASE                                          ITEMS
Installing new actions                         74/74
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@dns:~#

root@dns:~# svcs *dns*
STATE          STIME    FMRI
disabled       21:26:25 svc:/network/dns/multicast:default
disabled       21:27:17 svc:/network/dns/server:default
online         21:26:29 svc:/network/dns/client:default
root@dns:~#

Configured the DNS server

With the DNS server package installed, it is time to create a basic DNS server configuration. I am using network 172.17.0.0/22 for some historical reasons. You can adjust to meet your own preferences or local requirements.

Some preliminary work for my configuration. My Zone configuration, if you remember, has two networks. The syconfig profile configured net0 for my private network. I still need to configure net1 on my standard network. I will use DHCP to get an address.

root@dns:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                vnic      1500   up       ?
net1                vnic      1500   up       ?
root@dns:~#
root@dns:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           172.17.0.250/22
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::8:20ff:fe90:a16e/10
root@dns:~#
root@dns:~# ipadm create-ip net1
root@dns:~#
root@dns:~# ipadm create-addr -T dhcp net1
net1/v4
root@dns:~#
root@dns:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           172.17.0.250/22
net1/v4           dhcp     ok           192.168.1.112/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::8:20ff:fe90:a16e/10
root@dns:~#

It is time to create the master DNS file in /etc/named.conf. Some items of note include:

  • My two subnets, 172.17.0.0/22 and 192.168.1.0/24
  • I have ACLs to allow access from my two subnets
  • I set a forward to my local DNS server (my local router or my office network's DNS servers.)
  • I listen on the two networks listed in the ipadm output above.
  • This is set up for additional slave DNS servers, though I will not be showing the setup of that here.

Here is my final /etc/named.conf file.

root@dns:~# cat /etc/named.conf
//
// sample BIND configuration file
// taken from http://www.madboa.com/geek/soho-bind/
//

// Added acl per DNS setup at
// https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
//
acl goodclients {
  172.17.0.0/22;
  192.168.1.0/24;
  localhost;
};

options {
  // tell named where to find files mentioned below
  directory "/var/named";
  // on a multi-homed host, you might want to tell named
  // to listen for queries only on certain interfaces
  listen-on { 127.0.0.1; 172.17.0.250/22; 192.168.1.112/24; };
  allow-query { goodclients; };
  forwarders { 192.168.1.1; };
};

// The single dot (.) is the root of all DNS namespace, so
// this zone tells named where to start looking for any
// name on the Internet
zone "." IN {
  // a hint type means that we've got to look elsewhere
  // for authoritative information
  type hint;
  file "named.root";
};

// Where the localhost hostname is defined
zone "localhost" IN {
  // a master type means that this server needn't look
  // anywhere else for information; the localhost buck
  // stops here.
  type master;
  file "zone.localhost";
  // don't allow dynamic DNS clients to update info
  // about the localhost zone
  allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "0.0.127.in-addr.arpa" IN {
  type master;
  file "revp.127.0.0";
  allow-update { none; };
};

zone "steffentw.com" IN {
  // this is the authoritative server for
  // steffentw.com info
  type master;
  file "zone.com.steffentw";
  also-notify { 172.17.0.251; 172.17.0.252; };
};

zone "0.17.172.in-addr.arpa" {
  // this is the authoritative server for
  // the 172.17.0.0/22 network
  type master;
  file "revp.172.17.0.0";
  also-notify { 172.17.0.251; 172.17.0.252; };
};
root@dns:~#

Now I have to create or update the files pointed to be /etc/named.conf with my local hostnames.

root@dns:~# cd /var/named
root@dns:/var/named# ls
named.root        revp.172.17.0.0   zone.localhost
revp.127.0.0      zone.com.steffentw
root@dns:/var/named#
root@dns:/var/named# cat zone.com.steffentw
;
; dns zone for for steffentw.com
;
; 20150827	Hide _nfsv4idmapdomain to test domainname(1M) response
; 20150824	Removed CNAME for kdc to see if this is required
;
$ORIGIN steffentw.com.
$TTL 1M				; set to 1M for testing, was 1D
; any time you make a change to the domain, bump the
; "serial" setting below. the format is easy:
; YYYYMMDDI, with the I being an iterator in case you
; make more than one change during any one day
@	IN SOA   dns hostmaster (
			201508311 ; serial
			8H        ; refresh
			4M        ; retry
			1H        ; expire
			1D        ; minimum
			)
; dns.steffentw.com serves this domain as both the
; name server (NS) and mail exchange (MX)
		NS	dns
		MX	10 dns
; define domain functions with CNAMEs
depot           CNAME   dns
www             CNAME   dns
; for NFSv4 (2015.08.12)
;_nfsv4idmapdomain	IN TXT	"steffentw.com"
; just in case someone asks for localhost.steffentw.com
localhost	A	127.0.0.1
;
;	172.17.0.0/22 Infrastructure Administration Network
;
host1		A	172.17.0.101
host2		A	172.17.0.102
host3		A	172.17.0.103
host4		A	172.17.0.104
host5		A	172.17.0.105
host6		A	172.17.0.106
host7		A	172.17.0.107
host8		A	172.17.0.108
host9		A	172.17.0.109
zfs1		A	172.17.0.201
zfs2		A	172.17.0.202
zfs3		A	172.17.0.203
dns		A	172.17.0.250
kdc1		A	172.17.0.251
kdc2		A	172.17.0.252
kdc3		A	172.17.0.253
root@dns:/var/named#
root@dns:/var/named# cat revp.172.17.0.0
;
; reverse pointers for 172.17.0.0 subnet
;
$ORIGIN 0.16.172.in-addr.arpa.
$TTL 1D
@	IN SOA  dns.steffentw.com. hostmaster.steffentw.com. (
		201508311  ; serial
		28800      ; refresh (8 hours)
		14400      ; retry (4 hours)
		2419200    ; expire (4 weeks)
		86400      ; minimum (1 day)
		)
; define the authoritative name server
		NS	dns.steffentw.com.
;		NS	dns1.steffentw.com.
;		NS	dns2.steffentw.com.
;
;       172.17.0.0/22 Infrastructure Administration Network
;
101	PTR	host1.steffentw.com.
102	PTR	host2.steffentw.com.
103	PTR	host3.steffentw.com.
104	PTR	host4.steffentw.com.
105	PTR	host5.steffentw.com.
106	PTR	host6.steffentw.com.
107	PTR	host7.steffentw.com.
108	PTR	host8.steffentw.com.
109	PTR	host9.steffentw.com.
;
201	PTR	zfs1.steffentw.com.
202	PTR	zfs2.steffentw.com.
203	PTR	zfs3.steffentw.com.
;
250	PTR	dns.steffentw.com.
251	PTR	kdc1.steffentw.com.
252	PTR	kdc2.steffentw.com.
253	PTR	kdc3.steffentw.com.
root@dns:/var/named#

With those files created it is time to enable the DNS server. Keep an eye out on the console of the Zone in case you have errors.

root@dns:/var/named# svcs *dns*
STATE          STIME    FMRI
disabled       21:26:25 svc:/network/dns/multicast:default
disabled       21:27:17 svc:/network/dns/server:default
online         21:26:29 svc:/network/dns/client:default
root@dns:/var/named#
root@dns:/var/named# svcadm enable dns/server
root@dns:/var/named#
root@dns:/var/named# svcs *dns*
STATE          STIME    FMRI
disabled       21:26:25 svc:/network/dns/multicast:default
online         21:26:29 svc:/network/dns/client:default
online         21:44:31 svc:/network/dns/server:default
root@dns:/var/named#

Test the DNS server

Let us see if DNS really works.

root@dns:~# getent hosts kdc1
172.17.0.251	kdc1.steffentw.com
root@dns:~# getent hosts host1
172.17.0.101	host1.steffentw.com
root@dns:~#

A quick test to see if this Zone can do a DNS lookup for an external name.

root@dns:~# nslookup www.oracle.com
Server:		172.17.0.250
Address:	172.17.0.250#53

Non-authoritative answer:
www.oracle.com	canonical name = www.oracle.com.edgekey.net.
www.oracle.com.edgekey.net	canonical name = e7075.x.akamaiedge.net.
Name:	e7075.x.akamaiedge.net
Address: 23.66.214.140

root@dns:~#
root@dns:~# getent hosts www.oracle.com
23.66.214.140	e7075.x.akamaiedge.net www.oracle.com www.oracle.com.edgekey.net
root@dns:~#

Summary and Next Step

With NTP and DNS working, the next step is to build the Key Distribution Server. Either go to KDC setup or back to the introduction.

Secure NFS: Step 1--Setting Up the Kerberos KDC

Kerberos KDC

With DNS set up, the next service to configure is the Key Distribution Center. It will need to access DNS services.

Creating the KDC Zone

The Zone configuration is similar to the DNS server, with the interface using VLAN ID 17 in my setup.

global# cat kdc1.cfg
create -b
set brand=solaris
set zonepath=/zones/kdc1
set autoboot=false
set autoshutdown=shutdown
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=net1
set configure-allowed-address=true
set link-protection=mac-nospoof
set mac-address=random
set vlan-id=17
end
add admin
set user=steffen
set auths=login,manage,config
end
global#

Since the KDC must use DNS, lets put that into the sysconfig profile.

global# more kdc1_profile.xml
...
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv6_interface">
        <propval type="astring" name="stateful" value="yes"/>
        <propval type="astring" name="address_type" value="addrconf"/>
        <propval type="astring" name="name" value="net0/v6"/>
        <propval type="astring" name="stateless" value="yes"/>
      </property_group>
      <property_group type="application" name="install_ipv4_interface">
        <propval type="net_address_v4" name="static_address" value="172.17.0.251 /24"/>
        <propval type="astring" name="name" value="net0/v4"/>
        <propval type="astring" name="address_type" value="static"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files"/>
      <propval type="astring" name="host" value="files dns"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/dns/client">
    <property_group type="application" name="config">
      <property type="net_address" name="nameserver">
        <net_address_list>
          <value_node value="172.17.0.250"/>
        </net_address_list>
      </property>
      <property type="astring" name="search">
        <astring_list>
          <value_node value="steffentw.com"/>
        </astring_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  ...
global#

Configure and clone the KDC Zone.

global# zonecfg -z kdc1 -f kdc1.cfg
UX: /usr/sbin/usermod: steffen is currently logged in, some changes may not take effect until next login.
global#
global#
global# zoneadm -z kdc1 clone -c kdc1_profile.xml kdcmaster
The following ZFS file system(s) have been created:
    pool1/zones/kdc1
Progress being logged to /var/log/zones/zoneadm.20150901T204046Z.kdc1.clone
Log saved in non-global zone as /zones/kdc1/root/var/log/zones/zoneadm.20150901T204046Z.kdc1.clone
global#
global# zoneadm -z kdc1 boot
global#

After logging into the KDC Zones, first verify that DNS is configured properly.

global#
global# zlogin kdc1
[Connected to zone 'kdc1' pts/8]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@kdc1:~#
root@kdc1:~# getent hosts host1
172.17.0.101	host1.steffentw.com
root@kdc1:~#

Installing the Kerberos Server Software

The necessary KDC package is not installed by default.

root@kdc1:~# svcs *krb5* ; svcs *kerb*
STATE          STIME    FMRI
STATE          STIME    FMRI
disabled       16:41:20 svc:/system/kerberos/install:default
root@kdc1:~#

Again I prefer to create an alternate boot environment. This time I will do it as part of the package installation.

root@kdc1:~# pkg install --be-name kdc system/security/kerberos-5
           Packages to install:   1
       Create boot environment: Yes
Create backup boot environment:  No
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         41/41      0.7/0.7 27.9M/s

PHASE                                          ITEMS
Installing new actions                         90/90
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

A clone of solaris-0 exists and has been updated and activated.
On the next boot the Boot Environment kdc will be
mounted on '/'.  Reboot when ready to switch to this updated BE.

Updating package cache                           2/2
root@kdc1:~#

A quick check on the BE, and then boot into it.

root@kdc1:~# beadm list
BE        Flags Mountpoint Space  Policy Created         
--        ----- ---------- -----  ------ -------         
kdc       R     -          95.45M static 2015-09-01 16:47
solaris-0 N     /          6.29M  static 2015-09-01 16:40
root@kdc1:~#
root@kdc1:~# reboot

[Connection to zone 'kdc1' pts/8 closed]
global#

First lets confirm the necessary services are there.

global# zlogin kdc1
[Connected to zone 'kdc1' pts/8]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@kdc1:~#
root@kdc1:~# svcs *krb5* ; svcs *kerb*
STATE          STIME    FMRI
disabled       16:48:22 svc:/network/security/krb5_prop:default
disabled       16:48:22 svc:/network/security/krb5kdc:default
STATE          STIME    FMRI
disabled       16:48:21 svc:/system/kerberos/install:default
root@kdc1:~#

Configuring the KDC

The first configuration step is to modify two files. I make a copy for backups and to compare the new to the original here.

root@kdc1:~# cd /etc/krb5/
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# cp -p kdc.conf kdc.conf.orig
root@kdc1:/etc/krb5# cp -p krb5.conf krb5.conf.orig
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# vi kdc.conf
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# cat kdc.conf
#
#
# Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
#

[kdcdefaults]
	kdc_ports = 88,750

[realms]
	___default_realm___ = {
		profile = /etc/krb5/krb5.conf
		database_name = /var/krb5/principal
		acl_file = /etc/krb5/kadm5.acl
		kadmind_port = 749
		max_life = 8h 0m 0s
		max_renewable_life = 7d 0h 0m 0s
		default_principal_flags = +preauth
 		master_key_type = des3-cbc-sha1-kd
 		supported_enctypes = des3-cbc-sha1-kd:normal
	}
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# diff kdc.conf*
18,19d17
<  		master_key_type = des3-cbc-sha1-kd
<  		supported_enctypes = des3-cbc-sha1-kd:normal
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# vi krb5.conf
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# head -20 krb5.conf
#
#
# Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved.
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the ____ placeholders
# with appropriate values for your network and uncomment the
# appropriate entries.
#
[libdefaults]
#        default_realm = ___default_realm___
 	default_tgs_enctypes = des3-cbc-sha1-kd
 	default_tkt_enctypes = des3-cbc-sha1-kd
 	permitted_enctypes = des3-cbc-sha1-kd
 	allow_weak_enctypes = false


[realms]
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# diff krb5.conf*
14,17d13
<  	default_tgs_enctypes = des3-cbc-sha1-kd
<  	default_tkt_enctypes = des3-cbc-sha1-kd
<  	permitted_enctypes = des3-cbc-sha1-kd
<  	allow_weak_enctypes = false
19d14
<
root@kdc1:/etc/krb5#

Since my sample domain name is steffentw.com, my Kerberos realm is STEFFENTW.COM. Here I create the master KDC. It will prompt for two sets of password, make sure the remember them. The admin password will be required on all the clients.

root@kdc1:/etc/krb5# kdcmgr -a kws/admin -r STEFFENTW.COM create master

Starting server setup
---------------------------------------------------

Setting up /etc/krb5/kdc.conf.

Setting up /etc/krb5/krb5.conf.

Initializing database '/var/krb5/principal' for realm 'STEFFENTW.COM',
master key name 'K/M@STEFFENTW.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: enter master password here
Re-enter KDC database master key to verify: enter master password here

Authenticating as principal root/admin@STEFFENTW.COM with password.
WARNING: no policy specified for kws/admin@STEFFENTW.COM; defaulting to no policy
Enter password for principal "kws/admin@STEFFENTW.COM": enter admin password here
Re-enter password for principal "kws/admin@STEFFENTW.COM": enter admin password here
Principal "kws/admin@STEFFENTW.COM" created.

Setting up /etc/krb5/kadm5.acl.

---------------------------------------------------
Setup COMPLETE.

root@kdc1:/etc/krb5#

Once the configuration is complete, I quickly check to make sure it looks OK. I especially look for kadmin:default to be online.

root@kdc1:/etc/krb5# kdcmgr status

KDC Status Information
--------------------------------------------
svc:/network/security/krb5kdc:default (Kerberos key distribution center)
 State: online since September  1, 2015 04:51:06 PM EDT
   See: man -M /usr/share/man -s 1M krb5kdc
   See: /var/svc/log/network-security-krb5kdc:default.log
Impact: None.

KDC Master Status Information
--------------------------------------------
svc:/network/security/kadmin:default (Kerberos administration daemon)
 State: online since September  1, 2015 04:51:07 PM EDT
   See: man -M /usr/share/man -s 1M kadmind
   See: /var/svc/log/network-security-kadmin:default.log
Impact: None.

Transaction Log Information
--------------------------------------------

Kerberos update log (/var/krb5/principal.ulog)
Update log dump :
	Log version # : 1
	Log state : Stable
	Entry block size : 2048
	Number of entries : 3
	First serial # : 1
	Last serial # : 3
	First time stamp : Tue Sep  1 16:51:06 2015
	Last time stamp : Tue Sep  1 16:51:06 2015


Kerberos Related File Information
--------------------------------------------
(will display any missing files below)

root@kdc1:/etc/krb5#

Enabling Kerberos Client Configuration

With the KDC set up, the next step is to make is easier to configure the Kerberos clients. Two files are required, and by putting them into a location that is shared via NFS, setting up the clients will be very easy.

Step 1 is to create a mountpoint.

root@kdc1:/etc/krb5# zfs create -o mountpoint=/share -o share.nfs=on rpool/share
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# share
rpool_share	/share	nfs	sec=sys,rw	
root@kdc1:/etc/krb5#

Step 2 is to create the file kcprofile

root@kdc1:/etc/krb5# mkdir /share/krb5
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# vi /share/krb5/kcprofile
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# cat /share/krb5/kcprofile
REALM STEFFENTW.COM
KDC kdc1.steffentw.com
ADMIN kws
FILEPATH /net/kdc1.steffentw.com/share/krb5/krb5.conf
NFS 1
DNSLOOKUP none
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# cp /etc/krb5/krb5.conf /share/krb5/
root@kdc1:/etc/krb5#
root@kdc1:/etc/krb5# cat /share/krb5/krb5.conf 
[libdefaults]
	default_realm = STEFFENTW.COM

[realms]
	STEFFENTW.COM = {
		kdc = kdc1.steffentw.com
		admin_server = kdc1.steffentw.com
	}

[domain_realm]
	.steffentw.com = STEFFENTW.COM

[logging]
	default = FILE:/var/krb5/kdc.log
	kdc = FILE:/var/krb5/kdc.log
	kdc_rotate = {
		period = 1d
		versions = 10
	}

[appdefaults]
	kinit = {
		renewable = true
		forwardable = true
	}
root@kdc1:/etc/krb5#

Summary and Next Step

With the KDC set up, the next step is to create the first client and configure secure NFS. Either go to NFS Server Setup or back to the introduction.

Secure NFS: Step 2--First Keberos Client--NFS Server

Secure NFS Server

With our Kerberos KDC set up, it is time to build the NFS server. First step is creating another Solaris Zone similar to the previous ones.

Creating a NFS Server Zone

global# cat zfs1.cfg
create -b
set brand=solaris
set zonepath=/zones/zfs1
set autoboot=false
set autoshutdown=shutdown
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=net2
set configure-allowed-address=true
set link-protection=mac-nospoof
set mac-address=random
set vlan-id=17
end
add admin
set user=steffen
set auths=login,manage,config
end
global#
global# zonecfg -z zfs1 -f zfs1.cfg
UX: /usr/sbin/usermod: steffen is currently logged in, some changes may not take effect until next login.
global#
global# zoneadm -z zfs1 clone -c zfs1_profile.xml kdcmaster
The following ZFS file system(s) have been created:
    pool1/zones/zfs1
Progress being logged to /var/log/zones/zoneadm.20150901T210134Z.zfs1.clone
Log saved in non-global zone as /zones/zfs1/root/var/log/zones/zoneadm.20150901T210134Z.zfs1.clone
global#
global# zoneadm -z zfs1 boot
global#

Configuring the Zone as a Kerberos Client

We also follow the same steps as for the previous KDC client.

global# zlogin zfs1
[Connected to zone 'zfs1' pts/10]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@zfs1:~#
root@zfs1:~# ping kdc1
kdc1 is alive
root@zfs1:~#
root@zfs1:~# cat /net/kdc1/share/krb5/kcprofile
REALM STEFFENTW.COM
KDC kdc1.steffentw.com
ADMIN kws
FILEPATH /net/kdc1.steffentw.com/share/krb5/krb5.conf
NFS 1
DNSLOOKUP none
root@zfs1:~#
root@zfs1:~# head -5 /net/kdc1.steffentw.com/share/krb5/krb5.conf
[libdefaults]
	default_realm = STEFFENTW.COM

[realms]
	STEFFENTW.COM = {
root@zfs1:~#
root@zfs1:~# kclient -p /net/kdc1/share/krb5/kcprofile

Starting client setup

---------------------------------------------------

Setting up /etc/krb5/krb5.conf.

Copied /net/kdc1.steffentw.com/share/krb5/krb5.conf to /system/volatile/kclient/kclient-krb5conf.MYaafI.
Obtaining TGT for kws/admin ...
Password for kws/admin@STEFFENTW.COM: enter admin password here
kinit:  no ktkt_warnd warning possible

nfs/zfs1.steffentw.com entry ADDED to KDC database.
nfs/zfs1.steffentw.com entry ADDED to keytab.

host/zfs1.steffentw.com entry ADDED to KDC database.
host/zfs1.steffentw.com entry ADDED to keytab.

---------------------------------------------------
Setup COMPLETE.

root@zfs1:~#
root@zfs1:~# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/zfs1.steffentw.com@STEFFENTW.COM
   2 nfs/zfs1.steffentw.com@STEFFENTW.COM
   2 nfs/zfs1.steffentw.com@STEFFENTW.COM
   2 nfs/zfs1.steffentw.com@STEFFENTW.COM
   2 host/zfs1.steffentw.com@STEFFENTW.COM
   2 host/zfs1.steffentw.com@STEFFENTW.COM
   2 host/zfs1.steffentw.com@STEFFENTW.COM
   2 host/zfs1.steffentw.com@STEFFENTW.COM
root@zfs1:~#

Configuring the NFS Server File System

With the NFS server a Kerberos client, now create a ZFS file system that is exported as an NFS share requiring Kerberos privacy settings (the "krb5p" setting.)

root@zfs1:~# zfs create -o mountpoint=/secure -o share.nfs=on -o share.nfs.sec=krb5p rpool/secure
root@zfs1:~# share
rpool_secure	/secure	nfs	sec=krb5p,rw	
root@zfs1:~#

Then create a file with some easily recognized content.

root@zfs1:~# echo "The quick brown fox jumps over the lazy dog." > /secure/fox.txt
root@zfs1:~#
root@host1:~# cat /secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@zfs1:~#

Summary and Next Step

With the NFS server running, the next step is to create an NFS client. Either go to NFS Client Setup or back to the introduction.

Secure NFS: Step 3--The Secure NFS Client

Secure NFS Client

We are getting close to a fully completed configuration. The next item is the client.

Build the NFS Client Zone as a KDC Client

global# cat host1.cfg
create -b
set brand=solaris
set zonepath=/zones/host1
set autoboot=false
set autoshutdown=shutdown
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=net2
set configure-allowed-address=true
set link-protection=mac-nospoof
set mac-address=random
set vlan-id=17
end
add admin
set user=steffen
set auths=login,manage,config
end
global#
global# zoneadm -z host1 clone -c host1_profile.xml kdcmaster
The following ZFS file system(s) have been created:
    pool1/zones/host1
Progress being logged to /var/log/zones/zoneadm.20150901T213207Z.host1.clone
Log saved in non-global zone as /zones/host1/root/var/log/zones/zoneadm.20150901T213207Z.host1.clone
global#
global# zlogin host1
[Connected to zone 'host1' pts/8]
Oracle Corporation	SunOS 5.11	11.2	July 2015
root@host1:~#
root@host1:~# ping kdc1
kdc1 is alive
root@host1:~#
root@host1:~# cat /net/kdc1/share/krb5/kcprofile
REALM STEFFENTW.COM
KDC kdc1.steffentw.com
ADMIN kws
FILEPATH /net/kdc1.steffentw.com/share/krb5/krb5.conf
NFS 1
DNSLOOKUP none
root@host1:~#
root@host1:~# kclient -p /net/kdc1/share/krb5/kcprofile

Starting client setup

---------------------------------------------------

Setting up /etc/krb5/krb5.conf.

Copied /net/kdc1.steffentw.com/share/krb5/krb5.conf to /system/volatile/kclient/kclient-krb5conf.ToaOPV.
Obtaining TGT for kws/admin ...
Password for kws/admin@STEFFENTW.COM: enter admin password here
kinit:  no ktkt_warnd warning possible

nfs/host1.steffentw.com entry ADDED to KDC database.
nfs/host1.steffentw.com entry ADDED to keytab.

host/host1.steffentw.com entry ADDED to KDC database.
host/host1.steffentw.com entry ADDED to keytab.

---------------------------------------------------
Setup COMPLETE.

root@host1:~#

Demonstrate the NFS Client Working

The simples test is to just navigate to the /net/<server name> location.

root@host1:~# cat /net/zfs1/secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@host1:~#

However, was this really an encrypted data transfer? One way to check is with snoop(1M).

root@host1:~# snoop -d net0 -r host zfs1 &
[1] 21547
root@host1:~# Using device net0 (promiscuous mode)

root@host1:~# cat /net/zfs1/secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@host1:~# 172.17.0.101 -> 172.17.0.201 TCP D=2049 S=1023 Syn Seq=1000276621 Len=0 Win=32804 Options=<mss 1460,sackOK,tstamp 129311831 0,nop,wscale 5>
172.17.0.201 -> 172.17.0.101 TCP D=1023 S=2049 Syn Ack=1000276622 Seq=576217546 Len=0 Win=32806 Options=<sackOK,tstamp 129311831 129311831,mss 1460,nop,wscale 5>
172.17.0.101 -> 172.17.0.201 TCP D=2049 S=1023 Ack=576217547 Seq=1000276622 Len=0 Win=32806 Options=<nop,nop,tstamp 129311831 129311831>
...
172.17.0.101 -> 172.17.0.201 RPC RPCSEC_GSS C NFS ver(4) proc(1) (data encrypted)
172.17.0.201 -> 172.17.0.101 TCP D=1023 S=2049 Ack=1000276950 Seq=576217547 Len=0 Win=32796 Options=<nop,nop,tstamp 129311831 129311831>
172.17.0.201 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(4) proc(1) (data encrypted)
172.17.0.101 -> 172.17.0.201 TCP D=2049 S=1023 Ack=576217959 Seq=1000276950 Len=0 Win=32806 Options=<nop,nop,tstamp 129311832 129311832>
...
172.17.0.101 -> 172.17.0.201 RPC RPCSEC_GSS C NFS ver(4) proc(1) (data encrypted)
172.17.0.201 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(4) proc(1) (data encrypted)
...
root@host1:~# kill %1
root@host1:~#

To see the difference, lets create a second share that does not require Kerberos.

root@zfs1:~# zfs create -o mountpoint=/clear -o share.nfs=on rpool/clear
root@zfs1:~#
root@zfs1:~# share
rpool_secure	/secure	nfs	sec=krb5p,rw	
rpool_clear	/clear	nfs	sec=sys,rw	
root@zfs1:~#
root@zfs1:~# cp /secure/fox.txt /clear/
root@zfs1:~#

And run snoop with the option to dump all the data in each Ethernet frame. I like to use -x 0.

First using encrypted mountpoint.

root@host1:~# snoop -d net0 -r -x 0 host zfs1 &
[1] 21591
root@host1:~# Using device net0 (promiscuous mode)

root@host1:~# cat /net/zfs1/secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@host1:~# 172.17.0.101 -> 172.17.0.201 TCP D=2049 S=48428 Syn Seq=788443968 Len=0 Win=64240 Options=<mss 1460,sackOK,tstamp 129469208 0,nop,wscale 1>

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 003c ea59 4000 4006 0000 ac11 0065 ac11    .<.Y@.@......e..
	  32: 00c9 bd2c 0801 2efe b340 0000 0000 a002    ...,.....@......
	  48: faf0 597f 0000 0204 05b4 0402 080a 07b7    ..Y.............
	  64: 8b18 0000 0000 0103 0301                   ..........

172.17.0.201 -> 172.17.0.101 TCP D=48428 S=2049 Syn Ack=788443969 Seq=2268877688 Len=0 Win=32806 Options=<sackOK,tstamp 129469208 129469208,mss 1460,nop,wscale 5>

	   0: 0208 20ea 4c3d 0208 20e4 7813 0800 4500    .. .L=.. .x...E.
	  16: 003c f568 4000 4006 ec02 ac11 00c9 ac11    .<.h@.@.........
	  32: 0065 0801 bd2c 873c 5378 2efe b341 a012    .e...,.<Sx...A..
	  48: 8026 c6b9 0000 0402 080a 07b7 8b18 07b7    .&..............
	  64: 8b18 0204 05b4 0103 0305                   ..........

172.17.0.101 -> 172.17.0.201 TCP D=2049 S=48428 Ack=2268877689 Seq=788443969 Len=0 Win=64436 Options=<nop,nop,tstamp 129469208 129469208>

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 0034 ea5a 4000 4006 0000 ac11 0065 ac11    .4.Z@.@......e..
	  32: 00c9 bd2c 0801 2efe b341 873c 5379 8010    ...,.....A.<Sy..
	  48: fbb4 5977 0000 0101 080a 07b7 8b18 07b7    ..Yw............
	  64: 8b18                                       ..

...

172.17.0.101 -> 172.17.0.201 RPC RPCSEC_GSS C NFS ver(4) proc(1) (data encrypted)

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 017c ea70 4000 4006 0000 ac11 0065 ac11    .|.p@.@......e..
	  32: 00c9 03ff 0801 4667 92c6 2d1f 25fc 8018    ......Fg..-.%...
	  48: 8026 5abf 0000 0101 080a 07b7 8b1b 07b7    .&Z.............
	  64: 8b1b 8000 0144 6e7d 0f68 0000 0000 0000    .....Dn}.h......
	  80: 0002 0001 86a3 0000 0004 0000 0001 0000    ................
	  96: 0006 0000 0018 0000 0001 0000 0000 0000    ................
	 112: 0002 0000 0003 0000 0004 1e00 0000 0000    ................
	 128: 0006 0000 001c 0404 04ff ffff ffff 0000    ................
	 144: 0000 15d8 2a96 8cb9 33d6 91df d5de 4ee1    ....*...3.....N.
	 160: d51a 0000 00e4 0504 06ff 0000 0000 0000    ................
	 176: 0000 15d8 2a97 61c4 fa98 3b63 14d0 c5cb    ....*.a...;c....
	 192: 59ee 8848 1638 12bc 486e d73a 8b1e d704    Y..H.8..Hn.:....
	 208: 74e2 65e6 e036 6847 32e8 d2c8 a100 655b    t.e..6hG2.....e[
	 224: df06 73df 78d2 af8a 7850 193c a0bc 2147    ..s.x...xP.<..!G
	 240: 6073 7dcf 3038 cfbb 95d4 5f35 489c 65eb    `s}.08...._5H.e.
	 256: 1e54 3572 60c8 9b1e 78c8 f47a ac25 e8be    .T5r`...x..z.%..
	 272: ddd5 c104 8067 cf6a ca03 1327 c14d e5dd    .....g.j...'.M..
	 288: 0f06 2dac bac9 d689 7536 e391 0e3f 14dd    ..-.....u6...?..
	 304: 2f7b 33d1 231e 3b7b 0de5 5ee2 c28f cb54    /{3.#.;{..^....T
	 320: a2e0 2456 1ffa ddf0 c37f 42bf 252b 1667    ..$V......B.%+.g
	 336: 02c2 1fe3 b19d 0d7b 94a2 4e50 748b 5935    .......{..NPt.Y5
	 352: 890b 746c deb2 5744 97a4 4c07 83e4 5377    ..tl..WD..L...Sw
	 368: 4ca4 75e4 8081 f196 6f01 63fd 4e56 bee9    L.u.....o.c.NV..
	 384: 5510 c21a 6b6a 2d63 c326                   U...kj-c.&

172.17.0.201 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(4) proc(1) (data encrypted)

	   0: 0208 20ea 4c3d 0208 20e4 7813 0800 4500    .. .L=.. .x...E.
	  16: 01d0 f57e 4000 4006 ea58 ac11 00c9 ac11    ...~@.@..X......
	  32: 0065 0801 03ff 2d1f 25fc 4667 940e 8018    .e....-.%.Fg....
	  48: 8026 8344 0000 0101 080a 07b7 8b1b 07b7    .&.D............
	  64: 8b1b 8000 0198 6e7d 0f68 0000 0001 0000    ......n}.h......
	  80: 0000 0000 0006 0000 001c 0404 05ff ffff    ................
	  96: ffff 0000 0000 22a9 1433 c781 6e9e 8ed8    ......"..3..n...
	 112: e6cc aa86 e4d9 0000 0000 0000 0160 0504    .............`..
	 128: 07ff 0000 0000 0000 0000 22a9 1434 68c0    .........."..4h.
	 144: e008 d7e8 cca4 af88 da90 2b45 dc13 57b9    ..........+E..W.
	 160: 3a0a e3f8 5a98 fddb 5039 62bc 1858 ecd5    :...Z...P9b..X..
	 176: 0f5c fcd6 a150 7bf0 0782 d337 8cf6 8de1    .\...P{....7....
	 192: 5e81 481f b921 9054 d74a 0160 e9a4 0522    ^.H..!.T.J.`..."
	 208: 8d85 f55d 9576 f819 6515 c010 8d22 d0a4    ...].v..e...."..
	 224: e685 0b00 ebd9 cb9b 4079 dcd1 1195 5690    ........@y....V.
	 240: 9d07 846b a8e0 f022 c33d 7412 5065 3bc5    ...k...".=t.Pe;.
	 256: 0be5 7f98 9cb5 f5cb 8452 aa0a dfa7 cfb3    .........R......
	 272: e9eb a607 03a8 59c9 dc62 903c b289 dd13    ......Y..b.<....
	 288: b20f 612d 1603 c335 2705 61ce af13 b792    ..a-...5'.a.....
	 304: 442e 5a19 59fb d867 377e 34f3 b43d f8e3    D.Z.Y..g7~4..=..
	 320: ff0a 2937 d04c 1b22 0213 5227 57f1 ba26    ..)7.L."..R'W..&
	 336: 44e0 5e52 2f79 41d9 a494 cee6 bd76 f8e0    D.^R/yA......v..
	 352: ecd1 4b98 0e91 7b09 321e 97b1 26ef 3cdc    ..K...{.2...&.<.
	 368: 7211 7ae3 b71c 3bb0 c1b0 2e91 93e2 2b37    r.z...;.......+7
	 384: a1de 76ca f736 70c4 4987 b39f 71e9 736f    ..v..6p.I...q.so
	 400: fc6e 433e 5f2f f283 06b6 cf1b 96f8 b447    .nC>_/.........G
	 416: af39 1d95 6fe7 4173 e554 2d77 c9b8 df88    .9..o.As.T-w....
	 432: 48d2 843e 67cb 54a2 93c8 8bad b24c 1e40    H..>g.T......L.@
	 448: 64aa 7f75 5fec a0c6 4d58 de19 ec68 25d3    d..u_...MX...h%.
	 464: af93 6f26 e12f 180b f0c0 87b6 7df6         ..o&./......}.

...

172.17.0.101 -> 172.17.0.201 NFS R CB_NULL

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 0050 ea7c 4000 4006 0000 ac11 0065 ac11    .P.|@.@......e..
	  32: 00c9 b385 ed12 c833 5144 9614 5a3c 8018    .......3QD..Z<..
	  48: 8026 5993 0000 0101 080a 07b7 8b1d 07b7    .&Y.............
	  64: 8b1a 8000 0018 627d 0f68 0000 0001 0000    ......b}.h......
	  80: 0000 0000 0000 0000 0000 0000 0000         ..............

172.17.0.201 -> 172.17.0.101 TCP D=45957 S=60690 Ack=3358806368 Seq=2517916220 Len=0 Win=32806 Options=<nop,nop,tstamp 129469213 129469213>

	   0: 0208 20ea 4c3d 0208 20e4 7813 0800 4500    .. .L=.. .x...E.
	  16: 0034 f58a 4000 4006 ebe8 ac11 00c9 ac11    .4..@.@.........
	  32: 0065 ed12 b385 9614 5a3c c833 5160 8010    .e......Z<.3Q`..
	  48: 8026 cd1f 0000 0101 080a 07b7 8b1d 07b7    .&..............
	  64: 8b1d                                       ..

172.17.0.101 -> 172.17.0.201 TCP D=2049 S=1023 Ack=757019588 Seq=1181196406 Len=0 Win=32806 Options=<nop,nop,tstamp 129469216 129469211>

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 0034 ea7d 4000 4006 0000 ac11 0065 ac11    .4.}@.@......e..
	  32: 00c9 03ff 0801 4667 a076 2d1f 33c4 8010    ......Fg.v-.3...
	  48: 8026 5977 0000 0101 080a 07b7 8b20 07b7    .&Yw......... ..
	  64: 8b1b                                       ..


root@host1:~#

And now using the clear text mount point.

root@host1:~# snoop -d net0 -r -x 0 host zfs1 &
[1] 21593
root@host1:~# Using device net0 (promiscuous mode)

root@host1:~# cat /net/zfs1/clear/fox.txt
The quick brown fox jumps over the lazy dog.
...

172.17.0.201 -> 172.17.0.101 NFS R 4 (read        ) NFS4_OK PUTFH NFS4_OK READ NFS4_OK (45 bytes) EOF

	   0: 0208 20ea 4c3d 0208 20e4 7813 0800 4500    .. .L=.. .x...E.
	  16: 00b0 f594 4000 4006 eb62 ac11 00c9 ac11    ....@.@..b......
	  32: 0065 0801 03ff 2d1f 3ba8 4667 a8d2 8018    .e....-.;.Fg....
	  48: 8026 f4c5 0000 0101 080a 07b7 9377 07b7    .&...........w..
	  64: 9377 8000 0078 917d 0f68 0000 0001 0000    .w...x.}.h......
	  80: 0000 0000 0000 0000 0000 0000 0000 0000    ................
	  96: 0000 0000 000c 7265 6164 2020 2020 2020    ......read     
	 112: 2020 0000 0002 0000 0016 0000 0000 0000      ..............
	 128: 0019 0000 0000 0000 0001 0000 002d 5468    .............-Th
	 144: 6520 7175 6963 6b20 6272 6f77 6e20 666f    e quick brown fo
	 160: 7820 6a75 6d70 7320 6f76 6572 2074 6865    x jumps over the
	 176: 206c 617a 7920 646f 672e 0a00 0000          lazy dog.....

...

172.17.0.101 -> 172.17.0.201 TCP D=2049 S=1023 Ack=757021992 Seq=1181198770 Len=0 Win=32806 Options=<nop,nop,tstamp 129471358 129471351>

	   0: 0208 20e4 7813 0208 20ea 4c3d 0800 4500    .. .x... .L=..E.
	  16: 0034 ea89 4000 4006 0000 ac11 0065 ac11    .4..@.@......e..
	  32: 00c9 03ff 0801 4667 a9b2 2d1f 3d28 8010    ......Fg..-.=(..
	  48: 8026 5977 0000 0101 080a 07b7 937e 07b7    .&Yw.........~..
	  64: 9377                                       .w


root@host1:~#

In both cases, because I let automounter time out and a new mount is initiated in each case, the are so many packets it is hard to know which is doing what. However, in the case of reading the file on /clear the "quick brown fox" text is clearly visibale. Your own tests and snoop output should make this difference very clear.

By default, the mounts use NFS version 4 (NFSv4). You can mount stating you want version 3. The results will be the same.

Additional NFS Client Configuration Options

root@host1:~# mount -o vers=3 zfs1:/secure /mnt
root@host1:~#

And as a reminder you can force mounts to use version 3 on either a client or a server using the sharectl(1M) command.

root@host1:~# sharectl get -p client_versmax nfs
client_versmax=4
root@host1:~#
root@host1:~# sharectl set -p client_versmax=3 nfs
root@host1:~# sharectl get -p client_versmax nfs
client_versmax=3
root@host1:~#

Summary and Next Step

This completes the Secure NFS setup. One option is to co-located the KDC and NFS server. Either go to Combining KDC and NFS Server or back to the introduction.

Secure NFS: Step 4--Combining the KDC and NFS Server

Combining the KDC and NFS Server

When I asked my customer about their availability requirements, they stated that they only need a few NFS clients with encrypted traffic. They would like to keep the setup simple, and therefore combine the KDC and NFS server. They are using Oracle Solaris Cluster for availability, and by putting both services in a single Solaris Zone, can meet their availability requirements with Oracle Solaris Cluster managing the Solaris Zone startup and failover.

So I looked into whether this is a good idea, and I was informed that this is fully supported and tested. They way to do this is to make the KDC a client of itself.

Making the KDC a Kerberos Client

root@kdc1:~# kclient -p /net/kdc1/share/krb5/kcprofile

Starting client setup

---------------------------------------------------

Setting up /etc/krb5/krb5.conf.

Copied /net/kdc1.steffentw.com/share/krb5/krb5.conf to /system/volatile/kclient/kclient-krb5conf.mmayyQ.
Obtaining TGT for kws/admin ...
Password for kws/admin@STEFFENTW.COM:
kinit:  no ktkt_warnd warning possible

nfs/kdc1.steffentw.com entry ADDED to KDC database.
nfs/kdc1.steffentw.com entry ADDED to keytab.

host/kdc1.steffentw.com entry already exists in KDC database.
host/kdc1.steffentw.com entry already present in keytab.
host/kdc1.steffentw.com entry ADDED to keytab.

---------------------------------------------------
Setup COMPLETE.

root@kdc1:~#
root@kdc1:~# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kdc1.steffentw.com@STEFFENTW.COM
   3 host/kdc1.steffentw.com@STEFFENTW.COM
   3 host/kdc1.steffentw.com@STEFFENTW.COM
   3 host/kdc1.steffentw.com@STEFFENTW.COM
   2 nfs/kdc1.steffentw.com@STEFFENTW.COM
   2 nfs/kdc1.steffentw.com@STEFFENTW.COM
   2 nfs/kdc1.steffentw.com@STEFFENTW.COM
   2 nfs/kdc1.steffentw.com@STEFFENTW.COM
root@kdc1:~#

Creating Secured NFS Share

Then create a new mount point and put some data into it.

root@kdc1:~# zfs create -o mountpoint=/secure -o share.nfs=on -o share.nfs.sec=krb5p rpool/secure
root@kdc1:~#
root@kdc1:~# share
rpool_share     /share  nfs     sec=sys,rw     
rpool_secure    /secure nfs     sec=krb5p,rw   
root@kdc1:~#
root@kdc1:~# cp /net/zfs1/secure/fox.txt /secure/
root@kdc1:~#
root@kdc1:~# cat /secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@kdc1:~#

Back on the client, read the file on the KDC, with snoop running to show data is encrypted. And since the maximum client version was set to version 3, the snoop shows that as well.

root@host1:~# snoop -d net0 -r host kdc1 &
[1] 21825
root@host1:~# Using device net0 (promiscuous mode)

root@host1:~# cat /net/kdc1/secure/fox.txt
The quick brown fox jumps over the lazy dog.
root@host1:~# 172.17.0.101 -> 172.17.0.251 TCP D=2049 S=1022 Syn Seq=597683294 Len=0 Win=32804 Options=<mss 1460,sackOK,tstamp 129789256 0,nop,wscale 5>
172.17.0.251 -> 172.17.0.101 TCP D=1022 S=2049 Syn Ack=597683295 Seq=1916087307 Len=0 Win=32806 Options=<sackOK,tstamp 129789256 129789256,mss 1460,nop,wscale 5>
172.17.0.101 -> 172.17.0.251 TCP D=2049 S=1022 Ack=1916087308 Seq=597683295 Len=0 Win=32806 Options=<nop,nop,tstamp 129789256 129789256>
172.17.0.101 -> 172.17.0.251 RPC RPCSEC_GSS C NFS ver(3) proc(1) (data encrypted)
172.17.0.251 -> 172.17.0.101 TCP D=1022 S=2049 Ack=597683495 Seq=1916087308 Len=0 Win=32806 Options=<nop,nop,tstamp 129789257 129789257>
172.17.0.251 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(3) proc(1) (data encrypted)
172.17.0.101 -> 172.17.0.251 TCP D=2049 S=1022 Ack=1916087520 Seq=597683495 Len=0 Win=32806 Options=<nop,nop,tstamp 129789259 129789259>
172.17.0.101 -> 172.17.0.251 RPC RPCSEC_GSS C NFS ver(3) proc(4) (data encrypted)
172.17.0.251 -> 172.17.0.101 TCP D=1022 S=2049 Ack=597683699 Seq=1916087520 Len=0 Win=32806 Options=<nop,nop,tstamp 129789259 129789259>
172.17.0.251 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(3) proc(4) (data encrypted)
172.17.0.101 -> 172.17.0.251 TCP D=2049 S=1022 Ack=1916087740 Seq=597683699 Len=0 Win=32806 Options=<nop,nop,tstamp 129789259 129789259>
172.17.0.101 -> 172.17.0.251 RPC RPCSEC_GSS C NFS ver(3) proc(1) (data encrypted)
172.17.0.251 -> 172.17.0.101 RPC RPCSEC_GSS R NFS ver(3) proc(1) (data encrypted)
172.17.0.101 -> 172.17.0.251 TCP D=2049 S=1022 Ack=1916087952 Seq=597683899 Len=0 Win=32806 Options=<nop,nop,tstamp 129789266 129789259>

root@host1:~#

Summary and Next Step

That is everything, I hope. Here you can quickly go back to the introduction.

Wednesday Jun 08, 2011

ZFS zpool and file system version numbers and features

Often enough I have had to check the version of a ZFS pool or file system version. Sometimes, I am curious where a specific feature was delivered. So I imagine this could be useful for others. (Updated 21 Feb 2012 for Solaris 10 8/11 and Solaris 11.)

One note is that ZFS versions are backward compatible, which means that a kernel with a newer version can import an older version. The reverse is not true. So it is important to know what the oldest kernel version you might want to attach a pool to is, and make sure you don't upgrade your pool or file system to something newer. This table may help with that as well.

Note: This table is sorted by pool version, then file system version. The availability dates of the releases are not chronological, as a feature delivered in a version of Solaris 11 may be delivered in later Solaris 10 update.

delivered in zpool version zfs version features comments
Solaris 11 11/11 33 5
  • Encryption
  • Label support for Trusted Extensions
Solaris 11 Express 2010.11 31 5
  • deduplication
  • diff for snapshots
  • read-only pool import
  • pool import with missing log device
Solaris 10 8/11 29 5
  • ZFS installation with Flash Archives (not really a ZFS feature)
  • ZFS send will include file system properties
  • ZFS diff
  • Pool import with missing log device
  • Pool import as read-only
  • Synchronous writes
  • ACL improvements
  • Improvements in pool messages
Solaris 10 9/10 22 4
  • triple parity RAID-Z (raidz3)
  • logbias property
  • pool recovery
  • mirror splitting
  • device replacement enhancements
  • ZFS system process
Solaris 10 10/09 10 3
  • ZFS with flash installation
  • user and group quotas
  • ZFS cache devices (L2ARC)
  • set ZFS properties at file system creation
  • primarycache and secondarycache properties
  • log device recovery
Solaris 10 5/09 10 3
  • zone clone creates ZFS clone
Solaris 10 10/08 10 3
  • separate ZIL log devices
  • ZFS boot/root file system
  • zone on ZFS
  • recursive snapshot renaming
  • snapshot rollback improvements
  • snapshot send improvements
  • gzip compression
  • multiple user data copies

  • quotas and reservations can exclude snapshots/clones
  • failure mode options
  • ZFS upgrade option
  • delegated administration
In Solaris 10 10/08 and later, zpool and zfs have the version option. It shows the version of the pool or file system, even if it is an older ZFS pool.
Solaris 10 5/08 4 1 Pool version determined using zdb(1M) on Solaris 10 5/08
Solaris 10 8/07 4 1
  • iSCSI support
  • zpool history
  • ability to set properties when creating file system
Pool version determined using zdb(1M) on Solaris 10 8/07
Solaris 10 11/06 3 1
  • recursive snapshots
  • double parity RAID-Z (raidz2)
  • clone promotion
Pool version determined using zdb(1M) on Solaris 10 11/06
Solaris 10 6/06 2 1
  • pool upgrade
  • restore of destroyed pool
  • integration into Solaris FMA
  • file system monitoring (fsstat)
Initial release of ZFS in Solaris 10

Pool version determined using zdb(1M) on Solaris 10 6/06

The details of all the ZFS features introduced in the Solaris 10 updates are listed in Chapter 1 of the ZFS Administration Guide and for Solaris 11 Express in its ZFS Administration Guide.

Hope this helps!

Steffen

Tuesday Nov 23, 2010

Getting GDM to work on text Solaris 11 Express 2010.11 installs

One of the features of Solaris 11 Express is to install into a ZFS pool, which allows updates to be easily managed using ZFS snapshots and clones. The LiveCD install, however, does not offer the option to save space for another ZFS pool. I prefer to have a separate pool for data, even on my single-disk laptop. The only way to do that as I can tell is to install using the text installer. One side effect of the test installer is that it does not install everything necessary to run a GUI desktop, which is very handy on a laptop.

Thanks to some replies to an internal question I posted, there is a relatively easy way to add the necessary packages to allow GDM and related tools to work. I have used them several times, and this writeup describes them.

The initial text based install put 494 packages on the system.

Solaris 11 Express 2010.11# pkg list | wc -l
495
Solaris 11 Express 2010.11# pkg list | head
NAME (PUBLISHER)                              VERSION         STATE      UFOXI
SUNWcs                                        0.5.11-0.151.0.1 installed  -----
SUNWcsd                                       0.5.11-0.151.0.1 installed  -----
archiver/gnu-tar                              1.23-0.151.0.1  installed  -----
compress/bzip2                                1.0.6-0.151.0.1 installed  -----
compress/gzip                                 1.3.5-0.151.0.1 installed  -----
compress/p7zip                                4.55-0.151.0.1  installed  -----
compress/unzip                                5.53.7-0.151.0.1 installed  -----
compress/zip                                  2.32-0.151.0.1  installed  -----
consolidation/SunVTS/SunVTS-incorporation     0.5.11-0.151.0.1 installed  -----
To add the required packages to the system, the slim_install package has to be added. This adds an additional 390 packages to the system.
Solaris 11 Express 2010.11# pkg install slim_install
               Packages to install:   390
           Create boot environment:    No
               Services to restart:    10
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              390/390 42204/42204  410.5/410.5

PHASE                                        ACTIONS
Install Phase                            67952/67952

PHASE                                          ITEMS
Package State Update Phase                   390/390
Image State Update Phase                         2/2
After this, I did a reboot, just to make sure. Then I uninstalled the slim_install package, which removed only that one. The other 389 packages must have been dependencies of slim_install.
Solaris 11 Express 2010.11# pkg uninstall slim_install
                Packages to remove:     1
           Create boot environment:    No
PHASE                                        ACTIONS
Removal Phase                                828/828

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2
Once I enable GDM, the screen show action and shortly I have the familiar GUI login prompt.
Solaris 11 Express 2010.11# svcs gdm
STATE          STIME    FMRI
disabled       12:26:40 svc:/application/graphical-login/gdm:default

Solaris 11 Express 2010.11# svcadm enable gdm

Solaris 11 Express 2010.11# svcs gdm
STATE          STIME    FMRI
online         12:38:11 svc:/application/graphical-login/gdm:default
I hope this helps others. I certainly know where to look when I have to do this again!

Steffen

[Updated 2010.11.23]

First, I'd like to acknowledge Keith Mitchell who provided me with the suggestion to do the install and uninstall of the slim_install package.

Second, in the process of checking in with Keith, he suggested taking care when doing the above operations while logged in on the console. If you leave yourself logged in at the console when GDM starts, there are small possibilities of certain devices not being configured properly when logging into gnome, due to how logindevperm works. Suggestions include:

svcadm enable gdm && exit
or
svcadm enable gdm; exit
I did this remotely, at least the most recent time, to capture the output for this blog. I did not notice any effects when I had done this the first time on a different system, however, I might have reboot at that point anyway.

Thanks again to Keith for his tips!

Friday Oct 15, 2010

New privilege added to the 'basic' Least Privilege set

Oracle Solaris 10 9/10 (update 9) has added another privilege to the basic set of privileges, the set that all unprivileged (non-root) users have by default.

With Least Privileges, a non-root process by default has the ability to get process information, create and delete files, fork and exec, and now separately open TCP or UDP end points. The ppriv(1) command prints the list of privileges.

Solaris 10 9/10# ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session
net_access
A verbose listing includes basic descriptions, which are also described in privileges(5).

Solaris 10 9/10# ppriv -lv basic
file_link_any
       Allows a process to create hardlinks to files owned by a uid
       different from the process' effective uid.
proc_exec
       Allows a process to call execve().
proc_fork
       Allows a process to call fork1()/forkall()/vfork()
proc_info
       Allows a process to examine the status of processes other
       than those it can send signals to.  Processes which cannot
       be examined cannot be seen in /proc and appear not to exist.
proc_session
       Allows a process to send signals or trace processes outside its
       session.
net_access
       Allows a process to open a TCP or UDP network endpoint.
With the addition of the net_access privilege, it is now possible to prevent a process from creating sockets and network end points, isolating the process from the network. By default, processes have this privilege, so any action would be to remove it.

To demonstrate this I am using the ppriv command to limit the privilege of a command and see with the debug flag what is happening.

Even as an unprivileged user I can see if a specific IP address is in use with the ping command. So lets see what happens when I don't have the net_access privilege. I am doing this as a basic user.

Solaris 10 9/10$ ppriv -D -s I-net_access -e /usr/sbin/ping 172.16.1.1
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1
Since I am forking a process with the -e option, I limit the I (inherited) privilege set with the net_access removed. The debug output shows that its net_access that is missing, and it happens three time.

To see how it would look with the privilege, I run the same command with the basic set inherited.

Solaris 10 9/10$ ppriv -D -s I=basic -e /usr/sbin/ping 172.16.1.1
172.16.1.1 is alive 
Everything worked, and no debug output.

Its a good idea to use predefined sets such as basic, so that changes in the set don't affects script in the future.

Steffen

About

Stw-Oracle

Search

Categories
Archives
« June 2016
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
  
       
Today