February 2009 Archives

February 11, 2009

Wrangling Solaris Zone Consoles

After running several zones in production for a while, I wanted a better way to log things like console messages, since some things will still occasionally spit them out. For a little while I tried using screen with a bunch of open windows running zlogin to each zone, but I settled on conserver, since it's very well suited to handling access to multiple consoles.

You can download both my sample config file and SMF manifest here.

At first I looked into the method that zlogin itself uses when connecting to the zone console, which talks over a unix domain socket to zoneadmd after a short handshake. But that has a couple of issues, one of which is that it's not a supported interface and could change at some point in the future. Also, if zoneadmd is not yet running, zlogin handles starting it, which establishes the console socket:

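# Template for zone consoles: conserver runs zlogin for each one
default zlogin {
    type exec;
    host localhost;
    # -C attaches to the zone console, -E disables the zlogin escape sequence
    exec /usr/sbin/zlogin -CE &;
    # replace "&" in the exec line with the console name
    execsubst &=cs;
}
# One entry per zone; the include must name the default block defined above
console web { include zlogin; }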

Instead I stuck with zlogin itself, using -E so that it is not possible to escape out of the zlogin command. Now conserver launches zlogin and keeps control of the zone's console for as long as it is running. This does leave a few extra processes around, since a shell is forked for each zone, which then runs zlogin.
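A small lint for this kind of config, added here as an example and not part of my sample config or of conserver itself: it flattens each console's includes and reports zlogin consoles started without -C or -E, plus includes that name no defined default. The sample config and its console names are constructed, and the parser assumes simple non-nested blocks with "#" comments.

```python
import re

# Constructed sample in conserver.cf syntax; console and default names are made up.
SAMPLE_CF = """
default zlogin { type exec; exec /usr/sbin/zlogin -CE &; execsubst &=cs; }
default escapable { type exec; exec /usr/sbin/zlogin -C &; execsubst &=cs; }
console web  { include zlogin; }
console db   { include escapable; }      # escape sequence still enabled
console mail { include zlogin-bigbox; }  # no such default block
"""

BLOCK = re.compile(r"\b(default|console)\s+(\S+)\s*\{(.*?)\}", re.S)

def parse(cf_text):
    """Map (kind, name) -> [(key, value), ...] for default/console blocks."""
    blocks = {}
    for kind, name, body in BLOCK.findall(re.sub(r"#.*", "", cf_text)):
        items = [item.split(None, 1) for item in body.split(";") if item.strip()]
        blocks[kind, name] = [(i[0], i[1].strip() if len(i) > 1 else "") for i in items]
    return blocks

def effective(blocks, key, seen=()):
    """Flatten one block, following 'include'; return (settings, unresolved)."""
    settings, unresolved = {}, []
    for k, v in blocks[key]:
        if k != "include":
            settings[k] = v
        elif ("default", v) not in blocks or v in seen:
            unresolved.append(v)
        else:
            inherited, more = effective(blocks, ("default", v), seen + (v,))
            settings.update(inherited)
            unresolved += more
    return settings, unresolved

def lint(cf_text):
    """Return (console, finding) pairs, ordered by console name."""
    blocks, findings = parse(cf_text), []
    for kind, name in sorted(b for b in blocks if b[0] == "console"):
        settings, unresolved = effective(blocks, (kind, name))
        findings += [(name, f"undefined default '{d}'") for d in unresolved]
        argv = settings.get("exec", "").split()
        if any(a.endswith("zlogin") for a in argv):
            flags = "".join(a[1:] for a in argv if a.startswith("-"))
            findings += [(name, f"zlogin without -{f}") for f in "CE" if f not in flags]
    return findings

if __name__ == "__main__":
    for console, finding in lint(SAMPLE_CF):
        print(f"{console}: {finding}")
```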

The SMF manifest supports authorizations, so a non-root user can manage the service. I've been creating my own authorizations separate from the solaris.* namespace. The trick is adding "toplevel.*,toplevel.grant" to root's auths in /etc/user_attr:

# tail -4 /etc/security/auth_attr
seppuku.:::All Seppuku Authorizations::
seppuku.grant:::Grant All Seppuku Authorizations::
seppuku.smf.manage.conserver:::Manage Console Server Service::
seppuku.smf.modify.conserver:::Modify Console Server Properties::
# usermod -A seppuku.smf.manage.conserver ivan

One possible addition would be to run the service as a separate user with a new RBAC profile that allows that user to run zlogin only. The default Solaris "Zone Management" profile also allows the use of zonecfg and zoneadm.

About February 2009

This page contains all entries posted to Here's A Nickel, Kid in February 2009. They are listed from oldest to newest.
