#!/bin/ksh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2014 Garrett D'Amore
#
#
# This script provides a simple GUI for managing labeled zones.
# It provides contextual menus which provide appropriate choices.
# It must be run in the global zone as root.
# These arguments are accepted, and will result in non-interactive
# (text-only) mode:
#
# txzonemgr [-c | -d[f]]
#
# -c create default zones
# -d destroy all zones; prompts for confirmation unless
# the -f flag is also specified
# -f force
#
# DISP - use GUI (otherwise use non-interactive mode)
DISP=1
# CREATEDEF - make default zones (non-interactive)
CREATEDEF=0
# DESTROYZONES - tear down all zones (non-interactive)
DESTROYZONES=0
# FORCE - force
FORCE=0
NSCD_PER_LABEL=0
NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
if [ -f $NSCD_INDICATOR ] ; then
NSCD_PER_LABEL=1
fi
myname=$(basename $0)
TXTMP=/tmp/txzonemgr
TNRHTP=/etc/security/tsol/tnrhtp
TNRHDB=/etc/security/tsol/tnrhdb
TNZONECFG=/etc/security/tsol/tnzonecfg
PUBZONE=public
INTZONE=internal
PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
title="Labeled Zone Manager 2.1"
msg_defzones=$(gettext "Create default zones using default settings?")
msg_confirmkill=$(gettext "OK to destroy all zones?")
msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
msg_getlabel=$(gettext "Select a label for the")
msg_getremote=$(gettext "Select a remote host or network from the list below:")
msg_getnet=$(gettext "Select a network configuration for the")
msg_getzone=$(gettext "Select a zone from the list below:
(select global for zone creation and shared settings)")
msg_getcmd=$(gettext "Select a command from the list below:")
msg_inuse=$(gettext "That label is already assigned\nto the")
msg_getmin=$(gettext "Select the minimum network label for the")
msg_getmax=$(gettext "Select the maximum network label for the")
msg_badip=$(gettext " is not a valid IP address")
process_options()
{
typeset opt optlist
optlist='cdf'
while getopts ":$optlist" opt
do
case $opt in
c) CREATEDEF=1
DISP=0
;;
d) DESTROYZONES=1
DISP=0
;;
f) FORCE=1
;;
*) gettext "invalid option -$OPTARG\n"
usage
return 2
;;
esac
done
if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
gettext "cannot combine options -c and -d\n"
usage
return 2
fi
if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
gettext "option -f not allowed with -c\n"
usage
return 2
fi
if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
gettext "option -f specified without any other options\n"
usage
return 2
fi
shift $((OPTIND - 1))
if [ "x$1" != "x" ] ; then
usage
return 2
fi
return 0
}
usage() {
gettext "usage: $myname [-c | -d[f]]\n"
}
consoleCheck() {
if [ $zonename != global ] ; then
zconsole=$(pgrep -f "zlogin -C $zonename")
if [ $? != 0 ] ; then
console="Zone Console...\n"
fi
fi
}
labelCheck() {
hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
if [[ $hexlabel ]] ; then
label=
if [ $zonename = global ] ; then
template="admin_low"
addcipsohost="Add Multilevel Access to Remote Host...\n"
removecipsohost="Remove Multilevel Access to Remote Host...\n"
setmlps="Configure Multilevel Ports...\n"
else
template=${zonename}_unlab
addcipsohost=
removecipsohost=
setmlps=
net=$(zonecfg -z $zonename info net)
if [[ -n $net ]] ; then
setmlps="Configure Multilevel Ports...\n"
elif [ $zonestate = configured ] ; then
addnet="Configure Network Interfaces...\n"
fi
fi
addremotehost="Add Single-level Access to Remote Host...\n"
remotes=$(grep -v "^#" $TNRHDB|grep $template)
if [ $? = 0 ] ; then
removeremotehost="Remove Single-level Access to Remote Host...\n"
else
removeremotehost=
fi
else
label="Select Label...\n"
addremotehost=
removeremotehost=
addcipsohost=
removecipsohost=
setmlps=
fi
}
cloneCheck() {
set -A zonelist
integer clone_cnt=0
for p in $(zoneadm list -ip) ; do
z=$(echo "$p"|cut -d : -f2)
s=$(echo "$p"|cut -d : -f3)
if [ $z = $zonename ] ; then
continue
elif [ $s = "installed" ] ; then
zonelist[clone_cnt]=$z
clone_cnt+=1
fi
done
if [ $clone_cnt -gt 0 ] ; then
clone="Clone...\n"; \
fi
}
relabelCheck() {
macstate=$(zonecfg -z $zonename info|grep win_mac_write)
if [[ -n $macstate ]] ; then
permitrelabel="Deny Relabeling\n"
else
permitrelabel="Permit Relabeling\n"
fi
}
autobootCheck() {
bootmode=$(zonecfg -z $zonename info autoboot)
if [[ $bootmode == 'autoboot: true' ]] ; then
autoboot="Set Manual Booting\n"
else
autoboot="Set Automatic Booting\n"
fi
}
newZone() {
if [[ ! -n $zonename ]] ; then
zonename=$(zenity --entry \
--title="$title" \
--width=330 \
--entry-text="" \
--text="Enter Zone Name: ")
if [[ ! -n $zonename ]] ; then
zonename=global
return
fi
fi
zonecfg -z $zonename "create -t SUNWtsoldef;\
set zonepath=/zone/$zonename"
}
removeZoneBEs() {
delopt=$*
zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
if [ $? = 0 ] ; then
for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
zfs destroy $delopt $zbe
done
fi
}
updateTemplate () {
if [ $hostType = cipso ] ; then
template=${zonename}_cipso
deflabel=
else
template=${zonename}_unlab
deflabel="def_label=${hexlabel};"
fi
tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
if [ $? -eq 0 ] ; then
sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
mv $TXTMP/tnrhtp.$$ $TNRHTP
fi
print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
tnctl -t $template
}
setTNdata () {
tnzline="$zonename:${hexlabel}:0::"
grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
if [ $? -eq 1 ] ; then
print "$tnzline" >> $TNZONECFG
fi
#
# Add matching entries in tnrhtp if necessary
#
minlabel=admin_low
maxlabel=admin_high
hostType=cipso
updateTemplate
hostType=unlabeled
updateTemplate
}
selectLabel() {
hexlabel=$(tgnome-selectlabel \
--title="$title" \
--text="$msg_getlabel $zonename zone:" \
--min="${DEFAULTLABEL}" \
--default="${DEFAULTLABEL}" \
--max=$(chk_encodings -X) \
--accredcheck=yes \
--mode=sensitivity \
--format=internal)
if [ $? = 0 ] ; then
x=$(grep -i :{$hexlabel}: $TNZONECFG)
if [ $? = 0 ] ; then
z=$(print $x|cut -d : -f1)
x=$(zenity --error \
--title="$title" \
--text="$msg_inuse $z zone.")
else
setTNdata
fi
fi
}
getLabelRange() {
deflabel=$(hextoalabel $hexlabel)
minlabel=$(tgnome-selectlabel \
--title="$title" \
--text="$msg_getmin $zonename zone:" \
--min="${DEFAULTLABEL}" \
--max="$deflabel" \
--default="$hexlabel" \
--accredcheck=no \
--mode=sensitivity \
--format=internal)
[ $? != 0 ] && return
maxlabel=$(tgnome-selectlabel \
--title="$title" \
--text="$msg_getmax $zonename zone:" \
--min="$deflabel" \
--max=$(chk_encodings -X) \
--default="$hexlabel" \
--accredcheck=no \
--mode=sensitivity \
--format=internal)
[ $? != 0 ] && return
hostType=cipso
updateTemplate
}
encryptionValues() {
echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
}
getPassphrase() {
pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
--width=330 --hide-text)
pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
--width=330 --hide-text)
if [[ "$pass1" != "$pass2" ]]; then
zenity --error --title="$title" \
--text="Passphrases do not match"
return ""
fi
file=$(mktemp)
echo "$pass1" > $file
echo "$file"
}
createZDSET() {
options=$1
pool=${2%%/*}
# First check if ZFS encrytption support is available
pversion=$(zpool list -H -o version $pool)
cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
if (( cversion == 0 || pversion < cversion )); then
zfs create $options $ZDSET
return
fi
encryption=$(zenity --list --title="$title" --height=320 \
--text="Select cipher for encryption of all labels:" \
--column="encryption" $(encryptionValues))
if [[ $? != 0 || $encryption == "off" ]]; then
zfs create $options $ZDSET
return
fi
format=$(zenity --list --title="$title" \
--text "Select encryption key source:" \
--column="Key format and location" \
"Passphrase" "Generate Key in file")
[ $? != 0 ] && exit
if [[ $format == "Passphrase" ]]; then
file=$(getPassphrase)
if [[ $file == "" ]]; then
exit
fi
keysource="passphrase,file://$file"
removefile=1;
elif [[ $format == "Generate Key in file" ]]; then
file=$(zenity --file-selection \
--title="$title: Location of key file" \
--save --confirm-overwrite)
[ $? != 0 ] && exit
if [[ $encryption == "on" ]]; then
keylen=128
else
t=${encryption#aes-} && keylen=${t%%-*}
fi
pktool genkey keystore=file keytype=aes \
keylen=$keylen outkey=$file
keysource="raw,file:///$file"
fi
options="$options -o encryption=$encryption -o keysource=$keysource"
zfs create $options $ZDSET
if (( removefile == 1 )); then
zfs set keysource=passphrase,prompt $ZDSET
rm $file
fi
}
initialize() {
zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
ZONE_ETC_DIR=$zonepath/root/etc
SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
if [ -f /var/ldap/ldap_client_file ] ; then
ldapaddress=$(ldapclient list | \
grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
print "name_service=LDAP {" > ${SYSIDCFG}
domain=$(domainname)
print "domain_name=$domain" >> ${SYSIDCFG}
profName=$(ldapclient list | \
grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
proxyPwd=$(ldapclient list | \
grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
proxyDN=$(ldapclient list | \
grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
if [ "$proxyDN" ] ; then
print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
fi
print "profile=$profName" >> ${SYSIDCFG}
print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
else
print "name_service=NONE" > ${SYSIDCFG}
fi
print "security_policy=NONE" >> ${SYSIDCFG}
locale=$(locale|grep LANG | cut -d "=" -f2)
if [[ -z $locale ]] ; then
locale="C"
fi
print "system_locale=$locale" >> ${SYSIDCFG}
timezone=$(grep "^TZ" /etc/default/init|cut -d "=" -f2)
print "timezone=$timezone" >> ${SYSIDCFG}
print "terminal=vt100" >> ${SYSIDCFG}
rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
# There are two problems with setting the root password:
# The zone's shadow file may be read-only
# The password contains unparsable characters
# so the following line is commented out until this is resolved.
#print "root_password=$rootpwd" >> ${SYSIDCFG}
print "nfs4_domain=dynamic" >> ${SYSIDCFG}
print "network_interface=PRIMARY {" >> ${SYSIDCFG}
net=$(zonecfg -z $zonename info net)
ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
if [ $ipType = exclusive ] ; then
hostname=$(zenity --entry \
--title="$title" \
--width=330 \
--text="${zonename}0: Enter Hostname or dhcp: ")
[ $? != 0 ] && return
if [ $hostname = dhcp ] ; then
print "dhcp" >> ${SYSIDCFG}
else
print "hostname=$hostname" >> ${SYSIDCFG}
ipaddr=$(getent hosts $hostname|cut -f1)
if [ $? != 0 ] ; then
ipaddr=$(zenity --entry \
--title="$title" \
--text="$nic: Enter IP address: " \
--entry-text a.b.c.d)
[ $? != 0 ] && return
validateIPaddr
if [[ -z $ipaddr ]] ; then
return
fi
fi
print "ip_address=$ipaddr" >> ${SYSIDCFG}
getNetmask
print "netmask=$nm" >> ${SYSIDCFG}
print "default_route=none" >> ${SYSIDCFG}
template=${zonename}_cipso
cidr=32
updateTnrhdb
fi
elif [[ -n $net ]] ; then
hostname=$(hostname)
hostname=$(zenity --entry \
--title="$title" \
--width=330 \
--text="Enter Hostname: " \
--entry-text $hostname)
[ $? != 0 ] && return
print "hostname=$hostname" >> ${SYSIDCFG}
ipaddr=$(getent hosts $hostname|cut -f1)
if [ $? = 0 ] ; then
print "ip_address=$ipaddr" >> ${SYSIDCFG}
fi
else
getAllZoneNICs
for i in ${aznics[*]} ; do
ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
done
print "hostname=$(hostname)" >> ${SYSIDCFG}
print "ip_address=$ipaddr" >> ${SYSIDCFG}
fi
print "protocol_ipv6=no }" >> ${SYSIDCFG}
cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
}
clone() {
image=$1
if [[ -z $image ]] ; then
msg_clone=$(gettext "Clone the $zonename zone using a
snapshot of one of the following halted zones:")
image=$(zenity --list \
--title="$title" \
--text="$msg_clone" \
--height=300 \
--width=330 \
--column="Installed Zones" ${zonelist[*]})
fi
if [[ -n $image ]] ; then
removeZoneBEs
zoneadm -z $zonename clone $image
if [ $NSCD_PER_LABEL = 0 ] ; then
sharePasswd $zonename
else
unsharePasswd $zonename
fi
ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
if [ $ipType = exclusive ] ; then
zoneadm -z $zonename ready
zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
sys-unconfig -R $zonepath/root 2>/dev/null
initialize
zoneadm -z $zonename halt
fi
fi
}
install() {
removeZoneBEs
if [ $DISP -eq 0 ] ; then
gettext "installing zone $zonename ...\n"
zoneadm -z $zonename install
else
# sleep is needed here to avoid occasional timing
# problem with gnome-terminal display...
sleep 2
gnome-terminal \
--title="$title: Installing $zonename zone" \
--command "zoneadm -z $zonename install" \
--disable-factory \
--hide-menubar
fi
zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
if [ $zonestate != installed ] ; then
gettext "error installing zone $zonename.\n"
return 1
fi
if [ $NSCD_PER_LABEL = 0 ] ; then
sharePasswd $zonename
else
unsharePasswd $zonename
fi
zoneadm -z $zonename ready
zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
if [ $zonestate != ready ] ; then
gettext "error making zone $zonename ready.\n"
return 1
fi
initialize
zoneadm -z $zonename halt
}
delete() {
delopt=$*
# if there is an entry for this zone in tnzonecfg, remove it
# before deleting the zone.
tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
if [ -n "${tnzone}" ] ; then
sed -e "/^$zonename:/d" $TNZONECFG > \
$TXTMP/tnzonefg.$$ 2>/dev/null
mv $TXTMP/tnzonefg.$$ $TNZONECFG
fi
for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
tnctl -dh "$tnzone"
sed -e "/:${zonename}_unlab/d" $TNRHDB > \
$TXTMP/tnrhdb.$$ 2>/dev/null
mv $TXTMP/tnrhdb.$$ $TNRHDB
done
for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
tnctl -dt ${zonename}_unlab
sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
$TXTMP/tnrhtp.$$ 2>/dev/null
mv $TXTMP/tnrhtp.$$ $TNRHTP
done
for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
tnctl -dh "$tnzone"
sed -e "/:${zonename}_cipso/d" $TNRHDB > \
$TXTMP/tnrhdb.$$ 2>/dev/null
mv $TXTMP/tnrhdb.$$ $TNRHDB
done
for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
tnctl -dt ${zonename}_cipso
sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
$TXTMP/tnrhtp.$$ 2>/dev/null
mv $TXTMP/tnrhtp.$$ $TNRHTP
done
zonecfg -z $zonename delete -F
removeZoneBEs $delopt
for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
zfs destroy -R $snap
done
}
validateIPaddr () {
OLDIFS=$IFS
IFS=.
integer octet_cnt=0
integer dummy
set -A octets $ipaddr
IFS=$OLDIFS
if [ ${#octets[*]} == 4 ] ; then
while (( octet_cnt < ${#octets[*]} )); do
dummy=${octets[octet_cnt]}
if [ $dummy = ${octets[octet_cnt]} ] ; then
if (( dummy >= 0 && \
dummy < 256 )) ; then
octet_cnt+=1
continue
fi
else
x=$(zenity --error \
--title="$title" \
--text="$ipaddr $msg_badip")
ipaddr=
return
fi
done
else
x=$(zenity --error \
--title="$title" \
--text="$ipaddr $msg_badip")
ipaddr=
fi
}
getAllZoneNICs(){
integer count=0
for i in $(ifconfig -a4|grep "^[a-z].*:")
do
print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
[ $? -eq 1 ] && continue
i=${i%:} # Remove colon after interface name
for j in $(ifconfig $i)
do
case $j in
all-zones)
aznics[count]=$i
count+=1
;;
esac
done
done
}
getNetmask() {
cidr=
nm=$(zenity --entry \
--title="$title" \
--width=330 \
--text="$ipaddr: Enter netmask: " \
--entry-text 255.255.255.0)
[ $? != 0 ] && return;
cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
}
addNet() {
getIPaddr
if [[ -z $ipaddr ]] ; then
return;
fi
getNetmask
if [[ -z $cidr ]] ; then
return;
fi
zonecfg -z $zonename "add net; \
set address=${ipaddr}/${cidr}; \
set physical=$nic; \
end"
template=${zonename}_cipso
cidr=32
updateTnrhdb
}
getAttrs() {
zone=global
type=ignore
for j in $(ifconfig $nic)
do
case $j in
inet) type=$j;;
zone) type=$j;;
all-zones) zone=all-zones;;
flags*) flags=$j;;
*) case $type in
inet) ipaddr=$j ;;
zone) zone=$j ;;
*) continue ;;
esac;
type=ignore;;
esac
done
if [[ $flags == ~(E).UP, ]] ; then
updown=Up
else
updown=Down
fi
if [[ $nic == ~(E).: ]] ; then
linktype=logical
else
vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
if [[ -n $vnic ]] ; then
linktype=virtual
else
linktype=physical
fi
fi
if [ $ipaddr != 0.0.0.0 ] ; then
x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
if [ $? = 1 ] ; then
template=cipso
cidr=32
updateTnrhdb
else
template=$(print "$x"|cut -d : -f2)
fi
else
template="..."
ipaddr="..."
fi
}
deleteTnrhdbEntry() {
remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
if [ $? = 0 ] ; then
ip=$(print $remote|cut -d "/" -f1)
if [[ $remote == ~(E)./ ]] ; then
pr=$(print $remote|cut -d "/" -f2)
remote="$ip\\/$pr"
fi
sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
mv /tmp/tnrhdb.$$ $TNRHDB
fi
}
updateTnrhdb() {
deleteTnrhdbEntry
if [[ -n $cidr ]] ; then
print "${ipaddr}/$cidr:$template" >> $TNRHDB
tnctl -h ${ipaddr}/$cidr:$template
else
print "${ipaddr}:$template" >> $TNRHDB
tnctl -h ${ipaddr}:$template
fi
}
getIPaddr() {
hostname=$(zenity --entry \
--title="$title" \
--width=330 \
--text="$nic: Enter Hostname: ")
[ $? != 0 ] && return
ipaddr=$(getent hosts $hostname|cut -f1)
if [[ -z $ipaddr ]] ; then
ipaddr=$(zenity --entry \
--title="$title" \
--text="$nic: Enter IP address: " \
--entry-text a.b.c.d)
[ $? != 0 ] && return
validateIPaddr
fi
}
addHost() {
# Update hosts
if [[ -z $ipaddr ]] ; then
return;
fi
grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
if [ $? -eq 1 ] ; then
print "$ipaddr\t$hostname" >> /etc/inet/hosts
fi
template=cipso
cidr=32
updateTnrhdb
ifconfig $nic $ipaddr netmask + broadcast +
#
# TODO: better integration with nwam
# TODO: get/set netmask for IP address
#
print $hostname > /etc/hostname.$nic
}
createInterface() {
msg=$(ifconfig $nic addif 0.0.0.0)
$(zenity --info \
--title="$title" \
--text="$msg" )
nic=$(print "$msg"|cut -d" " -f5)
}
createVNIC() {
if [ $zonename != global ] ; then
vnicname=${zonename}0
else
vnicname=$(zenity --entry \
--title="$title" \
--width=330 \
--entry-text="" \
--text="Enter VNIC Name: ")
if [[ ! -n $vnicname ]] ; then
return
fi
fi
x=$(dladm show-vnic|grep "^$vnicname " )
if [[ ! -n $x ]] ; then
dladm create-vnic -l $nic $vnicname
fi
if [ $zonename = global ] ; then
ifconfig $vnicname plumb
else
zonecfg -z $zonename "add net; \
set physical=$vnicname; \
end"
fi
nic=$vnicname
}
shareInterface() {
#
# TODO: better integration with nwam
#
ifconfig $nic all-zones;\
if_file=/etc/hostname.$nic
sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
mv $TXTMP/txnetmgr.$$ $if_file
}
unshareInterface() {
#
# TODO: better integration with nwam
#
ifconfig $nic -zone;\
if_file=/etc/hostname.$nic
sed q | sed -e "s/all-zones/ /" < $if_file >$TXTMP/txnetmgr.$$
mv $TXTMP/txnetmgr.$$ $if_file
}
addTnrhdb() {
ipaddr=$(zenity --entry \
--title="$title" \
--width=330 \
--text="Zone:$zonename. Enter IP address of remote host or network: " \
--entry-text a.b.c.d)
[ $? != 0 ] && return
validateIPaddr
if [[ -z $ipaddr ]] ; then
return;
fi
if [ ${octets[3]} = 0 ] ; then
nic="$ipaddr"
getNetmask
if [[ -z $cidr ]] ; then
return;
fi
else
cidr=32
fi
print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
if [ $? = 0 ] ; then
updateTnrhdb
else
syntax=$(cat $TXTMP/syntax_error.$$)
x=$(zenity --error \
--title="$title" \
--text="$syntax")
fi
rm $TXTMP/tnrhdb_new.$$
rm $TXTMP/syntax_error.$$
}
removeTnrhdb() {
while (( 1 )) do
remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
if [ $template = cipso ] ; then
templateHeading="from All Zones":
else
templateHeading="from this Zone":
fi
if [[ -n $remotes ]] ; then
ipaddr=$(zenity --list \
--title="$title" \
--text="$msg_getremote" \
--height=250 \
--width=300 \
--column="Remove Access to:" \
--column="$templateHeading" \
$remotes)
if [[ -n $ipaddr ]] ; then
deleteTnrhdbEntry
tnctl -dh ${ip}:$template
else
return
fi
else
return
fi
done
}
setMLPs() {
tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
ports=$(print "$attrs"|zenity --list \
--title="$title" \
--height=200 \
--width=450 \
--text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
--column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
--editable \
--multiple
)
if [[ -z $ports ]] ; then
return
fi
# getopts needs another a blank and another dash
ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
OPTIND=1
while getopts "z:(Private)s:(Shared)" opt $ports ; do
case $opt in
z) zoneMLPs=$OPTARG ;;
s) sharedMLPs=$OPTARG ;;
esac
done
sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
tnzone=$(print "$tnzone"|cut -d : -f1-3)
echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
if [ $? = 0 ] ; then
mv $TXTMP/tnzonecfg.$$ $TNZONECFG
zenity --info \
--title="$title" \
--text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
if [ $zonename != global ] ; then
getLabelRange
fi
else
syntax=$(cat $TXTMP/syntax_error.$$)
x=$(zenity --error \
--title="$title" \
--text="$syntax")
rm $TXTMP/tnzonecfg.$$
fi
rm $TXTMP/syntax_error.$$
}
enableAuthentication() {
integer file_cnt=0
zonepath=$(zoneadm -z $1 list -p|cut -d : -f4)
ZONE_ETC_DIR=$zonepath/root/etc
# If the zone's shadow file was previously read-only
# there may be no root password entry for this zone.
# If so, replace the root password entry with the global zone's.
entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
if [ $? -eq 0 ] ; then
grep ^root: /etc/shadow > $TXTMP/shadow.$$
sed -e "/^root::/d" $ZONE_ETC_DIR/shadow >> \
$TXTMP/shadow.$$ 2>/dev/null
mv $TXTMP/shadow.$$ $ZONE_ETC_DIR/shadow
chmod 400 $ZONE_ETC_DIR/shadow
fi
if [ $LOGNAME = "root" ]; then
return
fi
file[0]="passwd"
file[1]="shadow"
file[2]="user_attr"
#
# Add the user who assumed the root role to each installed zone
#
while (( file_cnt < ${#file[*]} )); do
exists=$(grep "^${LOGNAME}:" \
$ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
if [ $? -ne 0 ] ; then
entry=$(grep "^${LOGNAME}:" \
/etc/${file[file_cnt]})
if [ $? -eq 0 ] ; then
print "$entry" >> \
$ZONE_ETC_DIR/${file[file_cnt]}
fi
fi
file_cnt+=1
done
chmod 400 $ZONE_ETC_DIR/shadow
}
unsharePasswd() {
zonecfg -z $1 remove fs dir=/etc/passwd >/dev/null 2>&1 | grep -v such
zonecfg -z $1 remove fs dir=/etc/shadow >/dev/null 2>&1 | grep -v such
zoneadm -z $1 ready >/dev/null 2>&1
if [ $? -eq 0 ] ; then
enableAuthentication $1
zoneadm -z $1 halt >/dev/null 2>&1
else
echo Skipping $1
fi
}
sharePasswd() {
passwd=$(zonecfg -z $1 info|grep /etc/passwd)
if [ $? -eq 1 ] ; then
zonecfg -z $1 "add fs; \
set special=/etc/passwd; \
set dir=/etc/passwd; \
set type=lofs; \
add options ro; \
end; \
add fs; \
set special=/etc/shadow; \
set dir=/etc/shadow; \
set type=lofs; \
add options ro; \
end"
fi
zoneadm -z $1 halt >/dev/null 2>&1
}
# This routine is a toggle -- if we find it configured for global nscd,
# change to nscd-per-label and vice-versa.
#
# The user was presented with only the choice to CHANGE the existing
# configuration.
manageNscd() {
if [ $NSCD_PER_LABEL -eq 0 ] ; then
# this MUST be a regular file for svc-nscd to detect
touch $NSCD_INDICATOR
NSCD_OPT="Unconfigure per-zone name service"
NSCD_PER_LABEL=1
for i in $(zoneadm list -i | grep -v global) ; do
zoneadm -z $i halt >/dev/null 2>&1
unsharePasswd $i
done
else
rm -f $NSCD_INDICATOR
NSCD_OPT="Configure per-zone name service"
NSCD_PER_LABEL=0
for i in $(zoneadm list -i | grep -v global) ; do
zoneadm -z $i halt >/dev/null 2>&1
sharePasswd $i
done
fi
}
manageZoneNets () {
ncmds[0]="Only use all-zones interfaces"
ncmds[1]="Add a logical interface"
ncmds[2]="Add a virtual interface (VNIC)"
stacks[0]="Shared Stack"
stacks[1]="Exclusive Stack"
getAllZoneNICs
netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
integer nic_cnt=0
integer netOp_cnt=2
set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
while (( nic_cnt < ${#nics[*]} )); do
netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
netOp_cnt+=1
netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
netOp_cnt+=1
nic_cnt+=1
done
netOp=$(print "${netOps[*]}"|zenity --list \
--title="$title" \
--text="$msg_getnet $zonename zone:" \
--height=300 \
--width=500 \
--column="#" \
--column="Network Configuration " \
--column="IP Type" \
--column="Available Interfaces" \
--hide-column=1
)
# User picked cancel or no selection
if [[ -z $netOp ]] ; then
return
fi
# All-zones is the default, so just return
if [ $netOp = 1 ] ; then
return
fi
cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5)
case $cmd in
${ncmds[1]} )
addNet;
;;
${ncmds[2]} )
zonecfg -z $zonename set ip-type=exclusive
createVNIC
;;
esac
}
manageInterface () {
while (( 1 )) do
getAttrs
# Clear list of commands
share=
setipaddr=
newlogical=
newvnic=
unplumb=
bringup=
bringdown=
if [ $updown = Down ] ; then
bringup="Bring Up\n"
else
bringdown="Bring Down\n"
fi
case $linktype in
physical )
newlogical="Create Logical Interface...\n";
newvnic="Create Virtual Interface (VNIC)...\n";
;;
logical )
unplumb="Remove Logical Interface\n"
;;
virtual )
newlogical="Create Logical Interface...\n";
unplumb="Remove Virtual Interface\n" ;
;;
esac
if [ $ipaddr = "..." ] ; then
setipaddr="Set IP address...\n"
elif [ $zone != all-zones ] ; then
share="Share with Shared-IP Zones\n"
else
share="Remove from Shared-IP Zones\n"
fi
command=$(print ""\
$share \
$setipaddr \
$newlogical \
$newvnic \
$unplumb \
$bringup \
$bringdown \
| zenity --list \
--title="$title" \
--text="Select a command from the list below:" \
--height=300 \
--column "Interface: $nic" )
case $command in
" Create Logical Interface...")
createInterface;;
" Create Virtual Interface (VNIC)...")
createVNIC ;;
" Set IP address...")
getIPaddr
addHost;;
" Share with Shared-IP Zones")
shareInterface;;
" Remove from Shared-IP Zones")
unshareInterface;;
" Remove Logical Interface")
ifconfig $nic unplumb
rm -f /etc/hostname.$nic
return;;
" Remove Virtual Interface")
ifconfig $nic unplumb
dladm delete-vnic $nic
rm -f /etc/hostname.$nic
return;;
" Bring Up")
ifconfig $nic up;;
" Bring Down")
ifconfig $nic down;;
*) return;;
esac
done
}
sharePrimaryNic() {
set -A ip $(getent hosts $(cat /etc/nodename))
for i in $(ifconfig -au4|grep "^[a-z].*:" |grep -v LOOPBACK)
do
print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
[ $? -eq 1 ] && continue
nic=${i%:} # Remove colon after interface name
getAttrs
if [ ${ip[0]} = $ipaddr ]; then
shareInterface
break
fi
done
}
manageNets() {
while (( 1 )) do
attrs=
for i in $(ifconfig -a4|grep "^[a-z].*:" |grep -v LOOPBACK)
do
print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
[ $? -eq 1 ] && continue
nic=${i%:} # Remove colon after interface name
getAttrs
attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
done
nic=$(zenity --list \
--title="$title" \
--text="Select an interface from the list below:" \
--height=300 \
--width=500 \
--column="Interface" \
--column="Type" \
--column="Zone Name" \
--column="IP Address" \
--column="Template" \
--column="State" \
$attrs)
if [[ -z $nic ]] ; then
return
fi
manageInterface
done
}
createLDAPclient() {
ldaptitle="$title: Create LDAP Client"
ldapdomain=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--text="Enter Domain Name: ")
if [[ -n $ldapdomain ]] ; then
ldapserver=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--text="Enter Hostname of LDAP Server: ")
else
return
fi
if [[ -n $ldapserver ]] ; then
ldapserveraddr=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--text="Enter IP adddress of LDAP Server $ldapserver: ")
else
return
fi
ldappassword=""
while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
ldappassword=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--hide-text \
--text="Enter LDAP Proxy Password:")
ldappasswordconfirm=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--hide-text \
--text="Confirm LDAP Proxy Password:")
done
ldapprofile=$(zenity --entry \
--width=400 \
--title="$ldaptitle" \
--text="Enter LDAP Profile Name: ")
whatnext=$(zenity --list \
--width=400 \
--height=250 \
--title="$ldaptitle" \
--text="Proceed to create LDAP Client?" \
--column=Parameter --column=Value \
"Domain Name" "$ldapdomain" \
"Hostname" "$ldapserver" \
"IP Address" "$ldapserveraddr" \
"Password" "$(print "$ldappassword" | sed 's/./*/g')" \
"Profile" "$ldapprofile")
[ $? != 0 ] && return
grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
if [ $? -eq 1 ] ; then
print "$ldapserveraddr $ldapserver" >> /etc/hosts
fi
grep "${ldapserver}:" $TNRHDB > /dev/null
if [ $? -eq 1 ] ; then
print "# ${ldapserver} - ldap server" \
>> $TNRHDB
print "${ldapserveraddr}:cipso" \
>> $TNRHDB
tnctl -h "${ldapserveraddr}:cipso"
fi
proxyDN=$(print $ldapdomain|awk -F"." \
"{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
zenity --info \
--title="$ldaptitle" \
--width=500 \
--text="global zone will be LDAP client of $ldapserver"
ldapout=$TXTMP/ldapclient.$$
ldapclient init -a profileName="$ldapprofile" \
-a domainName="$ldapdomain" \
-a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
-a proxyPassword="$ldappassword" \
"$ldapserveraddr" >$ldapout 2>&1
if [ $? -eq 0 ] ; then
ldapstatus=Success
else
ldapstatus=Error
fi
zenity --text-info \
--width=700 \
--height=300 \
--title="$ldaptitle: $ldapstatus" \
--filename=$ldapout
rm -f $ldapout
}
tearDownZones() {
if [ $DISP -eq 0 ] ; then
if [ $FORCE -eq 0 ] ; then
gettext "OK to destroy all zones [y|N]? "
read ans
printf "%s\n" "$ans" \
| /usr/xpg4/bin/grep -Eq "$(locale yesexpr)"
if [ $? -ne 0 ] ; then
gettext "canceled.\n"
return 1
fi
fi
gettext "destroying all zones ...\n"
else
killall=$(zenity --question \
--title="$title" \
--width=330 \
--text="$msg_confirmkill")
if [[ $? != 0 ]]; then
return
fi
fi
for p in $(zoneadm list -cp|grep -v global:) ; do
zonename=$(echo "$p"|cut -d : -f2)
if [ $DISP -eq 0 ] ; then
gettext "destroying zone $zonename ...\n"
fi
zoneadm -z $zonename halt 1>/dev/null 2>&1
zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
delete -rRf
done
zonename=global
}
createDefaultZones() {
# If GUI display is not used, skip the dialog
if [ $DISP -eq 0 ] ; then
createDefaultPublic
if [ $? -ne 0 ] ; then
return 1
fi
createDefaultInternal
return
fi
msg_choose1=$(gettext "Choose one:")
defpub=$(gettext "$PUBZONE zone only")
defboth=$(gettext "$PUBZONE and $INTZONE zones")
defskip=$(gettext "Main Menu...")
command=$(echo ""\
"$defpub\n" \
"$defboth\n" \
"$defskip\n" \
| zenity --list \
--title="$title" \
--text="$msg_defzones" \
--column="$msg_choose1" \
--height=400 \
--width=330 )
case $command in
" $defpub")
createDefaultPublic ;;
" $defboth")
createDefaultPublic
if [ $? -ne 0 ] ; then
return 1
fi
createDefaultInternal ;;
*)
return;;
esac
}
createDefaultPublic() {
zonename=$PUBZONE
if [ $DISP -eq 0 ] ; then
gettext "creating default $zonename zone ...\n"
fi
newZone
zone_cnt+=1
hexlabel=$DEFAULTLABEL
setTNdata
sharePrimaryNic
install
if [ $? -ne 0 ] ; then
return 1
fi
if [ $DISP -eq 0 ] ; then
gettext "booting zone $zonename ...\n"
zoneadm -z $zonename boot
else
zoneadm -z $zonename boot &
gnome-terminal \
--disable-factory \
--title="Zone Console: $zonename $msg_continue" \
--command "zlogin -C $zonename"
fi
}
createDefaultInternal() {
zoneadm -z $PUBZONE halt
zonename=snapshot
newZone
zone_cnt+=1
zonecfg -z $zonename set autoboot=false
clone $PUBZONE
zoneadm -z $PUBZONE boot &
zonename=$INTZONE
if [ $DISP -eq 0 ] ; then
gettext "creating default $zonename zone ...\n"
fi
newZone
zone_cnt+=1
hexlabel=$INTLABEL
x=$(grep -i :{$hexlabel}: $TNZONECFG)
if [ $? = 0 ] ; then
z=$(print $x|cut -d : -f1)
echo "$msg_inuse $z zone."
else
setTNdata
fi
clone snapshot
if [ $DISP -eq 0 ] ; then
gettext "booting zone $zonename ...\n"
else
gnome-terminal \
--title="Zone Console: $zonename" \
--command "zlogin -C $zonename" &
fi
zoneadm -z $zonename boot &
}
selectZone() {
set -A zonelist "global\nrunning\nADMIN_HIGH"
integer zone_cnt=1
for p in $(zoneadm list -cp|grep -v global:) ; do
zone_cnt+=1
done
if [ $zone_cnt == 1 ] ; then
createDefaultZones
fi
if [ $zone_cnt == 1 ] ; then
zonename=global
singleZone
return
fi
zone_cnt=1
for p in $(zoneadm list -cp|grep -v global:) ; do
zonename=$(echo "$p"|cut -d : -f2)
state=$(echo "$p"|cut -d : -f3)
hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
if [[ $hexlabel ]] ; then
curlabel=$(hextoalabel $hexlabel)
else
curlabel=...
fi
zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
zone_cnt+=1
done
zonename=$(print "${zonelist[*]}"|zenity --list \
--title="$title" \
--text="$msg_getzone" \
--height=300 \
--width=500 \
--column="Zone Name" \
--column="Status" \
--column="Sensitivity Label" \
)
# if the menu choice was a zonename, pop up zone menu
if [[ -n $zonename ]] ; then
singleZone
else
exit
fi
}
# Loop for single-zone menu
singleZone() {
while (( 1 )) do
# Clear list of commands
console=
label=
start=
reboot=
stop=
clone=
install=
ready=
uninstall=
autoboot=
delete=
deletenet=
permitrelabel=
if [ $zone_cnt -gt 1 ] ; then
killZones="Destroy all zones...\n"
xit="Select another zone..."
else
killZones=
xit="Exit"
fi
if [ $zonename = global ] ; then
ldapClient="Create LDAP Client...\n"
nscdOpt="$NSCD_OPT\n"
createZone="Create a new zone...\n"
addnet="Configure Network Interfaces...\n"
else
ldapClient=
nscdOpt=
createZone=
addnet=
killZones=
fi
zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
consoleCheck;
labelCheck;
delay=0
if [ $zonename != global ] ; then
case $zonestate in
running)
ready="Ready\n"
reboot="Reboot\n"
stop="Halt\n"
;;
ready)
start="Boot\n"
stop="Halt\n"
;;
installed)
if [[ -z $label ]] ; then
ready="Ready\n"
start="Boot\n"
fi
uninstall="Uninstall\n"
relabelCheck
autobootCheck
;;
configured)
install="Install...\n"
cloneCheck
delete="Delete\n"
console=
;;
incomplete)
uninstall="Uninstall\n"
;;
*)
;;
esac
fi
command=$(echo ""\
$createZone \
$console \
$label \
$start \
$reboot \
$stop \
$clone \
$install \
$ready \
$uninstall \
$delete \
$addnet \
$deletenet \
$addremotehost \
$addcipsohost \
$removeremotehost \
$removecipsohost \
$setmlps \
$permitrelabel \
$autoboot \
$ldapClient \
$nscdOpt \
$killZones \
$xit \
| zenity --list \
--title="$title" \
--text="$msg_getcmd" \
--height=400 \
--width=330 \
--column "Zone: $zonename Status: $zonestate" )
case $command in
" Create a new zone...")
zonename=
newZone ;;
" Zone Console...")
delay=2
gnome-terminal \
--title="Zone Console: $zonename" \
--command "zlogin -C $zonename" & ;;
" Select Label...")
selectLabel;;
" Ready")
zoneadm -z $zonename ready ;;
" Boot")
zoneadm -z $zonename boot ;;
" Halt")
zoneadm -z $zonename halt ;;
" Reboot")
zoneadm -z $zonename reboot ;;
" Install...")
install;;
" Clone...")
clone ;;
" Uninstall")
zoneadm -z $zonename uninstall -F;;
" Delete")
delete
return ;;
" Configure Network Interfaces...")
if [ $zonename = global ] ; then
manageNets
else
manageZoneNets
fi;;
" Add Single-level Access to Remote Host...")
addTnrhdb ;;
" Add Multilevel Access to Remote Host...")
template=cipso
addTnrhdb ;;
" Remove Single-level Access to Remote Host...")
removeTnrhdb ;;
" Remove Multilevel Access to Remote Host...")
template=cipso
removeTnrhdb ;;
" Configure Multilevel Ports...")
setMLPs;;
" Permit Relabeling")
zonecfg -z $zonename set limitpriv=default,\
win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
" Deny Relabeling")
zonecfg -z $zonename set limitpriv=default ;;
" Set Automatic Booting")
zonecfg -z $zonename set autoboot=true ;;
" Set Manual Booting")
zonecfg -z $zonename set autoboot=false ;;
" Create LDAP Client...")
createLDAPclient ;;
" Configure per-zone name service")
manageNscd ;;
" Unconfigure per-zone name service")
manageNscd ;;
" Destroy all zones...")
tearDownZones
return ;;
*)
if [ $zone_cnt == 1 ] ; then
exit
else
return
fi;;
esac
sleep $delay;
done
}
# Main loop for top-level window
#
/usr/bin/plabel $$ 1>/dev/null 2>&1
if [ $? != 0 ] ; then
gettext "$0 : Trusted Extensions must be enabled.\n"
exit 1
fi
myzone=$(/sbin/zonename)
if [ $myzone != "global" ] ; then
gettext "$0 : must be in global zone to run.\n"
exit 1
fi
process_options "$@" || exit
mkdir $TXTMP 2>/dev/null
deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
DEFAULTLABEL=$(atohexlabel ${deflabel})
intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
INTLABEL=$(atohexlabel -c "${intlabel}")
# are there any zfs pools?
ZDSET=none
zpool iostat 1>/dev/null 2>&1
if [ $? = 0 ] ; then
# is there a zfs pool named "zone"?
zpool list -H zone 1>/dev/null 2>&1
if [ $? = 0 ] ; then
# yes
ZDSET=zone
else
# no, but is there a root pool?
rootfs=$(df -n / | awk '{print $3}')
if [ $rootfs = "zfs" ] ; then
# yes, use it
ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
zfs list -H $ZDSET 1>/dev/null 2>&1
if [ $? = 1 ] ; then
createZDSET "-o mountpoint=/zone" $ZDSET
fi
fi
fi
fi
if [ $DISP -eq 0 ] ; then
gettext "non-interactive mode ...\n"
if [ $DESTROYZONES -eq 1 ] ; then
tearDownZones
fi
if [ $CREATEDEF -eq 1 ] ; then
if [[ $(zoneadm list -c) == global ]] ; then
createDefaultZones
else
gettext "cannot create default zones because there are existing zones.\n"
fi
fi
exit
fi
if [ $NSCD_PER_LABEL -eq 0 ] ; then
NSCD_OPT="Configure per-zone name service"
else
NSCD_OPT="Unconfigure per-zone name service"
fi
while (( 1 )) do
selectZone
done