#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2014 Garrett D'Amore
#
#
# This script provides a simple GUI for managing labeled zones.
# It provides contextual menus which provide appropriate choices.
# It must be run in the global zone as root.
# These arguments are accepted, and will result in non-interactive
# (text-only) mode:
#
# txzonemgr [-c | -d[f]]
#
# -c create default zones
# -d destroy all zones; prompts for confirmation unless
# the -f flag is also specified
# -f force
#
# DISP - use GUI (otherwise use non-interactive mode)
DISP=1
# CREATEDEF - make default zones (non-interactive)
# DESTROYZONES - tear down all zones (non-interactive)
# FORCE - force
FORCE=0
# NOTE(review): $NSCD_INDICATOR is unquoted. If it is ever empty or unset
# the test collapses to `[ -f ]`, which test treats as a single non-empty
# string and reports TRUE, so this branch would run with no indicator file
# present. Quoting it, `[ -f "$NSCD_INDICATOR" ]`, makes the empty case false.
if [ -f $NSCD_INDICATOR ] ; then
fi
title="Labeled Zone Manager 2.1"
(select global for zone creation and shared settings)")
# Option parsing for the non-interactive modes (the function header and the
# getopts/case opening lines are elided in this excerpt). Recognised flags:
#   -c  create default zones    -d  destroy all zones    -f  force
# -c or -d also switch DISP off (text-only mode). Returns 2 on any usage
# error (conflicting flags, -f alone, a stray non-option argument), else 0.
{
optlist='cdf'
do
c) CREATEDEF=1
DISP=0
;;
d) DESTROYZONES=1
DISP=0
;;
f) FORCE=1
;;
return 2
;;
esac
done
# NOTE(review): the `-a` operator inside [ ] is marked obsolescent by POSIX
# and can be ambiguous with some operands; `[ ... ] && [ ... ]` is the
# portable spelling. Harmless here while the operands are plain integers.
if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
gettext "cannot combine options -c and -d\n"
return 2
fi
if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
gettext "option -f not allowed with -c\n"
return 2
fi
if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
gettext "option -f specified without any other options\n"
return 2
fi
# Any leftover positional argument is a usage error.
if [ "x$1" != "x" ] ; then
return 2
fi
return 0
}
}
if [ $? != 0 ] ; then
console="Zone Console...\n"
fi
fi
}
if [[ $hexlabel ]] ; then
template="admin_low"
addcipsohost="Add Multilevel Access to Remote Host...\n"
removecipsohost="Remove Multilevel Access to Remote Host...\n"
setmlps="Configure Multilevel Ports...\n"
else
if [[ -n $net ]] ; then
setmlps="Configure Multilevel Ports...\n"
elif [ $zonestate = configured ] ; then
addnet="Configure Network Interfaces...\n"
fi
fi
addremotehost="Add Single-level Access to Remote Host...\n"
if [ $? = 0 ] ; then
removeremotehost="Remove Single-level Access to Remote Host...\n"
else
fi
else
label="Select Label...\n"
fi
}
set -A zonelist
integer clone_cnt=0
if [ $z = $zonename ] ; then
continue
elif [ $s = "installed" ] ; then
clone_cnt+=1
fi
done
if [ $clone_cnt -gt 0 ] ; then
fi
}
if [[ -n $macstate ]] ; then
permitrelabel="Deny Relabeling\n"
else
permitrelabel="Permit Relabeling\n"
fi
}
autoboot="Set Manual Booting\n"
else
autoboot="Set Automatic Booting\n"
fi
}
if [[ ! -n $zonename ]] ; then
--width=330 \
if [[ ! -n $zonename ]] ; then
return
fi
fi
set zonepath=/zone/$zonename"
}
delopt=$*
if [ $? = 0 ] ; then
done
fi
}
else
deflabel="def_label=${hexlabel};"
fi
if [ $? -eq 0 ] ; then
fi
print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
}
if [ $? -eq 1 ] ; then
fi
#
# Add matching entries in tnrhtp if necessary
#
}
--accredcheck=yes \
--mode=sensitivity \
if [ $? = 0 ] ; then
# NOTE(review): the braces enclose only "$hexlabel", so grep receives the
# pattern ":{<label>}:". In grep's default BRE a bare "{" is an ordinary
# character, so this looks like it can never match a ":<label>:" field and
# the exit-status test below would always take the "not found" branch.
# ":${hexlabel}:" is presumably what was meant -- confirm against the
# tnzonecfg record format before changing it. $TNZONECFG is also unquoted.
x=$(grep -i :{$hexlabel}: $TNZONECFG)
if [ $? = 0 ] ; then
else
fi
fi
}
--accredcheck=no \
--mode=sensitivity \
[ $? != 0 ] && return
--accredcheck=no \
--mode=sensitivity \
[ $? != 0 ] && return
}
}
--text="Passphrases do not match"
return ""
fi
echo "$file"
}
options=$1
pool=${2%%/*}
# First check if ZFS encryption support is available
return
fi
return
fi
"Passphrase" "Generate Key in file")
[ $? != 0 ] && exit
exit
fi
removefile=1;
[ $? != 0 ] && exit
keylen=128
else
t=${encryption#aes-} && keylen=${t%%-*}
fi
fi
options="$options -o encryption=$encryption -o keysource=$keysource"
fi
}
if [ -f /var/ldap/ldap_client_file ] ; then
ldapaddress=$(ldapclient list | \
domain=$(domainname)
profName=$(ldapclient list | \
proxyPwd=$(ldapclient list | \
proxyDN=$(ldapclient list | \
fi
else
fi
if [[ -z $locale ]] ; then
locale="C"
fi
# There are two problems with setting the root password:
# The zone's shadow file may be read-only
# The password contains unparsable characters
# so the following line is commented out until this is resolved.
#print "root_password=$rootpwd" >> ${SYSIDCFG}
--width=330 \
[ $? != 0 ] && return
else
if [ $? != 0 ] ; then
[ $? != 0 ] && return
if [[ -z $ipaddr ]] ; then
return
fi
fi
cidr=32
fi
elif [[ -n $net ]] ; then
--width=330 \
[ $? != 0 ] && return
if [ $? = 0 ] ; then
fi
else
done
fi
}
image=$1
if [[ -z $image ]] ; then
snapshot of one of the following halted zones:")
--height=300 \
--width=330 \
fi
if [[ -n $image ]] ; then
if [ $NSCD_PER_LABEL = 0 ] ; then
else
fi
fi
fi
}
else
# sleep is needed here to avoid occasional timing
# problem with gnome-terminal display...
sleep 2
fi
if [ $zonestate != installed ] ; then
return 1
fi
if [ $NSCD_PER_LABEL = 0 ] ; then
else
fi
if [ $zonestate != ready ] ; then
return 1
fi
}
delopt=$*
# if there is an entry for this zone in tnzonecfg, remove it
# before deleting the zone.
if [ -n "${tnzone}" ] ; then
fi
done
done
done
done
done
}
IFS=.
integer octet_cnt=0
integer dummy
if [ ${#octets[*]} == 4 ] ; then
octet_cnt+=1
continue
fi
else
return
fi
done
else
fi
}
integer count=0
do
[ $? -eq 1 ] && continue
i=${i%:} # Remove colon after interface name
do
case $j in
count+=1
;;
esac
done
done
}
cidr=
--width=330 \
[ $? != 0 ] && return;
}
if [[ -z $ipaddr ]] ; then
return;
fi
if [[ -z $cidr ]] ; then
return;
fi
set address=${ipaddr}/${cidr}; \
set physical=$nic; \
end"
cidr=32
}
type=ignore
do
case $j in
inet) type=$j;;
zone) type=$j;;
*) continue ;;
esac;
type=ignore;;
esac
done
else
fi
else
if [[ -n $vnic ]] ; then
else
fi
fi
if [ $ipaddr != 0.0.0.0 ] ; then
if [ $? = 1 ] ; then
cidr=32
else
fi
else
template="..."
ipaddr="..."
fi
}
if [ $? = 0 ] ; then
fi
fi
}
if [[ -n $cidr ]] ; then
else
fi
}
--width=330 \
[ $? != 0 ] && return
if [[ -z $ipaddr ]] ; then
[ $? != 0 ] && return
fi
}
# Update hosts
if [[ -z $ipaddr ]] ; then
return;
fi
if [ $? -eq 1 ] ; then
fi
cidr=32
#
# TODO: better integration with nwam
#
}
}
else
--width=330 \
if [[ ! -n $vnicname ]] ; then
return
fi
fi
if [[ ! -n $x ]] ; then
fi
else
set physical=$vnicname; \
end"
fi
}
#
# TODO: better integration with nwam
#
}
#
# TODO: better integration with nwam
#
}
--width=330 \
[ $? != 0 ] && return
if [[ -z $ipaddr ]] ; then
return;
fi
# A zero last octet is presumably a network address and then needs an
# explicit prefix length; anything else is a single host and gets /32.
if [ ${octets[3]} = 0 ] ; then
if [[ -z $cidr ]] ; then
return;
fi
else
cidr=32
fi
# NOTE(review): scratch files are PID-named under $TXTMP. That is only safe
# when $TXTMP is a directory nobody else can write to (not visible in this
# excerpt -- confirm); otherwise prefer mktemp. Both paths are unquoted.
x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
if [ $? = 0 ] ; then
else
# tnchkdb rejected the candidate file; keep its diagnostics.
syntax=$(cat $TXTMP/syntax_error.$$)
fi
rm $TXTMP/tnrhdb_new.$$
rm $TXTMP/syntax_error.$$
}
while (( 1 )) do
else
fi
if [[ -n $remotes ]] ; then
--height=250 \
--width=300 \
if [[ -n $ipaddr ]] ; then
else
return
fi
else
return
fi
done
}
attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
--height=200 \
--width=450 \
--editable \
--multiple
)
# Cancelled dialog or empty selection: nothing to change.
if [[ -z $ports ]] ; then
return
fi
# getopts needs another blank and another dash
OPTIND=1
s) sharedMLPs=$OPTARG ;;
esac
done
# NOTE(review): PID-named scratch files under $TXTMP are only safe if $TXTMP
# is a directory writable solely by this user (not visible here -- confirm);
# otherwise prefer mktemp. Both paths are unquoted.
x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
if [ $? = 0 ] ; then
fi
else
# tnchkdb rejected the candidate file; keep its diagnostics.
syntax=$(cat $TXTMP/syntax_error.$$)
fi
rm $TXTMP/syntax_error.$$
}
integer file_cnt=0
# If the zone's shadow file was previously read-only
# there may be no root password entry for this zone.
# If so, replace the root password entry with the global zone's.
entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
if [ $? -eq 0 ] ; then
chmod 400 $ZONE_ETC_DIR/shadow
fi
return
fi
file[0]="passwd"
file[1]="shadow"
file[2]="user_attr"
#
# Add the user who assumed the root role to each installed zone
#
$ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
if [ $? -ne 0 ] ; then
if [ $? -eq 0 ] ; then
fi
fi
file_cnt+=1
done
chmod 400 $ZONE_ETC_DIR/shadow
}
if [ $? -eq 0 ] ; then
else
echo Skipping $1
fi
}
if [ $? -eq 1 ] ; then
zonecfg -z $1 "add fs; \
set type=lofs; \
add options ro; \
end; \
add fs; \
set type=lofs; \
add options ro; \
end"
fi
}
# This routine is a toggle -- if we find it configured for global nscd,
# change to nscd-per-label and vice-versa.
#
# The user was presented with only the choice to CHANGE the existing
# configuration.
if [ $NSCD_PER_LABEL -eq 0 ] ; then
# this MUST be a regular file for svc-nscd to detect
NSCD_OPT="Unconfigure per-zone name service"
done
else
NSCD_OPT="Configure per-zone name service"
sharePasswd $i
done
fi
}
ncmds[0]="Only use all-zones interfaces"
ncmds[1]="Add a logical interface"
ncmds[2]="Add a virtual interface (VNIC)"
stacks[0]="Shared Stack"
stacks[1]="Exclusive Stack"
netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
integer nic_cnt=0
integer netOp_cnt=2
netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
netOp_cnt+=1
netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
netOp_cnt+=1
nic_cnt+=1
done
--height=300 \
--width=500 \
)
# User picked cancel or no selection
if [[ -z $netOp ]] ; then
return
fi
# All-zones is the default, so just return
if [ $netOp = 1 ] ; then
return
fi
${ncmds[1]} )
;;
${ncmds[2]} )
;;
esac
}
while (( 1 )) do
# Clear list of commands
bringup="Bring Up\n"
else
bringdown="Bring Down\n"
fi
physical )
;;
logical )
unplumb="Remove Logical Interface\n"
;;
virtual )
;;
esac
setipaddr="Set IP address...\n"
share="Share with Shared-IP Zones\n"
else
share="Remove from Shared-IP Zones\n"
fi
command=$(print ""\
$share \
$newvnic \
$unplumb \
$bringup \
--height=300 \
" Create Logical Interface...")
" Create Virtual Interface (VNIC)...")
createVNIC ;;
" Set IP address...")
addHost;;
" Share with Shared-IP Zones")
" Remove from Shared-IP Zones")
" Remove Logical Interface")
return;;
" Remove Virtual Interface")
return;;
" Bring Up")
" Bring Down")
*) return;;
esac
done
}
do
[ $? -eq 1 ] && continue
nic=${i%:} # Remove colon after interface name
break
fi
done
}
while (( 1 )) do
do
[ $? -eq 1 ] && continue
nic=${i%:} # Remove colon after interface name
done
--height=300 \
--width=500 \
if [[ -z $nic ]] ; then
return
fi
done
}
# Collect LDAP client parameters through a sequence of zenity entry dialogs;
# an empty domain or server name aborts the function.
ldapdomain=$(zenity --entry \
--width=400 \
if [[ -n $ldapdomain ]] ; then
ldapserver=$(zenity --entry \
--width=400 \
else
return
fi
if [[ -n $ldapserver ]] ; then
ldapserveraddr=$(zenity --entry \
--width=400 \
else
return
fi
# NOTE(review): the proxy password is read through a zenity --entry dialog.
# Confirm that --hide-text is among the (elided) options so the value is not
# echoed on screen, and that $ldappassword is never placed on a later command
# line where `ps` could expose it.
ldappassword=""
ldappassword=$(zenity --entry \
--width=400 \
ldappasswordconfirm=$(zenity --entry \
--width=400 \
done
ldapprofile=$(zenity --entry \
--width=400 \
--width=400 \
--height=250 \
[ $? != 0 ] && return
if [ $? -eq 1 ] ; then
fi
# Grant the LDAP server a multilevel (cipso) tnrhdb entry and load it with
# tnctl -h so it takes effect immediately.
if [ $? -eq 1 ] ; then
print "# ${ldapserver} - ldap server" \
>> $TNRHDB
print "${ldapserveraddr}:cipso" \
>> $TNRHDB
tnctl -h "${ldapserveraddr}:cipso"
fi
# awk tail of the base-DN builder: one "dc=" component per input field,
# presumably the domain split on "." (the head of the pipeline is elided).
"{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
--width=500 \
--text="global zone will be LDAP client of $ldapserver"
if [ $? -eq 0 ] ; then
else
fi
--width=700 \
--height=300 \
}
gettext "OK to destroy all zones [y|N]? "
read ans
if [ $? -ne 0 ] ; then
gettext "canceled.\n"
return 1
fi
fi
gettext "destroying all zones ...\n"
else
--width=330 \
if [[ $? != 0 ]]; then
return
fi
fi
fi
done
}
# If GUI display is not used, skip the dialog
if [ $? -ne 0 ] ; then
return 1
fi
return
fi
command=$(echo ""\
--height=400 \
--width=330 )
if [ $? -ne 0 ] ; then
return 1
fi
*)
return;;
esac
}
fi
zone_cnt+=1
if [ $? -ne 0 ] ; then
return 1
fi
else
--command "zlogin -C $zonename"
fi
}
zone_cnt+=1
fi
zone_cnt+=1
# NOTE(review): the braces enclose only "$hexlabel", giving grep the literal
# pattern ":{<label>}:". A bare "{" is an ordinary character in the default
# BRE, so this looks like it cannot match a ":<label>:" field and the
# "in use" branch below would never be taken. ":${hexlabel}:" is presumably
# intended -- confirm against the tnzonecfg record format before changing it.
x=$(grep -i :{$hexlabel}: $TNZONECFG)
if [ $? = 0 ] ; then
echo "$msg_inuse $z zone."
else
fi
else
fi
}
set -A zonelist "global\nrunning\nADMIN_HIGH"
integer zone_cnt=1
zone_cnt+=1
done
if [ $zone_cnt == 1 ] ; then
fi
if [ $zone_cnt == 1 ] ; then
return
fi
zone_cnt=1
if [[ $hexlabel ]] ; then
else
curlabel=...
fi
zone_cnt+=1
done
--height=300 \
--width=500 \
)
# if the menu choice was a zonename, pop up zone menu
if [[ -n $zonename ]] ; then
else
exit
fi
}
# Loop for single-zone menu
while (( 1 )) do
# Clear list of commands
stop=
killZones="Destroy all zones...\n"
xit="Select another zone..."
else
xit="Exit"
fi
ldapClient="Create LDAP Client...\n"
createZone="Create a new zone...\n"
addnet="Configure Network Interfaces...\n"
else
fi
delay=0
case $zonestate in
ready="Ready\n"
reboot="Reboot\n"
stop="Halt\n"
;;
start="Boot\n"
stop="Halt\n"
;;
if [[ -z $label ]] ; then
ready="Ready\n"
start="Boot\n"
fi
uninstall="Uninstall\n"
;;
install="Install...\n"
delete="Delete\n"
;;
uninstall="Uninstall\n"
;;
*)
;;
esac
fi
command=$(echo ""\
$console \
$label \
$start \
$reboot \
$stop \
$clone \
$install \
$ready \
$delete \
$addnet \
$setmlps \
$nscdOpt \
$xit \
--height=400 \
--width=330 \
" Create a new zone...")
newZone ;;
" Zone Console...")
delay=2
" Select Label...")
" Ready")
" Boot")
" Halt")
" Reboot")
" Install...")
install;;
" Clone...")
clone ;;
" Uninstall")
" Delete")
return ;;
" Configure Network Interfaces...")
else
fi;;
" Add Single-level Access to Remote Host...")
addTnrhdb ;;
" Add Multilevel Access to Remote Host...")
addTnrhdb ;;
" Remove Single-level Access to Remote Host...")
removeTnrhdb ;;
" Remove Multilevel Access to Remote Host...")
removeTnrhdb ;;
" Configure Multilevel Ports...")
setMLPs;;
" Permit Relabeling")
" Deny Relabeling")
" Set Automatic Booting")
" Set Manual Booting")
" Create LDAP Client...")
" Configure per-zone name service")
manageNscd ;;
" Unconfigure per-zone name service")
manageNscd ;;
" Destroy all zones...")
return ;;
*)
if [ $zone_cnt == 1 ] ; then
exit
else
return
fi;;
esac
done
}
# Main loop for top-level window
#
if [ $? != 0 ] ; then
gettext "$0 : Trusted Extensions must be enabled.\n"
exit 1
fi
gettext "$0 : must be in global zone to run.\n"
exit 1
fi
DEFAULTLABEL=$(atohexlabel ${deflabel})
# are there any zfs pools?
if [ $? = 0 ] ; then
# is there a zfs pool named "zone"?
if [ $? = 0 ] ; then
# yes
else
# no, but is there a root pool?
# yes, use it
if [ $? = 1 ] ; then
fi
fi
fi
fi
gettext "non-interactive mode ...\n"
if [ $DESTROYZONES -eq 1 ] ; then
fi
if [ $CREATEDEF -eq 1 ] ; then
else
gettext "cannot create default zones because there are existing zones.\n"
fi
fi
exit
fi
if [ $NSCD_PER_LABEL -eq 0 ] ; then
NSCD_OPT="Configure per-zone name service"
else
NSCD_OPT="Unconfigure per-zone name service"
fi
while (( 1 )) do
done