To configure a secure DNS instance in a Solaris 10 non-global zone using ZFS, roles, and chroot:
- Create the zone and filesystem for the DNS chroot structure
  * This assumes that you have a ZFS root, or at least a ZFS pool, to build your zone on.
  - zfs create rpool/Root/S10x_u9/zone1
  - chmod 700 /zone1
  - zonecfg -z zone1
      zonecfg:zone1> create
      zonecfg:zone1> set zonepath=/zone1
      zonecfg:zone1> set autoboot=true
      zonecfg:zone1> add net
      zonecfg:zone1:net> set physical=net0
    * Giving the zone a physical interface instead of an IP address enables an exclusive-IP zone. This gives the benefit of a physically separated interface that can be on a network not connected to the global zone.
      zonecfg:zone1:net> end
      zonecfg:zone1> set ip-type=exclusive
      zonecfg:zone1> verify
      zonecfg:zone1> commit
      zonecfg:zone1> exit
  * You can now run "# zoneadm list -civ" to see the zone as configured.
  - zoneadm -z zone1 install
  - zoneadm -z zone1 boot
  - zlogin -C -e "#." zone1
  * Log in on the zone console to set the initial parameters, just like an initial install of Solaris. (~.) is the default escape sequence, although this functionality is lacking; that's why I add the -e "#." to the zlogin command. This way I won't get kicked out of the entire session. It may be necessary to log back into the global zone and kill the zlogin -C process.
- Create the role and modify the DNS service to run as a role and in a chroot environment
  * These commands are run in the zone unless otherwise noted.
  - roleadd -d /local/dns -s /bin/false named
    * Make the role, give it a home directory of the chroot filesystem, and set the shell to /bin/false.
  - groupadd dnsgroup
  - rolemod -g dnsgroup named
  - chown -R named:dnsgroup /local/dns
  - cd /var/svc/manifest/network/dns
  - cp server.xml chroot-server.xml
  - vi chroot-server.xml
  * Make the following changes:
    - go down to the last dependency statement and copy seven lines (7yy)
    - go just above the <exec_method> statement and paste the seven lines (p)
    - change the pasted dependency statement as follows:
        <dependency
            name='config'
            grouping='optional_all'
            restart_on='error'
            type='path'>
            <service_fmri
                value='file://localhost/local/dns/etc/named.conf'
            />
        </dependency>
      * Modify the service_fmri value if your named.conf is not going to be under an etc directory in your chroot structure.
    - change the instance name statement to reflect the name of your new server, chroot-server
      * The line looks like this:
        <instance name='chroot-server' enabled='false' >
    - go down to the method_credential statement and change the user and group to our role and group
        <method_credential
            user='named'
            group='dnsgroup'
      * Leave the rest of the statement alone.
    - change the propval for chroot_dir
        <propval name='chroot_dir' type='astring' value='/local/dns' />
    - validate the configured manifest
        svccfg validate chroot-server.xml
      * If there are any errors, go back and fix whichever line it is complaining about.
    - import the service
        svccfg
        svc:> import /var/svc/manifest/network/dns/chroot-server.xml
        svc:> exit
- Configure your DNS files within the chroot directory structure
  * Typically you will want to put your DNS files in locations as standard as possible inside your chroot directory structure of /local/dns. For instance, the usual directories will be etc, var, and db. Another directory we will need to create under /local/dns is dev. This will hold the character devices used by DNS.
  - mkdir /local/dns/etc
  - mkdir /local/dns/var
  - mkdir /local/dns/db
  - mkdir /local/dns/dev
  * The devices necessary for named will need to be added to this dev directory. Because this is in a zone, this will have to be done from the global zone.
  - ls -laL /dev/poll
  - ls -laL /dev/random
  - ls -laL /dev/urandom
  * Be sure to note the major and minor number and the type of device for each of these files. For instance, ls -laL /dev/poll produces
        crw-rw-rw 1 root sys 135, 0 /dev/poll
    The "c" means a character device, the first number (135) is the major number, and the second (0) is the minor number.
- Add the devices to the zone
  * Done from the global zone.
  - mknod /zone1/root/local/dns/dev/poll c 135 0
  - mknod /zone1/root/local/dns/dev/random c 149 0
  - mknod /zone1/root/local/dns/dev/urandom c 149 1
- Make the named role and dnsgroup the owner of the devices
  - chown -R named:dnsgroup /local/dns/dev
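The major and minor numbers above are the ones on the author's system, and a typo in a mknod argument silently creates the wrong device (or a node that named cannot open). The following shell script is an added example, not part of the original post: it derives each mknod command from the ls -laL line itself, refusing anything that is not a character or block device. The zone root /zone1/root and chroot /local/dns come from the post; the ls output in SAMPLE_LS is constructed in Solaris layout around the post's numbers, not captured from a live host.

```sh
#!/bin/sh
# Added example, not part of the original post: derive the mknod arguments
# for the zone's chroot dev directory from `ls -laL` output, so the device
# type and major/minor numbers are never copied by hand.
# Assumptions (from the post): zone root /zone1/root, chroot /local/dns.
# SAMPLE_LS is constructed sample output in Solaris `ls -laL` layout; the
# numbers are the ones quoted in the post, not read from a live host.

SAMPLE_LS='crw-rw-rw-   1 root     sys      135,  0 Mar 10  2011 /dev/poll
crw-r--r--   1 root     sys      149,  0 Mar 10  2011 /dev/random
crw-r--r--   1 root     sys      149,  1 Mar 10  2011 /dev/urandom'

# mknod_cmd DEV_DIR "<one ls -laL line>"
# Prints the mknod command that recreates the node under DEV_DIR.
# Returns 1 (prints nothing) when the line is not a character or block
# device, so a plain file or directory is never turned into a device node.
mknod_cmd() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        {
            type = substr($1, 1, 1)           # c = character, b = block
            if (type != "c" && type != "b") exit 1
            major = $5; sub(/,$/, "", major)  # "135," -> "135"
            minor = $6
            n = split($NF, parts, "/")        # basename of the source path
            printf "mknod %s/%s %s %s %s\n", dir, parts[n], type, major, minor
        }'
}

# mknod_plan DEV_DIR: one mknod command per line of SAMPLE_LS.
# Review the output, then run it from the global zone as root; the
# chown to named:dnsgroup still follows as in the post.
mknod_plan() {
    printf '%s\n' "$SAMPLE_LS" | while IFS= read -r line; do
        mknod_cmd "$1" "$line"
    done
}

mknod_plan /zone1/root/local/dns/dev
```

On a real system, replace SAMPLE_LS with the output of ls -laL /dev/poll /dev/random /dev/urandom from the global zone; the printed commands are then the exact mknod lines for the zone's /local/dns/dev directory.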
- Configure your DNS files however you see fit. The only things to keep in mind are that all files needed to run DNS, including logs and pid files, will need to exist within your /local/dns chroot directory structure, and that the named.conf needs to exist in the location you specified while creating the chroot-server.xml service.
- Modify the named.conf file to point to files within the directory structure.
  * All paths in the named.conf should be relative to the chroot starting point. For instance, the directory option should read /db, not /local/dns/db. Here are the changes I make in named.conf:
  - directory "/db";
  - key-directory "/etc/";
  - pid-file "/etc/named.pid";
  * The main point is that any file or path specified in the named.conf needs to be relative to the chroot starting point of /local/dns, so if you keep key files in /local/dns/key/zone1.key, the entry in the named.conf should only point to /key/zone1.key.
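A path that still carries the /local/dns prefix is the most common reason the chrooted named fails to start, because named resolves it to /local/dns/local/dns/... inside the chroot. The following shell script is an added example, not part of the original post: it lists every quoted path in a named.conf that begins with the chroot root and prints a corrected copy with the prefix stripped. The chroot /local/dns is the post's; SAMPLE_CONF is a constructed named.conf with two deliberately wrong paths.

```sh
#!/bin/sh
# Added example, not part of the original post: check a named.conf for paths
# that still carry the chroot prefix, and print a corrected copy.
# Assumptions (from the post): chroot root /local/dns. SAMPLE_CONF is a
# constructed named.conf with two deliberately wrong paths.

CHROOT=/local/dns

SAMPLE_CONF='options {
    directory "/db";
    key-directory "/etc/";
    pid-file "/local/dns/etc/named.pid";
};
zone "example.test" {
    type master;
    file "/local/dns/db/example.test.zone";
};'

# list_chroot_prefixed ROOT FILE
# Prints every double-quoted string in FILE that equals ROOT or starts with
# ROOT/. named running with -t ROOT would look such a path up as
# ROOT/ROOT/..., which does not exist inside the chroot.
list_chroot_prefixed() {
    tr '"' '\n' < "$2" | grep -e "^$1/" -e "^$1\$" || true
}

# count_chroot_prefixed ROOT FILE: number of offending paths (0 when clean)
count_chroot_prefixed() {
    list_chroot_prefixed "$1" "$2" | grep -c . || true
}

# strip_chroot_prefix ROOT FILE: FILE with the prefix removed from quoted
# paths, so "/local/dns/etc/named.pid" becomes "/etc/named.pid"
strip_chroot_prefix() {
    sed -e "s#\"$1/#\"/#g" -e "s#\"$1\"#\"/\"#g" "$2"
}

CONF_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$CONF_FILE"
FIXED_FILE=$(mktemp)
strip_chroot_prefix "$CHROOT" "$CONF_FILE" > "$FIXED_FILE"

echo "offending paths in sample named.conf:"
list_chroot_prefixed "$CHROOT" "$CONF_FILE"
echo "offending paths after stripping: $(count_chroot_prefixed "$CHROOT" "$FIXED_FILE")"
```

Run list_chroot_prefixed /local/dns /local/dns/etc/named.conf from inside the zone before enabling the service; an empty result means every quoted path is already chroot-relative. The strip function is a starting point, not a substitute for reading the corrected file, since named.conf can quote strings that are not paths.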
- Enable the DNS service
  - svcadm enable svc:/network/dns/server:chroot-server
  * ps -ef | grep named
    The named process should be running with a "-t" option and the path to the chroot directory structure. If not, look in /var/adm/messages for any errors (usually due to permissions of the devices or non-chroot-based file paths in the named.conf).
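Eyeballing ps output works once, but the same check is worth scripting so it can run after every reboot or service restart. The following shell script is an added example, not part of the original post: it reads ps -ef lines and succeeds only when a named process owned by the role user carries "-t /local/dns" on its command line. The chroot and role name are the post's; SAMPLE_PS is constructed ps -ef output, not captured from a live zone.

```sh
#!/bin/sh
# Added example, not part of the original post: verify from `ps -ef` output
# that named is running as the role user and chrooted with -t to the
# expected directory. Assumptions (from the post): chroot /local/dns,
# role named. SAMPLE_PS is constructed ps -ef output, not captured from a
# live zone.

SAMPLE_PS='     UID   PID  PPID   C    STIME TTY         TIME CMD
    root     1     0   0 10:00:01 ?           0:01 /sbin/init
   named  4321     1   0 10:02:11 ?           0:00 /usr/sbin/named -t /local/dns
    root  4400  4399   0 10:03:00 pts/1       0:00 grep named'

# named_chroot_ok ROOT USER   (ps -ef lines on stdin)
# Succeeds only if some line is a named process owned by USER whose
# arguments contain "-t ROOT". The "grep named" line in the sample matches
# the name but has no -t, and init has neither, so only the real daemon
# line can satisfy the check.
named_chroot_ok() {
    awk -v root="$1" -v user="$2" '
        NR > 1 {
            is_named = 0; has_root = 0
            for (i = 8; i <= NF; i++) {          # fields 8.. are the command line
                if ($i ~ /(^|\/)named$/) is_named = 1
                if ($i == "-t" && $(i + 1) == root) has_root = 1
            }
            if (is_named && has_root && $1 == user) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# On a live zone: ps -ef | named_chroot_ok /local/dns named
printf '%s\n' "$SAMPLE_PS" | named_chroot_ok /local/dns named \
    && echo "sample: named is chrooted as expected" \
    || echo "sample: named not chrooted, check /var/adm/messages"
```

The check fails if named is running but as root, or without -t, or chrooted somewhere other than /local/dns, which are exactly the misconfigurations that would silently undo the role and chroot work above.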