search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / cmd / tsol / misc / txzonemgr.sh
blob179a0e8170c59209ad8a42d225880b71faac0b68
1 #!/bin/ksh
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22 # Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 # Copyright 2014 Garrett D'Amore
24 #
25 #
26
27 # This script provides a simple GUI for managing labeled zones.
28 # It provides contextual menus which provide appropriate choices.
29 # It must be run in the global zone as root.
30
31 # These arguments are accepted, and will result in non-interactive
32 # (text-only) mode:
33 #
34 # txzonemgr [-c | -d[f]]
35 #
36 # -c create default zones
37 # -d destroy all zones; prompts for confirmation unless
38 # the -f flag is also specified
39 # -f force
40 #
41
42 # DISP - use GUI (otherwise use non-interactive mode)
43 DISP=1
44 # CREATEDEF - make default zones (non-interactive)
45 CREATEDEF=0
46 # DESTROYZONES - tear down all zones (non-interactive)
47 DESTROYZONES=0
48 # FORCE - force
49 FORCE=0
50
51 NSCD_PER_LABEL=0
52 NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
53 if [ -f $NSCD_INDICATOR ] ; then
54 NSCD_PER_LABEL=1
55 fi
56
57 myname=$(basename $0)
58
59 TXTMP=/tmp/txzonemgr
60 TNRHTP=/etc/security/tsol/tnrhtp
61 TNRHDB=/etc/security/tsol/tnrhdb
62 TNZONECFG=/etc/security/tsol/tnzonecfg
63 PUBZONE=public
64 INTZONE=internal
65
66 PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
67 title="Labeled Zone Manager 2.1"
68
69 msg_defzones=$(gettext "Create default zones using default settings?")
70 msg_confirmkill=$(gettext "OK to destroy all zones?")
71 msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
72 msg_getlabel=$(gettext "Select a label for the")
73 msg_getremote=$(gettext "Select a remote host or network from the list below:")
74 msg_getnet=$(gettext "Select a network configuration for the")
75 msg_getzone=$(gettext "Select a zone from the list below:
76 (select global for zone creation and shared settings)")
77 msg_getcmd=$(gettext "Select a command from the list below:")
78 msg_inuse=$(gettext "That label is already assigned\nto the")
79 msg_getmin=$(gettext "Select the minimum network label for the")
80 msg_getmax=$(gettext "Select the maximum network label for the")
81 msg_badip=$(gettext " is not a valid IP address")
82
83
84 process_options()
85 {
86 typeset opt optlist
87
88 optlist='cdf'
89
90 while getopts ":$optlist" opt
91 do
92 case $opt in
93 c) CREATEDEF=1
94 DISP=0
95 ;;
96 d) DESTROYZONES=1
97 DISP=0
98 ;;
99 f) FORCE=1
100 ;;
101 *) gettext "invalid option -$OPTARG\n"
102 usage
103 return 2
104 ;;
105 esac
106 done
107
108 if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
109 gettext "cannot combine options -c and -d\n"
110 usage
111 return 2
112 fi
113 if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
114 gettext "option -f not allowed with -c\n"
115 usage
116 return 2
117 fi
118 if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
119 gettext "option -f specified without any other options\n"
120 usage
121 return 2
122 fi
123
124 shift $((OPTIND - 1))
125 if [ "x$1" != "x" ] ; then
126 usage
127 return 2
128 fi
129
130 return 0
131 }
132
133 usage() {
134 gettext "usage: $myname [-c | -d[f]]\n"
135 }
136
137 consoleCheck() {
138 if [ $zonename != global ] ; then
139 zconsole=$(pgrep -f "zlogin -C $zonename")
140 if [ $? != 0 ] ; then
141 console="Zone Console...\n"
142 fi
143 fi
144 }
145
146 labelCheck() {
147 hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
148 if [[ $hexlabel ]] ; then
149 label=
150 if [ $zonename = global ] ; then
151 template="admin_low"
152 addcipsohost="Add Multilevel Access to Remote Host...\n"
153 removecipsohost="Remove Multilevel Access to Remote Host...\n"
154 setmlps="Configure Multilevel Ports...\n"
155 else
156 template=${zonename}_unlab
157 addcipsohost=
158 removecipsohost=
159 setmlps=
160
161 net=$(zonecfg -z $zonename info net)
162 if [[ -n $net ]] ; then
163 setmlps="Configure Multilevel Ports...\n"
164 elif [ $zonestate = configured ] ; then
165 addnet="Configure Network Interfaces...\n"
166 fi
167 fi
168 addremotehost="Add Single-level Access to Remote Host...\n"
169 remotes=$(grep -v "^#" $TNRHDB|grep $template)
170 if [ $? = 0 ] ; then
171 removeremotehost="Remove Single-level Access to Remote Host...\n"
172 else
173 removeremotehost=
174 fi
175 else
176 label="Select Label...\n"
177 addremotehost=
178 removeremotehost=
179 addcipsohost=
180 removecipsohost=
181 setmlps=
182 fi
183 }
184
185 cloneCheck() {
186 set -A zonelist
187 integer clone_cnt=0
188 for p in $(zoneadm list -ip) ; do
189 z=$(echo "$p"|cut -d : -f2)
190 s=$(echo "$p"|cut -d : -f3)
191 if [ $z = $zonename ] ; then
192 continue
193 elif [ $s = "installed" ] ; then
194 zonelist[clone_cnt]=$z
195 clone_cnt+=1
196 fi
197 done
198 if [ $clone_cnt -gt 0 ] ; then
199 clone="Clone...\n"; \
200 fi
201 }
202
203 relabelCheck() {
204 macstate=$(zonecfg -z $zonename info|grep win_mac_write)
205 if [[ -n $macstate ]] ; then
206 permitrelabel="Deny Relabeling\n"
207 else
208 permitrelabel="Permit Relabeling\n"
209 fi
210 }
211
212 autobootCheck() {
213 bootmode=$(zonecfg -z $zonename info autoboot)
214 if [[ $bootmode == 'autoboot: true' ]] ; then
215 autoboot="Set Manual Booting\n"
216 else
217 autoboot="Set Automatic Booting\n"
218 fi
219 }
220
221 newZone() {
222 if [[ ! -n $zonename ]] ; then
223 zonename=$(zenity --entry \
224 --title="$title" \
225 --width=330 \
226 --entry-text="" \
227 --text="Enter Zone Name: ")
228
229 if [[ ! -n $zonename ]] ; then
230 zonename=global
231 return
232 fi
233 fi
234 zonecfg -z $zonename "create -t SUNWtsoldef;\
235 set zonepath=/zone/$zonename"
236 }
237
238 removeZoneBEs() {
239 delopt=$*
240
241 zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
242 if [ $? = 0 ] ; then
243 for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
244 zfs destroy $delopt $zbe
245 done
246 fi
247 }
248
249 updateTemplate () {
250 if [ $hostType = cipso ] ; then
251 template=${zonename}_cipso
252 deflabel=
253 else
254 template=${zonename}_unlab
255 deflabel="def_label=${hexlabel};"
256 fi
257
258 tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
259 if [ $? -eq 0 ] ; then
260 sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
261 mv $TXTMP/tnrhtp.$$ $TNRHTP
262 fi
263 print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
264 tnctl -t $template
265 }
266
267 setTNdata () {
268 tnzline="$zonename:${hexlabel}:0::"
269 grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
270 if [ $? -eq 1 ] ; then
271 print "$tnzline" >> $TNZONECFG
272 fi
273
274 #
275 # Add matching entries in tnrhtp if necessary
276 #
277 minlabel=admin_low
278 maxlabel=admin_high
279 hostType=cipso
280 updateTemplate
281
282 hostType=unlabeled
283 updateTemplate
284 }
285
286 selectLabel() {
287 hexlabel=$(tgnome-selectlabel \
288 --title="$title" \
289 --text="$msg_getlabel $zonename zone:" \
290 --min="${DEFAULTLABEL}" \
291 --default="${DEFAULTLABEL}" \
292 --max=$(chk_encodings -X) \
293 --accredcheck=yes \
294 --mode=sensitivity \
295 --format=internal)
296 if [ $? = 0 ] ; then
297 x=$(grep -i :{$hexlabel}: $TNZONECFG)
298 if [ $? = 0 ] ; then
299 z=$(print $x|cut -d : -f1)
300 x=$(zenity --error \
301 --title="$title" \
302 --text="$msg_inuse $z zone.")
303 else
304 setTNdata
305 fi
306 fi
307 }
308
309 getLabelRange() {
310 deflabel=$(hextoalabel $hexlabel)
311 minlabel=$(tgnome-selectlabel \
312 --title="$title" \
313 --text="$msg_getmin $zonename zone:" \
314 --min="${DEFAULTLABEL}" \
315 --max="$deflabel" \
316 --default="$hexlabel" \
317 --accredcheck=no \
318 --mode=sensitivity \
319 --format=internal)
320 [ $? != 0 ] && return
321
322 maxlabel=$(tgnome-selectlabel \
323 --title="$title" \
324 --text="$msg_getmax $zonename zone:" \
325 --min="$deflabel" \
326 --max=$(chk_encodings -X) \
327 --default="$hexlabel" \
328 --accredcheck=no \
329 --mode=sensitivity \
330 --format=internal)
331 [ $? != 0 ] && return
332
333 hostType=cipso
334 updateTemplate
335 }
336
337
338 encryptionValues() {
339 echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
340 }
341
342 getPassphrase() {
343 pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
344 --width=330 --hide-text)
345 pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
346 --width=330 --hide-text)
347 if [[ "$pass1" != "$pass2" ]]; then
348 zenity --error --title="$title" \
349 --text="Passphrases do not match"
350 return ""
351 fi
352 file=$(mktemp)
353 echo "$pass1" > $file
354 echo "$file"
355 }
356
357 createZDSET() {
358 options=$1
359 pool=${2%%/*}
360
361 # First check if ZFS encrytption support is available
362 pversion=$(zpool list -H -o version $pool)
363 cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
364 if (( cversion == 0 || pversion < cversion )); then
365 zfs create $options $ZDSET
366 return
367 fi
368
369 encryption=$(zenity --list --title="$title" --height=320 \
370 --text="Select cipher for encryption of all labels:" \
371 --column="encryption" $(encryptionValues))
372
373 if [[ $? != 0 || $encryption == "off" ]]; then
374 zfs create $options $ZDSET
375 return
376 fi
377
378 format=$(zenity --list --title="$title" \
379 --text "Select encryption key source:" \
380 --column="Key format and location" \
381 "Passphrase" "Generate Key in file")
382 [ $? != 0 ] && exit
383
384 if [[ $format == "Passphrase" ]]; then
385 file=$(getPassphrase)
386 if [[ $file == "" ]]; then
387 exit
388 fi
389 keysource="passphrase,file://$file"
390 removefile=1;
391 elif [[ $format == "Generate Key in file" ]]; then
392 file=$(zenity --file-selection \
393 --title="$title: Location of key file" \
394 --save --confirm-overwrite)
395 [ $? != 0 ] && exit
396 if [[ $encryption == "on" ]]; then
397 keylen=128
398 else
399 t=${encryption#aes-} && keylen=${t%%-*}
400 fi
401 pktool genkey keystore=file keytype=aes \
402 keylen=$keylen outkey=$file
403 keysource="raw,file:///$file"
404 fi
405
406 options="$options -o encryption=$encryption -o keysource=$keysource"
407 zfs create $options $ZDSET
408 if (( removefile == 1 )); then
409 zfs set keysource=passphrase,prompt $ZDSET
410 rm $file
411 fi
412 }
413
414
415 initialize() {
416 zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
417 ZONE_ETC_DIR=$zonepath/root/etc
418 SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
419
420 if [ -f /var/ldap/ldap_client_file ] ; then
421 ldapaddress=$(ldapclient list | \
422 grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
423 print "name_service=LDAP {" > ${SYSIDCFG}
424 domain=$(domainname)
425 print "domain_name=$domain" >> ${SYSIDCFG}
426 profName=$(ldapclient list | \
427 grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
428 proxyPwd=$(ldapclient list | \
429 grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
430 proxyDN=$(ldapclient list | \
431 grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
432 if [ "$proxyDN" ] ; then
433 print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
434 print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
435 fi
436 print "profile=$profName" >> ${SYSIDCFG}
437 print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
438 cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
439 else
440 print "name_service=NONE" > ${SYSIDCFG}
441 fi
442 print "security_policy=NONE" >> ${SYSIDCFG}
443 locale=$(locale|grep LANG | cut -d "=" -f2)
444 if [[ -z $locale ]] ; then
445 locale="C"
446 fi
447 print "system_locale=$locale" >> ${SYSIDCFG}
448 timezone=$(grep "^TZ" /etc/default/init|cut -d "=" -f2)
449 print "timezone=$timezone" >> ${SYSIDCFG}
450 print "terminal=vt100" >> ${SYSIDCFG}
451 rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
452
453 # There are two problems with setting the root password:
454 # The zone's shadow file may be read-only
455 # The password contains unparsable characters
456 # so the following line is commented out until this is resolved.
457
458 #print "root_password=$rootpwd" >> ${SYSIDCFG}
459 print "nfs4_domain=dynamic" >> ${SYSIDCFG}
460 print "network_interface=PRIMARY {" >> ${SYSIDCFG}
461
462 net=$(zonecfg -z $zonename info net)
463 ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
464 if [ $ipType = exclusive ] ; then
465 hostname=$(zenity --entry \
466 --title="$title" \
467 --width=330 \
468 --text="${zonename}0: Enter Hostname or dhcp: ")
469 [ $? != 0 ] && return
470
471 if [ $hostname = dhcp ] ; then
472 print "dhcp" >> ${SYSIDCFG}
473 else
474 print "hostname=$hostname" >> ${SYSIDCFG}
475 ipaddr=$(getent hosts $hostname|cut -f1)
476 if [ $? != 0 ] ; then
477 ipaddr=$(zenity --entry \
478 --title="$title" \
479 --text="$nic: Enter IP address: " \
480 --entry-text a.b.c.d)
481 [ $? != 0 ] && return
482
483 validateIPaddr
484 if [[ -z $ipaddr ]] ; then
485 return
486 fi
487 fi
488 print "ip_address=$ipaddr" >> ${SYSIDCFG}
489 getNetmask
490 print "netmask=$nm" >> ${SYSIDCFG}
491 print "default_route=none" >> ${SYSIDCFG}
492 template=${zonename}_cipso
493 cidr=32
494 updateTnrhdb
495 fi
496 elif [[ -n $net ]] ; then
497 hostname=$(hostname)
498 hostname=$(zenity --entry \
499 --title="$title" \
500 --width=330 \
501 --text="Enter Hostname: " \
502 --entry-text $hostname)
503 [ $? != 0 ] && return
504
505 print "hostname=$hostname" >> ${SYSIDCFG}
506 ipaddr=$(getent hosts $hostname|cut -f1)
507 if [ $? = 0 ] ; then
508 print "ip_address=$ipaddr" >> ${SYSIDCFG}
509 fi
510 else
511 getAllZoneNICs
512 for i in ${aznics[*]} ; do
513 ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
514 done
515 print "hostname=$(hostname)" >> ${SYSIDCFG}
516 print "ip_address=$ipaddr" >> ${SYSIDCFG}
517 fi
518
519 print "protocol_ipv6=no }" >> ${SYSIDCFG}
520 cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
521 touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
522 }
523
524 clone() {
525 image=$1
526 if [[ -z $image ]] ; then
527 msg_clone=$(gettext "Clone the $zonename zone using a
528 snapshot of one of the following halted zones:")
529 image=$(zenity --list \
530 --title="$title" \
531 --text="$msg_clone" \
532 --height=300 \
533 --width=330 \
534 --column="Installed Zones" ${zonelist[*]})
535 fi
536
537 if [[ -n $image ]] ; then
538 removeZoneBEs
539 zoneadm -z $zonename clone $image
540
541 if [ $NSCD_PER_LABEL = 0 ] ; then
542 sharePasswd $zonename
543 else
544 unsharePasswd $zonename
545 fi
546
547 ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
548 if [ $ipType = exclusive ] ; then
549 zoneadm -z $zonename ready
550 zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
551 sys-unconfig -R $zonepath/root 2>/dev/null
552 initialize
553 zoneadm -z $zonename halt
554 fi
555 fi
556 }
557
558 install() {
559 removeZoneBEs
560 if [ $DISP -eq 0 ] ; then
561 gettext "installing zone $zonename ...\n"
562 zoneadm -z $zonename install
563 else
564 # sleep is needed here to avoid occasional timing
565 # problem with gnome-terminal display...
566 sleep 2
567 gnome-terminal \
568 --title="$title: Installing $zonename zone" \
569 --command "zoneadm -z $zonename install" \
570 --disable-factory \
571 --hide-menubar
572 fi
573
574 zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
575 if [ $zonestate != installed ] ; then
576 gettext "error installing zone $zonename.\n"
577 return 1
578 fi
579
580 if [ $NSCD_PER_LABEL = 0 ] ; then
581 sharePasswd $zonename
582 else
583 unsharePasswd $zonename
584 fi
585
586 zoneadm -z $zonename ready
587 zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
588 if [ $zonestate != ready ] ; then
589 gettext "error making zone $zonename ready.\n"
590 return 1
591 fi
592
593 initialize
594 zoneadm -z $zonename halt
595 }
596
597 delete() {
598 delopt=$*
599
600 # if there is an entry for this zone in tnzonecfg, remove it
601 # before deleting the zone.
602
603 tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
604 if [ -n "${tnzone}" ] ; then
605 sed -e "/^$zonename:/d" $TNZONECFG > \
606 $TXTMP/tnzonefg.$$ 2>/dev/null
607 mv $TXTMP/tnzonefg.$$ $TNZONECFG
608 fi
609
610 for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
611 tnctl -dh "$tnzone"
612 sed -e "/:${zonename}_unlab/d" $TNRHDB > \
613 $TXTMP/tnrhdb.$$ 2>/dev/null
614 mv $TXTMP/tnrhdb.$$ $TNRHDB
615 done
616
617 for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
618 tnctl -dt ${zonename}_unlab
619 sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
620 $TXTMP/tnrhtp.$$ 2>/dev/null
621 mv $TXTMP/tnrhtp.$$ $TNRHTP
622 done
623
624 for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
625 tnctl -dh "$tnzone"
626 sed -e "/:${zonename}_cipso/d" $TNRHDB > \
627 $TXTMP/tnrhdb.$$ 2>/dev/null
628 mv $TXTMP/tnrhdb.$$ $TNRHDB
629 done
630
631 for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
632 tnctl -dt ${zonename}_cipso
633 sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
634 $TXTMP/tnrhtp.$$ 2>/dev/null
635 mv $TXTMP/tnrhtp.$$ $TNRHTP
636 done
637
638 zonecfg -z $zonename delete -F
639
640 removeZoneBEs $delopt
641 for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
642 zfs destroy -R $snap
643 done
644 }
645
646 validateIPaddr () {
647 OLDIFS=$IFS
648 IFS=.
649 integer octet_cnt=0
650 integer dummy
651 set -A octets $ipaddr
652 IFS=$OLDIFS
653 if [ ${#octets[*]} == 4 ] ; then
654 while (( octet_cnt < ${#octets[*]} )); do
655 dummy=${octets[octet_cnt]}
656 if [ $dummy = ${octets[octet_cnt]} ] ; then
657 if (( dummy >= 0 && \
658 dummy < 256 )) ; then
659 octet_cnt+=1
660 continue
661 fi
662 else
663 x=$(zenity --error \
664 --title="$title" \
665 --text="$ipaddr $msg_badip")
666 ipaddr=
667 return
668 fi
669 done
670 else
671 x=$(zenity --error \
672 --title="$title" \
673 --text="$ipaddr $msg_badip")
674 ipaddr=
675 fi
676 }
677
678 getAllZoneNICs(){
679 integer count=0
680 for i in $(ifconfig -a4|grep "^[a-z].*:")
681 do
682 print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
683 [ $? -eq 1 ] && continue
684
685 i=${i%:} # Remove colon after interface name
686 for j in $(ifconfig $i)
687 do
688 case $j in
689 all-zones)
690 aznics[count]=$i
691 count+=1
692 ;;
693 esac
694 done
695 done
696 }
697
698 getNetmask() {
699 cidr=
700 nm=$(zenity --entry \
701 --title="$title" \
702 --width=330 \
703 --text="$ipaddr: Enter netmask: " \
704 --entry-text 255.255.255.0)
705 [ $? != 0 ] && return;
706
707 cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
708 }
709
710 addNet() {
711 getIPaddr
712 if [[ -z $ipaddr ]] ; then
713 return;
714 fi
715 getNetmask
716 if [[ -z $cidr ]] ; then
717 return;
718 fi
719 zonecfg -z $zonename "add net; \
720 set address=${ipaddr}/${cidr}; \
721 set physical=$nic; \
722 end"
723 template=${zonename}_cipso
724 cidr=32
725 updateTnrhdb
726 }
727
728 getAttrs() {
729 zone=global
730 type=ignore
731 for j in $(ifconfig $nic)
732 do
733 case $j in
734 inet) type=$j;;
735 zone) type=$j;;
736 all-zones) zone=all-zones;;
737 flags*) flags=$j;;
738 *) case $type in
739 inet) ipaddr=$j ;;
740 zone) zone=$j ;;
741 *) continue ;;
742 esac;
743 type=ignore;;
744 esac
745 done
746 if [[ $flags == ~(E).UP, ]] ; then
747 updown=Up
748 else
749 updown=Down
750 fi
751 if [[ $nic == ~(E).: ]] ; then
752 linktype=logical
753 else
754 vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
755 if [[ -n $vnic ]] ; then
756 linktype=virtual
757 else
758 linktype=physical
759 fi
760 fi
761 if [ $ipaddr != 0.0.0.0 ] ; then
762 x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
763 if [ $? = 1 ] ; then
764 template=cipso
765 cidr=32
766 updateTnrhdb
767 else
768 template=$(print "$x"|cut -d : -f2)
769 fi
770 else
771 template="..."
772 ipaddr="..."
773 fi
774 }
775 deleteTnrhdbEntry() {
776 remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
777 if [ $? = 0 ] ; then
778 ip=$(print $remote|cut -d "/" -f1)
779 if [[ $remote == ~(E)./ ]] ; then
780 pr=$(print $remote|cut -d "/" -f2)
781 remote="$ip\\/$pr"
782 fi
783 sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
784 mv /tmp/tnrhdb.$$ $TNRHDB
785 fi
786 }
787
788 updateTnrhdb() {
789 deleteTnrhdbEntry
790 if [[ -n $cidr ]] ; then
791 print "${ipaddr}/$cidr:$template" >> $TNRHDB
792 tnctl -h ${ipaddr}/$cidr:$template
793 else
794 print "${ipaddr}:$template" >> $TNRHDB
795 tnctl -h ${ipaddr}:$template
796 fi
797 }
798
799 getIPaddr() {
800 hostname=$(zenity --entry \
801 --title="$title" \
802 --width=330 \
803 --text="$nic: Enter Hostname: ")
804
805 [ $? != 0 ] && return
806
807 ipaddr=$(getent hosts $hostname|cut -f1)
808 if [[ -z $ipaddr ]] ; then
809 ipaddr=$(zenity --entry \
810 --title="$title" \
811 --text="$nic: Enter IP address: " \
812 --entry-text a.b.c.d)
813 [ $? != 0 ] && return
814 validateIPaddr
815 fi
816
817 }
818
819 addHost() {
820 # Update hosts
821 if [[ -z $ipaddr ]] ; then
822 return;
823 fi
824 grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
825 if [ $? -eq 1 ] ; then
826 print "$ipaddr\t$hostname" >> /etc/inet/hosts
827 fi
828
829 template=cipso
830 cidr=32
831 updateTnrhdb
832
833 ifconfig $nic $ipaddr netmask + broadcast +
834 #
835 # TODO: better integration with nwam
836 # TODO: get/set netmask for IP address
837 #
838 print $hostname > /etc/hostname.$nic
839 }
840
841 createInterface() {
842 msg=$(ifconfig $nic addif 0.0.0.0)
843 $(zenity --info \
844 --title="$title" \
845 --text="$msg" )
846 nic=$(print "$msg"|cut -d" " -f5)
847
848 }
849
850 createVNIC() {
851 if [ $zonename != global ] ; then
852 vnicname=${zonename}0
853 else
854 vnicname=$(zenity --entry \
855 --title="$title" \
856 --width=330 \
857 --entry-text="" \
858 --text="Enter VNIC Name: ")
859
860 if [[ ! -n $vnicname ]] ; then
861 return
862 fi
863 fi
864 x=$(dladm show-vnic|grep "^$vnicname " )
865 if [[ ! -n $x ]] ; then
866 dladm create-vnic -l $nic $vnicname
867 fi
868 if [ $zonename = global ] ; then
869 ifconfig $vnicname plumb
870 else
871 zonecfg -z $zonename "add net; \
872 set physical=$vnicname; \
873 end"
874 fi
875 nic=$vnicname
876 }
877
878 shareInterface() {
879 #
880 # TODO: better integration with nwam
881 #
882 ifconfig $nic all-zones;\
883 if_file=/etc/hostname.$nic
884 sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
885 mv $TXTMP/txnetmgr.$$ $if_file
886 }
887
888 unshareInterface() {
889 #
890 # TODO: better integration with nwam
891 #
892 ifconfig $nic -zone;\
893 if_file=/etc/hostname.$nic
894 sed q | sed -e "s/all-zones/ /" < $if_file >$TXTMP/txnetmgr.$$
895 mv $TXTMP/txnetmgr.$$ $if_file
896 }
897
898 addTnrhdb() {
899 ipaddr=$(zenity --entry \
900 --title="$title" \
901 --width=330 \
902 --text="Zone:$zonename. Enter IP address of remote host or network: " \
903 --entry-text a.b.c.d)
904 [ $? != 0 ] && return
905 validateIPaddr
906 if [[ -z $ipaddr ]] ; then
907 return;
908 fi
909 if [ ${octets[3]} = 0 ] ; then
910 nic="$ipaddr"
911 getNetmask
912 if [[ -z $cidr ]] ; then
913 return;
914 fi
915 else
916 cidr=32
917 fi
918 print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
919 x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
920 if [ $? = 0 ] ; then
921 updateTnrhdb
922 else
923 syntax=$(cat $TXTMP/syntax_error.$$)
924 x=$(zenity --error \
925 --title="$title" \
926 --text="$syntax")
927 fi
928 rm $TXTMP/tnrhdb_new.$$
929 rm $TXTMP/syntax_error.$$
930 }
931
932 removeTnrhdb() {
933 while (( 1 )) do
934 remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
935 if [ $template = cipso ] ; then
936 templateHeading="from All Zones":
937 else
938 templateHeading="from this Zone":
939 fi
940 if [[ -n $remotes ]] ; then
941 ipaddr=$(zenity --list \
942 --title="$title" \
943 --text="$msg_getremote" \
944 --height=250 \
945 --width=300 \
946 --column="Remove Access to:" \
947 --column="$templateHeading" \
948 $remotes)
949
950 if [[ -n $ipaddr ]] ; then
951 deleteTnrhdbEntry
952 tnctl -dh ${ip}:$template
953 else
954 return
955 fi
956 else
957 return
958 fi
959 done
960 }
961
962 setMLPs() {
963 tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
964 zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
965 sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
966 attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
967 ports=$(print "$attrs"|zenity --list \
968 --title="$title" \
969 --height=200 \
970 --width=450 \
971 --text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
972 --column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
973 --editable \
974 --multiple
975 )
976
977 if [[ -z $ports ]] ; then
978 return
979 fi
980
981 # getopts needs another a blank and another dash
982 ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
983
984 OPTIND=1
985 while getopts "z:(Private)s:(Shared)" opt $ports ; do
986 case $opt in
987 z) zoneMLPs=$OPTARG ;;
988 s) sharedMLPs=$OPTARG ;;
989 esac
990 done
991
992 sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
993 tnzone=$(print "$tnzone"|cut -d : -f1-3)
994 echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
995
996 x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
997
998 if [ $? = 0 ] ; then
999 mv $TXTMP/tnzonecfg.$$ $TNZONECFG
1000 zenity --info \
1001 --title="$title" \
1002 --text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
1003 if [ $zonename != global ] ; then
1004 getLabelRange
1005 fi
1006 else
1007 syntax=$(cat $TXTMP/syntax_error.$$)
1008 x=$(zenity --error \
1009 --title="$title" \
1010 --text="$syntax")
1011 rm $TXTMP/tnzonecfg.$$
1012 fi
1013 rm $TXTMP/syntax_error.$$
1014 }
1015
1016 enableAuthentication() {
1017 integer file_cnt=0
1018
1019 zonepath=$(zoneadm -z $1 list -p|cut -d : -f4)
1020 ZONE_ETC_DIR=$zonepath/root/etc
1021
1022 # If the zone's shadow file was previously read-only
1023 # there may be no root password entry for this zone.
1024 # If so, replace the root password entry with the global zone's.
1025
1026 entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
1027 if [ $? -eq 0 ] ; then
1028 grep ^root: /etc/shadow > $TXTMP/shadow.$$
1029 sed -e "/^root::/d" $ZONE_ETC_DIR/shadow >> \
1030 $TXTMP/shadow.$$ 2>/dev/null
1031 mv $TXTMP/shadow.$$ $ZONE_ETC_DIR/shadow
1032 chmod 400 $ZONE_ETC_DIR/shadow
1033 fi
1034
1035 if [ $LOGNAME = "root" ]; then
1036 return
1037 fi
1038
1039 file[0]="passwd"
1040 file[1]="shadow"
1041 file[2]="user_attr"
1042 #
1043 # Add the user who assumed the root role to each installed zone
1044 #
1045 while (( file_cnt < ${#file[*]} )); do
1046 exists=$(grep "^${LOGNAME}:" \
1047 $ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
1048 if [ $? -ne 0 ] ; then
1049 entry=$(grep "^${LOGNAME}:" \
1050 /etc/${file[file_cnt]})
1051 if [ $? -eq 0 ] ; then
1052 print "$entry" >> \
1053 $ZONE_ETC_DIR/${file[file_cnt]}
1054 fi
1055 fi
1056 file_cnt+=1
1057 done
1058 chmod 400 $ZONE_ETC_DIR/shadow
1059 }
1060
1061 unsharePasswd() {
1062 zonecfg -z $1 remove fs dir=/etc/passwd >/dev/null 2>&1 | grep -v such
1063 zonecfg -z $1 remove fs dir=/etc/shadow >/dev/null 2>&1 | grep -v such
1064 zoneadm -z $1 ready >/dev/null 2>&1
1065 if [ $? -eq 0 ] ; then
1066 enableAuthentication $1
1067 zoneadm -z $1 halt >/dev/null 2>&1
1068 else
1069 echo Skipping $1
1070 fi
1071 }
1072
1073 sharePasswd() {
1074 passwd=$(zonecfg -z $1 info|grep /etc/passwd)
1075 if [ $? -eq 1 ] ; then
1076 zonecfg -z $1 "add fs; \
1077 set special=/etc/passwd; \
1078 set dir=/etc/passwd; \
1079 set type=lofs; \
1080 add options ro; \
1081 end; \
1082 add fs; \
1083 set special=/etc/shadow; \
1084 set dir=/etc/shadow; \
1085 set type=lofs; \
1086 add options ro; \
1087 end"
1088 fi
1089 zoneadm -z $1 halt >/dev/null 2>&1
1090 }
1091
1092 # This routine is a toggle -- if we find it configured for global nscd,
1093 # change to nscd-per-label and vice-versa.
1094 #
1095 # The user was presented with only the choice to CHANGE the existing
1096 # configuration.
1097
1098 manageNscd() {
1099 if [ $NSCD_PER_LABEL -eq 0 ] ; then
1100 # this MUST be a regular file for svc-nscd to detect
1101 touch $NSCD_INDICATOR
1102 NSCD_OPT="Unconfigure per-zone name service"
1103 NSCD_PER_LABEL=1
1104 for i in $(zoneadm list -i | grep -v global) ; do
1105 zoneadm -z $i halt >/dev/null 2>&1
1106 unsharePasswd $i
1107 done
1108 else
1109 rm -f $NSCD_INDICATOR
1110 NSCD_OPT="Configure per-zone name service"
1111 NSCD_PER_LABEL=0
1112 for i in $(zoneadm list -i | grep -v global) ; do
1113 zoneadm -z $i halt >/dev/null 2>&1
1114 sharePasswd $i
1115 done
1116 fi
1117 }
1118
1119 manageZoneNets () {
1120 ncmds[0]="Only use all-zones interfaces"
1121 ncmds[1]="Add a logical interface"
1122 ncmds[2]="Add a virtual interface (VNIC)"
1123
1124 stacks[0]="Shared Stack"
1125 stacks[1]="Exclusive Stack"
1126
1127 getAllZoneNICs
1128 netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
1129
1130 integer nic_cnt=0
1131 integer netOp_cnt=2
1132
1133 set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
1134
1135 while (( nic_cnt < ${#nics[*]} )); do
1136 netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
1137 netOp_cnt+=1
1138 netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
1139 netOp_cnt+=1
1140 nic_cnt+=1
1141 done
1142
1143 netOp=$(print "${netOps[*]}"|zenity --list \
1144 --title="$title" \
1145 --text="$msg_getnet $zonename zone:" \
1146 --height=300 \
1147 --width=500 \
1148 --column="#" \
1149 --column="Network Configuration " \
1150 --column="IP Type" \
1151 --column="Available Interfaces" \
1152 --hide-column=1
1153 )
1154
1155 # User picked cancel or no selection
1156 if [[ -z $netOp ]] ; then
1157 return
1158 fi
1159
1160 # All-zones is the default, so just return
1161 if [ $netOp = 1 ] ; then
1162 return
1163 fi
1164
1165 cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
1166 nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5)
1167 case $cmd in
1168 ${ncmds[1]} )
1169 addNet;
1170 ;;
1171 ${ncmds[2]} )
1172 zonecfg -z $zonename set ip-type=exclusive
1173 createVNIC
1174 ;;
1175 esac
1176 }
1177
1178 manageInterface () {
1179 while (( 1 )) do
1180 getAttrs
1181
1182 # Clear list of commands
1183
1184 share=
1185 setipaddr=
1186 newlogical=
1187 newvnic=
1188 unplumb=
1189 bringup=
1190 bringdown=
1191
1192 if [ $updown = Down ] ; then
1193 bringup="Bring Up\n"
1194 else
1195 bringdown="Bring Down\n"
1196 fi
1197
1198 case $linktype in
1199 physical )
1200 newlogical="Create Logical Interface...\n";
1201 newvnic="Create Virtual Interface (VNIC)...\n";
1202 ;;
1203 logical )
1204 unplumb="Remove Logical Interface\n"
1205 ;;
1206 virtual )
1207 newlogical="Create Logical Interface...\n";
1208 unplumb="Remove Virtual Interface\n" ;
1209 ;;
1210 esac
1211
1212 if [ $ipaddr = "..." ] ; then
1213 setipaddr="Set IP address...\n"
1214 elif [ $zone != all-zones ] ; then
1215 share="Share with Shared-IP Zones\n"
1216 else
1217 share="Remove from Shared-IP Zones\n"
1218 fi
1219
1220 command=$(print ""\
1221 $share \
1222 $setipaddr \
1223 $newlogical \
1224 $newvnic \
1225 $unplumb \
1226 $bringup \
1227 $bringdown \
1228 | zenity --list \
1229 --title="$title" \
1230 --text="Select a command from the list below:" \
1231 --height=300 \
1232 --column "Interface: $nic" )
1233
1234 case $command in
1235 " Create Logical Interface...")
1236 createInterface;;
1237 " Create Virtual Interface (VNIC)...")
1238 createVNIC ;;
1239 " Set IP address...")
1240 getIPaddr
1241 addHost;;
1242 " Share with Shared-IP Zones")
1243 shareInterface;;
1244 " Remove from Shared-IP Zones")
1245 unshareInterface;;
1246 " Remove Logical Interface")
1247 ifconfig $nic unplumb
1248 rm -f /etc/hostname.$nic
1249 return;;
1250 " Remove Virtual Interface")
1251 ifconfig $nic unplumb
1252 dladm delete-vnic $nic
1253 rm -f /etc/hostname.$nic
1254 return;;
1255 " Bring Up")
1256 ifconfig $nic up;;
1257 " Bring Down")
1258 ifconfig $nic down;;
1259 *) return;;
1260 esac
1261 done
1262 }
1263
1264 sharePrimaryNic() {
1265 set -A ip $(getent hosts $(cat /etc/nodename))
1266 for i in $(ifconfig -au4|grep "^[a-z].*:" |grep -v LOOPBACK)
1267 do
1268 print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1269 [ $? -eq 1 ] && continue
1270
1271 nic=${i%:} # Remove colon after interface name
1272 getAttrs
1273 if [ ${ip[0]} = $ipaddr ]; then
1274 shareInterface
1275 break
1276 fi
1277 done
1278 }
1279
1280 manageNets() {
1281 while (( 1 )) do
1282 attrs=
1283 for i in $(ifconfig -a4|grep "^[a-z].*:" |grep -v LOOPBACK)
1284 do
1285 print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1286 [ $? -eq 1 ] && continue
1287
1288 nic=${i%:} # Remove colon after interface name
1289 getAttrs
1290 attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
1291 done
1292
1293 nic=$(zenity --list \
1294 --title="$title" \
1295 --text="Select an interface from the list below:" \
1296 --height=300 \
1297 --width=500 \
1298 --column="Interface" \
1299 --column="Type" \
1300 --column="Zone Name" \
1301 --column="IP Address" \
1302 --column="Template" \
1303 --column="State" \
1304 $attrs)
1305
1306 if [[ -z $nic ]] ; then
1307 return
1308 fi
1309 manageInterface
1310 done
1311 }
1312
1313 createLDAPclient() {
1314 ldaptitle="$title: Create LDAP Client"
1315 ldapdomain=$(zenity --entry \
1316 --width=400 \
1317 --title="$ldaptitle" \
1318 --text="Enter Domain Name: ")
1319 if [[ -n $ldapdomain ]] ; then
1320 ldapserver=$(zenity --entry \
1321 --width=400 \
1322 --title="$ldaptitle" \
1323 --text="Enter Hostname of LDAP Server: ")
1324 else
1325 return
1326 fi
1327 if [[ -n $ldapserver ]] ; then
1328 ldapserveraddr=$(zenity --entry \
1329 --width=400 \
1330 --title="$ldaptitle" \
1331 --text="Enter IP adddress of LDAP Server $ldapserver: ")
1332 else
1333 return
1334 fi
1335 ldappassword=""
1336 while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
1337 ldappassword=$(zenity --entry \
1338 --width=400 \
1339 --title="$ldaptitle" \
1340 --hide-text \
1341 --text="Enter LDAP Proxy Password:")
1342 ldappasswordconfirm=$(zenity --entry \
1343 --width=400 \
1344 --title="$ldaptitle" \
1345 --hide-text \
1346 --text="Confirm LDAP Proxy Password:")
1347 done
1348 ldapprofile=$(zenity --entry \
1349 --width=400 \
1350 --title="$ldaptitle" \
1351 --text="Enter LDAP Profile Name: ")
1352 whatnext=$(zenity --list \
1353 --width=400 \
1354 --height=250 \
1355 --title="$ldaptitle" \
1356 --text="Proceed to create LDAP Client?" \
1357 --column=Parameter --column=Value \
1358 "Domain Name" "$ldapdomain" \
1359 "Hostname" "$ldapserver" \
1360 "IP Address" "$ldapserveraddr" \
1361 "Password" "$(print "$ldappassword" | sed 's/./*/g')" \
1362 "Profile" "$ldapprofile")
1363 [ $? != 0 ] && return
1364
1365 grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
1366 if [ $? -eq 1 ] ; then
1367 print "$ldapserveraddr $ldapserver" >> /etc/hosts
1368 fi
1369
1370 grep "${ldapserver}:" $TNRHDB > /dev/null
1371 if [ $? -eq 1 ] ; then
1372 print "# ${ldapserver} - ldap server" \
1373 >> $TNRHDB
1374 print "${ldapserveraddr}:cipso" \
1375 >> $TNRHDB
1376 tnctl -h "${ldapserveraddr}:cipso"
1377 fi
1378
1379 proxyDN=$(print $ldapdomain|awk -F"." \
1380 "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
1381
1382 zenity --info \
1383 --title="$ldaptitle" \
1384 --width=500 \
1385 --text="global zone will be LDAP client of $ldapserver"
1386
1387 ldapout=$TXTMP/ldapclient.$$
1388
1389 ldapclient init -a profileName="$ldapprofile" \
1390 -a domainName="$ldapdomain" \
1391 -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
1392 -a proxyPassword="$ldappassword" \
1393 "$ldapserveraddr" >$ldapout 2>&1
1394
1395 if [ $? -eq 0 ] ; then
1396 ldapstatus=Success
1397 else
1398 ldapstatus=Error
1399 fi
1400
1401 zenity --text-info \
1402 --width=700 \
1403 --height=300 \
1404 --title="$ldaptitle: $ldapstatus" \
1405 --filename=$ldapout
1406
1407 rm -f $ldapout
1408
1409
1410 }
1411
1412 tearDownZones() {
1413 if [ $DISP -eq 0 ] ; then
1414 if [ $FORCE -eq 0 ] ; then
1415 gettext "OK to destroy all zones [y|N]? "
1416 read ans
1417 printf "%s\n" "$ans" \
1418 | /usr/xpg4/bin/grep -Eq "$(locale yesexpr)"
1419 if [ $? -ne 0 ] ; then
1420 gettext "canceled.\n"
1421 return 1
1422 fi
1423 fi
1424 gettext "destroying all zones ...\n"
1425 else
1426 killall=$(zenity --question \
1427 --title="$title" \
1428 --width=330 \
1429 --text="$msg_confirmkill")
1430 if [[ $? != 0 ]]; then
1431 return
1432 fi
1433 fi
1434
1435 for p in $(zoneadm list -cp|grep -v global:) ; do
1436 zonename=$(echo "$p"|cut -d : -f2)
1437 if [ $DISP -eq 0 ] ; then
1438 gettext "destroying zone $zonename ...\n"
1439 fi
1440 zoneadm -z $zonename halt 1>/dev/null 2>&1
1441 zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
1442 delete -rRf
1443 done
1444 zonename=global
1445 }
1446
1447 createDefaultZones() {
1448 # If GUI display is not used, skip the dialog
1449 if [ $DISP -eq 0 ] ; then
1450 createDefaultPublic
1451 if [ $? -ne 0 ] ; then
1452 return 1
1453 fi
1454 createDefaultInternal
1455 return
1456 fi
1457
1458 msg_choose1=$(gettext "Choose one:")
1459 defpub=$(gettext "$PUBZONE zone only")
1460 defboth=$(gettext "$PUBZONE and $INTZONE zones")
1461 defskip=$(gettext "Main Menu...")
1462 command=$(echo ""\
1463 "$defpub\n" \
1464 "$defboth\n" \
1465 "$defskip\n" \
1466 | zenity --list \
1467 --title="$title" \
1468 --text="$msg_defzones" \
1469 --column="$msg_choose1" \
1470 --height=400 \
1471 --width=330 )
1472
1473 case $command in
1474 " $defpub")
1475 createDefaultPublic ;;
1476
1477 " $defboth")
1478 createDefaultPublic
1479 if [ $? -ne 0 ] ; then
1480 return 1
1481 fi
1482 createDefaultInternal ;;
1483
1484 *)
1485 return;;
1486 esac
1487 }
1488
1489 createDefaultPublic() {
1490 zonename=$PUBZONE
1491 if [ $DISP -eq 0 ] ; then
1492 gettext "creating default $zonename zone ...\n"
1493 fi
1494 newZone
1495 zone_cnt+=1
1496 hexlabel=$DEFAULTLABEL
1497 setTNdata
1498 sharePrimaryNic
1499
1500 install
1501 if [ $? -ne 0 ] ; then
1502 return 1
1503 fi
1504
1505 if [ $DISP -eq 0 ] ; then
1506 gettext "booting zone $zonename ...\n"
1507 zoneadm -z $zonename boot
1508 else
1509 zoneadm -z $zonename boot &
1510 gnome-terminal \
1511 --disable-factory \
1512 --title="Zone Console: $zonename $msg_continue" \
1513 --command "zlogin -C $zonename"
1514 fi
1515 }
1516
1517 createDefaultInternal() {
1518 zoneadm -z $PUBZONE halt
1519
1520 zonename=snapshot
1521 newZone
1522 zone_cnt+=1
1523 zonecfg -z $zonename set autoboot=false
1524
1525 clone $PUBZONE
1526 zoneadm -z $PUBZONE boot &
1527
1528 zonename=$INTZONE
1529 if [ $DISP -eq 0 ] ; then
1530 gettext "creating default $zonename zone ...\n"
1531 fi
1532 newZone
1533 zone_cnt+=1
1534
1535 hexlabel=$INTLABEL
1536 x=$(grep -i :{$hexlabel}: $TNZONECFG)
1537 if [ $? = 0 ] ; then
1538 z=$(print $x|cut -d : -f1)
1539 echo "$msg_inuse $z zone."
1540 else
1541 setTNdata
1542 fi
1543
1544 clone snapshot
1545 if [ $DISP -eq 0 ] ; then
1546 gettext "booting zone $zonename ...\n"
1547 else
1548 gnome-terminal \
1549 --title="Zone Console: $zonename" \
1550 --command "zlogin -C $zonename" &
1551 fi
1552 zoneadm -z $zonename boot &
1553 }
1554
1555 selectZone() {
1556 set -A zonelist "global\nrunning\nADMIN_HIGH"
1557 integer zone_cnt=1
1558
1559 for p in $(zoneadm list -cp|grep -v global:) ; do
1560 zone_cnt+=1
1561 done
1562 if [ $zone_cnt == 1 ] ; then
1563 createDefaultZones
1564 fi
1565 if [ $zone_cnt == 1 ] ; then
1566 zonename=global
1567 singleZone
1568 return
1569 fi
1570
1571 zone_cnt=1
1572 for p in $(zoneadm list -cp|grep -v global:) ; do
1573 zonename=$(echo "$p"|cut -d : -f2)
1574 state=$(echo "$p"|cut -d : -f3)
1575 hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
1576 if [[ $hexlabel ]] ; then
1577 curlabel=$(hextoalabel $hexlabel)
1578 else
1579 curlabel=...
1580 fi
1581 zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
1582 zone_cnt+=1
1583 done
1584 zonename=$(print "${zonelist[*]}"|zenity --list \
1585 --title="$title" \
1586 --text="$msg_getzone" \
1587 --height=300 \
1588 --width=500 \
1589 --column="Zone Name" \
1590 --column="Status" \
1591 --column="Sensitivity Label" \
1592 )
1593
1594 # if the menu choice was a zonename, pop up zone menu
1595 if [[ -n $zonename ]] ; then
1596 singleZone
1597 else
1598 exit
1599 fi
1600 }
1601
1602 # Loop for single-zone menu
1603 singleZone() {
1604
1605 while (( 1 )) do
1606 # Clear list of commands
1607
1608 console=
1609 label=
1610 start=
1611 reboot=
1612 stop=
1613 clone=
1614 install=
1615 ready=
1616 uninstall=
1617 autoboot=
1618 delete=
1619 deletenet=
1620 permitrelabel=
1621
1622 if [ $zone_cnt -gt 1 ] ; then
1623 killZones="Destroy all zones...\n"
1624 xit="Select another zone..."
1625 else
1626 killZones=
1627 xit="Exit"
1628 fi
1629 if [ $zonename = global ] ; then
1630 ldapClient="Create LDAP Client...\n"
1631 nscdOpt="$NSCD_OPT\n"
1632 createZone="Create a new zone...\n"
1633 addnet="Configure Network Interfaces...\n"
1634 else
1635 ldapClient=
1636 nscdOpt=
1637 createZone=
1638 addnet=
1639 killZones=
1640 fi
1641
1642 zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
1643
1644 consoleCheck;
1645 labelCheck;
1646 delay=0
1647
1648 if [ $zonename != global ] ; then
1649 case $zonestate in
1650 running)
1651 ready="Ready\n"
1652 reboot="Reboot\n"
1653 stop="Halt\n"
1654 ;;
1655 ready)
1656 start="Boot\n"
1657 stop="Halt\n"
1658 ;;
1659 installed)
1660 if [[ -z $label ]] ; then
1661 ready="Ready\n"
1662 start="Boot\n"
1663 fi
1664 uninstall="Uninstall\n"
1665 relabelCheck
1666 autobootCheck
1667 ;;
1668 configured)
1669 install="Install...\n"
1670 cloneCheck
1671 delete="Delete\n"
1672 console=
1673 ;;
1674 incomplete)
1675 uninstall="Uninstall\n"
1676 ;;
1677 *)
1678 ;;
1679 esac
1680 fi
1681
1682 command=$(echo ""\
1683 $createZone \
1684 $console \
1685 $label \
1686 $start \
1687 $reboot \
1688 $stop \
1689 $clone \
1690 $install \
1691 $ready \
1692 $uninstall \
1693 $delete \
1694 $addnet \
1695 $deletenet \
1696 $addremotehost \
1697 $addcipsohost \
1698 $removeremotehost \
1699 $removecipsohost \
1700 $setmlps \
1701 $permitrelabel \
1702 $autoboot \
1703 $ldapClient \
1704 $nscdOpt \
1705 $killZones \
1706 $xit \
1707 | zenity --list \
1708 --title="$title" \
1709 --text="$msg_getcmd" \
1710 --height=400 \
1711 --width=330 \
1712 --column "Zone: $zonename Status: $zonestate" )
1713
1714 case $command in
1715 " Create a new zone...")
1716 zonename=
1717 newZone ;;
1718
1719 " Zone Console...")
1720 delay=2
1721 gnome-terminal \
1722 --title="Zone Console: $zonename" \
1723 --command "zlogin -C $zonename" & ;;
1724
1725 " Select Label...")
1726 selectLabel;;
1727
1728 " Ready")
1729 zoneadm -z $zonename ready ;;
1730
1731 " Boot")
1732 zoneadm -z $zonename boot ;;
1733
1734 " Halt")
1735 zoneadm -z $zonename halt ;;
1736
1737 " Reboot")
1738 zoneadm -z $zonename reboot ;;
1739
1740 " Install...")
1741 install;;
1742
1743 " Clone...")
1744 clone ;;
1745
1746 " Uninstall")
1747 zoneadm -z $zonename uninstall -F;;
1748
1749 " Delete")
1750 delete
1751 return ;;
1752
1753 " Configure Network Interfaces...")
1754 if [ $zonename = global ] ; then
1755 manageNets
1756 else
1757 manageZoneNets
1758 fi;;
1759
1760 " Add Single-level Access to Remote Host...")
1761 addTnrhdb ;;
1762
1763 " Add Multilevel Access to Remote Host...")
1764 template=cipso
1765 addTnrhdb ;;
1766
1767 " Remove Single-level Access to Remote Host...")
1768 removeTnrhdb ;;
1769
1770 " Remove Multilevel Access to Remote Host...")
1771 template=cipso
1772 removeTnrhdb ;;
1773
1774 " Configure Multilevel Ports...")
1775 setMLPs;;
1776
1777 " Permit Relabeling")
1778 zonecfg -z $zonename set limitpriv=default,\
1779 win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
1780 file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
1781
1782 " Deny Relabeling")
1783 zonecfg -z $zonename set limitpriv=default ;;
1784
1785 " Set Automatic Booting")
1786 zonecfg -z $zonename set autoboot=true ;;
1787
1788 " Set Manual Booting")
1789 zonecfg -z $zonename set autoboot=false ;;
1790
1791 " Create LDAP Client...")
1792 createLDAPclient ;;
1793
1794 " Configure per-zone name service")
1795 manageNscd ;;
1796
1797 " Unconfigure per-zone name service")
1798 manageNscd ;;
1799
1800 " Destroy all zones...")
1801 tearDownZones
1802 return ;;
1803
1804 *)
1805 if [ $zone_cnt == 1 ] ; then
1806 exit
1807 else
1808 return
1809 fi;;
1810 esac
1811 sleep $delay;
1812 done
1813 }
1814
1815 # Main loop for top-level window
1816 #
1817
1818 /usr/bin/plabel $$ 1>/dev/null 2>&1
1819 if [ $? != 0 ] ; then
1820 gettext "$0 : Trusted Extensions must be enabled.\n"
1821 exit 1
1822 fi
1823
1824 myzone=$(/sbin/zonename)
1825 if [ $myzone != "global" ] ; then
1826 gettext "$0 : must be in global zone to run.\n"
1827 exit 1
1828 fi
1829
1830
1831 process_options "$@" || exit
1832
1833 mkdir $TXTMP 2>/dev/null
1834 deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
1835 sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1836 DEFAULTLABEL=$(atohexlabel ${deflabel})
1837 intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
1838 sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1839 INTLABEL=$(atohexlabel -c "${intlabel}")
1840
1841 # are there any zfs pools?
1842 ZDSET=none
1843 zpool iostat 1>/dev/null 2>&1
1844 if [ $? = 0 ] ; then
1845 # is there a zfs pool named "zone"?
1846 zpool list -H zone 1>/dev/null 2>&1
1847 if [ $? = 0 ] ; then
1848 # yes
1849 ZDSET=zone
1850 else
1851 # no, but is there a root pool?
1852 rootfs=$(df -n / | awk '{print $3}')
1853 if [ $rootfs = "zfs" ] ; then
1854 # yes, use it
1855 ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
1856 zfs list -H $ZDSET 1>/dev/null 2>&1
1857 if [ $? = 1 ] ; then
1858 createZDSET "-o mountpoint=/zone" $ZDSET
1859 fi
1860 fi
1861 fi
1862 fi
1863
1864 if [ $DISP -eq 0 ] ; then
1865 gettext "non-interactive mode ...\n"
1866
1867 if [ $DESTROYZONES -eq 1 ] ; then
1868 tearDownZones
1869 fi
1870
1871 if [ $CREATEDEF -eq 1 ] ; then
1872 if [[ $(zoneadm list -c) == global ]] ; then
1873 createDefaultZones
1874 else
1875 gettext "cannot create default zones because there are existing zones.\n"
1876 fi
1877 fi
1878
1879 exit
1880 fi
1881
1882 if [ $NSCD_PER_LABEL -eq 0 ] ; then
1883 NSCD_OPT="Configure per-zone name service"
1884 else
1885 NSCD_OPT="Unconfigure per-zone name service"
1886 fi
1887
1888
1889 while (( 1 )) do
1890 selectZone
1891 done
unleashed repo fork