#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
#
# s10 boot script.
#
# The arguments to this script are the zone name and the zonepath.
#
# Source the common brand script.  The helpers used below (safe_dir,
# safe_replace, safe_wrap, safe_copy, safe_backup) are not defined in this
# file and presumably come from it.
. /usr/lib/brand/solaris10/common.ksh

# Positional arguments: the zone name, then the zonepath.  The zone's root
# filesystem is the "root" directory beneath the zonepath.
ZONENAME=$1
ZONEPATH=$2
ZONEROOT=$ZONEPATH/root

# Format string for the warning printed when a native binary is absent
# from the global zone.
w_missing=$(gettext "Warning: \"%s\" is not installed in the global zone")

# Pick the ISA directory names that match the processor type.
arch=$(uname -p)
case "$arch" in
i386)
	ARCH32=i86
	ARCH64=amd64
	;;
sparc)
	# 32-bit SPARC not supported!
	ARCH32=
	ARCH64=sparcv9
	;;
*)
	echo "Unsupported architecture: $arch"
	exit 2
	;;
esac
#
# Run the s10_support boot hook; if it fails, this script exits with
# status 1.
#
/usr/lib/brand/solaris10/s10_support boot $ZONENAME || exit 1

# Location of the brand's files under /.SUNWnative.  The wrappers created
# below point at $BRANDDIR/s10_isaexec_wrapper.
BRANDDIR=/.SUNWnative/usr/lib/brand/solaris10
FILEDIR=$BRANDDIR/files
EXIT_CODE=1
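#
# Replace the specified file in the booting zone with a wrapper script that
# invokes s10_isaexec_wrapper.  This is a convenience function that reduces
# clutter and code duplication.
#
# Parameters:
#	$1	The full path of the file to replace (e.g., /sbin/ifconfig)
#	$2	The access mode of the replacement file in octal (e.g., 0555)
#	$3	The owner and group of the replacement file (e.g., root:bin)
#
# Globals:
#	ZONEROOT, BRANDDIR, w_missing (read); path_dname (written)
#
# Returns:
#	The status of safe_replace when it is called, 0 otherwise.
#
# NOTE: The checks performed in the 'if' statement below are not generic: they
# only inspect the immediate parent directory of the target.  They depend on
# the zone filesystem structure validation (the safe_dir calls in STEP ONE)
# having already established that the intermediate directories exist and
# aren't symlinks.  Any new caller must add the matching safe_dir lines,
# because this script writes into $ZONEROOT on behalf of the global zone and a
# symlink in an unvalidated path component could redirect that write.
#
replace_with_native() {
	# Every expansion is quoted so that a zonepath containing whitespace
	# or glob characters is handled as a single path.
	path_dname="$ZONEROOT/$(dirname "$1")"

	# $1 is tested as given, i.e. against the global zone's copy of the
	# binary; a missing binary only produces a warning.
	[ ! -f "$1" ] && printf "$w_missing" "$1"

	# Refuse to write through a symlinked or missing parent directory.
	if [ ! -h "$path_dname" ] && [ -d "$path_dname" ]; then
		safe_replace "$ZONEROOT/$1" "$BRANDDIR/s10_isaexec_wrapper" \
		    "$2" "$3" remove
	fi
}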
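#
# Create a new wrapper script that invokes s10_isaexec_wrapper in the
# brand (for a non-existing s10c file) pointing to the native brand file.
#
# Parameters:
#	$1	The full path of the wrapper file to create
#	$2	The access mode of the wrapper file in octal (e.g., 0555)
#	$3	The owner and group of the wrapper file (e.g., root:bin)
#
# Globals:
#	ZONEROOT, BRANDDIR, w_missing (read); path_dname (written)
#
# Returns:
#	The status of safe_wrap when it is called, 0 otherwise.
#
# As with replace_with_native, only the immediate parent directory is checked
# here; the intermediate directories must already have been validated with
# safe_dir.
#
wrap_with_native() {
	# $1 is tested as given, i.e. against the global zone's copy of the
	# binary; a missing binary only produces a warning.
	[ ! -f "$1" ] && printf "$w_missing" "$1"

	# Every expansion is quoted so that a zonepath containing whitespace
	# or glob characters is handled as a single path.
	path_dname="$ZONEROOT/$(dirname "$1")"

	# The wrapper is created only when the parent is a real directory
	# and no regular file is already present at the target.
	# NOTE(review): -f follows symlinks, so a symlink at the target that
	# does not resolve to a regular file passes this test; safe_wrap is
	# presumably responsible for rejecting it -- confirm in common.ksh.
	if [ ! -h "$path_dname" ] && [ -d "$path_dname" ] &&
	    [ ! -f "$ZONEROOT/$1" ]; then
		safe_wrap "$ZONEROOT/$1" "$BRANDDIR/s10_isaexec_wrapper" \
		    "$2" "$3"
	fi
}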
#
# Before we boot we validate and fix, if necessary, the required files within
# the zone. These modifications can be lost if a patch is applied within the
# zone, so we validate and fix the zone every time it boots.
#
#
# BINARY REPLACEMENT
#
# This section of the boot script is responsible for replacing Solaris 10
# binaries within the booting zone with Nevada binaries. This is a two-step
# process: First, the directory structure of the zone is validated to ensure
# that binary replacement will proceed safely. Second, Solaris 10 binaries
# are replaced with Nevada binaries.
#
# Here's an example. Suppose that you want to replace /usr/bin/zcat with the
# Nevada /usr/bin/zcat binary. Then you should do the following:
#
# 1. Go to the section below labeled "STEP ONE" and add the following
# two lines:
#
# safe_dir /usr
# safe_dir /usr/bin
#
# These lines ensure that both /usr and /usr/bin are directories
# within the booting zone that can be safely accessed by the global
# zone.
# 2. Go to the section below labeled "STEP TWO" and add the following
# line:
#
# replace_with_native /usr/bin/zcat 0555 root:bin
#
# Details about the binary replacement procedure can be found in the Solaris 10
# Containers Developer Guide.
#
#
# STEP ONE
#
# Validate that the zone filesystem looks like we expect it to.
#
# Each parent directory is listed before the directories beneath it.
safe_dir /lib
safe_dir /lib/svc
safe_dir /lib/svc/method
safe_dir /lib/svc/share
safe_dir /usr
safe_dir /usr/bin
safe_dir /usr/lib
safe_dir /usr/lib/autofs
safe_dir /usr/lib/fs
safe_dir /usr/lib/fs/autofs
safe_dir /usr/lib/fs/ufs
safe_dir /usr/lib/fs/zfs
safe_dir /usr/lib/inet
safe_dir /usr/lib/zfs
safe_dir /usr/sbin

# ISA-specific directories.  The list is deliberately unquoted so that an
# empty ARCH32 or ARCH64 contributes no iteration.
for s10_isa in $ARCH32 $ARCH64; do
	safe_dir /usr/lib/ipf/$s10_isa
	safe_dir /usr/sbin/$s10_isa
done

safe_dir /sbin
safe_dir /var
safe_dir /var/svc
safe_dir /var/svc/manifest
safe_dir /var/svc/manifest/network
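#
# Some of the native networking daemons such as in.mpathd are
# expected under /lib/inet
#
# The directory is created and chowned only when the path is not a symlink.
# mkdir -p succeeds on an existing symlink that resolves to a directory and
# chown follows symlinks, so running them unconditionally would change the
# ownership of whatever the link points at before safe_dir has inspected
# the path.  safe_dir still runs in every case and is expected to reject a
# symlinked /lib/inet.
#
if [ ! -h "$ZONEROOT/lib/inet" ]; then
	mkdir -m 0755 -p "$ZONEROOT/lib/inet"
	chown root:bin "$ZONEROOT/lib/inet"
fi
safe_dir /lib/inet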
#
# STEP TWO
#
# Replace Solaris 10 binaries with Nevada binaries.
#
#
# Replace various network-related programs with native wrappers.
#
replace_with_native /sbin/dhcpagent 0555 root:bin
replace_with_native /sbin/dhcpinfo 0555 root:bin
replace_with_native /sbin/ifconfig 0555 root:bin
replace_with_native /usr/bin/netstat 0555 root:bin
replace_with_native /usr/lib/inet/in.ndpd 0555 root:bin
replace_with_native /usr/sbin/in.routed 0555 root:bin
replace_with_native /usr/sbin/ndd 0555 root:bin
replace_with_native /usr/sbin/snoop 0555 root:bin
replace_with_native /usr/sbin/if_mpadm 0555 root:bin

#
# Replace IPFilter commands with native wrappers, once per supported ISA.
# The ISA list is deliberately unquoted so that an empty ARCH32 or ARCH64
# contributes no iteration.
#
for ipf_isa in $ARCH32 $ARCH64; do
	replace_with_native /usr/lib/ipf/$ipf_isa/ipftest 0555 root:bin
	for ipf_cmd in ipf ipfs ipfstat ipmon ipnat ippool; do
		replace_with_native /usr/sbin/$ipf_isa/$ipf_cmd 0555 root:bin
	done
done
#
# Replace in.mpathd daemon at /usr/lib/inet by native wrapper.  The parent
# directory must be a real directory, not a symlink, before anything is
# written into it.
#
s10_inetdir=$ZONEROOT/usr/lib/inet
if [ ! -h $s10_inetdir ] && [ -d $s10_inetdir ]; then
	safe_replace $s10_inetdir/in.mpathd /lib/inet/in.mpathd \
	    0555 root:bin remove
fi

#
# Create wrapper at /lib/inet/in.mpathd as well because native ifconfig
# looks up in.mpathd under /lib/inet.
#
wrap_with_native /lib/inet/in.mpathd 0555 root:bin

# Create native wrapper for /sbin/ipmpstat
wrap_with_native /sbin/ipmpstat 0555 root:bin

#
# Create ipmgmtd wrapper to native binary in s10 container
# and copy ipmgmt service manifest and method.
#
wrap_with_native /lib/inet/ipmgmtd 0555 root:bin
safe_copy /lib/svc/manifest/network/network-ipmgmt.xml \
    $ZONEROOT/var/svc/manifest/network/network-ipmgmt.xml
safe_copy /lib/svc/method/net-ipmgmt $ZONEROOT/lib/svc/method/net-ipmgmt
#
# To handle certain IPMP configurations, we need updated
# net-physical method script and native net_include.sh
#
# Each file in the zone is first saved as <name>.pre_p2v and then overwritten
# with the copy taken from the global zone.
#
# NOTE(review): unlike the add_drv/rem_drv handling at the end of this script,
# these safe_backup calls are not guarded by a test for an existing .pre_p2v
# file, and this script runs on every boot.  Whether a later boot overwrites
# the first backup with the already-replaced file depends on safe_backup,
# which is not defined in this file -- confirm against common.ksh.
#
filename=$ZONEROOT/lib/svc/method/net-physical
safe_backup $filename $filename.pre_p2v
safe_copy /usr/lib/brand/solaris10/s10_net_physical $filename
filename=$ZONEROOT/lib/svc/share/net_include.sh
safe_backup $filename $filename.pre_p2v
safe_copy /lib/svc/share/net_include.sh $filename
#
# PSARC 2009/306 removed the ND_SET/ND_GET ioctl's for modifying
# IP/TCP/UDP/SCTP/ICMP tunables. If S10 ndd(8) is used within an
# S10 container, the kernel will return EINVAL. So we need this.
#
# NOTE(review): /usr/sbin/ndd is already replaced in the network-related
# list earlier in STEP TWO, so this call repeats that replacement.
#
replace_with_native /usr/sbin/ndd 0555 root:bin
#
# Replace various ZFS-related programs with native wrappers. These commands
# either link with libzfs, dlopen libzfs or link with libraries that link
# or dlopen libzfs. Commands which fall into these categories but which can
# only be used in the global zone are not wrapped. The libdiskmgt dm_in_use
# code uses libfs, but only the zpool_in_use() -> zpool_read_label() code path.
# That code does not issue ioctls on /dev/zfs and does not need wrapping.
#
replace_with_native /sbin/zfs 0555 root:bin
replace_with_native /sbin/zpool 0555 root:bin
replace_with_native /usr/lib/fs/ufs/quota 0555 root:bin
replace_with_native /usr/lib/fs/zfs/fstyp 0555 root:bin
replace_with_native /usr/lib/zfs/availdevs 0555 root:bin
replace_with_native /usr/sbin/df 0555 root:bin
replace_with_native /usr/sbin/zstreamdump 0555 root:bin
#
# Replace automount and automountd with native wrappers.
#
replace_with_native /usr/lib/fs/autofs/automount 0555 root:bin
replace_with_native /usr/lib/autofs/automountd 0555 root:bin
#
# The class-specific dispadmin(8) and priocntl(1) binaries must be native
# wrappers, and we must have all of the ones the native zone does. This
# allows new scheduling classes to appear without causing dispadmin and
# priocntl to be unhappy.
#
# The zone's /usr/lib/class is discarded and rebuilt from the global zone's
# tree on every boot.  The plain mkdir (no -p) fails if the rm -rf did not
# clear the path, and the script then exits with status 1.  /usr/lib itself
# is validated by a safe_dir call in STEP ONE.
#
rm -rf $ZONEROOT/usr/lib/class
mkdir $ZONEROOT/usr/lib/class || exit 1
# find prints a directory before its contents, so each directory is created
# in the zone before wrap_with_native, which requires an existing parent
# directory, is called for the files inside it.
# NOTE(review): the paths come from the global zone's /usr/lib/class; they
# are read without 'read -r' and expanded unquoted, which assumes names
# without whitespace, backslashes or glob characters.
find /usr/lib/class -type d -o -type f | while read x; do
[ -d $x ] && mkdir -p -m 755 $ZONEROOT$x
[ -f $x ] && wrap_with_native $x 0555 root:bin
done
#
# END OF STEP TWO
#
#
# Replace add_drv and rem_drv with /usr/bin/true so that pkgs/patches which
# install or remove drivers will work. NOTE: add_drv and rem_drv are hard
# linked to isaexec so we want to remove the current executable and
# then copy true so that we don't clobber isaexec.
#
# Same treatment for both driver commands: keep the first backup, unlink
# the hard link, then put the zone's own /usr/bin/true in its place.
for drv_cmd in add_drv rem_drv; do
	filename=$ZONEROOT/usr/sbin/$drv_cmd
	# Back up only when no .pre_p2v copy exists yet.
	[ ! -f $filename.pre_p2v ] && safe_backup $filename $filename.pre_p2v
	# Remove rather than overwrite in place, so that the isaexec inode
	# the command is hard linked to is left untouched.
	rm -f $filename
	safe_copy $ZONEROOT/usr/bin/true $filename
done

exit 0