Diffstat (limited to 'usr/src/lib')
62 files changed, 3703 insertions, 191 deletions
diff --git a/usr/src/lib/brand/Makefile b/usr/src/lib/brand/Makefile index bab69e385a..8b25716c27 100644 --- a/usr/src/lib/brand/Makefile +++ b/usr/src/lib/brand/Makefile @@ -20,33 +20,29 @@ # # # Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. -# Copyright (c) 2018, Joyent, Inc. +# Copyright 2019 Joyent, Inc. # -# lib/brand/Makefile -# -# include global definitions include ../../Makefile.master -# -# Build everything in parallel; use .WAIT for dependencies .PARALLEL: -i386_SUBDIRS= lx bhyve +i386_SUBDIRS= bhyve kvm lx i386_MSGSUBDIRS= lx -SUBDIRS= shared .WAIT sn1 solaris10 ipkg labeled $($(MACH)_SUBDIRS) +SUBDIRS= shared .WAIT sn1 solaris10 ipkg labeled \ + jcommon joyent joyent-minimal $($(MACH)_SUBDIRS) + MSGSUBDIRS= solaris10 shared $($(MACH)_MSGSUBDIRS) all := TARGET= all install := TARGET= install clean := TARGET= clean clobber := TARGET= clobber -lint := TARGET= lint _msg := TARGET= _msg .KEEP_STATE: -all install clean clobber lint: $(SUBDIRS) +all install clean clobber: $(SUBDIRS) _msg: $(MSGSUBDIRS) diff --git a/usr/src/lib/brand/ipkg/zone/Makefile b/usr/src/lib/brand/ipkg/zone/Makefile index a7324491c9..3f5183966b 100644 --- a/usr/src/lib/brand/ipkg/zone/Makefile +++ b/usr/src/lib/brand/ipkg/zone/Makefile @@ -23,8 +23,10 @@ # Copyright 2010 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2019 Joyent, Inc. +# -TEMPLATES= SUNWdefault.xml SUNWblank.xml +TEMPLATES= SUNWblank.xml XMLDOCS= config.xml platform.xml CLOBBERFILES= $(ROOTXMLDOCS) $(ROOTTEMPLATES) diff --git a/usr/src/lib/brand/jcommon/Makefile b/usr/src/lib/brand/jcommon/Makefile new file mode 100644 index 0000000000..d6ca5fb229 --- /dev/null +++ b/usr/src/lib/brand/jcommon/Makefile 
@@ -0,0 +1,26 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+PROGS = cattach cdetach cinstall cuninstall libhooks.ksh \
+ poststate prestate query statechange
+BRAND = jcommon
+FILEMODE = 0444
+
+include ../Makefile.brand
+
+clean:
+
+clobber:
+ $(RM) $(ROOTPROGS)
+
+install: $(ROOTPROGS)
diff --git a/usr/src/lib/brand/jcommon/README.smf b/usr/src/lib/brand/jcommon/README.smf
new file mode 100644
index 0000000000..64cd3ade4f
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/README.smf
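Review bot: `FILEMODE = 0444` installs every entry in PROGS non-executable, including `query`, which this diff checks in with mode 100755 while the other scripts are 100644. The scripts appear to be sourced by per-brand wrappers rather than executed (cattach calls `jcommon_attach_hook` and poststate reads `ps_brand`, neither defined in these files), so 0444 may be deliberate, but the Makefile should say so: a comment above PROGS such as `# Sourced by the per-brand hook scripts, never executed directly, hence 0444` would settle it, and `query` should then lose its executable bit for consistency. The empty `clean:` target is likewise undocumented; `clean: # nothing to clean, PROGS are installed as-is` would explain why it has no recipe.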
@@ -0,0 +1,107 @@ +# +# This file and its contents are supplied under the terms of the +# Common Development and Distribution License ("CDDL"), version 1.0. +# You may only use this file in accordance with the terms of version +# 1.0 of the CDDL. +# +# A full copy of the text of the CDDL should have accompanied this +# source. A copy of the CDDL is also available via the Internet at +# http://www.illumos.org/license/CDDL. +# + +# +# Copyright 2015 Joyent, Inc. +# + +There are a few rather brand specific issues related to how SMF works inside of +them. This README describes how the different pieces interact and where they are +defined. Note that this README only applies to the Joyent-style sparse zones. It +does not apply to the KVM brand or the traditional ipkg and S10 branded zones. + +# +# Per-brand manifests file +# + +Each brand has a file called `manifests`. This file lists the set of manifests +that the brand cares about being available to the zone. It is formatted as: + +<manifest_name> <enabled | disabled> + +Examples are: + +network/smb/client.xml disabled +network/ssh.xml enabled + +The use of enabled or disabled determines the default disposition of the service +when it is imported. + +This list is used in various places throughout the rest of the system for +determining what shows up in the SMF repositories by default and what shows up +in /lib/svc/manifest. + +# +# Files in /lib/svc/manifest +# + +/lib/svc/manifest is part of the sparse filesystem that gets placed into every +zone. Unlike /usr, /lib/svc/manifest is brand specific. The zones service +(svc:/system/zones:default) is responsible for creating the per-brand +/lib/svc/manifest directories and they live in /zones/manifests/<brand-name>. +This brand specific directory is lofs-mounted read-only into each zone. + +The presence of the enabled and disabled option in the brand's manifests file +determine whether or not the service is enabled by default when imported. 
The +xml file is changed to match the setting. + +# +# Initial SMF repositories +# + +SMF in the minimal brand works differently than it does in the normal Joyent +Brand when it comes to specifying the initial services that are inside of the +dataset and what files are in the SMF repository. + +SMF has the notion of a `seed repository`. This repository is the initial one +that is used or copied for new zones. This repository contains various services +already imported, whether or not they are enabled or disabled, and the various +service properties. + +The traditional `joyent` brand gets this from the dataset itself. In other words, +the database is already populated with the proper SMF state. + +In the `joyent-minimal` brand we handle this differently. We want to be able to +reuse the datasets that exist but not be stuck with their rather large seed +repositories that contain many things which are harmful in the minimal context, +particularly manifest import (both the early and normal kind). To handle this +the joyent-minimal brand defines a seed repository of its own that gets +installed at zone creation time and replaces any existing repository. + +This seed repository is generated using the `svc.configd-native` and +`svccfg-native` binaries. Every manifest listed in the brand's manifests file is +included. + +Manifests available to the `joyent` brand not imported into the database are +available for manual import in /lib/svc/manifest. With the minimal brand, only +the bare minimum number of manifests should be imported. + +# +# Using non-imported manifests +# + +To use one of the manifests that exists but hasn't been imported is pretty easy. +At some point in time after the initial creation of the zone (during the first +boot setup script for example), you can import the service. 
For example, if you +were going to import the cron service you would run: + +svccfg import /lib/svc/manifest/system/cron.xml + +Next, you need to potentially enable the service depending on the default +disposition of the service. You enable the service by running: + +svcadm enable -s <service> + +Adding the `-s` flag causes the enabling to be synchronous. If you do not +include the flag then it will poke svc.startd to enable the service and return. +If the service is already enabled by default, then this is safe to run and it +won't change anything. It is safer to just always enable or disable the service +after importing it based on your needs. diff --git a/usr/src/lib/brand/jcommon/cattach b/usr/src/lib/brand/jcommon/cattach new file mode 100644 index 0000000000..4f2e65ad83 --- /dev/null +++ b/usr/src/lib/brand/jcommon/cattach 
@@ -0,0 +1,63 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+unset LD_LIBRARY_PATH
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+. /usr/lib/brand/shared/common.ksh
+
+ZONENAME=""
+ZONEPATH=""
+# Default to 10GB diskset quota
+ZQUOTA=10
+
+while getopts "R:t:U:q:z:" opt
+do
+ case "$opt" in
+ R) ZONEPATH="$OPTARG";;
+ q) ZQUOTA="$OPTARG";;
+ z) ZONENAME="$OPTARG";;
+ *) printf "$m_usage\n"
+ exit $ZONE_SUBPROC_USAGE;;
+ esac
+done
+shift OPTIND-1
+
+if [[ -z $ZONEPATH || -z $ZONENAME ]]; then
+ print -u2 "Brand error: No zone path or name"
+ exit $ZONE_SUBPROC_USAGE
+fi
+
+# The dataset quota must be a number.
+case $ZQUOTA in *[!0-9]*)
+ print -u2 "Brand error: The quota $ZQUOTA is not a number"
+ exit $ZONE_SUBPROC_USAGE;;
+esac
+
+ZROOT=$ZONEPATH/root
+
+# Get the dataset of the parent directory of the zonepath.
+dname=${ZONEPATH%/*}
+bname=${ZONEPATH##*/}
+PDS_NAME=`mount | nawk -v p=$dname '{if ($1 == p) print $3}'`
+[ -z "$PDS_NAME" ] && \
+ print -u2 "Brand error: missing parent ZFS dataset for $dname"
+
+jcommon_attach_hook
+
+exit $ZONE_SUBPROC_OK
diff --git a/usr/src/lib/brand/jcommon/cdetach b/usr/src/lib/brand/jcommon/cdetach
new file mode 100644
index 0000000000..4b67b31fc5
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/cdetach
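Review bot: The parent-dataset check only reports the problem: `[ -z "$PDS_NAME" ] && print -u2 "Brand error: missing parent ZFS dataset for $dname"` falls through to `jcommon_attach_hook` with `PDS_NAME` empty and the script still exits `$ZONE_SUBPROC_OK`. cuninstall in this same change exits `$ZONE_SUBPROC_USAGE` in that situation; cattach, and the identical block in cinstall, should do the same, e.g. `if [[ -z "$PDS_NAME" ]]; then print -u2 "Brand error: missing parent ZFS dataset for $dname"; exit $ZONE_SUBPROC_USAGE; fi`. The `mount | nawk -v p=$dname ...` lookup is repeated verbatim in cattach, cinstall and cuninstall; a single helper in libhooks.ksh would keep the three in step, and quoting `p="$dname"` would stop a zonepath with whitespace from being split. The hook `jcommon_attach_hook` is not defined here, so a one-line comment naming where the sourcing brand is expected to provide it would help the next reader.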
@@ -0,0 +1,50 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+unset LD_LIBRARY_PATH
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+. /usr/lib/brand/shared/common.ksh
+
+ZONENAME=""
+ZONEPATH=""
+
+while getopts "R:t:U:z:" opt
+do
+ case "$opt" in
+ R) ZONEPATH="$OPTARG";;
+ z) ZONENAME="$OPTARG";;
+ *) printf "$m_usage\n"
+ exit $ZONE_SUBPROC_USAGE;;
+ esac
+done
+shift OPTIND-1
+
+if [[ -z $ZONEPATH || -z $ZONENAME ]]; then
+ print -u2 "Brand error: No zone path or name"
+ exit $ZONE_SUBPROC_USAGE
+fi
+
+#
+# We just need a brand hook so that we can bypass the mount checking
+# that zoneadm does. This is needed because we have the cores dataset
+# mounted under {zonepath}/root.
+#
+cp /etc/zones/${ZONENAME}.xml ${ZONEPATH}/SUNWdetached.xml
+
+exit $ZONE_SUBPROC_OK
diff --git a/usr/src/lib/brand/jcommon/cinstall b/usr/src/lib/brand/jcommon/cinstall
new file mode 100644
index 0000000000..98b9322b5f
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/cinstall
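Review bot: The result of `cp /etc/zones/${ZONENAME}.xml ${ZONEPATH}/SUNWdetached.xml` is never checked, so a failed copy (missing zone config, unwritable zonepath) still exits `$ZONE_SUBPROC_OK` and the zone is recorded as detached without the file a later attach needs. Propose `cp /etc/zones/${ZONENAME}.xml ${ZONEPATH}/SUNWdetached.xml || exit $ZONE_SUBPROC_FATAL`, reusing the status libhooks.ksh already exits with. The getopts string `"R:t:U:z:"` declares `-t` and `-U` but the case has no branch for them, so either option lands in `*)` and aborts with a usage error; either add `t|U) ;;` (the way cuninstall ignores `F`) or drop them from the string. cattach in this change has the same mismatch between its getopts string and its case.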
@@ -0,0 +1,183 @@ +#!/bin/ksh -p +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2016, Joyent, Inc. All rights reserved. +# Use is subject to license terms. +# + +unset LD_LIBRARY_PATH +PATH=/usr/bin:/usr/sbin +export PATH + +. /usr/lib/brand/shared/common.ksh + +REPROVISONING="" +ZONENAME="" +ZONEPATH="" +# Default to 10GB diskset quota +ZQUOTA=10 +ZVOL_NAME=`/usr/bin/uuid -v 4` + +# +# The following are the list of features that a corresponding brand may +# enable. If they wish to do so, then they must set the following flags +# to values such that [[ -z $flag ]] is true. The following are the +# currently supported flags: +# +# o jst_reprovision - Brand supports reprovision +# o jst_tmplopt - Template image optional +# + +function fixup_images +{ + # New imgadm renames the dataset's snapshot at import to @final for us + # and when it exists, we use that. However, when it does not exist we + # still use the old method of creating a zones/<uuid>@<uuid> snapshot + # so we can support old datasets. + exists=$(zfs list -Ho name ${PDS_NAME}/${TMPLZONE}@final 2>&1) + if [[ $? 
== 0 && ${exists} == "${PDS_NAME}/${TMPLZONE}@final" ]]; then + zfs clone -o devices=off -F ${QUOTA_ARG} ${PDS_NAME}/${TMPLZONE}@final \ + ${PDS_NAME}/${bname} || fatal "failed to clone zone dataset" + elif [[ ${exists} =~ "dataset does not exist" ]]; then + zfs snapshot ${PDS_NAME}/${TMPLZONE}@${bname} + zfs clone -o devices=off -F ${QUOTA_ARG} ${PDS_NAME}/${TMPLZONE}@${bname} \ + ${PDS_NAME}/${bname} || fatal "failed to clone zone dataset" + else + fatal "Unable to determine snapshot for ${PDS_NAME}/${TMPLZONE}" + fi +} + +while getopts "rR:t:U:q:z:" opt +do + case "$opt" in + r) + set -x + if [[ -z "$jst_reprovision" ]]; then + print -u2 "unsupported reprovision requested" + exit $ZONE_SUBPROC_USAGE + fi + REPROVISIONING="true" + ;; + R) ZONEPATH="$OPTARG";; + t) TMPLZONE="$OPTARG";; + # UUID is only used in the postinstall script + U) UUID="$OPTARG";; + q) ZQUOTA="$OPTARG";; + z) ZONENAME="$OPTARG";; + *) printf "$m_usage\n" + exit $ZONE_SUBPROC_USAGE;; + esac +done +shift OPTIND-1 + +# +# IMPORTANT: all actions below need to consider reprovision. If the action +# modifies files in the zoneroot itself, it should be run on reprovision +# any other changes to the zone or dataset should not be done on reprovision. +# + +if [[ -z ${REPROVISIONING} \ + && -n $(zonecfg -z "${ZONENAME}" info attr name=transition \ + | grep "value: receiving:") ]]; then + + # Here we're doing an install for a received zone, the dataset should have + # already been created. + exit $ZONE_SUBPROC_OK +fi + +if [[ -z $ZONEPATH || -z $ZONENAME ]]; then + print -u2 "Brand error: No zone path or name" + exit $ZONE_SUBPROC_USAGE +fi + +if [[ -z ${REPROVISIONING} ]]; then + # The install may requires a template zone. + if [[ -z $TMPLZONE && -z "$jst_tmplopt" ]]; then + print -u2 "Brand error: a zone template is required" + exit $ZONE_SUBPROC_USAGE + fi + + # The dataset quota must be a number. 
+ case $ZQUOTA in *[!0-9]*) + print -u2 "Brand error: The quota $ZQUOTA is not a number" + exit $ZONE_SUBPROC_USAGE;; + esac +fi + +ZROOT=$ZONEPATH/root + +if [[ -z ${REPROVISIONING} ]]; then + # Get the dataset of the parent directory of the zonepath. + dname=${ZONEPATH%/*} + bname=${ZONEPATH##*/} + PDS_NAME=`mount | nawk -v p=$dname '{if ($1 == p) print $3}'` + [ -z "$PDS_NAME" ] && \ + print -u2 "Brand error: missing parent ZFS dataset for $dname" + + # We expect that zoneadm was invoked with '-x nodataset', so it won't have + # created the dataset. + + QUOTA_ARG= + if [[ ${ZQUOTA} != "0" ]]; then + QUOTA_ARG="-o quota=${ZQUOTA}g" + fi + + # + # Some zone brands (KVM) optionally have a top level dataset. If + # they don't have one, we need to set the quota on the data + # disk. Otherwise, we set it on the normal top level dataset. + # + if [[ -z ${TMPLZONE} ]]; then + zfs set quota=${ZQUOTA}g ${PDS_NAME}/${bname} + else + fixup_images + fi + +fi + +# The rest should be run when REPROVISIONING is set as well. + +# Make sure zoneinit is setup to use -o xtrace, this handles old datasets where +# is not yet enabled by default. +if [[ -f ${ZROOT}/root/zoneinit && \ + -z $(grep "^set -o xtrace" ${ZROOT}/root/zoneinit) ]]; then + sed -i "" -e "s/^#set -o xtrace/set -o xtrace/" ${ZROOT}/root/zoneinit +fi + +if [ ! -d ${ZONEPATH}/config ]; then + mkdir -p ${ZONEPATH}/config + chmod 755 ${ZONEPATH}/config +fi + +if [ ! -d ${ZROOT}/tmp ]; then + mkdir -p ${ZROOT}/tmp + chmod 1777 ${ZROOT}/tmp +fi + +# make /var/svc for the 'provisioning file' +if [ ! -d ${ZROOT}/var/svc ]; then + mkdir -p ${ZROOT}/var/svc + chmod 0755 ${ZROOT}/var/svc +fi + +jcommon_attach_hook + +exit $ZONE_SUBPROC_OK diff --git a/usr/src/lib/brand/jcommon/cuninstall b/usr/src/lib/brand/jcommon/cuninstall new file mode 100644 index 0000000000..9be35bc7a9 --- /dev/null +++ b/usr/src/lib/brand/jcommon/cuninstall 
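Review bot: The `r)` case runs `set -x`, so every reprovision traces the rest of the install (the zfs clones, the sed on zoneinit, the mkdir/chmod calls) to stderr unconditionally; it reads like leftover debugging and should be removed, or gated on `$_ZONEADMD_brand_debug` the way poststate and prestate gate their `ksh -x`. `REPROVISONING=""` near the top is misspelled, the variable tested everywhere else is `REPROVISIONING`; harmless in ksh, but it means the intended initialisation never happens. `ZVOL_NAME` is assigned from `/usr/bin/uuid -v 4` and never used in this file; if a sourcing brand relies on it, a comment should say so, otherwise drop the assignment. The parent-dataset check in the `-z ${REPROVISIONING}` block prints an error but does not exit, as already raised on cattach.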
@@ -0,0 +1,74 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2016 Joyent, Inc. All rights reserved.
+#
+
+unset LD_LIBRARY_PATH
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+. /usr/lib/brand/shared/common.ksh
+
+ZONENAME=""
+ZONEPATH=""
+
+while getopts "FR:z:" opt
+do
+ case "$opt" in
+ F) ;;
+ R) ZONEPATH="$OPTARG";;
+ z) ZONENAME="$OPTARG";;
+ *) printf "$m_usage\n"
+ exit $ZONE_SUBPROC_USAGE;;
+ esac
+done
+shift OPTIND-1
+
+if [[ -z $ZONEPATH || -z $ZONENAME ]]; then
+ print -u2 "Brand error: No zone path or name"
+ exit $ZONE_SUBPROC_USAGE
+fi
+
+# Get the dataset of the parent directory of the zonepath.
+dname=${ZONEPATH%/*}
+bname=${ZONEPATH##*/}
+PDS_NAME=`mount | nawk -v p=$dname '{if ($1 == p) print $3}'`
+if [[ -z "$PDS_NAME" ]]; then
+ print -u2 "Brand error: missing parent ZFS dataset for $dname"
+ exit $ZONE_SUBPROC_USAGE
+fi
+
+# check if the origin is not an @final dataset, if not, we'll destroy it
+ORIGIN=`zfs get -H -ovalue origin $PDS_NAME/$bname | grep -v "@final$"`
+
+zfs destroy -rF $PDS_NAME/cores/$bname
+zfs destroy -rF $PDS_NAME/$bname
+if [[ $? != 0 ]]; then
+ echo "processes in zone: "
+ fuser ${ZONEPATH}
+ # Since we are destroying the zone, we don't want to leave a zoneroot behind
+ # just because something couldn't be umounted. So we'll also force the
+ # umount with the 'f' option here.
+ zfs destroy -rfF $PDS_NAME/$bname
+fi
+
+[[ -n ${ORIGIN} && ${ORIGIN} != "-" ]] && zfs destroy -F $ORIGIN
+
+rm -rf $ZONEPATH
+rm -rf /var/zonecontrol/${ZONENAME}
+
+jcommon_uninstall_hook
+
+exit $ZONE_SUBPROC_OK
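Review bot: The forced retry `zfs destroy -rfF $PDS_NAME/$bname` is the last attempt, yet its status is not checked before `rm -rf $ZONEPATH` runs and the script exits `$ZONE_SUBPROC_OK` regardless, so a dataset that could not be destroyed is reported to zoneadm as a successful uninstall while it keeps consuming space and may still be mounted under `$ZONEPATH` when the `rm -rf` walks it. Propose `zfs destroy -rfF $PDS_NAME/$bname || exit $ZONE_SUBPROC_FATAL` so the leftover surfaces as an error. `bname=${ZONEPATH##*/}` is empty when `ZONEPATH` carries a trailing slash, turning the destroy targets into `$PDS_NAME/` and `$PDS_NAME/cores/`; normalising with `ZONEPATH=${ZONEPATH%/}` before deriving `dname`/`bname` avoids that, and the same derivation appears in cattach and cinstall. The first `zfs destroy -rF $PDS_NAME/cores/$bname` is presumably best-effort (the cores dataset may not exist); a short comment saying so would stop a reader from treating its unchecked status as an oversight.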
diff --git a/usr/src/lib/brand/jcommon/libhooks.ksh b/usr/src/lib/brand/jcommon/libhooks.ksh
new file mode 100644
index 0000000000..346356519c
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/libhooks.ksh
@@ -0,0 +1,96 @@ +#!/bin/ksh -p +# +# +# This file and its contents are supplied under the terms of the +# Common Development and Distribution License ("CDDL"), version 1.0. +# You may only use this file in accordance with the terms of version +# 1.0 of the CDDL. +# +# A full copy of the text of the CDDL should have accompanied this +# source. A copy of the CDDL is also available via the Internet at +# http://www.illumos.org/license/CDDL. +# + +# +# Copyright (c) 2014 Joyent, Inc. All rights reserved. +# + +# +# This file contains various hooks that are used by nore than a single +# brand. This file should be included by the brand-specific files. +# + +jattach_kvm_final_setup() +{ + ZRAM=$(zonecfg -z ${ZONENAME} info attr name=ram | \ + grep "value: " | cut -d ':' -f2 | tr -d ' ') + + if [[ -z ${ZRAM} ]]; then + echo "Unable to find RAM value for KVM VM" + exit $ZONE_SUBPROC_FATAL + fi + + # 100G unless the VM has 80G or more DRAM, in which case: DRAM + 20G. + CORE_QUOTA=102400 + if [[ ${ZRAM} -gt 81920 ]]; then + CORE_QUOTA=$((${ZRAM} + 20480)) + fi + + # The cores quota exists to control run-away zones. As such we make it + # such that it will protect the system from a single run-away, but + # still allow us to get most cores. + rm -rf $ZONEPATH/cores + zfs create -o quota=${CORE_QUOTA}m -o mountpoint=/${PDS_NAME}/$bname/cores \ + ${PDS_NAME}/cores/$bname +} + +jattach_zone_final_setup() +{ + if [[ -z ${REPROVISIONING} ]]; then + # The cores quota exists to control run-away zones. As such we make it + # such that it will protect the system from a single run-away, but + # still allow us to get most cores. 100G seems good enough based on + # samples from JPC. + rm -rf $ZONEPATH/cores + CORE_QUOTA=102400 + zfs create -o quota=${CORE_QUOTA}m -o mountpoint=/${PDS_NAME}/$bname/cores \ + ${PDS_NAME}/cores/$bname + + chmod 700 $ZONEPATH + fi + + egrep -s "netcfg:" $ZROOT/etc/passwd + if (( $? 
!= 0 )); then + echo "netcfg:x:17:65:Network Configuration Admin:/:" \ + >> $ZROOT/etc/passwd + echo "netcfg:*LK*:::::::" >> $ZROOT/etc/shadow + fi + egrep -s "netadm:" $ZROOT/etc/group + (( $? != 0 )) && echo "netadm::65:" >> $ZROOT/etc/group + + # /etc/svc/profile needs to be a directory with some contents which we + # can get from the template. The early manifest import svc + # (lib/svc/method/manifest-import) copies some symlinks from the + # template's var/svc/profile dir and we need to make sure those are + # pointing at the right files and not left dangling. + ZPROFILE=$ZROOT/etc/svc/profile + if [ ! -d $ZPROFILE ]; then + mkdir $ZPROFILE + cp -p $ZROOT/var/svc/profile/generic_limited_net.xml $ZPROFILE + cp -p $ZROOT/var/svc/profile/inetd_generic.xml $ZPROFILE + cp -p $ZROOT/var/svc/profile/ns_dns.xml $ZPROFILE + cp -p $ZROOT/var/svc/profile/platform_none.xml $ZPROFILE + fi + + touch $ZROOT/var/log/courier.log +} + +function juninstall_delegated_dataset +{ + # Now destroy any delegated datasets. Redirect to /dev/null in case they + # were already destroyed when we removed the zonepath dataset. + DD=`zonecfg -z $ZONENAME info dataset | nawk '{if ($1 == "name:") print $2}'` + for i in $DD; do + zfs destroy -rF $i >/dev/null 2>&1 + done +} diff --git a/usr/src/lib/brand/jcommon/poststate b/usr/src/lib/brand/jcommon/poststate new file mode 100644 index 0000000000..4e4b1207ed --- /dev/null +++ b/usr/src/lib/brand/jcommon/poststate 
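Review bot: `egrep -s "netcfg:" $ZROOT/etc/passwd` and `egrep -s "netadm:" $ZROOT/etc/group` match the text anywhere on a line, not as the account name, so a GECOS field or a differently named account containing the string makes the hook skip creating `netcfg`/`netadm` while a genuine entry could still be duplicated if the string appears only later on its line; anchor both: `egrep -s "^netcfg:" $ZROOT/etc/passwd` and `egrep -s "^netadm:" $ZROOT/etc/group`. In `jattach_kvm_final_setup`, `[[ ${ZRAM} -gt 81920 ]]` assumes the zonecfg `ram` attribute is a bare integer; a value with a unit suffix would presumably make the comparison an arithmetic error instead of the clean `$ZONE_SUBPROC_FATAL` exit the empty case gets, so a numeric check like cinstall's `case $ZQUOTA in *[!0-9]*)` before it would be consistent. The header comment has a typo, `nore` should read `more`. The functions rely on `ZONENAME`, `ZONEPATH`, `ZROOT`, `PDS_NAME`, `bname` and `REPROVISIONING` from the including script; listing those expected variables in the header comment would make the contract explicit.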
@@ -0,0 +1,34 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+unset LD_LIBRARY_PATH
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+if [[ -n $_ZONEADMD_brand_debug ]]; then
+ logfile=/var/log/zone_bh.$1
+ date >>$logfile
+ echo "zone $1 post-state-change $3 $4" >>$logfile
+ ksh -x /usr/lib/brand/$ps_brand/statechange "post" $@ 2>>$logfile
+ res=$?
+ echo "zone $1 post-state-change result $res" >>$logfile
+else
+ /usr/lib/brand/$ps_brand/statechange "post" $@
+ res=$?
+fi
+
+exit $res
diff --git a/usr/src/lib/brand/jcommon/prestate b/usr/src/lib/brand/jcommon/prestate
new file mode 100644
index 0000000000..a61af89752
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/prestate
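Review bot: `$@` is passed unquoted to statechange on both branches, so any argument containing whitespace is re-split before statechange sees it; use `"$@"` in both invocations. `ps_brand` is read but never set in this file, presumably by the per-brand poststate that sources it; if it is unset the path degenerates to `/usr/lib/brand//statechange`, which names no brand directory, so a header comment such as `# ps_brand must be set by the per-brand wrapper that sources this file` (or a guard `[[ -n $ps_brand ]] || exit 1`) would make the dependency visible. prestate in this same change has the identical two issues.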
@@ -0,0 +1,34 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+unset LD_LIBRARY_PATH
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+if [[ -n $_ZONEADMD_brand_debug ]]; then
+ logfile=/var/log/zone_bh.$1
+ date >>$logfile
+ echo "zone $1 pre-state-change $3 $4" >>$logfile
+ ksh -x /usr/lib/brand/$ps_brand/statechange "pre" $@ 2>>$logfile
+ res=$?
+ echo "zone $1 pre-state-change result $res" >>$logfile
+else
+ /usr/lib/brand/$ps_brand/statechange "pre" $@
+ res=$?
+fi
+
+exit $res
diff --git a/usr/src/lib/brand/jcommon/query b/usr/src/lib/brand/jcommon/query
new file mode 100755
index 0000000000..70ea39d8e2
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/query
@@ -0,0 +1,52 @@
+#!/bin/ksh -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+#
+
+PATH=/usr/bin:/usr/sbin
+export PATH
+
+. /usr/lib/brand/shared/common.ksh
+
+zonename=$1
+zonepath=$2
+cmd=$3
+
+if [ $3 == "env" ]; then
+ #
+ # zoneadmd reads one (arbitrary length) line of input from the query
+ # hook. If there is more than one environment variable to pass back,
+ # delimit each one with tabs. zoneadmd will split the line at the tabs
+ # and set each key/value pair in its environment.
+ #
+ # Currently, only _ZONEADMD_ZPOOL is used to set the %P substitution
+ # for the brand configuration.
+ #
+ entry=$(svccfg -s smartdc/init listprop '*/zpool')
+ if [ -n "$entry" ]; then
+ val=${entry##* * }
+ [ -n "$val" ] && echo "_ZONEADMD_ZPOOL=/${val}\c"
+ fi
+fi
+
+exit $ZONE_SUBPROC_OK
diff --git a/usr/src/lib/brand/jcommon/statechange b/usr/src/lib/brand/jcommon/statechange
new file mode 100644
index 0000000000..58eae5ab5a
--- /dev/null
+++ b/usr/src/lib/brand/jcommon/statechange
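Review bot: `if [ $3 == "env" ]; then` tests the raw positional parameter unquoted, so an absent or empty third argument collapses to `[ == "env" ]`, which `test` rejects as a malformed expression rather than treating as false; `cmd=$3` is assigned on the line above for exactly this purpose and then never read. Prefer `if [[ $cmd == "env" ]]; then`, which also sidesteps the non-portable `==` under `[`. `zonename` and `zonepath` are likewise assigned and unused; if they are kept to document the hook's argument order, a one-line comment saying so (`# query hook is invoked as: query <zonename> <zonepath> <cmd>`) would stop a later cleanup from removing them.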
@@ -0,0 +1,906 @@ +#!/bin/ksh -p +# +# +# This file and its contents are supplied under the terms of the +# Common Development and Distribution License ("CDDL"), version 1.0. +# You may only use this file in accordance with the terms of version +# 1.0 of the CDDL. +# +# A full copy of the text of the CDDL should have accompanied this +# source. A copy of the CDDL is also available via the Internet at +# http://www.illumos.org/license/CDDL. +# + +# +# Copyright (c) 2018 Joyent, Inc. All rights reserved. +# + +unset LD_LIBRARY_PATH +PATH=/usr/bin:/usr/sbin +export PATH + +. /lib/sdc/config.sh + +# subcommand: +# pre +# post + +# state +# ZONE_STATE_CONFIGURED 0 (script will never see this) +# ZONE_STATE_INCOMPLETE 1 (script will never see this) +# ZONE_STATE_INSTALLED 2 +# ZONE_STATE_READY 3 +# ZONE_STATE_RUNNING 4 +# ZONE_STATE_SHUTTING_DOWN 5 +# ZONE_STATE_DOWN 6 +# ZONE_STATE_MOUNTED 7 + +# cmd +# +# ready 0 +# boot 1 +# forceboot 2 +# reboot 3 +# halt 4 +# uninstalling 5 +# mount 6 +# forcemount 7 +# unmount 8 + +subcommand=$1 +ZONENAME=$2 +ZONEPATH=$3 +state=$4 +cmd=$5 + +VNDADM=/usr/sbin/vndadm +SNAPSHOT_DIR=root/checkpoints +OVERLAY_RULES=/var/run/smartdc/networking/overlay_rules.json +DEFAULT_MTU=1500 + +# +# The following are the list of features that a corresponding brand may +# enable. If they wish to do so, then they must set the following flags +# to values such that [[ -z $flag ]] is true. 
The following are the +# currently supported flags: +# +# o jst_vrrp - Enables vrrp +# o jst_ufpromisc - Supports unfiltered promiscuous mode +# o jst_createvnd - Create vnd devices +# o jst_simplefs - Only setup lastbooted in the FS +# o jst_showsnap - Show snapshots in the FS +# +# In addition, the brand must also specify the following parameters: +# +# o jst_mdatapath - The path the metadata socket is expected in the zone +# + +get_boolean_nic_property() +{ + bool_val=$(eval echo \$_ZONECFG_net_${1}_${2}) + if [[ "${bool_val}" == "1" ]] || [[ "${bool_val}" == "true" ]]; then + echo "true" + else + echo "false" + fi +} + +nm2prefix() +{ + prefix=0 + numparts=0 + OLDIFS=$IFS + IFS=. + for digit in $1 ; do + (( numparts+=1 )) + case $digit in + 255) + (( prefix+=8 )) + ;; + 254) + (( prefix+=7 )) + ;; + 252) + (( prefix+=6 )) + ;; + 248) + (( prefix+=5 )) + ;; + 240) + (( prefix+=4 )) + ;; + 224) + (( prefix+=3 )) + ;; + 192) + (( prefix+=2 )) + ;; + 128) + (( prefix+=1 )) + ;; + 0);; + *) + echo "Invalid digit in netmask: $digit" 1>&2; + IFS=$OLDIFS + return 1;; + esac + done + if [[ $numparts -ne 4 ]]; then + echo "Too many parts in the IP address" 1>&2; + IFS=$OLDIFS + return 1 + fi + IFS=$OLDIFS + echo "$prefix" +} + +# +# Set up the vnic(s) for the zone. +# +setup_net() +{ + typeset tmp overlay tag id rule + for nic in $_ZONECFG_net_resources + do + # Get simplified versions of the network config. variables. 
+ address=$(eval echo \$_ZONECFG_net_${nic}_address) + # If address set, must be a shared stack zone + [[ -n $address ]] && exit 0 + + global_nic=$(eval echo \$_ZONECFG_net_${nic}_global_nic) + # If no global-nic, must be a dedicated physical NIC instead + # of a vnic + [[ -z $global_nic ]] && continue + + dhcp_server=$(get_boolean_nic_property ${nic} dhcp_server) + mac_addr=$(eval echo \$_ZONECFG_net_${nic}_mac_addr) + vlan_id=$(eval echo \$_ZONECFG_net_${nic}_vlan_id) + blocked_outgoing_ports=$(eval \ + echo \$_ZONECFG_net_${nic}_blocked_outgoing_ports) + zone_ips=$(eval echo \$_ZONECFG_net_${nic}_ips) + zone_ip=$(eval echo \$_ZONECFG_net_${nic}_ip) + zone_netmask=$(eval echo \$_ZONECFG_net_${nic}_netmask) + allow_dhcp_spoof=$(get_boolean_nic_property ${nic} allow_dhcp_spoofing) + allow_ip_spoof=$(get_boolean_nic_property ${nic} allow_ip_spoofing) + allow_mac_spoof=$(get_boolean_nic_property ${nic} allow_mac_spoofing) + allow_restricted_traffic=$(get_boolean_nic_property ${nic} \ + allow_restricted_traffic) + allow_unfiltered_promisc=$(get_boolean_nic_property ${nic} \ + allow_unfiltered_promisc) + allowed_ips=$(eval echo \$_ZONECFG_net_${nic}_allowed_ips) + allowed_dhcp_cids=$(eval echo \$_ZONECFG_net_${nic}_allowed_dhcp_cids) + vrid=$(eval echo \$_ZONECFG_net_${nic}_vrrp_vrid) + vrrp_primary_ip=$(eval \ + echo \$_ZONECFG_net_${nic}_vrrp_primary_ip) + mtu=$(eval echo \$_ZONECFG_net_${nic}_mtu) + isoverlay= + + # If we don't have our zone_ips, it may be because the configuration + # was made on an older platform. In that case, use the "ip" and + # "netmask" properties for this NIC, and save it as "ips". + if [[ -z $zone_ips && -n $zone_ip ]]; then + [[ -n $zone_netmask ]] && + zone_ip=$zone_ip/`nm2prefix $zone_netmask` + + zone_ips=$zone_ip + fi + + + + orig_global=$global_nic + + # + # The nic tag for a device (the zonecfg global_nic) can come in + # one of a few forms. 
It may: + # + # 1) Be a traditional tag which refers to a physical device or + # aggregation to create a VNIC over. The source of this + # mapping is sysinfo. + # + # 2) It can be the name of an etherstub. The source of these is + # from dladm show-etherstub + # + # 3) It can take the form of an overlay device rule. An overlay + # device rule is an invalid DLPI device and invalid nic tag. + # It has the form of <name>/<number>. For example, + # sdc_sdn/23. That refers to the overlay rule sdc_sdn. If we + # have an overlay rule, we may need to dynamically create the + # overlay device if it doesn't exist. + # + # To handle these cases, we first check if it's an overlay + # device, and then if not, check the other cases. + # + + tmp=$(echo $orig_global | sed -E 's_[a-zA-Z_0-9]+/[0-9]+__') + if [[ -n "$tmp" ]]; then + + # + # We only need sysinfo if we get here, and we only need to load it + # once. Loading is about the same cost as looking up a single + # value. + # + if [[ -z $SYSINFO_LOADED ]]; then + load_sdc_sysinfo + SYSINFO_LOADED="LOADED" + fi + global_nic=$(eval echo \$SYSINFO_NIC_${orig_global}) + + # If the global nic is specified as a device or etherstub name + # rather than a tag. + if [[ -z $global_nic ]]; then + echo "$(dladm show-phys -p -o LINK) $(dladm show-etherstub -p -o LINK)" \ + | egrep "(^| )${orig_global}( |$)" > /dev/null + (( $? == 0 )) && global_nic=${orig_global} + fi + else + isoverlay="true" + tag=${orig_global%/*} + num=${orig_global#*/} + global_nic="$tag$num" + rule=$(json -f $OVERLAY_RULES $tag) + if [[ $? -ne 0 || -z "$rule" ]]; then + logger -p daemon.err "zone $ZONENAME had tag " \ + "$tag which indicates an overlay rule, " \ + "no corresponding overlay rule found." + exit 1 + fi + fi + + # For backwards compatibility with the other parts of the + # system, check if this zone already has this vnic setup. + # If so, move on to the next vnic. + dladm show-vnic -p -o LINK -z $ZONENAME $nic >/dev/null 2>&1 + (( $? 
== 0 )) && continue + + if [[ -z $global_nic ]]; then + echo "undefined VNIC $nic " \ + "(global NIC $orig_global)" + logger -p daemon.err "zone $ZONENAME " \ + "undefined VNIC $nic (global NIC $orig_global)" + exit 1 + fi + + # + # If we have an overlay device, do we need to create it, or does + # it already exist? + # + if [[ -n "$isoverlay" ]]; then + if ! dladm show-overlay $global_nic 2>/dev/null; then + dladm create-overlay $rule -v $num $global_nic + if [[ $? -ne 0 ]]; then + # If creation fails, ALSO check + # for existence again, in case + # someone beat us to it. + if ! dladm show-overlay $global_nic \ + 2> /dev/null; then + logger -p daemon.err "zone $ZONENAME " \ + "failed to create overlay device " \ + "$global_nic with command " \ + "'dladm create-overlay $rule -v " \ + "$num $global_nic" + exit 1 + fi + fi + fi + fi + + + # + # Create the vnic. + # + + opt_str="-p " + + # + # Traditionally we created VNICs without ever specifying + # the MTU. In the world before we supported any kind of + # jumbo frames, this is fine, because it would always + # match the physical which was 1500 by default for + # almost all of our devices. However, when we added + # support for mtu in nictagadm and changing it in boot + # up, we didn't properly assert the default MTU. This + # has led to VMs potentially getting the wrong MTU and + # ending up using jumbo frames when the network is + # expecting 1500 byte frames. Marx Brothers-esque comedy + # and despair ensues. + # + # Thus we always assert that if no MTU is specified by + # the VM, then we go back to the traditional 'default' + # value which is 1500. + # + if [[ -z "$mtu" ]]; then + mtu=$DEFAULT_MTU + fi + + opt_str="$opt_str mtu=$mtu," + + # + # Always append the zone as the last property. This is + # to work around the fact that once we associate it with + # a zone, the zone will have a hold on the device and + # we'll not be able to delete it if a create fails due + # to a bad property (say an invalid MTU). 
Note if we + # have other properties, it is their responsibility to + # put a trailing comma on it. + # + opt_str="${opt_str}zone=$ZONENAME" + + if [[ -n "$jst_vrrp" && -n $vrid ]]; then + # MAC addresses for VRRP vnics are determined by the VRID + mac_addr="vrrp" + opt_str="$opt_str -V $vrid -A inet" + fi + + [[ -n $mac_addr ]] && opt_str="$opt_str -m $mac_addr" + + [[ -n $vlan_id && $vlan_id != 0 ]] && \ + opt_str="$opt_str -v $vlan_id" + + + # + # Creating a VNIC in a zone is a multi-step process internally. + # This means there is a short window where the VNIC exists in + # the global zone and that could lead to a race condition if + # two zones boot at the same time with the same VNIC name. Use + # a temp. name to create the VNIC then rename it to have the + # correct name. + # + tname=tmp$$0 + dout=`dladm create-vnic -t -l $global_nic $opt_str $tname 2>&1` + if (( $? != 0 )); then + printf "error creating VNIC %s (global NIC %s)\n" \ + "$nic" "$orig_global" + printf "msg: %s\n" "$dout" + printf "Failed cmd: dladm create-vnic %s" \ + "-t -l $global_nic $opt_str $tname" + logger -p daemon.err "zone $ZONENAME error creating " \ + "VNIC $nic (global NIC $orig_global $global_nic)" + logger -p daemon.err "msg: $dout" + logger -p daemon.err "Failed cmd: dladm create-vnic " \ + "-t -l $global_nic $opt_str $tname" + + # Show more info if dup MAC addr. + echo $dout | egrep -s "MAC address is already in use" + if (( $? == 0 )); then + entry=`dladm show-vnic -olink,macaddress,zone \ + | nawk -v addr=$mac_addr '{ + if ($2 == addr) + print $0 + }'` + if [[ -n $entry ]]; then + print -f "LINK\tMACADDRESS\tZONE\n" + print -f "%s\n" "$entry" + fi + fi + exit 1 + fi + dladm rename-link -z $ZONENAME $tname $nic + if (( $? != 0 )); then + echo "error renaming VNIC $tname $nic" + logger -p daemon.err "zone $ZONENAME error renaming " \ + "VNIC $tname $nic" + exit 1 + fi + + if [[ -z $mac_addr ]]; then + # There was no assigned mac address + + # Get newly assigned mac address. 
+ mac_addr=$(dladm show-vnic -z $ZONENAME -p -o \ + MACADDRESS ${nic}) + + # Save newly assigned mac address + [[ -n $mac_addr ]] && zonecfg -z $ZONENAME \ + "select net physical=$nic; " \ + "set mac-addr=$mac_addr; end; exit" + fi + + # Set up antispoof options + + if [[ $dhcp_server == "true" ]] || [[ $allow_dhcp_spoof == "true" ]]; then + enable_dhcp="true" + # This needs to be off for dhcp server zones + allow_ip_spoof="true" + else + enable_dhcp="false" + fi + + comma="" + spoof_opts="" + if [[ $allow_mac_spoof != "true" ]]; then + spoof_opts="${spoof_opts}${comma}mac-nospoof" + comma="," + fi + if [[ $allow_ip_spoof != "true" ]]; then + spoof_opts="${spoof_opts}${comma}ip-nospoof" + comma="," + fi + if [[ $allow_restricted_traffic != "true" ]]; then + spoof_opts="${spoof_opts}${comma}restricted" + comma="," + fi + if [[ ${enable_dhcp} == "false" ]]; then + spoof_opts="${spoof_opts}${comma}dhcp-nospoof" + comma="," + fi + + if [[ -n ${spoof_opts} ]]; then + dladm set-linkprop -t -z $ZONENAME -p \ + "protection=${spoof_opts}" ${nic} + if (( $? != 0 )); then + echo "error setting VNIC protection $nic $spoof_opts" + logger -p daemon.err "zone $ZONENAME error setting " \ + "VNIC protection $nic $spoof_opts" + exit 1 + fi + fi + + # If we aren't using IP spoofing, we'll need to set the allowed-ips + # property on the NIC so that the zone will be able to ifconfig the + # proper addresses. + if [[ $allow_ip_spoof != "true" ]]; then + unset allowed_ip_map + typeset -A allowed_ip_map + + dynamic_methods="" + separator="" + OLDIFS=$IFS + IFS=, + + for zone_ip in $zone_ips; do + # For each static IP available, add it to the list. 
+ if [[ $zone_ip == "dhcp" ]]; then + dynamic_methods+="${separator}dhcpv4" + separator="," + elif [[ $zone_ip == "addrconf" ]]; then + dynamic_methods+="${separator}addrconf" + separator="," + else + clean_ip=`printf "%s" "${zone_ip}" | sed 's|^\([^/]*\)/.*|\1|'` + allowed_ip_map[${clean_ip}]=true + fi + done + + # If any additional IPs have been specified (for example, older + # VMs set up for IPv6 before vmadm gained support), add them to + # the list. + for allowed_ip in $allowed_ips; do + allowed_ip_map[${allowed_ip}]=true + done + IFS=$OLDIFS + + # If we're using VRRP and have the IP, add it to the list. + if [[ -n "$jst_vrrp" && -n $vrrp_primary_ip ]]; then + allowed_ip_map[${vrrp_primary_ip}]=true + fi + + allowed_ip_list="" + + separator="" + for allowed_ip in ${!allowed_ip_map[@]}; do + allowed_ip_list+="${separator}${allowed_ip}" + separator="," + done + + # Set the allowed-ips property on the NIC + if [[ -n ${allowed_ip_list} ]] && + ! dladm set-linkprop -t -z $ZONENAME \ + -p "allowed-ips=${allowed_ip_list}" ${nic}; then + log_and_exit \ + "error setting VNIC allowed-ips $nic $allowed_ip_list" + fi + + # Set the dynamic-methods property on the NIC + if [[ -n ${dynamic_methods} ]] && + ! dladm set-linkprop -t -z $ZONENAME \ + -p "dynamic-methods=${dynamic_methods}" ${nic}; then + log_and_exit \ + "error setting VNIC dynamic-methods $nic $dynamic_methods" + fi + fi + + if [[ "$enable_dhcp" != "true" ]] && [[ -n "$allowed_dhcp_cids" ]] && + ! dladm set-linkprop -p "allowed-dhcp-cids=${allowed_dhcp_cids}" \ + -t -z $ZONENAME $nic; then + log_and_exit \ + "error setting VNIC allowed-dhcp-cids $nic $allowed_dhcp_cids" + fi + + if [[ "$enable_dhcp" != "true" ]] && [[ -z "$allowed_dhcp_cids" ]] && + [[ "$zone_ips" == *dhcp* || "$zone_ips" == *addrconf* ]] && + ! 
dladm set-linkprop -p "allow-all-dhcp-cids=true" \ + -t -z $ZONENAME $nic; then + log_and_exit "error setting VNIC allow-all-dhcp-cids $nic" + fi + + if [[ -n "$jst_ufpromisc" && ${allow_unfiltered_promisc} == "true" ]]; then + dladm set-linkprop -t -z $ZONENAME -p "promisc-filtered=off" ${nic} + fi + + if [[ -n $blocked_outgoing_ports ]]; then + OLDIFS=$IFS + IFS=, + for port in $blocked_outgoing_ports; do + # br='block remote'. Flow names should be < 31 + # chars in length so that they get unique + # kstats. + # Use the VNIC mac addr. to generate a unique + # name. + mac_addr=`dladm show-vnic -z $ZONENAME -p \ + -o MACADDRESS $nic | tr ':' '_'` + flowadm add-flow -t -l $nic -z $ZONENAME \ + -a transport=tcp,remote_port=$port \ + -p maxbw=0 f${mac_addr}_br_${port} + if (( $? != 0 )); then + echo "error adding flow " \ + "$nic f${mac_addr}_br_${port}" + logger -p daemon.err "zone $ZONENAME " \ + "error adding flow " \ + "$nic f${mac_addr}_br_${port}" + exit 1 + fi + done + IFS=$OLDIFS + fi + + if [[ -n "$jst_createvnd" ]]; then + # + # At this point we should go ahead and set up + # the vnd interface for this datalink. + # + $VNDADM create -z $ZONENAME $nic + if [[ $? -ne 0 ]]; then + echo "failed to create vnd device" + exit 1 + fi + fi + done +} + +# +# Log a message, then exit +# +log_and_exit() +{ + echo "$1" + logger -p daemon.err "zone $ZONENAME $1" + exit 1 +} + +# +# Set up the firewall for the zone. +# +setup_fw() +{ + ipf_conf=$ZONEPATH/config/ipf.conf + ipf6_conf=$ZONEPATH/config/ipf6.conf + if [ -e $ipf_conf ]; then + echo "starting firewall ($ipf_conf)" + /usr/sbin/ipf -GE $ZONENAME + if (( $? != 0 )); then + log_and_exit "error enabling ipfilter" + fi + + /usr/sbin/ipf -GFa $ZONENAME + if (( $? != 0 )); then + log_and_exit "error flushing ipfilter (IPv4)" + fi + + /usr/sbin/ipf -6GFa $ZONENAME + if (( $? != 0 )); then + log_and_exit "error flushing ipfilter (IPv6)" + fi + + /usr/sbin/ipf -Gf $ipf_conf $ZONENAME + if (( $? 
!= 0 )); then + log_and_exit "error loading ipfilter config for IPv4" + fi + + if [[ -e $ipf6_conf ]] && + ! /usr/sbin/ipf -6Gf $ipf6_conf $ZONENAME; then + log_and_exit "error loading ipfilter config for IPv6" + fi + + /usr/sbin/ipf -Gy $ZONENAME + if (( $? != 0 )); then + log_and_exit "error syncing ipfilter interfaces" + fi + fi +} + +# +# We're readying the zone. Make sure the per-zone writable +# directories exist so that we can lofs mount them. We do this here, +# instead of in the install script, since this list has evolved and +# there are already zones out there in the installed state. +# +setup_fs() +{ + # create directory for metadata socket + mkdir -m755 -p /var/zonecontrol/${ZONENAME} + + uname -v > $ZONEPATH/lastbooted + [[ -n "$jst_simplefs" ]] && return + + [ ! -d $ZONEPATH/site ] && mkdir -m755 $ZONEPATH/site + [ ! -d $ZONEPATH/local ] && mkdir -m755 $ZONEPATH/local + [ ! -d $ZONEPATH/$SNAPSHOT_DIR ] && mkdir -m755 $ZONEPATH/$SNAPSHOT_DIR + if [ ! -d $ZONEPATH/ccs ]; then + mkdir -m755 $ZONEPATH/ccs + (cd /usr/ccs; tar cbf 512 - *) | \ + (cd $ZONEPATH/ccs; tar xbf 512 -) + fi + +} + +setup_snapshots() +{ + # + # Because the top-level directory of each ZFS snapshot contains some + # internal information, mount the /root directory of each snapshot + # separately. + # + for snap in $(ls -1 $ZONEPATH/.zfs/snapshot); do + snapdir=$ZONEPATH/$SNAPSHOT_DIR/$(echo ${snap} | sed -e "s/^vmsnap-//") + mkdir -p ${snapdir} + mount -F lofs -o ro,setuid,nodevices \ + $ZONEPATH/.zfs/snapshot/${snap}/root ${snapdir} + done +} + +# +# If the zone has a CPU cap, calculate the CPU baseline and set it so we can +# track when we're bursting. There are many ways that the baseline can be +# calculated based on the other settings in the zones (e.g. a simple way would +# be as a precentage of the cap). +# +# For SmartMachines, our CPU baseline is calculated off of the system's +# provisionable memory and the memory cap of the zone. 
We assume that 83% of +# the system's memory is usable by zones (the rest is for the OS) and we assume +# that the zone memory cap is set so that we're proportional to how many zones +# we can provision on the system (i.e. we don't overprovision memory). Using +# these assumptions, we calculate the proportion of CPU for the zone based on +# its proportion of memory. Thus, the zone's CPU baseline is calculated using: +# ((zone capped memsize in MB) * 100) / (MB/core). +# Uncapped zones have no baseline (i.e. infrastructure zones). +# +# Remember that the cpu-cap rctl and the baseline are expressed in units of +# a percent of a CPU, so 100 is 1 full CPU. +# +setup_cpu_baseline() +{ + # A brand can override the setup of bursting. + [ -n "$NO_BURSTING" ] && return + + # If there is already a baseline, don't set one heuristically + curr_base=`prctl -P -n zone.cpu-baseline -i zone $ZONENAME | nawk '{ + if ($2 == "privileged") print $3 + }'` + [ -n "$curr_base" ] && return + + # Get current cap and convert from zonecfg format into rctl format + cap=`zonecfg -z $ZONENAME info capped-cpu | nawk '{ + if ($1 == "[ncpus:") print (substr($2, 1, length($2) - 1) * 100) + }'` + [ -z "$cap" ] && return + + # Get zone's memory cap in MB times 100 + zmem=`zonecfg -z $ZONENAME info capped-memory | nawk '{ + if ($1 == "[physical:") { + val = substr($2, 1, length($2) - 2) + units = substr($2, length($2) - 1, 1) + + # convert GB to MB + if (units == "G") + val *= 1024 + print (val * 100) + } + }'` + [ -z "$zmem" ] && return + + # Get system's total memory in MB + smem=`prtconf -m` + # provisionable memory is 83% of total memory (bash can't do floats) + prov_mem=$((($smem * 83) / 100)) + nprocs=`psrinfo -v | \ + nawk '/virtual processor/ {cnt++} END {print cnt}'` + + mb_per_core=$(($prov_mem / $nprocs)) + + baseline=$(($zmem / $mb_per_core)) + [[ $baseline == 0 ]] && baseline=1 + [[ $baseline -gt $cap ]] && baseline=$cap + + prctl -n zone.cpu-baseline -v $baseline -t priv -i zone 
$ZONENAME +} + +cleanup_snapshots() +{ + # + # Each ZFS snapshot is mounted separately, so find all mounted + # snapshots for this zone, and unmount them. + # + snaps=$(ls -1 $ZONEPATH/$SNAPSHOT_DIR) + + for snap in ${snaps}; do + snapdir=$ZONEPATH/$SNAPSHOT_DIR/$(echo ${snap} | sed -e "s/^vmsnap-//") + umount ${snapdir} + rmdir ${snapdir} + done +} + +# +# We're halting the zone, perform network cleanup. +# +cleanup_net() +{ + # Cleanup any flows that were setup. + for nic in $_ZONECFG_net_resources + do + flowadm remove-flow -t -z $ZONENAME -l $nic + if (( $? != 0 )); then + echo "error removing flows for $nic" + logger -p daemon.err "zone $ZONENAME " \ + "error removing flows for $nic" + fi + done +} + +id_gz_sockholder() +{ + echo "searching for GZ process holding socket $1" + logger -p daemon.err "zone $ZONENAME " \ + "searching for GZ process holding socket $1" + + pid=`(cd /proc; + for i in *; + do + pfiles $i 2>/dev/null | egrep -s "AF_UNIX $1"; + [ $? == 0 ] && echo "$i"; + done)` + + [ -z "$pid" ] && return + + echo "Error: GZ process $pid holding socket $1 blocking shutdown" + logger -p daemon.err "Error: zone $ZONENAME:" \ + "GZ process $pid holding socket $1 blocking shutdown" +} + +# zonadmd unable to unmount the given path, try to cleanup so unmount can +# succeed. 
+cleanup_mount() +{ + echo "attempting to cleanup mount $1" + logger -p daemon.err "zone $ZONENAME attempting to cleanup mount $1" + + fnd_procs=0 + for i in `fuser -c $1 2>/dev/null` + do + fnd_procs=1 + + pty=`ps -otty -p $i | \ + nawk '{if ($1 != "TT" && $1 != "?") print $0}'` + + if [ -n "$pty" ]; then + echo "shell process $i blocking zone" \ + "$ZONENAME shutdown, killing the process" | wall + echo "killing GZ user shell $i under $1" + logger -p daemon.err "zone $ZONENAME:" \ + "killing GZ user shell $i under $1" + kill -9 $i + else + echo "Error: GZ process $i under $1 blocking shutdown" + logger -p daemon.err "Error: zone $ZONENAME:" \ + "GZ process $i under $1 blocking shutdown" + + local args="pargs: `pargs $i`" + echo "$args" + logger -p daemon.err "$args" + + local tree="ptree: `ptree $i`" + echo "$tree" + logger -p daemon.err "$tree" + fi + done + + if [ $fnd_procs -eq 1 ]; then + # Exit out to give the zoneadmd umount a chance to suceed now. + # Zoneadmd will give us another shot if it still can't umount. + sleep 1 + exit 0 + fi + + # Processes which are injected into a zone and then open a file as a + # socket end-point will show in pfiles with the path relative to the + # zone's root. For example, a zone with its root at /zones/foo/root and + # an open socket as /zones/foo/root/var/run/x will show up in a pfiles + # search as /var/run/x. This is a problem since we have no way to + # narrow down which process is the culprit. 
+ # + # Because the socket doesn't have enough information for us to tie to + # the specific GZ process, we hardcode to id things we know will open + # sockets into the zone: + # $jst_mdatapath/metadata.sock + # /var/run/.smartdc-amon.sock + + ZVR=$ZONEPATH/root/var/run + [ -S $ZVR/smartdc/metadata.sock ] && + id_gz_sockholder $jst_mdatapath/metadata.sock + + [ -S $ZVR/.smartdc-amon.sock ] && + id_gz_sockholder /var/run/.smartdc-amon.sock +} + +function fix_forced_attrs { + typeset attr + + for attr in ${!FORCED_ATTRS[@]}; do + typeset nval=${FORCED_ATTRS["$attr"]} + typeset -n envvar=_ZONECFG_attr_${attr//-/_} + typeset cval=$envvar + + if [[ $cval == $nval ]]; then + # In most cases, $nval and $cval will be the same and + # nothing needs to be done. This includes the case where + # $nval and $cval are "". + continue + elif [[ -z $nval ]]; then + logger -p daemon.error "[zone $ZONENAME]" \ + "Illegal value for attr '$attr': '$cval'." \ + "Removing attr '$attr'" + zonecfg -z "$ZONENAME" "remove -F attr name=$attr" + + unset ${!envvar} + else + logger -p daemon.error "[zone $ZONENAME]" \ + "Illegal value for attr '$attr': '$cval'." \ + "Setting to '$nval'" + zonecfg -z "$ZONENAME" "remove -F attr name=$attr;" \ + "add attr; set type=string;" \ + "set name=$attr; set value=\"$nval\"; end;" + + export ${!envvar}="$nval" + fi + done +} + +# +# Main +# + +case $subcommand in +pre) + case $cmd in + 0) # pre-ready + fix_forced_attrs + setup_fs + ;; + 4) # pre-halt + [[ -n "$jst_showsnap" ]] && cleanup_snapshots + cleanup_net + ;; + esac + ;; +post) + case $cmd in + 0) # post-ready + [[ -n "$jst_showsnap" ]] && setup_snapshots + setup_net + setup_fw + ;; + 1) # post-boot + # We can't set a rctl until we have a process in the zone to + # grab + setup_cpu_baseline + ;; + 8) # post-unmount + # Zone halt is hung unmounting, try to recover + if [[ $state == 6 ]]; then + cleanup_mount "$6" + fi + ;; + esac + ;; +esac + +exit 0 
diff --git a/usr/src/lib/brand/joyent-minimal/Makefile b/usr/src/lib/brand/joyent-minimal/Makefile
new file mode 100644
index 0000000000..0823a1f94e
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/Makefile
@@ -0,0 +1,31 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+default: all
+
+# Build everything in parallel; use .WAIT for dependencies
+.PARALLEL:
+
+SUBDIRS = zone
+
+all := TARGET= all
+install := TARGET= install
+clean := TARGET= clean
+clobber := TARGET= clobber
+
+all install clean clobber: $(SUBDIRS)
+
+$(SUBDIRS): FRC
+ @cd $@; pwd; $(MAKE) $(TARGET)
+
+FRC:
diff --git a/usr/src/lib/brand/joyent-minimal/zone/Makefile b/usr/src/lib/brand/joyent-minimal/zone/Makefile
new file mode 100644
index 0000000000..a0fbc14d5c
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/Makefile
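Review bot: The recursion recipe `@cd $@; pwd; $(MAKE) $(TARGET)` chains with `;`, so if `cd zone` fails the `$(MAKE)` still runs in the parent directory with the same target (e.g. `clobber`) rather than stopping. I believe this is the idiom used throughout the tree and may be kept for consistency; if not, `@cd $@ && pwd && $(MAKE) $(TARGET)` fails closed at no cost. The `.PARALLEL:` line is harmless with a single subdirectory, but its comment about `.WAIT` dependencies refers to nothing in this file and could be dropped or reworded.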
@@ -0,0 +1,37 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+BRAND = joyent-minimal
+
+include $(SRC)/lib/brand/Makefile.brand
+
+PROGS = jattach jdetach jinstall juninstall poststate prestate statechange
+XMLDOCS = config.xml platform.xml
+TXTS = manifests
+
+CLOBBERFILES = $(ROOTXMLDOCS) $(ROOTTXTS) $(ROOTPROGS)
+
+# These shouldn't be necessary, but for some reason the same thing in
+# ../../Makefile.brand is not being picked up.
+$(ROOTPROGS) := FILEMODE = 755
+$(ROOTTXTS) := FILEMODE = 444
+$(ROOTXMLDOCS) := FILEMODE = 444
+
+all: $(PROGS)
+
+install: $(PROGS) $(ROOTPROGS) $(ROOTXMLDOCS) $(ROOTTXTS)
+
+clean:
+ $(RM) $(CLEANFILES)
+
+include $(SRC)/cmd/Makefile.targ
diff --git a/usr/src/lib/brand/joyent-minimal/zone/config.xml b/usr/src/lib/brand/joyent-minimal/zone/config.xml
new file mode 100644
index 0000000000..64e92464fe
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/config.xml
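Review bot: `PROGS` omits `query`, yet the `config.xml` added in this commit points `<query>` at `/usr/lib/brand/joyent-minimal/query`; unless that file is delivered by something outside this Makefile (a packaging manifest, or a link to the `jcommon/query` script this commit also adds), zoneadmd will find no query hook and the `_ZONEADMD_ZPOOL` substitution silently never happens. Either add `query` to `PROGS` or, if it is intentionally provided elsewhere, a one-line comment saying where would save the next reader the same check. The `FILEMODE` overrides carry a "for some reason" comment; recording what was actually observed (which target, which resulting mode) would let the workaround be removed once the cause in `Makefile.brand` is found.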
@@ -0,0 +1,115 @@ +<?xml version="1.0"?> + +<!-- + CDDL HEADER START + + The contents of this file are subject to the terms of the + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. + + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + or http://www.opensolaris.org/os/licensing. + See the License for the specific language governing permissions + and limitations under the License. + + When distributing Covered Code, include this CDDL HEADER in each + file and include the License file at usr/src/OPENSOLARIS.LICENSE. + If applicable, add the following below this CDDL HEADER, with the + fields enclosed by brackets "[]" replaced with your own identifying + information: Portions Copyright [yyyy] [name of copyright owner] + + CDDL HEADER END + + Copyright 2015 Joyent, Inc. All rights reserved. + Use is subject to license terms. + + DO NOT EDIT THIS FILE. +--> + +<!DOCTYPE brand PUBLIC "-//Joyent Inc//DTD Brands//EN" + "file:///usr/share/lib/xml/dtd/brand.dtd.1"> + +<brand name="joyent-minimal"> + <modname></modname> + + <initname>/sbin/init</initname> + <login_cmd>/usr/bin/login -z %Z %u</login_cmd> + <forcedlogin_cmd>/usr/bin/login -z %Z -f %u</forcedlogin_cmd> + <user_cmd>/usr/bin/getent passwd %u</user_cmd> + + <install>/usr/lib/brand/joyent-minimal/jinstall -z %z -R %R</install> + <installopts>R:t:U:q:z:</installopts> + <boot></boot> + <halt></halt> + <verify_cfg></verify_cfg> + <verify_adm></verify_adm> + <postclone></postclone> + <postinstall></postinstall> + <attach>/usr/lib/brand/joyent-minimal/jattach -z %z -R %R</attach> + <detach>/usr/lib/brand/joyent-minimal/jdetach -z %z -R %R</detach> + <clone></clone> + <uninstall>/usr/lib/brand/joyent-minimal/juninstall -z %z -R %R</uninstall> + <prestatechange>/usr/lib/brand/joyent-minimal/prestate %z %R</prestatechange> + <poststatechange>/usr/lib/brand/joyent-minimal/poststate %z %R</poststatechange> + 
<query>/usr/lib/brand/joyent-minimal/query %z %R</query> + + <privilege set="default" name="contract_event" /> + <privilege set="default" name="contract_identity" /> + <privilege set="default" name="contract_observer" /> + <privilege set="default" name="dtrace_proc" /> + <privilege set="default" name="dtrace_user" /> + <privilege set="default" name="file_chown" /> + <privilege set="default" name="file_chown_self" /> + <privilege set="default" name="file_dac_execute" /> + <privilege set="default" name="file_dac_read" /> + <privilege set="default" name="file_dac_search" /> + <privilege set="default" name="file_dac_write" /> + <privilege set="default" name="file_owner" /> + <privilege set="default" name="file_setid" /> + <privilege set="default" name="ipc_dac_read" /> + <privilege set="default" name="ipc_dac_write" /> + <privilege set="default" name="ipc_owner" /> + <privilege set="default" name="net_bindmlp" /> + <privilege set="default" name="net_icmpaccess" /> + <privilege set="default" name="net_mac_aware" /> + <privilege set="default" name="net_observability" /> + <privilege set="default" name="net_privaddr" /> + <privilege set="default" name="net_rawaccess" ip-type="exclusive" /> + <privilege set="default" name="proc_chroot" /> + <privilege set="default" name="sys_audit" /> + <privilege set="default" name="proc_audit" /> + <privilege set="default" name="proc_lock_memory" /> + <privilege set="default" name="proc_owner" /> + <privilege set="default" name="proc_prioup" /> + <privilege set="default" name="proc_secflags" /> + <privilege set="default" name="proc_setid" /> + <privilege set="default" name="proc_taskid" /> + <privilege set="default" name="sys_acct" /> + <privilege set="default" name="sys_admin" /> + <privilege set="default" name="sys_fs_import" /> + <privilege set="default" name="sys_ip_config" ip-type="exclusive" /> + <privilege set="default" name="sys_iptun_config" ip-type="exclusive" /> + <privilege set="default" name="sys_mount" /> + <privilege 
set="default" name="sys_nfs" /> + <privilege set="default" name="sys_smb" /> + <privilege set="default" name="sys_resource" /> + <privilege set="default" name="sys_ppp_config" ip-type="exclusive" /> + + <privilege set="prohibited" name="dtrace_kernel" /> + <privilege set="prohibited" name="proc_zone" /> + <privilege set="prohibited" name="sys_config" /> + <privilege set="prohibited" name="sys_devices" /> + <privilege set="prohibited" name="sys_ip_config" ip-type="shared" /> + <privilege set="prohibited" name="sys_linkdir" /> + <privilege set="prohibited" name="sys_net_config" /> + <privilege set="prohibited" name="sys_res_config" /> + <privilege set="prohibited" name="sys_suser_compat" /> + <privilege set="prohibited" name="xvm_control" /> + <privilege set="prohibited" name="virt_manage" /> + <privilege set="prohibited" name="sys_ppp_config" ip-type="shared" /> + + <privilege set="required" name="proc_exec" /> + <privilege set="required" name="proc_fork" /> + <privilege set="required" name="sys_ip_config" ip-type="exclusive" /> + <privilege set="required" name="sys_mount" /> +</brand> diff --git a/usr/src/lib/brand/joyent-minimal/zone/jattach b/usr/src/lib/brand/joyent-minimal/zone/jattach new file mode 100755 index 0000000000..b99c0211fe --- /dev/null +++ b/usr/src/lib/brand/joyent-minimal/zone/jattach 
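Review bot: The `default` privilege set grants `sys_admin`, `sys_fs_import`, `sys_smb`, `sys_nfs`, `proc_prioup`, `proc_lock_memory`, `net_rawaccess` and both `dtrace_proc`/`dtrace_user`, and the file carries no comment on why a brand named "minimal" needs each of them; as far as I can tell some of these (`proc_lock_memory` with no resource cap visible here, `proc_prioup`) let the zone affect global-zone resource behaviour rather than only its own view. A short comment block above the `<privilege>` entries naming which entries go beyond the base zone default and the consumer that requires each would make later trimming possible, and the `DO NOT EDIT THIS FILE` banner at the top makes recording that rationale here all the more important. It is also worth noting in the same comment that `net_rawaccess` on exclusive-IP zones is bounded by the `ip-nospoof`/`mac-nospoof` link protections that `jcommon/statechange` applies, since that dependency is otherwise invisible from this file.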
@@ -0,0 +1,26 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_zone_final_setup
+}
+
+ps_brand="joyent-minimal"
+. /usr/lib/brand/jcommon/cattach
diff --git a/usr/src/lib/brand/joyent-minimal/zone/jdetach b/usr/src/lib/brand/joyent-minimal/zone/jdetach
new file mode 100755
index 0000000000..5671f06bf9
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/jdetach
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent-minimal"
+. /usr/lib/brand/jcommon/cdetach
diff --git a/usr/src/lib/brand/joyent-minimal/zone/jinstall b/usr/src/lib/brand/joyent-minimal/zone/jinstall
new file mode 100755
index 0000000000..167566bdca
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/jinstall
@@ -0,0 +1,32 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+# Does this brand support reprovisioning?
+jst_reprovision="yes"
+
+# Is a template image optional?
+# jst_tmplopt="yes"
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_zone_final_setup
+ cp /usr/lib/brand/joyent-minimal/repository.db ${ZROOT}/etc/svc
+}
+
+. /usr/lib/brand/jcommon/cinstall
diff --git a/usr/src/lib/brand/joyent-minimal/zone/juninstall b/usr/src/lib/brand/joyent-minimal/zone/juninstall
new file mode 100755
index 0000000000..09051a17b6
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/juninstall
@@ -0,0 +1,25 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_uninstall_hook
+{
+ juninstall_delegated_dataset
+}
+
+. /usr/lib/brand/jcommon/cuninstall
diff --git a/usr/src/lib/brand/joyent-minimal/zone/manifests b/usr/src/lib/brand/joyent-minimal/zone/manifests
new file mode 100644
index 0000000000..955d46702e
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/manifests
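Review bot: The `cp /usr/lib/brand/joyent-minimal/repository.db ${ZROOT}/etc/svc` line inside `jcommon_attach_hook` ignores cp's exit status and leaves `${ZROOT}` unquoted, so a missing target directory or a failed copy lets the install carry on with no seeded SMF repository and nothing in the log to say why. Check the result, `cp /usr/lib/brand/joyent-minimal/repository.db "${ZROOT}/etc/svc/" || exit 1` (or whichever error helper `libhooks.ksh` provides, which is outside this change), and say what the copy is for, e.g. `# Seed the zone's SMF repository from the brand's pre-built copy`. `ZROOT` is presumably set by the sourced jcommon scripts rather than by this file; worth confirming it is populated before the hook runs.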
@@ -0,0 +1,127 @@
+#
+# This file lists the SMF manifests which are available in the global
+# zone and which should be setup for use in non-global zones. Not
+# all SMF services are usable within a zone, so only those that are usable
+# should be listed here.
+#
+# The format of the file is:
+# manifest_name enable/disable
+# The manifest_name is found relative to /lib/svc/manifest on the system.
+# The second field is used to indicate if the svc should be enabled or
+# disabled by default within zones, independently of its current status in
+# the global zone.
+#
+# The following is a list of SMF svcs which could be run in a zone, but
+# which we're not currently installing on our live image. If we add any
+# of these to the image and we want it to also be available in zones,
+# then we need to move the entry to the end and uncomment it out.
+#
+# application/cups.xml
+# application/font/fc-cache.xml
+# application/graphical-login/gdm.xml
+# application/management/net-snmp.xml
+# application/management/seaport.xml
+# application/management/snmpdx.xml
+# application/opengl/ogl-select.xml
+# application/print/service-selector.xml
+# application/security/tcsd.xml
+# application/x11/x11-server.xml
+# application/x11/xfs.xml
+# application/x11/xvnc-inetd.xml
+# network/ldap/client.xml
+# network/rpc/keyserv.xml
+# network/socket-filter-kssl.xml
+# network/ssl/kssl-proxy.xml
+# network/nfs/rquota.xml
+# network/smb/server.xml
+# network/dns/server.xml
+# network/ftp.xml
+# network/finger.xml
+# network/comsat.xml
+# network/rpc/rstat.xml
+# network/rpc/rusers.xml
+# network/rpc/spray.xml
+# network/rpc/wall.xml
+# network/talk.xml
+# network/ntp.xml
+# network/sendmail-client.xml
+# network/smtp-sendmail.xml
+# network/telnet.xml
+# network/wpa.xml
+# network/rpc/gss.xml
+# network/security/kadmin.xml
+# network/security/krb5kdc.xml
+# network/security/ktkt_warn.xml
+# network/rpc/smserver.xml
+# network/nfs/cbd.xml
+# network/nfs/mapid.xml
+# network/nfs/status.xml
+# network/ipmievd.xml
+# network/nis/client.xml
+# network/http-apache22.xml
+# system/consolekit.xml
+# system/device/devices-audio.xml
+# system/fm/notify-params.xml
+# system/install/system-config.xml
+# system/pkgserv.xml
+#
+
+#
+# The following is a list of SMF svcs which are installed on our live image and
+# which could be run in a zone, but which we choose not to run in our zones.
+# If we ever do want to run any of these, move the entry to the end and
+# uncomment it out.
+#
+# network/nfs/client.xml
+# network/nfs/nlockmgr.xml
+# system/boot-archive-update.xml
+# system/boot-archive.xml
+# system/boot-config.xml
+# system/cron.xml
+# system/fmd.xml
+# system/sac.xml
+#
+
+#
+# The following is a list of SMF svc manifests under /lib/svc/manifest. These
+# are available on our live image and are runnable in a zone. Since the zones
+# are sharing the base file system with the global zone, we set up so that
+# only these svcs are configured in zones, independently of the global zone
+# /lib/svc/manifest hierarchy.
+#
+
+system/svc/restarter.xml enabled
+network/dlmgmt.xml enabled
+system/filesystem/root-fs.xml enabled
+#
+# This was running, but not in our set of manifests. Maybe it came in
+# from /var.
+#
+system/boot-archive.xml enabled
+network/network-ipmgmt.xml enabled
+system/filesystem/usr-fs.xml enabled
+network/network-loopback.xml enabled
+system/device/devices-local.xml enabled
+milestone/single-user.xml enabled
+network/network-physical.xml enabled
+system/filesystem/minimal-fs.xml enabled
+milestone/network.xml enabled
+system/filesystem/joyent-fs.xml enabled
+system/filesystem/local-fs.xml enabled
+system/name-service-cache.xml enabled
+system/process-security.xml enabled
+milestone/name-services.xml enabled
+system/identity.xml enabled
+network/network-initial.xml enabled
+network/network-service.xml enabled
+network/dns/client.xml enabled
+network/network-netmask.xml enabled
+network/network-routing-setup.xml enabled
+milestone/sysconfig.xml enabled
+system/system-log.xml enabled
+milestone/multi-user-server.xml enabled
+milestone/multi-user.xml enabled
+milestone/name-services.xml enabled
+system/early-manifest-import.xml disabled
+system/manifest-import.xml disabled
+system/mdata.xml enabled
diff --git a/usr/src/lib/brand/joyent-minimal/zone/platform.xml b/usr/src/lib/brand/joyent-minimal/zone/platform.xml
new file mode 100644
index 0000000000..025d0e9d79
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/platform.xml
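Review bot: `milestone/name-services.xml enabled` appears twice in the enabled list (once after `system/process-security.xml`, again after `milestone/multi-user.xml`); drop one unless the consumer of this file is known to tolerate duplicates. In the same file `system/boot-archive.xml` is listed under the services "we choose not to run in our zones" and is then enabled a few lines later under `# This was running, but not in our set of manifests. Maybe it came in from /var.` — the two statements contradict each other. Either remove the commented-out entry or replace the speculative comment with the actual reason the service is enabled in this brand, so the next reader does not have to guess which of the two is current.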
@@ -0,0 +1,171 @@
+<?xml version="1.0"?>
+
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2017 Joyent, Inc.
+
+ DO NOT EDIT THIS FILE.
+-->
+
+<!DOCTYPE platform PUBLIC "-//Joyent Inc//Zones Platform//EN"
+ "file:///usr/share/lib/xml/dtd/zone_platform.dtd.1">
+
+<platform name="joyent-minimal" allow-exclusive-ip="true">
+
+ <!-- Global filesystems to mount when booting the zone -->
+ <global_mount special="/dev" directory="/dev" type="dev"
+ opt="attrdir=%R/root/dev"/>
+
+ <global_mount special="/var/zonecontrol/%z" directory="/.zonecontrol"
+ opt="ro,nodevices,nosetuid,noexec" type="lofs" />
+
+ <global_mount special="/lib" directory="/lib"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%P/manifests/joyent" directory="/lib/svc/manifest"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%R/site" directory="/lib/svc/manifest/site"
+ opt="nodevices" type="lofs" />
+ <global_mount special="/sbin" directory="/sbin"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="/usr" directory="/usr"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%R/local" directory="/usr/local"
+ opt="nodevices" type="lofs" />
+ <global_mount special="%R/ccs" directory="/usr/ccs"
opt="nodevices" type="lofs" />
+
+ <!-- Local filesystems to mount when booting the zone -->
+ <mount special="/proc" directory="/proc" type="proc" />
+ <mount special="ctfs" directory="/system/contract" type="ctfs" />
+ <mount special="mnttab" directory="/etc/mnttab" type="mntfs" />
+ <mount special="objfs" directory="/system/object" type="objfs" />
+ <mount special="lxproc" directory="/system/lxproc" type="lxproc" />
+ <mount special="swap" directory="/etc/svc/volatile" type="tmpfs" />
+
+ <!-- Devices to create under /dev -->
+ <device match="arp" />
+ <device match="bpf" />
+ <device match="conslog" />
+ <device match="cpu/self/cpuid" />
+ <device match="crypto" />
+ <device match="cryptoadm" />
+ <device match="dsk" />
+ <device match="dtrace/*" />
+ <device match="dtrace/provider/*" />
+ <device match="eventfd" />
+ <device match="fd" />
+ <device match="full" />
+ <device match="inotify" />
+ <device match="ipnet" />
+ <device match="kstat" />
+ <device match="lo0" />
+ <device match="lofictl" />
+ <device match="lofi" />
+ <device match="log" />
+ <device match="logindmux" />
+ <device match="nsmb" />
+ <device match="net/*" />
+ <device match="null" />
+ <device match="openprom" arch="sparc" />
+ <device match="poll" />
+ <device match="pool" />
+ <device match="ptmx" />
+ <device match="pts/*" />
+ <device match="random" />
+ <device match="rdsk" />
+ <device match="rlofi" />
+ <device match="rmt" />
+ <device match="sad/user" />
+ <device match="smbsrv" />
+ <device match="signalfd" />
+ <device match="svvslo0" />
+ <device match="svvslo1" />
+ <device match="svvslo2" />
+ <device match="svvslo3" />
+ <device match="swap" />
+ <device match="sysevent" />
+ <device match="tap" />
+ <device match="tcp" />
+ <device match="tcp6" />
+ <device match="term" />
+ <device match="ticlts" />
+ <device match="ticots" />
+ <device match="ticotsord" />
+ <device match="timerfd" />
+ <device match="tty" />
+ <device match="tun" />
+ <device match="udp" />
+ <device match="udp6" />
+ <device match="urandom" />
+ <device match="vnd/*" />
+ <device match="zero" />
+ <device match="zfd/%z/slave/0" name="zfd/0" />
+ <device match="zfd/%z/slave/1" name="zfd/1" />
+ <device match="zfd/%z/slave/2" name="zfd/2" />
+ <device match="zfs" />
+ <device match="zvol/dsk/%P/%z/*" />
+ <device match="zvol/rdsk/%P/%z/*" />
+
+ <!-- Devices to create in exclusive IP zone only -->
+ <device match="dld" ip-type="exclusive" />
+ <device match="icmp" ip-type="exclusive" />
+ <device match="icmp6" ip-type="exclusive" />
+ <device match="ip" ip-type="exclusive" />
+ <device match="ip6" ip-type="exclusive" />
+ <device match="ipauth" ip-type="exclusive" />
+ <device match="ipd" ip-type="exclusive" />
+ <device match="ipf" ip-type="exclusive" />
+ <device match="ipl" ip-type="exclusive" />
+ <device match="iplookup" ip-type="exclusive" />
+ <device match="ipmpstub" ip-type="exclusive" />
+ <device match="ipnat" ip-type="exclusive" />
+ <device match="ipscan" ip-type="exclusive" />
+ <device match="ipsecah" ip-type="exclusive" />
+ <device match="ipsecesp" ip-type="exclusive" />
+ <device match="ipstate" ip-type="exclusive" />
+ <device match="ipsync" ip-type="exclusive" />
+ <device match="keysock" ip-type="exclusive" />
+ <device match="rawip" ip-type="exclusive" />
+ <device match="rawip6" ip-type="exclusive" />
+ <device match="rts" ip-type="exclusive" />
+ <device match="sad/admin" ip-type="exclusive" />
+ <device match="sctp" ip-type="exclusive" />
+ <device match="sctp6" ip-type="exclusive" />
+ <device match="spdsock" ip-type="exclusive" />
+ <device match="sppp" ip-type="exclusive" />
+ <device match="sppptun" ip-type="exclusive" />
+ <device match="vni" ip-type="exclusive" />
+
+ <!-- Renamed devices to create under /dev -->
+ <device match="zcons/%z/zoneconsole" name="zconsole" />
+
+ <!-- Symlinks to create under /dev -->
+ <symlink source="console" target="zconsole" />
+ <symlink source="dtremote" target="/dev/null" />
+ <symlink source="msglog" target="zconsole" />
+ <symlink source="stderr" target="./fd/2" />
+ <symlink source="stdin" target="./fd/0" />
+ <symlink source="stdout" target="./fd/1" />
+ <symlink source="syscon" target="zconsole" />
+ <symlink source="sysmsg" target="zconsole" />
+ <symlink source="systty" target="zconsole" />
+
+</platform>
diff --git a/usr/src/lib/brand/joyent-minimal/zone/poststate b/usr/src/lib/brand/joyent-minimal/zone/poststate
new file mode 100755
index 0000000000..be489ef55b
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/poststate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent-minimal"
+. /usr/lib/brand/jcommon/poststate
diff --git a/usr/src/lib/brand/joyent-minimal/zone/prestate b/usr/src/lib/brand/joyent-minimal/zone/prestate
new file mode 100755
index 0000000000..e6aeb1cba5
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/prestate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent-minimal"
+. /usr/lib/brand/jcommon/prestate
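Review bot: The zone-writable lofs mounts `%R/site`, `%R/local` and `%R/ccs` carry only `opt="nodevices"`, while the other writable-by-design mount, `/.zonecontrol`, gets `ro,nodevices,nosetuid,noexec`. `/lib/svc/manifest/site` holds manifest XML only, so `opt="nodevices,nosetuid,noexec"` on that element is a free hardening of the one writable hole beneath the otherwise read-only `/lib`. `/usr/local` and `/usr/ccs` must stay executable, but a short comment saying they are the deliberate writable exceptions under the read-only `/usr` would help anyone auditing the zone boundary from this file. The platform for the joyent brand is not in this chunk, so I could not check whether it makes the same choices.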
diff --git a/usr/src/lib/brand/joyent-minimal/zone/statechange b/usr/src/lib/brand/joyent-minimal/zone/statechange
new file mode 100755
index 0000000000..5e2eeff0f2
--- /dev/null
+++ b/usr/src/lib/brand/joyent-minimal/zone/statechange
@@ -0,0 +1,42 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2018 Joyent, Inc. All rights reserved.
+#
+
+# Do we support vrrp?
+jst_vrrp="yes"
+
+# Do we support unfiltered promiscuous mode
+# jst_ufpromisc="yes"
+
+# Do we use vnd devices
+# jst_createvnd="yes"
+
+# Do we not need to have various SMF and ccs stuff created for us?
+# jst_simplefs="yes"
+
+# Should we show snapshots?
+jst_showsnap="yes"
+
+# Where does the mdata socket live?
+jst_mdatapath="/.zonecontrol/"
+
+# Ensure docker zfd(7D) log is not put in the wrong place
+if [[ "$_ZONECFG_attr_docker" == true ]]; then
+ typeset -A FORCED_ATTRS
+ FORCED_ATTRS["zlog-name"]=
+fi
+
+. /usr/lib/brand/jcommon/statechange
diff --git a/usr/src/lib/brand/joyent/Makefile b/usr/src/lib/brand/joyent/Makefile
new file mode 100644
index 0000000000..0823a1f94e
--- /dev/null
+++ b/usr/src/lib/brand/joyent/Makefile
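Review bot: The `FORCED_ATTRS["zlog-name"]=` block explains its goal but not its mechanism: nothing in this file says who reads `FORCED_ATTRS` or what an empty value does, because that contract lives in the sourced `/usr/lib/brand/jcommon/statechange`, which is outside this change. The comment should name the consumer and state the effect of an empty `zlog-name` in one line (overrides the zonecfg attribute of the same name, and then whatever the jcommon script does with an empty value), taken from that script rather than guessed here. The `jst_*` knobs above follow the same pattern — a question as the comment, a value that only jcommon interprets — and a single line at the top such as `# jst_* variables are consumed by /usr/lib/brand/jcommon/statechange` would cover all of them.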
@@ -0,0 +1,31 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+default: all
+
+# Build everything in parallel; use .WAIT for dependencies
+.PARALLEL:
+
+SUBDIRS = zone
+
+all := TARGET= all
+install := TARGET= install
+clean := TARGET= clean
+clobber := TARGET= clobber
+
+all install clean clobber: $(SUBDIRS)
+
+$(SUBDIRS): FRC
+ @cd $@; pwd; $(MAKE) $(TARGET)
+
+FRC:
diff --git a/usr/src/lib/brand/joyent/zone/Joyent.xml b/usr/src/lib/brand/joyent/zone/Joyent.xml
new file mode 100644
index 0000000000..cbb810301e
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/Joyent.xml
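Review bot: The recipe `@cd $@; pwd; $(MAKE) $(TARGET)` chains with `;`, so if `cd zone` fails the `$(MAKE)` still runs in the current directory against this Makefile's own `$(TARGET)` and the failure is masked by whatever that does. `@cd $@ && pwd && $(MAKE) $(TARGET)` stops at the failed cd with a non-zero status. If the `;` form is kept for consistency with an existing tree-wide idiom (the parent `lib/brand/Makefile` rule is not visible in this chunk, so I cannot confirm that), a one-line comment saying so would stop the next reader from "fixing" it.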
@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+
+<!--
+ Copyright 2010 Joyent, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
+-->
+
+<!DOCTYPE zone PUBLIC "-//Joyent Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
+
+<zone name="default" zonepath="" autoboot="false" brand="joyent">
+</zone>
diff --git a/usr/src/lib/brand/joyent/zone/Makefile b/usr/src/lib/brand/joyent/zone/Makefile
new file mode 100644
index 0000000000..3ffc11c8a0
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/Makefile
@@ -0,0 +1,39 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+BRAND = joyent
+
+include $(SRC)/lib/brand/Makefile.brand
+
+PROGS = jattach jdetach jinstall juninstall poststate prestate statechange
+XMLDOCS = config.xml platform.xml
+TEMPLATES = Joyent.xml SUNWdefault.xml
+TXTS = manifests
+
+CLOBBERFILES = $(ROOTXMLDOCS) $(ROOTTXTS) $(ROOTPROGS) $(ROOTTEMPLATES)
+
+# These shouldn't be necessary, but for some reason the same thing in
+# ../../Makefile.brand is not being picked up.
+$(ROOTPROGS) := FILEMODE = 755
+$(ROOTTXTS) := FILEMODE = 444
+$(ROOTXMLDOCS) := FILEMODE = 444
+$(ROOTTEMPLATES) := FILEMODE = 444
+
+all: $(PROGS)
+
+install: $(PROGS) $(ROOTPROGS) $(ROOTXMLDOCS) $(ROOTTXTS) $(ROOTTEMPLATES)
+
+clean:
+ $(RM) $(CLEANFILES)
+
+include $(SRC)/cmd/Makefile.targ
diff --git a/usr/src/lib/brand/ipkg/zone/SUNWdefault.xml b/usr/src/lib/brand/joyent/zone/SUNWdefault.xml
index 8c1079256b..070412f6c1 100644
--- a/usr/src/lib/brand/ipkg/zone/SUNWdefault.xml
+++ b/usr/src/lib/brand/joyent/zone/SUNWdefault.xml
@@ -28,5 +28,5 @@ <!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
-<zone name="default" zonepath="" autoboot="false" brand="ipkg">
+<zone name="default" zonepath="" autoboot="false" brand="joyent">
 </zone>
diff --git a/usr/src/lib/brand/joyent/zone/config.xml b/usr/src/lib/brand/joyent/zone/config.xml
new file mode 100644
index 0000000000..c6fdb574dd
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/config.xml
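Review bot: `PROGS` lists jattach jdetach jinstall juninstall poststate prestate statechange, but this brand's config.xml (later in this change) points `<query>` at `/usr/lib/brand/joyent/query`, which nothing in this Makefile installs; unless `$(SRC)/lib/brand/Makefile.brand` supplies it (for example as a link to the jcommon `query`), the query hook will fail at runtime. Either add `query` to `PROGS` or record in a comment where the installed `query` comes from. The comment `# These shouldn't be necessary, but for some reason the same thing in ../../Makefile.brand is not being picked up.` documents a mystery rather than a cause; replacing "for some reason" with the observed behaviour, or a bug id, keeps the four `FILEMODE` overrides from being cargo-culted into the next brand. `CLEANFILES` used by the `clean` recipe is not defined here, so it presumably comes from one of the includes — worth a word in the comment too.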
@@ -0,0 +1,115 @@
+<?xml version="1.0"?>
+
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2015 Joyent, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ DO NOT EDIT THIS FILE.
+-->
+
+<!DOCTYPE brand PUBLIC "-//Joyent Inc//DTD Brands//EN"
+ "file:///usr/share/lib/xml/dtd/brand.dtd.1">
+
+<brand name="joyent">
+ <modname></modname>
+
+ <initname>/sbin/init</initname>
+ <login_cmd>/usr/bin/login -z %Z %u</login_cmd>
+ <forcedlogin_cmd>/usr/bin/login -z %Z -f %u</forcedlogin_cmd>
+ <user_cmd>/usr/bin/getent passwd %u</user_cmd>
+
+ <install>/usr/lib/brand/joyent/jinstall -z %z -R %R</install>
+ <installopts>R:t:U:q:z:</installopts>
+ <boot></boot>
+ <halt></halt>
+ <verify_cfg></verify_cfg>
+ <verify_adm></verify_adm>
+ <postclone></postclone>
+ <postinstall></postinstall>
+ <attach>/usr/lib/brand/joyent/jattach -z %z -R %R</attach>
+ <detach>/usr/lib/brand/joyent/jdetach -z %z -R %R</detach>
+ <clone></clone>
+ <uninstall>/usr/lib/brand/joyent/juninstall -z %z -R %R</uninstall>
+ <prestatechange>/usr/lib/brand/joyent/prestate %z %R</prestatechange>
+ <poststatechange>/usr/lib/brand/joyent/poststate %z %R</poststatechange>
+ <query>/usr/lib/brand/joyent/query %z %R</query>
+
+ <privilege set="default" name="contract_event" />
+ <privilege set="default" name="contract_identity" />
+ <privilege set="default" name="contract_observer" />
+ <privilege set="default" name="dtrace_proc" />
+ <privilege set="default" name="dtrace_user" />
+ <privilege set="default" name="file_chown" />
+ <privilege set="default" name="file_chown_self" />
+ <privilege set="default" name="file_dac_execute" />
+ <privilege set="default" name="file_dac_read" />
+ <privilege set="default" name="file_dac_search" />
+ <privilege set="default" name="file_dac_write" />
+ <privilege set="default" name="file_owner" />
+ <privilege set="default" name="file_setid" />
+ <privilege set="default" name="ipc_dac_read" />
+ <privilege set="default" name="ipc_dac_write" />
+ <privilege set="default" name="ipc_owner" />
+ <privilege set="default" name="net_bindmlp" />
+ <privilege set="default" name="net_icmpaccess" />
+ <privilege set="default" name="net_mac_aware" />
+ <privilege set="default" name="net_observability" />
+ <privilege set="default" name="net_privaddr" />
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
+ <privilege set="default" name="proc_chroot" />
+ <privilege set="default" name="sys_audit" />
+ <privilege set="default" name="proc_audit" />
+ <privilege set="default" name="proc_lock_memory" />
+ <privilege set="default" name="proc_owner" />
+ <privilege set="default" name="proc_prioup" />
+ <privilege set="default" name="proc_secflags" />
+ <privilege set="default" name="proc_setid" />
+ <privilege set="default" name="proc_taskid" />
+ <privilege set="default" name="sys_acct" />
+ <privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_fs_import" />
+ <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
+ <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
+ <privilege set="default" name="sys_mount" />
+ <privilege set="default" name="sys_nfs" />
+ <privilege set="default" name="sys_smb" />
+ <privilege set="default" name="sys_resource" />
+ <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
+
+ <privilege set="prohibited" name="dtrace_kernel" />
+ <privilege set="prohibited" name="proc_zone" />
+ <privilege set="prohibited" name="sys_config" />
+ <privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
+ <privilege set="prohibited" name="sys_linkdir" />
+ <privilege set="prohibited" name="sys_net_config" />
+ <privilege set="prohibited" name="sys_res_config" />
+ <privilege set="prohibited" name="sys_suser_compat" />
+ <privilege set="prohibited" name="xvm_control" />
+ <privilege set="prohibited" name="virt_manage" />
+ <privilege set="prohibited" name="sys_ppp_config" ip-type="shared" />
+
+ <privilege set="required" name="proc_exec" />
+ <privilege set="required" name="proc_fork" />
+ <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
+ <privilege set="required" name="sys_mount" />
+</brand>
diff --git a/usr/src/lib/brand/joyent/zone/jattach b/usr/src/lib/brand/joyent/zone/jattach
new file mode 100755
index 0000000000..11844b9ac4
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/jattach
@@ -0,0 +1,26 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_zone_final_setup
+}
+
+ps_brand="joyent"
+. /usr/lib/brand/jcommon/cattach
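Review bot: The `default`, `prohibited` and `required` privilege sets here are a verbatim copy of those in `joyent-minimal/zone/config.xml` earlier in this change, with no pointer between the two files. A comment such as `<!-- Keep the privilege sets in sync with joyent-minimal/zone/config.xml -->` above the first `<privilege>` element would make it explicit that a change to one must be mirrored in the other, since an unnoticed divergence silently changes what a zone of one brand is allowed to do. The empty elements (`<modname></modname>`, `<boot></boot>`, `<halt></halt>`, `<clone></clone>` and the verify/post hooks) could likewise carry one comment stating that the brand deliberately has no kernel module and no hooks for those operations, if that is the intent rather than a placeholder.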
diff --git a/usr/src/lib/brand/joyent/zone/jdetach b/usr/src/lib/brand/joyent/zone/jdetach
new file mode 100755
index 0000000000..89681919f1
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/jdetach
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent"
+. /usr/lib/brand/jcommon/cdetach
diff --git a/usr/src/lib/brand/joyent/zone/jinstall b/usr/src/lib/brand/joyent/zone/jinstall
new file mode 100755
index 0000000000..8e6ec2a7b2
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/jinstall
@@ -0,0 +1,31 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+# Does this brand support reprovisioning?
+jst_reprovision="yes"
+
+# Is a template image optional?
+# jst_tmplopt="yes"
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_zone_final_setup
+}
+
+. /usr/lib/brand/jcommon/cinstall
diff --git a/usr/src/lib/brand/joyent/zone/juninstall b/usr/src/lib/brand/joyent/zone/juninstall
new file mode 100755
index 0000000000..09051a17b6
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/juninstall
@@ -0,0 +1,25 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_uninstall_hook
+{
+ juninstall_delegated_dataset
+}
+
+. /usr/lib/brand/jcommon/cuninstall
diff --git a/usr/src/lib/brand/joyent/zone/manifests b/usr/src/lib/brand/joyent/zone/manifests
new file mode 100644
index 0000000000..00c43b3f8e
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/manifests
@@ -0,0 +1,176 @@
+#
+# This file lists the SMF manifests which are available in the global
+# zone and which should be setup for use in non-global zones. Not
+# all SMF services are usable within a zone, so only those that are usable
+# should be listed here.
+#
+# The format of the file is:
+# manifest_name enable/disable
+# The manifest_name is found relative to /lib/svc/manifest on the system.
+# The second field is used to indicate if the svc should be enabled or
+# disabled by default within zones, independently of its current status in
+# the global zone.
+#
+# The following is a list of SMF svcs which could be run in a zone, but
+# which we're not currently installing on our live image. If we add any
+# of these to the image and we want it to also be available in zones,
+# then we need to move the entry to the end and uncomment it out.
+#
+# application/cups.xml
+# application/font/fc-cache.xml
+# application/graphical-login/gdm.xml
+# application/management/net-snmp.xml
+# application/management/seaport.xml
+# application/management/snmpdx.xml
+# application/opengl/ogl-select.xml
+# application/print/service-selector.xml
+# application/security/tcsd.xml
+# application/x11/x11-server.xml
+# application/x11/xfs.xml
+# application/x11/xvnc-inetd.xml
+# network/rpc/keyserv.xml
+# network/socket-filter-kssl.xml
+# network/ssl/kssl-proxy.xml
+# network/dns/server.xml
+# network/ftp.xml
+# network/finger.xml
+# network/comsat.xml
+# network/rpc/rstat.xml
+# network/rpc/rusers.xml
+# network/rpc/spray.xml
+# network/rpc/wall.xml
+# network/talk.xml
+# network/ntp.xml
+# network/sendmail-client.xml
+# network/smtp-sendmail.xml
+# network/telnet.xml
+# network/wpa.xml
+# network/rpc/gss.xml
+# network/security/kadmin.xml
+# network/security/krb5kdc.xml
+# network/security/ktkt_warn.xml
+# network/rpc/smserver.xml
+# network/nfs/cbd.xml
+# network/ipmievd.xml
+# network/http-apache22.xml
+# system/consolekit.xml
+# system/device/devices-audio.xml
+# system/fm/notify-params.xml
+# system/install/system-config.xml
+# system/pkgserv.xml
+#
+
+#
+# The following is a list of SMF svcs which are installed on our live image and
+# which could be run in a zone, but which we choose not to run in our zones.
+# If we ever do want to run any of these, move the entry to the end and
+# uncomment it out.
+#
+# system/boot-archive-update.xml
+# system/boot-config.xml
+#
+
+#
+# The following is a list of SMF svc manifests under /lib/svc/manifest. These
+# are available on our live image and are runnable in a zone. Since the zones
+# are sharing the base file system with the global zone, we set up so that
+# only these svcs are configured in zones, independently of the global zone
+# /lib/svc/manifest hierarchy.
+#
+milestone/multi-user-server.xml enabled
+milestone/multi-user.xml enabled
+milestone/name-services.xml enabled
+milestone/network.xml enabled
+milestone/single-user.xml enabled
+milestone/sysconfig.xml enabled
+network/bridge.xml enabled
+network/dlmgmt.xml enabled
+network/dns/client.xml enabled
+network/dns/install.xml disabled
+network/dns/multicast.xml disabled
+network/forwarding.xml disabled
+network/inetd-upgrade.xml enabled
+network/inetd.xml disabled
+network/ipfilter.xml disabled
+network/ipsec/ike.xml disabled
+network/ipsec/ipsecalgs.xml enabled
+network/ipsec/manual-key.xml disabled
+network/ipsec/policy.xml enabled
+network/ldap/client.xml disabled
+network/loadbalancer/ilbd.xml disabled
+network/login.xml enabled
+network/network-initial.xml enabled
+network/network-install.xml disabled
+network/network-ipmgmt.xml enabled
+network/network-ipqos.xml disabled
+network/network-iptun.xml enabled
+network/network-location.xml disabled
+network/network-loopback.xml enabled
+network/network-netcfg.xml enabled
+network/network-netmask.xml enabled
+network/network-physical.xml enabled
+network/network-routing-setup.xml enabled
+network/network-service.xml enabled
+network/nfs/client.xml disabled
+network/nfs/mapid.xml disabled
+network/nfs/nlockmgr.xml disabled
+network/nfs/rquota.xml disabled
+network/nfs/status.xml disabled
+network/nis/client.xml disabled
+network/rexec.xml disabled
+network/routing/legacy-routing.xml enabled
+network/routing/ndp.xml disabled
+network/routing/rdisc.xml disabled
+network/routing/ripng.xml disabled
+network/routing/route.xml disabled
+network/rpc/bind.xml enabled
+network/shares/group.xml enabled
+network/shares/reparsed.xml disabled
+network/shell.xml disabled
+network/slp.xml disabled
+network/smb/client.xml disabled
+network/smb/server.xml disabled
+network/ssh.xml enabled
+network/vrrp.xml disabled
+system/auditd.xml disabled
+system/auditset.xml disabled
+system/boot-archive.xml enabled
+system/consadm.xml disabled
+system/console-login.xml disabled
+system/coreadm.xml enabled
+system/cron.xml enabled
+system/cryptosvc.xml enabled
+system/device/allocate.xml disabled
+system/device/devices-local.xml enabled
+system/device/mpxio-upgrade.xml disabled
+system/early-manifest-import.xml enabled
+system/extended-accounting.xml enabled
+system/filesystem/autofs.xml disabled
+system/filesystem/joyent-fs.xml enabled
+system/filesystem/local-fs.xml enabled
+system/filesystem/minimal-fs.xml enabled
+system/filesystem/root-fs.xml enabled
+system/filesystem/usr-fs.xml enabled
+system/fmd.xml disabled
+system/hostid.xml enabled
+system/hotplug.xml disabled
+system/identity.xml enabled
+system/idmap.xml disabled
+system/keymap.xml enabled
+system/logadm-upgrade.xml enabled
+system/manifest-import.xml enabled
+system/mdata.xml disabled
+system/name-service-cache.xml enabled
+system/pfexecd.xml enabled
+system/process-security.xml enabled
+system/rbac.xml enabled
+system/rcap.xml disabled
+system/rmtmpfiles.xml enabled
+system/sac.xml disabled
+system/sar.xml disabled
+system/svc/global.xml disabled
+system/svc/restarter.xml enabled
+system/sysidtool.xml enabled
+system/system-log.xml enabled
+system/utmp.xml enabled
+system/vtdaemon.xml disabled
diff --git a/usr/src/lib/brand/joyent/zone/platform.xml b/usr/src/lib/brand/joyent/zone/platform.xml
new file mode 100644
index 0000000000..5a4a960141
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/platform.xml
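Review bot: The enabled block turns on the two network listeners `network/rpc/bind.xml enabled` and `network/ssh.xml enabled` and leaves `system/auditd.xml disabled` and `system/auditset.xml disabled`, but the header comments document only the file format and the reasons for the commented-out groups, not the rationale for these defaults. Since this file fixes the default service exposure of every joyent zone, a comment above the enabled block such as `# Listeners on by default: rpc/bind, ssh. Auditing (auditd/auditset) is off by default and must be enabled per zone.` would let a later change that flips one of these entries be reviewed against stated intent rather than guessed at. The pairing `network/inetd-upgrade.xml enabled` / `network/inetd.xml disabled` would likewise benefit from a one-line note on why the upgrade service runs while inetd itself stays off.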
@@ -0,0 +1,168 @@
+<?xml version="1.0"?>
+
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2017 Joyent, Inc.
+
+ DO NOT EDIT THIS FILE.
+-->
+
+<!DOCTYPE platform PUBLIC "-//Joyent Inc//Zones Platform//EN"
+ "file:///usr/share/lib/xml/dtd/zone_platform.dtd.1">
+
+<platform name="joyent" allow-exclusive-ip="true">
+
+ <!-- Global filesystems to mount when booting the zone -->
+ <global_mount special="/dev" directory="/dev" type="dev"
+ opt="attrdir=%R/root/dev"/>
+
+ <global_mount special="/var/zonecontrol/%z" directory="/.zonecontrol"
+ opt="ro,nodevices,nosetuid,noexec" type="lofs" />
+ <global_mount special="/lib" directory="/lib"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%P/manifests/joyent"
+ directory="/lib/svc/manifest"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%R/site" directory="/lib/svc/manifest/site"
+ opt="nodevices" type="lofs" />
+ <global_mount special="/sbin" directory="/sbin"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="/usr" directory="/usr"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="%R/local" directory="/usr/local"
+ opt="nodevices" type="lofs" />
+ <global_mount special="%R/ccs" directory="/usr/ccs"
+ opt="nodevices" type="lofs" />
+
+ <!-- Local filesystems to mount when booting the zone -->
+ <mount special="/proc" directory="/proc" type="proc" />
+ <mount special="ctfs" directory="/system/contract" type="ctfs" />
+ <mount special="mnttab" directory="/etc/mnttab" type="mntfs" />
+ <mount special="objfs" directory="/system/object" type="objfs" />
+ <mount special="lxproc" directory="/system/lxproc" type="lxproc" />
+ <mount special="swap" directory="/etc/svc/volatile" type="tmpfs" />
+
+ <!-- Devices to create under /dev -->
+ <device match="arp" />
+ <device match="bpf" />
+ <device match="conslog" />
+ <device match="cpu/self/cpuid" />
+ <device match="crypto" />
+ <device match="cryptoadm" />
+ <device match="dsk" />
+ <device match="dtrace/*" />
+ <device match="dtrace/provider/*" />
+ <device match="eventfd" />
+ <device match="fd" />
+ <device match="full" />
+ <device match="inotify" />
+ <device match="ipnet" />
+ <device match="kstat" />
+ <device match="lo0" />
+ <device match="lofictl" />
+ <device match="lofi" />
+ <device match="log" />
+ <device match="logindmux" />
+ <device match="nsmb" />
+ <device match="net/*" />
+ <device match="null" />
+ <device match="openprom" arch="sparc" />
+ <device match="poll" />
+ <device match="pool" />
+ <device match="ptmx" />
+ <device match="pts/*" />
+ <device match="random" />
+ <device match="rdsk" />
+ <device match="rlofi" />
+ <device match="rmt" />
+ <device match="sad/user" />
+ <device match="smbsrv" />
+ <device match="signalfd" />
+ <device match="svvslo0" />
+ <device match="svvslo1" />
+ <device match="svvslo2" />
+ <device match="svvslo3" />
+ <device match="swap" />
+ <device match="sysevent" />
+ <device match="tap" />
+ <device match="tcp" />
+ <device match="tcp6" />
+ <device match="term" />
+ <device match="ticlts" />
+ <device match="ticots" />
+ <device match="ticotsord" />
+ <device match="timerfd" />
+ <device match="tty" />
+ <device match="tun" />
+ <device match="udp" />
+ <device match="udp6" />
+ <device match="urandom" />
+ <device match="vnd/*" />
+ <device match="zero" />
+ <device match="zfs" />
+ <device match="zvol/dsk/%P/%z/*" />
+ <device match="zvol/rdsk/%P/%z/*" />
+
+ <!-- Devices to create in exclusive IP zone only -->
+ <device match="dld" ip-type="exclusive" />
+ <device match="icmp" ip-type="exclusive" />
+ <device match="icmp6" ip-type="exclusive" />
+ <device match="ip" ip-type="exclusive" />
+ <device match="ip6" ip-type="exclusive" />
+ <device match="ipauth" ip-type="exclusive" />
+ <device match="ipd" ip-type="exclusive" />
+ <device match="ipf" ip-type="exclusive" />
+ <device match="ipl" ip-type="exclusive" />
+ <device match="iplookup" ip-type="exclusive" />
+ <device match="ipmpstub" ip-type="exclusive" />
+ <device match="ipnat" ip-type="exclusive" />
+ <device match="ipscan" ip-type="exclusive" />
+ <device match="ipsecah" ip-type="exclusive" />
+ <device match="ipsecesp" ip-type="exclusive" />
+ <device match="ipstate" ip-type="exclusive" />
+ <device match="ipsync" ip-type="exclusive" />
+ <device match="keysock" ip-type="exclusive" />
+ <device match="rawip" ip-type="exclusive" />
+ <device match="rawip6" ip-type="exclusive" />
+ <device match="rts" ip-type="exclusive" />
+ <device match="sad/admin" ip-type="exclusive" />
+ <device match="sctp" ip-type="exclusive" />
+ <device match="sctp6" ip-type="exclusive" />
+ <device match="spdsock" ip-type="exclusive" />
+ <device match="sppp" ip-type="exclusive" />
+ <device match="sppptun" ip-type="exclusive" />
+ <device match="vni" ip-type="exclusive" />
+
+ <!-- Renamed devices to create under /dev -->
+ <device match="zcons/%z/zoneconsole" name="zconsole" />
+
+ <!-- Symlinks to create under /dev -->
+ <symlink source="console" target="zconsole" />
+ <symlink source="dtremote" target="/dev/null" />
+ <symlink source="msglog" target="zconsole" />
+ <symlink source="stderr" target="./fd/2" />
+ <symlink source="stdin" target="./fd/0" />
+ <symlink source="stdout" target="./fd/1" />
+ <symlink source="syscon" target="zconsole" />
+ <symlink source="sysmsg" target="zconsole" />
+ <symlink source="systty" target="zconsole" />
+
+</platform>
diff --git a/usr/src/lib/brand/joyent/zone/poststate b/usr/src/lib/brand/joyent/zone/poststate
new file mode 100755
index 0000000000..6cd0d0a18f
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/poststate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent"
+. /usr/lib/brand/jcommon/poststate
diff --git a/usr/src/lib/brand/joyent/zone/prestate b/usr/src/lib/brand/joyent/zone/prestate
new file mode 100755
index 0000000000..10b73285c6
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/prestate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="joyent"
+. /usr/lib/brand/jcommon/prestate
diff --git a/usr/src/lib/brand/joyent/zone/statechange b/usr/src/lib/brand/joyent/zone/statechange
new file mode 100755
index 0000000000..5e2eeff0f2
--- /dev/null
+++ b/usr/src/lib/brand/joyent/zone/statechange
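Review bot: The `%R/site` mount onto `/lib/svc/manifest/site` carries only `opt="nodevices"`, while the `/.zonecontrol` mount a few lines above is `ro,nodevices,nosetuid,noexec` and the rest of `/lib/svc/manifest` is a read-only lofs of `%P/manifests/joyent`; the site directory is the one zone-writable piece of the manifest tree and nothing in it should need to be executable. Unless something under site/ has to run, `opt="nodevices,nosetuid,noexec"` would close that gap and match the mount options already used for the other zone-specific mount in this block. If the looser options are deliberate, a one-line XML comment above the mount stating why would stop the next reader from tightening them blindly.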
@@ -0,0 +1,42 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2018 Joyent, Inc. All rights reserved.
+#
+
+# Do we support vrrp?
+jst_vrrp="yes"
+
+# Do we support unfiltered promiscuous mode
+# jst_ufpromisc="yes"
+
+# Do we use vnd devices
+# jst_createvnd="yes"
+
+# Do we not need to have various SMF and ccs stuff created for us?
+# jst_simplefs="yes"
+
+# Should we show snapshots?
+jst_showsnap="yes"
+
+# Where does the mdata socket live?
+jst_mdatapath="/.zonecontrol/"
+
+# Ensure docker zfd(7D) log is not put in the wrong place
+if [[ "$_ZONECFG_attr_docker" == true ]]; then
+ typeset -A FORCED_ATTRS
+ FORCED_ATTRS["zlog-name"]=
+fi
+
+. /usr/lib/brand/jcommon/statechange
diff --git a/usr/src/lib/brand/kvm/Makefile b/usr/src/lib/brand/kvm/Makefile
new file mode 100644
index 0000000000..0823a1f94e
--- /dev/null
+++ b/usr/src/lib/brand/kvm/Makefile
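Review bot: `jst_mdatapath="/.zonecontrol/"` ends with a slash while the kvm statechange later in this series (hunk `@@ -0,0 +1,36 @@` of usr/src/lib/brand/kvm/zone/statechange) sets `jst_mdatapath="/var/run/smartdc"` without one; if the shared `/usr/lib/brand/jcommon/statechange` (outside this view) joins the path with a socket name, one brand ends up with a doubled or a missing separator, so the two values should follow one convention — `jst_mdatapath="/.zonecontrol"` here, or a comment stating that a trailing slash is required. The `_ZONECFG_attr_docker` test would also be clearer with a note on the variable's origin, e.g. `# _ZONECFG_attr_* is presumably exported from the zone's attr settings by zoneadmd — confirm`, since the script otherwise reads as if the variable were set locally. Setting `FORCED_ATTRS["zlog-name"]=` to an empty value only has the intended effect if the common statechange treats "present but empty" as an override; that contract is not visible here and is worth a word in the comment above the `if`.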
@@ -0,0 +1,31 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+default: all
+
+# Build everything in parallel; use .WAIT for dependencies
+.PARALLEL:
+
+SUBDIRS = zone
+
+all := TARGET= all
+install := TARGET= install
+clean := TARGET= clean
+clobber := TARGET= clobber
+
+all install clean clobber: $(SUBDIRS)
+
+$(SUBDIRS): FRC
+ @cd $@; pwd; $(MAKE) $(TARGET)
+
+FRC:
diff --git a/usr/src/lib/brand/kvm/zone/Makefile b/usr/src/lib/brand/kvm/zone/Makefile
new file mode 100644
index 0000000000..0fc0a1a375
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/Makefile
@@ -0,0 +1,35 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+# Copyright 2019 Joyent, Inc.
+#
+
+BRAND = kvm
+
+include $(SRC)/lib/brand/Makefile.brand
+
+PROGS = kattach kdetach kinstall kuninstall prestate poststate statechange
+XMLDOCS = config.xml platform.xml
+
+CLOBBERFILES = $(ROOTXMLDOCS) $(ROOTPROGS)
+
+# These shouldn't be necessary, but for some reason the same thing in
+# ../../Makefile.brand is not being picked up.
+$(ROOTPROGS) := FILEMODE = 755
+$(ROOTXMLDOCS) := FILEMODE = 444
+
+all: $(PROGS)
+
+install: $(PROGS) $(ROOTPROGS) $(ROOTXMLDOCS)
+
+clean:
+ $(RM) $(CLEANFILES)
+
+include $(SRC)/cmd/Makefile.targ
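Review bot: The recursion recipe `@cd $@; pwd; $(MAKE) $(TARGET)` chains with `;`, so if the `cd` into the subdirectory fails the `$(MAKE)` still runs, in the current directory and against this Makefile's own targets, and the error is reported from the wrong place. `@cd $@ && pwd && $(MAKE) $(TARGET)` stops at the failed step and makes the failure point obvious. This idiom is common in the surrounding tree, so it is a style point about the new file rather than a new defect, but a new Makefile is the cheapest place to fix it.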
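Review bot: The comment `These shouldn't be necessary, but for some reason the same thing in ../../Makefile.brand is not being picked up` records a symptom whose cause is visible in the hunk: `include $(SRC)/lib/brand/Makefile.brand` is read before `PROGS` and `XMLDOCS` are assigned, so any conditional macro assignment in the included file whose target list is `$(ROOTPROGS)` or `$(ROOTXMLDOCS)` expands to an empty target list at parse time and never applies. Moving the `PROGS =` and `XMLDOCS =` lines above the include should let the inherited `FILEMODE` settings take effect and allow the two local `:= FILEMODE` lines to be dropped; if the include has to stay first, replace the comment with the reason, e.g. `# Makefile.brand is included before PROGS/XMLDOCS are set, so its conditional FILEMODE targets expand empty; set them here.` Either way, "for some reason" should not survive into the tree.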
diff --git a/usr/src/lib/brand/kvm/zone/config.xml b/usr/src/lib/brand/kvm/zone/config.xml
new file mode 100644
index 0000000000..461805ae1f
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/config.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0"?>
+
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2010,2011 Joyent, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ DO NOT EDIT THIS FILE.
+-->
+
+<!DOCTYPE brand PUBLIC "-//Joyent Inc//DTD Brands//EN"
+ "file:///usr/share/lib/xml/dtd/brand.dtd.1">
+
+<brand name="kvm">
+ <modname></modname>
+
+ <initname>/startvm</initname>
+ <restartinit>false</restartinit>
+ <login_cmd>/usr/bin/login -z %Z %u</login_cmd>
+ <forcedlogin_cmd>/usr/bin/login -z %Z -f %u</forcedlogin_cmd>
+ <user_cmd>/usr/bin/getent passwd %u</user_cmd>
+
+ <install>/usr/lib/brand/kvm/kinstall -z %z -R %R</install>
+ <installopts>R:t:U:q:z:</installopts>
+ <boot></boot>
+ <halt></halt>
+ <verify_cfg></verify_cfg>
+ <verify_adm></verify_adm>
+ <postclone></postclone>
+ <postinstall></postinstall>
+ <attach>/usr/lib/brand/kvm/kattach -z %z -R %R</attach>
+ <detach>/usr/lib/brand/kvm/kdetach -z %z -R %R</detach>
+ <clone></clone>
+ <uninstall>/usr/lib/brand/kvm/kuninstall -z %z -R %R</uninstall>
+ <prestatechange>/usr/lib/brand/kvm/prestate %z %R</prestatechange>
+ <poststatechange>/usr/lib/brand/kvm/poststate %z %R</poststatechange>
+
+ <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
+ <privilege set="default" name="proc_clock_highres" />
+ <privilege set="default" name="proc_lock_memory" />
+ <privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_mount" />
+
+ <privilege set="prohibited" name="dtrace_kernel" />
+ <privilege set="prohibited" name="proc_zone" />
+ <privilege set="prohibited" name="sys_config" />
+ <privilege set="prohibited" name="sys_devices" />
+ <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
+ <privilege set="prohibited" name="sys_linkdir" />
+ <privilege set="prohibited" name="sys_net_config" />
+ <privilege set="prohibited" name="sys_res_config" />
+ <privilege set="prohibited" name="sys_suser_compat" />
+ <privilege set="prohibited" name="xvm_control" />
+ <privilege set="prohibited" name="virt_manage" />
+ <privilege set="prohibited" name="sys_ppp_config" ip-type="shared" />
+
+ <privilege set="required" name="proc_exec" />
+ <privilege set="required" name="sys_mount" />
+</brand>
diff --git a/usr/src/lib/brand/kvm/zone/kattach b/usr/src/lib/brand/kvm/zone/kattach
new file mode 100755
index 0000000000..17d1242c83
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/kattach
@@ -0,0 +1,26 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_kvm_final_setup
+}
+
+ps_brand="kvm"
+. /usr/lib/brand/jcommon/cattach
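Review bot: The default set grants `proc_lock_memory`, `proc_clock_highres`, `sys_admin` and `sys_mount` to every kvm zone with no comment on which consumer needs each, and the header says `DO NOT EDIT THIS FILE`, so a later reader has no way to tell a privilege the VM process started by `<initname>/startvm</initname>` requires from one copied along from another brand. A short XML comment per group, e.g. `<!-- proc_lock_memory, proc_clock_highres: needed by <consumer> -->` with the consumer filled in after checking the actual user, would make the zone's privilege surface auditable; leave a privilege uncommented rather than guess. `sys_mount` appears in both the default and the required set, which is a consistent combination (granted by default and not removable by the administrator), but a one-line comment saying so would stop it being read as an accidental duplicate. The copyright line reads `Copyright 2010,2011 Joyent, Inc.` in a file this commit adds in 2019, which looks copied from the file it was derived from.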
diff --git a/usr/src/lib/brand/kvm/zone/kdetach b/usr/src/lib/brand/kvm/zone/kdetach
new file mode 100755
index 0000000000..f3785b45e2
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/kdetach
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="kvm"
+. /usr/lib/brand/jcommon/cdetach
diff --git a/usr/src/lib/brand/kvm/zone/kinstall b/usr/src/lib/brand/kvm/zone/kinstall
new file mode 100755
index 0000000000..b070f3a176
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/kinstall
@@ -0,0 +1,31 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+# Does this brand support reprovisioning?
+# jst_reprovision="yes"
+
+# Is a template image optional?
+jst_tmplopt="yes"
+
+. /usr/lib/brand/jcommon/libhooks.ksh
+
+function jcommon_attach_hook
+{
+ jattach_kvm_final_setup
+}
+
+. /usr/lib/brand/jcommon/cinstall
diff --git a/usr/src/lib/brand/kvm/zone/kuninstall b/usr/src/lib/brand/kvm/zone/kuninstall
new file mode 100755
index 0000000000..136044ad9e
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/kuninstall
@@ -0,0 +1,23 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+function jcommon_uninstall_hook
+{
+ :
+}
+
+. /usr/lib/brand/jcommon/cuninstall
diff --git a/usr/src/lib/brand/kvm/zone/platform.xml b/usr/src/lib/brand/kvm/zone/platform.xml
new file mode 100644
index 0000000000..825344b1e8
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/platform.xml
@@ -0,0 +1,145 @@
+<?xml version="1.0"?>
+
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2010, 2011 Joyent, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ DO NOT EDIT THIS FILE.
+-->
+
+<!DOCTYPE platform PUBLIC "-//Joyent Inc//Zones Platform//EN"
+ "file:///usr/share/lib/xml/dtd/zone_platform.dtd.1">
+
+<platform name="kvm" allow-exclusive-ip="true">
+
+ <!-- Global filesystems to mount when booting the zone -->
+ <global_mount special="/dev" directory="/dev" type="dev"
+ opt="attrdir=%R/root/dev"/>
+
+ <global_mount special="/lib" directory="/lib"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="/sbin" directory="/sbin"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="/usr" directory="/usr"
+ opt="ro,nodevices" type="lofs" />
+ <global_mount special="/smartdc" directory="/smartdc"
+ opt="ro,nodevices" type="lofs" />
+
+ <!-- Local filesystems to mount when booting the zone -->
+ <mount special="swap" directory="/etc/svc/volatile" type="tmpfs" />
+
+ <!-- Devices to create under /dev -->
+ <device match="arp" />
+ <device match="bpf" />
+ <device match="conslog" />
+ <device match="cpu/self/cpuid" />
+ <device match="crypto" />
+ <device match="cryptoadm" />
+ <device match="dsk" />
+ <device match="dtrace/*" />
+ <device match="dtrace/provider/*" />
+ <device match="fd" />
+ <device match="ipnet" />
+ <device match="kstat" />
+ <device match="kvm" />
+ <device match="lo0" />
+ <device match="lofictl" />
+ <device match="lofi" />
+ <device match="log" />
+ <device match="logindmux" />
+ <device match="nsmb" />
+ <device match="net/*" />
+ <device match="null" />
+ <device match="openprom" arch="sparc" />
+ <device match="poll" />
+ <device match="pool" />
+ <device match="ptmx" />
+ <device match="pts/*" />
+ <device match="random" />
+ <device match="rdsk" />
+ <device match="rlofi" />
+ <device match="rmt" />
+ <device match="sad/user" />
+ <device match="svvslo0" />
+ <device match="svvslo1" />
+ <device match="svvslo2" />
+ <device match="svvslo3" />
+ <device match="swap" />
+ <device match="sysevent" />
+ <device match="tcp" />
+ <device match="tcp6" />
+ <device match="term" />
+ <device match="ticlts" />
+ <device match="ticots" />
+ <device match="ticotsord" />
+ <device match="tty" />
+ <device match="udp" />
+ <device match="udp6" />
+ <device match="urandom" />
+ <device match="vnd/*" />
+ <device match="zero" />
+ <device match="zfs" />
+
+ <!-- Devices to create in exclusive IP zone only -->
+ <device match="dld" ip-type="exclusive" />
+ <device match="icmp" ip-type="exclusive" />
+ <device match="icmp6" ip-type="exclusive" />
+ <device match="ip" ip-type="exclusive" />
+ <device match="ip6" ip-type="exclusive" />
+ <device match="ipauth" ip-type="exclusive" />
+ <device match="ipf" ip-type="exclusive" />
+ <device match="ipl" ip-type="exclusive" />
+ <device match="iplookup" ip-type="exclusive" />
+ <device match="ipmpstub" ip-type="exclusive" />
+ <device match="ipnat" ip-type="exclusive" />
+ <device match="ipscan" ip-type="exclusive" />
+ <device match="ipsecah" ip-type="exclusive" />
+ <device match="ipsecesp" ip-type="exclusive" />
+ <device match="ipstate" ip-type="exclusive" />
+ <device match="ipsync" ip-type="exclusive" />
+ <device match="keysock" ip-type="exclusive" />
+ <device match="rawip" ip-type="exclusive" />
+ <device match="rawip6" ip-type="exclusive" />
+ <device match="rts" ip-type="exclusive" />
+ <device match="sad/admin" ip-type="exclusive" />
+ <device match="sctp" ip-type="exclusive" />
+ <device match="sctp6" ip-type="exclusive" />
+ <device match="spdsock" ip-type="exclusive" />
+ <device match="sppp" ip-type="exclusive" />
+ <device match="sppptun" ip-type="exclusive" />
+ <device match="vni" ip-type="exclusive" />
+
+ <!-- Renamed devices to create under /dev -->
+ <device match="zcons/%z/zoneconsole" name="zconsole" />
+
+ <!-- Symlinks to create under /dev -->
+ <symlink source="console" target="zconsole" />
+ <symlink source="dtremote" target="/dev/null" />
+ <symlink source="msglog" target="zconsole" />
+ <symlink source="stderr" target="./fd/2" />
+ <symlink source="stdin" target="./fd/0" />
+ <symlink source="stdout" target="./fd/1" />
+ <symlink source="syscon" target="zconsole" />
+ <symlink source="sysmsg" target="zconsole" />
+ <symlink source="systty" target="zconsole" />
+
+</platform>
diff --git a/usr/src/lib/brand/kvm/zone/poststate b/usr/src/lib/brand/kvm/zone/poststate
new file mode 100755
index 0000000000..17060a3b68
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/poststate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="kvm"
+. /usr/lib/brand/jcommon/poststate
diff --git a/usr/src/lib/brand/kvm/zone/prestate b/usr/src/lib/brand/kvm/zone/prestate
new file mode 100755
index 0000000000..a05fe69368
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/prestate
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="kvm"
+. /usr/lib/brand/jcommon/prestate
diff --git a/usr/src/lib/brand/kvm/zone/statechange b/usr/src/lib/brand/kvm/zone/statechange
new file mode 100755
index 0000000000..4e3fab34ca
--- /dev/null
+++ b/usr/src/lib/brand/kvm/zone/statechange
@@ -0,0 +1,36 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+# Do we support vrrp?
+# jst_vrrp="yes"
+
+# Do we support unfiltered promiscuous mode
+jst_ufpromisc="yes"
+
+# Do we use vnd devices
+jst_createvnd="yes"
+
+# Do we not need to have various SMF and ccs stuff created for us?
+jst_simplefs="yes"
+
+# Should we show snapshots?
+# jst_showsnap="yes"
+
+# Where does the mdata socket live?
+jst_mdatapath="/var/run/smartdc"
+
+. /usr/lib/brand/jcommon/statechange
diff --git a/usr/src/lib/brand/lx/zone/Makefile b/usr/src/lib/brand/lx/zone/Makefile index ddcca6046a..58a5723c5d 100644 --- a/usr/src/lib/brand/lx/zone/Makefile +++ b/usr/src/lib/brand/lx/zone/Makefile @@ -21,13 +21,13 @@ # # Copyright 2006 Sun Microsystems, Inc. All rights reserved. -# Copyright 2015 Joyent, Inc. All rights reserved. +# Copyright 2019 Joyent, Inc. # Copyright 2017 ASS-Einrichtungssysteme GmbH, Inc. All rights reserved. # -PROGS = lx_boot +PROGS = lx_boot lx_install lx_uninstall prestate poststate statechange PROGS += lx_boot_zone_redhat lx_boot_zone_ubuntu lx_boot_zone_debian -PROGS += lx_boot_zone_busybox lx_boot_zone_suse +PROGS += lx_boot_zone_busybox lx_boot_zone_suse lx_boot_zone_docker XMLDOCS = config.xml platform.xml TEMPLATES = SUNWlx.xml SUNWlx26.xml diff --git a/usr/src/lib/brand/lx/zone/config.xml b/usr/src/lib/brand/lx/zone/config.xml index ba7a150a2c..ba2192f867 100644 --- a/usr/src/lib/brand/lx/zone/config.xml +++ b/usr/src/lib/brand/lx/zone/config.xml @@ -37,14 +37,17 @@ <forcedlogin_cmd>/bin/login -h zone:%Z -f %u</forcedlogin_cmd> <user_cmd>/usr/bin/getent passwd %u</user_cmd> - <install>/usr/lib/brand/lx/lx_install %z %R</install> - <installopts>d:hsvX</installopts> + <install>/usr/lib/brand/lx/lx_install -z %z -R %R</install> + <installopts>R:t:U:q:z:</installopts> <boot>/usr/lib/brand/lx/lx_boot %z %R</boot> <halt>/usr/lib/brand/lx/lx_support halt %R %z</halt> <verify_cfg>/usr/lib/brand/lx/lx_support verify</verify_cfg> <verify_adm></verify_adm> <postclone></postclone> <postinstall></postinstall> + <uninstall>/usr/lib/brand/lx/lx_uninstall -z %z -R %R</uninstall> + <prestatechange>/usr/lib/brand/lx/prestate %z %R</prestatechange> + <poststatechange>/usr/lib/brand/lx/poststate %z %R</poststatechange> <privilege set="default" name="contract_event" /> <privilege set="default" name="contract_identity" /> 
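Review bot: In the lx config.xml hunk, `<installopts>` changes from `d:hsvX` to `R:t:U:q:z:`, so any existing `zoneadm … install` invocation for an lx zone that passes `-d`, `-s`, `-v` or `-X` is rejected by zoneadm's option check from now on, and the `-h` usage flag goes with it; nothing in the hunk or the commit flags this as a user-visible break. If retiring the old options is intended, the lx install documentation and any tooling that drives `zoneadm -z … install -d` need a matching update, and a comment beside `<installopts>` saying `<!-- must match the getopts string in lx_install -->` would keep the two from drifting again (lx_install itself is outside this view). The new `<install>` line uses `-z %z -R %R` while `<boot>` and `<halt>` in the same hunk keep the positional `%z %R` form; that is consistent with the other brands in this series, but a sentence in the commit message would save the next reader from wondering whether the mismatch is deliberate.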
@@ -70,6 +73,7 @@
 <privilege set="default" name="proc_chroot" />
 <privilege set="default" name="sys_audit" />
 <privilege set="default" name="proc_audit" />
+ <privilege set="default" name="proc_clock_highres" />
 <privilege set="default" name="proc_lock_memory" />
 <privilege set="default" name="proc_owner" />
 <privilege set="default" name="proc_secflags" />
@@ -78,10 +82,12 @@
 <privilege set="default" name="proc_taskid" />
 <privilege set="default" name="sys_acct" />
 <privilege set="default" name="sys_admin" />
+ <privilege set="default" name="sys_fs_import" />
 <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
 <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
 <privilege set="default" name="sys_mount" />
 <privilege set="default" name="sys_nfs" />
+ <privilege set="default" name="sys_smb" />
 <privilege set="default" name="sys_resource" />
 <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
diff --git a/usr/src/lib/brand/lx/zone/lx_boot_zone_docker b/usr/src/lib/brand/lx/zone/lx_boot_zone_docker
new file mode 100755
index 0000000000..9d332a723d
--- /dev/null
+++ b/usr/src/lib/brand/lx/zone/lx_boot_zone_docker
@@ -0,0 +1,17 @@
+#!/bin/ksh -p
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright 2014 Joyent, Inc. All rights reserved.
+#
+
+# Hand control back to lx_boot
diff --git a/usr/src/lib/brand/lx/zone/lx_boot_zone_docker.ksh b/usr/src/lib/brand/lx/zone/lx_boot_zone_docker.ksh
new file mode 100755
index 0000000000..9d332a723d
--- /dev/null
+++ b/usr/src/lib/brand/lx/zone/lx_boot_zone_docker.ksh
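Review bot: The `proc_clock_highres`, `sys_fs_import` and `sys_smb` lines added to the `default` privilege set (this hunk and the next, `@@ -78,10 +82,12 @@`) widen the boundary every lx zone boots with, and nothing in the file records why. The default set is what a zone receives without any operator opt-in, so each addition deserves a one-line rationale next to it, for example above the `sys_smb` line: `<!-- sys_smb: lets the zone start/stop the in-kernel SMB server; required by <consumer> -->` with the real consumer filled in. If I read privileges(5) correctly, `sys_fs_import` in particular gates importing potentially untrusted filesystems, which is a kernel-exposure decision worth documenting where it is made.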
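Review bot: `lx_boot_zone_docker` and `lx_boot_zone_docker.ksh` (the next hunk, also `@@ -0,0 +1,17 @@`) are committed with identical content and the same blob id; since `lx/zone/Makefile` now lists `lx_boot_zone_docker` in `PROGS`, the un-suffixed copy looks like a build product that is presumably generated from the `.ksh` at build time and will drift from it, so I would drop it from the tree. The script body is only the comment `# Hand control back to lx_boot`; if the docker flavour intentionally needs no per-distro boot fix-ups, say so explicitly: `# Docker images need no distro-specific boot setup; lx_boot runs the common path.`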
@@ -0,0 +1,17 @@
+#!/bin/ksh -p
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright 2014 Joyent, Inc. All rights reserved.
+#
+
+# Hand control back to lx_boot
diff --git a/usr/src/lib/brand/lx/zone/lx_install.ksh b/usr/src/lib/brand/lx/zone/lx_install.ksh
index c31b8355ac..d979bb373e 100644
--- a/usr/src/lib/brand/lx/zone/lx_install.ksh
+++ b/usr/src/lib/brand/lx/zone/lx_install.ksh
@@ -9,186 +9,54 @@ # source. A copy of the CDDL is also available via the Internet at # http://www.illumos.org/license/CDDL. # -# Copyright 2016 Joyent, Inc. All rights reserved. -# # -# This is only an example install script. It is not currently used for anything. +# Copyright 2015 Joyent, Inc. # -PATH=/bin:/usr/bin:/usr/sbin -export PATH +# Does this brand support reprovisioning? +jst_reprovision="yes" -fullpath() -{ - typeset path="$1" +# Is a template image optional? +# jst_tmplopt="yes" - echo $path | egrep -s "^/" || path="${PWD:=$(pwd)}/$path" - echo $path -} +. /usr/lib/brand/jcommon/libhooks.ksh -makedir() +function jcommon_attach_hook { - typeset dirname=$(fullpath "$1") - typeset mode="" - - [[ $# -eq 2 ]] && mode="-m $2" - - [[ -d "$dirname" ]] && return - - if ! mkdir $mode -p "$dirname"; then - echo $(gettext "Aborting installation...") - exit 255 + # lx-brand specific stuff is done here as final step of install + + # + # Make sure the localhost has a hostname alias in the zone's + # /etc/hosts file + # + zroot=$ZONEPATH/root + hname=$ZONENAME + hostnamef=$zroot/etc/hostname + if [[ ! -h $hostnamef ]]; then + echo $hname >$hostnamef fi -} - -symlink() -{ - typeset src="$1" - typeset dst=$(fullpath "$2") - [[ -e "$dst" || -h "$dst" ]] && rm -f "$dst" - - if ! ln -s "$src" "$dst"; then - echo $(gettext "Aborting installation...") - exit 255 + hostfile=$zroot/etc/hosts + if [[ -f $hostfile && ! 
-h $hostfile ]]; then + # use awk to search and append to loopback in one command + awk -v hname="$hname" '{ + if ($1 ~ /^127\./ && index($0, hname) == 0) { + printf("%s %s\n", $0, hname); + } else { + print $0 + } + }' $hostfile >/tmp/tmp_${ZONENAME}_$$ + mv /tmp/tmp_${ZONENAME}_$$ $hostfile + chmod 644 $hostfile fi -} -install_ln() -{ - typeset source="$1" - typeset target=$(fullpath "$2") + rm -rf $ZONEPATH/cores + CORE_QUOTA=102400 + zfs create -o quota=${CORE_QUOTA}m \ + -o mountpoint=/${PDS_NAME}/$bname/cores ${PDS_NAME}/cores/$bname - log " Installing \"$target\"" - - mv -f "$target" "$target.$tag" 2>/dev/null - - if ! ln -s "$source" "$target"; then - return 1 - fi - - return 0 + chmod 700 $ZONEPATH } -# If we weren't passed 3 arguments, exit now. -[[ $# -lt 3 ]] && exit 254 - -# Extract the brand directory name from the path. -branddir=$(dirname "$0") -zonename="$1" -zoneroot="$2" -install_src="3" -install_root="$zoneroot/root" -ZPOOL=`df $ZONEROOT | awk -F '[()]' '{split($2, field, "/"); print field[1]; }'` -if [ -z "$ZPOOL" ]; then - ROOTDEV="none" -else - ROOTDEV="/dev/$ZPOOL" -fi - -if [[ ! -f "$install_src" ]]; then - echo "$install_src: file not found\n" - exit 254 -fi - -if [[ ! -d "$install_root" ]]; then - if ! mkdir -p "$install_root" 2>/dev/null; then - echo "Could not create install directory $install_root" - exit 254 - fi -fi - -if ! ( cd "$install_root" && gtar -xzf "$install_src" ) ; then - echo "Error: extraction from tar archive failed" - exit 255 -fi - -tag="lxsave_$(date +%m.%d.%Y@%T)" - -if [[ ! 
-d "$install_root" ]]; then - exit 255 -fi - -cd "$install_root" - -makedir native/dev -makedir native/etc/default -makedir native/etc/svc/volatile -makedir native/lib -makedir native/proc -makedir native/tmp 1777 -makedir native/usr -makedir native/var - -makedir mnt -makedir opt -makedir usr/local/bin -makedir usr/local/include -makedir usr/local/lib -makedir usr/local/sbin -makedir usr/local/share -makedir usr/local/src - -makedir dev 0755 -makedir tmp 1777 -makedir proc 0555 -makedir boot 0755 - -symlink /bin/sh sbin/sh -symlink /bin/su usr/bin/su -symlink /native/usr/lib/ld.so.1 usr/lib/ld.so.1 - -libpam_so="$(echo lib/libpam.so.0.*)" -libpam_misc="$(echo lib/libpam_misc.so.0.*)" -libpamc_so="$(echo lib/libpamc.so.0.*)" - -symlink "/$libpam_so" lib/libpam.so.0 -symlink "/$libpam_misc" lib/libpam_misc.so.0 -symlink "/$libpamc_so" lib/libpamc.so.0 - -makedir var/ld - -if ! crle -c var/ld/ld.config -l /native/lib:/native/usr/lib \ - -s /native/lib/secure:/native/usr/lib/secure; then - exit 255 -fi - -mv -f etc/fstab etc/fstab.$tag 2>/dev/null - -cat > etc/fstab <<- EOF - $ROOTDEV / zfs defaults 1 1 - proc /proc proc defaults 0 0 -EOF - -if [[ $? -ne 0 ]]; then - exit 255 -fi - -if [[ ! -e "$install_root/etc/hosts" ]]; then - cat > "$install_root/etc/hosts" <<-_EOF_ - 127.0.0.1 localhost - _EOF_ -fi - -# -# Perform distribution-specific changes. -# -distro="" -if [[ -f etc/redhat-release ]]; then - distro="redhat" -elif [[ -f etc/lsb-release ]]; then - if egrep -s Ubuntu etc/lsb-release; then - distro="ubuntu" - elif [[ -f etc/debian_version ]]; then - distro="debian" - fi -elif [[ -f etc/debian_version ]]; then - distro="debian" -fi - -if [[ -z $distro ]]; then - exit 255 -fi - -exit 0 +. /usr/lib/brand/jcommon/cinstall diff --git a/usr/src/lib/brand/lx/zone/lx_uninstall.ksh b/usr/src/lib/brand/lx/zone/lx_uninstall.ksh new file mode 100755 index 0000000000..136044ad9e --- /dev/null +++ b/usr/src/lib/brand/lx/zone/lx_uninstall.ksh 
@@ -0,0 +1,23 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+function jcommon_uninstall_hook
+{
+ :
+}
+
+. /usr/lib/brand/jcommon/cuninstall
diff --git a/usr/src/lib/brand/lx/zone/poststate.ksh b/usr/src/lib/brand/lx/zone/poststate.ksh
new file mode 100755
index 0000000000..49370fce60
--- /dev/null
+++ b/usr/src/lib/brand/lx/zone/poststate.ksh
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="lx"
+. /usr/lib/brand/jcommon/poststate
diff --git a/usr/src/lib/brand/lx/zone/prestate.ksh b/usr/src/lib/brand/lx/zone/prestate.ksh
new file mode 100755
index 0000000000..04d9969a65
--- /dev/null
+++ b/usr/src/lib/brand/lx/zone/prestate.ksh
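Review bot: `jcommon_uninstall_hook` has an empty `:` body and nothing says whether that is deliberate or a placeholder; a one-line comment inside the function, `# lx has no brand-specific uninstall work; cuninstall performs the generic teardown`, records the intent so it is not mistaken for an omission. The hook is presumably invoked by `/usr/lib/brand/jcommon/cuninstall`, which is sourced on the last line, so the comment should also note that the function name is the contract that script expects.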
@@ -0,0 +1,19 @@
+#!/bin/ksh -p
+#
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2014 Joyent, Inc. All rights reserved.
+#
+
+ps_brand="lx"
+. /usr/lib/brand/jcommon/prestate
diff --git a/usr/src/lib/brand/lx/zone/statechange.ksh b/usr/src/lib/brand/lx/zone/statechange.ksh
new file mode 100755
index 0000000000..d0bc11eee9
--- /dev/null
+++ b/usr/src/lib/brand/lx/zone/statechange.ksh
@@ -0,0 +1,41 @@
+#!/bin/ksh -p
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2018 Joyent, Inc. All rights reserved.
+#
+
+# Do we support vrrp?
+# jst_vrrp="yes"
+
+# Do we support unfiltered promiscuous mode
+# jst_ufpromisc="yes"
+
+# Do we use vnd devices
+# jst_createvnd="yes"
+
+# Do we not need to have various SMF and ccs stuff created for us?
+jst_simplefs="yes"
+
+# Should we show snapshots?
+jst_showsnap="yes"
+
+# Where does the mdata socket live?
+jst_mdatapath="/native/.zonecontrol/"
+
+# Ensure docker zfd(7D) log is not put in the wrong place
+if [[ "$_ZONECFG_attr_docker" == true ]]; then
+ typeset -A FORCED_ATTRS
+ FORCED_ATTRS["zlog-name"]=
+fi
+
+. /usr/lib/brand/jcommon/statechange
diff --git a/usr/src/lib/libppt/Makefile b/usr/src/lib/libppt/Makefile
index 21c26d447e..7119d6715c 100644
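Review bot: `jst_mdatapath="/native/.zonecontrol/"` carries a trailing slash while the kvm brand's `statechange` in this same commit sets `jst_mdatapath="/var/run/smartdc"` without one; unless `/usr/lib/brand/jcommon/statechange` normalises the value, whichever code joins it with a socket name will see a doubled `/` in one brand and not the other, so pick one convention and use it in both files. `typeset -A FORCED_ATTRS` and `FORCED_ATTRS["zlog-name"]=` are only executed when `$_ZONECFG_attr_docker` is `true`, so the sourced script presumably has to treat an unset `FORCED_ATTRS` as empty; that expectation is worth stating in the comment above the `if`, e.g. `# FORCED_ATTRS is only defined for docker zones; jcommon/statechange must tolerate it being unset.`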
--- a/usr/src/lib/libppt/Makefile +++ b/usr/src/lib/libppt/Makefile @@ -10,7 +10,7 @@ # # -# Copyright 2018 Joyent, Inc. +# Copyright 2019 Joyent, Inc. # include $(SRC)/lib/Makefile.lib @@ -20,25 +20,35 @@ SUBDIRS = $(MACH) $(BUILD64) $(MACH64) HDRS = libppt.h HDRDIR = common +ETCFILES= ppt_matches +ROOTETC= $(ROOT)/etc +IETCFILES= $(ETCFILES:%=$(ROOTETC)/%) + +$(IETCFILES) := FILEMODE = 0444 + all := TARGET= all clean := TARGET= clean clobber := TARGET= clobber install := TARGET= install -lint := TARGET= lint .KEEP_STATE: -all clean clobber install lint: $(SUBDIRS) +all clean clobber install: $(SUBDIRS) install_h: $(ROOTHDRS) all install: install_h +install: $(IETCFILES) + check: $(CHECKHDRS) $(SUBDIRS): FRC @cd $@; pwd; $(MAKE) $(TARGET) +$(ROOTETC)/%: % + $(INS.file) + FRC: include $(SRC)/lib/Makefile.targ diff --git a/usr/src/lib/libppt/ppt_matches b/usr/src/lib/libppt/ppt_matches new file mode 100644 index 0000000000..03ff7e03ba --- /dev/null +++ b/usr/src/lib/libppt/ppt_matches @@ -0,0 +1 @@ +pci10de,15f0 diff --git a/usr/src/lib/libsecdb/user_attr.txt b/usr/src/lib/libsecdb/user_attr.txt index aa31d7373b..227468d7c0 100644 --- a/usr/src/lib/libsecdb/user_attr.txt +++ b/usr/src/lib/libsecdb/user_attr.txt @@ -1,5 +1,6 @@ # # Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, Joyent, Inc. All rights reserved. # # CDDL HEADER START # 
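Review bot: `ppt_matches` is installed under `/etc` as a single bare `pci10de,15f0` line with no header saying what the file is or how it is parsed: whether it is one PCI `vendor,device` pair per line, whether `#` comments and blank lines are tolerated, and what a match means to libppt (presumably the set of devices eligible for passthrough). Since operators will be tempted to edit a file under `/etc`, a leading comment stating the format belongs here if libppt's reader accepts comment lines; if it does not, the format should be documented in the libppt header or man page instead and a note to that effect placed in the Makefile next to `ETCFILES= ppt_matches`.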
@@ -25,11 +26,12 @@
 # user attributes. see user_attr(4)
 #
 #
-root::::auths=solaris.*,solaris.grant;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
-lp::::profiles=Printer Management
 adm::::profiles=Log Management
-dladm::::auths=solaris.smf.manage.wpa,solaris.smf.modify
+admin::::profiles=Primary Administrator;roles=root
 daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
+dladm::::auths=solaris.smf.manage.wpa,solaris.smf.modify
+lp::::profiles=Printer Management
 netadm::::type=role;project=default;profiles=Network Autoconf Admin,Network Management,Service Management
 netcfg::::type=role;project=default;profiles=Network Autoconf User;auths=solaris.network.autoconf.write
+root::::auths=solaris.*,solaris.grant;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
 zfssnap::::type=role;auths=solaris.smf.manage.zfs-auto-snapshot;profiles=ZFS File System Management |
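Review bot: The new `admin::::profiles=Primary Administrator;roles=root` entry grants any account named `admin` the Primary Administrator profile plus the right to assume the `root` role, and it does so unconditionally: user_attr(4) entries bind to whichever account carries that name, so the grant attaches the moment an `admin` user is created by an operator or a provisioning tool, with no further review. That is presumably intended for the Joyent platforms this commit targets, but nothing in the file records it; a comment above the line, `# "admin": <purpose of this account> - Primary Administrator, may assume the root role`, would document the decision, and it is worth confirming that nothing else in the build creates an `admin` account with a weaker expectation. The remaining lines in this hunk only re-sort existing entries.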
