To install a Solaris 10 zone, run the script /etc/zone_config.sh.
If the script does not exist, copy the script below to /etc/zone_config.sh. It must be run as root in the global zone; read it before you install it, because it creates metadevices, runs newfs on them and appends to /etc/vfstab.
The syntax of the script is as follows:
/etc/zone_config.sh zonename ip-address interface metadevice size
To create a zone called testzone with IP address 172.20.54.1 on NIC bge2, using metadevice d60 for a 200MB root filesystem:
/etc/zone_config.sh testzone 172.20.54.1 bge2 d60 200m
On creation of the zone, two new soft partitions will be created:
one for the root filesystem of the zone, with the size given as the last command-line argument;
one for /var of the zone, with a default size of 1GB.
The soft partitions will be created as d90x (/) and d93x (/var), where x is the zone number.
The zone will be configured as an LDAP client. A compat entry for a netgroup named after the zone (+@zonename) will be appended to the zone's /etc/passwd and /etc/shadow.
The netgroup itself must be created in LDAP, with the appropriate user access.
All unnecessary services like ftp, telnet, finger etc. will be disabled (the hardening function below lists exactly which SMF services are turned off).
A hobbit user will be created (its passwd, shadow and group entries are copied from the global zone) and hobbit will be started when the zone starts.
#!/bin/ksh
#########################################################################
#
# Version 1.1
# Bart van der Putten
# July 2008
#
#########################################################################
#########################################################################
#
# Check free space within the metadevice before carving out soft partitions
#
#########################################################################
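#
# free <metadevice> <size>
#
# Verify that <metadevice> has room for a root soft partition of <size>
# ("<n>m" or "<n>g") plus the fixed 1 GB /var soft partition.  Prints a
# report and exits the script with status 1 when there is not enough space;
# returns normally otherwise.  Runs metastat, so it needs root.
#
free() {
  typeset dev="$1" want="$2"
  typeset num req_blocks total total_num total_blocks used target free_blocks free_mb

  # Requested root size is an integer followed by 'm' (MB) or 'g' (GB);
  # the caller validates the format.  Everything below is in 512-byte
  # blocks: 1 MB = 2048 blocks, 1 GB = 1024 * 2048 blocks.
  num=${want%?}
  case "$want" in
    *g|*G) req_blocks=$((num * 1024 * 2048)) ;;
    *)     req_blocks=$((num * 2048)) ;;
  esac

  # Size column of this device as "metastat -c" prints it (e.g. "8.0GB" or
  # "500MB").  The device name is compared exactly, so d60 no longer matches
  # d601 or an unrelated line that merely contains the letter "m".
  total=$(metastat -c | while read -r name kind size rest; do
    if [ "$name" = "$dev" ]; then
      echo "$size"
      break
    fi
  done)
  if [ -z "$total" ]; then
    echo "Cannot determine the size of metadevice $dev" >&2
    exit 1
  fi
  total_num=${total%??}        # drop the two-letter unit
  total_num=${total_num%%.*}   # drop any fraction; truncating under-counts, which is the safe side
  case "$total" in
    *TB) total_blocks=$((total_num * 1024 * 1024 * 2048)) ;;
    *GB) total_blocks=$((total_num * 1024 * 2048)) ;;
    *)   total_blocks=$((total_num * 2048)) ;;
  esac

  # Blocks already handed out as soft partitions on this device.
  # "metastat -p" prints them as "d901 -p d60 -o <offset> -b <blocks>".
  used=$(metastat -p | {
    sum=0
    while read -r name kind parent oflag offset bflag blocks rest; do
      if [ "$kind" = "-p" ] && [ "$parent" = "$dev" ]; then
        sum=$((sum + blocks))
      fi
    done
    echo "$sum"
  })

  # 2097152 blocks (1 GB) is reserved for the /var soft partition (d93<n>)
  # that is created next to the root one.
  target=$((used + req_blocks + 2097152))
  free_blocks=$((total_blocks - used))
  free_mb=$((free_blocks / 2048))
  if [ "$target" -ge "$total_blocks" ]; then
    echo ""
    echo "Not sufficient diskspace in metadevice $dev"
    echo "Target size : $target blocks"
    echo ""
    echo "Total size $dev : $total_blocks blocks"
    echo "Used Space : $used blocks"
    echo "-------------------------------------------"
    echo "Free Space : $free_blocks blocks ( $free_mb MB )"
    exit 1
  fi
}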
#########################################################################
#########################################################################
#
# Harden the zone by installing a one-shot rc script that disables services at first boot
#
#########################################################################
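#
# hardening <zonename>
#
# Drop a one-shot rc script into the zone.  It runs inside the zone at its
# first boot (via /etc/rc3.d), disables the listed SMF services there, stops
# syslogd accepting remote messages, swaps in the LDAP-enabled config files
# staged by add_ldap, and finally renames itself to a lower-case name so the
# rc framework does not run it again.  The heredoc delimiter is quoted so
# nothing is expanded in the global zone.
#
hardening() {
  typeset rcscript="/zones/$1/root/etc/rc3.d/S80hardening"

  cat > "$rcscript" <<'EOF'
# Hardening Server
/usr/sbin/svcadm disable svc:/network/ftp:default
/usr/sbin/svcadm disable svc:/network/telnet:default
/usr/sbin/svcadm disable svc:/network/login:rlogin
/usr/sbin/svcadm disable svc:/network/rpc/rusers:default
/usr/sbin/svcadm disable svc:/network/nfs/rquota:default
/usr/sbin/svcadm disable svc:/network/rpc/rstat:default
/usr/sbin/svcadm disable svc:/network/shell:default
/usr/sbin/svcadm disable svc:/network/finger:default
/usr/sbin/svcadm disable svc:/application/x11/xfs:default
/usr/sbin/svcadm disable svc:/network/rpc/smserver:default
/usr/sbin/svcadm disable svc:/network/rpc/gss:default
/usr/sbin/svcadm disable svc:/network/rpc-100235_1/rpc_ticotsord:default
/usr/sbin/svcadm disable svc:/application/print/cleanup:default
/usr/sbin/svcadm disable svc:/application/print/rfc1179:default
/usr/sbin/svcadm disable svc:/network/nfs/nlockmgr:default
/usr/sbin/svcadm disable svc:/network/nfs/status:default
/usr/sbin/svcadm disable svc:/network/nfs/client:default
/usr/sbin/svcadm disable svc:/application/font/stfsloader:default
/usr/sbin/svcadm disable svc:/application/font/fc-cache:default
/usr/sbin/svcadm disable svc:/application/cde-printinfo:default
/usr/sbin/svcadm disable svc:/network/rpc/cde-calendar-manager:default
/usr/sbin/svcadm disable svc:/network/rpc/cde-ttdbserver:tcp
/usr/sbin/svcadm disable svc:/network/cde-spc:default
/usr/sbin/svcadm disable svc:/application/graphical-login/cde-login:default
/usr/sbin/svcadm disable svc:/system/filesystem/volfs:default
/usr/sbin/svcadm disable svc:/application/management/snmpdx:default
/usr/sbin/svcadm disable svc:/application/management/seaport:default
/usr/sbin/svcadm disable svc:/application/management/sma:default
#
# Do not accept syslog messages from the network.
echo "LOG_FROM_REMOTE=NO" >> /etc/default/syslogd
/usr/sbin/svcadm restart svc:/system/system-log:default
# Enabling LDAP (the .ldap files were staged by the global zone)
/usr/bin/cp /etc/nsswitch.conf.ldap /etc/nsswitch.conf
/usr/bin/cp /etc/resolv.conf.ldap /etc/resolv.conf
/usr/bin/cp /etc/pam.conf.ldap /etc/pam.conf
/usr/sbin/svcadm enable svc:/network/ldap/client:default
# Lower-case name: the rc framework only runs S*/K* scripts, so this is one-shot.
/usr/bin/mv /etc/rc3.d/S80hardening /etc/rc3.d/s80hardening
EOF
}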
#########################################################################
#########################################################################
#
# Configure zone as ldap client
#
#########################################################################
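#
# add_ldap <zonename>
#
# Prepare the (not yet booted) zone as an LDAP client: install the CA
# certificate into an NSS database under the zone's /var/ldap, copy the
# client profile and proxy credentials from the global zone, stage the
# LDAP-enabled nsswitch/resolv/pam files for hardening()'s rc script,
# install the sysidcfg written by create_sysidcfg, and add the netgroup
# compat entries.  Uses the global MYZONE (set by the caller) to find the
# zone's /var soft partition.  Needs root.
#
add_ldap() {
  typeset zroot="/zones/$1/root" cacert

  # CA certificate that signs the LDAP server's TLS certificate.  It is a
  # self-signed "At Home CA" root; decoding the DER shows a notAfter in
  # July 2018, a 1024-bit RSA key and a SHA-1 signature -- confirm with
  # "openssl x509 -noout -text" and replace it when the CA is rolled.
  # Written to an unpredictable temp file: this runs as root, and a fixed
  # /tmp name could be pre-created or symlinked by any local user.
  cacert=$(mktemp /tmp/cacert.XXXXXX) || exit 1
  cat > "$cacert" <<'EOF'
-----BEGIN CERTIFICATE-----
MIICXjCCAcegAwIBAgIBADANBgkqhkiG9w0BAQUFADAvMQswCQYDVQQGEwJubDET
MBEGA1UEChMKQXQgSG9tZSBDQTELMAkGA1UEAxMCQ0EwHhcNMDgwNzMwMDk0NjIz
WhcNMTgwNzI4MDk0NjIzWjAvMQswCQYDVQQGEwJubDETMBEGA1UEChMKQXQgSG9t
ZSBDQTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEg
7eKiSHGdX7ZYAP+1j3UV5E7v+hTN8rqZoiSxZflkbA+vlmP05tVS+jpbGRSDDB8N
2bA+uS3Qqzuc0xVxTMLZiTjZC9wNitofqRtbldT4SCkASyx5U1lOxH/09fZuyJGI
vURe9/K7mRW1hr1WkFOxUFVFElxLXT/ms3phM9o3AgMBAAGjgYkwgYYwHQYDVR0O
BBYEFE1JlMgNGxLEHVMVdzMoWxGcAmtgMFcGA1UdIwRQME6AFE1JlMgNGxLEHVMV
dzMoWxGcAmtgoTOkMTAvMQswCQYDVQQGEwJubDETMBEGA1UEChMKQXQgSG9tZSBD
QTELMAkGA1UEAxMCQ0GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
gQBObw306RHCAX63Dd1XCLxpHO3Pw3LK6f+8Jkeg8eomX591r8rVwtiy8iPkSiE9
xVyGg62K40UhJ3Rtb/9vXzDxui/MoDwo1v3S9SHhmPtJcX6CMsB1VVFqOLlgmPw0
3uAY3Ns712fif6faXY/RCo9a8aBH4pUwCbNzBco+c99Q7w==
-----END CERTIFICATE-----
EOF

  # The zone's /var is its own soft partition (d93<MYZONE>) and is not
  # mounted while the zone is down; mount it under the zone root for the
  # duration of this function.  Without the mount everything below would
  # land on the zone's root filesystem instead.
  if ! /usr/sbin/mount "/dev/md/dsk/d93$MYZONE" "$zroot/var"; then
    echo "Cannot mount /dev/md/dsk/d93$MYZONE on $zroot/var" >&2
    rm -f "$cacert"
    exit 1
  fi

  /usr/sfw/bin/certutil -N -d "$zroot/var/ldap"
  /usr/sfw/bin/certutil -A -n "ca-cert" -i "$cacert" -a -t CT -d "$zroot/var/ldap"
  # The NSS databases in /var/ldap are made world-readable so unprivileged
  # lookups can use TLS; only the CA certificate is stored in them.
  /usr/bin/chmod 644 "$zroot"/var/ldap/*.db

  # Client profile and proxy bind credentials.  ldap_client_cred holds the
  # proxy password, so make sure the copy stays root-only.
  /usr/bin/cp /var/ldap/ldap_client_cred "$zroot/var/ldap"
  /usr/bin/cp /var/ldap/ldap_client_file "$zroot/var/ldap"
  /usr/bin/chmod 400 "$zroot/var/ldap/ldap_client_cred"

  # Staged copies; the rc script installed by hardening() activates them at
  # the zone's first boot.
  /usr/bin/cp /etc/nsswitch.conf "$zroot/etc/nsswitch.conf.ldap"
  /usr/bin/cp /etc/resolv.conf "$zroot/etc/resolv.conf.ldap"
  /usr/bin/cp /etc/pam.conf "$zroot/etc/pam.conf.ldap"

  # sysidcfg (from create_sysidcfg) carries the root password hash: install
  # it root-only and remove the global-zone copy once it is in place.
  /usr/bin/cp /tmp/sysidcfg "$zroot/etc/sysidcfg"
  /usr/bin/chmod 600 "$zroot/etc/sysidcfg"
  /usr/bin/rm -f /tmp/sysidcfg
  /usr/bin/touch "$zroot/etc/.NFSinst_state.domain"

  # Compat entries: members of the netgroup named after the zone (which must
  # exist in LDAP) become visible in passwd/shadow lookups.
  echo "+@$1:x:::::" >> "$zroot/etc/passwd"
  echo "+@$1:x:::::::" >> "$zroot/etc/shadow"

  /usr/sbin/umount "$zroot/var"
  rm -f "$cacert"
}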
#########################################################################
#########################################################################
#
# Add the hobbit user to the zone if it is not already present
#
#########################################################################
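#
# add_hobbit_user <zonename>
#
# Copy the global zone's "hobbit" passwd, shadow and group entries into the
# zone unless the zone already has a hobbit account.  The shadow entry is
# copied as-is, so the zone's hobbit password is the global zone's.
# Needs root (reads /etc/shadow, writes under the zone root).
#
add_hobbit_user() {
  typeset zroot="/zones/$1/root"

  # Match the login field exactly: an unanchored "hobbit" would be satisfied
  # by any login containing the substring, and -- for /etc/group -- by every
  # group that merely lists hobbit as a member, duplicating those groups
  # inside the zone.
  if ! grep '^hobbit:' "$zroot/etc/passwd" >/dev/null; then
    echo "Adding hobbit user"
    grep '^hobbit:' /etc/passwd >> "$zroot/etc/passwd"
    grep '^hobbit:' /etc/shadow >> "$zroot/etc/shadow"
    grep '^hobbit:' /etc/group >> "$zroot/etc/group"
  fi
}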
#########################################################################
#########################################################################
#
# Create a sysidcfg file
#
#########################################################################
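#
# create_sysidcfg <zonename> <ip-address> <interface>
#
# Write /tmp/sysidcfg for the new zone (add_ldap copies it into the zone).
# The netmask is taken from <interface> in the global zone.  The root
# password hash comes from the ZONE_ROOT_PW_HASH environment variable, or,
# when that is unset, from the global zone's root entry in /etc/shadow --
# a hash hard-coded in this script would be shared by every zone and is
# effectively public.  Exits 1 if no hash can be found.
#
create_sysidcfg() {
  typeset hexmask octets netmask pwhash

  # ifconfig prints the mask as eight hex digits (e.g. ffffff00); turn it
  # into dotted-quad for sysidcfg.  Only the first "netmask" line is used,
  # so an interface with logical sub-interfaces does not yield extra octets.
  hexmask=$(ifconfig "$3" | awk '/netmask/ { print $4; exit }')
  octets=$(echo "$hexmask" | sed 's/../ 0x&/g')
  netmask=$(printf "%d.%d.%d.%d\n" $octets)

  pwhash=${ZONE_ROOT_PW_HASH:-$(awk -F: '$1 == "root" { print $2; exit }' /etc/shadow)}
  if [ -z "$pwhash" ]; then
    echo "No root password hash: set ZONE_ROOT_PW_HASH (crypt(3) hash) or run as root" >&2
    exit 1
  fi

  # The file carries the hash, so create it mode 600.  The fixed /tmp path is
  # what add_ldap reads; remove any stale copy first so the mode applies.
  # TODO: switch both functions to a mktemp path to close the symlink race.
  rm -f /tmp/sysidcfg
  (
    umask 077
    cat > /tmp/sysidcfg <<EOF
system_locale=C
timezone=MET
network_interface=primary {hostname=$1
ip_address=$2
netmask=$netmask
protocol_ipv6=no }
nfs4_domain=dynamic
terminal=vt100
security_policy=NONE
name_service=NONE
root_password=$pwhash
EOF
  )
}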
##########################################################################
##########################################################################
#
# MAIN
#
##########################################################################
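PATH=/usr/sbin:/usr/bin
export PATH

#########################################################################
#
# Argument checks.  Everything the script is given ends up in paths,
# /etc/vfstab, zonecfg input and the zone's passwd file, so each value is
# validated before anything is created.
#
#########################################################################

# Print a message on stderr and stop with status 1.
die() {
  echo "$*" >&2
  exit 1
}

# True for a dotted-quad IPv4 address: exactly four octets, each 0-255.
# (The previous check also accepted three octets.)
valid_ipv4() {
  typeset octet
  case "$1" in
    ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
  esac
  set -- $(echo "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# True for a zone name that zonecfg accepts and that is safe to splice into
# paths, vfstab and the "+@name" passwd entry: a letter or digit followed by
# letters, digits, '_', '.' or '-'.  "global" is reserved.
valid_zonename() {
  case "$1" in
    ''|global|*[!A-Za-z0-9_.-]*) return 1 ;;
    [A-Za-z0-9]*) return 0 ;;
  esac
  return 1
}

# True for "<positive integer>m" or "<positive integer>g" (e.g. 200m, 2g),
# the form metainit -p and free() expect.
valid_size() {
  typeset digits
  digits=${1%[mg]}
  [ "$digits" != "$1" ] || return 1
  case "$digits" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$digits" -gt 0 ]
}

##########################################################################
#
# MAIN  (must run as root in the global zone)
#
##########################################################################
if [ "$1" = "" ] || [ "$2" = "" ] || [ "$3" = "" ] || [ "$4" = "" ] || [ "$5" = "" ]; then
  echo "Usage $0 { zonename ip-address interface metadevice size}"
  exit 1
fi
zone=$1
ip=$2
nic=$3
md=$4
size=$5

valid_zonename "$zone" || die "Not a valid zone name: $zone"
valid_ipv4 "$ip" || die "Not a valid ip address"
echo ""
if valid_size "$size"; then
  echo "Root filesystem of $size will be created"
else
  echo "Please enter number of megabytes or gigabytes (e.g. 200m or 2g)"
  exit 1
fi

########
#
# Create zone $zone with ip address $ip on interface $nic
#
########
metastat -p "$md" >/dev/null 2>&1 || die "Missing metadevice $md this is a prerequisite."
free "$md" "$size"

# Zone number: one past the highest d90<n> soft partition already present.
# It is taken across ALL metadevices because d90<n> is a system-wide name:
# restarting at 1 for a second metadevice would make metainit fail and the
# newfs below would then reformat the first zone's root.  Numbers are
# compared numerically, since a text sort puts d9010 before d902.
last=0
for name in $(metastat -p | awk '$2 == "-p" { print $1 }'); do
  case "$name" in
    d90[0-9]*)
      n=${name#d90}
      [ "$n" -gt "$last" ] && last=$n
      ;;
  esac
done
MYZONE=$((last + 1))   # global: add_ldap mounts /dev/md/dsk/d93$MYZONE

echo ""
echo "Create zone $zone with ip addres $ip on interface $nic. This will be zone number $MYZONE on this system (on $md - ${size}B). (y/n): "
read -r ok
case "$ok" in
  'y' | 'Y') # start configuration
    mkdir -p "/zones/$zone"
    # Stop before newfs if either soft partition cannot be created: a
    # failed metainit usually means the name already exists, and
    # formatting it would destroy another zone's filesystem.
    metainit "d90$MYZONE" -p "$md" "$size" || die "metainit d90$MYZONE failed; nothing has been formatted"
    metainit "d93$MYZONE" -p "$md" 1g || die "metainit d93$MYZONE failed; nothing has been formatted"
    newfs -m1 "/dev/md/rdsk/d90$MYZONE" || die "newfs of d90$MYZONE failed"
    newfs -m1 "/dev/md/rdsk/d93$MYZONE" || die "newfs of d93$MYZONE failed"
    echo "/dev/md/dsk/d90$MYZONE /dev/md/rdsk/d90$MYZONE /zones/$zone ufs 2 yes -" >> /etc/vfstab
    mount "/zones/$zone" || die "cannot mount /zones/$zone"
    # zoneadm requires the zone root to be inaccessible to group/other.
    chmod -R g-rx "/zones/$zone"
    chmod -R o-rx "/zones/$zone"

    echo "Creating SysIdCfg...."
    create_sysidcfg "$zone" "$ip" "$nic"

    echo "Creating zone cfg file...."
    # Unpredictable temp name: the script runs as root and a fixed
    # /tmp/<zone>.cfg could be planted by any local user.
    cfg=$(mktemp /tmp/zonecfg.XXXXXX) || die "mktemp failed"
    cat > "$cfg" <<EOF
create -b
set zonepath=/zones/$zone
set autoboot=true
add net
set physical=$nic
set address=$ip
end
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/var
set special=/dev/md/dsk/d93$MYZONE
set raw=/dev/md/rdsk/d93$MYZONE
set type=ufs
add options logging
end
add fs
set dir=/home
set special=/export/home
set type=lofs
end
EOF
    echo "Creating zone with command:"
    echo "zonecfg -z $zone -f $cfg"
    /usr/sbin/zonecfg -z "$zone" -f "$cfg" || die "zonecfg failed for zone $zone"
    rm -f "$cfg"
    echo ""
    echo "================================================="
    echo ""
    echo "Zone Configurations Finished "
    echo "Verifying Zone $zone"
    echo ""
    if zoneadm -z "$zone" verify; then
      echo "Installing Zone $zone"
      # The post-install steps write into the zone root; do not run them
      # against a half-installed zone.
      zoneadm -z "$zone" install || die "zoneadm install failed; zone $zone left unbooted"
      echo "Adding hobbit user "
      add_hobbit_user "$zone"
      echo "Adding LDAP stuff "
      add_ldap "$zone"
      echo "Harding zone $zone"
      hardening "$zone"
      echo ""
      echo "Booting Zone $zone"
      echo ""
      zoneadm -z "$zone" boot
    fi
    if zoneadm -z "$zone" verify; then
      zlogin -C "$zone"
    fi
    ;;
  *)
    echo "Aborting Zone creation"
    exit 1
    ;;
esac
exit 0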