• Bez kategorii

04.02 Configuration of container st1

After installation and initial configuration of st1 container you need to look on working services and disable those, which are not necessary. But at first I will set up more comfortable environment to work. I will change default shell to zsh and home directory of root user. I will use GNU sed for this purpose. Remember that /usr/local directory is inherited from global zone in read-only mode.

root@feniks:~# cp /etc/zshrc /zones/st1/root/etc
root@feniks:~# zlogin st1 
[Connected to zone 'st1' pts/4]
Sun Microsystems Inc.	SunOS 5.10	Generic	January 2005
# /usr/local/bin/gsed -i "/^root:/ s/:\/:\/sbin\/sh/:\/root:\/bin\/zsh/" /etc/passwd
# echo "PATH=/usr/local/apache/bin:/usr/local/bin:$PATH" >> /etc/zshrc
# echo "export PATH" >> /etc/zshrc
# mv /.sunw /root
# exit

On next login /bin/zsh is called and it reads /etc/zshrc, which I copied from global zone. I set there PATH and so on. Zsh is exemplary of course, you can use bash or other if you like.

root@feniks:~# zlogin st1
[Connected to zone 'st1' pts/4]
Last login: Thu Aug 12 13:40:01 on pts/4
root@st1:~# mv /.histfile /root
root@st1:~# netstat -an

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                               Idle
      *.*                                 Unbound
      *.46901                             Idle
      *.*                                 Unbound
      *.*                                 Unbound
      *.46902                             Idle
      *.4045                              Idle
      *.6481                              Idle
      *.46922                             Idle
      *.46923                             Idle
      *.46925                             Idle
      *.514                               Idle

UDP: IPv6
   Local Address                     Remote Address                   State      If
--------------------------------- --------------------------------- ---------- -----
      *.6481                                                        Idle       

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.111                *.*                0      0 49152      0 LISTEN
      *.*                  *.*                0      0 49152      0 IDLE
      *.43667              *.*                0      0 49152      0 LISTEN
      *.43668              *.*                0      0 49152      0 LISTEN
      *.4045               *.*                0      0 49152      0 LISTEN
      *.5987               *.*                0      0 49152      0 LISTEN
      *.514                *.*                0      0 49152      0 LISTEN
      *.6481               *.*                0      0 49152      0 LISTEN
      *.513                *.*                0      0 49152      0 LISTEN
      *.43669              *.*                0      0 49152      0 LISTEN
      *.79                 *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN
      *.43712              *.*                0      0 49152      0 BOUND
127.0.0.1.6788             *.*                0      0 49152      0 LISTEN
127.0.0.1.6789             *.*                0      0 49152      0 LISTEN
127.0.0.1.43706            *.*                0      0 49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.514                             *.*                             0      0 49152      0 LISTEN      
      *.513                             *.*                             0      0 49152      0 LISTEN      
      *.79                              *.*                             0      0 49152      0 LISTEN      
      *.22                              *.*                             0      0 49152      0 LISTEN      
      *.23                              *.*                             0      0 49152      0 LISTEN      

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
60039b36758 stream-ord 30077930300 00000000 /var/run/.inetd.uds 

There is a lot of opened ports, this is not good for security. For what is telnet opened, who use this nowadays? If you initially configure system with sysidcfg file, you can choose profile limited_net, and this will constrain runing services, but if your system is configured "by hand" then you will see something similiar to this above. You can disable services one by one with use of svcadm command, because there are managed by another Solaris 10 innovation named Service Management Facility (SMF).

root@st1:~# svcs
STATE          STIME    FMRI
legacy_run     15:41:36 lrc:/etc/rc2_d/S20sysetup
legacy_run     15:41:36 lrc:/etc/rc2_d/S72autoinstall
legacy_run     15:41:36 lrc:/etc/rc2_d/S73cachefs_daemon
legacy_run     15:41:36 lrc:/etc/rc2_d/S89PRESERVE
legacy_run     15:41:36 lrc:/etc/rc2_d/S98deallocate
legacy_run     15:41:36 lrc:/etc/rc3_d/S16boot_server
disabled       15:41:35 svc:/system/filesystem/volfs:default
online         15:41:31 svc:/system/svc/restarter:default
online         15:41:31 svc:/system/filesystem/root:default
online         15:41:31 svc:/network/loopback:default
online         15:41:32 svc:/network/pfil:default
online         15:41:32 svc:/system/boot-archive:default
online         15:41:32 svc:/system/installupdates:default
online         15:41:32 svc:/network/physical:default
online         15:41:32 svc:/system/filesystem/usr:default
online         15:41:33 svc:/system/identity:node
online         15:41:33 svc:/system/keymap:default
online         15:41:33 svc:/system/device/local:default
online         15:41:33 svc:/milestone/devices:default
online         15:41:33 svc:/system/filesystem/minimal:default
online         15:41:33 svc:/system/cluster/cl_boot_check:default
online         15:41:33 svc:/system/name-service-cache:default
online         15:41:33 svc:/system/rmtmpfiles:default
online         15:41:33 svc:/system/cryptosvc:default
online         15:41:33 svc:/system/identity:domain
online         15:41:33 svc:/network/ipsec/ipsecalgs:default
online         15:41:33 svc:/system/pkgserv:default
online         15:41:33 svc:/network/ipsec/policy:default
online         15:41:33 svc:/system/manifest-import:default
online         15:41:33 svc:/system/coreadm:default
online         15:41:33 svc:/system/patchchk:default
online         15:41:33 svc:/milestone/network:default
online         15:41:33 svc:/milestone/single-user:default
online         15:41:33 svc:/network/initial:default
online         15:41:33 svc:/network/routing-setup:default
online         15:41:33 svc:/system/filesystem/local:default
online         15:41:33 svc:/network/service:default
online         15:41:33 svc:/network/shares/group:default
online         15:41:34 svc:/network/dns/client:default
online         15:41:34 svc:/system/sysidtool:net
online         15:41:34 svc:/system/boot-archive-update:default
online         15:41:34 svc:/milestone/name-services:default
online         15:41:34 svc:/network/rpc/bind:default
online         15:41:34 svc:/system/cron:default
online         15:41:34 svc:/network/nfs/mapid:default
online         15:41:34 svc:/network/nfs/cbd:default
online         15:41:34 svc:/system/sysidtool:system
online         15:41:34 svc:/network/nfs/status:default
online         15:41:34 svc:/milestone/sysconfig:default
online         15:41:34 svc:/network/nfs/nlockmgr:default
online         15:41:34 svc:/application/stosreg:default
online         15:41:34 svc:/system/sac:default
online         15:41:34 svc:/network/inetd:default
online         15:41:34 svc:/application/management/wbem:default
online         15:41:34 svc:/system/utmp:default
online         15:41:35 svc:/network/rpc/gss:default
online         15:41:35 svc:/network/security/ktkt_warn:default
online         15:41:35 svc:/network/shell:default
online         15:41:35 svc:/network/stlisten:default
online         15:41:35 svc:/network/stdiscover:default
online         15:41:35 svc:/network/nfs/client:default
online         15:41:35 svc:/network/login:rlogin
online         15:41:35 svc:/network/rpc/rusers:default
online         15:41:35 svc:/network/rpc/rstat:default
online         15:41:35 svc:/system/filesystem/autofs:default
online         15:41:35 svc:/network/rpc/smserver:default
online         15:41:35 svc:/network/nfs/rquota:default
online         15:41:35 svc:/network/finger:default
online         15:41:35 svc:/network/ssh:default
online         15:41:35 svc:/system/system-log:default
online         15:41:35 svc:/network/telnet:default
online         15:41:35 svc:/network/rpc-100235_1/rpc_ticotsord:default
online         15:41:36 svc:/milestone/multi-user:default
online         15:41:36 svc:/milestone/multi-user-server:default
online         15:41:47 svc:/system/webconsole:console
online         15:50:44 svc:/system/console-login:default

There is lot of that, and probably you do not know what can you safely disable. RPC processes? Finger, Telnet? What else? I suggest you that we will apply limited_net profile for beginning, and we will check what was done:

root@st1:~# svccfg apply /var/svc/profile/generic_limited_net.xml
root@st1:~# netstat -an

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                               Idle
      *.*                                 Unbound
      *.46901                             Idle
      *.514                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.111                *.*                0      0 49152      0 LISTEN
      *.*                  *.*                0      0 49152      0 IDLE
      *.5987               *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.43712              *.*                0      0 49152      0 BOUND
127.0.0.1.6788             *.*                0      0 49152      0 LISTEN
127.0.0.1.6789             *.*                0      0 49152      0 LISTEN
127.0.0.1.43706            *.*                0      0 49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                             0      0 49152      0 LISTEN      

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
60039b36758 stream-ord 30077930300 00000000 /var/run/.inetd.uds 

Now is better, but we can disable all rpc/*, autofs and volfs if they are not used

root@st1:~# svcs|grep rpc                 
online         14:39:51 svc:/network/rpc/bind:default
online         14:39:52 svc:/network/rpc/gss:default
online         14:39:52 svc:/network/rpc/smserver:default
online         14:39:52 svc:/network/rpc-100235_1/rpc_ticotsord:default
root@st1:~# svcs|gawk '/rpc/ { print $3 }'|xargs svcadm disable
root@st1:~# svcs|grep rpc
root@st1:~# svcs -xv
svc:/network/rpc/bind:default (RPC bindings)
 State: disabled since Thu Aug 12 14:46:32 2010
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M rpcbind
   See: /var/svc/log/network-rpc-bind:default.log
Impact: 1 dependent service is not running:
        svc:/system/filesystem/autofs:default
root@st1:~# svcadm disable autofs
root@st1:~# svcadm disable volfs
root@st1:~# svcs -xv

From my experience I can prompt you, that you should now reboot your container (not system) and check services after login.

root@st1:~# reboot

[Connection to zone 'st1' pts/4 closed]
root@feniks:~# zlogin st1
[Connected to zone 'st1' pts/4]
Last login: Thu Aug 12 14:47:55 on pts/4
root@st1:~# svcs -xv            
svc:/network/security/ktkt_warn:default (Kerberos V5 warning messages daemon)
 State: maintenance since Thu Aug 12 14:47:56 2010
Reason: Restarter svc:/network/inetd:default gave no explanation.
   See: http://sun.com/msg/SMF-8000-9C
   See: man -M /usr/share/man -s 1M ktkt_warnd
Impact: This service is not running.

root@st1:~# netstat -an

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.514                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.5987               *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.40180              *.*                0      0 49152      0 BOUND
127.0.0.1.6788             *.*                0      0 49152      0 LISTEN
127.0.0.1.6789             *.*                0      0 49152      0 LISTEN
127.0.0.1.40174            *.*                0      0 49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                             0      0 49152      0 LISTEN      

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
30040ed8bd0 stream-ord 300397d2380 00000000 /var/run/.inetd.uds

If you will not use webconsole to manage, you can disable those services too. And Kerberos warning daemon.

root@st1:~# svcadm disable wbem webconsole
root@st1:~# svcadm disable ktkt_warn
root@st1:~# svcs -xv
root@st1:~# netstat -an

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.514                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                             0      0 49152      0 LISTEN      

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
3000a4dcd38 stream-ord 30022517c00 00000000 /var/run/.inetd.uds

Only syslog 514/UDP and SSH on 22/TCP remained. If you do not want to use SSH for connect to container and you will use only zlogin from global zone, you can safaly disable SSH.

Może Ci się również spodoba

Dodaj komentarz