04.02 Configuration of container st1
After installation and initial configuration of the st1 container you need to look at the running services and disable those that are not necessary. But first I will set up a more comfortable working environment: I will change the default shell of the root user to zsh and move its home directory. I will use GNU sed for this purpose. Remember that the /usr/local directory is inherited from the global zone in read-only mode.
root@feniks:~# cp /etc/zshrc /zones/st1/root/etc
root@feniks:~# zlogin st1
[Connected to zone 'st1' pts/4]
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# /usr/local/bin/gsed -i "/^root:/ s/:\/:\/sbin\/sh/:\/root:\/bin\/zsh/" /etc/passwd
# echo "PATH=/usr/local/apache/bin:/usr/local/bin:$PATH" >> /etc/zshrc
# echo "export PATH" >> /etc/zshrc
# mv /.sunw /root
# exit
On next login /bin/zsh is called and it reads /etc/zshrc, which I copied from the global zone. There I set PATH and so on. Zsh is only an example of course; you can use bash or another shell if you like.
root@feniks:~# zlogin st1
[Connected to zone 'st1' pts/4]
Last login: Thu Aug 12 13:40:01 on pts/4
root@st1:~# mv /.histfile /root
root@st1:~# netstat -an
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- ----------
*.111 Idle
*.* Unbound
*.46901 Idle
*.* Unbound
*.* Unbound
*.46902 Idle
*.4045 Idle
*.6481 Idle
*.46922 Idle
*.46923 Idle
*.46925 Idle
*.514 Idle
UDP: IPv6
Local Address Remote Address State If
--------------------------------- --------------------------------- ---------- -----
*.6481 Idle
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -----------
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE
*.43667 *.* 0 0 49152 0 LISTEN
*.43668 *.* 0 0 49152 0 LISTEN
*.4045 *.* 0 0 49152 0 LISTEN
*.5987 *.* 0 0 49152 0 LISTEN
*.514 *.* 0 0 49152 0 LISTEN
*.6481 *.* 0 0 49152 0 LISTEN
*.513 *.* 0 0 49152 0 LISTEN
*.43669 *.* 0 0 49152 0 LISTEN
*.79 *.* 0 0 49152 0 LISTEN
*.22 *.* 0 0 49152 0 LISTEN
*.23 *.* 0 0 49152 0 LISTEN
*.43712 *.* 0 0 49152 0 BOUND
127.0.0.1.6788 *.* 0 0 49152 0 LISTEN
127.0.0.1.6789 *.* 0 0 49152 0 LISTEN
127.0.0.1.43706 *.* 0 0 49152 0 LISTEN
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
*.514 *.* 0 0 49152 0 LISTEN
*.513 *.* 0 0 49152 0 LISTEN
*.79 *.* 0 0 49152 0 LISTEN
*.22 *.* 0 0 49152 0 LISTEN
*.23 *.* 0 0 49152 0 LISTEN
Active UNIX domain sockets
Address Type Vnode Conn Local Addr Remote Addr
60039b36758 stream-ord 30077930300 00000000 /var/run/.inetd.uds
There are a lot of open ports, which is not good for security. Why is telnet open; who uses that nowadays? If you initially configure the system with a sysidcfg file, you can choose the limited_net profile, which constrains the running services, but if your system is configured "by hand" then you will see something similar to the above. You can disable services one by one with the svcadm command, because they are managed by another Solaris 10 innovation named the Service Management Facility (SMF).
root@st1:~# svcs
STATE STIME FMRI
legacy_run 15:41:36 lrc:/etc/rc2_d/S20sysetup
legacy_run 15:41:36 lrc:/etc/rc2_d/S72autoinstall
legacy_run 15:41:36 lrc:/etc/rc2_d/S73cachefs_daemon
legacy_run 15:41:36 lrc:/etc/rc2_d/S89PRESERVE
legacy_run 15:41:36 lrc:/etc/rc2_d/S98deallocate
legacy_run 15:41:36 lrc:/etc/rc3_d/S16boot_server
disabled 15:41:35 svc:/system/filesystem/volfs:default
online 15:41:31 svc:/system/svc/restarter:default
online 15:41:31 svc:/system/filesystem/root:default
online 15:41:31 svc:/network/loopback:default
online 15:41:32 svc:/network/pfil:default
online 15:41:32 svc:/system/boot-archive:default
online 15:41:32 svc:/system/installupdates:default
online 15:41:32 svc:/network/physical:default
online 15:41:32 svc:/system/filesystem/usr:default
online 15:41:33 svc:/system/identity:node
online 15:41:33 svc:/system/keymap:default
online 15:41:33 svc:/system/device/local:default
online 15:41:33 svc:/milestone/devices:default
online 15:41:33 svc:/system/filesystem/minimal:default
online 15:41:33 svc:/system/cluster/cl_boot_check:default
online 15:41:33 svc:/system/name-service-cache:default
online 15:41:33 svc:/system/rmtmpfiles:default
online 15:41:33 svc:/system/cryptosvc:default
online 15:41:33 svc:/system/identity:domain
online 15:41:33 svc:/network/ipsec/ipsecalgs:default
online 15:41:33 svc:/system/pkgserv:default
online 15:41:33 svc:/network/ipsec/policy:default
online 15:41:33 svc:/system/manifest-import:default
online 15:41:33 svc:/system/coreadm:default
online 15:41:33 svc:/system/patchchk:default
online 15:41:33 svc:/milestone/network:default
online 15:41:33 svc:/milestone/single-user:default
online 15:41:33 svc:/network/initial:default
online 15:41:33 svc:/network/routing-setup:default
online 15:41:33 svc:/system/filesystem/local:default
online 15:41:33 svc:/network/service:default
online 15:41:33 svc:/network/shares/group:default
online 15:41:34 svc:/network/dns/client:default
online 15:41:34 svc:/system/sysidtool:net
online 15:41:34 svc:/system/boot-archive-update:default
online 15:41:34 svc:/milestone/name-services:default
online 15:41:34 svc:/network/rpc/bind:default
online 15:41:34 svc:/system/cron:default
online 15:41:34 svc:/network/nfs/mapid:default
online 15:41:34 svc:/network/nfs/cbd:default
online 15:41:34 svc:/system/sysidtool:system
online 15:41:34 svc:/network/nfs/status:default
online 15:41:34 svc:/milestone/sysconfig:default
online 15:41:34 svc:/network/nfs/nlockmgr:default
online 15:41:34 svc:/application/stosreg:default
online 15:41:34 svc:/system/sac:default
online 15:41:34 svc:/network/inetd:default
online 15:41:34 svc:/application/management/wbem:default
online 15:41:34 svc:/system/utmp:default
online 15:41:35 svc:/network/rpc/gss:default
online 15:41:35 svc:/network/security/ktkt_warn:default
online 15:41:35 svc:/network/shell:default
online 15:41:35 svc:/network/stlisten:default
online 15:41:35 svc:/network/stdiscover:default
online 15:41:35 svc:/network/nfs/client:default
online 15:41:35 svc:/network/login:rlogin
online 15:41:35 svc:/network/rpc/rusers:default
online 15:41:35 svc:/network/rpc/rstat:default
online 15:41:35 svc:/system/filesystem/autofs:default
online 15:41:35 svc:/network/rpc/smserver:default
online 15:41:35 svc:/network/nfs/rquota:default
online 15:41:35 svc:/network/finger:default
online 15:41:35 svc:/network/ssh:default
online 15:41:35 svc:/system/system-log:default
online 15:41:35 svc:/network/telnet:default
online 15:41:35 svc:/network/rpc-100235_1/rpc_ticotsord:default
online 15:41:36 svc:/milestone/multi-user:default
online 15:41:36 svc:/milestone/multi-user-server:default
online 15:41:47 svc:/system/webconsole:console
online 15:50:44 svc:/system/console-login:default
There is a lot of that, and you probably do not know what you can safely disable. RPC processes? Finger, Telnet? What else? I suggest that we apply the limited_net profile for a start and then check what was done:
root@st1:~# svccfg apply /var/svc/profile/generic_limited_net.xml
root@st1:~# netstat -an
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- ----------
*.111 Idle
*.* Unbound
*.46901 Idle
*.514 Idle
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -----------
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE
*.5987 *.* 0 0 49152 0 LISTEN
*.22 *.* 0 0 49152 0 LISTEN
*.43712 *.* 0 0 49152 0 BOUND
127.0.0.1.6788 *.* 0 0 49152 0 LISTEN
127.0.0.1.6789 *.* 0 0 49152 0 LISTEN
127.0.0.1.43706 *.* 0 0 49152 0 LISTEN
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
*.22 *.* 0 0 49152 0 LISTEN
Active UNIX domain sockets
Address Type Vnode Conn Local Addr Remote Addr
60039b36758 stream-ord 30077930300 00000000 /var/run/.inetd.uds
Now it is better, but we can also disable all rpc/*, autofs and volfs if they are not used:
root@st1:~# svcs|grep rpc
online 14:39:51 svc:/network/rpc/bind:default
online 14:39:52 svc:/network/rpc/gss:default
online 14:39:52 svc:/network/rpc/smserver:default
online 14:39:52 svc:/network/rpc-100235_1/rpc_ticotsord:default
root@st1:~# svcs|gawk '/rpc/ { print $3 }'|xargs svcadm disable
root@st1:~# svcs|grep rpc
root@st1:~# svcs -xv
svc:/network/rpc/bind:default (RPC bindings)
State: disabled since Thu Aug 12 14:46:32 2010
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M rpcbind
See: /var/svc/log/network-rpc-bind:default.log
Impact: 1 dependent service is not running:
svc:/system/filesystem/autofs:default
root@st1:~# svcadm disable autofs
root@st1:~# svcadm disable volfs
root@st1:~# svcs -xv
From my experience I can tell you that you should now reboot the container (not the system) and check the services after login.
root@st1:~# reboot
[Connection to zone 'st1' pts/4 closed]
root@feniks:~# zlogin st1
[Connected to zone 'st1' pts/4]
Last login: Thu Aug 12 14:47:55 on pts/4
root@st1:~# svcs -xv
svc:/network/security/ktkt_warn:default (Kerberos V5 warning messages daemon)
State: maintenance since Thu Aug 12 14:47:56 2010
Reason: Restarter svc:/network/inetd:default gave no explanation.
See: http://sun.com/msg/SMF-8000-9C
See: man -M /usr/share/man -s 1M ktkt_warnd
Impact: This service is not running.
root@st1:~# netstat -an
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- ----------
*.514 Idle
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -----------
*.5987 *.* 0 0 49152 0 LISTEN
*.22 *.* 0 0 49152 0 LISTEN
*.40180 *.* 0 0 49152 0 BOUND
127.0.0.1.6788 *.* 0 0 49152 0 LISTEN
127.0.0.1.6789 *.* 0 0 49152 0 LISTEN
127.0.0.1.40174 *.* 0 0 49152 0 LISTEN
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
*.22 *.* 0 0 49152 0 LISTEN
Active UNIX domain sockets
Address Type Vnode Conn Local Addr Remote Addr
30040ed8bd0 stream-ord 300397d2380 00000000 /var/run/.inetd.uds
If you will not use the webconsole for management, you can disable those services too, along with the Kerberos warning daemon.
root@st1:~# svcadm disable wbem webconsole
root@st1:~# svcadm disable ktkt_warn
root@st1:~# svcs -xv
root@st1:~# netstat -an
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- ----------
*.514 Idle
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -----------
*.22 *.* 0 0 49152 0 LISTEN
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
*.22 *.* 0 0 49152 0 LISTEN
Active UNIX domain sockets
Address Type Vnode Conn Local Addr Remote Addr
3000a4dcd38 stream-ord 30022517c00 00000000 /var/run/.inetd.uds
Only syslog on 514/UDP and SSH on 22/TCP remain. If you do not want to use SSH to connect to the container and you will use only zlogin from the global zone, you can safely disable SSH.
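The port and service checks above are done by eye after each round of disabling. As an added example that is not part of the original post, the following POSIX sh script wraps them in two functions: audit_ports parses the Solaris netstat -an layout and reports every listening TCP or idle UDP port that is missing from an allowlist, and select_fmris replaces the gawk/xargs one-liner with a dry-run listing of the online FMRIs that match a pattern. The netstat and svcs samples embedded below are constructed from the listings in this post; the function names and the PROTO/PORT allowlist format are my own choice.

```shell
#!/bin/sh
# Added example, not code from the original post: audit helpers for the
# checks done by hand above. Both functions read the command output on
# stdin so they can be fed either the constructed samples below or the
# live output of "netstat -an" / "svcs" inside the zone.

# Allowlist: PROTO/PORT pairs separated by spaces, e.g. "TCP/22 UDP/514".
# Prints "PROTO/PORT localaddress" for every port not on the list.
audit_ports() {
    awk -v allow="$1" '
        # section headers such as "TCP: IPv4" or "UDP: IPv6" set the protocol
        /^(TCP|UDP):/ { proto = $1; sub(":", "", proto); next }
        # data rows carry address.port in the first column; skip the wildcard
        $1 ~ /\./ && $1 != "*.*" {
            state = $NF
            if (state != "LISTEN" && state != "Idle") next
            port = $1; sub(/.*\./, "", port)
            key = proto "/" port
            if (seen[key]++) next          # IPv4 and IPv6 rows share a port
            n = split(allow, ok, " ")
            for (i = 1; i <= n; i++) if (ok[i] == key) next
            print key, $1
        }'
}

# $1 is an awk regular expression matched against the FMRI column of svcs.
# Only online instances are printed, so the list is safe to review before
# piping it to "svcadm disable".
select_fmris() {
    awk -v pat="$1" '$1 == "online" && $3 ~ pat { print $3 }'
}

# Constructed sample in the layout of the pre-hardening listing above.
SAMPLE_NETSTAT_BEFORE='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                               Idle
      *.*                                 Unbound
      *.514                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.111                *.*                0      0 49152      0 LISTEN
      *.*                  *.*                0      0 49152      0 IDLE
      *.22                 *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN
127.0.0.1.6788             *.*                0      0 49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                            0      0 49152      0 LISTEN

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
60039b36758 stream-ord 30077930300 00000000 /var/run/.inetd.uds'

# Constructed sample in the layout of the final listing (syslog and SSH only).
SAMPLE_NETSTAT_AFTER='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.514                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN'

# Constructed sample of "svcs" output, trimmed from the listing above.
SAMPLE_SVCS='STATE          STIME    FMRI
legacy_run     15:41:36 lrc:/etc/rc2_d/S20sysetup
online         15:41:34 svc:/network/rpc/bind:default
online         15:41:35 svc:/network/rpc/gss:default
disabled       15:41:35 svc:/system/filesystem/volfs:default
online         15:41:35 svc:/network/rpc-100235_1/rpc_ticotsord:default
online         15:41:35 svc:/network/ssh:default'

echo "Ports outside the allowlist in the constructed pre-hardening listing:"
printf '%s\n' "$SAMPLE_NETSTAT_BEFORE" | audit_ports "TCP/22 UDP/514"
echo "Online RPC services in the constructed svcs listing:"
printf '%s\n' "$SAMPLE_SVCS" | select_fmris '/rpc'
```

Inside the zone the same functions run against live output: `netstat -an | audit_ports "TCP/22 UDP/514"` should print nothing once the hardening is finished, and `svcs | select_fmris '/rpc'` shows exactly what `svcs | select_fmris '/rpc' | xargs svcadm disable` would switch off, so the list can be reviewed before anything is disabled. Matching on the FMRI column only (rather than the whole line, as the gawk one-liner does) avoids accidentally picking up a service because its STIME happened to contain the pattern.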