I’ve been asked several times by my students:
1) “What is the advantage of an immutable zone?”
2) “How does the immutable zone compare to the sparse root zone in Solaris 10?”
3) “What’s the advantage of the four different types of read-only non-global zones in Solaris 11?”
Background Information: Solaris 10 Zones
In Solaris 10, a non-global zone’s root file system could be either whole root or sparse. The whole root zone provided the greatest configuration flexibility because all the required Solaris packages are copied to the zone’s private file system and the root file system is read-writable.
In Solaris 10, a sparse root zone shares parts of the root file system with the global zone. The sparse root zone implemented a read-only loopback file system from the global zone and installed only a subset of the system root packages locally. The majority of the root file system was shared (inherited) from the global zone, which saved a great deal of disk space. The sparse root file system provided a smaller footprint, requiring less disk space, and a read-only root file system that could not be modified. Although the read-only sparse root zone provided protection against unauthorized or accidental changes, the disadvantage was that it was difficult to make authorized modifications to the root file system. In addition, with advances in ZFS such as data deduplication, sparse root zones are no longer required; they have been discontinued and replaced with immutable zones.
Solaris 11 – Immutable Zones
Immutable zones are read-only zones, but still contain “whole root” file systems. The immutable zone can be configured as a completely read-only zone or it can be partially read-only. The immutable zone is controlled by a mandatory write access control (MWAC) kernel policy. This MWAC policy enforces the zone’s root file system write privilege through a zonecfg file-mac-profile property. The policy is enabled at zone boot.
By default, a zone’s file-mac-profile property is not set in a non-global zone, and the default policy for a non-global zone is a writable root file system. In a Solaris read-only zone, the file-mac-profile property is used to configure a read-only zone root, which restricts access to the run-time environment from inside the zone. Through the zonecfg utility, the file-mac-profile can be set to one of the following values.
file-mac-profile Values
none | Standard, read-write, non-global zone with no additional protection beyond the zone’s boundaries (equivalent to leaving the property unset).
strict | All file systems except /tmp are read-only; nothing can be changed, added or deleted, including the /root directory and the /export file system.
fixed-configuration | As strict, but files in and below /var can be created and modified, except in directories that contain configuration files (for example /var/pkg, /var/svc/manifest and /var/spool/cron).
flexible-configuration | As fixed-configuration, but also allows write access to files in /etc, /var and /root; /export remains read-only.
All of the profiles except none will cause the /var/pkg directory and its contents to be read-only from inside the zone.
I like to explain things by using examples. The following examples explain each immutable zone model by taking you through the creation of each of the four types of immutable zones.
Create a Simple Zone (read-writeable)
It’s not required, but I prefer to put my non-global zones on their own ZFS pool, so I create a storage pool named “zones” as follows:
root@solaris:~# zpool create zones c7t2d0
Now, let’s create a simple exclusive-IP zone with no restrictions:
root@solaris:~# zonecfg -z testzone
Use ‘create’ to begin configuring a new zone.
zonecfg:testzone> create
create: Using system default template ‘SYSdefault’
zonecfg:testzone> set zonepath=/zones/testzone
zonecfg:testzone> exit
Use the zonecfg info subcommand to view the zone configuration as follows:
root@solaris:~# zonecfg -z testzone info
zonename: testzone
zonepath: /zones/testzone
brand: solaris
autoboot: false
bootargs:
file-mac-profile:
pool:
…<output has been truncated>…
Notice that the file-mac-profile property is not set. Not setting the value of the file-mac-profile property is equivalent to setting the value to none. This value can be set to any of the four file-mac-profile values described in the previous table. The zone is a standard, read-write, non-global zone, with no additional protection beyond the existing zone’s boundaries.
Install the zone as follows:
root@solaris:~# zoneadm -z testzone install
Boot the zone and connect to the zone console as follows:
root@solaris:~# zoneadm -z testzone boot; zlogin -C testzone
You’ll be asked to answer the typical system configuration questions (network, time zone, user and root accounts, name services). After completing the system configuration tool, log into the zone console.
The following examples illustrate that the root file system is unrestricted for the root user. I’ll create the directory /usr/local:
root@testzone:~# mkdir /usr/local
No errors are displayed because /usr is writeable.
Set the Zone to Immutable: strict
The strict configuration profile provides the tightest security because all file systems, except /tmp, are read-only. This is stricter than the Oracle Solaris 10 sparse root zone. It’s equivalent to booting from the DVD, a read-only file system. Nothing can be changed, added or deleted in this zone, including the /root directory and the /export file system.
Shut the zone down and reconfigure it with a strict profile as follows:
root@solaris:~# zonecfg -z testzone set file-mac-profile=strict
Verify that the file-mac-profile property was set on the zone by typing:
root@solaris:~# zonecfg -z testzone info
zonename: testzone
zonepath: /zones/testzone
brand: solaris
autoboot: false
bootargs:
file-mac-profile: strict
pool:
limitpriv:
…<output has been truncated>…
You can also get a quick overview of the file-mac-profile property by typing:
root@solaris:~# zoneadm list -p
0:global:running:/::solaris:shared:-:none
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:strict
Notice that the global zone has a policy of none and the testzone has a strict policy. The R in the second to last field indicates that the non-global zone is Read-Only.
Boot the zone and log back into the testzone console as follows:
root@solaris:~# zoneadm -z testzone boot
Try to create a subdirectory in the /usr/local directory that you created earlier:
root@testzone:/usr/local# mkdir /usr/local/bin
mkdir: Failed to make directory "bin"; Read-only file system
The /usr file system is read-only. The strict profile allows no exceptions to the read-only policy. Everything in the root file system is read-only, including /var/tmp, the /root home directory, and /export, as illustrated in the following examples:
root@testzone:/# touch /var/adm/foo
touch: cannot create /var/adm/foo: Read-only file system
root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system
root@testzone:~# touch /root/foo
touch: cannot create /root/foo: Read-only file system
The only file system that is writeable is /tmp:
root@testzone:/# touch /tmp/foo
In a strict configuration, I can change a service state, but it is not persistent because the SMF repository is read-only as shown next:
# svcadm disable ssh
The SMF repository is changed in memory, but not on disk. Therefore, the service is disabled now, but the next time the system boots, this service will return to its default state. The change is not a persistent change.
When the immutable zone is in strict mode:
- IPS packages cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files are fixed (i.e., syslog.conf). Data can only be logged remotely, so syslog cannot write to the /var/adm/messages file.
However, you can always shut the zone down, change the file-mac-profile property back to none, then install or update packages and modify services. When finished, set the zone back to a strict policy. But there is an even easier method: boot the zone using the -w (write) option as follows:
# zoneadm -z testzone boot -w
As the zone boots, the following message is displayed in the testzone console:
[NOTICE: Read-only zone booting up read-write]
From the global zone, view the testzone properties as follows:
root@solaris:~# zoneadm -z testzone list -p
6:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:W:strict
Notice the W (write) in the second to last field.
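An audit check for the R/W field described above, added here as an example and not taken from the original post or from Oracle: it parses zoneadm list -p lines and reports every running zone that has a file-mac-profile set but is currently in W mode, which is the state a zone is left in after boot -w. The sample input is constructed, modeled on the lines shown in this post; the webzone and devzone entries and their UUIDs are made up.

```shell
#!/bin/sh
# Added example (not from the original post): find immutable zones that are
# currently booted read-write. zoneadm list -p prints colon-separated fields:
#   id:name:state:zonepath:uuid:brand:ip-type:rw-mode:file-mac-profile
# where field 8 is R (read-only), W (booted with -w) or - (not running).

# Constructed sample, modeled on the zoneadm output shown in the post.
# The webzone and devzone lines (and their UUIDs) are made up.
SAMPLE_ZONEADM='0:global:running:/::solaris:shared:-:none
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:W:strict
3:webzone:running:/zones/webzone:00000000-0000-0000-0000-000000000000:solaris:excl:R:fixed-configuration
4:devzone:installed:/zones/devzone:00000000-0000-0000-0000-000000000001:solaris:excl:-:none'

# flag_rw_immutable: read zoneadm -p lines on stdin and print "zone profile" for
# every running zone whose file-mac-profile is set but whose mode is W.
flag_rw_immutable() {
    awk -F: '$3 == "running" && $8 == "W" && $9 != "" && $9 != "none" { print $2, $9 }'
}

# zone_mode_summary: one line per zone with name, state, mode and profile, so
# the output can be kept as an audit record.
zone_mode_summary() {
    awk -F: '{ printf "%-12s %-9s mode=%s profile=%s\n", $2, $3, $8, ($9 == "" ? "none" : $9) }'
}

# Usage against the constructed sample; on a real host pipe `zoneadm list -p`
# into the functions instead.
printf '%s\n' "$SAMPLE_ZONEADM" | zone_mode_summary
printf '%s\n' "$SAMPLE_ZONEADM" | flag_rw_immutable
```

Run from the global zone as `zoneadm list -p | flag_rw_immutable`; any zone it names is an immutable zone that will accept persistent changes until it is rebooted without -w, so an empty result is the expected steady state.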
Log into the zone and make the required changes. In the example, I log into the zone and create a new directory in /usr/local and disable the ssh service as follows:
root@testzone:~# mkdir /usr/local/bin
root@testzone:~# svcadm disable ssh
Because the zone is in a writeable state, the service changes were saved in the repository (on disk) and will be persistent across reboots.
Set the Zone to Immutable: fixed-configuration
A fixed-configuration zone provides more flexibility than the strict profile and allows log files to be created and modified in /var. A non-global zone is given a fixed configuration by setting the file-mac-profile and booting the zone as follows:
root@solaris:~# zonecfg -z testzone set file-mac-profile=fixed-configuration
root@solaris:~# zoneadm -z testzone boot
A fixed-configuration profile allows the zone to write to files in and below /var, except in the following directories, which contain configuration files:
- /var/ld
- /var/lib/postrun
- /var/pkg
- /var/spool/cron
- /var/spool/postrun
- /var/svc/manifest
- /var/svc/profiles
When the zone is booted, view the zone properties as follows:
root@solaris:~# zoneadm -z testzone list -p
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:fixed-configuration
As before, the global zone’s policy is none; testzone now has a fixed-configuration policy. The R in the second to last field indicates that the non-global zone is Read-Only.
Log into the zone console; the following examples show that the root file system is still read-only while some of the directories in /var are writeable. For example, /var/tmp and /tmp are writeable:
root@testzone:~# touch /var/tmp/foo
root@testzone:~# touch /tmp/foo
The /var directories that contain configuration files are still read-only, as shown when I try to create a file in /var/spool/cron/crontabs:
The /export and the /root home directories are also read-only as shown:
root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system
root@testzone:~# touch /root/foo
touch: cannot create /root/foo: Read-only file system
Set the Zone to Immutable: flexible-configuration
The flexible-configuration profile provides the closest functionality to the Oracle Solaris 10 sparse root zone. The flexible configuration is equal to the fixed configuration, but it also allows write access to files in the /etc, /var and /root home directories.
Set the flexible-configuration on testzone and boot the zone as follows:
root@solaris:~# zonecfg -z testzone set file-mac-profile=flexible-configuration
root@solaris:~# zoneadm -z testzone boot
List the properties for testzone as follows:
root@solaris:~# zoneadm -z testzone list -p
3:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:flexible-configuration
Verify write access to the /etc, /var and /root directories as follows:
root@testzone:~# touch /etc/hosts
root@testzone:~# touch /etc/foo
root@testzone:/# touch /root/foo
The /export file system is still read-only:
root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system
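A compact way to check that a zone behaves as its profile promises, covering the strict, fixed-configuration and flexible-configuration sections above. This is an added example, not code from the original post or from Oracle: mac_profile_allows encodes the write rules described in those sections (strict: only /tmp; fixed-configuration: /var minus the listed configuration directories; flexible-configuration: additionally /etc and /root; none: everything), and audit_writes probes a list of paths with touch and reports any result that disagrees with the model. The probe paths, the optional root-prefix argument (which points the probes at a scratch directory instead of /) and the helper names are my assumptions; the model also goes slightly beyond the post’s own examples by treating any path below a listed configuration directory as read-only.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): a model of the
# write rules each file-mac-profile enforces, plus a probe that compares a
# zone's actual behaviour with the model.

# Directories under /var that stay read-only under fixed-configuration and
# flexible-configuration (the list given in the post).
VAR_RO_DIRS="/var/ld /var/lib/postrun /var/pkg /var/spool/cron /var/spool/postrun /var/svc/manifest /var/svc/profiles"

# Constructed probe paths (my choice), one per area the post discusses.
PROBES="/tmp/foo /var/tmp/foo /var/adm/foo /var/spool/cron/crontabs/foo /var/pkg/foo /etc/foo /root/foo /export/foo /usr/local/foo"

# starts_with PATH PREFIX: true if PATH is PREFIX or lies below it.
starts_with() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# mac_profile_allows PROFILE PATH: exit 0 if the profile is expected to let a
# write to PATH succeed, 1 if it should be refused, 2 for an unknown profile.
mac_profile_allows() {
    profile=$1
    path=$2
    [ "$profile" = none ] && return 0
    starts_with "$path" /tmp && return 0          # /tmp is writable under every profile
    case "$profile" in
        strict)
            return 1 ;;                            # nothing else is writable
        fixed-configuration|flexible-configuration)
            for d in $VAR_RO_DIRS; do              # configuration directories under /var stay read-only
                starts_with "$path" "$d" && return 1
            done
            starts_with "$path" /var && return 0
            if [ "$profile" = flexible-configuration ]; then
                starts_with "$path" /etc && return 0
                starts_with "$path" /root && return 0
            fi
            return 1 ;;                            # /export, /usr and the rest remain read-only
        *)
            echo "unknown file-mac-profile: $profile" >&2
            return 2 ;;
    esac
}

# audit_writes PROFILE [ROOT]: try to create each probe file (under ROOT, if
# given) and report any result that disagrees with the model. The exit status
# is the number of mismatches, so the function can drive a script.
audit_writes() {
    mismatches=0
    for p in $PROBES; do
        target="$2$p"
        if touch "$target" 2>/dev/null; then got=writable; rm -f "$target"; else got=read-only; fi
        if mac_profile_allows "$1" "$p"; then want=writable; else want=read-only; fi
        if [ "$got" = "$want" ]; then
            echo "ok       $1 $p is $got"
        else
            echo "MISMATCH $1 $p expected $want, got $got"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# make_scratch_root DIR: create the parent directories of the probe paths under
# DIR, so the audit can be exercised on an ordinary (fully writable) file system.
make_scratch_root() {
    for p in $PROBES; do
        mkdir -p "$1$(dirname "$p")"
    done
}

# Demonstration on a scratch directory: every write succeeds there, so the
# audit reports a mismatch for each path the profile should have refused.
scratch=$(mktemp -d)
make_scratch_root "$scratch"
audit_writes none "$scratch"
audit_writes strict "$scratch" || echo "strict: $? mismatch(es) on a writable tree, as expected"
rm -rf "$scratch"
```

Inside a zone, run `audit_writes strict` (or the profile the zone is configured with) with no root argument to probe the real file systems; a MISMATCH line then means either the profile is not the one you think it is or the zone was booted with -w.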
Summary
I’ve provided an explanation and given a few examples of immutable zones for Solaris 11. Send me a comment below if there is anything I can help clear up for you.
Dear Sir
I am wondering how to update OS patches in immutable zones in Solaris 11. What I presume is that updating the global zone OS patch can update the zone OS patch. Is that right?
Regards
Mayank Saxena