Configuring Zones on Solaris 11.3

Introduction

My first acquaintance with container virtualization was with jail on FreeBSD, this approach allows you to isolate various services in a secure environment. The disadvantage of jail is that it is not possible to create its own network subsystem, in contrast to Zones Solaris. This publication will consider the creation of a zone with its own network subsystem, as well as without it.

Firewall

As a “firewall”, the packet filter from OpenBSD will be used. Using packet filter, nat will be implemented from the zone with its own network subsystem, as well as restrictions of the global zone network. To install the packet filter and run, run the following commands:

pkg install firewall svcadm enable firewall 

Next, open the file with the future rules:

 nano /etc/firewall/pf.conf 

Add the following lines to the nano editor:
')

 table <good> {192.168.1.105,192.168.1.106} table <nat> {192.168.0.0/24} pass quick on lo0 from any to any no state pass quick on vnic0 from any to any pass out quick on net0 from <nat> to any nat-to (net0) pass in quick on net0 proto tcp from any to 192.168.1.105 port 80 rdr-to 192.168.0.2 pass in quick on net0 proto tcp from any to <good> port=22 flags S/SA modulate state pass out quick on net0 proto tcp from <good> to any port {80,443,21,53} flags S/SA modulate state pass out quick on net0 proto udp from <good> to any port=53 keep state pass out quick on net0 proto icmp from <good> to any block from any to any fragment block from any to any block all 

Specify which file to use in the packet filter:

 pfctl -f /etc/firewall/pf.conf 

In this rule file there are two tables with a list of ip addresses:

 table <good> {192.168.1.105,192.168.1.106} table <nat> {192.168.0.0/24} 

The good table lists the ip addresses of the global zone and the zone that does not have its own network subsystem; if you plan to use several such zones, specify a list of ip addresses separated by commas. Outgoing traffic will be allowed to ip addresses, and it will be possible to connect via ssh. If you plan to organize, for example, a web server in the global zone, or in a zone without a network subsystem, in this case you need to add the following line:

 pass in quick on net0 proto tcp from any to 192.168.1.106 port=80 flags S/SA modulate state 

Or a group of ports:

 pass in quick on net0 proto tcp from any to 192.168.1.106 port {80, 443, 21,22} flags S/SA modulate state 

In such cases, it is possible to connect using http, https, ftp, ssh.

The nat table shows a subnet zone with its own network subsystem; if you plan several such networks, specify them separated by commas. In the line below, “nate” through net0 all subnets from the nat table.

 pass out quick on net0 from <nat> to any nat-to (net0) 

The zone with its own network subsystem can be used as a DMZ , but for this it is necessary to forward the necessary ports, the next line forwards the web server port 80 to the zone, ie all calls to ip 192.168.1.105 (global zone) will be redirected to ip 192.168.0.2:

 pass in quick on net0 proto tcp from any to 192.168.1.105 port 80 rdr-to 192.168.0.2 

You also need to pay attention to the line:

 pass quick on vnic0 from any to any 

This line allows any traffic on the virtual interface vnic0, this interface will act as a gateway. The ip address of this interface is 192.168.0.1, this interface will be active in the global zone, so you need to specify it in the rules file. If several gateways are planned for different subnets, in this case you need to add a similar line with the name of the virtual interface. For example, if you are planning another subnet 192.168.2.0/24 and assigned the adapter vnic5 ip (how it will be written in the next chapter) address 192.168.2.1, then the line will look like this:

 pass quick on vnic5 from any to any 

Virtual interfaces that are created for a non-global zone do not need to be specified.

Zone creation

This chapter can be started with the creation of virtual interfaces, and it is also necessary to allow packets to go between the interfaces net0 and vnic0:

 dladm create-vnic -l net0 vnic0 dladm create-vnic -l net0 vnic1 ipadm set-ifprop -p forwarding=on -m ipv4 net0 ipadm set-ifprop -p forwarding=on -m ipv4 vnic0 

After creation, it is necessary to create an ip address for vnic0:

 ipadm create-ip vnic0 ipadm create-addr -T static -a 192.168.0.1/24 vnic0/v4 

This completes the virtual interfaces, unless of course you need to create several more subnets.

The next step is to create a zfs pool for storing zones, create a pool from an image file:

 mkfile 10g /disk 

This command will create a file of 10 gigabytes in size (you must specify the size you need), create a pool with the command:

 zpool create zones /disk 

Create two partitions for future zones and assign each quota of 5 gigabytes:

 zfs create zones/zone1 zfs create zones/zone2 zfs set quota=5g zones/zone1 zfs set quota=5g zones/zone2 

At the time of this writing, the version of Solaris 11.4 was a beta version, this version adds the ability to restrict (not applicable to version 11.3) the reading and writing to the zfs section:

 zfs set writelimit=50mb zones/zone1 zfs set readlimit=50mb zones/zone2 

Let us proceed directly to the creation of the zone, initially create a zone without its own network subsystem, enter the command:

 zonecfg -z zone1 

After you create the main parameters with the create command, the next step is to remove the anet parameter (contains the network name, mac address, mtu, and so on):

 remove anet 

Next, we specify the path for the future zone, set the autorun zone and the type of ip address:

 set zonepath=/zones/zone1 set autoboot=true set ip-type=shared 

Next, you need to create a network for the zone:

 add net 

The next step is to specify the physical interface and ip address for the zone, and exit the network settings (end):

 set physical=net0 set address=192.168.1.106/24 end 

Save the changes and exit zonecfg with the commands:

 commit exit 

Setting the zone occurs after the execution of the command:

  zoneadm -z zone1 install 

If the speed of access to the Internet is large enough, then the whole process will take no more than 5 minutes. After the zone is installed, you need to start it and perform the initial configuration (hostname, dns, domen search, root password, create an account), the configuration is the same as during the installation of the system. Execute the following commands sequentially (for starting the zone and initial setup):

 zoneadm -z zone1 boot zlogin -C zone1 

Wait until the "setup wizard" appears. In the future, it is possible to connect to the zone with the command:

 zlogin zone1 

This completes the setup and installation of the zone. Setting up a zone with its own network subsystem is not much different from creating a normal zone, you only need to specify the type of ip address, specify the virtual adapter vnic1 (for which the ip address was not created) as the physical interface, and also not create the ip address for the zone network, ip address will be created when you first connect to the zone (zlogin -C zone2). In order for everything to work correctly, according to this publication, you must specify the ip address 192.168.0.2.

 zonecfg -z zone2 create remove anet set zonepath=/zones/zone2 set autoboot=true set ip-type=exclusive add net set physical=vnic1 end commit exit zoneadm -z zone2 install zoneadm -z zone2 boot zlogin -C zone2 

After the initial configuration is complete, install apache, nano and packet filter, and run apache and packet filter

 pkg install apache-24 pkg install firewall pkg install nano svcadm enable apache24 svcadm enable firewall 

Edit pf.conf:

 nano /etc/firewall/pf.conf 

In nano, add the lines:

 ip=192.168.0.2 pass in quick on vnic1 proto tcp from any to $ip port 80 flags S/SA modulate state pass out quick on vnic1 proto tcp from $ip to any port {80,443,21,53} flags S/SA modulate state pass out quick on vnic1 proto udp from $ip to any port=53 keep state pass out quick on vnic1 proto icmp from $ip to any block from any to any fragment block from any to any block all 

Specify which file to use in the packet filter:

 pfctl -f /etc/firewall/pf.conf 

In this example, the $ ip variable is used, if you specified a different ip address, then it is enough to change the first line to the correct address.

Additionally

The final chapter discusses zone restrictions, folder mounting, and extended zone powers. Suppose you need to mount a directory from the global zone, to do this, select the required zone:

 zonecfg -z zone1 

Next, add the file system:

 add fs 

Specify the directory in the global zone (for example, the / test directory):

 set special=/test 

Specify where to mount it:

 set dir=/usr/test 

The file system type is loopback:

 set type=lofs 

We set the rights to the read-only directory (if necessary, specify rw for writing, or do not add this parameter at all):

 add options [ro,nodevices] 

Exit the file system settings and save the changes:

 end commit exit 

You can also mount the zfs partition:

 add dataset set name=rpool/export/home end commit 

Restart the zone:

 zoneadm -z zone1 reboot 

Now let's limit the RAM, swap and CPU usage, select the necessary zone:

 zonecfg -z zone1 

Add memory limits:

 add capped-memory 

Let's limit the RAM to 1 gigabyte, and swap to 500 megabytes:

 set physical=1024m set swap=500m end commit 

We limit the use of each processor core to 30 percent:

 add capped-cpu set ncpus=.30 end commit 

The final touch, add the default privilege zone, a list of all privileges can be viewed by running the command:

 ppriv -l -v 

You can familiarize yourself with the privileges that are used by default (and which can be added if necessary) in this guide . You can add privileges with the following command (from zonecfg):

 set limitpriv="default,sys_time" 

As indicated in this guide , this line will set the privileges by default, and also allow you to change the system time from a non-global zone. In my opinion, it is better for the zone not to add additional privileges, since a zone with a small amount of privileges is more limited in functionality, and therefore more protected.

Conclusion

As can be seen from this publication, the zones are quite simple to configure, but at the same time they provide a high level of protection (especially zones with their own network subsystem) in conjunction with the packet filter configured for the policy “everything is not allowed is not allowed”. Setup and deployment takes a minimum of effort in time.

List of sources that helped me write this publication.

Zones

Packet filter