Section 4 - Security

LDoms Community Cookbook
Contents
In this Section ...

Section Introduction

This section provides examples of procedures that affect the security of your Logical Domains Environment.

Virtual Network Terminal Service Daemon (vntsd)

Using ssh to connect to virtual consoles

(Adapted from and email thread by Javier Conde)

While the current implementation of LDoms utilizes a telnet client to connect to the virtual network terminal server daemon (vntsd), and only connections to localhost area allowed by default, it is possible to execute the telnet command via an ssh "wrapper". This requires a local user to have permissions to connect to the primary (or service domain providing the vntsd). It may be achieved with the following command:

remote_host# remote_host$ ssh <user>@<remote service domain> telnet <port>

For example

  • To connect from machine fred to the console service on control domain barney as user dino using port 5001 which connects to domain bambam, the following would be the command:

    fred$ ssh -t dino@barney telnet 0 5001
    Password: xxxxxxxx
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    Connecting to console "bambam" in group "bambam" ....
    Press ~? for control options ..
    {0}ok

Solaris Minimization and LDoms

(Adapted from an email thread by Alex Noordergraaf)

LDoms is fully supported on minimized Solaris installations!

Just wanted to make sure everyone realized that LDoms, Solaris minimization, and supported could be used in the same sentence .

Just to be clear LDoms fully supports minimization of all four types of domains (and has since v1.0.1):

1) Control domains
2) Root domains
3) Service domains
4) Guest domains

Version 4.2 of the Solaris Security Toolkit, which has been bundled with LDoms since its release, includes a JumpStart profile which is a recommended baseline for minimization of the control/root/service domains. Guest domains can be minimized just as any other Solaris instance. This profile (minimal-ldm_control.profile) contains the following required packags and clusters:

# Start with the minimal required number of packages, Core Distribution.
cluster SUNWCreq
# SUNWldomu should be in SUNWCreq, but isn't there for Solaris 10 11/06.
# SUNWldomr is in SUNWCreq and both SUNWldom* packages are in SUNWCldom.
# This has been fixed in NV58 (Sun Request ID 6484072).
cluster SUNWCldom add
# The Core software cluster does not include Secure Shell software, so
# it must be added here.
cluster SUNWCssh add
# Add SUNWgzip to support installation or upgrade of LDoms software.
# Not required for operation of LDoms after LDoms installation
# is complete.
package SUNWgzip add
# To support Process Accounting, used by enable-process-accounting.fin
cluster SUNWCacc add
# To support Basic Auditing and Reporting Tool (BART), used
# by enable-bart.fin
package SUNWbart add

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Comments (1)

 

  1. Feb 26, 2009

    meierch says:

    to connect by ssh to the console you need to allocate a tty, otherwise you will ...

    to connect by ssh to the console you need to allocate a tty, otherwise you will have trouble with Ctrl-C and the display.

    ssh -t dino@barney telnet 0 5001

Sign up or Log in to add a comment or watch this page.


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.
Powered by Atlassian Confluence Sun Guidelines on Public Discourse Privacy Policy Terms of Use Trademarks Site Map Employment Investor Relations Contact