... {section} {column:width=25%}
h5. [LDoms Community Cookbook]
h6. Contents
{pagetree:root=@parent|searchBox=true}
h6. In this Section ...
{toc:type=list|style=none|maxLevel=3} {column} {column:width=75%}
h1. Section Introduction
This section provides examples of procedures that affect the security of your Logical Domains Environment.
----
h1. Virtual Network Terminal Service Daemon (vntsd)
h2. Using ssh to connect to virtual consoles
h6. (Adapted from an email thread by Javier Conde)
While the current implementation of LDoms uses a telnet client to connect to the virtual network terminal server daemon (vntsd), and only connections to localhost are allowed by default, it is possible to execute the telnet command via an ssh "wrapper". This requires a local user to have permission to connect to the primary domain (or the service domain providing the vntsd). It may be achieved with the following command:
{panel:borderStyle=solid| borderColor=black|bgColor=#e6e6e6}
{{remote_host$ *ssh <user>@<remote service domain> telnet localhost <port>*}}
{panel}
*For example*
{panel:borderStyle=solid| borderColor=black|bgColor=#e6e6e6}
...
{{Connected to 0.}}
{{Escape character is '^\]'.}}\\
{{Connecting to console "bambam" in group "bambam" ....}}
{{Press \~? for control options ..}}
{{\{0\}ok}}
{panel}
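The ssh wrapper described above, written as a small shell helper that validates its arguments before they reach ssh. This is an added example, not part of the original cookbook or the email thread; the function names, the {{-t}} option and the sample host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the cookbook): validate the arguments before they
# reach ssh, because ssh hands the remote command string to the remote
# user's shell. Function names and the sample values are hypothetical.

# Succeeds only for a plain user name, a host name or IPv4 address, and a
# TCP port in 1-65535 without leading zeros. A leading "-" is refused so
# that nothing can be read as an ssh option, and any character outside the
# whitelists (shell metacharacters included) is rejected.
ldom_console_check() {
    [ "$#" -eq 3 ] || return 1
    case $1 in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case $2 in ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $3 in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$3" -le 65535 ]
}

# Print the command that would run (useful for review or logging).
ldom_console_cmd() {
    ldom_console_check "$@" || return 1
    printf 'ssh -t %s@%s telnet localhost %s\n' "$1" "$2" "$3"
}

# Open the console. -t asks ssh for a terminal so the telnet session is
# interactive; it is an addition to the command shown on the page.
ldom_console() {
    if ! ldom_console_check "$@"; then
        echo "usage: ldom_console <user> <service-domain> <port>" >&2
        return 2
    fi
    ssh -t "$1@$2" telnet localhost "$3"
}

# Run only when called with three arguments, e.g.
#   sh ldom_console.sh admin primary.example.com 5000   (constructed values)
if [ "$#" -eq 3 ]; then
    ldom_console "$@"
fi
```

{{ldom_console_cmd}} prints the command without connecting, so a wrapper script can log or review it first.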
----
h1. Solaris Minimization and LDoms
h6. (Adapted from an email thread by Alex Noordergraaf)
h2. LDoms is fully supported on minimized Solaris installations!
Just wanted to make sure everyone realized that LDoms, Solaris minimization, and supported could be used in the same sentence :-).
Just to be clear, LDoms fully supports minimization of all four types of domains (and has since v1.0.1):
1) Control domains
2) Root domains
3) Service domains
4) Guest domains
Version 4.2 of the Solaris Security Toolkit, which has been bundled with LDoms since its release, includes a JumpStart profile which is a recommended baseline for minimization of the control/root/service domains. Guest domains can be minimized just as any other Solaris instance. This profile (minimal-ldm_control.profile) contains the following required packages and clusters:
{panel:borderStyle=solid| borderColor=black|bgColor=#e6e6e6}
{{# Start with the minimal required number of packages, Core Distribution.}}
{{cluster SUNWCreq}}
{{# SUNWldomu should be in SUNWCreq, but isn't there for Solaris 10 11/06.}}
{{# SUNWldomr is in SUNWCreq and both SUNWldom* packages are in SUNWCldom.}}
{{# This has been fixed in NV58 (Sun Request ID 6484072).}}
{{cluster SUNWCldom add}}
{{# The Core software cluster does not include Secure Shell software, so}}
{{# it must be added here.}}
{{cluster SUNWCssh add}}
{{# Add SUNWgzip to support installation or upgrade of LDoms software.}}
{{# Not required for operation of LDoms after LDoms installation}}
{{# is complete.}}
{{package SUNWgzip add}}
{{# To support Process Accounting, used by enable-process-accounting.fin}}
{{cluster SUNWCacc add}}
{{# To support Basic Auditing and Reporting Tool (BART), used}}
{{# by enable-bart.fin}}
{{package SUNWbart add}}
{panel}
{column} {section}