
Technical Notes

Reflection for Secure IT and Support for Solaris Zones
Technical Note 2254
Last Reviewed 09-Nov-2012
Applies To
Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
Sun Solaris version 10
Summary

This technical note describes how Reflection for Secure IT works with the Solaris 10 zones feature, focusing on the effects of the pkgadd -G switch and on behavior in the global zone and in the two types of non-global zone: sparse root and whole root.

Reflection for Secure IT Installation Factors in a Zone Environment

Zones are a feature in Solaris 10 that allows a single Solaris instance to be partitioned into isolated application environments.

The behavior of a Reflection for Secure IT package, when installed in a zone environment, can be influenced by three factors:

  • The Reflection for Secure IT product version.
  • The type of zone (global, sparse root, or whole root) configured when pkgadd is used.
  • Whether the -G command line switch is used with the Solaris pkgadd tool to install Reflection for Secure IT (version 6.1.x).

Product Version

Values for the following package zone variables vary, depending on the version of Reflection for Secure IT:

Variable            6.1.x   7.x     8.x
SUNW_PKG_ALLZONES   False   True    True
SUNW_PKG_HOLLOW     False   False   False
SUNW_PKG_THISZONE   False   False   False

Note: In version 7.x, the values are visible in the pkginfo file. In version 6.1.x, the above variables are not explicitly set, so they are not visible in the pkginfo file.

Global Zone

If only global zones are used, then Reflection for Secure IT will perform as it has in earlier Solaris versions that did not support zones.

Sparse Root Zone

If you are installing Reflection for Secure IT in a Solaris 10 environment for the first time, you cannot install Reflection into a sparse root zone. The default configuration for a sparse root zone is to mount /usr, /lib, /platform, and /sbin read-only from the global zone, and Reflection will not install in such a zone.

If you replaced the Solaris default ssh in the global zone with Reflection for Secure IT, and then you create a new sparse root zone, Reflection for Secure IT behaves as a standalone installation in the new sparse root zone, with a separate /etc/ssh2 directory that contains the configuration files.

While the binary files in the global zone are read-only, the config files in the /etc/ssh2 directory are read/write.

Note: Be sure to disconnect from the non-global zone when upgrading Reflection for Secure IT.

Whole Root Zone

By definition, a whole root configuration is a non-global zone that does not inherit any directories from the global zone.

Reflection for Secure IT 7.x or higher cannot be installed in a whole root zone. Reflection 7.x or higher must be installed in the global zone for any current or future whole root zones to inherit Reflection.

Reflection for Secure IT 6.1.x can be installed and run in a whole root zone. Since the whole root configuration does not inherit any directories from the global zone, you have a more complete Solaris zone where /usr, /lib, /platform, and /sbin have write access.

Installing 6.1.x with the -G Switch

If Reflection for Secure IT 6.1.x was installed in the global zone with the -G switch, it will not be added to the whole root zone when it is created. Reflection 6.1.x versions can be installed in the whole root zone and will operate independently of an installation in the global zone. Each installation is unique and independent with separate host keys and daemons that can be started and stopped without affecting the other installation.

Installing 6.1.x without the -G Switch

If Reflection for Secure IT 6.1.x was installed in the global zone without the -G switch, then Reflection will be added to the whole root zone upon creation. While the two Reflection installations are unique and not dependent upon each other, removing Reflection from the global zone also removes it from the whole root zone. Removing Reflection from the whole root zone does not affect the global zone.

Note: Be sure to disconnect from the non-global zone when upgrading Reflection for Secure IT.
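
Example (added here; not part of the original technical note or of any Attachmate tooling): a shell function that reads the three zone variables from a pkginfo file, treats variables that are not set as false (the 6.1.x case noted above), and reports the install behavior that follows. The function names, file names, package name EXAMPLEpkg and sample file contents are constructed for illustration; the check for invalid combinations follows Solaris pkginfo(4) rather than this note.

```shell
#!/bin/sh
# Added example: report zone install behaviour from a package's pkginfo file.
# Function names, file names and sample contents are constructed.

# pkg_zone_attr FILE NAME: print "true" or "false" for one zone variable.
# A variable that is absent from the file counts as false (the 6.1.x case).
pkg_zone_attr() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'" |
          tr '[:upper:]' '[:lower:]')
    if [ "$val" = true ]; then echo true; else echo false; fi
}

# zone_behavior FILE: print the behaviour implied by the three variables.
# Valid combinations follow Solaris pkginfo(4).
zone_behavior() {
    az=$(pkg_zone_attr "$1" SUNW_PKG_ALLZONES)
    ho=$(pkg_zone_attr "$1" SUNW_PKG_HOLLOW)
    tz=$(pkg_zone_attr "$1" SUNW_PKG_THISZONE)
    if [ "$az" = true ] && [ "$tz" = true ]; then
        echo "invalid: ALLZONES and THISZONE are both true"
    elif [ "$ho" = true ] && [ "$az" = false ]; then
        echo "invalid: HOLLOW requires ALLZONES"
    elif [ "$az" = true ]; then
        echo "global-only: install from the global zone; applies to all zones"
    elif [ "$tz" = true ]; then
        echo "this-zone: installed only in the zone where pkgadd runs"
    else
        echo "per-zone: pkgadd -G decides whether new zones receive it"
    fi
}

# Constructed sample input: a 7.x-style file and a 6.1.x-style file.
tmp=$(mktemp -d)
cat > "$tmp/v7.pkginfo" <<'EOF'
PKG=EXAMPLEpkg
SUNW_PKG_ALLZONES=true
SUNW_PKG_HOLLOW=false
SUNW_PKG_THISZONE=false
EOF
cat > "$tmp/v61.pkginfo" <<'EOF'
PKG=EXAMPLEpkg
EOF
for f in "$tmp/v7.pkginfo" "$tmp/v61.pkginfo"; do
    printf '%s: %s\n' "${f##*/}" "$(zone_behavior "$f")"
done
```

On a live system the same function can be pointed at the pkginfo file of the installed package instead of the constructed samples.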

Related Technical Notes
1999 Reflection for Secure IT Technical Notes
