List: opensolaris-smf-discuss
Subject: Re: [smf-discuss] [ilb-dev] Question on privileges needed for ilbd
From: Sangeeta Misra <Sangeeta.Misra () Sun ! COM>
Date: 2009-06-15 17:16:48
Message-ID: 4A368200.1030007 () Sun ! COM
On 06/15/09 09:10, Sangeeta Misra wrote:
> Folks,
> Currently ilbd daemon runs as "root" and uses SCF to store
> persistent configuration. ILB's rules, servergroups and healthcheck
> objects are represented as property groups in SCF. Note that we use
> the property group type SCF_GROUP_APPLICATION.
>
> Below is a sample layout of the ilb property groups/properties:
>
> prop-group name | property name | property type  | property value
> -------------------------------------------------------------------------
> rule123         | status        | boolean        | disabled/enabled
>                 | vip           | net-v4/6-addr  | v4/6 IP address
>                 | port          | astring        | port range
>                 | protocol      | astring        | TCP/UDP...
>                 | ilb-alg       | astring        | round-robin...
>                 | ilb-type      | astring        | NAT/DSR...
>                 | healthcheck   | astring        | healthcheck name
>                 | drain-time    | int            | sec
>                 | nat-timeout   | int            | sec
>                 | pers-timeout  | int            | sec
>                 | hc-port       | astring        | ALL/ANY/some-number
>                 | servergroup   | astring        | servergroup name
> [.... more rules ....]
> servergroup123  | status        | boolean        | disabled/enabled
>                 | server1       | astring        | IP-addr:port:enable/disable
>                 | server2       | astring        | IP-addr:port:enable/disable
> [ .... more servers ....]
> healthcheck123  | hc-test       | astring        | test program
>                 | hc-timeout    | int            | timeout value in sec
>                 | hc-interval   | int            | interval val in sec
>                 | hc-count      | int            | test repetition
> [ .... more healthchecks ....]
>
> I am trying to see if I can get ilbd to run as "daemon" instead of
> "root". See the attached ilbd.xml file for the list of privileges
> that the ilbd daemon runs with. After starting the ilbd daemon (i.e.
> running with the "daemon" uid), when I try to configure a healthcheck thus:
>
> # ilbadm create-healthcheck -h
> hc-test=ping,hc-timeout=3,hc-count=2,hc-interval=14 hc1
>
> I get the error:
> ilbadm: no scf permit
>
> The command executes fine, but it's the writing to scf that is
> failing. My questions are as follows:
>
> Question 1
> ===========
> I assume that in order to authorize the ilbd daemon to successfully call
> the scf_* functions to create/modify/delete/retrieve the
> configuration to/from the scf framework, all I need to do is add this to
> usr/src/lib/libsecdb/user_attr.txt:
>
> daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify
>
> Can you confirm that this is indeed all that is required? Or does
> one need to do more than that (and if so, what exactly)?
>
I tried the above and it seems to work. But the question is: is this OK
to do? If not, then we would need to create a uid of "netadm" and
run ilbd with that uid instead and change the user_attr entry to:
netadm::::auths=solaris.smf.manage.ilb,solaris.smf.modify
Please advise.
Sangeeta
> Question 2
> =============
> Is it OK for a process running as "daemon" to have
> "solaris.smf.modify"/"solaris.smf.modify.application" authorization?
> Or should this authorization only be granted to processes that run as
> "root"?
>
> Sangeeta
>
> _______________________________________________
> ilb-dev mailing list
> ilb-dev@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/ilb-dev
["ilbd.xml" (text/xml)]
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
Copyright 2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
Common Development and Distribution License (the "License").
You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions
and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each
file and include the License file at usr/src/OPENSOLARIS.LICENSE.
If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
file.
Service manifest for Integrated Load balancer(ILB).
-->
<service_bundle type='manifest' name='SUNWilbr:ilb'>
    <service
        name='network/loadbalancer/ilb'
        type='service'
        version='1'>
        <create_default_instance enabled='false' />
        <single_instance />
        <!--
            Ensure that name services is enabled before ILB service begins.
        -->
        <dependency
            name='name-services'
            grouping='require_all'
            restart_on='error'
            type='service'>
            <service_fmri value='svc:/milestone/name-services' />
        </dependency>
        <!--
            Ensure that forwarding service is enabled before load balancing
            service begins. The forwarding service is dependent on
            the filesystem and devices services.
        -->
        <dependency
            name='network'
            grouping='require_any'
            restart_on='error'
            type='service'>
            <service_fmri value='svc:/network/ipv4-forwarding' />
            <service_fmri value='svc:/network/ipv6-forwarding' />
        </dependency>
        <exec_method
            type='method'
            name='stop'
            exec='/usr/sbin/ilbadm shutdown'
            timeout_seconds='60' >
        </exec_method>
        <exec_method
            type='method'
            name='start'
            exec='/usr/lib/inet/ilbd'
            timeout_seconds='60' >
            <method_context>
                <method_credential
                    user='daemon'
                    group='daemon'
                    privileges='basic,proc_owner,proc_audit,net_icmpaccess,sys_ip_config'
                />
            </method_context>
        </exec_method>
        <!-- to start stop routing services -->
        <property_group name='general' type='framework'>
            <propval name='action_authorization' type='astring'
                value='solaris.smf.manage.ilb' />
            <propval name='value_authorization' type='astring'
                value='solaris.smf.manage.ilb' />
        </property_group>
        <stability value='Unstable' />
        <template>
            <common_name>
                <loctext xml:lang='C'> Integrated layer 3/4 load balancer
                </loctext>
            </common_name>
            <documentation>
                <manpage title='ilbd' section='1M'
                    manpath='/usr/share/man' />
            </documentation>
        </template>
    </service>
</service_bundle>
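The two questions in the message turn on how an RBAC authorization granted in user_attr is matched against the authorization SMF consults when a client writes a property group. The following Python block is an added example, not code from the post or from OpenSolaris: it parses user_attr-style lines in the format quoted above, implements RBAC-style name matching (exact name, or a trailing ".*" wildcard), and models the decision order assumed here for svc.configd (blanket solaris.smf.modify, then the per-type solaris.smf.modify.<pg_type>, then a property group's own modify_authorization). The "netadm" line with solaris.smf.modify.application and the framework-type property group are constructed for the comparison; the "daemon" line is the one from the post. The point it makes is that the per-type authorization mentioned in Question 2 lets ilbd write its own application-type groups while leaving framework-type groups untouched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The "daemon" line is the grant quoted in the post;
# the "netadm" line is a narrower alternative, constructed for this example,
# that grants only the application property-group type.
USER_ATTR_SAMPLE = """\
# user:qualifier:res1:res2:attr
daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify
netadm::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
"""


def parse_user_attr(text: str) -> Dict[str, Dict[str, str]]:
    """Parse user_attr-style lines into {user: {attr_key: attr_value}}.

    Each line has five colon-separated fields; the fifth is a ';'-separated
    list of key=value attributes (auths, profiles, roles, ...).
    """
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"malformed user_attr line: {raw!r}")
        attrs: Dict[str, str] = {}
        for item in fields[4].split(";"):
            if item:
                key, _, value = item.partition("=")
                attrs[key] = value
        entries[fields[0]] = attrs
    return entries


def user_auths(entries: Dict[str, Dict[str, str]], user: str) -> List[str]:
    """Return the authorization names granted to `user` (empty if none)."""
    return [a for a in entries.get(user, {}).get("auths", "").split(",") if a]


def has_auth(auths: List[str], wanted: str) -> bool:
    """RBAC-style match: an exact name, or a granted name ending in '.*'
    (e.g. 'solaris.smf.*') that covers every authorization under that prefix."""
    for granted in auths:
        if granted == wanted:
            return True
        if granted.endswith(".*") and wanted.startswith(granted[:-1]):
            return True
    return False


@dataclass
class PropertyGroup:
    name: str
    pg_type: str                                # 'application', 'framework', ...
    modify_authorization: Optional[str] = None  # pg-level override, if set


def may_modify(auths: List[str], pg: PropertyGroup) -> Tuple[bool, str]:
    """Decide whether a caller holding `auths` may create or modify `pg`.

    Assumed decision order (a simplification of svc.configd's checks):
      1. blanket solaris.smf.modify
      2. per-type solaris.smf.modify.<pg_type>
      3. the pg's own modify_authorization property, if present
    Returns (allowed, name of the rule that decided).
    """
    if has_auth(auths, "solaris.smf.modify"):
        return True, "solaris.smf.modify"
    per_type = f"solaris.smf.modify.{pg.pg_type}"
    if has_auth(auths, per_type):
        return True, per_type
    if pg.modify_authorization and has_auth(auths, pg.modify_authorization):
        return True, f"modify_authorization={pg.modify_authorization}"
    return False, "denied"


def grant_matrix(user_attr_text: str = USER_ATTR_SAMPLE):
    """For each sample user, report whether it may write the ILB rule group
    (application type, as in the post) and a constructed framework-type
    group that ilbd has no reason to touch."""
    entries = parse_user_attr(user_attr_text)
    targets = [
        PropertyGroup("rule123", "application"),       # ILB rule, from the post
        PropertyGroup("constructed-fw-pg", "framework"),  # constructed, not ILB's
    ]
    result = {}
    for user in entries:
        auths = user_auths(entries, user)
        result[user] = {pg.name: may_modify(auths, pg) for pg in targets}
    return result


if __name__ == "__main__":
    for user, decisions in grant_matrix().items():
        for pg_name, (allowed, rule) in decisions.items():
            verdict = "allow" if allowed else "deny"
            print(f"{user:7} {pg_name:18} {verdict:5} via {rule}")
```

Running the block prints one line per user and property group: "daemon" is allowed on both groups through the blanket solaris.smf.modify, while "netadm" is allowed on the application-type rule group only and denied on the framework-type group.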