Solaris 11 brought both ZFS encryption and the Immutable Zones feature and I've talked about the combination in the past. Solaris 11.1 adds a fully supported method of storing zones in their own ZFS using shared
storage so lets update things a little and put all three parts together.
When using an iSCSI (or other supported shared
storage target) for a Zone we can either let the Zones framework setup the ZFS pool or we can do it manually before hand and tell the Zones framework to use the one we made earlier. To enable encryption we have to take the second path so that we can setup the pool with encryption before we start to install the zones on it.
We start by configuring the zone and specifying an rootzpool resource:
# zonecfg -z eizoss
Use 'create' to begin configuring a new zone.
zonecfg:eizoss> create
create: Using system default template 'SYSdefault'
zonecfg:eizoss> set zonepath=/zones/eizoss
zonecfg:eizoss> set file-mac-profile=fixed-configuration
zonecfg:eizoss> add rootzpool
zonecfg:eizoss:rootzpool> add
storage \
iscsi://zs7120-tvp540-c.uk.oracle.com/luname.naa.600144f09acaacd20000508e64a70001
zonecfg:eizoss:rootzpool> end
zonecfg:eizoss> verify
zonecfg:eizoss> commit
zonecfg:eizoss>
Now lets create the pool and specify encryption:
# suriadm map \
iscsi://zs7120-tvp540-c.uk.oracle.com/luname.naa.600144f09acaacd20000508e64a70001
PROPERTY VALUE
mapped-dev /dev/dsk/c10t600144F09ACAACD20000508E64A70001d0
# echo "zfscrypto" > /zones/p
# zpool create -O encryption=on -O keysource=passphrase,file:///zones/p eizoss \
/dev/dsk/c10t600144F09ACAACD20000508E64A70001d0
# zpool export eizoss
Note that the keysource example above is just for this example, realistically you should probably use an Oracle Key Manager or some other better keystorage, but that isn't the purpose of this example. Note however that it does need to be one of file:// https:// pkcs11: and not prompt for the key location. Also note that we exported the newly created pool. The name we used here doesn't actually mater because it will get set properly on import anyway. So lets go ahead and do our install:
zoneadm -z eizoss install -x force-zpool-import
Configured zone
storage resource(s) from:
iscsi://zs7120-tvp540-c.uk.oracle.com/luname.naa.600144f09acaacd20000508e64a70001
Imported zone zpool: eizoss_rpool
Progress being logged to /var/log/zones/zoneadm.20121029T115231Z.eizoss.install
Image: Preparing at /zones/eizoss/root.
AI Manifest: /tmp/manifest.xml.ujaq54
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: eizoss
Installation: Starting ...
Creating IPS image
Startup linked: 1/1 done
Installing packages from:
solaris
origin: http://pkg.us.oracle.com/solaris/release/
Please review the licenses for the following packages post-install:
consolidation/osnet/osnet-incorporation (automatically accepted,
not displayed)
Package licenses may be viewed using the command:
pkg info --license <pkg_fmri>
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 187/187 33575/33575 227.0/227.0 384k/s
PHASE ITEMS
Installing new actions 47449/47449
Updating package state database Done
Updating image state Done
Creating fast lookup database Done
Installation: Succeeded
Note: Man pages can be obtained by installing pkg:/system/manual
done.
Done: Installation completed in 929.606 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)
to complete the configuration process.
Log saved in non-global zone as /zones/eizoss/root/var/log/zones/zoneadm.20121029T115231Z.eizoss.install
That was really all we had to do, when the install is done boot it up as normal.
The zone administrator has no direct access to the ZFS wrapping keys used for the encrypted pool zone is stored on. Due to how inheritance works in ZFS he can still create new encrypted datasets that use those wrapping keys (without them ever being inside a process in the zone) or he can create encrypted datasets inside the zone that use keys of his own choosing, the output below shows the two cases:
rpool is inheriting the key material from the global zone (note we can see the value of the keysource property but we don't use it inside the zone nor does that path need to be (or is) accessible inside the zone). Whereas rpool/export/home/bob has set keysource locally.
# zfs get encryption,keysource rpool rpool/export/home/bob
NAME PROPERTY VALUE SOURCE
rpool encryption on inherited from $globalzone
rpool keysource passphrase,file:///zones/p inherited from $globalzone
rpool/export/home/bob encryption on local
rpool/export/home/bob keysource passphrase,prompt local
