When running Privileged Identity Management (PIM) on Solaris zones, there are two scenarios that need to be taken into consideration.
Scenario 1: Branded Zones
By default, PIM uses /etc/name_to_sysnum to resolve its native system call, which is the channel the global zone uses to communicate with the local zones. When branded zones are in use, this communication between the global zone and the local zones can be affected, leaving the endpoints in the local zones unable to see that the PIM kernel extension has been loaded. To fix this, use IOCTL as the communication method instead.
Please follow the steps in the "Use ioctl for Communication" section of our Implementation Guide to configure PIM for IOCTL communication.
Scenario 2: Adding Additional Local Zones
Another scenario arises when new zones are added after IOCTL has been configured: the new zone cannot communicate with the global zone until the PIM kernel extension is reloaded in the global zone. To avoid this, follow the steps below when adding a new zone.
- Stop PIM on the global zone (there is no need to unload the kernel extension)
- Create and install the new zone
- Log into the new zone and turn the IOCTL token on in seos.ini:
  SEOS_use_ioctl = 1
- On the global zone, invoke 'SEOS_load -z' followed by 'SEOS_load -i'
This should produce output similar to the following, listing all the configured zones (check that the new zone appears with a "match: /dev/seos." entry; if it is missing, the reload did not pick it up):
SEOS_load: device usage enabled.
module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
dev major: seos 314
dev path : /devices/pseudo/seos@0:seos
dev link : /dev/seos
zone: eactest1 match: /dev/seos.
zone: eactest2 match: /dev/seos.
- Reboot the new zone and start PIM.
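The helper script below is an added example, not part of the original page or of CA PIM's own tooling. It automates the two checks in the procedure above: setting the SEOS_use_ioctl token in a seos.ini file (step 3) and confirming, from captured 'SEOS_load -i' output, that the new zone is listed with a "match: /dev/seos." entry (step 4). It assumes, as stated in the comments, that seos.ini already contains a SEOS_use_ioctl line and that 'SEOS_load -i' prints the "zone: NAME match: /dev/seos." format shown above; the file paths and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not CA PIM code): checks for the
# "add a local zone after IOCTL is configured" procedure.
# Assumptions: seos.ini already has a SEOS_use_ioctl token line, and
# 'SEOS_load -i' output uses the "zone: NAME match: /dev/seos." format.
# Only run SEOS_load itself on a real global zone.

# Set "SEOS_use_ioctl = 1" in the given seos.ini, rewriting it in place.
# Fails (returns 1) if the token line is absent, so a missing token is
# reported instead of silently appended to the wrong section.
enable_ioctl_token() {
    ini="$1"
    grep -q '^[[:space:]]*SEOS_use_ioctl[[:space:]]*=' "$ini" || return 1
    tmp="$ini.tmp.$$"
    sed 's/^[[:space:]]*SEOS_use_ioctl[[:space:]]*=.*/SEOS_use_ioctl = 1/' "$ini" > "$tmp" \
        && mv "$tmp" "$ini"
}

# Print the current value of the SEOS_use_ioctl token (nothing if absent).
ioctl_token_value() {
    sed -n 's/^[[:space:]]*SEOS_use_ioctl[[:space:]]*=[[:space:]]*//p' "$1"
}

# From a file holding captured 'SEOS_load -i' output, print the zones that
# matched the /dev/seos device, one per line.
zones_matched() {
    awk '$1 == "zone:" && $3 == "match:" && $4 ~ /^\/dev\/seos\.?$/ { print $2 }' "$1"
}

# Succeed only if ZONE is among the zones listed by 'SEOS_load -i'.
zone_is_registered() {
    zone="$1"; out="$2"
    zones_matched "$out" | grep -qx "$zone"
}

# Constructed sample of 'SEOS_load -i' output, in the format shown above.
sample_output() {
    cat <<'EOF'
SEOS_load: device usage enabled.
module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
dev major: seos 314
dev path : /devices/pseudo/seos@0:seos
dev link : /dev/seos
zone: eactest1 match: /dev/seos.
zone: eactest2 match: /dev/seos.
EOF
}

# Usage on a real global zone (paths hypothetical, not run here):
#   enable_ioctl_token /path/in/new/zone/seos.ini     # run inside the new zone
#   SEOS_load -z && SEOS_load -i > /tmp/seos_load.out
#   zone_is_registered newzone /tmp/seos_load.out \
#       || echo "newzone not listed: reload the kernel extension before rebooting it"
```

Running the registration check before rebooting the new zone catches the failure mode the page describes (a zone that cannot reach the global zone) at the point where it is cheapest to fix, which is before PIM is started in that zone.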