xref: /illumos-gate/usr/src/lib/brand/solaris10/zone/s10_boot.ksh (revision 6d5f0164c96478925502004890b8c98a4eaf1c55)
1#!/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
24# Copyright 2024 OmniOS Community Edition (OmniOSce) Association.
25#
26# s10 boot script.
27#
28# The arguments to this script are the zone name and the zonepath.
29#
30
31. /usr/lib/brand/solaris10/common.ksh
32
33ZONENAME=$1
34ZONEPATH=$2
35ZONEROOT=$ZONEPATH/root
36
37w_missing=$(gettext "Warning: \"%s\" is not installed in the global zone")
38
39arch=`uname -p`
40if [ "$arch" = "i386" ]; then
41	ARCH32=i86
42        ARCH64=amd64
43elif [ "$arch" = "sparc" ]; then
44	# 32-bit SPARC not supported!
45	ARCH32=
46        ARCH64=sparcv9
47else
48        echo "Unsupported architecture: $arch"
49        exit 2
50fi
51
52#
53# Run the s10_support boot hook.
54#
55/usr/lib/brand/solaris10/s10_support boot $ZONENAME
56if (( $? != 0 )) ; then
57        exit 1
58fi
59
60BRANDDIR=/.SUNWnative/usr/lib/brand/solaris10;
61FILEDIR=$BRANDDIR/files;
62EXIT_CODE=1
63
64#
65# Replace the specified file in the booting zone with a wrapper script that
66# invokes s10_isaexec_wrapper.  This is a convenience function that reduces
67# clutter and code duplication.
68#
69# Parameters:
70#	$1	The full path of the file to replace (e.g., /sbin/ifconfig)
71#	$2	The access mode of the replacement file in hex (e.g., 0555)
72#	$3	The name of the replacement file's owner (e.g., root:bin)
73#
74# NOTE: The checks performed in the 'if' statement below are not generic: they
75# depend on the success of the zone filesystem structure validation performed
76# above to ensure that intermediate directories exist and aren't symlinks.
77#
78replace_with_native() {
79	path_dname=$ZONEROOT/`dirname $1`
80
81	[ ! -f $1 ] && printf "$w_missing" "$1"
82	if [ ! -h $path_dname -a -d $path_dname ]; then
83		safe_replace $ZONEROOT/$1 $BRANDDIR/s10_isaexec_wrapper $2 $3 \
84		    remove
85	fi
86}
87
88#
89# Create a new wrapper script that invokes s10_isaexec_wrapper in the
90# brand (for a non-existing s10c file) pointing to the native brand file.
91#
92# Parameters:
93#	$1	The full path of the wrapper file to create
94#	$2	The access mode of the replacement file in hex (e.g., 0555)
95#	$3	The name of the replacement file's owner (e.g., root:bin)
96#
97wrap_with_native() {
98
99	[ ! -f $1 ] && printf "$w_missing" "$1"
100
101	path_dname=$ZONEROOT/`dirname $1`
102	if [ ! -h $path_dname -a -d $path_dname -a ! -f $ZONEROOT/$1 ]; then
103		safe_wrap $ZONEROOT/$1 $BRANDDIR/s10_isaexec_wrapper $2 $3
104	fi
105}
106
107#
108# Before we boot we validate and fix, if necessary, the required files within
109# the zone.  These modifications can be lost if a patch is applied within the
110# zone, so we validate and fix the zone every time it boots.
111#
112
113#
114# BINARY REPLACEMENT
115#
116# This section of the boot script is responsible for replacing Solaris 10
117# binaries within the booting zone with Nevada binaries.  This is a two-step
118# process: First, the directory structure of the zone is validated to ensure
119# that binary replacement will proceed safely.  Second, Solaris 10 binaries
120# are replaced with Nevada binaries.
121#
122# Here's an example.  Suppose that you want to replace /usr/bin/zcat with the
123# Nevada /usr/bin/zcat binary.  Then you should do the following:
124#
125#	1.  Go to the section below labeled "STEP ONE" and add the following
126#	    two lines:
127#
128#		safe_dir /usr
129#		safe_dir /usr/bin
130#
131#	    These lines ensure that both /usr and /usr/bin are directories
132#	    within the booting zone that can be safely accessed by the global
133#	    zone.
134#	2.  Go to the section below labeled "STEP TWO" and add the following
135#	    line:
136#
137#		replace_with_native /usr/bin/zcat 0555 root:bin
138#
139# Details about the binary replacement procedure can be found in the Solaris 10
140# Containers Developer Guide.
141#
142
143#
144# STEP ONE
145#
146# Validate that the zone filesystem looks like we expect it to.
147#
148safe_dir /lib
149safe_dir /lib/svc
150safe_dir /lib/svc/method
151safe_dir /lib/svc/share
152safe_dir /usr
153safe_dir /usr/bin
154safe_dir /usr/lib
155safe_dir /usr/lib/autofs
156safe_dir /usr/lib/fs
157safe_dir /usr/lib/fs/autofs
158safe_dir /usr/lib/fs/ufs
159safe_dir /usr/lib/fs/zfs
160safe_dir /usr/lib/inet
161safe_dir /usr/lib/zfs
162safe_dir /usr/sbin
163if [ -n "$ARCH32" ]; then
164	safe_dir /usr/lib/ipf/$ARCH32
165	safe_dir /usr/sbin/$ARCH32
166fi
167if [ -n "$ARCH64" ]; then
168	safe_dir /usr/lib/ipf/$ARCH64
169	safe_dir /usr/sbin/$ARCH64
170fi
171safe_dir /sbin
172safe_dir /var
173safe_dir /var/svc
174safe_dir /var/svc/manifest
175safe_dir /var/svc/manifest/network
176
177#
178# Some of the native networking daemons such as in.mpathd are
179# expected under /lib/inet
180#
181mkdir -m 0755 -p $ZONEROOT/lib/inet
182chown root:bin $ZONEROOT/lib/inet
183safe_dir /lib/inet
184
185#
186# STEP TWO
187#
188# Replace Solaris 10 binaries with Nevada binaries.
189#
190
191#
192# Replace various network-related programs with native wrappers.
193#
194replace_with_native /sbin/dhcpagent 0555 root:bin
195replace_with_native /sbin/dhcpinfo 0555 root:bin
196replace_with_native /sbin/ifconfig 0555 root:bin
197replace_with_native /usr/bin/netstat 0555 root:bin
198replace_with_native /usr/lib/inet/in.ndpd 0555 root:bin
199replace_with_native /usr/sbin/in.routed 0555 root:bin
200replace_with_native /usr/sbin/ndd 0555 root:bin
201replace_with_native /usr/sbin/snoop 0555 root:bin
202replace_with_native /usr/sbin/if_mpadm 0555 root:bin
203
204#
205# Replace IPFilter commands with native wrappers
206#
207replace_with_native /usr/lib/ipf/ipftest 0555 root:bin
208replace_with_native /usr/sbin/ipf 0555 root:bin
209replace_with_native /usr/sbin/ipfs 0555 root:bin
210replace_with_native /usr/sbin/ipfstat 0555 root:bin
211replace_with_native /usr/sbin/ipmon 0555 root:bin
212replace_with_native /usr/sbin/ipnat 0555 root:bin
213replace_with_native /usr/sbin/ippool 0555 root:bin
214
215#
216# Replace in.mpathd daemon at /usr/lib/inet by native wrapper
217#
218if [ ! -h $ZONEROOT/usr/lib/inet -a -d $ZONEROOT/usr/lib/inet ]; then
219	safe_replace $ZONEROOT/usr/lib/inet/in.mpathd \
220	    /lib/inet/in.mpathd 0555 root:bin remove
221fi
222
223#
224# Create wrapper at /lib/inet/in.mpathd as well because native ifconfig
225# looks up in.mpathd under /lib/inet.
226#
227wrap_with_native /lib/inet/in.mpathd 0555 root:bin
228
229# Create native wrapper for /sbin/ipmpstat
230wrap_with_native /sbin/ipmpstat 0555 root:bin
231
232#
233# Create ipmgmtd wrapper to native binary in s10 container
234# and copy ipmgmt service manifest and method.
235#
236wrap_with_native /lib/inet/ipmgmtd 0555 root:bin
237safe_copy /lib/svc/manifest/network/network-ipmgmt.xml \
238    $ZONEROOT/var/svc/manifest/network/network-ipmgmt.xml
239safe_copy /lib/svc/method/net-ipmgmt \
240    $ZONEROOT/lib/svc/method/net-ipmgmt
241
242#
243# To handle certain IPMP configurations, we need updated
244# net-physical method script and native net_include.sh
245#
246filename=$ZONEROOT/lib/svc/method/net-physical
247safe_backup $filename $filename.pre_p2v
248safe_copy /usr/lib/brand/solaris10/s10_net_physical $filename
249filename=$ZONEROOT/lib/svc/share/net_include.sh
250safe_backup $filename $filename.pre_p2v
251safe_copy /lib/svc/share/net_include.sh $filename
252
253#
254# PSARC 2009/306 removed the ND_SET/ND_GET ioctl's for modifying
255# IP/TCP/UDP/SCTP/ICMP tunables. If S10 ndd(8) is used within an
256# S10 container, the kernel will return EINVAL. So we need this.
257#
258replace_with_native /usr/sbin/ndd 0555 root:bin
259
260#
261# Replace various ZFS-related programs with native wrappers.  These commands
262# either link with libzfs, dlopen libzfs or link with libraries that link
263# or dlopen libzfs.  Commands which fall into these categories but which can
264# only be used in the global zone are not wrapped.  The libdiskmgt dm_in_use
265# code uses libfs, but only the zpool_in_use() -> zpool_read_label() code path.
266# That code does not issue ioctls on /dev/zfs and does not need wrapping.
267#
268replace_with_native /sbin/zfs 0555 root:bin
269replace_with_native /sbin/zpool 0555 root:bin
270replace_with_native /usr/lib/fs/ufs/quota 0555 root:bin
271replace_with_native /usr/lib/fs/zfs/fstyp 0555 root:bin
272replace_with_native /usr/lib/zfs/availdevs 0555 root:bin
273replace_with_native /usr/sbin/df 0555 root:bin
274replace_with_native /usr/sbin/zstreamdump 0555 root:bin
275
276#
277# Replace automount and automountd with native wrappers.
278#
279replace_with_native /usr/lib/fs/autofs/automount 0555 root:bin
280replace_with_native /usr/lib/autofs/automountd 0555 root:bin
281
282#
283# The class-specific dispadmin(8) and priocntl(1) binaries must be native
284# wrappers, and we must have all of the ones the native zone does.  This
285# allows new scheduling classes to appear without causing dispadmin and
286# priocntl to be unhappy.
287#
288rm -rf $ZONEROOT/usr/lib/class
289mkdir $ZONEROOT/usr/lib/class || exit 1
290
291find /usr/lib/class -type d -o -type f | while read x; do
292	[ -d $x ] && mkdir -p -m 755 $ZONEROOT$x
293	[ -f $x ] && wrap_with_native $x 0555 root:bin
294done
295
296#
297# END OF STEP TWO
298#
299
300#
301# Replace add_drv and rem_drv with /usr/bin/true so that pkgs/patches which
302# install or remove drivers will work.  NOTE: add_drv and rem_drv are hard
303# linked to isaexec so we want to remove the current executable and
304# then copy true so that we don't clobber isaexec.
305#
306filename=$ZONEROOT/usr/sbin/add_drv
307[ ! -f $filename.pre_p2v ] && safe_backup $filename $filename.pre_p2v
308rm -f $filename
309safe_copy $ZONEROOT/usr/bin/true $filename
310
311filename=$ZONEROOT/usr/sbin/rem_drv
312[ ! -f $filename.pre_p2v ] && safe_backup $filename $filename.pre_p2v
313rm -f $filename
314safe_copy $ZONEROOT/usr/bin/true $filename
315
316exit 0
317