1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25#
26
27# This script provides a simple GUI for managing labeled zones.
28# It takes no arguments, but provides contextual menus which
29# provide appropriate choices. It must be run in the global
30# zone as root.
31
32NSCD_PER_LABEL=0
33NSCD_INDICATOR="/var/tsol/doors/nscd_per_label"
34export NSCD_PER_LABEL
35export NSCD_INDICATOR
36if [ -f $NSCD_INDICATOR ] ; then
37	NSCD_PER_LABEL=1
38fi
39PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
40title="Labeled Zone Manager"
41maxlabel=`chk_encodings -X 2>/dev/null`
42if [[ ! -n $maxlabel ]]; then
43	maxlabel=0x000a-08-f8
44fi
45zonename=""
46export zonename
47config=/tmp/zfg.$$ ;
48
consoleCheck() {
	# Offer the "Zone Console..." menu item only while no "zlogin -C"
	# session for this zone is already running (pgrep finds none).
	zconsole=$(pgrep -f "zlogin -C $zonename") || console="Zone Console...\n"
}
55
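labelCheck() {
	# Look up the zone's label in tnzonecfg (lines are
	# zonename:hexlabel:...).  Sets curlabel to the readable label, or
	# to "..." plus a "Select Label..." menu item when the zone has no
	# label yet.  The test is quoted; the original "[ $hexlabel ]"
	# broke on empty or multi-word values.
	hexlabel=$(/bin/grep -- "^$zonename:" \
	    /etc/security/tsol/tnzonecfg | cut -d ":" -f2)
	if [[ -n $hexlabel ]] ; then
		label=
		curlabel=$(hextoalabel "$hexlabel")
	else
		label="Select Label...\n"
		curlabel=...
	fi
}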
67
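snapshotCheck() {
	# Offer "Create Snapshot" when "zfs list -t snapshot" shows a
	# snapshot whose name contains $ZDSET/$zonename.
	filesystem=$(zfs list -t snapshot | grep -- "$ZDSET/$zonename" | cut -d " " -f1)
	if [[ -n $filesystem ]]; then
		snapshot="Create Snapshot\n"
	fi
}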
74
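copyCheck() {
	# Build zonelist (every zone "zoneadm list -ip" reports, other than
	# the current one; field 2 of each id:name:... line) and, when it
	# is non-empty, offer the "Copy..." and "Clone" menu items.
	zonelist=""
	for p in $(zoneadm list -ip); do
		q=$(echo "$p" | cut -d ":" -f2)
		if [ "$q" != "$zonename" ]; then
			zonelist="$zonelist $q"
		fi
	done
	if [[ -n $zonelist ]]; then
		copy="Copy...\n"
		clone="Clone\n"
	fi
}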
88
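relabelCheck() {
	# Offer to toggle the zone's relabel privileges: if "zonecfg info"
	# already mentions win_mac_write (set by setMacPrivs), offer
	# "Deny Relabeling", otherwise "Permit Relabeling".
	macstate=$(zonecfg -z "$zonename" info | grep win_mac_write)
	if [[ -n $macstate ]]; then
		permitrelabel="Deny Relabeling\n"
	else
		permitrelabel="Permit Relabeling\n"
	fi
}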
97
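selectLabel() {
	# Offer every label below maxlabel that no tnzonecfg entry uses
	# yet; on selection, convert the chosen label back to hex and
	# append a tnzonecfg entry for the current zone.
	labelList=""
	for p in $(lslabels -h "$maxlabel"); do
		if ! /bin/grep -- ":$p:" /etc/security/tsol/tnzonecfg >/dev/null; then
			newlabel=$(hextoalabel "$p")
			labelList="$labelList $newlabel\n"
		fi
	done
	# echo is left unquoted on purpose: ksh's echo expands the "\n"
	# sequences into the newline-separated rows zenity reads.
	alabel=$(echo $labelList|zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=400 \
	    --column="Available Sensitivity Labels")

	if [[ -n $alabel ]]; then
		newlabel=$(atohexlabel "$alabel" 2>/dev/null)
		if [[ -n $newlabel ]]; then
			printf '%s:%s:0::\n' "$zonename" "$newlabel" \
			    >> /etc/security/tsol/tnzonecfg
		else
			x=$(zenity --error \
			    --title="$title" \
			    --text="$alabel is not valid")
		fi
	fi
}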
124
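resolveXdisplay() {
	# Make sure the global zone's hostname resolves inside each labeled
	# zone (or only zone $1 when given): it is used for DISPLAY in X,
	# so with nscd-per-label the zone's own ipnodes file must carry it.
	# Zones whose ipnodes map that name to 127.0.0.1 are collected in
	# ERRORLIST and reported in a dialog instead.
	export ZONE_PATH
	export ZONE_ETC_DIR
	export IPNODES
	export LIST
	ERRORLIST=""
	export ERRORLIST
	ghostname=$(hostname)
	export ghostname

	if [[ -n "$1" ]] ; then
		LIST=$(zoneadm list -ip | grep ":$1:")
	else
		LIST=$(zoneadm list -ip | grep -v "global")
	fi

	# Resolved once; the original re-ran getent inside the loop.
	gipaddress=$(getent hosts "$ghostname" | cut -f1)
	for i in $LIST; do
		ZONE_PATH=$(echo "$i" | cut -d ":" -f4)
		ZONE_ETC_DIR=$ZONE_PATH/root/etc
		IPNODES=${ZONE_ETC_DIR}/inet/ipnodes

		# Rather than toggle on and off with NSCD_PER_LABEL, put the
		# information in there and a sysadmin can remove it if necessary
		# $DISPLAY will not work in X without global hostname
		#
		# NOTE(review): IPNODES lies under the zone's root and is
		# written by path from the global zone; confirm the zone
		# cannot replace that path with a link before this runs.
		ENTRY=$(grep -- "$ghostname" "$IPNODES")
		case "$ENTRY" in
			127.0.0.1* )
				if [[ -z $ERRORLIST ]] ; then
					ERRORLIST="$ghostname address 127.0.0.1 found in:\n"
				fi
				ERRORLIST="$ERRORLIST $IPNODES\n"
				;;
			"")
				printf '%s\t%s\n' "$gipaddress" "$ghostname" >> "$IPNODES"
				;;
			*)
				continue
				;;
		esac
	done
	if [[ -n "$ERRORLIST" ]] ; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="WARNING:\n\n\n$ERRORLIST\n\n")
	fi
}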
176
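clone() {
	# Replace the zone's dataset with a clone of a user-selected ZFS
	# snapshot, attach the zone, and redo the passwd-sharing /
	# hostname-resolution setup for the new root.  Nothing happens
	# when the snapshot list is cancelled.
	image=$(zfs list -t snapshot | grep snapshot | cut -d " " -f1 | \
	    zenity --list \
		--title="$title" \
		--height=300 \
		--column="ZFS Zone Snapshots")
	if [[ -n $image ]]; then
		dataset=$(zfs list | grep -- "$ZDSET/$zonename" | cut -d " " -f1)
		if [[ -n $dataset ]]; then
			/usr/sbin/zfs destroy "$ZDSET/$zonename"
		fi
		/usr/sbin/zfs clone "$image" "$ZDSET/$zonename"
		/usr/sbin/zfs set mountpoint="/zone/$zonename" "$ZDSET/$zonename"

		/usr/sbin/zoneadm -z "$zonename" attach -F
		if [ ! -f /var/ldap/ldap_client_file ]; then
			if [ "$NSCD_PER_LABEL" = 0 ] ; then
				sharePasswd
			else
				unsharePasswd
				resolveXdisplay
			fi
		fi
	fi
}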
202
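copy() {
	# Populate the current zone by copying another installed zone
	# (chosen from zonelist, built by copyCheck) in a terminal window,
	# then redo the passwd-sharing / hostname-resolution setup.
	image=$(zenity --list \
	    --title="$title: Copy From" \
	    --height=300 \
	    --column="Installed Zones" $zonelist)
	# Cancelled or empty selection: the original went on to run
	# "zoneadm ... clone -m copy" with no source zone.
	if [[ -z $image ]]; then
		return
	fi

	/usr/bin/gnome-terminal \
	    --title="$title: Copying $image to $zonename zone" \
	    --command "zoneadm -z $zonename clone -m copy $image" \
	    --disable-factory \
	    --hide-menubar

	if [ ! -f /var/ldap/ldap_client_file ]; then
		if [ "$NSCD_PER_LABEL" = 0 ] ; then
			sharePasswd
		else
			unsharePasswd
			resolveXdisplay
		fi
	fi
}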
225
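initialize() {
	# Write the sysidcfg of a freshly installed zone so its first boot
	# asks no sysid questions: name service (LDAP settings taken from
	# the global zone's ldapclient, or NONE), locale, timezone, root
	# password hash and primary network identity.  The file contains
	# the root password hash and, for LDAP, the proxy bind password,
	# so it is created owner-readable only.  Exits the script when the
	# hostname prompt is cancelled or the zone is not installed.
	hostname=$(hostname)
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="Enter Host Name: " \
	    --entry-text "$hostname")
	if [ $? != 0 ]; then
		exit 1
	fi

	ZONE_PATH=$(zoneadm list -ip | grep ":${zonename}:" | cut -d ":" -f4)
	if [ -z "$ZONE_PATH" ] ; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="$zonename is not an installed zone")
		exit 1
	fi
	ZONE_ETC_DIR=$ZONE_PATH/root/etc
	ipaddress=$(getent hosts "$hostname" | cut -f1)
	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg

	# Create the file with mode 0600 before anything sensitive goes in;
	# the later ">" and ">>" writes keep that mode.  The original let
	# the default umask decide, typically leaving it world-readable.
	(umask 077; : > "${SYSIDCFG}")
	chmod 600 "${SYSIDCFG}"

	if [ -f /var/ldap/ldap_client_file ]; then
		# Query ldapclient once (the original ran it four times);
		# printf rather than echo so backslashes in the bind DN or
		# password are not interpreted.
		ldapinfo=$(ldapclient list)
		ldapaddress=$(printf '%s\n' "$ldapinfo" | \
		    /bin/grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
		printf 'name_service=LDAP {\n' > "${SYSIDCFG}"
		domain=$(domainname)
		printf 'domain_name=%s\n' "$domain" >> "${SYSIDCFG}"
		profName=$(printf '%s\n' "$ldapinfo" | \
		    /bin/grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
		proxyPwd=$(printf '%s\n' "$ldapinfo" | \
		    /bin/grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
		proxyDN=$(printf '%s\n' "$ldapinfo" | \
		    /bin/grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
		if [ "$proxyDN" ]; then
			printf 'proxy_dn="%s"\n' "$proxyDN" >> "${SYSIDCFG}"
			printf 'proxy_password="%s"\n' "$proxyPwd" >> "${SYSIDCFG}"
		fi
		printf 'profile=%s\n' "$profName" >> "${SYSIDCFG}"
		printf 'profile_server=%s }\n' "$ldapaddress" >> "${SYSIDCFG}"
		cp /etc/nsswitch.conf "$ZONE_ETC_DIR/nsswitch.ldap"
	else
		printf 'name_service=NONE\n' > "${SYSIDCFG}"
		if [ "$NSCD_PER_LABEL" = 0 ] ; then
			sharePasswd
		else
			# had to put resolveXdisplay lower down for this case
			unsharePasswd
		fi
	fi

	printf 'security_policy=NONE\n' >> "${SYSIDCFG}"
	locale=$(locale | grep LANG | cut -d "=" -f2)
	if [[ -z $locale ]]; then
		locale="C"
	fi
	printf 'system_locale=%s\n' "$locale" >> "${SYSIDCFG}"
	timezone=$(/bin/grep "^TZ" /etc/TIMEZONE | cut -d "=" -f2)
	printf 'timezone=%s\n' "$timezone" >> "${SYSIDCFG}"
	printf 'terminal=vt100\n' >> "${SYSIDCFG}"
	# The global zone's root password hash is reused for the zone.
	rootpwd=$(/bin/grep "^root:" /etc/shadow | cut -d ":" -f2)
	printf 'root_password=%s\n' "$rootpwd" >> "${SYSIDCFG}"
	printf 'network_interface=PRIMARY {\n' >> "${SYSIDCFG}"
	printf 'protocol_ipv6=no\n' >> "${SYSIDCFG}"
	printf 'hostname=%s\n' "$hostname" >> "${SYSIDCFG}"
	printf 'ip_address=%s }\n' "$ipaddress" >> "${SYSIDCFG}"
	cp /etc/default/nfs "${ZONE_ETC_DIR}/default/nfs"
	touch "${ZONE_ETC_DIR}/.NFS4inst_state.domain"
	if [ "$NSCD_PER_LABEL" = 1 ] ; then
		resolveXdisplay
	fi
}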
297
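install() {
	# Create the zone's ZFS dataset (when a pool is available), run
	# "zoneadm install" in a terminal window, then write its sysidcfg.
	#
	# if there is a zfs pool for zone
	# create a new dataset for the zone
	# This step is done automatically by zonecfg
	# in Solaris Express 8/06 or newer
	if [ "$ZDSET" != none ]; then
		zfs create -o mountpoint="/zone/$zonename" \
		    "$ZDSET/$zonename"
		chmod 700 "/zone/$zonename"
	fi

	/usr/bin/gnome-terminal \
	    --title="$title: Installing $zonename zone" \
	    --command "zoneadm -z $zonename install" \
	    --disable-factory \
	    --hide-menubar

	initialize
}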
318
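delete() {
	# Remove the zone's tnzonecfg entry (if any), then delete the zone
	# configuration and its ZFS dataset.  Clears zonename afterwards.
	tnzone=$(egrep "^$zonename:" /etc/security/tsol/tnzonecfg 2>/dev/null)
	if [ -n "${tnzone}" ]; then
		# Rewrite through a private temp file; the original used the
		# predictable /tmp/tnzonefg.$$, which another local user could
		# pre-create for root to overwrite.  Delete by zone name
		# instead of interpolating the whole matched line into the
		# sed pattern, and copy back so the file keeps its mode.
		tmpcfg=$(mktemp /tmp/tnzonecfg.XXXXXX) || return 1
		sed -e "/^${zonename}:/d" /etc/security/tsol/tnzonecfg \
		    > "$tmpcfg" 2>/dev/null
		cp "$tmpcfg" /etc/security/tsol/tnzonecfg
		rm -f "$tmpcfg"
	fi
	zonecfg -z "$zonename" delete -F
	dataset=$(zfs list | grep -- "$ZDSET/$zonename" | cut -d " " -f1)
	if [[ -n $dataset ]]; then
		/usr/sbin/zfs destroy "$ZDSET/$zonename"
	fi
	zonename=
}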
336
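getNIC(){
	# Build the list of physical IPv4 interfaces (loopback and logical
	# "name:N" interfaces excluded) and let the user pick one into nic.
	# Token tests use shell patterns instead of spawning grep per word.
	nics=
	for i in $(ifconfig -a4 | grep "^[a-z].*:" | grep -v LOOPBACK)
	do
		# Keep only the "name:" token of each header line; skip the
		# flags/mtu tokens that follow it.
		case $i in
			[a-z]*:*) ;;
			*) continue ;;
		esac
		i=${i%:} # Remove colon after interface name
		# A remaining colon marks a logical interface (e.g. name:1).
		case $i in
			*:*) continue ;;
		esac
		nics="$nics $i"
	done

	nic=$(zenity --list \
	    --title="$title" \
	    --column="Interface" \
	    $nics)
}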
359
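getNetmask() {
	# Ask for the netmask of $ipaddr and convert it to a prefix length
	# in cidr (the number of one bits in the mask).  cidr stays empty
	# when the dialog is cancelled.
	cidr=
	nm=$(zenity --entry \
	    --title="$title" \
	    --text="$ipaddr: Enter netmask: " \
	    --entry-text 255.255.255.0)
	if [ $? != 0 ]; then
		return
	fi

	# NOTE(review): this counts set bits without checking that they
	# are contiguous, so a malformed mask still yields a number.
	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' "$nm")
}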
373
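addNet() {
	# Add a network interface to the zone's configuration: pick the
	# NIC, resolve or enter the address, enter the netmask, then feed
	# the resulting "add net" block to zonecfg.  Cancelling any prompt
	# leaves the configuration untouched.
	getNIC
	if [[ -z $nic ]]; then
		return
	fi
	getIPaddr
	if [[ -z $ipaddr ]]; then
		return
	fi
	getNetmask
	if [[ -z $cidr ]]; then
		return
	fi
	zcfg="
add net
set address=${ipaddr}/${cidr}
set physical=$nic
end
commit
"
	printf '%s\n' "$zcfg" > "$config"
	zonecfg -z "$zonename" -f "$config"
	rm -f -- "$config"
}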
398
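getAttrs() {
	# Parse "ifconfig $nic" output into zone (global, all-zones, or the
	# owning zone), ipaddr, flags and template.  The token following
	# "inet" or "zone" is its value; "all-zones" stands on its own.
	zone=global
	type=ignore
	for j in $(ifconfig "$nic")
	do
		case $j in
			inet) type=$j;;
			zone) type=$j;;
			all-zones) zone=all-zones;;
			flags*) flags=$j;;
			*) case $type in
				inet) ipaddr=$j ;;
				zone) zone=$j ;;
				*) continue ;;
			   esac
			   type=ignore;;
		esac
	done
	# NOTE(review): ipaddr is only assigned when an "inet" token was
	# seen; otherwise it keeps whatever the previous call left in it.
	if [ "$ipaddr" != 0.0.0.0 ]; then
		template=$(tninfo -h "$ipaddr" | grep Template | cut -d" " -f3)
	else
		template="..."
		ipaddr="..."
	fi
}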
424
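updateTnrhdb() {
	# Bind $ipaddr to $template in the kernel (tnctl) and persist the
	# mapping in tnrhdb, replacing an existing line for that address
	# or appending a new one.
	tnctl -h "${ipaddr}:$template"
	if grep "^${ipaddr}[^0-9]" /etc/security/tsol/tnrhdb >/dev/null; then
		# Edit through a private temp file rather than the predictable
		# /tmp/txnetmgr.$$ name another local user could plant, and
		# replace the whole matching line instead of interpolating the
		# old line into the sed pattern, where a "/" or a regex
		# metacharacter would break the substitution.  cp keeps the
		# file's mode where the original mv replaced it.
		tmpdb=$(mktemp /tmp/tnrhdb.XXXXXX) || return 1
		sed -e "s/^${ipaddr}[^0-9].*/${ipaddr}:${template}/" \
		    /etc/security/tsol/tnrhdb > "$tmpdb"
		cp "$tmpdb" /etc/security/tsol/tnrhdb
		rm -f "$tmpdb"
	else
		printf '%s:%s\n' "$ipaddr" "$template" >> /etc/security/tsol/tnrhdb
	fi
}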
436
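getIPaddr() {
	# Ask for a hostname for interface $nic and resolve it into ipaddr;
	# when it does not resolve, ask for the address directly.  Either
	# prompt being cancelled returns early.
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="$nic: Enter hostname: ")
	if [ $? != 0 ]; then
		return
	fi

	ipaddr=$(getent hosts "$hostname" | cut -f1)
	if [[ -z $ipaddr ]]; then
		ipaddr=$(zenity --entry \
		    --title="$title" \
		    --text="$nic: Enter IP address: " \
		    --entry-text a.b.c.d)
		if [ $? != 0 ]; then
			return
		fi
	fi
}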
459
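addHost() {
	# Record $ipaddr/$hostname in hosts and ipnodes when no line for
	# that address exists (grep status 1), assign the cipso template,
	# and bring $nic up on the address.  printf replaces ksh echo so
	# the values are written verbatim.
	if [[ -z $ipaddr ]]; then
		return
	fi
	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
	if [ $? -eq 1 ]; then
		printf '%s\t%s\n' "$ipaddr" "$hostname" >> /etc/inet/hosts
	fi

	grep "^${ipaddr}[^0-9]" /etc/inet/ipnodes >/dev/null
	if [ $? -eq 1 ]; then
		printf '%s\t%s\n' "$ipaddr" "$hostname" >> /etc/inet/ipnodes
	fi

	template=cipso
	updateTnrhdb

	ifconfig "$nic" "$ipaddr" netmask + broadcast +
	printf '%s\n' "$hostname" > "/etc/hostname.$nic"
}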
481
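getTemplate() {
	# Let the user pick a cipso template from tnrhtp for $ipaddr, show
	# the template's labels for confirmation, then record the binding.
	# ("^[A-z]" is kept from the original; in the C locale it also
	# admits a few punctuation characters between Z and a.)
	templates=$(grep "^[A-z]" /etc/security/tsol/tnrhtp | \
	    grep "type=cipso" | cut -f1 -d":")

	while :; do
		t_cmd=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column="Network Templates" \
		    $templates)
		if [ $? != 0 ]; then
			break
		fi

		# Confirmation only; the row chosen here is not used.
		t_label=$(tninfo -t "$t_cmd" | grep sl | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Click OK to associate $t_cmd template with $ipaddr" )
		if [ $? != 0 ]; then
			continue
		fi
		template=$t_cmd
		updateTnrhdb
		break
	done
}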
511
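createInterface() {
	# Plumb a new logical interface on $nic and show ifconfig's
	# response (including any error).  zenity is invoked directly: the
	# original wrapped it in $(...), which would have executed whatever
	# the dialog printed.
	msg=$(ifconfig "$nic" addif 0.0.0.0 2>&1)
	zenity --info \
	    --title="$title" \
	    --text="$msg"
}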
518
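shareInterface() {
	# Make $nic visible to all zones and persist that by appending
	# " all-zones" to the first line of /etc/hostname.$nic.
	ifconfig "$nic" all-zones
	if_file=/etc/hostname.$nic
	# Private temp file instead of the predictable /tmp/txnetmgr.$$.
	tmpif=$(mktemp /tmp/hostname.XXXXXX) || return 1
	# The original piped "sed q" (reading the script's own stdin) into
	# a sed whose stdin was redirected from the file, so the pipe was
	# ignored and every line of the file got the suffix.  Edit the
	# first line only, keep the rest, and copy back so the file's mode
	# is preserved.
	sed -e '1s/$/ all-zones/' "$if_file" > "$tmpif"
	cp "$tmpif" "$if_file"
	rm -f "$tmpif"
}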
525
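setMacPrivs() {
	# Extend the zone's privilege limit with the window/file relabel
	# privileges (menu item "Permit Relabeling").
	zcfg="
set limitpriv=default,win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,file_downgrade_sl,file_upgrade_sl,sys_trans_label
commit
"
	printf '%s\n' "$zcfg" > "$config"
	zonecfg -z "$zonename" -f "$config"
	rm -f -- "$config"
}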
535
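resetMacPrivs() {
	# Restore the zone's default privilege limit (menu item
	# "Deny Relabeling").
	zcfg="
set limitpriv=default
commit
"
	printf '%s\n' "$zcfg" > "$config"
	zonecfg -z "$zonename" -f "$config"
	rm -f -- "$config"
}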
545
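unsharePasswd() {
	# Remove the lofs mounts of the global passwd and shadow files from
	# every non-global zone; "no such" messages from zones that never
	# had them are filtered out.
	for i in $(zoneadm list -i | grep -v global); do
		zonecfg -z "$i" remove fs dir=/etc/passwd 2>&1 | grep -v such
		zonecfg -z "$i" remove fs dir=/etc/shadow 2>&1 | grep -v such
	done
}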
552
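sharePasswd() {
	# With a single global nscd the zone reads the global passwd and
	# shadow files through read-only lofs mounts; add them unless the
	# zone's configuration already mentions /etc/passwd.  No-op when
	# nscd runs per label.
	if [ "$NSCD_PER_LABEL" -ne 0 ] ; then
		return
	fi
	passwd=$(zonecfg -z "$zonename" info | grep /etc/passwd)
	# grep status 1 means "not found"; any other failure (e.g. a
	# zonecfg error) is left alone rather than adding mounts blindly.
	if [[ $? -eq 1 ]]; then
		zcfg="
add fs
set special=/etc/passwd
set dir=/etc/passwd
set type=lofs
add options ro
end
add fs
set special=/etc/shadow
set dir=/etc/shadow
set type=lofs
add options ro
end
commit
"
		printf '%s\n' "$zcfg" > "$config"
		zonecfg -z "$zonename" -f "$config"
		rm -f -- "$config"
	fi
}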
579
580# This routine is a toggle -- if we find it configured for global nscd,
581# change to nscd-per-label and vice-versa.
582#
583# The user was presented with only the choice to CHANGE the existing
584# configuration.
585
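manageNscd() {
	# Toggle between a single global nscd and nscd-per-label.  The
	# indicator file drives NSCD_PER_LABEL at startup; switching to
	# per-label removes the shared passwd mounts from every zone,
	# switching back re-adds them zone by zone.
	if [ "$NSCD_PER_LABEL" -eq 0 ] ; then
		# this MUST be a regular file for svc-nscd to detect
		touch "$NSCD_INDICATOR"
		NSCD_PER_LABEL=1
		unsharePasswd
		resolveXdisplay
	else
		export zonename
		rm -f "$NSCD_INDICATOR"
		NSCD_PER_LABEL=0
		for i in $(zoneadm list -i | grep -v global); do
			zonename=$i
			sharePasswd
		done
		zonename=
	fi
}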
604
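collectNetAttrs() {
	# Helper for manageNets: append one "nic zone ipaddr template
	# state" row to attrs for every non-loopback interface that
	# "ifconfig -a$1" lists ($1 is u4 for up or d4 for down
	# interfaces; $2 is the state label shown in the list).
	for i in $(ifconfig "-a$1" | grep "^[a-z].*:" | grep -v LOOPBACK)
	do
		# Keep only the "name:" token of each header line.
		case $i in
			[a-z]*:*) ;;
			*) continue ;;
		esac
		nic=${i%:} # Remove colon after interface name
		getAttrs
		attrs="$nic $zone $ipaddr $template $2 $attrs"
	done
}

manageNets() {
	# Network interface menu: list every IPv4 interface with its zone,
	# address, template and state, then offer the actions that apply
	# to the selected interface.  Returns when the list is cancelled.
	while :; do
		attrs=
		collectNetAttrs u4 Up
		collectNetAttrs d4 Down

		nic=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Interface" \
		    --column="Zone Name" \
		    --column="IP Address" \
		    --column="Template" \
		    --column="State" \
		    $attrs)

		if [[ -z $nic ]]; then
			return
		fi

		getAttrs

		# Clear list of commands
		share=
		setipaddr=
		settemplate=
		newlogical=
		unplumb=
		bringup=
		bringdown=

		# A physical interface (no colon) can get a new logical one;
		# a logical interface can be removed, and brought up or down
		# depending on its current UP flag.
		case $nic in
		*:*)
			case $flags in
			*UP,*)
				bringdown="Bring Down\n"
				;;
			*)
				unplumb="Remove Logical Interface\n"
				if [ "$ipaddr" != "..." ]; then
					bringup="Bring Up\n"
				fi
				;;
			esac
			;;
		*)
			newlogical="Create Logical Interface\n"
			;;
		esac

		if [ "$ipaddr" = "..." ]; then
			setipaddr="Set IP address...\n"
		else
			settemplate="View Templates...\n"
			if [ "$zone" = global ]; then
				share="Share\n"
			fi
		fi

		# echo is left unquoted on purpose: ksh's echo expands the
		# "\n" sequences into the newline-separated rows zenity reads
		# (each row keeps a leading space, hence the case labels).
		command=$(echo ""\
		    $share \
		    $setipaddr \
		    $settemplate \
		    $newlogical \
		    $unplumb \
		    $bringup \
		    $bringdown \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "Interface: $nic" )

		case $command in
		    " Create Logical Interface")
			createInterface;;
		    " Set IP address...")
			getIPaddr
			addHost;;
		    " Share")
			shareInterface;;
		    " View Templates...")
			getTemplate;;
		    " Remove Logical Interface")
			ifconfig "$nic" unplumb
			rm -f "/etc/hostname.$nic";;
		    " Bring Up")
			ifconfig "$nic" up;;
		    " Bring Down")
			ifconfig "$nic" down;;
		    *) continue;;
		esac
	done
}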
717
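createLDAPclient() {
	# Collect the LDAP client settings through dialogs, make sure the
	# server is known in /etc/hosts and tnrhdb (cipso), then run
	# "ldapclient init" for the global zone and display its output.
	ldaptitle="$title: Create LDAP Client"
	ldapdomain=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Domain Name: ")
	ldapserver=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Hostname of LDAP Server: ")
	ldapserveraddr=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
	# Ask for the proxy password twice until both entries match.  A
	# cancelled dialog abandons the operation; the original kept
	# re-prompting, since cancel leaves the password empty.
	ldappassword=""
	ldappasswordconfirm=""
	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]]; do
		ldappassword=$(zenity --entry \
		    --width=400 \
		    --title="$ldaptitle" \
		    --hide-text \
		    --text="Enter LDAP Proxy Password:") || return
		ldappasswordconfirm=$(zenity --entry \
		    --width=400 \
		    --title="$ldaptitle" \
		    --hide-text \
		    --text="Confirm LDAP Proxy Password:") || return
	done
	ldapprofile=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter LDAP Profile Name: ")
	# Summary dialog; the password is shown masked.
	whatnext=$(zenity --list \
	    --width=400 \
	    --height=250 \
	    --title="$ldaptitle" \
	    --text="Proceed to create LDAP Client?" \
	    --column=Parameter --column=Value \
	    "Domain Name" "$ldapdomain" \
	    "Hostname" "$ldapserver" \
	    "IP Address" "$ldapserveraddr" \
	    "Password" "$(printf '%s' "$ldappassword" | sed 's/./*/g')" \
	    "Profile" "$ldapprofile")
	if [ $? != 0 ]; then
		return
	fi

	/bin/grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
	if [ $? -eq 1 ]; then
		printf '%s %s\n' "$ldapserveraddr" "$ldapserver" >> /etc/hosts
	fi

	# tnrhdb holds address:template lines, so check for the address.
	# The original looked for "hostname:", which does not match the
	# lines written below, so every run appended another entry.
	/bin/grep "^${ldapserveraddr}:" /etc/security/tsol/tnrhdb > /dev/null
	if [ $? -eq 1 ]; then
		printf '# %s - ldap server\n' "$ldapserver" \
		    >> /etc/security/tsol/tnrhdb
		printf '%s:cipso\n' "$ldapserveraddr" \
		    >> /etc/security/tsol/tnrhdb
		/usr/sbin/tnctl -h "${ldapserveraddr}:cipso"
	fi

	# Turn "a.b.c" into "dc=a,dc=b,dc=c".
	proxyDN=$(printf '%s\n' "$ldapdomain" | awk -F. \
	    '{ ORS = "" } { for (i = 1; i < NF; i++) print "dc="$i"," } { print "dc="$NF }')

	zenity --info \
	    --title="$ldaptitle" \
	    --width=500 \
	    --text="global zone will be LDAP client of $ldapserver"

	# Private temp file for the ldapclient transcript; the original
	# used the predictable /tmp/ldapclient.$$.
	ldapout=$(mktemp /tmp/ldapclient.XXXXXX) || return

	# NOTE(review): the proxy password is passed as a command-line
	# argument and is visible in the process list while ldapclient
	# runs; check whether the installed ldapclient offers another way
	# to supply it.
	ldapclient init -a profileName="$ldapprofile" \
	    -a domainName="$ldapdomain" \
	    -a "proxyDN=cn=proxyagent,ou=profile,$proxyDN" \
	    -a proxyPassword="$ldappassword" \
	    "$ldapserveraddr" >"$ldapout" 2>&1

	if [ $? -eq 0 ]; then
		ldapstatus=Success
	else
		ldapstatus=Error
	fi

	zenity --text-info \
	    --width=700 \
	    --height=300 \
	    --title="$ldaptitle: $ldapstatus" \
	    --filename="$ldapout"

	rm -f "$ldapout"
}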
810
811# Loop for single-zone menu
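singleZone() {
	# Per-zone menu: offer the actions valid for the zone's current
	# state (field 3 of "zoneadm -z ... list -p") and run the chosen
	# one, until the user returns to the main menu or deletes the zone.
	while [ "${command}" != Exit ]; do
		if [[ -z $zonename ]]; then
			x=$(zenity --error \
			    --title="$title" \
			    --text="zonename \"$zonename\" is not valid")
			return
		fi
		# Clear list of commands
		console=
		label=
		start=
		reboot=
		stop=
		clone=
		copy=
		install=
		ready=
		uninstall=
		delete=
		snapshot=
		addnet=
		deletenet=
		permitrelabel=

		zonestate=$(zoneadm -z "$zonename" list -p | cut -d ":" -f 3)

		consoleCheck
		labelCheck
		delay=0

		case $zonestate in
			running)
				ready="Ready\n"
				reboot="Reboot\n"
				stop="Halt\n"
				;;
			ready)
				start="Boot\n"
				stop="Halt\n"
				;;
			installed)
				# Ready/Boot only once a label is assigned
				# (labelCheck clears label in that case).
				if [[ -z $label ]]; then
					ready="Ready\n"
					start="Boot\n"
				fi
				uninstall="Uninstall\n"
				snapshotCheck
				relabelCheck
				addnet="Add Network...\n"
				;;
			configured)
				install="Install...\n"
				copyCheck
				delete="Delete\n"
				console=
				;;
			incomplete)
				delete="Delete\n"
				;;
			*)
				;;
		esac

		# echo is left unquoted on purpose: ksh's echo expands the
		# "\n" sequences into the newline-separated rows zenity reads
		# (each row keeps a leading space, hence the case labels).
		command=$(echo ""\
		    $console \
		    $label \
		    $start \
		    $reboot \
		    $stop \
		    $clone \
		    $copy \
		    $install \
		    $ready \
		    $uninstall \
		    $delete \
		    $snapshot \
		    $addnet \
		    $deletenet \
		    $permitrelabel \
		    "Return to Main Menu" \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "$zonename: $zonestate" )

		case $command in
		    " Zone Console...")
			# Pause before the menu is rebuilt, presumably so that
			# consoleCheck sees the zlogin process on the next pass.
			delay=2
			/usr/bin/gnome-terminal \
			    --title="Zone Terminal Console: $zonename" \
			    --command "/usr/sbin/zlogin -C $zonename" &
			;;

		    " Select Label...")
			selectLabel;;

		    " Ready")
			zoneadm -z "$zonename" ready ;;

		    " Boot")
			zoneadm -z "$zonename" boot ;;

		    " Halt")
			zoneadm -z "$zonename" halt ;;

		    " Reboot")
			zoneadm -z "$zonename" reboot ;;

		    " Install...")
			install;;

		    " Clone")
			clone ;;

		    " Copy...")
			copy ;;

		    " Uninstall")
			zoneadm -z "$zonename" uninstall -F;;

		    " Delete")
			delete
			return ;;

		    " Create Snapshot")
			zfs snapshot "$ZDSET/${zonename}@snapshot";;

		    " Add Network...")
			addNet ;;

		    " Permit Relabeling")
			setMacPrivs ;;

		    " Deny Relabeling")
			resetMacPrivs ;;

		    *)
			zonename=
			return ;;
		esac
		sleep "$delay"
	done
}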
953
954# Main loop for top-level window
955#
956
957
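# Pick the ZFS dataset under which zone roots are created: the pool
# named "zone" if it exists, else <rootpool>/zones on a ZFS root
# (created on demand), else "none" (no dataset handling at all).
ZDSET=none
# are there any zfs pools?
if zpool iostat 1>/dev/null 2>&1; then
	# is there a zfs pool named "zone"?
	if zpool list -H zone 1>/dev/null 2>&1; then
		ZDSET=zone
	else
		# no, but is there a root pool?
		rootfs=$(df -n / | awk '{print $3}')
		if [ "$rootfs" = "zfs" ]; then
			# yes, use it
			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
			zfs list -H "$ZDSET" 1>/dev/null 2>&1
			if [ $? = 1 ]; then
				zfs create -o mountpoint=/zone "$ZDSET"
			fi
		fi
	fi
fi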
980
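export NSCD_OPT
# Top-level menu: list every non-global zone with its state and label
# plus the global actions, and dispatch on the choice until Exit.
while [ "${command}" != Exit ]; do
	zonelist=""
	for p in $(zoneadm list -cp | grep -v global:); do
		zonename=$(echo "$p" | cut -d : -f2)
		state=$(echo "$p" | cut -d : -f3)
		labelCheck
		zonelist="$zonelist$zonename\n$state\n$curlabel\n"
	done

	if [ "$NSCD_PER_LABEL" -eq 0 ] ; then
		NSCD_OPT="Configure per-zone name service"
	else
		NSCD_OPT="Unconfigure per-zone name service"
	fi
	# Three columns per row; the global actions leave the other two
	# cells empty.
	zonelist=${zonelist}"Manage Network Interfaces...\n\n\n"
	zonelist=${zonelist}"Create a new zone...\n\n\n"
	zonelist=${zonelist}"${NSCD_OPT}"
	zonelist=${zonelist}"\n\n\nCreate LDAP Client...\n\n\n"
	zonelist=${zonelist}"Exit\n\n"

	zonename=""
	# echo is left unquoted on purpose: ksh's echo expands the "\n"
	# sequences into the newline-separated cells zenity reads.
	topcommand=$(echo $zonelist|zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=500 \
	    --column="Zone Name" \
	    --column="Status" \
	    --column="Sensitivity Label" \
	    )

	if [[ -z $topcommand ]]; then
		command=Exit
		exit
	fi

	case $topcommand in
	"$NSCD_OPT")
		topcommand=
		manageNscd
		continue
		;;
	"Manage Network Interfaces...")
		topcommand=
		manageNets
		continue
		;;
	"Exit")
		command=Exit
		exit
		;;
	"Create a new zone...")
		zonename=$(zenity --entry \
		    --title="$title" \
		    --entry-text="" \
		    --text="Enter Zone Name: ")

		if [[ -z $zonename ]]; then
			continue
		fi

		# Reject names before they are interpolated into the
		# zonepath and the zonecfg batch.  NOTE(review): this mirrors
		# the zone name rules in zones(5) (alphanumeric start; then
		# alphanumerics, "_", "-" and "."); confirm for this release.
		case $zonename in
		[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*)
			x=$(zenity --error \
			    --title="$title" \
			    --text="zonename \"$zonename\" is not valid")
			zonename=""
			continue
			;;
		esac

		zcfg="
create -t SUNWtsoldef
set zonepath=/zone/$zonename
commit
"
		printf '%s\n' "$zcfg" > "$config"
		zonecfg -z "$zonename" -f "$config"
		rm -f -- "$config"
		# Now, go to the singleZone menu, using the global
		# variable zonename, and continue with zone creation
		singleZone
		continue
		;;
	"Create LDAP Client...")
		command=LDAPclient
		createLDAPclient
		continue
		;;
	esac
	# if the menu choice was a zonename, pop up zone menu
	zonename=$topcommand
	singleZone
done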
1059