1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25#
26
27# This script provides a simple GUI for managing labeled zones.
28# It takes no arguments, but provides contextual menus which
29# provide appropriate choices. It must be run in the global
30# zone as root.
31
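# Runtime configuration shared by every function below (all globals).
#
# NSCD_PER_LABEL  1 when per-label name service caching is configured,
#                 detected by the presence of the NSCD_INDICATOR file.
# PATH            pinned to system directories so the privileged commands
#                 run by this script cannot be shadowed by the caller's PATH.
# title           window title used for every zenity dialog.
# maxlabel        highest label offered for new zones; taken from
#                 "chk_encodings -X", with a fixed fallback when that fails.
# zonename        zone currently being operated on ("" = none selected).
# config          scratch file for zonecfg command batches.
NSCD_PER_LABEL=0
NSCD_INDICATOR="/var/tsol/doors/nscd_per_label"
export NSCD_PER_LABEL
export NSCD_INDICATOR
if [ -f "$NSCD_INDICATOR" ] ; then
	NSCD_PER_LABEL=1
fi
PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
title="Labeled Zone Manager"
maxlabel=$(chk_encodings -X 2>/dev/null)
if [[ -z $maxlabel ]]; then
	maxlabel=0x000a-08-f8
fi
zonename=""
export zonename
# NOTE(review): this name is predictable (PID-based) in the world-writable
# /tmp, and every user does "echo ... > $config" as root, so a pre-placed
# symlink at that name would be followed. Creating the file with mktemp
# and keeping it (and a cleanup trap) for the life of the script instead
# of re-creating it per use would close that window.
config=/tmp/zfg.$$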
48
# Offer the "Zone Console..." menu item unless a console session
# ("zlogin -C <zone>") for $zonename is already running.
# Globals:  zonename (read); zconsole, console (written)
consoleCheck() {
	zconsole=$(pgrep -f "zlogin -C $zonename")
	if [ $? -ne 0 ]; then
		console="Zone Console...\n"
	fi
}
55
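# Look up $zonename in tnzonecfg. When the zone has a label, curlabel is
# its human-readable form; otherwise the "Select Label..." menu item is
# offered and curlabel is shown as "...".
# Globals:  zonename (read); hexlabel, label, curlabel (written)
labelCheck() {
	hexlabel=$(/bin/grep "^$zonename:" \
	    /etc/security/tsol/tnzonecfg | cut -d ":" -f2)
	# quoted test: an empty or odd value must not become a syntax error
	if [ -n "$hexlabel" ] ; then
		label=
		curlabel=$(hextoalabel "$hexlabel")
	else
		label="Select Label...\n"
		curlabel=...
	fi
}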
67
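# Offer "Create Snapshot" when no ZFS snapshot exists for the zone's
# dataset ($ZDSET/$zonename).
# Globals:  ZDSET, zonename (read); filesystem, snapshot (written)
snapshotCheck() {
	# pattern quoted so empty variables cannot shift grep's arguments
	filesystem=$(zfs list -t snapshot | grep "$ZDSET/$zonename" | cut -d " " -f1)
	if [[ -z $filesystem ]]; then
		snapshot="Create Snapshot\n"
	fi
}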
74
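# Build zonelist from every installed zone other than $zonename; when at
# least one exists, offer the "Copy..." and "Clone" menu items.
# Globals:  zonename (read); zonelist, copy, clone (written)
copyCheck() {
	zonelist=""
	for p in $(zoneadm list -ip); do
		# second ":"-separated field of a zoneadm record is the zone name
		q=$(echo "$p" | cut -d ":" -f2)
		# quoted: an empty zonename would otherwise be a syntax error
		if [ "$q" != "$zonename" ]; then
			zonelist="$zonelist $q"
		fi
	done
	if [[ -n $zonelist ]]; then
		copy="Copy...\n"
		clone="Clone\n"
	fi
}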
88
# Offer the relabeling toggle that applies to the zone: "Deny" when its
# limitpriv already contains win_mac_write, "Permit" otherwise.
# Globals:  zonename (read); macstate, permitrelabel (written)
relabelCheck() {
	macstate=$(zonecfg -z $zonename info | grep win_mac_write)
	if [[ -z $macstate ]]; then
		permitrelabel="Permit Relabeling\n"
	else
		permitrelabel="Deny Relabeling\n"
	fi
}
97
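# Let the user assign a sensitivity label to $zonename: list every label
# up to $maxlabel that no zone uses yet, and append the choice to
# tnzonecfg as "<zone>:<hexlabel>:0::". Shows an error if the chosen text
# does not convert back to a valid label.
# Globals:  maxlabel, zonename, title (read);
#           labelList, hexlabel, newlabel, alabel (written)
selectLabel() {
	labelList=""
	for p in $(lslabels -h "$maxlabel"); do
		# a label already present in tnzonecfg is taken by some zone
		hexlabel=$(/bin/grep ":$p:" /etc/security/tsol/tnzonecfg)
		if [ $? != 0 ]; then
			newlabel=$(hextoalabel "$p")
			labelList="$labelList $newlabel\n"
		fi
	done
	# unquoted on purpose: ksh echo turns the \n separators into lines
	alabel=$(echo $labelList|zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=400 \
	    --column="Available Sensitivity Labels")

	if [[ -n $alabel ]]; then
		newlabel=$(atohexlabel "$alabel" 2>/dev/null)
		if [[ -n $newlabel ]]; then
			echo "$zonename:$newlabel:0::" >> /etc/security/tsol/tnzonecfg
		else
			x=$(zenity --error \
			    --title="$title" \
			    --text="$alabel is not valid")
		fi
	fi
}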
124
# Make sure each labeled zone can resolve the global zone's hostname from
# its own /etc/inet/ipnodes. With nscd-per-label every zone does its own
# lookups, and X clients in a zone use the global zone's hostname in
# DISPLAY, so a missing entry breaks X for that zone.
# Arguments: $1 - zone to fix (optional); default is every non-global zone
# Globals:   title (read); ZONE_PATH, ZONE_ETC_DIR, IPNODES, LIST,
#            ERRORLIST, ghostname, gipaddress, ENTRY (written)
# Outputs:   appends "<address><tab><hostname>" to each ipnodes file that
#            lacks the hostname; zones whose entry maps it to 127.0.0.1
#            are listed in a zenity warning instead of being edited
resolveXdisplay() {
	export ZONE_PATH
	export ZONE_ETC_DIR
	export IPNODES
	export LIST
	ERRORLIST=""
	export ERRORLIST
	# if using nscd-per-label then we have to be sure the global zone's
	# hostname resolves because it is used for DISPLAY in X
	ghostname=`hostname`
	export ghostname

	if [[ -n "$1" ]] ; then
		LIST=`zoneadm list -ip | grep ":$1:"`
	else
		LIST=`zoneadm list -ip | grep -v "global"`
	fi

	gipaddress=`getent hosts $ghostname|cut -f1`
	# each word of LIST is one "id:name:state:path:..." zoneadm record
	for i in $LIST; do
		ZONE_PATH=`echo "$i" |cut -d ":" -f4`
		ZONE_ETC_DIR=$ZONE_PATH/root/etc
		IPNODES=${ZONE_ETC_DIR}/inet/ipnodes

		# Rather than toggle on and off with NSCD_PER_LABEL, put the
		# information in there and a sysadmin can remove it if necessary
		# $DISPLAY will not work in X without global hostname
		# NB: the pattern is unanchored and unquoted, so any line that
		# merely contains the hostname counts as "present"
		ENTRY=`grep $ghostname $IPNODES`
		case "$ENTRY" in
			127.0.0.1* )
				# mapped to loopback: report it, do not rewrite the file
				if [[ -z $ERRORLIST ]] ; then
					ERRORLIST="$ghostname address 127.0.0.1 found in:\n"
				fi
				ERRORLIST="$ERRORLIST $IPNODES\n"
				;;
			"")
				# absent: add it (relies on ksh echo expanding \t)
				gipaddress=`getent hosts $ghostname|cut -f1`
				echo "$gipaddress\t$ghostname" >>  $IPNODES
				;;
			*)
				continue
				;;

		esac
	done
	if [[ -n "$ERRORLIST" ]] ; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="WARNING:\n\n\n$ERRORLIST\n\n")
	fi
}
176
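# Create the zone's root from a user-selected ZFS snapshot: destroy any
# dataset the zone already has, clone the snapshot in its place, mount it
# under /zone/<zone>, force-attach the zone, and then share or unshare
# the password files according to the name-service configuration.
# Globals:  ZDSET, zonename, title, NSCD_PER_LABEL (read);
#           image, dataset (written)
# Returns:  1 without doing anything when zonename is empty
clone() {
	# Every zfs/zoneadm target below is built from zonename; with an
	# empty one "zfs destroy" would aim at "$ZDSET/" rather than a zone.
	if [[ -z $zonename ]]; then
		return 1
	fi
	# only snapshots whose name contains "snapshot" (the ones this
	# script creates as <dataset>@snapshot) are offered
	image=$(zfs list -t snapshot | grep snapshot | cut -d " " -f1 | \
	    zenity --list \
	    --title="$title" \
	    --height=300 \
	    --column="ZFS Zone Snapshots")
	if [[ -z $image ]]; then
		return
	fi
	dataset=$(zfs list | grep "$ZDSET/$zonename" | cut -d " " -f1)
	if [[ -n $dataset ]]; then
		/usr/sbin/zfs destroy "$ZDSET/$zonename"
	fi
	/usr/sbin/zfs clone "$image" "$ZDSET/$zonename"
	/usr/sbin/zfs set mountpoint="/zone/$zonename" "$ZDSET/$zonename"

	/usr/sbin/zoneadm -z "$zonename" attach -F
	# an LDAP client zone gets its users from LDAP; otherwise the
	# global zone's passwd/shadow are shared unless nscd-per-label is on
	if [ ! -f /var/ldap/ldap_client_file ]; then
		if [ "$NSCD_PER_LABEL" = 0 ] ; then
			sharePasswd
		else
			unsharePasswd
			resolveXdisplay
		fi
	fi
}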
202
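# Populate $zonename by copying an existing installed zone chosen from
# $zonelist (zoneadm clone -m copy, run in a terminal window), then share
# or unshare the password files as the name-service configuration needs.
# Globals:  title, zonelist, zonename, NSCD_PER_LABEL (read); image (written)
# Returns:  1 when no source zone was selected (dialog cancelled)
copy() {
	image=$(zenity --list \
	    --title="$title: Copy From" \
	    --height=300 \
	    --column="Installed Zones" $zonelist)
	# no selection: nothing to copy from, so do not touch the zone
	if [[ -z $image ]]; then
		return 1
	fi

	/usr/bin/gnome-terminal \
	    --title="$title: Copying $image to $zonename zone" \
	    --command "zoneadm -z $zonename clone -m copy $image" \
	    --disable-factory \
	    --hide-menubar

	if [ ! -f /var/ldap/ldap_client_file ]; then
		if [ "$NSCD_PER_LABEL" = 0 ] ; then
			sharePasswd
		else
			unsharePasswd
			resolveXdisplay
		fi
	fi
}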
225
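# Write the zone's sysidcfg so its first boot needs no interactive setup.
# Prompts for the zone's hostname (pre-filled with the global zone's),
# then records: name service (LDAP settings copied from the global zone's
# ldapclient configuration, or NONE), locale, timezone, terminal, NFSv4
# domain and the primary network identity. Exits the whole script when
# the prompt is cancelled or the zone is not installed.
# Globals:  zonename, title, NSCD_PER_LABEL (read); hostname, ZONE_PATH,
#           ZONE_ETC_DIR, ipaddress, SYSIDCFG and the ldap*/locale/
#           timezone scratch variables (written)
initialize() {
	hostname=$(hostname)
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="Enter Host Name: " \
	    --entry-text "$hostname")
	if [ $? != 0 ]; then
		exit 1
	fi

	ZONE_PATH=$(zoneadm list -ip | grep ":${zonename}:" | cut -d ":" -f4)
	if [ -z "$ZONE_PATH" ] ; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="$zonename is not an installed zone")
		exit 1
	fi
	ZONE_ETC_DIR=$ZONE_PATH/root/etc
	ipaddress=$(getent hosts "$hostname" | cut -f1)
	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg

	if [ -f /var/ldap/ldap_client_file ]; then
		# The global zone is an LDAP client: give the zone the same
		# server, domain, profile and proxy credentials. sysidcfg takes
		# the proxy password in clear text, so the file is sensitive.
		ldapaddress=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
		echo "name_service=LDAP {" > "${SYSIDCFG}"
		domain=$(domainname)
		echo "domain_name=$domain" >> "${SYSIDCFG}"
		profName=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
		proxyPwd=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
		proxyDN=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
		if [ -n "$proxyDN" ]; then
			echo "proxy_dn=\"$proxyDN\"" >> "${SYSIDCFG}"
			echo "proxy_password=\"$proxyPwd\"" >> "${SYSIDCFG}"
		fi
		echo "profile=$profName" >> "${SYSIDCFG}"
		echo "profile_server=$ldapaddress }" >> "${SYSIDCFG}"
		cp /etc/nsswitch.conf "$ZONE_ETC_DIR/nsswitch.ldap"
	else
		echo "name_service=NONE" > "${SYSIDCFG}"
		if [ "$NSCD_PER_LABEL" = 0 ] ; then
			sharePasswd
		else
			# for this case resolveXdisplay is called at the end of
			# this function instead
			unsharePasswd
		fi
	fi

	echo "security_policy=NONE" >> "${SYSIDCFG}"
	locale=$(locale | grep LANG | cut -d "=" -f2)
	if [[ -z $locale ]]; then
		locale="C"
	fi
	echo "system_locale=$locale" >> "${SYSIDCFG}"
	timezone=$(/bin/grep "^TZ" /etc/TIMEZONE | cut -d "=" -f2)
	echo "timezone=$timezone" >> "${SYSIDCFG}"
	echo "terminal=vt100" >> "${SYSIDCFG}"
	# No root_password entry is written, so root's hash is deliberately
	# not read from /etc/shadow here: an unused copy in a shell variable
	# served nothing.
	echo "nfs4_domain=dynamic" >> "${SYSIDCFG}"
	echo "network_interface=PRIMARY {" >> "${SYSIDCFG}"
	echo "protocol_ipv6=no" >> "${SYSIDCFG}"
	echo "hostname=$hostname" >> "${SYSIDCFG}"
	echo "ip_address=$ipaddress }" >> "${SYSIDCFG}"
	cp /etc/default/nfs "${ZONE_ETC_DIR}/default/nfs"
	touch "${ZONE_ETC_DIR}/.NFS4inst_state.domain"
	if [ "$NSCD_PER_LABEL" = 1 ] ; then
		resolveXdisplay
	fi
}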
298
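# Create the zone's ZFS dataset (when a zone pool exists), run the zone
# install in a terminal window, then write its sysidcfg via initialize.
# Globals:  ZDSET, zonename, title (read)
# Returns:  1 without doing anything when zonename is empty
install() {
	# the dataset, mountpoint and chmod target are all built from zonename
	if [[ -z $zonename ]]; then
		return 1
	fi
	# if there is a zfs pool for zone
	# create a new dataset for the zone
	# This step is done automatically by zonecfg
	# in Solaris Express 8/06 or newer
	if [ "$ZDSET" != none ]; then
		zfs create -o mountpoint="/zone/$zonename" \
		    "$ZDSET/$zonename"
		# zoneadm expects the zonepath to be mode 700
		chmod 700 "/zone/$zonename"
	fi

	/usr/bin/gnome-terminal \
	    --title="$title: Installing $zonename zone" \
	    --command "zoneadm -z $zonename install" \
	    --disable-factory \
	    --hide-menubar

	initialize
}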
319
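# Remove the zone completely: its tnzonecfg entry, its zonecfg
# configuration and its ZFS dataset; clears zonename afterwards.
# Globals:  zonename, ZDSET (read); tnzone, dataset, zonename (written)
# Returns:  1 without doing anything when zonename is empty
delete() {
	# the tnzonecfg edit and the zfs destroy are built from zonename
	if [[ -z $zonename ]]; then
		return 1
	fi
	# if there is an entry for this zone in tnzonecfg, remove it
	# before deleting the zone.
	tnzone=$(egrep "^$zonename:" /etc/security/tsol/tnzonecfg 2>/dev/null)
	if [ -n "${tnzone}" ]; then
		# mktemp rather than a PID-named file: /tmp is shared and this
		# runs as root, so a pre-placed symlink must not be followed
		tmpcfg=$(mktemp /tmp/tnzonefg.XXXXXX) || return 1
		# delete by zone-name field; the fetched line may hold regex
		# metacharacters (or several entries) and is unsafe as a pattern
		sed -e "/^$zonename:/d" /etc/security/tsol/tnzonecfg > \
		    "$tmpcfg" 2>/dev/null
		# copy into the existing file so tnzonecfg keeps its owner/mode
		cp "$tmpcfg" /etc/security/tsol/tnzonecfg && rm -f "$tmpcfg"
	fi
	zonecfg -z "$zonename" delete -F
	dataset=$(zfs list | grep "$ZDSET/$zonename" | cut -d " " -f1)
	if [[ -n $dataset ]]; then
		/usr/sbin/zfs destroy "$ZDSET/$zonename"
	fi
	zonename=
}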
337
# Let the user pick a physical IPv4 interface. Each word of the ifconfig
# output that begins a non-loopback interface line ("name:") is a
# candidate; logical interfaces ("name:N") are skipped.
# Globals:  title (read); nics, nic (written; nic is "" when cancelled)
getNIC(){
	nics=
	for word in $(ifconfig -a4 | grep "^[a-z].*:" | grep -v LOOPBACK)
	do
		# keep only the "name:" words that start an interface line
		echo $word | grep "^[a-z].*:" >/dev/null 2>&1
		[ $? -eq 1 ] && continue
		word=${word%:}
		# a colon left over means a logical interface such as nic:1
		echo $word | grep ":" >/dev/null 2>&1
		[ $? -eq 0 ] && continue
		nics="$nics $word"
	done

	nic=$(zenity --list \
	    --title="$title" \
	    --column="Interface" \
	    $nics)
}
360
# Prompt for the netmask of $ipaddr and convert it to a CIDR prefix
# length (count of 1 bits in the dotted-quad mask).
# Globals:  title, ipaddr (read); nm, cidr (written; "" when cancelled)
getNetmask() {
	cidr=
	nm=$(zenity --entry \
	    --title="$title" \
	    --text="$ipaddr: Enter netmask: " \
	    --entry-text 255.255.255.0)
	[ $? != 0 ] && return

	# the mask reaches perl as an argument, not as part of the program
	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
}
374
# Add a network resource to the zone: interface, address and netmask are
# collected interactively; any cancelled step abandons the whole thing.
# Globals:  nic, ipaddr, cidr, config, zonename (read); zcfg (written)
addNet() {
	getNIC
	[[ -z $nic ]] && return
	getIPaddr
	[[ -z $ipaddr ]] && return
	getNetmask
	[[ -z $cidr ]] && return
	zcfg="
add net
set address=${ipaddr}/${cidr}
set physical=$nic
end
commit
"
	# batch the zonecfg commands through the scratch file
	echo "$zcfg" > $config
	zonecfg -z $zonename -f $config
	rm $config
}
399
# Parse "ifconfig $nic" word by word: the word after "inet" is the IPv4
# address, the word after "zone" is the owning zone, "all-zones" marks a
# shared interface and the "flags=..." word is kept for the UP check.
# An interface with no address (0.0.0.0) shows "..." for both columns;
# otherwise the tnrhdb template for the address is looked up via tninfo.
# Globals:  nic (read); zone, type, flags, ipaddr, template (written)
# Note: ipaddr is not reset here and is only assigned when an "inet"
# word is seen, so it can carry over from a previous call; an unset
# ipaddr also makes the "[ $ipaddr != 0.0.0.0 ]" test fail with an error.
getAttrs() {
	zone=global
	type=ignore
	for j in `ifconfig $nic`
	do
		# "type" remembers which keyword the previous word was, so
		# the following word is stored in the matching variable
		case $j in
			inet) type=$j;;
			zone) type=$j;;
			all-zones) zone=all-zones;;
			flags*) flags=$j;;
			*) case $type in
				inet) ipaddr=$j ;;
				zone) zone=$j ;;
				*) continue ;;
			   esac;\
			   type=ignore;;
		esac
	done
	if [ $ipaddr != 0.0.0.0 ]; then
		template=`tninfo -h $ipaddr|grep Template| cut -d" " -f3`
	else
		template="..."
		ipaddr="..."
	fi
}
425
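# Load the ipaddr -> template mapping into the kernel (tnctl) and make it
# persistent in tnrhdb: rewrite an existing entry for ipaddr, else append.
# Globals:  ipaddr, template (read); x (written)
updateTnrhdb() {
	tnctl -h "${ipaddr}:$template"
	x=$(grep "^${ipaddr}[^0-9]" /etc/security/tsol/tnrhdb)
	if [ $? = 0 ]; then
		# Replace the matching line by address instead of substituting
		# the fetched text: that text may span several lines or contain
		# characters ("/", ".") that break an unquoted s/.../.../.
		# mktemp: this runs as root and /tmp is shared, so a PID-named
		# file could be pre-placed as a symlink.
		tmpdb=$(mktemp /tmp/txnetmgr.XXXXXX) || return 1
		sed "/^${ipaddr}[^0-9]/s|.*|${ipaddr}:${template}|" \
		    /etc/security/tsol/tnrhdb > "$tmpdb"
		# copy into the existing file so tnrhdb keeps its owner/mode
		cp "$tmpdb" /etc/security/tsol/tnrhdb && rm -f "$tmpdb"
	else
		echo "${ipaddr}:$template" >> /etc/security/tsol/tnrhdb
	fi
}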
437
# Ask for the host's name for $nic and resolve it; when it does not
# resolve, ask for the IP address directly. Returns early on cancel.
# Globals:  title, nic (read); hostname, ipaddr (written)
getIPaddr() {
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="$nic: Enter hostname: ")
	[ $? != 0 ] && return

	ipaddr=$(getent hosts $hostname | cut -f1)
	if [[ -n $ipaddr ]]; then
		return
	fi
	# unknown name: fall back to a manually entered address
	ipaddr=$(zenity --entry \
	    --title="$title" \
	    --text="$nic: Enter IP address: " \
	    --entry-text a.b.c.d)
	if [ $? != 0 ]; then
		return
	fi
}
460
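# Record the host chosen in getIPaddr: add it to hosts and ipnodes
# (unless its address is already there), register it as a CIPSO peer in
# tnrhdb, configure $nic with the address and persist it in
# /etc/hostname.<nic>.
# Globals:  ipaddr, hostname, nic (read); template (written)
addHost() {
	# nothing to record without an address (getIPaddr was cancelled)
	if [[ -z $ipaddr ]]; then
		return
	fi
	# Update hosts and ipnodes; "[^0-9]" keeps 10.0.0.1 from matching
	# 10.0.0.10 (relies on ksh echo expanding \t)
	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
	if [ $? -eq 1 ]; then
		echo "$ipaddr\t$hostname" >> /etc/inet/hosts
	fi

	grep "^${ipaddr}[^0-9]" /etc/inet/ipnodes >/dev/null
	if [ $? -eq 1 ]; then
		echo "$ipaddr\t$hostname" >> /etc/inet/ipnodes
	fi

	# every host added here is a labeled (CIPSO) peer
	template=cipso
	updateTnrhdb

	ifconfig "$nic" "$ipaddr" netmask + broadcast +
	echo "$hostname" > "/etc/hostname.$nic"
}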
482
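# Let the user associate a CIPSO template from tnrhtp with $ipaddr: pick
# a template, confirm after seeing its label range, then write it via
# updateTnrhdb. Cancelling the first list leaves tnrhdb unchanged;
# cancelling the confirmation goes back to the template list.
# Globals:  title, ipaddr (read); templates, t_cmd, t_label, template (written)
getTemplate() {
	# candidate templates: tnrhtp entries of type cipso (name up to ":")
	templates=$(grep "^[A-z]" /etc/security/tsol/tnrhtp | \
	    grep "type=cipso" | cut -f1 -d":")

	while :; do
		t_cmd=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column="Network Templates" \
		    $templates)
		[ $? != 0 ] && break

		# the template's sl lines are shown; OK confirms the association
		t_label=$(tninfo -t "$t_cmd" | grep sl | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Click OK to associate $t_cmd template with $ipaddr" )
		[ $? != 0 ] && continue

		template=$t_cmd
		updateTnrhdb
		break
	done
}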
512
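# Add a logical interface on $nic (addif with a placeholder address) and
# show ifconfig's output to the user.
# Globals:  nic, title (read); msg (written)
createInterface() {
	msg=$(ifconfig "$nic" addif 0.0.0.0)
	# run zenity directly, not inside $(...): a command substitution
	# used as a statement executes whatever the dialog prints
	zenity --info \
	    --title="$title" \
	    --text="$msg"
}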
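# Make $nic visible to all zones, now and at boot: set the interface
# all-zones and append " all-zones" to the first line of its
# /etc/hostname.<nic> file.
# Globals:  nic (read); if_file (written)
shareInterface() {
	ifconfig "$nic" all-zones
	if_file=/etc/hostname.$nic
	# mktemp: this runs as root and /tmp is shared, so a PID-named
	# file could be pre-placed as a symlink
	tmpif=$(mktemp /tmp/txnetmgr.XXXXXX) || return 1
	# One sed reads the file: edit line 1 and quit. A "sed q | sed ...
	# < file" pipeline would feed the file only to the second stage and
	# leave the first stage reading the script's stdin.
	sed -e 's/$/ all-zones/' -e q "$if_file" > "$tmpif"
	# copy into the existing file so it keeps its owner/mode
	cp "$tmpif" "$if_file" && rm -f "$tmpif"
}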
# "Permit Relabeling": raise the zone's limitpriv set with the window
# and file MAC/DAC override privileges needed for relabeling.
# Globals:  config, zonename (read); zcfg (written)
setMacPrivs() {
	zcfg="
set limitpriv=default,win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,file_downgrade_sl,file_upgrade_sl,sys_trans_label
commit
"
	# batch the zonecfg commands through the scratch file
	printf '%s\n' "$zcfg" > $config
	zonecfg -z $zonename -f $config
	rm $config
}
536
# "Deny Relabeling": put the zone's limitpriv set back to the default.
# Globals:  config, zonename (read); zcfg (written)
resetMacPrivs() {
	zcfg="
set limitpriv=default
commit
"
	# batch the zonecfg commands through the scratch file
	printf '%s\n' "$zcfg" > $config
	zonecfg -z $zonename -f $config
	rm $config
}
546
# Remove the read-only /etc/passwd and /etc/shadow loopback mounts from
# every non-global zone (used when switching to nscd-per-label). "No such"
# complaints from zones that never had them are filtered out.
# Globals:  i (loop variable, clobbered); zone configurations modified
unsharePasswd() {
	for i in $(zoneadm list -i | grep -v global); do
		for pwfile in /etc/passwd /etc/shadow; do
			zonecfg -z $i remove fs dir=$pwfile 2>&1 | grep -v such
		done
	done
}
553
# Loopback-mount the global zone's /etc/passwd and /etc/shadow read-only
# into $zonename, unless nscd-per-label is in use or the mounts are
# already configured.
# Globals:  NSCD_PER_LABEL, zonename, config (read); passwd, zcfg (written)
sharePasswd() {
	[ $NSCD_PER_LABEL -ne 0 ] && return
	passwd=$(zonecfg -z $zonename info | grep /etc/passwd)
	# grep's status is the pipeline's: 1 means no passwd mount yet
	if [[ $? -ne 1 ]]; then
		return
	fi
	zcfg="
add fs
set special=/etc/passwd
set dir=/etc/passwd
set type=lofs
add options ro
end
add fs
set special=/etc/shadow
set dir=/etc/shadow
set type=lofs
add options ro
end
commit
"
	# batch the zonecfg commands through the scratch file
	printf '%s\n' "$zcfg" > $config
	zonecfg -z $zonename -f $config
	rm $config
}
580
# Toggle between a global nscd and nscd-per-label: the menu only ever
# offers to CHANGE the current configuration, so whichever mode is in
# effect is switched to the other.
#   -> per-label: create the indicator file (a regular file, which is
#      what svc-nscd detects), drop the passwd/shadow mounts from every
#      zone and make sure the global hostname resolves in each of them.
#   -> global:    remove the indicator and share passwd/shadow into
#      every non-global zone again.
# Globals:  NSCD_PER_LABEL, NSCD_INDICATOR (read/written);
#           zonename, i (written; zonename is left empty)
manageNscd() {
	if [ $NSCD_PER_LABEL -eq 0 ] ; then
		# this MUST be a regular file for svc-nscd to detect
		touch $NSCD_INDICATOR
		NSCD_PER_LABEL=1
		unsharePasswd
		resolveXdisplay
		return
	fi
	export zonename
	rm -f $NSCD_INDICATOR
	NSCD_PER_LABEL=0
	# sharePasswd works on $zonename, so visit each zone in turn
	for i in $(zoneadm list -i | grep -v global); do
		zonename=$i
		sharePasswd
	done
	zonename=
}
605
# Interactive loop for "Manage Network Interfaces...": list every
# non-loopback IPv4 interface (up and down) with its zone, address,
# template and state, let the user pick one, then offer the operations
# that apply to it (create/remove a logical interface, set its address,
# share it with all zones, view templates, bring it up or down).
# Returns when the interface list is cancelled.
# Globals:  title (read); nic, attrs, zone, ipaddr, template, flags,
#           command and the per-operation menu strings (written)
manageNets() {
	while [ 1 -gt 0 ]; do
		attrs=
		# interfaces that are up (-u): one "name zone addr tmpl Up" row each
		for i in `ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK`
		do
			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
			if [ $? -eq 1 ]; then
				continue
			fi
			nic=${i%:} # Remove colon after interface name
			getAttrs
			attrs="$nic $zone $ipaddr $template Up $attrs"
		done

		# interfaces that are down (-d)
		for i in `ifconfig -ad4 |grep  "^[a-z].*:" |grep -v LOOPBACK`
		do
			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
			if [ $? -eq 1 ]; then
				continue
			fi
			nic=${i%:} # Remove colon after interface name
			getAttrs
			attrs="$nic $zone $ipaddr $template Down $attrs"
		done

		nic=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Interface" \
		    --column="Zone Name" \
		    --column="IP Address" \
		    --column="Template" \
		    --column="State" \
		    $attrs)

		if [[ -z $nic ]]; then
			return
		fi

		# re-read the chosen interface so zone/ipaddr/flags are current
		getAttrs

		# Clear list of commands

		share=
		setipaddr=
		settemplate=
		newlogical=
		unplumb=
		bringup=
		bringdown=

		# Check for physical interface
		# (a colon in the name means a logical interface such as nic:1)

		hascolon=`echo $nic |grep :`
		if [ $? != 0 ]; then
			newlogical="Create Logical Interface\n";
		else
			up=`echo $flags|grep "UP,"`
			if [ $? != 0 ]; then
				unplumb="Remove Logical Interface\n"
				if [ $ipaddr != "..." ]; then
					bringup="Bring Up\n"
				fi
			else
				bringdown="Bring Down\n"
			fi
		fi

		if [ $ipaddr = "..." ]; then
			setipaddr="Set IP address...\n";
		else
			settemplate="View Templates...\n"
			if [ $zone = global ]; then
				share="Share\n"
			fi
		fi

		# the leading "" makes echo prefix every entry with a space,
		# which is why the case patterns below start with " "
		command=$(echo ""\
		    $share \
		    $setipaddr \
		    $settemplate \
		    $newlogical \
		    $unplumb \
		    $bringup \
		    $bringdown \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "Interface: $nic" )

		case $command in
		    " Create Logical Interface")\
			createInterface;;
		    " Set IP address...")\
			getIPaddr
			addHost;;
		    " Share")\
			shareInterface;;
		    " View Templates...")\
			getTemplate;;
		    " Remove Logical Interface")\
			ifconfig $nic unplumb;\
			rm -f /etc/hostname.$nic;;
		    " Bring Up")\
			ifconfig $nic up;;
		    " Bring Down")\
			ifconfig $nic down;;
		    *) continue;;
		esac
	done
}
718
# Turn the global zone into an LDAP client: collect domain, server name
# and address, proxy password (entered twice) and profile name, confirm
# them, add the server to /etc/hosts and tnrhdb (as a CIPSO peer) when
# missing, derive the base DN from the domain and run "ldapclient init".
# The command's output is shown in a text window with a Success/Error
# title.
# Globals:  title (read); ldap* scratch variables, proxyDN, ldapout,
#           ldapstatus (written)
createLDAPclient() {
	ldaptitle="$title: Create LDAP Client"
	ldapdomain=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Domain Name: ")
	ldapserver=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Hostname of LDAP Server: ")
	ldapserveraddr=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
	ldappassword=""
	# repeat until a non-empty password is entered twice identically;
	# a cancelled dialog yields "" and simply asks again
	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]]; do
	    ldappassword=$(zenity --entry \
		--width=400 \
		--title="$ldaptitle" \
		--hide-text \
		--text="Enter LDAP Proxy Password:")
	    ldappasswordconfirm=$(zenity --entry \
		--width=400 \
		--title="$ldaptitle" \
		--hide-text \
		--text="Confirm LDAP Proxy Password:")
	done
	ldapprofile=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter LDAP Profile Name: ")
	# confirmation screen; the password is shown masked with "*"
	whatnext=$(zenity --list \
	    --width=400 \
	    --height=250 \
	    --title="$ldaptitle" \
	    --text="Proceed to create LDAP Client?" \
	    --column=Parameter --column=Value \
	    "Domain Name" "$ldapdomain" \
	    "Hostname" "$ldapserver" \
	    "IP Address" "$ldapserveraddr" \
	    "Password" "`echo "$ldappassword" | sed 's/./*/g'`" \
	    "Profile" "$ldapprofile")
	if [ $? != 0 ]; then
		return
	fi

	/bin/grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
	if [ $? -eq 1 ]; then
		/bin/echo "$ldapserveraddr $ldapserver" >> /etc/hosts
	fi

	# the server must be a known CIPSO host before ldapclient can reach it
	/bin/grep "${ldapserver}:" /etc/security/tsol/tnrhdb > /dev/null
	if [ $? -eq 1 ]; then
		/bin/echo "# ${ldapserver} - ldap server" \
		    >> /etc/security/tsol/tnrhdb
		/bin/echo "${ldapserveraddr}:cipso" \
		    >> /etc/security/tsol/tnrhdb
		/usr/sbin/tnctl -h "${ldapserveraddr}:cipso"
	fi

	# base DN from the dotted domain: a.b.c -> dc=a,dc=b,dc=c
	proxyDN=`echo $ldapdomain|awk -F"." \
	    "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }"`

	zenity --info \
	    --title="$ldaptitle" \
	    --width=500 \
	    --text="global zone will be LDAP client of $ldapserver"

	# NOTE(review): PID-based name in the shared /tmp, written as root;
	# mktemp would avoid following a pre-placed symlink
	ldapout=/tmp/ldapclient.$$

	# NOTE(review): the proxy password travels on ldapclient's command
	# line, so it is visible in ps output while the command runs
	ldapclient init -a profileName="$ldapprofile" \
	    -a domainName="$ldapdomain" \
	    -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
	    -a proxyPassword="$ldappassword" \
	    "$ldapserveraddr" >$ldapout 2>&1

	if [ $? -eq 0 ]; then
	    ldapstatus=Success
	else
	    ldapstatus=Error
	fi

	zenity --text-info \
	    --width=700 \
	    --height=300 \
	    --title="$ldaptitle: $ldapstatus" \
	    --filename=$ldapout

	rm -f $ldapout


}
811
# Loop for single-zone menu: show the operations valid for $zonename in
# its current state (zoneadm state plus console/label/snapshot/copy/
# relabel checks), run the chosen one, and repeat until the user returns
# to the main menu or the zone is deleted.
# Glob
# Globals:  zonename, title, ZDSET (read); zonestate, command, delay and
#           the per-operation menu strings (written); zonename is cleared
#           when leaving through "Return to Main Menu" or a cancel
singleZone() {

	while [ "${command}" != Exit ]; do
		if [[ ! -n $zonename ]]; then
			x=$(zenity --error \
			    --title="$title" \
			    --text="zonename \"$zonename\" is not valid")
			return
		fi
		# Clear list of commands

		console=
		label=
		start=
		reboot=
		stop=
		clone=
		copy=
		install=
		ready=
		uninstall=
		delete=
		snapshot=
		addnet=
		deletenet=
		permitrelabel=

		zonestate=`zoneadm -z $zonename list -p | cut -d ":" -f 3`

		consoleCheck;
		labelCheck;
		delay=0

		# menu items by zone state; an installed zone can only be
		# readied/booted once it has a label (label is "" then)
		case $zonestate in
			running) ready="Ready\n"; \
			       reboot="Reboot\n"; \
			       stop="Halt\n"; \
			;;
			ready) start="Boot\n"; \
			       stop="Halt\n" \
			;;
			installed)
				if [[ -z $label ]]; then \
					ready="Ready\n"; \
					start="Boot\n"; \
				fi; \
				uninstall="Uninstall\n"; \
				snapshotCheck; \
				relabelCheck;
				addnet="Add Network...\n"
			;;
			configured) install="Install...\n"; \
				copyCheck; \
				delete="Delete\n"; \
				console=; \
			;;
			incomplete) delete="Delete\n"; \
			;;
			*)
			;;
		esac

		# the leading "" makes echo prefix every entry with a space,
		# which is why the case patterns below start with " "
		command=$(echo ""\
		    $console \
		    $label \
		    $start \
		    $reboot \
		    $stop \
		    $clone \
		    $copy \
		    $install \
		    $ready \
		    $uninstall \
		    $delete \
		    $snapshot \
		    $addnet \
		    $deletenet \
		    $permitrelabel \
		    "Return to Main Menu" \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "$zonename: $zonestate" )

		# "Return to Main Menu" and a cancelled dialog both land in "*)"
		case $command in
		    " Zone Console...")
			delay=2; \
			/usr/bin/gnome-terminal \
			    --title="Zone Terminal Console: $zonename" \
			    --command "/usr/sbin/zlogin -C $zonename" &;;

		    " Select Label...")
			selectLabel;;

		    " Ready")
			zoneadm -z $zonename ready ;;

		    " Boot")
			zoneadm -z $zonename boot ;;

		    " Halt")
			zoneadm -z $zonename halt ;;

		    " Reboot")
			zoneadm -z $zonename reboot ;;

		    " Install...")
			install;;

		    " Clone")
			clone ;;

		    " Copy...")
			copy ;;

		    " Uninstall")
			zoneadm -z $zonename uninstall -F;;

		    " Delete")
			delete
			return ;;

		    " Create Snapshot")
			zfs snapshot $ZDSET/${zonename}@snapshot;;

		    " Add Network...")
			addNet ;;

		    " Permit Relabeling")
			setMacPrivs ;;

		    " Deny Relabeling")
			resetMacPrivs ;;

		    *)
			zonename=
			return ;;
		esac
		# give a freshly started console a moment before re-checking
		sleep $delay;
	done
}
954
955# Main loop for top-level window
956#
957
958
# Pick the ZFS dataset under which zone roots live (ZDSET), or "none"
# when the machine has no ZFS pool: a pool named "zone" wins; otherwise,
# on a ZFS root, a "zones" dataset is created under the root pool.
ZDSET=none
# are there any zfs pools?
if zpool iostat 1>/dev/null 2>&1; then
	# is there a zfs pool named "zone"?
	if zpool list -H zone 1>/dev/null 2>&1; then
		ZDSET=zone
	else
		# no, but is the root filesystem zfs?
		rootfs=$(df -n / | awk '{print $3}')
		if [ $rootfs = "zfs" ]; then
			# yes, use <rootpool>/zones, creating it if needed
			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
			zfs list -H $ZDSET 1>/dev/null 2>&1
			if [ $? = 1 ]; then
				zfs create -o mountpoint=/zone $ZDSET
			fi
		fi
	fi
fi
981
# Main loop for the top-level window: list every configured zone with
# its state and label, followed by the global actions, dispatch the
# choice, and repeat until Exit or a cancelled dialog.
export NSCD_OPT
while [ "${command}" != Exit ]; do
	# one "name\nstate\nlabel\n" triple per non-global zone, filling the
	# three columns of the list below (ksh echo expands the \n)
	zonelist=""
	for p in `zoneadm list -cp |grep -v global:`; do
		zonename=`echo $p|cut -d : -f2`
		state=`echo $p|cut -d : -f3`
		labelCheck
		zonelist="$zonelist$zonename\n$state\n$curlabel\n"
	done

	# the nscd entry always offers to switch away from the current mode
	if [ $NSCD_PER_LABEL -eq 0 ]  ; then
		NSCD_OPT="Configure per-zone name service"
	else
		NSCD_OPT="Unconfigure per-zone name service"
	fi
	# global actions occupy only the first column; the other two are blank
	zonelist=${zonelist}"Manage Network Interfaces...\n\n\n"
	zonelist=${zonelist}"Create a new zone...\n\n\n"
	zonelist=${zonelist}"${NSCD_OPT}"
	zonelist=${zonelist}"\n\n\nCreate LDAP Client...\n\n\n"
	zonelist=${zonelist}"Exit\n\n"

	zonename=""
	topcommand=$(echo $zonelist|zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=500 \
	    --column="Zone Name" \
	    --column="Status" \
	    --column="Sensitivity Label" \
	    )

	# cancelled dialog: leave
	if [[ ! -n $topcommand ]]; then
		command=Exit
		exit
	fi

	if [ "$topcommand" = "$NSCD_OPT" ]; then
		topcommand=
		manageNscd
		continue
	elif [ "$topcommand" = "Manage Network Interfaces..." ]; then
		topcommand=
		manageNets
		continue
	elif [ "$topcommand" = "Exit" ]; then
		command=Exit
		exit
	elif [ "$topcommand" = "Create a new zone..." ]; then
		zonename=$(zenity --entry \
		    --title="$title" \
		    --entry-text="" \
		    --text="Enter Zone Name: ")

		if [[ ! -n $zonename ]]; then
			continue
		fi

		# configure the zone from the Trusted Extensions template
		zcfg="
create -t SUNWtsoldef
set zonepath=/zone/$zonename
commit
"
		echo "$zcfg" > $config ;
		zonecfg -z $zonename -f $config ;
		rm $config
		# Now, go to the singleZone menu, using the global
		# variable zonename, and continue with zone creation
		singleZone
		continue
	elif [ "$topcommand" = "Create LDAP Client..." ]; then
		command=LDAPclient
		createLDAPclient
		continue
	fi
	# if the menu choice was a zonename, pop up zone menu
	zonename=$topcommand
	singleZone
done
1060