
In the Zone, but where

I got an IM from a friend at work who had logged into a zone. When he got the trouble ticket, no one mentioned that the system was a Solaris 10 zone. After a few minutes of testing he finally figured out that he was in a zone, and found that the problem required access to the bare metal (the global zone) to fix, so he needed to know the name or IP address of the global zone on the box. As usual, the asset management system had no information. Well, the Solaris/Sun programmers didn't make it quite that easy. He tried the usual: prtdiag, prtconf, zoneadm list, ifconfig -a, snoop. Still no luck. My friend, being a very busy guy, gave up and sent an email to the submitter of the trouble ticket asking for more information, but that makes for a boring blog entry. I decided I was going to find a way to get the information. Knowing Sun programmers and QA people as well as I do, I realized the easiest way was to observe from the outside, something an intruder shouldn't be able to do.


Just in case you don't have a zone handy, here is typical output of the commands I tested.

# snoop
snoop: No network interface devices found
#
# prtdiag
prtdiag can only be run in the global zone
#
# prtconf
System Configuration: Sun Microsystems sun4u
Memory size: 2048 Megabytes
System Peripherals (Software Nodes):

prtconf: devinfo facility not available

# uname -av
SunOS t1 5.11 snv_69 sun4u sparc SUNW,Ultra-2
#

Here is my solution.

From inside the zone, use ifconfig to get the IP address and network. Notice there is no MAC/host address.

# ifconfig -a
lo0:1: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
qfe0:1: flags=1000843 mtu 1500 index 3
inet 192.168.3.202 netmask ffffff00 broadcast 192.168.3.255

Now open another terminal, log into another box on the same subnet, and become root. Snoop the interface looking for any packet from that host. Actually, we will help it along: go back to the zone and ping the host you logged into.

frankenstein:~# snoop -d qfe0 -v from 192.168.3.202
Using device qfe0 (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:16:33.29232
ETHER: Packet size = 98 bytes
ETHER: Destination = 8:0:20:bc:6c:ec, Sun
ETHER: Source = 8:0:20:8f:a1:28, Sun
ETHER: Ethertype = 0800 (IP)
---- SNIP ----

There we have what we need. Copy the Source entry: it is the MAC address, the hardware address that every NIC has, and hopefully it matches the one on the primary NIC in the global zone. It is rarely changed. Actually, I don't know if IP aliases can have a different MAC address; I'm sure some network guru will comment one way or the other.

Stop the current snoop command and issue a new one that filters on the MAC address, adding a zero to the MAC address as described in the snoop man page for host addresses. Then open another terminal session and broadcast ping the subnet, ping -s 192.168.1.255 in this case. Hopefully the global zone and all the other zones will reply to the ping, and snoop will print the ones with the matching MAC/host address. Hopefully it isn't a SunFire box with 250 or so zones on it. We can now log in, or run a distributed shell script, across the IP addresses we get from this command and get each one's zonename; the one that responds global to "zonename" is the answer to our question.


frankenstein:~# snoop -d qfe0 from 08:0:20:8f:a1:28
Using device qfe0 (promiscuous mode)
---- SNIP ----
192.168.3.230 -> frankenstein3 ICMP Echo reply (ID: 1384 Sequence number: 0)
192.168.3.202 -> frankenstein3 ICMP Echo reply (ID: 1384 Sequence number: 1)
----- SNIP -----
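
The last step above (reduce the snoop output to the addresses that answered, then ask each one for its zonename) as an added example that is not part of the original post. The sample snoop lines are constructed from the output shown above; query_zonename and the ZONE_QUERY override are hypothetical names, and the default assumes you already have key-based ssh access to the hosts.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample input, modelled on the snoop summary lines above.
SAMPLE_SNOOP='Using device qfe0 (promiscuous mode)
192.168.3.230 -> frankenstein3 ICMP Echo reply (ID: 1384 Sequence number: 0)
192.168.3.202 -> frankenstein3 ICMP Echo reply (ID: 1384 Sequence number: 1)
192.168.3.230 -> frankenstein3 ICMP Echo reply (ID: 1384 Sequence number: 2)'

# Read snoop summary output on stdin and print each distinct source
# address that sent an ICMP Echo reply, in first-seen order.
# (On older Solaris releases use nawk; the old /usr/bin/awk lacks this syntax.)
candidate_ips() {
    awk '$2 == "->" && /ICMP Echo reply/ && !seen[$1]++ { print $1 }'
}

# Default query (assumption): run zonename on the host over ssh.
# BatchMode stops ssh from prompting, so an unreachable or
# password-only host is skipped instead of hanging the loop.
query_zonename() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" zonename 2>/dev/null
}

# Read candidate addresses on stdin; print the first one whose
# zonename is "global". Returns 1 if none of them is the global zone.
# ZONE_QUERY (hypothetical) may name a replacement for query_zonename.
find_global() {
    query=${ZONE_QUERY:-query_zonename}
    while read -r ip; do
        [ -n "$ip" ] || continue
        # </dev/null keeps ssh from swallowing the rest of the address list.
        name=$("$query" "$ip" </dev/null) || continue
        if [ "$name" = "global" ]; then
            echo "$ip"
            return 0
        fi
    done
    return 1
}

# Usage, on the box running snoop (capture saved to a file first):
#   candidate_ips < snoop.out | find_global
```
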

Of course there are ways to configure Solaris so that this solution won't work: turn off ping responses from the global zone, don't configure an address on the primary interface, put it on a different subnet, or firewall it.

Three quarters of the way through writing this entry I did find a way to get the hostname of the global zone, at least on the latest Solaris updates and Solaris Express, which of course will be removed as soon as word of its existence gets out. kstat provides way too much information from inside the zone, and this will probably change. Run kstat | less to see.


--- SNIP ---
module: iscsi instance: 0
name: iscsi_hba_1 class: iscsi_hba
_alias enterprise.themagicbus
_cntr_sess 0
_name
crtime 147.468882603
snaptime 219875.678668575
--- SNIP ----

The iSCSI alias is the hostname of the global zone; ssh or a quick nslookup/dig lookup will give you the IP address of the global zone.

 
