Backing Up, Sharing, and Mounting Labeled Files (Task Map)

The following task map describes common tasks that are used to back up and restore data from labeled file systems, and to share and mount file systems that are labeled.

Task	Description	For Instructions
Back up files.	Archives your data while preserving labels.	How to Back Up Files in Trusted Extensions
Restore data.	Restores labeled data from a backup.	How to Restore Files in Trusted Extensions
Share a labeled file system.	Allows a labeled file system to be accessed by users on other systems.	How to Share File Systems From a Labeled Zone
Mount a file system that is shared by a labeled zone.	Allows the contents of a file system to be mounted read-write in a labeled zone at the same label. When a higher-level zone mounts the shared directory, the directory mounts read-only.	How to NFS Mount Files in a Labeled Zone
Create home directory mount points.	Creates mount points for every user at every label. This task enables users to access their home directory at every label on a system that is not the NFS home directory server.	How to Enable Users to Access Their Remote Home Directories at Every Label by Logging In to Each NFS Server
Hide lower-level information from a user who is working at a higher label.	Prevents the viewing of lower-level information from a higher level.	How to Disable the Mounting of Lower-Level Files
Troubleshoot file system mounting problems.	Resolves problems with mounting a file system.	How to Troubleshoot Mount Failures in Trusted Extensions

How to Back Up Files in Trusted Extensions

Before You Begin

You must be assigned the Media Backup rights profile. You are in the global zone.

Perform a backup that preserves labels.
The following commands preserve labels.
- zfs send -r | -R filesystem@snap for major backups
  
  For available methods, including sending the backup to a remote server, see Sending and Receiving ZFS Data in Oracle Solaris 11.1 Administration: ZFS File Systems.
- /usr/sbin/tar cT for small backups
  
  For details on the T option to the tar command, see the tar(1) man page.
- A script that calls the zfs or tar backup commands

How to Restore Files in Trusted Extensions

Before You Begin

You are in the root role in the global zone.

Restore a labeled backup.
The following commands can restore labeled backups.
- zfs receive -vF filesystem@snap for major restores
  
  For available methods, including restoring backups from a remote server, see Sending and Receiving ZFS Data in Oracle Solaris 11.1 Administration: ZFS File Systems.
- /usr/sbin/tar xT for small restores
  
  For details on the T option to the tar command, see the tar(1) man page.
- A script that calls the zfs or tar restore commands

How to Share File Systems From a Labeled Zone

To mount or share directories that originate in labeled zones, set the appropriate ZFS share properties on the file system, and then restart the zone to share the labeled directories.

Caution - Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.

Before You Begin

You must be assigned the ZFS File System Management rights profile.

Create a workspace at the label of the file system that is going to be shared.
For details, see How to Add a Workspace at Your Minimum Label in Trusted Extensions User’s Guide.
In the zone, create the file system.
```
# zfs create rpool/wdocs1
```
Share the file system by setting ZFS share properties.
For example, the following set of commands shares a documentation file system for writers. The file system is shared read-write so that writers can modify their documents on this server. setuid programs are disallowed.
```
# zfs set share=name=wdocs1,path=/wdocs1,prot=nfs,setuid=off,
exec=off,devices=off rpool/wdocs1
# zfs set sharenfs=on rpool/wdocs1
```
The command line is wrapped for display purposes.
For each zone, share the directories by starting the zone.
In the global zone, run one of the following commands for each zone. Each zone can share its file systems in any of these ways. The actual sharing occurs when each zone is brought into the ready or running state.
- If the zone is not in the running state and you do not want users to log in to the server at the label of the zone, set the zone state to ready.
```
# zoneadm -z zone-name ready
```
- If the zone is not in the running state and users are allowed to log in to the server at the label of the zone, boot the zone.
```
# zoneadm -z zone-name boot
```
- If the zone is already running, reboot the zone.
```
# zoneadm -z zone-name reboot
```
Display the file systems that are shared from your system.
In the root role in the global zone, run the following command:
```
# zfs get all rpool
```
For more information, see Querying ZFS File System Information in Oracle Solaris 11.1 Administration: ZFS File Systems
To enable the client to mount the shared file system, see How to NFS Mount Files in a Labeled Zone.

Example 14-1 Sharing the /export/share File System at the PUBLIC Label

For applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/reference file system of the public zone.

First, the administrator changes the workspace label to public workspace and opens a terminal window. In the window, the administrator sets selected share properties on the /reference file system. The following command is wrapped for display purposes.

# zfs set share=name=reference,path=/reference,prot=nfs,
setuid=off,exec=off,devices=off,rdonly=on rpool/wdocs1

Then, the administrator shares the file system.

# zfs set sharenfs=on rpool/reference

The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this file server, the administrator shares the file system by putting the zone in the ready state:

# zoneadm -z public ready

Users can access the shared file system once it is mounted on the users' systems.

How to NFS Mount Files in a Labeled Zone

In Trusted Extensions, a labeled zone manages the mounting of files in its zone. File systems from unlabeled and labeled hosts can be mounted on a Trusted Extensions labeled system. The system must have a route to the file server at the label of the mounting zone.

To mount the files read-write from a single-label host, the assigned label of the remote host must match the label of the mounting zone. Two remote host configurations are possible.
- The untrusted remote host is assigned the same label as the mounting zone.
- The trusted remote host is a multilevel server that includes the label of the mounting zone.
File systems that are mounted by a higher-level zone are read-only.
In Trusted Extensions, the auto_home configuration file is customized per zone. The file is named by zone name. For example, a system with a global zone and a public zone has two auto_home files, auto_home_global and auto_home_public.

Trusted Extensions uses the same mounting interfaces as Oracle Solaris:

By default, file systems are mounted at boot.
To mount file systems dynamically, use the mount command in the labeled zone.
To automount home directories, use the auto_home_zone-name files.
To automount other directories, use the standard automount maps.

Before You Begin

You must be on the client system, in the zone at the label of the files that you want to mount. Verify that the file system that you want to mount is shared. Unless you are using the automounter, you must be assigned the File System Management rights profile. To mount from lower-level servers, the zone on this client must be configured with the net_mac_aware privilege.

To NFS mount files in a labeled zone, use the following procedures.
Most procedures include creating a workspace at a particular label. To create a workspace, see How to Add a Workspace at Your Minimum Label in Trusted Extensions User’s Guide.
- Mount files dynamically.
  In the labeled zone, use the mount command.
- Mount files when the zone boots.
- Mount home directories for systems that are administered with files.
  1. Create and populate an /export/home/auto_home_lowest-labeled-zone-name file.
  2. Edit the /etc/auto_home_lowest-labeled-zone-name file to point to the newly populated file.
  3. Modify the /etc/auto_home_lowest-labeled-zone-name file in every higher-level zone to point to the file that you created in Step a.

How to Troubleshoot Mount Failures in Trusted Extensions

Before You Begin

You must be in the zone at the label of the file system that you want to mount. You must be the root role.

Verify that the file systems on the NFS server are shared.
Check the security attributes of the NFS server.
1. Use the tninfo or tncfg command to find the IP address of the server or a range of IP addresses that includes the NFS server.
  The address might be directly assigned, or indirectly assigned through a wildcard mechanism. The address can be in a labeled or unlabeled template.
2. Check the label that the template assigns to the NFS server.
  The label must be consistent with the label at which you are trying to mount the files.
Check the label of the current zone.
If the label is higher than the label of the mounted file system, then you cannot write to the mount even if the remote file system is exported with read/write permissions. You can only write to the mounted file system at the label of the mount.
To mount file systems from an NFS server that is running earlier versions of Trusted Solaris software, do the following:
- For a Trusted Solaris 1 NFS server, use the vers=2 and proto=udp options to the mount command.
- For a Trusted Solaris 2.5.1 NFS server, use the vers=2 and proto=udp options to the mount command.
- For a Trusted Solaris 8 NFS server, use the vers=3 and proto=udp options to the mount command.
To mount file systems from any of these servers, the server must be assigned to an unlabeled template.

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library