3107
3108 if ((dllinks = malloc(dlnum * sizeof (datalink_id_t))) == NULL) {
3109 zerror(zlogp, B_TRUE, "memory allocation failed");
3110 return (-1);
3111 }
3112 if (zone_list_datalink(zoneid, &dlnum, dllinks) != 0) {
3113 zerror(zlogp, B_TRUE, "unable to list network interfaces");
3114 free(dllinks);
3115 return (-1);
3116 }
3117
3118 for (i = 0, dllink = dllinks; i < dlnum; i++, dllink++) {
3119 char dlerr[DLADM_STRSIZE];
3120
3121 dlstatus = dladm_set_linkprop(dld_handle, *dllink,
3122 "protection", NULL, 0, DLADM_OPT_ACTIVE);
3123 if (dlstatus == DLADM_STATUS_NOTFOUND) {
3124 /* datalink does not belong to the GZ */
3125 continue;
3126 }
3127 if (dlstatus != DLADM_STATUS_OK) {
3128 zerror(zlogp, B_FALSE,
3129 dladm_status2str(dlstatus, dlerr));
3130 free(dllinks);
3131 return (-1);
3132 }
3133 dlstatus = dladm_set_linkprop(dld_handle, *dllink,
3134 "allowed-ips", NULL, 0, DLADM_OPT_ACTIVE);
3135 if (dlstatus != DLADM_STATUS_OK) {
3136 zerror(zlogp, B_FALSE,
3137 dladm_status2str(dlstatus, dlerr));
3138 free(dllinks);
3139 return (-1);
3140 }
3141 }
3142 free(dllinks);
3143 return (0);
3144 }
3145
3146 static int
3147 unconfigure_exclusive_network_interfaces(zlog_t *zlogp, zoneid_t zoneid)
3148 {
3149 int dlnum = 0;
3150
3151 /*
3152 * The kernel shutdown callback for the dls module should have removed
3153 * all datalinks from this zone. If any remain, then there's a
3154 * problem.
3155 */
3156 if (zone_list_datalink(zoneid, &dlnum, NULL) != 0) {
3157 zerror(zlogp, B_TRUE, "unable to list network interfaces");
3158 return (-1);
3159 }
3160 if (dlnum != 0) {
3161 zerror(zlogp, B_FALSE,
3162 "datalinks remain in zone after shutdown");
3163 return (-1);
3164 }
3165 return (0);
3166 }
3167
3168 static int
3169 tcp_abort_conn(zlog_t *zlogp, zoneid_t zoneid,
3170 const struct sockaddr_storage *local, const struct sockaddr_storage *remote)
3171 {
3172 int fd;
3173 struct strioctl ioc;
3174 tcp_ioc_abort_conn_t conn;
3175 int error;
3176
3177 conn.ac_local = *local;
3178 conn.ac_remote = *remote;
3179 conn.ac_start = TCPS_SYN_SENT;
3180 conn.ac_end = TCPS_TIME_WAIT;
3181 conn.ac_zoneid = zoneid;
3182
3183 ioc.ic_cmd = TCP_IOC_ABORT_CONN;
3184 ioc.ic_timout = -1; /* infinite timeout */
3185 ioc.ic_len = sizeof (conn);
3186 ioc.ic_dp = (char *)&conn;
3187
3188 if ((fd = open("/dev/tcp", O_RDONLY)) < 0) {
5141 goto error;
5142 }
5143 if (zonecfg_find_scratch(fp, zone_name, zonecfg_get_root(),
5144 kernzone, sizeof (kernzone)) != 0) {
5145 zerror(zlogp, B_FALSE, "unable to find scratch zone");
5146 zonecfg_close_scratch(fp);
5147 goto error;
5148 }
5149 zonecfg_close_scratch(fp);
5150 kzone = kernzone;
5151 }
5152
5153 if ((zoneid = getzoneidbyname(kzone)) == ZONE_ID_UNDEFINED) {
5154 if (!bringup_failure_recovery)
5155 zerror(zlogp, B_TRUE, "unable to get zoneid");
5156 if (unmount_cmd)
5157 (void) lu_root_teardown(zlogp);
5158 goto error;
5159 }
5160
5161 if (remove_datalink_pool(zlogp, zoneid) != 0) {
5162 zerror(zlogp, B_FALSE, "unable clear datalink pool property");
5163 goto error;
5164 }
5165
5166 if (remove_datalink_protect(zlogp, zoneid) != 0) {
5167 zerror(zlogp, B_FALSE,
5168 "unable clear datalink protect property");
5169 goto error;
5170 }
5171
5172 /*
5173 * The datalinks assigned to the zone will be removed from the NGZ as
5174 * part of zone_shutdown() so that we need to remove protect/pool etc.
5175 * before zone_shutdown(). Even if the shutdown itself fails, the zone
5176 * will not be able to violate any constraints applied because the
5177 * datalinks are no longer available to the zone.
5178 */
5179 if (zone_shutdown(zoneid) != 0) {
5180 zerror(zlogp, B_TRUE, "unable to shutdown zone");
5181 goto error;
5182 }
5183
5184 /* Get the zonepath of this zone */
5185 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
5186 zerror(zlogp, B_FALSE, "unable to determine zone path");
5187 goto error;
5188 }
5189
5190 /* Get a handle to the brand info for this zone */
5222 "ip-type");
5223 goto error;
5224 }
5225 } else {
5226 if (flags & ZF_NET_EXCL)
5227 iptype = ZS_EXCLUSIVE;
5228 else
5229 iptype = ZS_SHARED;
5230 }
5231
5232 switch (iptype) {
5233 case ZS_SHARED:
5234 if (unconfigure_shared_network_interfaces(zlogp,
5235 zoneid) != 0) {
5236 zerror(zlogp, B_FALSE, "unable to unconfigure "
5237 "network interfaces in zone");
5238 goto error;
5239 }
5240 break;
5241 case ZS_EXCLUSIVE:
5242 if (unconfigure_exclusive_network_interfaces(zlogp,
5243 zoneid) != 0) {
5244 zerror(zlogp, B_FALSE, "unable to unconfigure "
5245 "network interfaces in zone");
5246 goto error;
5247 }
5248 status = dladm_zone_halt(dld_handle, zoneid);
5249 if (status != DLADM_STATUS_OK) {
5250 zerror(zlogp, B_FALSE, "unable to notify "
5251 "dlmgmtd of zone halt: %s",
5252 dladm_status2str(status, errmsg));
5253 }
5254 break;
5255 }
5256 }
5257
5258 if (!unmount_cmd && tcp_abort_connections(zlogp, zoneid) != 0) {
5259 zerror(zlogp, B_TRUE, "unable to abort TCP connections");
5260 goto error;
5261 }
5262
5263 if (unmount_filesystems(zlogp, zoneid, unmount_cmd) != 0) {
5264 zerror(zlogp, B_FALSE,
5265 "unable to unmount file systems in zone");
5266 goto error;
5267 }
|
3107
3108 if ((dllinks = malloc(dlnum * sizeof (datalink_id_t))) == NULL) {
3109 zerror(zlogp, B_TRUE, "memory allocation failed");
3110 return (-1);
3111 }
3112 if (zone_list_datalink(zoneid, &dlnum, dllinks) != 0) {
3113 zerror(zlogp, B_TRUE, "unable to list network interfaces");
3114 free(dllinks);
3115 return (-1);
3116 }
3117
3118 for (i = 0, dllink = dllinks; i < dlnum; i++, dllink++) {
3119 char dlerr[DLADM_STRSIZE];
3120
3121 dlstatus = dladm_set_linkprop(dld_handle, *dllink,
3122 "protection", NULL, 0, DLADM_OPT_ACTIVE);
3123 if (dlstatus == DLADM_STATUS_NOTFOUND) {
3124 /* datalink does not belong to the GZ */
3125 continue;
3126 }
3127 if (dlstatus != DLADM_STATUS_OK)
3128 zerror(zlogp, B_FALSE,
3129 "clear 'protection' link property: %s",
3130 dladm_status2str(dlstatus, dlerr));
3131
3132 dlstatus = dladm_set_linkprop(dld_handle, *dllink,
3133 "allowed-ips", NULL, 0, DLADM_OPT_ACTIVE);
3134 if (dlstatus != DLADM_STATUS_OK)
3135 zerror(zlogp, B_FALSE,
3136 "clear 'allowed-ips' link property: %s",
3137 dladm_status2str(dlstatus, dlerr));
3138 }
3139 free(dllinks);
3140 return (0);
3141 }
3142
3143 static int
3144 tcp_abort_conn(zlog_t *zlogp, zoneid_t zoneid,
3145 const struct sockaddr_storage *local, const struct sockaddr_storage *remote)
3146 {
3147 int fd;
3148 struct strioctl ioc;
3149 tcp_ioc_abort_conn_t conn;
3150 int error;
3151
3152 conn.ac_local = *local;
3153 conn.ac_remote = *remote;
3154 conn.ac_start = TCPS_SYN_SENT;
3155 conn.ac_end = TCPS_TIME_WAIT;
3156 conn.ac_zoneid = zoneid;
3157
3158 ioc.ic_cmd = TCP_IOC_ABORT_CONN;
3159 ioc.ic_timout = -1; /* infinite timeout */
3160 ioc.ic_len = sizeof (conn);
3161 ioc.ic_dp = (char *)&conn;
3162
3163 if ((fd = open("/dev/tcp", O_RDONLY)) < 0) {
5116 goto error;
5117 }
5118 if (zonecfg_find_scratch(fp, zone_name, zonecfg_get_root(),
5119 kernzone, sizeof (kernzone)) != 0) {
5120 zerror(zlogp, B_FALSE, "unable to find scratch zone");
5121 zonecfg_close_scratch(fp);
5122 goto error;
5123 }
5124 zonecfg_close_scratch(fp);
5125 kzone = kernzone;
5126 }
5127
5128 if ((zoneid = getzoneidbyname(kzone)) == ZONE_ID_UNDEFINED) {
5129 if (!bringup_failure_recovery)
5130 zerror(zlogp, B_TRUE, "unable to get zoneid");
5131 if (unmount_cmd)
5132 (void) lu_root_teardown(zlogp);
5133 goto error;
5134 }
5135
5136 if (remove_datalink_pool(zlogp, zoneid) != 0)
5137 zerror(zlogp, B_FALSE, "unable clear datalink pool property");
5138
5139 if (remove_datalink_protect(zlogp, zoneid) != 0)
5140 zerror(zlogp, B_FALSE,
5141 "unable clear datalink protect property");
5142
5143 /*
5144 * The datalinks assigned to the zone will be removed from the NGZ as
5145 * part of zone_shutdown() so that we need to remove protect/pool etc.
5146 * before zone_shutdown(). Even if the shutdown itself fails, the zone
5147 * will not be able to violate any constraints applied because the
5148 * datalinks are no longer available to the zone.
5149 */
5150 if (zone_shutdown(zoneid) != 0) {
5151 zerror(zlogp, B_TRUE, "unable to shutdown zone");
5152 goto error;
5153 }
5154
5155 /* Get the zonepath of this zone */
5156 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
5157 zerror(zlogp, B_FALSE, "unable to determine zone path");
5158 goto error;
5159 }
5160
5161 /* Get a handle to the brand info for this zone */
5193 "ip-type");
5194 goto error;
5195 }
5196 } else {
5197 if (flags & ZF_NET_EXCL)
5198 iptype = ZS_EXCLUSIVE;
5199 else
5200 iptype = ZS_SHARED;
5201 }
5202
5203 switch (iptype) {
5204 case ZS_SHARED:
5205 if (unconfigure_shared_network_interfaces(zlogp,
5206 zoneid) != 0) {
5207 zerror(zlogp, B_FALSE, "unable to unconfigure "
5208 "network interfaces in zone");
5209 goto error;
5210 }
5211 break;
5212 case ZS_EXCLUSIVE:
5213 status = dladm_zone_halt(dld_handle, zoneid);
5214 if (status != DLADM_STATUS_OK) {
5215 zerror(zlogp, B_FALSE, "unable to notify "
5216 "dlmgmtd of zone halt: %s",
5217 dladm_status2str(status, errmsg));
5218 }
5219 break;
5220 }
5221 }
5222
5223 if (!unmount_cmd && tcp_abort_connections(zlogp, zoneid) != 0) {
5224 zerror(zlogp, B_TRUE, "unable to abort TCP connections");
5225 goto error;
5226 }
5227
5228 if (unmount_filesystems(zlogp, zoneid, unmount_cmd) != 0) {
5229 zerror(zlogp, B_FALSE,
5230 "unable to unmount file systems in zone");
5231 goto error;
5232 }
|