Hi all,
we are running some zones on encrypted ZFS datasets. They have been created in Solaris 11.3 by applying the following commands:
- Generating the PKCS11 keystore:
pktool setpin keystore=pkcs11
- Generating the symmetric key used for encryption:
pktool genkey keystore=pkcs11 keytype=aes keylen=256 label=zone-mintaka
- Creating the encrypted dataset for the zone:
zfs create -o encryption=on -o keysource=raw,pkcs11:object=zone-mintaka ypool/zones/mintaka
- Installing the zone:
zoneadm -z mintaka install
- Booting the zone:
zoneadm -z mintaka boot
Whenever "zoneadm" needed the PKCS11 PIN, it asked for it. Zones created like this have been migrated to 11.4 (SRU 8) and are working without any problems so far.
Now I tried to do the same steps in Solaris 11.4 SRU 8 to create another zone on an encrypted ZFS dataset. Unfortunately, it doesn't work. The "zoneadm -z zonename install" command breaks with the following results:
root@solaris:/export/home/steffen# zfs key -l -r rpool/zones/test
Enter PKCS#11 token PIN for 'rpool/zones/test':
root@solaris:/export/home/steffen# zoneadm -z test install
/zones/test must not be group readable.
/zones/test must not be group executable.
/zones/test must not be world readable.
/zones/test must not be world executable.
changing zonepath permissions to 0700.
Progress being logged to /var/log/zones/zoneadm.20190619T065135Z.test.install
Image: Preparing at /zones/test/root.
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool':
Install Log: /system/volatile/install.2381/install_log
AI Manifest: /tmp/manifest.xml.v02lcb
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: test
Installation: Starting ...
Error occurred during execution of 'target-instantiation' checkpoint.
Failed Checkpoints:
target-instantiation
Checkpoint execution error:
ZfsRADError(err_type = ZfsRADErrType(value = libzfs_err), libzfs_errcode = 2078, libzfs_errstr = 'PKCS#11 token object not found.', info = 'zfs_create() failed', location = 'rad_zpool_create_dataset')
Installation: Failed. See install log at /system/volatile/install.2381/install_log
ERROR: auto-install failed. AI manifest /tmp/manifest.xml.v02lcb preserved.
zoneadm: zone 'test': ERROR: installation failed: zone switching to configured state
"Zoneadm" in 11.4 only asks for the PKCS11 PIN when trying to create rpool/zones/test/rpool, while in Solaris 11.3 it asked for the PIN several times when installing the zone. The errors logged to /system/volatile/install.2381/install_log also indicate that "zoneadm" simply does not know about the symmetric key stored in the PKCS11 keystore when trying to create rpool/zones/test/rpool/ROOT and below.
In Solaris 11.3 SRU 35 it behaves this way:
root@solaris:/export/home/steffen# zoneadm -z test install
Progress being logged to /var/log/zones/zoneadm.20190619T071133Z.test.install
Image: Preparing at /zones/test/root.
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool':
Install Log: /system/volatile/install.2889/install_log
AI Manifest: /tmp/manifest.xml.0E5yWd
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: test
Installation: Starting ...
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT/solaris':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT/solaris/var':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/export':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/export/home':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/VARSHARE':
Creating IPS image
Startup linked: 1/1 done
Installing packages from:
solaris
[...]
Therefore I am sure that the behavior of "zoneadm" has been changed between Solaris 11.3 SRU 35 and Solaris 11.4 SRU 8. Is there any simple solution to it? How can I install new zones on an encrypted dataset when storing the key in a PKCS11 keystore?
Pre-creating the ZFS datasets manually doesn't seem to work, as "zoneadm" does not like installing a zone into an existing hierarchy. Preloading the key by issuing zfs key -l -r rpool/zones/test also doesn't work, as the datasets to be created are not there yet.
Thank you very much in advance for any helpful hints!
Kind regards,
Steffen
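The two transcripts above differ in exactly one observable: for which datasets zoneadm asked for the PKCS#11 PIN before the libzfs error appeared. The following script is an added example (not from the post or from Solaris) that parses such zoneadm install output, lists the datasets whose key was requested, extracts the libzfs error code and message, and compares a failing run against a known-good run to name the child datasets for which the key was never requested. The two sample transcripts are constructed, abbreviated copies of the output quoted above; the function names are the author's own choice.

```python
import re

# Constructed sample: abbreviated zoneadm output from the failing 11.4 SRU 8 run.
SAMPLE_11_4 = """\
Image: Preparing at /zones/test/root.
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool':
Installation: Starting ...
Error occurred during execution of 'target-instantiation' checkpoint.
Checkpoint execution error:
ZfsRADError(err_type = ZfsRADErrType(value = libzfs_err), libzfs_errcode = 2078, libzfs_errstr = 'PKCS#11 token object not found.', info = 'zfs_create() failed', location = 'rad_zpool_create_dataset')
Installation: Failed. See install log at /system/volatile/install.2381/install_log
"""

# Constructed sample: abbreviated zoneadm output from the working 11.3 SRU 35 run.
SAMPLE_11_3 = """\
Image: Preparing at /zones/test/root.
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool':
Installation: Starting ...
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT/solaris':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/ROOT/solaris/var':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/export':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/export/home':
Enter PKCS#11 token PIN for 'rpool/zones/test/rpool/VARSHARE':
Creating IPS image
"""

# A PIN prompt names the dataset whose key is being loaded.
PIN_RE = re.compile(r"Enter PKCS#11 token PIN for '([^']+)':")
# The ZfsRADError line carries the libzfs error code and message.
ERR_RE = re.compile(r"libzfs_errcode = (\d+), libzfs_errstr = '([^']*)'")
# Marker for the failure mode discussed in the post.
KEY_NOT_FOUND = "token object not found"


def analyze(output: str) -> dict:
    """Summarise one zoneadm install transcript.

    Returns the datasets for which a PIN was requested (in order), the
    libzfs errors seen, and, when the key object was reported missing,
    the deepest dataset that *did* get its key: the failure happened on
    a child below it.
    """
    prompted = PIN_RE.findall(output)
    errors = [(int(code), msg) for code, msg in ERR_RE.findall(output)]
    key_not_found = any(KEY_NOT_FOUND in msg for _, msg in errors)
    # Deepest dataset unlocked so far = longest name (children extend the parent's name).
    deepest = max(prompted, key=len) if prompted else None
    return {
        "prompted": prompted,
        "errors": errors,
        "key_missing_below": deepest if key_not_found else None,
    }


def unprompted_datasets(good_output: str, bad_output: str) -> list:
    """Datasets the good run asked a PIN for but the bad run never did.

    Order follows the good run, so the list reads top-down through the
    zone's dataset hierarchy.
    """
    bad = set(PIN_RE.findall(bad_output))
    return [ds for ds in PIN_RE.findall(good_output) if ds not in bad]


if __name__ == "__main__":
    summary = analyze(SAMPLE_11_4)
    print("PIN requested for:", summary["prompted"])
    for code, msg in summary["errors"]:
        print(f"libzfs error {code}: {msg}")
    if summary["key_missing_below"]:
        print("key not applied to children of", summary["key_missing_below"])
    print("never prompted in 11.4:")
    for ds in unprompted_datasets(SAMPLE_11_3, SAMPLE_11_4):
        print("  ", ds)
```

Run it against real output by replacing the constructed samples with the contents of the two /var/log/zones/zoneadm.*.install logs; the comparison only needs the prompt lines, so anything else in the log is ignored.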