
When shutting down the zone via the console from the global zone, I noticed the following error:

[Connected to zone 'ist-app5' console]

istur1app5 console login: svc.startd: The system is coming down.  Please wait.
svc.startd: 44 system services are now being stopped.
Jun 28 11:17:29 svc.startd[4567]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Jun 28 11:17:29 svc.startd[4567]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Jun 28 11:17:29 svc.startd[4567]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Jun 28 11:17:29 svc.startd[4567]: network/ipsec/policy:default failed: transitioned to maintenance (see 'svcs -xv' for details)
svc.startd: The system is down.

[NOTICE: Zone halted]

Checking the service:

svcs -xv network/ipsec/policy
svc:/network/ipsec/policy:default (IPsec policy initialization)
 State: online since Tue Jun 28 11:18:55 2011
   See: man -M /usr/share/man -s 1M ipsecconf
   See: /var/svc/log/network-ipsec-policy:default.log
Impact: None.

view /var/svc/log/network-ipsec-policy:default.log
[ Jun 28 11:17:29 Stopping because service disabled. ]
[ Jun 28 11:17:29 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Jun 28 11:17:29 Method "stop" exited with status 1 ]
[ Jun 28 11:17:29 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Jun 28 11:17:29 Method "stop" exited with status 1 ]
[ Jun 28 11:17:29 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Jun 28 11:17:29 Method "stop" exited with status 1 ]
[ Jun 28 11:18:50 Enabled. ]
[ Jun 28 11:18:55 Executing start method ("/usr/sbin/ipsecconf -q -a /etc/inet/ipsecinit.conf") ]
Policy configuration file (/etc/inet/ipsecinit.conf) does not exist.
IPsec policy not configured.
[ Jun 28 11:18:55 Method "start" exited with status 0 ]
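
The following is an added example, not part of the original page: a shell function that reads an SMF service log and reports, for each method, how many times it ran, how many times it failed, and the last error line it printed. The names smf_method_summary and sample_log are hypothetical, and the sample input is abridged from the log above.

```sh
# Added example (not from the original page): summarise SMF method results.
# Reads an SMF service log on stdin and prints one line per method seen.
smf_method_summary() {
  awk '
    # "[ <date> Executing stop method (...) ]" opens a method run.
    /^\[ .* Executing [a-z]+ method / {
      for (i = 1; i <= NF; i++) if ($i == "Executing") cur = $(i + 1)
      if (!(cur in runs)) order[++n] = cur
      runs[cur]++; msg = ""; next
    }
    # "[ <date> Method "stop" exited with status 1 ]" closes it.
    /^\[ .* Method "[a-z]+" exited with status / {
      if ($(NF - 1) + 0 != 0) { failed[cur]++; last[cur] = msg }
      cur = ""; next
    }
    # Unbracketed lines inside a run are output of the method itself.
    cur != "" && !/^\[/ { msg = $0 }
    END {
      for (i = 1; i <= n; i++) {
        m = order[i]
        printf "%s runs=%d failed=%d", m, runs[m], failed[m]
        if (failed[m] > 0) printf " last_error=\"%s\"", last[m]
        printf "\n"
      }
    }
  '
}

# Sample input: abridged from the log on this page (two of three stop attempts).
sample_log() {
  cat <<'EOF'
[ Jun 28 11:17:29 Stopping because service disabled. ]
[ Jun 28 11:17:29 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Jun 28 11:17:29 Method "stop" exited with status 1 ]
[ Jun 28 11:17:29 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Jun 28 11:17:29 Method "stop" exited with status 1 ]
[ Jun 28 11:18:50 Enabled. ]
[ Jun 28 11:18:55 Executing start method ("/usr/sbin/ipsecconf -q -a /etc/inet/ipsecinit.conf") ]
Policy configuration file (/etc/inet/ipsecinit.conf) does not exist.
IPsec policy not configured.
[ Jun 28 11:18:55 Method "start" exited with status 0 ]
EOF
}

sample_log | smf_method_summary
```

To run it against the full file, use `smf_method_summary < /var/svc/log/network-ipsec-policy:default.log`.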

Google found only one article in 2009, http://forums.oracle.com/forums/thread.jspa?threadID=1917986&tstart=240, with no response.

The poster also indicated that the problem happens with both sparse and whole root zones and presented an assessment of the cause and an interim solution:

Looking at the release notes for 05/09 update 7 it mentions that "IP security (IPsec) is now managed by the following Solaris Management Facility (SMF) services" which seems to fit with the error I am getting.

Although I can prevent the error messages by disabling the service in each zone with svcadm, it is a bit annoying and I would like to have a better solution. Does anyone know how I can prevent this service from being enabled when I create a new zone?

I (Tin) experience this error on my home-built Solaris from a few years ago and also at work on a very up-to-date Cluster Patch, "10_Recommended_2011-06.zip".

So what is the long term fix? Is this a serious error?
