Bug #11894


zonecfg export should quote strings

Added by Brian Bennett over 3 years ago. Updated over 3 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:
External Bug:


Context for this is that SmartOS base64 encodes alias names, and when the value needs to be padded "zonecfg import" will choke on the value.


Actions #1

Updated by Brian Bennett over 3 years ago

I did a bunch of testing, and there doesn't seem to be a valid way to have a double quote in the middle of a string for a zone attribute. I tried every way I can think of to escape it, and zonecfg never accepts it. The best I could do was to get a truncated string, if it wasn't outright rejected. Maybe it's possible to hand edit a zone xml file after zone creation in such a way that would have a double quote in the middle of a string, but exporting and importing that would not work as it is today.

Because of this, I feel confident that we can safely just quote the values on export.

Actions #2

Updated by Brian Bennett over 3 years ago

Some follow up from Jerry via the mailing list:

I took a look at this for Brian and I am pretty confident that we cannot have an embedded single quote character inside of a string. The syntax for zonecfg is defined by the yacc and lex definitions in usr/src/cmd/zonecfg. In zonecfg_lex.l there are a set of rules for a token. A token represents the value associated with a keyword such as zonename, bootargs, etc. A simple token is an unquoted string which cannot include an embedded quote character ("). This is defined at lines 376-389. A quoted string token is defined at lines 391-410. In this set of rules we can see the string begins with a quote character and can include any set of characters except another quote character or newline, and the token terminates with a quote character or newline. There is no provision here for escaping a quote character within the string.

Actions #3

Updated by Brian Bennett over 3 years ago

A user reported to Joyent an error they were having while trying to migrate a zone across compute nodes. They would do a zonecfg export, zfs send/recv, then zonecfg import on the destination.

Unfortunately this cased a problem with many zones because SmartOS base64 encodes the zone alias, a value provided by zone tenants. In one case, the zone had the following attribute:

add attr
set name=alias
set type=string
set value=c291cC1iaHl2ZQ==

and zonecfg would return an error attempting to parse the value.

# zonecfg -z 1f73c20e-926c-604c-bb5a-e0d8d5f2083b -f 1f73c20e-926c-604c-bb5a-e0d8d5f2083b.zcfg
syntax error on line 99 at ‘='

Editing the zone file before import and either quoting the entire string or removing the b64 padding characters (the "=" chars at the end of the string) let them import the zone.

Considering that zonecfg doesn't consider the padding characters valid syntax, quoting attributes during export seems like the easiest solution. Research from John Levon, Jerry Jelinek and myself shows that indiscriminately quoting, whether it's strictly necessary or not, is safe.

Actions #4

Updated by Electric Monk over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit c8236ea6ad6caec3ccd52d13b0345b7881f0c12c

commit  c8236ea6ad6caec3ccd52d13b0345b7881f0c12c
Author: Brian Bennett <>
Date:   2019-12-17T15:23:37.000Z

    11894 zonecfg export should quote strings
    Reviewed by: Jerry Jelinek <>
    Reviewed by: John Levon <>
    Reviewed by: Mike Gerdts <>
    Approved by: Dan McDonald <>


Also available in: Atom PDF