On 05/25/11 17:27, Jens Elkner wrote:
> On Wed, May 25, 2011 at 03:31:56PM -0400, James Carlson wrote:
>> Jens Elkner wrote:
>>> Well, actually we have "jumpstart" scripts for ~ 70 types of service
>>> zones which all use pkgadd -R /rpool/zones/$zname/root -d
>>> /net/$bla/install ... to supply the SW the zones need and to mangle the
>>> configs etc., so that when the zones come up we _know_ they are working
>>> as expected and can be used immediately.  Never had any problems with
>>> that approach and wish to have the same functionality wrt. IPS!
>>
>> Understandable desire, but I don't think using -R that way was
>> supported.  pkgadd(1M) says this:
>>
>>                      Note -  The root file  system  of  any  non-
>>                              global  zones must not be referenced
>>                              with the -R option. Doing  so  might
>>                              damage  the  global zone's file sys-
>>                              tem, might compromise  the  security
>>                              of the global zone, and might damage
>>                              the non-global zone's  file  system.
>>                              See zones(5).
>>
>> That's from a Solaris 10 11/06 system (S10u3), and the same note is
>> still there on OpenSolaris.
> 
> Yes and might be the case for running zones or malicious packages.
> But actually it is, what LU does all the time ;-)

No, it's not.  I wrote that part of the code.  ;-}

LU actually enters the zone and runs the pkgadd command inside the zone.
It uses undocumented interfaces to bring the zones up to a "mounted"
state when administering zones that are present in an alternate root
environment.

It does not just set -R to point to the zone's root and let fly.

> Anyway, the scripts
> get tested on test machines, to minimize the risk, that something
> strange happens in production... I guess, the author didn't further
> comment this note to avoid another whitepaper and leave a door open,
> to throw back the ball ;-)

Actually, I read that initial reply you got much differently.
Rather than being insulting, it was a request to get at the higher-level
goals.

As a developer, it's a common problem.  Users try to work around
weaknesses and other flaws in the systems they have, and they get
themselves into awkward positions as a result.  They then call support
and ask for help with just that awkward part, but they leave out all the
background information.

If the developer just focuses on the awkward part, nothing ever really
improves.  And that's a bad result.

So, it's not uncommon for a developer to ask a person reporting a
problem to take a step back and describe the original problem being
solved.  I certainly don't take it as any sort of insult or as any
absurdist plea for a pie-in-the-sky whitepaper or whatever else it is
that might concern you.  It's a request for information.

-- 
James Carlson         42.703N 71.076W         <carls...@workingcode.com>
_______________________________________________
install-discuss mailing list
install-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/install-discuss
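
The pkgadd(1M) note quoted in the message above can be enforced before a provisioning script ever passes a path to -R. The following guard is an added example, not part of the original thread and not code from Live Upgrade or pkgadd. It assumes the colon-separated `zoneadm list -cp` layout (zoneid:zonename:state:zonepath:...); the function names and the sample zone list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `zoneadm list -cp`
# (zoneid:zonename:state:zonepath:uuid:brand:ip-type). Names/paths are made up.
SAMPLE_ZONES='0:global:running:/::native:shared
1:web01:running:/rpool/zones/web01:constructed-uuid-1:native:shared
-:db01:installed:/rpool/zones/db01:constructed-uuid-2:native:shared'

# zone_owning_path ALTROOT [ZONE_LIST]   (hypothetical helper)
# Prints the non-global zone whose zonepath contains ALTROOT and returns 0;
# returns 1 when ALTROOT lies outside every non-global zonepath.
# Assumptions: ALTROOT is an absolute path without symlinks or "..", and
# zonepaths contain no escaped colons.
zone_owning_path() {
    altroot=${1%/}
    zones=${2-$(zoneadm list -cp)}
    while IFS=: read -r _id name _state zonepath _rest; do
        if [ "$name" = "global" ]; then continue; fi
        zonepath=${zonepath%/}
        if [ -z "$zonepath" ]; then continue; fi
        # Compare with a trailing slash so /rpool/zones/web012 does not
        # match the zonepath /rpool/zones/web01.
        case "$altroot/" in
            "$zonepath"/*) printf '%s\n' "$name"; return 0 ;;
        esac
    done <<EOF
$zones
EOF
    return 1
}

# guard_altroot ALTROOT [ZONE_LIST]   (hypothetical helper)
# Returns 0 if ALTROOT may be handed to -R, 1 (with a message) if it
# points into a non-global zone, as the pkgadd(1M) note forbids.
guard_altroot() {
    if zone=$(zone_owning_path "$@"); then
        echo "refusing -R $1: inside zonepath of non-global zone '$zone'" >&2
        return 1
    fi
    return 0
}
```

A provisioning script would call `guard_altroot "$altroot" || exit 1` before its pkgadd step; omitting the second argument makes the helper read the live zone list from `zoneadm list -cp`.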
