Robert.Thurlow at sun.com wrote:
> ...
> 2) Due to the above, it seems like the global zone admin should have
> a knob to turn to enable or disable the ability of a zone to share
> out files via NFS. Do people agree?
>
> 2.5) Is this related to whether the global zone can share a resource?
>
> 3) I know we've talked about a zone not being able to share stuff
> outside of its namespace, but I wonder if we should further restrict
> this to sharing storage that's fully administered in the zone, e.g.
> you can't share a filesystem you got via lofs, but you can share
> from a /dev/dsk/cxtxdx or a zpool that had been fully delegated to
> you. Opinions?

I think you can tie both (2) and (3) together if the mechanism used to enable this is a new command like this:

    set zone-nfsshare-root = /export/z1/export

If this setting is absent from an l-z's config then it doesn't get to export anything via NFS and is otherwise limited to sharing out directories that are under the one set in the config (this would include "." too.)

This idea needs some work on it, however, if there was going to be sharing from multiple top level directories (e.g. a zone wants to export both /export and /usr/share and we want to enforce that restriction from the g-z.)

Oh, the implication is that if this setting is not present in the l-z's config that nfs sharing in is disabled.

Darren
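
The containment check this proposal implies, sketched as an added example that is not part of the original message or of any Solaris code. The function names are hypothetical, the check accepts a list of roots to cover the multiple-directory case raised above, and it assumes both the roots and the requested path are absolute paths in the same namespace; it is purely lexical, so a real enforcement point would also have to resolve symlinks and lofs mounts.

```python
import posixpath


def _normalize(path):
    """Lexically normalize an absolute path; reject relative ones."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute: %r" % path)
    norm = posixpath.normpath(path)
    # normpath preserves a leading '//' (POSIX leaves it special); collapse it.
    return "/" + norm.lstrip("/")


def share_allowed(share_roots, requested):
    """Return True if `requested` is one of the roots or lies beneath one.

    share_roots: values of the (hypothetical) zone-nfsshare-root setting.
    An empty list models the setting being absent: nothing may be shared.
    """
    try:
        target = _normalize(requested)
    except ValueError:
        return False
    for root in share_roots:
        root = _normalize(root)
        if target == root:          # sharing the root itself (".")
            return True
        # Compare on a component boundary so that /export/z1/export
        # does not also authorize /export/z1/export2.
        prefix = root if root.endswith("/") else root + "/"
        if target.startswith(prefix):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests against the root from the message.
    roots = ["/export/z1/export"]
    for req in ["/export/z1/export",
                "/export/z1/export/home",
                "/export/z1/export2",
                "/export/z1/export/../../../etc"]:
        print(req, "->", "allow" if share_allowed(roots, req) else "deny")
```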