On Sun, Aug 14, 2016 at 6:27 PM, Dan McDonald <[email protected]> wrote:
> > On Aug 14, 2016, at 1:20 PM, Michael Rasmussen <[email protected]> wrote:
> >
> > - All network configuration can be done outside the zone giving the
> > opportunity to hand out LX zones to users with a locked down network
> > configuration.
>
> That's naive. An admin on even a SmartOS zone can invoke:
>
> /native/sbin/ifconfig <stuff>
>
> and wreak havoc. :)
>
> Modulo any ip-spoofing protections in place.
>
> > - Admins can script everything and have total control of LX zones
>
> Also, by "admins" you mean "global zone admins", right?

It's unfortunate that the lx brand doesn't support shared-ip stacks. I can't see whether there's a fundamental technical reason, but having shared-ip does make it much easier to simply configure everything in the global zone and prevent the zone fiddling with it.

The problem with exclusive-ip is that you can't manage it from the global zone at all. If the zone isn't running, you obviously can't do anything, but as soon as the zone is running (or even ready) it steals the interface away so the global zone can do nothing.

(Docker networking behaves like traditional shared-ip, from what I can see.)

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
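As an added example, not code from the thread or from the illumos/OmniOS projects: a global-zone shell script showing the weak way and a protected way to hand a vnic to an exclusive-ip lx zone, which is the "ip-spoofing protections" Dan alludes to. It assumes illumos dladm(1M) and zonecfg(1M) syntax (the `protection` and `allowed-ips` link properties, and the net resource's `allowed-address`), a zone named `lx-web` that already exists as an exclusive-ip lx zone, a physical link `net0`, a vnic `lx-web0` and addresses from the 192.0.2.0/24 documentation prefix; all of those names and addresses are placeholders. That the zone cannot clear those link properties from inside with `/native/dladm` is also an assumption to check against the dladm(1M) page of your release.

```shell
#!/bin/sh
# Added example (not from the thread): pin an exclusive-ip lx zone's vnic
# from the global zone with dladm link protection, so that root inside the
# zone running /native/sbin/ifconfig cannot put a spoofed address or MAC
# on the wire. Assumes illumos dladm/zonecfg syntax; zone, link, vnic and
# addresses below are placeholders.

ZONE=lx-web
LINK=net0
VNIC=lx-web0
ADDR=192.0.2.10
PREFIX=24

# Run a global-zone command, or only print it when DRYRUN is set or this is
# not an illumos host, so the script can be read and tested anywhere.
run() {
  if [ -n "${DRYRUN:-}" ] || ! command -v dladm >/dev/null 2>&1; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Weak: the vnic is handed to the zone with no link properties. Once the zone
# is running the global zone can no longer manage the address, and root inside
# the zone may run
#   /native/sbin/ifconfig lx-web0 192.0.2.99/24 up
# (or change the MAC) and the kernel will happily forward that traffic.
weak_config() {
  run dladm create-vnic -l "$LINK" "$VNIC"
  run zonecfg -z "$ZONE" "add net; set physical=$VNIC; end; commit"
}

# Hardened: same exclusive-ip zone, but the global zone sets link protection
# before the zone boots. mac-nospoof drops frames whose source MAC is not the
# vnic's, ip-nospoof drops IP/ARP/NDP packets whose source address is not in
# allowed-ips, restricted drops everything that is not IPv4/IPv6/ARP. The
# zone's ifconfig still "succeeds", but the spoofed packets never leave the vnic.
hardened_config() {
  run dladm create-vnic -l "$LINK" "$VNIC"
  run dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted \
                         -p allowed-ips="$ADDR" "$VNIC"
  # allowed-address on the net resource makes zoneadm apply the same
  # restriction at boot, so it survives the vnic being recreated.
  run zonecfg -z "$ZONE" "add net; set physical=$VNIC; set allowed-address=$ADDR/$PREFIX; end; commit"
}

# Check from the global zone that the protection actually took.
show_protection() {
  run dladm show-linkprop -p protection,allowed-ips "$VNIC"
}

case "${1:-hardened}" in
  weak)     weak_config ;;
  hardened) hardened_config; show_protection ;;
  *)        echo "usage: $0 weak|hardened" >&2; exit 2 ;;
esac
```

Run it as `sh lx-vnic.sh hardened` (or `weak` for the comparison); on a host without `dladm`, or with `DRYRUN=1`, it only prints the commands it would run. The point relative to the thread: even though the global zone cannot reach into the zone's exclusive-ip stack once it is running, it still owns the datalink underneath, and that is where the address can be pinned.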
_______________________________________________
OmniOS-discuss mailing list
[email protected]
http://lists.omniti.com/mailman/listinfo/omnios-discuss
