Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates. All
rights reserved.
1. Introduction
1.1. Project/Component Working Name:
lofi(7D) in non global zones
1.2. Name of Document Author/Supplier:
Author: John Levon
1.3 Date of This Document:
23 April, 2010
4. Technical Description
1. Introduction
This case enables the safe use of the lofi(7d) driver and utilities
within a non-global zone.
A patch binding is requested.
2. Device visibility
Currently, it's not possible to usefully create lofi devices inside
a non-global zone. This project modifies the lofi(7d) driver and
related code such that each lofi node is owned by a particular zone.
The zone owner of each node is stored as a DDI property "zone", for
example:
# prtconf -v /dev/lofi/1
lofi, instance #0
    Device Minor Nodes:
        dev=(144,1)
            ....
            Minor properties:
                name='zone' type=string items=1 dev=(144,1)
                    value='ozone'
    ....
This property is looked up by the devnames zone profile code in
order to filter visibility of lofi nodes within the zone's mounted
/dev instance.
Within each zone, lofiadm(1m) is only allowed to see, or modify,
the nodes that zone has created. The global zone, however, can
access all nodes; for example:
# lofiadm
Block Device     File                                                    Options
/dev/lofi/1      /rpool/zones/ozone/root/var/lofi/lofi_file_736429_44    -
...
If the path cannot be resolved from the global zone (for example,
it may reside on an NGZ-mounted NFS path), the File column displays
"?".
When a zone is shut down, all its lofi devices (and any mounts on
top) are unmapped and destroyed.
As is the case today, only root users may access and modify lofi devices.
3. Resource limits
Currently, lofi has a limit of 128 devices. This case removes that
limit, as it does not extend to the multi-zone case. Instead, the
number of lofi devices is restricted by each device's associated
taskq: the lofi taskq is created as a zsched thread, so the zone
resource control max-lwps applies.
lofiadm traditionally allows direct specification of the minor
number to use when creating a mapping. Since the introduction of
direct lofi mounts, this feature is much less useful; however, this
case continues to support it. A maximum minor number of 65536 is
enforced.
Note that the minor number space is not virtualized across zones,
so a non-global zone can observe minor number allocation. However,
it cannot request mapping information for, or modify, nodes owned
by other zones.
4. Mounting lofi devices
The direct mount support introduced in PSARC 2008/290 works as
expected in non-global zones.
Allowing lofi devices into non-global zones introduces a security
issue. Some filesystems (notably UFS) are not sufficiently protected
against corrupted or maliciously constructed filesystem images,
which lofi allows the zone root user to modify. This could
potentially lead to a non-global zone panicking the kernel.
Therefore, mounts within a non-global zone are restricted to a
given allowed list of filesystems, as described in Section 5 and
Section 6. This applies to all mounts not just lofi ones.
5. New vfs flag VSW_ZMOUNT
The default list of allowed filesystems is based upon a new vfsdef_t
flag VSW_ZMOUNT. If set, then the filesystem may be mounted within a
zone, regardless of the fs-allowed value.
This flag is Consolidation Private.
Today, this flag is set for pseudo filesystems such as proc, network
filesystems such as NFS, plus the hsfs filesystem. Future work may
enable other filesystems by default.
Currently, a non-global zone can create a ZFS volume, but it is not
visible inside the zone's /dev. This case doesn't attempt to fix
this, although future work may enable it.
6. fs-allowed zone property
Although we cannot guarantee the safety of this, this case also
defines a new zone property to allow the administrator to add
filesystems to this approved list. The property "fs-allowed" is a
list of filesystem names that may be mounted from within the zone,
in addition to the ones already allowed. For example, to also allow
access to pcfs and ufs mounts:
# zonecfg -z ozone
zonecfg:ozone> set fs-allowed=ufs,pcfs
This property does not affect zone mounts administrated by the
global zone via "add fs" or "add dataset".
This property applies to all zone brands except lx, where it is not
allowed to be set.
This property is Committed.
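The decision rule of Sections 5 and 6 (a filesystem may be mounted from inside a non-global zone if its vfsdef carries VSW_ZMOUNT, or if its name appears in the zone's fs-allowed list) as a small C model, added here for illustration; it is not the ON source. The struct, the flag's bit value and the filesystem table are assumed; for an lx zone pass NULL for fs_allowed, since the property cannot be set there.

```c
/* Model of the zone mount policy described above. Added illustration,
 * not the illumos/ON kernel code: names, flag value and table are assumed. */
#include <stdbool.h>
#include <string.h>

#define VSW_ZMOUNT 0x80   /* assumed bit value; only its presence matters */

struct vfsdef {           /* stand-in for the kernel's vfsdef_t */
    const char *name;
    unsigned flags;
};

/* Constructed table: proc, nfs and hsfs carry VSW_ZMOUNT by default,
 * ufs and pcfs do not (they need fs-allowed). */
static const struct vfsdef vfstab[] = {
    { "proc", VSW_ZMOUNT }, { "nfs", VSW_ZMOUNT }, { "hsfs", VSW_ZMOUNT },
    { "ufs", 0 }, { "pcfs", 0 },
};

/* True if fsname is exactly one of the comma-separated entries in
 * fs_allowed (NULL or empty means the property is unset). Empty entries
 * and partial matches such as "uf" or "ufss" do not count. */
static bool in_fs_allowed(const char *fs_allowed, const char *fsname) {
    size_t n = strlen(fsname);
    for (const char *p = fs_allowed; p && *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, fsname, n) == 0)
            return true;
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* Decide whether a mount of fsname requested from inside a zone is
 * permitted. global: the requester is the global zone (no restriction).
 * fs_allowed: the zone's fs-allowed property value, or NULL if unset. */
bool zone_may_mount(bool global, const char *fs_allowed, const char *fsname) {
    if (global)
        return true;
    for (size_t i = 0; i < sizeof vfstab / sizeof vfstab[0]; i++) {
        if (strcmp(vfstab[i].name, fsname) == 0) {
            if (vfstab[i].flags & VSW_ZMOUNT)
                return true;   /* allowed regardless of fs-allowed */
            return in_fs_allowed(fs_allowed, fsname);
        }
    }
    return false;              /* unknown filesystem type: refuse */
}
```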
6. References
PSARC 1999/463 lofi - fast-track
PSARC 2008/290 lofi mount
6354954 lofi support in non-global zones
6946536 would like zvol support in non-global zones
7. Manual page differences
--- lofi.man Mon Apr 19 06:38:32 2010
+++ lofi.new Mon Apr 19 06:44:15 2010
@@ -117,15 +117,6 @@
For compatibility purposes, a raw device is also exported
with the block device. (For example, newfs(1M)).
-
- The lofi driver isn't available in a zone and will not work
- inside a zone.
-
-
-
-
-
-
SunOS 5.11 Last change: 25 Nov 2008 2
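Review bot: the removed paragraph ("The lofi driver isn't available in a zone and will not work inside a zone.") is not replaced with any description of the new behaviour, so the lofi(7D) page now says nothing about zones at all; suggest a sentence here stating that each lofi node is owned by the zone that created it, is visible only in that zone's /dev, and is unmapped when the zone is shut down. The "Last change: 25 Nov 2008" footer in the trailing context is also left unchanged although the page content changes.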
@@ -1816,7 +1826,7 @@
svcadm(1M), sysidtool(1M), zfs(1M), zoneadm(1M),
priv_str_to_set(3C), kstat(3KSTAT), vfstab(4), attri-
butes(5), brands(5), fnmatch(5), lx(5), privileges(5),
- resource_controls(5), zones(5)
+ resource_controls(5), zones(5), hsfs(7fs)
System Administration Guide: Solaris Containers-Resource
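Review bot: this hunk sits under the lofi.man header, but its context lines (svcadm(1M), zoneadm(1M), brands(5), lx(5), resource_controls(5), zones(5), "System Administration Guide: Solaris Containers-Resource") are the zonecfg(1M) SEE ALSO section, and the same change appears again below under zonecfg.man as "@@ -1816,7 +1833,7 @@"; it looks like a misfiled duplicate and should be dropped from the lofi.man diff.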
--- hsfs.man Mon Apr 19 06:38:28 2010
+++ hsfs.new Mon Apr 19 06:39:59 2010
@@ -204,7 +204,7 @@
SEE ALSO
- mount(1M), mount_hsfs(1M), vfstab(4)
+ mount(1M), mount_hsfs(1M), vfstab(4), zonecfg(1M)
N. V. Phillips and Sony Corporation, System Description Com-
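Review bot: SEE ALSO entries are conventionally ordered by manual section, so zonecfg(1M) belongs with the other 1M entries rather than after vfstab(4): "mount(1M), mount_hsfs(1M), zonecfg(1M), vfstab(4)".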
@@ -301,6 +301,7 @@
Sierra or ISO 9660 format CD-ROMs; only directory and file
names are subject to interpretation by HSFS.
+ By default, zones may mount this filesystem.
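Review bot: "By default, zones may mount this filesystem." leaves the reader without a reference point for "by default"; suggest "hsfs may be mounted from within a non-global zone regardless of the zone's fs-allowed property; see zonecfg(1M).", which also gives the zonecfg(1M) cross-reference added in the previous hunk a reason to exist.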
--- lofiadm.man Mon Apr 19 06:38:21 2010
+++ lofiadm.new Mon Apr 19 10:57:51 2010
@@ -77,9 +77,11 @@
later.
- The lofi driver is not available and will not work inside a
- zone.
+ In the global zone, lofiadm can be used on both the global
+ zone devices and all devices owned by other non-global zones
+ on the system.
+
OPTIONS
The following options are supported:
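Review bot: the replacement text describes only the global zone; the non-global zone behaviour this case introduces is not stated anywhere on the page. Suggest a preceding sentence such as "Within a non-global zone, lofiadm can only see and modify the devices created in that zone.", and mentioning that a zone's devices are unmapped when the zone is shut down.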
@@ -224,6 +226,9 @@
until the block device is used, so it will never be
written to if the block device is only opened read-only.
+ Note that the filename may appear as "?" if it is not
+ possible to resolve the path in the current context (for
+ example, if it's an NFS path in a non-global zone).
file
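Review bot: the added note says "the filename may appear as "?"", but the column in lofiadm output is labelled File; suggest "the File column may display "?"" so the reader can find it, and expand the contraction "it's" to "it is" to match manual page style.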
--- zonecfg.man Mon Apr 19 06:38:47 2010
+++ zonecfg.new Thu Apr 22 05:43:19 2010
@@ -379,7 +379,10 @@
scheduling-class
+ (global)
+ fs-allowed
+
fs
dir, special, raw, type, options
@@ -613,6 +616,20 @@
digits are acceptable.
+ global: fs-allowed
+
+ A comma-separated list of additional filesystems that may
+ be mounted within the zone; for example "ufs,pcfs". By
+ default, only hsfs(7fs) and network filesystems can be
+ mounted.
+
+ This property does not apply to filesystems mounted into
+ the zone via "add fs" or "add dataset".
+
+ WARNING: allowing filesystem mounts other than the default
+ may allow the zone administrator to compromise the system
+ with a bogus filesystem image, and is not supported.
+
fs: dir, special, raw, type, options
Values needed to determine how, where, and so forth to
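Review bot: the default stated here ("only hsfs(7fs) and network filesystems") omits the pseudo filesystems such as proc that also carry VSW_ZMOUNT by default, and the description does not say that fs-allowed cannot be set for lx-branded zones; both are stated in the case text (Sections 5 and 6) and belong in the property description. The WARNING's "is not supported" is also a stronger statement than the case's "cannot guarantee the safety"; confirm that unsupported is the intended support position before this ships.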
@@ -1816,7 +1833,7 @@
svcadm(1M), sysidtool(1M), zfs(1M), zoneadm(1M),
priv_str_to_set(3C), kstat(3KSTAT), vfstab(4), attri-
butes(5), brands(5), fnmatch(5), lx(5), privileges(5),
- resource_controls(5), zones(5)
+ resource_controls(5), zones(5), hsfs(7fs)
System Administration Guide: Solaris Containers-Resource
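Review bot: this hunk is the same SEE ALSO change that also appears earlier under the lofi.man header; keep only this copy, under zonecfg.man, so the diff applies cleanly.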
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
opensolaris-arc mailing list