Updated doc. I believe this incorporates all feedback from last week while I was out.

Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates.
All rights reserved.

1. Introduction
    1.1. Project/Component Working Name:
         NFS Instances
    1.2. Name of Document Author/Supplier:
         Author:  Robert Gordon, Jeff A. Smith
    1.3  Date of This Document:
         27 July, 2010

4. Technical Description

Minor binding is requested; there are no plans to backport any of the
proposed changes.

The proposed changes are needed to support an NFS server in a non-global
zone (NGZ); however, the changes are not specific to NFS. They would also
be used when enabling any file sharing protocol (e.g., CIFS) server for
non-global zones.

PRIV_SYS_SHARE
--------------

Currently, establishing a share enforces PRIV_SYS_CONFIG in sharefs. For
ZFS shares, libshare contains an additional check to enforce full
privileges. These privilege checks will never succeed in an NGZ because
they are prohibited by the Zones security model. The current checks will
be replaced by the proposed (new) PRIV_SYS_SHARE.

Each sharing protocol in Solaris (NFS and CIFS/SMB) has its own system
privilege, and it is currently enforced when protocol mounts or (GZ)
shares are established. The protocol-specific privileges are not
sufficient to preserve the current Solaris behavior of allowing protocol
mounts but disallowing protocol shares.

Some customers prefer the current behavior, which does not permit sharing
within an NGZ. The project team feels that a mechanism must be provided
for the GZ admin to preserve current behavior by preventing all protocol
shares on a per-zone basis while allowing protocol mounts.

PRIV_SYS_SHARE is a new system privilege proposed to disable sharing on a
per-zone basis. Because PRIV_SYS_SHARE is enforced within sharefs (where
all protocol shares begin), the GZ admin can completely disable shares
within a zone by adding PRIV_SYS_SHARE to the zone's set of prohibited
privileges.

Enforcement of the protocol-specific privileges (PRIV_SYS_NFS and
PRIV_SYS_SMB) will not be changed. To establish a share, both
PRIV_SYS_SHARE (to modify sharefs) and the protocol-specific privilege
are required.

VFS Share Ownership and References
----------------------------------

A file system may only be shared by a single NFS server instance. File
systems are assigned to zones with "add_dataset" and "add_fs" zone config
resources. The assigned file systems are only mounted in their zone, and
therefore can only be shared by the NFS server running in the zone.
However, a zone's root dataset is problematic because it is mounted both
within the global zone and its non-global zone.

To ensure that a file system can never be shared by multiple NFS server
instances, the notion of VFS share ownership is introduced. Enforcement
of VFS share ownership prevents the global zone from sharing an active
non-global zone's root dataset.

Two new vfs_t fields (vfs_share_owner, vfs_share_count) are used to track
VFS shares and VFS share ownership, and they are managed with the
following interfaces:

    int vfs_share_ref(vfs_t *, zone_t *);
    void vfs_share_unref(vfs_t *, zone_t *);

For each share, the NFS server establishes a share reference on the VFS
containing the shared object. The reference is removed when the object is
unshared. VFS share reference and VFS ownership changes are coordinated
with a new vfs_t lock: vfs_share_owner_lock.

When the zone_t * argument for vfs_share_ref() is not the current zone
owner of the VFS, EBUSY is returned because the VFS is shared by another
server instance. Otherwise, the reference count is bumped, and
optionally, the zone owner is set.

EXPORTED INTERFACES:

                        |Proposed       |Specified |
                        |Stability      |in what   |
Interface Name          |Classification |Document? | Comments
==============================================================================
                        |               |          |
PRIV_SYS_SHARE          |Committed      |This      | Share Privilege
                        |               |Document  |
                        |               |          |
vfs_share_ref()         |Consolidation  |This      | VFS
vfs_share_unref()       |Private        |Document  | Share Ownership.
                        |               |          |
                        |               |          |

6. Resources and Schedule
    6.4. Steering Committee requested information
        6.4.1. Consolidation C-team Name:
               ON
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open

_______________________________________________
opensolaris-arc mailing list
opensolaris-arc@opensolaris.org
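
The VFS share ownership rule described in the proposal, as a user-space model added here for illustration (not code from the project). The struct layouts, the pthread mutex standing in for the kernel lock, the vfs_share_init() helper, and the choice to clear the owner when the last reference is dropped are all assumptions; the proposal only states the field names, the two prototypes, and the EBUSY behavior.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* User-space stand-ins for the kernel types: only the fields the proposal names. */
typedef struct zone { int zone_id; } zone_t;
typedef struct vfs {
    pthread_mutex_t vfs_share_owner_lock; /* pthread mutex stands in for a kernel lock */
    zone_t *vfs_share_owner;              /* NULL while nothing is shared (assumption) */
    unsigned int vfs_share_count;         /* active shares on this VFS */
} vfs_t;

/* Hypothetical helper: start with an unshared, unowned VFS. */
void vfs_share_init(vfs_t *vfsp)
{
    pthread_mutex_init(&vfsp->vfs_share_owner_lock, NULL);
    vfsp->vfs_share_owner = NULL;
    vfsp->vfs_share_count = 0;
}

/* Take a share reference for `zone`; EBUSY if another zone owns the shares. */
int vfs_share_ref(vfs_t *vfsp, zone_t *zone)
{
    int err = 0;

    pthread_mutex_lock(&vfsp->vfs_share_owner_lock);
    if (vfsp->vfs_share_owner != NULL && vfsp->vfs_share_owner != zone) {
        err = EBUSY;                      /* shared by another server instance */
    } else {
        vfsp->vfs_share_owner = zone;     /* first reference sets the owner */
        vfsp->vfs_share_count++;
    }
    pthread_mutex_unlock(&vfsp->vfs_share_owner_lock);
    return err;
}

/* Drop a reference; the last one releases ownership (assumption). */
void vfs_share_unref(vfs_t *vfsp, zone_t *zone)
{
    pthread_mutex_lock(&vfsp->vfs_share_owner_lock);
    if (vfsp->vfs_share_owner == zone && vfsp->vfs_share_count > 0 &&
        --vfsp->vfs_share_count == 0)
        vfsp->vfs_share_owner = NULL;
    pthread_mutex_unlock(&vfsp->vfs_share_owner_lock);
}
```

In this model, the owner check and the count update happen under the same lock, so two server instances racing to share a zone's root dataset cannot both succeed.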