Re: [zones-discuss] Possible to create a thin zone?

2010-11-28 Thread Ian Collins

On 11/29/10 11:41 AM, Orvar Korvar wrote:

> I wonder if it is possible to create a really thin zone? I mean, a zone where
> all software is used directly from the global zone, where only /var is
> duplicated in the local zone?
>
> As of now, lots of files are copied from the global zone. For instance,
> /usr/bin/ls is copied from the global zone. Why can not the local zone use a
> link to the global zone's /usr directory instead?

What you describe is a Solaris sparse root zone.  Anything using IPS 
packaging (OpenSolaris or Solaris 11 Express) does not support sparse 
root zones.  With ZFS clones, very little is actually copied when 
creating a new zone.  One created recently only has 151K allocated to 
its dataset.

> And, in my global zone /usr directory I have several other programs that did
> not get copied to the local zone. Why is that?

Such as?

Not all packages in the global zone are copied to the new zone.

--
Ian.

___
zones-discuss mailing list
zones-discuss@opensolaris.org


[zones-discuss] Possible to create a thin zone?

2010-11-28 Thread Orvar Korvar
I wonder if it is possible to create a really thin zone? I mean, a zone where 
all software is used directly from the global zone, where only /var is 
duplicated in the local zone?

As of now, lots of files are copied from the global zone. For instance, 
/usr/bin/ls is copied from the global zone. Why can not the local zone use a 
link to the global zone's /usr directory instead?

And, in my global zone /usr directory I have several other programs that did 
not get copied to the local zone. Why is that?
-- 
This message posted from opensolaris.org


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-28 Thread Orvar Korvar
Ok, thank you for your clarification.

I think I prefer Crossbow because it is a "modern" approach. 

Regarding threat model, I prefer to have as much separated traffic as possible, 
therefore I prefer exclusive-ip instead of shared ip.


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-28 Thread James Carlson
On 11/28/10 14:50, Orvar Korvar wrote:
> Sorry, I didn't really get that. Could you explain a bit what you did, for a 
> solaris noob? You just shut down the global NIC, and the local zone NIC still 
> works? Yes?
> 
> A question: I see that you use shared ip. Isn't that less safe than 
> exclusive-ip because several zones share the same NIC in your case? If you 
> want to separate traffic maximally, you should use exclusive-ip, yes?

"Safe" is better defined if you have some sort of threat model in mind.
 It's unclear (at least to me) what that is.

With an exclusive IP instance, the non-global zone itself has more
access than with a shared IP instance, because the zone has to configure
its own interface.  With shared IP instance, the zone has no ability to
control the interface in any way at all -- it can't set the address or
(at least by default) send raw data.

There are trade-offs in each approach.

> If I use exclusive IP, I must configure virtual nics with crossbow - yes?

No.  If you use exclusive IP instances, you need to have separate
interfaces.  One way to get there is with virtual NICs.  Another is by
using separate VLANs on a single NIC.  Still another is by using
multiple NICs.  It's not a requirement to use virtual NICs, but it's one
more thing that you _can_ do.

> I am actually trying this, but cannot get my zone to ping the world. The local 
> zone exclusive-IP NIC does not work. When I get this scenario to work, I will 
> post everything here, how to do it. So others can follow. But I need help 
> during this research phase. Please help me answer my questions above?

Check the usual things -- such as the subnet mask configured on the
interface and the routes.  With exclusive IP instances, the zone itself
must set up the routes it needs.  With shared IP instances, all routing
is done in the global zone alone.

-- 
James Carlson 42.703N 71.076W 
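James's answer describes what an exclusive IP instance requires: a separate interface (a Crossbow VNIC is one option) and routes configured by the zone itself. The script below is an added example, not from the thread and not from Sun/Oracle documentation. It prints the global-zone commands for an exclusive-IP zone on a VNIC, the in-zone address and default route, and two checks for the "subnet mask and routes" advice above. The zone name `webzone`, NIC `e1000g0`, VNIC `webzone0`, and the 192.0.2.0/24 addresses are constructed placeholders; the `netstat -rn` samples are constructed too, so the checks run on any POSIX shell without a Solaris host.

```shell
#!/bin/sh
# Added example (not from the thread): command sequence for an exclusive-IP
# zone on a Crossbow VNIC, plus two checks for the "routes and subnet mask"
# troubleshooting advice. Names and addresses are constructed placeholders;
# the Solaris commands are printed for review, not executed here.

ZONE=${ZONE:-webzone}            # hypothetical zone name
NIC=${NIC:-e1000g0}              # hypothetical physical NIC in the global zone
VNIC=${VNIC:-${ZONE}0}           # hypothetical VNIC name, e.g. webzone0
ZONE_IP=${ZONE_IP:-192.0.2.10}   # constructed address (TEST-NET-1)
GATEWAY=${GATEWAY:-192.0.2.1}    # constructed default gateway

# Global zone: create the VNIC and give it to the zone as its only interface.
# ip-type=exclusive means the zone gets its own IP stack on that link.
gen_global_zone_setup() {
    cat <<EOF
dladm create-vnic -l $NIC $VNIC
zonecfg -z $ZONE "create; set zonepath=/zones/$ZONE; set ip-type=exclusive; add net; set physical=$VNIC; end; verify; commit"
EOF
}

# Inside the zone: with an exclusive IP instance the zone owns the stack, so it
# must plumb its own address and add its own default route. Nothing is
# inherited from the global zone's routing table (unlike shared IP).
gen_in_zone_setup() {
    cat <<EOF
ifconfig $VNIC plumb $ZONE_IP netmask 255.255.255.0 up
route -p add default $GATEWAY
EOF
}

# has_default_route: read 'netstat -rn' output on stdin, succeed only if a
# default route is present. A missing default route is the usual reason an
# exclusive-IP zone can reach its own subnet but not "the world".
has_default_route() {
    awk '$1 == "default" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# same_subnet24: true if two dotted-quad addresses share a /24, a quick check
# that the gateway is actually reachable with a 255.255.255.0 netmask.
same_subnet24() {
    [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "$2" | cut -d. -f1-3)" ]
}

# Constructed 'netstat -rn' samples as seen from inside a zone: one healthy,
# one with only the connected subnet route (the symptom described above).
sample_routes_ok() {
    cat <<EOF
Destination           Gateway           Flags  Ref     Use     Interface
default               192.0.2.1         UG       1      12 $VNIC
192.0.2.0             192.0.2.10        U        1       0 $VNIC
EOF
}

sample_routes_missing_default() {
    cat <<EOF
Destination           Gateway           Flags  Ref     Use     Interface
192.0.2.0             192.0.2.10        U        1       0 $VNIC
EOF
}

# Stand-alone usage: print the setup, then run the checks against the samples.
gen_global_zone_setup
gen_in_zone_setup
sample_routes_ok | has_default_route && echo "sample ok: default route present"
sample_routes_missing_default | has_default_route || echo "sample missing: add a default route inside the zone"
same_subnet24 "$ZONE_IP" "$GATEWAY" && echo "gateway is on the zone's /24"
```

On a real host, run `netstat -rn` from inside the zone (`zlogin`) and pipe it into `has_default_route`; in the shared-IP case the same command would show the global zone's routes, which is exactly the difference James describes. The `ifconfig plumb` form is the OpenSolaris/Solaris 10 style and is not persistent across reboots on its own (a `/etc/hostname.<vnic>` file is the usual way); Solaris 11 Express additionally offers `ipadm` for the same step.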


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-28 Thread Orvar Korvar
Sorry, I didn't really get that. Could you explain a bit what you did, for a 
solaris noob? You just shut down the global NIC, and the local zone NIC still 
works? Yes?

A question: I see that you use shared ip. Isn't that less safe than 
exclusive-ip because several zones share the same NIC in your case? If you want 
to separate traffic maximally, you should use exclusive-ip, yes?

If I use exclusive IP, I must configure virtual nics with crossbow - yes?



I am actually trying this, but cannot get my zone to ping the world. The local 
zone exclusive-IP NIC does not work. When I get this scenario to work, I will 
post everything here, how to do it. So others can follow. But I need help 
during this research phase. Please help me answer my questions above?