On Tue, Dec 28, 2010 at 06:45:00AM -0800, Orvar Korvar wrote:
My advice to the paranoid regarding regarding VMs would be to disable
extensions allowing the guest broader communication channels to services
on the host...
I didnt understand. You mean, for each local zone: disabling ssh and
On Tue, Dec 28, 2010 at 11:31:20AM -0800, Octave Orgeron wrote:
I would argue that even with VMware you have certain risks to consider when
you're depending on an underlining kernel or hypervisor that can actually see
into a guest memory or I/O space. And while there are add-ons like vSafe
On Wed, Apr 14, 2010 at 06:34:58PM +0100, Matt Harrison wrote:
Firstly, and this is a fairly basic thing but something I've always had
problems with: No matter what terminal setting I choose when I first
configure the zone, terminal applications such as Vim don't display
normally. When
On Mon, Apr 12, 2010 at 10:37:55AM -0700, Gregory Hicks wrote:
Used my google foo on induce solaris kernel panic and right near
the top was a pointer to docs.sun.com discussing Kernel Destructive
Action that contained this tidbit at this URL:
On Mon, Apr 12, 2010 at 06:49:02PM +0100, Ben Lavery wrote:
If an application was poorly written and caused the kernel to panic in
the g-zone, are you saying that the same application shouldn't be able
to cause a kernel panic in the ng-zone as it wouldn't be able to load
kernel modules, etc in
On Tue, Jun 30, 2009 at 10:13:34AM -0400, Moore, Joe wrote:
The global zone could be the one running automount. Since it knows
what host is local, it'll convert the nfs mounts to lofs
automagically.
For each zone, add the zone's automount entries to
global:/etc/auto_master as
On Tue, Jun 30, 2009 at 02:12:57PM -0700, Roman V Shaposhnik wrote:
On Tue, 2009-06-30 at 13:46 -0700, Glenn Faden wrote:
My personal question now is : why didn't I find it by myself ! :-)
Because it doesn't work. See:
On Tue, Jun 30, 2009 at 02:53:30PM -0700, Roman V Shaposhnik wrote:
On Tue, 2009-06-30 at 16:31 -0500, Nicolas Williams wrote:
also prevents one from sharing an autofs mount to more than one zone,
which cannot work out well since it would allow a filesystem mounted by
one zone to be visible
On Mon, Jun 29, 2009 at 11:31:20AM -0700, Glenn Faden wrote:
Steve Lawrence wrote:
I think each zone's automounter is smart enough to use lofs instead of nfs
for
mounts from a non-global to a global zone.
Please explain how this is possible. How can the automounter convert an
nfs
On Mon, Dec 08, 2008 at 10:14:26AM -0700, Jerry Jelinek wrote:
Yes, not everything that runs in the global zone works in a
non-global zone. NFS serving or non-global zones are the most obvious
examples.
For SMF services, the services to be deleted are the the ones
delivered in SVr4 pkgs
On Mon, Dec 08, 2008 at 12:37:48PM -0500, James Carlson wrote:
I am not planning on making any automated changes to the privileges
available
to the zone. If this turns out to be an important issue, then we could
look at that as a possible future enhancement. The problem I see is that
On Mon, Dec 08, 2008 at 01:30:18PM -0500, James Carlson wrote:
Nicolas Williams writes:
On Mon, Dec 08, 2008 at 12:37:48PM -0500, James Carlson wrote:
I suppose it'd be possible to look through the SMF 'privileges' for
the services that are still enabled, and then attempt to union those
On Tue, Oct 21, 2008 at 01:17:29PM -0700, Ben Rockwood wrote:
Jason King wrote:
I haven't found any documentation (yet, still looking), that says
anything either way, but I'm wondering to facilitate zone migration if
you can place a zone root on an NFS filesystem? Obviously would only
be
On Sat, Oct 04, 2008 at 01:14:59PM +0100, Nick Kew wrote:
Note also that (with no disrespect meant to Nick) a common newbie
behavior is to latch onto some random interface and attempt to bend it
to solve the problem at hand, whether or not it's the intended way to
solve that problem.
That
On Fri, Oct 03, 2008 at 03:27:38PM +0100, Nick Kew wrote:
In the past, we've had some efforts to improve separation, based on
worker children running under different user IDs. See for example
the perchild MPM at apache.org. There's a lot of demand for
perchild-like solutions, but no really
On Fri, Oct 03, 2008 at 04:18:23PM -0500, Nicolas Williams wrote:
- You probably don't actually need zones for this. Just being able to
isolate processes by making them run as different UIDs will suffice.
- Though, of course, to the extent that different sites hosted
On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
Nick is trying to isolate virtual systems, not users. I've seen this
That was, obviously, not the impression tat I got. It's trivial to
separate virtual systems by just running them in zones. But if I
misread what Nick was asking,
On Mon, Sep 01, 2008 at 07:13:56PM +0200, Renaud Manus wrote:
Sure :-)
Both Sun Cluster and AVS introduce new services. Some of them
(eg. global-devices system/nws_scm) are dependent on
milestone/single-user and add filesystem/local as their dependent.
If we were to move filesystem/local
On Fri, Jun 20, 2008 at 09:59:31AM -0400, James Carlson wrote:
Darren Reed writes:
2) it would seem the next place worth going is:
zoneadm subcommand [all options]
3) but what I'd rather do is:
zoneadm subcommand zonename [all-options-except -z]
You might want to review the CLIP
On Thu, Jun 19, 2008 at 09:36:15AM +0200, Joerg Barfurth wrote:
Take all the unstated (in the original post) syntax changes into
account, I agree that it seems possible to have a (CLIP compliant)
syntax of the form
zoneadm subcommand [all-options] [zonename [operands]]
and that this is
On Thu, Jun 19, 2008 at 06:19:30PM +0200, Joerg Barfurth wrote:
Nicolas Williams schrieb:
zoneadm subcommand [all-options]
That surely is a much easier change - and easy to do compatibly, if you
allow global options both before and after the subcommand.
But Darren apparently much prefers
See also:
6475075 zlogin i/o loop needs work
6263984 zlogin's i/o loop can sometimes drop data on child death
On Wed, May 28, 2008 at 11:53:18AM -0500, Nicolas Williams wrote:
On Tue, May 27, 2008 at 08:48:17AM -0600, Jerry Jelinek wrote:
This includes the changes for the feedback I have
On Fri, Sep 28, 2007 at 09:41:27PM +0100, Peter Tribble wrote:
On 9/26/07, Nicolas Williams [EMAIL PROTECTED] wrote:
Why do you think we limit usernames to 8 characters still? It's because
of things like ps(1) and ls(1) that like to use fixed-width columns.
But they aren't limited to 8
On Wed, Sep 26, 2007 at 08:35:24PM -0700, Hugh McIntyre wrote:
How about a variant of:
ps -o zone,user,pid,args -u fred
Indeed my copy of the man page says to use ps -o if you want longer
zone names.
Oh goody.
___
zones-discuss mailing list
On Wed, Sep 26, 2007 at 09:52:29PM +0100, Peter Tribble wrote:
Isn't this as easy as changing the format specifier from %8.8s to %8s?
OK, so then the columns don't line up. How much is this a problem?
It's a big problem. Personally, I think ps needs an option to output
non-column oriented
On Wed, Aug 29, 2007 at 03:52:49PM -0700, Dan Price wrote:
On Wed 29 Aug 2007 at 03:47PM, Erik Nordmark wrote:
Fixing the above CR requires changing how locking is done across the ZSD
callbacks. The new design is to determine what callbacks are needed
while holding the usual locks, but
On Wed, Jul 18, 2007 at 05:25:17PM -0400, Christine Tran wrote:
Customer wants to know if several sparse-root zones share some library
or text segments, and an application in a zone dumps core, could there
be cases where there are leaks in the core file, containing
information from other
On Mon, Jun 25, 2007 at 07:07:14AM -0600, Jerry Jelinek wrote:
Nicolas Williams wrote:
I've a customer who wants to be able to attach a downrev zone and patch
it. They want to know when (and in what S10 update) this will be
possible.
This is
6480464 RFE: zoneadm attach should patch
On Tue, Apr 17, 2007 at 09:31:53PM -0700, Dan Price wrote:
On Tue 17 Apr 2007 at 09:22PM, Mike Gerdts wrote:
Surely I am missing something else. What is it? Any interesting
complications with patching and/or live upgrade?
Setting aside patching and live upgrade...
The key thing
On Wed, Feb 14, 2007 at 05:55:12PM -0800, Glenn Faden wrote:
3) I know we've talked about a zone not being able to share stuff
outside of its namespace, but I wonder if we should further restrict
this to sharing storage that's fully administered in the zone, e.g.
you can't share a filesystem
On Thu, Feb 15, 2007 at 01:30:44PM -0800, [EMAIL PROTECTED] wrote:
Luke Scharf wrote:
Why not just run a userland NFS daemon in the zones -- and follow the
existing security model?
That makes all of the security model questions fall away -- and it
also gets fault isolation. There's a
On Thu, Feb 15, 2007 at 03:58:38PM -0600, Nicolas Williams wrote:
(Hmmm, much of ZFS runs in user-land,
I meant that much ZFS code compiles and can run in user-land, not that
it actually works that way
On Thu, Feb 15, 2007 at 03:58:38PM -0600, Nicolas Williams wrote:
Of course, you still need an implementation of NFS in user-land...
Speaking of which, IIRC Sun had a Java NFSv4 server (written by Brent
Callaghan, as I recall) that was used during development of the
protocol, and there's
On Wed, Feb 14, 2007 at 01:11:06PM -0600, Robert Gordon wrote:
so lets say /export/z1 is the root of zone1; and it contains a directory
that is called export. Zone1 exports it's /export, which is in reality
the global zones /export/z1/export.
I'm asserting that the global zone will not be
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There maybe a conflicting security requirement here. Lets say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA
35 matches
Mail list logo
