Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
Hi Niko,

this thread had 150 hits in the last three weeks, the topic is in the FAQ since 2005, and the question comes about every 9 months or so. So it seems it would be a desired feature!

I expect it would be most utilized in shops who have thousands of automount map entries, and hundreds or thousands of boxes they would like to put in branded-zones.

People would otherwise ask why not just run (solaris: automountd) or linux: autofs4? Well, autofs4 crashes, autofs5 does not seem to work with the brandz fake-kernel, and well, it's just plain silly to run 100 separate autofs daemons under containers, when lofs and some idmapd like thing would satisfy the problem.

[...on with the advocacy hat...]

Resource-controls on a brand-z container, minimal OS overhead, and 64 bit support someday. I think those are the keys needed to win a bakeoff with an outcome of linux containers under Solaris is 200% more efficient than any other virtualization when consolidating 100 vm's to one physical machine.

To demonstrate this, imagine a Linux (or Solaris) image with a 5000 entry automount map, and 100 VM's kicking the automount daemon every 15 minutes to scan for new mounts, running 100 Kernels and name service daemons under vmware or xen. Think of the I/O and CPU overhead for an otherwise idle system.

I would pay for Subscriptions Support for Opensolaris 2009.6 if it had it today.

Regards,
Rob

-- This message posted from opensolaris.org
___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Parallel mount question
Need a help with a problem.

We have VxFS file system, created in a global zone, and mounted under non-global zone as LOFS. Later, two new zones were created on the same server, that needed access to the very same file system. Someone decided to NFS-shareout this file system from the global zone, and NFS mount it on these two new zones. This (to my understanding) after few weeks corrupted bravely the file system, and today we experienced the same for second time.

My question is - can I keep the file system in the global zone, loop back it (with LOFS) to all three zones, providing r/w access to all of them, without risk to corrupt it again?

Thanks in advance for the help!
Vladi
Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
The answer is no.

5065254 NFS/UFS deadlock when system is both NFS server and client

Use LOFS.

John

-Original Message-
From: zones-discuss-boun...@opensolaris.org [mailto:zones-discuss-boun...@opensolaris.org] On Behalf Of Rob Mallory
Sent: Monday, June 29, 2009 12:01 PM
To: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?

Hi Niko,

this thread had 150 hits in the last three weeks, the topic is in the FAQ since 2005, and the question comes about every 9 months or so. So it seems it would be a desired feature!

I expect it would be most utilized in shops who have thousands of automount map entries, and hundreds or thousands of boxes they would like to put in branded-zones.

People would otherwise ask why not just run (solaris: automountd) or linux: autofs4? Well, autofs4 crashes, autofs5 does not seem to work with the brandz fake-kernel, and well, it's just plain silly to run 100 separate autofs daemons under containers, when lofs and some idmapd like thing would satisfy the problem.

[...on with the advocacy hat...]

Resource-controls on a brand-z container, minimal OS overhead, and 64 bit support someday. I think those are the keys needed to win a bakeoff with an outcome of linux containers under Solaris is 200% more efficient than any other virtualization when consolidating 100 vm's to one physical machine.

To demonstrate this, imagine a Linux (or Solaris) image with a 5000 entry automount map, and 100 VM's kicking the automount daemon every 15 minutes to scan for new mounts, running 100 Kernels and name service daemons under vmware or xen. Think of the I/O and CPU overhead for an otherwise idle system.

I would pay for Subscriptions Support for Opensolaris 2009.6 if it had it today.

Regards,
Rob
Re: [zones-discuss] Parallel mount question
Hello Vladi,

Yes you can use LOFS to all your zones to share the file system providing r/w access. I would even say that this is your BEST option.

NFS mount in your local zones of a file system shared by the global zone is absolutely not supported (including autofs access of course).

HTH,
William.

On 06/29/09 18:25, Yanakiev, Vladimir wrote:
> Need a help with a problem.
>
> We have VxFS file system, created in a global zone, and mounted under non-global zone as LOFS. Later, two new zones were created on the same server, that needed access to the very same file system. Someone decided to NFS-shareout this file system from the global zone, and NFS mount it on these two new zones. This (to my understanding) after few weeks corrupted bravely the file system, and today we experienced the same for second time.
>
> My question is - can I keep the file system in the global zone, loop back it (with LOFS) to all three zones, providing r/w access to all of them, without risk to corrupt it again?
>
> Thanks in advance for the help!
> Vladi
[zones-discuss] Networkless zones getting access to NFS data
Hi!

I have a project where I need to run untrusted code contained in a local zone. As the code is untrusted the less resources I give to such a zone the safer I feel. Networking in general, is one such resource. I don't want zone to have access to anything but a loopback interface.

Unfortunately, the data for an untrusted code comes from a r/o NFS mount. I know that I can't mount NFS shares into roots of the zones directly (nor can I use lofs). What options do I still have left? Any ideas?

Thanks,
Roman.

P.S. And just out of curiosity: what is the actual reason for not allowing NFS mounts into local zone roots? With all the traffic devoted to this feature I'm yet to see an explanation of why it wasn't allowed in the first place.
Re: [zones-discuss] Parallel mount question
On Mon, Jun 29, 2009 at 08:00:28PM +0200, William Roche wrote:
> Hello Vladi,
>
> Yes you can use LOFS to all your zones to share the file system providing r/w access. I would even say that this is your BEST option.
>
> NFS mount in your local zones of a file system shared by the global zone is absolutely not supported (including autofs access of course).

I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.

-Steve L.

> HTH,
> William.
>
> On 06/29/09 18:25, Yanakiev, Vladimir wrote:
> > Need a help with a problem.
> >
> > We have VxFS file system, created in a global zone, and mounted under non-global zone as LOFS. Later, two new zones were created on the same server, that needed access to the very same file system. Someone decided to NFS-shareout this file system from the global zone, and NFS mount it on these two new zones. This (to my understanding) after few weeks corrupted bravely the file system, and today we experienced the same for second time.
> >
> > My question is - can I keep the file system in the global zone, loop back it (with LOFS) to all three zones, providing r/w access to all of them, without risk to corrupt it again?
> >
> > Thanks in advance for the help!
> > Vladi
Re: [zones-discuss] Parallel mount question
Steve Lawrence wrote:
> I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.

Please explain how this is possible. How can the automounter convert an nfs specification of a global zone pathname into a pathname which can be expressed using the non-global zone's lofs semantics?

--Glenn
Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
Hi Rob,

On 29 June 09 at 18:01, Rob Mallory wrote:
> Hi Niko, this thread had 150 hits in the last three weeks, the topic is in the FAQ since 2005, and the question comes about every 9 months or so. So it seems it would be a desired feature!

Well, it's something that any old-styled Solaris sysadmin (like me) can't live without.

> I expect it would be most utilized in shops who have thousands of automount map entries, and hundreds or thousands of boxes they would like to put in branded-zones.

Why hundreds?

> People would otherwise ask why not just run (solaris: automountd) or linux: autofs4? Well, autofs4 crashes, autofs5 does not seem to work with the brandz fake-kernel, and well, it's just plain silly to run 100 separate autofs daemons under containers, when lofs and some idmapd like thing would satisfy the problem.
>
> [...on with the advocacy hat...]
>
> Resource-controls on a brand-z container, minimal OS overhead, and 64 bit support someday. I think those are the keys needed to win a bakeoff with an outcome of linux containers under Solaris is 200% more efficient than any other virtualization when consolidating 100 vm's to one physical machine.
>
> To demonstrate this, imagine a Linux (or Solaris) image with a 5000 entry automount map, and 100 VM's kicking the automount daemon every 15 minutes to scan for new mounts, running 100 Kernels and name service daemons under vmware or xen. Think of the I/O and CPU overhead for an otherwise idle system.
>
> I would pay for Subscriptions Support for Opensolaris 2009.6 if it had it today.

Hey? Thanks a lot Rob for this message! I was feeling alone before that.
Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
On 29 June 09 at 18:37, John Lorenzon wrote:
> The answer is no.
>
> 5065254 NFS/UFS deadlock when system is both NFS server and client

We don't use UFS. ;-)

> Use LOFS.

Easy to tell...
Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
On Mon, 2009-06-29 at 20:56 +0200, Nicolas Dorfsman wrote:
> Hi Rob,
>
> On 29 June 09 at 18:01, Rob Mallory wrote:
> > Hi Niko, this thread had 150 hits in the last three weeks, the topic is in the FAQ since 2005, and the question comes about every 9 months or so. So it seems it would be a desired feature!
>
> Well, it's something that any old-styled Solaris sysadmin (like me) can't live without.

Should we start a petition? Given that I have a Sun badge I can offer petitioning quite physically ;-)

Thanks,
Roman.
Re: [zones-discuss] Parallel mount question
On Mon, Jun 29, 2009 at 11:31:20AM -0700, Glenn Faden wrote:
> Steve Lawrence wrote:
> > I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.
>
> Please explain how this is possible. How can the automounter convert an nfs specification of a global zone pathname into a pathname which can be expressed using the non-global zone's lofs semantics?

Well, it doesn't have to be possible. Instead it should be possible to have the mount(2) syscall detect the loopback NFS and convert it into a lofs mount if, say, a flag is set in the arguments, or even by default.

That would work transparently for the automounter. Though if the automounter were not calling mount(2) directly, but instead passing back mount info to the autofs kernel module caller (which it does for some fs types), then the autofs module would need to know how to convert the mount to a lofs mount.

Nico
--
Re: [zones-discuss] Parallel mount question
Vladi,

You can mount the filesystem tree that you want to share anywhere in your local zone(s). You can do it in the zone configuration (using zonecfg) but you'll need to reboot the zone to take it into account; or using a mount command from the global zone to have the data appear in a running zone.

Practically: For the zonecfg case, as in the zonecfg(1M) man page:

    zonecfg:myzone3> add fs
    zonecfg:myzone3:fs> set dir=/appl/fs
    zonecfg:myzone3:fs> set special=/export/appl/fs
    zonecfg:myzone3:fs> set type=lofs
    zonecfg:myzone3:fs> add options [rw,nodevices]
    zonecfg:myzone3:fs> end

The result is: when you are logged in the local zone you'll see an /appl/fs directory showing the content of the /export/appl/fs directory from the global zone. You'll be allowed to write to this directory as you want. And you can share this same directory the same way in any other local zone in parallel. I guess this is what you are asking for.

-=-=-=-

Now about the automounter, I share Nico's point of view, but as far as I know nothing like that already exists, and No, the automounter or a mount request isn't 'clever' enough (or customized enough) yet to handle NFS data shared by the global zone and translate the mount request into an LOFS mount.

So be careful with NFS share from the global zone when you have local zones on the same machine.

HTH,
Cheers,
William.

On 06/29/09 20:51, Yanakiev, Vladimir wrote:
> Thanks, William!
>
> Let me ask one more question - inside the non-global zones, their automounters will still loopback this same file system one more time - if in the non global zone we see /export/appl/fs, it will be looped back as /appl/fs. My understanding is, this should be fine - am I right?
>
> Vladi
>
> -Original Message-
> From: william.ro...@sun.com [mailto:william.ro...@sun.com]
> Sent: Monday, June 29, 2009 2:00 PM
> To: Yanakiev, Vladimir
> Cc: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Parallel mount question
>
> Hello Vladi,
>
> Yes you can use LOFS to all your zones to share the file system providing r/w access. I would even say that this is your BEST option.
>
> NFS mount in your local zones of a file system shared by the global zone is absolutely not supported (including autofs access of course).
>
> HTH,
> William.
>
> On 06/29/09 18:25, Yanakiev, Vladimir wrote:
> > Need a help with a problem.
> >
> > We have VxFS file system, created in a global zone, and mounted under non-global zone as LOFS. Later, two new zones were created on the same server, that needed access to the very same file system. Someone decided to NFS-shareout this file system from the global zone, and NFS mount it on these two new zones. This (to my understanding) after few weeks corrupted bravely the file system, and today we experienced the same for second time.
> >
> > My question is - can I keep the file system in the global zone, loop back it (with LOFS) to all three zones, providing r/w access to all of them, without risk to corrupt it again?
> >
> > Thanks in advance for the help!
> > Vladi
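An added example, not part of the message above or of any Solaris tool: a shell function that flags the situation the thread warns about, an NFS mount whose server is the same machine. It reads mnttab(4)-format lines; the host names gz1 and filer1, the address 192.0.2.10 and the sample lines are constructed, and the list of the global zone's own names is assumed to be supplied by the administrator.

```shell
#!/bin/sh
# Added example: report NFS mounts served by the machine itself.
# Input : mnttab(4)-format lines on stdin, TAB-separated fields:
#         special, mount point, fstype, options, time.
# $1    : space-separated host names / addresses that belong to the
#         global zone (assumption: provided by the administrator).
# Output: "mount_point<TAB>special" for every loopback NFS entry.
# Needs a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris).
find_loopback_nfs() {
    awk -F'\t' -v names="$1" '
        BEGIN {
            # Build a case-insensitive lookup set of "our own" names.
            n = split(tolower(names), a, " ")
            for (i = 1; i <= n; i++) self[a[i]] = 1
        }
        $3 == "nfs" {
            # NFS special is "server:/path"; replicated mounts list
            # several servers separated by commas.
            colon = index($1, ":/")
            if (colon == 0) next
            m = split(tolower(substr($1, 1, colon - 1)), srv, ",")
            for (j = 1; j <= m; j++)
                if (srv[j] in self) { print $2 "\t" $1; break }
        }
    '
}

# Constructed sample, not taken from the thread: a cross-zone lofs
# mount (special shown as the zone-relative mount point), an NFS mount
# from a separate server, and an NFS mount served by the global zone.
sample_mnttab() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        /appl/fs /appl/fs lofs rw,nodevices 1246298400 \
        filer1:/export/home /home nfs rw,xattr 1246298401 \
        gz1:/export/appl/fs /mnt/appl nfs rw,xattr 1246298402
}

# Stand-alone demonstration: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    sample_mnttab | find_loopback_nfs "gz1 192.0.2.10"
fi
```

Any line it prints is a candidate for replacement by a lofs entry of the kind shown in the zonecfg session above.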
Re: [zones-discuss] Can a non-global zone mount an NFS file system from its own global zone?
On Jun 29, 2009, at 2:58 PM, Nicolas Dorfsman n...@unikservice.eu wrote:
> On 29 June 09 at 18:37, John Lorenzon wrote:
> > The answer is no.
> >
> > 5065254 NFS/UFS deadlock when system is both NFS server and client
>
> We don't use UFS. ;-)

That might not be enough to save you. The bug is a complicated (and rare) VM/FS/NFS deadlock. Best advice is just to avoid the situation.
Re: [zones-discuss] Parallel mount question
On Jun 29, 2009, at 2:31 PM, Glenn Faden glenn.fa...@sun.com wrote:
> Steve Lawrence wrote:
> > I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.
>
> Please explain how this is possible. How can the automounter convert an nfs specification of a global zone pathname into a pathname which can be expressed using the non-global zone's lofs semantics?

It'd have to be a helper out in the global zone that sets up the correct lofs mount.
Re: [zones-discuss] Parallel mount question
Nicolas Williams wrote:
> On Mon, Jun 29, 2009 at 11:31:20AM -0700, Glenn Faden wrote:
> > Steve Lawrence wrote:
> > > I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.
> >
> > Please explain how this is possible. How can the automounter convert an nfs specification of a global zone pathname into a pathname which can be expressed using the non-global zone's lofs semantics?
>
> Well, it doesn't have to be possible. Instead it should be possible to have the mount(2) syscall detect the loopback NFS and convert it into a lofs mount if, say, a flag is set in the arguments, or even by default.

I've thought about doing this in the past, but wasn't sure that it would work. The automounter has some special processing for NFS, and I don't know what would happen if a requested NFS mount got turned into a LOFS mount. For example, the automounter attempts to unmount anything it mounted that is no longer busy. So, it might also be necessary to modify the umount syscall to translate NFS umounts to LOFS umounts. Then there is the issue of the automounter looking up entries in /etc/mnttab. It might get confused when looking for NFS entries that were turned into LOFS.

> That would work transparently for the automounter. Though if the automounter were not calling mount(2) directly, but instead passing back mount info to the autofs kernel module caller (which it does for some fs types), then the autofs module would need to know how to convert the mount to a lofs mount.

Note that cross-zone LOFS mounts have a fictitious value for special when viewed in the zone's /etc/mnttab. Instead of the actual global zone pathname, the special is represented as a duplicate of the zone-relative mountpoint. So it's not obvious how the automounter can do a useful conversion. For this to work, the kernel would have to internally do a LOFS mount but somehow make it appear externally that it is an NFS mount.

--Glenn
Re: [zones-discuss] Parallel mount question
James Carlson wrote:
> On Jun 29, 2009, at 2:31 PM, Glenn Faden glenn.fa...@sun.com wrote:
> > Steve Lawrence wrote:
> > > I think each zone's automounter is smart enough to use lofs instead of nfs for mounts from a non-global to a global zone.
> >
> > Please explain how this is possible. How can the automounter convert an nfs specification of a global zone pathname into a pathname which can be expressed using the non-global zone's lofs semantics?
>
> It'd have to be a helper out in the global zone that sets up the correct lofs mount.

Jim,

You may remember that during the early days of the Trusted Extensions project I tried to get the global zone automounter to act as such a helper process. This was before the automounter used doors, and I couldn't get the TLI code to work across zones reliably. There were synchronization issues since the global zone automounter wasn't aware of individual zone states. Maybe a better helper program might be the zoneadmd process that is associated with each zone.

--Glenn