Re: [zones-discuss] A seperate /usr/local/

2007-05-04 Thread Bernd Finger - Sun Germany
Hi, DJR wrote: I installed my zones in a sparse zone format. Question is, is there a way to NOT use /usr/local from the global zone and use a local copy or start with a clean /usr/local on the zone besides in a whole root format where it copies the global over to the zone. I do not want to

[zones-discuss] pidentd

2007-05-04 Thread goudal
Hello, I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work? f.g.

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work? Essentially, no. Opening /dev/kmem in the zone wouldn't be a good

Re: [zones-discuss] pidentd

2007-05-04 Thread goudal
James Carlson [EMAIL PROTECTED] Cc: zones-discuss@opensolaris.org Date: Fri, 04 May 2007 07:04:14 EDT Subject: Re: [zones-discuss] pidentd [EMAIL PROTECTED] writes: I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd doesn

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
That's a real pain as that prevents us from using zones as hosting servers for users: we are a school and we just want to identify connections. Starting with mail sending. Zones would break our identification model. It would be real nice if some solution could be found. I've done some work

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: I've done some work on pidentd prior to the new IP instances code using the ability to intercept calls for all zones in the global zone with the SO_ALLZONES socket option (which may not work anymore after the IP instances putback) Nifty! Not sure about the socket

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
Not sure about the socket option (should still work ... ?), but IP Instances did nuke the symbols that pidentd was reading out of the kernel, so that utility is now broken. I also have no idea about that option and how it is affected by the IP instances project. I am assuming it is now

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: I'd sort of like to know how it does that reliably ... does it fork and enter the zone? It does not resolve names local to the local zones; but it can easily find all the appropriate uids and processes. No different from traditional Solaris with multiple

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
[EMAIL PROTECTED] writes: I'd sort of like to know how it does that reliably ... does it fork and enter the zone? It does not resolve names local to the local zones; but it can easily find all the appropriate uids and processes. No different from traditional Solaris with multiple

Re: [zones-discuss] A seperate /usr/local/

2007-05-04 Thread Jeff Victor
Hi Bernd, That is interesting, both in good and bad ways. That method weakens the security of the system. For example, if the global zone's root user has /usr/local in its $PATH, a non-global zone root user could insert a trojan horse into an existing script or program in /usr/local. This

Re: [zones-discuss] A seperate /usr/local/

2007-05-04 Thread Bernd Finger - Sun Germany
Jeff, If there is a link pointing from /usr/local to /_usr_local, this link will be present in each zone and pointing to directory _usr_local in the / file system of that zone only. Example: After logging in to local zone z_01 (with zonepath /zone/z_01) and creating a file /usr/local/test1,

Re: [zones-discuss] pidentd

2007-05-04 Thread David . Comay
Oh. I thought that pidentd was supposed to resolve UIDs locally. That's one of the features of the protocol; it provides here's who *I* think the user is information back to the requester. Of course, that's why I thought IDENT was a fairly bogus mechanism since you're asking the remote system

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: Oh. I thought that pidentd was supposed to resolve UIDs locally. That's one of the features of the protocol; it provides here's who *I* think the user is information back to the requester. Of course, that's why I thought IDENT was a fairly bogus mechanism since

Re: [zones-discuss] pidentd

2007-05-04 Thread Erik Nordmark
James Carlson wrote: [EMAIL PROTECTED] writes: I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work? Essentially, no. Opening /dev/kmem in the

[zones-discuss] Best practice - mounting file system on local zone

2007-05-04 Thread Ramesh Mudradi
Hello, Can someone shed some light on pros/cons of various ways of mounting a file system onto a local zone? I believe there are four different ways to mount a device/file system on a local zone as per the below URL, but it is not very clear how they are different.