Re: [zones-discuss] NFS exports from global zone holding local zone mount points open
On Thu, Jan 18, 2007 at 04:21:47PM -0500, Tillman, Gregory wrote: > Thanks, this looks feasible, although awkward. I also considered simply > moving the filesystem to the global zone's vfstab, and set it to mount > under /zones/my_zone/root (ie mount it into the local zone). This is > probably a bad idea, but I'm not entirely sure why. This will cause booting myzone to fail, as there would be an existing mountpoint in a subdirectory of the zone's root: # zoneadm -z myzone boot zoneadm: zone 'myzone': These file-systems are mounted on subdirectories of /zones/myzone/root: zoneadm: zone 'myzone': /zones/myzone/root/logdir zoneadm: zone 'myzone': call to zoneadmd failed I need to dig up the reason for why this restriction exists. On initial inspection, it looks like halting a zone unmounts everything under the zone's root. If we did not have this restriction, then a non-global zone root user could cause a umount in the global zone of a filesystem that existed prior to the zone's existance. scenerio: - mount made under /zones/myzone/root/logdir by global zone root. - myzone is attached/booted - myzone is halted by non-global zone root, umounting all under /zones/myzone/root - This umounts /zones/myzone/root/logdir in the global zone. This seems like it would be bad. To lift this restriction, zone halt would need to be enhanced to know which filesystems under the zone's root should NOT be umounted on halt. This could be non-trivial. You can do the mount AFTER creating myzone. From global zone: zoneadm -z myzone ready mount /zones/myzone/root/logdir share /zones/myzone/root/logdir zoneadm -z myzone boot But then you have to keep in mind that each time the zone is halted, /zones/myzone/root/logdir will become unmounted. If the zone reboots on its own, then it will unmount /zones/myzone/root/logdir during halt, boot up again without mounting /zones/myzone/root/logdir, and start loggin in the wrong place. Not good. -Steve > > - greg > > -Original Message- > From: Steve Lawrence [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 18, 2007 4:16 PM > To: Glenn Faden > Cc: Tillman, Gregory; zones-discuss@opensolaris.org > Subject: Re: [zones-discuss] NFS exports from global zone holding local > zone mount points open > > I'm guessing your zonecfg for myzone looks something like: > > fs: > dir: /logdir > special: /dev/dsk/c0t1d0s0 > raw: /dev/rdsk/c0t1d0s0 > type: ufs > options: [] > > If you want to share the filesystem from the global zone, mount the > device in the global zone, and in the non-global zone, just use a lofs > mount to the global zone: > > In global /etc/vfstab: > /dev/dsk/c0t1d0s0 /dev/rdsk/c0t1d0s0 /zones/zone_logs/myzone_logdir ufs > - yes - > > In global /etc/dfs/dfstab > share -F nfs -o ro=stats.lmig.com /zones/zone_logs/myzone_logdir > > In zonecfg for myzone: > fs: > dir: /logdir > special: /zones/zone_logs/myzone_logdir > type: lofs > options: [] > > I tested this using the solaris express developer release, and it works. > This most likely works on the latest s10 update, but please check. > > -Steve L. > > On Thu, Jan 18, 2007 at 11:07:19AM -0800, Glenn Faden wrote: > > This feature is not supported with standard Solaris. It is only > > supported in Trusted Extensions. There are at least two problems in > > standard Solaris. As you pointed out, the NFS sharing should not take > > place until the zone is booted, and it should be unshared when the > > zone is halted. TX does the share and unshare operations automatically > > > at the right time (within zoneadmd). TX maintains separate dftstab > > files for each zone. > > > > Secondly, the pathname, e.g. /zones/myzone, is not searchable except > > by root.. So anything that was exported would not be available anyway. > > > This is also fixed in TX by special casing the zonepath permissions > for NFS. > > > > --Glenn > > > > Tillman, Gregory wrote: > > > > >I understand that NFS-exports need to be done in the global zone, so > > >I dutifully added: > > > > > >share -F nfs -o ro=stats.lmig.com /zones/myzone/root/logdir > > > > > >to /etc/dfs/dfstab of my global zone. > > > > > >But when the master system rebooted, the NFS export happened before > > >the local zone could boot. So the zone could not mount this > > >filesystem, because the mount point was busy, and the zone boot > > >failed. The problem may also occur with a simple r
RE: [zones-discuss] NFS exports from global zone holding local zone mount points open
Thanks, this looks feasible, although awkward. I also considered simply moving the filesystem to the global zone's vfstab, and set it to mount under /zones/my_zone/root (ie mount it into the local zone). This is probably a bad idea, but I'm not entirely sure why. - greg -Original Message- From: Steve Lawrence [mailto:[EMAIL PROTECTED] Sent: Thursday, January 18, 2007 4:16 PM To: Glenn Faden Cc: Tillman, Gregory; zones-discuss@opensolaris.org Subject: Re: [zones-discuss] NFS exports from global zone holding local zone mount points open I'm guessing your zonecfg for myzone looks something like: fs: dir: /logdir special: /dev/dsk/c0t1d0s0 raw: /dev/rdsk/c0t1d0s0 type: ufs options: [] If you want to share the filesystem from the global zone, mount the device in the global zone, and in the non-global zone, just use a lofs mount to the global zone: In global /etc/vfstab: /dev/dsk/c0t1d0s0 /dev/rdsk/c0t1d0s0 /zones/zone_logs/myzone_logdir ufs - yes - In global /etc/dfs/dfstab share -F nfs -o ro=stats.lmig.com /zones/zone_logs/myzone_logdir In zonecfg for myzone: fs: dir: /logdir special: /zones/zone_logs/myzone_logdir type: lofs options: [] I tested this using the solaris express developer release, and it works. This most likely works on the latest s10 update, but please check. -Steve L. On Thu, Jan 18, 2007 at 11:07:19AM -0800, Glenn Faden wrote: > This feature is not supported with standard Solaris. It is only > supported in Trusted Extensions. There are at least two problems in > standard Solaris. As you pointed out, the NFS sharing should not take > place until the zone is booted, and it should be unshared when the > zone is halted. TX does the share and unshare operations automatically > at the right time (within zoneadmd). TX maintains separate dftstab > files for each zone. > > Secondly, the pathname, e.g. /zones/myzone, is not searchable except > by root.. So anything that was exported would not be available anyway. > This is also fixed in TX by special casing the zonepath permissions for NFS. > > --Glenn > > Tillman, Gregory wrote: > > >I understand that NFS-exports need to be done in the global zone, so > >I dutifully added: > > > >share -F nfs -o ro=stats.lmig.com /zones/myzone/root/logdir > > > >to /etc/dfs/dfstab of my global zone. > > > >But when the master system rebooted, the NFS export happened before > >the local zone could boot. So the zone could not mount this > >filesystem, because the mount point was busy, and the zone boot > >failed. The problem may also occur with a simple reboot of the local > >zone, I haven't tried that yet. > > > >This must be a common problem, so I wondered if there is a > >recommended solution. > > > >Thanks > > > >- greg > >___ > >zones-discuss mailing list > >zones-discuss@opensolaris.org > > > > > > ___ > zones-discuss mailing list > zones-discuss@opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] NFS exports from global zone holding local zone mount points open
I'm guessing your zonecfg for myzone looks something like: fs: dir: /logdir special: /dev/dsk/c0t1d0s0 raw: /dev/rdsk/c0t1d0s0 type: ufs options: [] If you want to share the filesystem from the global zone, mount the device in the global zone, and in the non-global zone, just use a lofs mount to the global zone: In global /etc/vfstab: /dev/dsk/c0t1d0s0 /dev/rdsk/c0t1d0s0 /zones/zone_logs/myzone_logdir ufs - yes - In global /etc/dfs/dfstab share -F nfs -o ro=stats.lmig.com /zones/zone_logs/myzone_logdir In zonecfg for myzone: fs: dir: /logdir special: /zones/zone_logs/myzone_logdir type: lofs options: [] I tested this using the solaris express developer release, and it works. This most likely works on the latest s10 update, but please check. -Steve L. On Thu, Jan 18, 2007 at 11:07:19AM -0800, Glenn Faden wrote: > This feature is not supported with standard Solaris. It is only > supported in Trusted Extensions. There are at least two problems in > standard Solaris. As you pointed out, the NFS sharing should not take > place until the zone is booted, and it should be unshared when the zone > is halted. TX does the share and unshare operations automatically at the > right time (within zoneadmd). TX maintains separate dftstab files for > each zone. > > Secondly, the pathname, e.g. /zones/myzone, is not searchable except by > root.. So anything that was exported would not be available anyway. This > is also fixed in TX by special casing the zonepath permissions for NFS. > > --Glenn > > Tillman, Gregory wrote: > > >I understand that NFS-exports need to be done in the global zone, so I > >dutifully added: > > > >share -F nfs -o ro=stats.lmig.com /zones/myzone/root/logdir > > > >to /etc/dfs/dfstab of my global zone. > > > >But when the master system rebooted, the NFS export happened before the > >local zone could boot. So the zone could not mount this filesystem, > >because the mount point was busy, and the zone boot failed. The problem > >may also occur with a simple reboot of the local zone, I haven't tried > >that yet. > > > >This must be a common problem, so I wondered if there is a recommended > >solution. > > > >Thanks > > > >- greg > >___ > >zones-discuss mailing list > >zones-discuss@opensolaris.org > > > > > > ___ > zones-discuss mailing list > zones-discuss@opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] NFS exports from global zone holding local zone mount points open
This feature is not supported with standard Solaris. It is only supported in Trusted Extensions. There are at least two problems in standard Solaris. As you pointed out, the NFS sharing should not take place until the zone is booted, and it should be unshared when the zone is halted. TX does the share and unshare operations automatically at the right time (within zoneadmd). TX maintains separate dftstab files for each zone. Secondly, the pathname, e.g. /zones/myzone, is not searchable except by root.. So anything that was exported would not be available anyway. This is also fixed in TX by special casing the zonepath permissions for NFS. --Glenn Tillman, Gregory wrote: I understand that NFS-exports need to be done in the global zone, so I dutifully added: share -F nfs -o ro=stats.lmig.com /zones/myzone/root/logdir to /etc/dfs/dfstab of my global zone. But when the master system rebooted, the NFS export happened before the local zone could boot. So the zone could not mount this filesystem, because the mount point was busy, and the zone boot failed. The problem may also occur with a simple reboot of the local zone, I haven't tried that yet. This must be a common problem, so I wondered if there is a recommended solution. Thanks - greg ___ zones-discuss mailing list zones-discuss@opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] NFS exports from global zone holding local zone mount points open
I understand that NFS-exports need to be done in the global zone, so I dutifully added: share -F nfs -o ro=stats.lmig.com /zones/myzone/root/logdir to /etc/dfs/dfstab of my global zone. But when the master system rebooted, the NFS export happened before the local zone could boot. So the zone could not mount this filesystem, because the mount point was busy, and the zone boot failed. The problem may also occur with a simple reboot of the local zone, I haven't tried that yet. This must be a common problem, so I wondered if there is a recommended solution. Thanks - greg ___ zones-discuss mailing list zones-discuss@opensolaris.org
