Re: [zones-discuss] Re: [nfs-discuss] NFS server in zones
Tom Haynes wrote: What about the case where the customer wants to administer the zone they purchased and they do not want the global zone admins to have local access to their data? That would violate basics of the zones model. The global zone admin has complete access to all devices attached to the system. How would you prevent the GZ admin from halting the zone, manually mounting the non-global zone's disk partitions into the global zone, and accessing the data? Preventing the global zone from accessing certain hardware components would "open a very large can of worms." -- Jeff VICTOR Sun Microsystemsjeff.victor @ sun.com OS AmbassadorSr. Technical Specialist Solaris 10 Zones FAQ:http://www.opensolaris.org/os/community/zones/faq -- ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Re: [nfs-discuss] NFS server in zones
Tom Haynes wrote: What about the case where the customer wants to administer the zone they purchased and they do not want the global zone admins to have local access to their data? Well, there is a tradition in Zones of making the global zone substantially more equal than others. Remember that the global zone admin can observe network traffic from local zones and can access any files in local zones. Rob T ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Re: [nfs-discuss] NFS server in zones
On Wed, Feb 14, 2007 at 02:03:09PM -0600, Tom Haynes wrote: > What about the case where the customer wants to administer the zone they > purchased > and they do not want the global zone admins to have local access to > their data? The global zone admin (all privileged user) can do _anything_ (e.g., load a kernel module and go from there). ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Re: [nfs-discuss] NFS server in zones
Nicolas Williams wrote: I'd even go further and say that any user in the global zone would not have access to /export/z1. [...] But if we resolve loopback NFS mount issues then any zone could access any other zone's NFS shares provided they have logical or physical connectivity between them. So why not allow global zone access then, mediated, perhaps, by NFSv4-style ID mapping? Nico What about the case where the customer wants to administer the zone they purchased and they do not want the global zone admins to have local access to their data? I'd say make it simple - in order to get access, you must be able to mount the export and abide both by the share level machine access rules and either the UID mapping (NFSv3) or ID mapping (NFSv4) rules. Let the owner of the zone explicitly control the access to their data. ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Re: [nfs-discuss] NFS server in zones
And here is a link to the bug which is tracking NFS in zones: http://bugs.opensolaris.org/view_bug.do?bug_id=4964859 Note that the description sucks right now as far as OpenSolaris is concerned. I'll get the relevant comments back into the description. BTW: I crossposted to all of the discussion groups to get as much feedback as possible. I'm willing to pull back to just the nfs-discuss group and point the other groups to it. ___ zones-discuss mailing list zones-discuss@opensolaris.org