On Thu, 15 Feb 2007 06:19:10 +0100, Mahesh Siddheshwar
[EMAIL PROTECTED] wrote:
Robert Thurlow wrote:
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in
Robert Thurlow wrote:
In a related area, and to address an earlier question I raised, I don't
think getting a filesystem via a lofs mount should entitle you to share
it - you should have device access delegated to your zone in order to do
that. Zones folks may disagree.
Rob,
In general we
On Wed, Feb 14, 2007 at 05:55:12PM -0800, Glenn Faden wrote:
3) I know we've talked about a zone not being able to share stuff
outside of its namespace, but I wonder if we should further restrict
this to sharing storage that's fully administered in the zone, e.g.
you can't share a filesystem
Darren J Moffat wrote On 02/14/07 14:30,:
Menno Lageman wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is
restricted
to that zone only. By that i mean no global zone access to that
namespace,
nor would that
hi Octave, thanks much for the comments.
However, I think there's a need to take a few steps back...
The requirements you list are things that seem to me to be: once we
have decided that we want an NFS server in a zone, these are important
things that should be true of the delivered product.
Hi,
Read below..
--- Calum Mackay [EMAIL PROTECTED] wrote:
hi Octave, thanks much for the comments.
However, I think there's a need to take a few steps back...
The requirements you list are things that seem to me to be: once we
have decided that we want an NFS server in a zone, these
Calum Mackay wrote:
hi Octave, thanks much for the comments.
scrap projects. Probably the most common idea for having a zone NFS
server is for Jumpstart or home directories. As things stand today,
it's not doable.
Right, but these things are easily done (of course) using a server in
the
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is
restricted
to that zone only. By that i mean no global zone access to that
namespace,
nor would that namespace be re-exported within another NFS Server zone
instance ?
btw: Team NFS is acutely
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
Unless I misunderstand you, we have no choice - the global zone's namespace is
separate
It sounds like we're saying that NFS is just a basic system service that
we want to provide from our already existing - and independently-managed
- zones, rather than setting up zones specifically to provide separate
NFS services (with the various exceptions e.g. Jumpstart testing).
That
On Feb 14, 2007, at 12:47 PM, Jeff Victor wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is
restricted
to that zone only. By that i mean no global zone access to that
namespace,
Unless I misunderstand you, we have
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that
namespace,
nor would that namespace be re-exported within another NFS Server zone
instance ?
I
Robert Gordon wrote:
...
I'd even go further and say that any user
in the global zone would not have access to /export/z1.
...
This is already the case. The mode on the final zonepath
directory must be 700. This is set when zoneadm installs
the zone and verified when you do normal zone
Menno Lageman wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is
restricted
to that zone only. By that i mean no global zone access to that
namespace,
nor would that namespace be re-exported within another NFS Server
On Wed, Feb 14, 2007 at 01:11:06PM -0600, Robert Gordon wrote:
so let's say /export/z1 is the root of zone1; and it contains a directory
that is called export. Zone1 exports its /export, which is in reality
the global zone's /export/z1/export.
I'm asserting that the global zone will not be
Calum Mackay wrote:
It sounds like we're saying that NFS is just a basic system service that
we want to provide from our already existing - and independently-managed
- zones, rather than setting up zones specifically to provide separate
NFS services (with the various exceptions e.g. Jumpstart
[EMAIL PROTECTED] wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in your use case, is it that this will
be a problem, i.e. will your boxes be in the position where a
Trusted Extensions already includes this functionality, although the
implementation is not exactly what is being requested in this thread. In
the case of Trusted Extensions, the global zone administrator determines
which labeled zone directories may be exported via NFS. There is unique
dfstab
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA
Robert Gordon wrote:
On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
this all makes logical sense to me.
i would refine your second point though because it doesn't take into
account lofs mounts.
ex, if i have /export/foo in the global zone and then in zonecfg i
configure a
Hi,
--- [EMAIL PROTECTED] wrote:
1) I think there are a variety of use cases that may have disjoint
requirements from consolidation, and I want to hear about them, too.
One example we had awhile back - SAS shares some of its data via NFS,
and loses this ability in a zone. Do they need
Hi Robert,
Excellent point! I think this is a good example of why the same
physical path can't be shared from a zone and the global zone at the
same time. Perhaps excluding any zonepaths from being shared at the
global zone is desirable if the nfs switch for that zone is turned on?
Octave
---
Robert Gordon wrote:
it seems to me that both the local zone and the global zone
should be able to export it (or not export it) independently.
ed
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really
Octave Orgeron wrote:
Hi Robert,
Excellent point! I think this is a good example of why the same
physical path can't be shared from a zone and the global zone at the
same time. Perhaps excluding any zonepaths from being shared at the
global zone is desirable if the nfs switch for that zone is
Edward Pilatowicz wrote:
On Thu, Feb 15, 2007 at 12:28:40AM +, Darren J Moffat wrote:
Nicolas Williams wrote:
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo
[EMAIL PROTECTED] wrote:
I tend to agree, and the basic server consolidation target just makes
sense. I want to pretend a zone is the box I used to have and not have
to bump my nose on a funny behaviour or exceptions.
However, there are some wrinkles:
2) Due to the above, it seems like the
On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
i would refine your second point though because it doesn't take into
account lofs mounts.
ex, if i have /export/foo in the global zone and then in zonecfg i
configure a filesystem resource such that this directory is also
lofs mounted in
Octave Orgeron wrote:
--- [EMAIL PROTECTED] wrote:
2) Since NFS is mostly an in-kernel service, unlike something like
Apache, if you have some kind of issue with NFS stability, you lose
the whole box, not just the zone. This lack of fault isolation isn't
always something that people are
Robert Thurlow wrote:
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in your use case, is it that this will
be a problem, i.e. will your boxes be in the
29 matches