Darren J Moffat wrote On 02/14/07 14:30,:
Menno Lageman wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
nor would that namespace
On Wed, Feb 14, 2007 at 05:55:12PM -0800, Glenn Faden wrote:
> >3) I know we've talked about a zone not being able to share stuff
> >outside of its namespace, but I wonder if we should further restrict
> >this to sharing storage that's fully administered in the zone, e.g.
> >you can't share a files
Robert Thurlow wrote:
In a related area, and to address an earlier question I raised, I don't
think getting a filesystem via a lofs mount should entitle you to share
it - you should have device access delegated to your zone in order to do
that. Zones folks may disagree.
Rob,
In general we rec
On Thu, 15 Feb 2007 06:19:10 +0100, Mahesh Siddheshwar
<[EMAIL PROTECTED]> wrote:
Robert Thurlow wrote:
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in
Robert Thurlow wrote:
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in your use case, is it that this will
be a problem, i.e. will your boxes be in the posi
Robert Thurlow wrote:
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in your use case, is it that this will
be a problem, i.e. will your boxes be in the posi
Glenn Faden wrote:
4) A bug currently prevents a client instance and a server instance
from being safe to use on the same box (apologies, can't quote the
bugid from here). How likely, in your use case, is it that this will
be a problem, i.e. will your boxes be in the position where a zone
needs
On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
i would refine your second point though because it doesn't take into
account lofs mounts.
ex, if i have /export/foo in the global zone and then in zonecfg i
configure a "filesystem" resource such that this directory is also
lofs mounted in
[EMAIL PROTECTED] wrote:
I tend to agree, and the basic "server consolidation" target just makes
sense. I want to pretend a zone is the box I used to have and not have
to bump my nose on a funny behaviour or exceptions.
However, there are some wrinkles:
2) Due to the above, it seems like the
Edward Pilatowicz wrote:
On Thu, Feb 15, 2007 at 12:28:40AM +, Darren J Moffat wrote:
Nicolas Williams wrote:
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with
Octave Orgeron wrote:
Hi Robert,
Excellent point! I think this is a good example of why the same
physical path can't be shared from a zone and the global zone at the
same time. Perhaps excluding any zonepaths from being shared at the
global zone is desirable if the nfs switch for that zone is tu
Nicolas Williams wrote:
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then alon
Robert Gordon wrote:
it seems to me that both the local zone and the global zone
should be able to export it (or not export it) independently.
ed
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really nee
Hi Robert,
Excellent point! I think this is a good example of why the same
physical path can't be shared from a zone and the global zone at the
same time. Perhaps excluding any zonepaths from being shared at the
global zone is desirable if the nfs switch for that zone is turned on?
Octave
--- Ro
Nicolas Williams wrote:
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then alon
Robert Gordon wrote:
On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
this all makes logical sense to me.
i would refine your second point though because it doesn't take into
account lofs mounts.
ex, if i have /export/foo in the global zone and then in zonecfg i
configure a "filesyste
On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
> There may be a conflicting security requirement here. Let's say
> I'm SA of the zone and i have exported /export/foo with krb5i
> (since my foo really needs tight security :) ) to a limited
> set of clients. Then along comes Mr Global S
On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
On Wed, Feb 14, 2007 at 08:26:48PM +0100, Menno Lageman wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zon
Trusted Extensions already includes this functionality, although the
implementation is not exactly what is being requested in this thread. In
the case of Trusted Extensions, the global zone administrator determines
which labeled zone directories may be exported via NFS. There is unique
dfstab fi
On Wed, Feb 14, 2007 at 07:30:05PM +, Darren J Moffat wrote:
> and also that the NFSMAPID_DOMAIN may be different for each zone.
> and all security modes are available to all zones, in particular each
> zone that is an NFS server may be in a different Kerberos REALM.
IMO these reasons alone ar
On Wed, Feb 14, 2007 at 01:11:06PM -0600, Robert Gordon wrote:
> so lets say /export/z1 is the root of zone1; and it contains a directory
> that is called export. Zone1 exports its /export, which is in reality
> the global zone's /export/z1/export.
>
> I'm asserting that the global zone will not b
Menno Lageman wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
nor would that namespace be re-exported within another NFS Server zo
Robert Gordon wrote:
...
I'd even go further and say that any user
in the global zone would not have access to /export/z1.
...
This is already the case. The mode on the final zonepath
directory must be 700. This is set when zoneadm installs
the zone and verified when you do normal zone admini
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
nor would that namespace be re-exported within another NFS Server zone
instance ?
I have
On Feb 14, 2007, at 12:47 PM, Jeff Victor wrote:
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
Unless I misunderstand you, we have no
Robert Gordon wrote:
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
Unless I misunderstand you, we have no choice - the global zone's namespace is
separate fro
So could we all agree that:
An NFS Server in a zone means that the namespace it exports is restricted
to that zone only. By that i mean no global zone access to that namespace,
nor would that namespace be re-exported within another NFS Server zone
instance ?
btw: Team NFS is acutely a
>
> However, I think there's a need to take a few steps back...
>
> The requirements you list are things that seem to me to be: once we
> have decided that we want an NFS server in a zone, these are important
> things that should be true of the delivered product.
>
> But I'm not yet se
Calum Mackay wrote:
hi Octave, thanks much for the comments.
scrap projects. Probably the most common idea for having a zone NFS
server is for Jumpstart or home directories. As things stand today,
it's not doable.
Right, but these things are easily done (of course) using a server in
the glo