Re: [zones-discuss] Recommendations for utilizing global zones

2007-02-14 Thread John Clingan
In addition, if you can, run that ssh service in the global zone on an interface 
on an "admin network".  I try to give the global zone an interface on the admin 
network only, with public interfaces reserved for non-global zones.

John Clingan
Sun Microsystems

Sent from mobile phone.

-Original Message-

From:  Brad Diggs <[EMAIL PROTECTED]>
Subj:  Re: [zones-discuss] Recommendations for utilizing global zones
Date:  Wed Feb 14, 2007 2:10 pm
Size:  2K
To:  Brad Bowling <[EMAIL PROTECTED]>
cc:  zones-discuss@opensolaris.org

The biggest problem with running a service in the global zone is 
that if compromised, it may be used to get privileged access to the
non-global zones as well.

IMHO if you plan to deploy non-global zones you are best off (from a
security perspective) to run only the minimum necessary services (ssh) 
and install only the minimum number of software packages in the global
zone.  My global zone typically only runs ssh and has less than 200
packages.  If a non-global zone requires SUNW packages, then I make 
the non-global zone a whole root zone (e.g. don't read-only
mount/inherit /usr, /lib, /sbin, and /platform from the global zone).
Otherwise I just create sparse root zones.

The biggest problem with this methodology is that you have to manually
determine the package dependencies when installing SUNW packages in
your non-global zone.  One day Sun will resolve this issue and get 
package dependencies automagically resolved like apt/yum/pkg-get works
today.  Until then it's still a manual process.

Having said that, the software/service that you may want to run may 
be available via the Blastwave package repository.  In that case
install a sparse zone and use pkg-get to install the desired software
from blastwave.org.   On this topic, I have made it very convenient
in the Zone Manager to install any Blastwave package with -G 
when creating or modifying a non-global zone.  

For example, you can create and install a sparse root non-global 
zone called z1 and install mysql5 from Blastwave with the following
command:

# zonemgr -a add -n z1 -z /zones -P pw \
   -I "192.168.0.10|hme0|24|z1" -G mysql5 \
   -C /etc/nsswitch.conf -C /etc/resolv.conf

More info on the Zone Manager available here:
http://opensolaris.org/os/project/zonemgr/

Regards,
Brad

On Wed, 2007-02-14 at 12:36 -0800, Brad Bowling wrote:
> Are there any pros/cons to using a global zone to host a service/app
> just as you do on the local zones (i.e. the global zone serves as just
> another host with the added responsibility of managing local zones)?
> Are there any pros/cons to using the global zone only as an
> administrative zone, serving no other purpose but to manage local
> zones?
> ___
> zones-discuss mailing list
> zones-discuss@opensolaris.org

___
zones-discuss mailing list
zones-discuss@opensolaris.org
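As an added illustration of the two pieces of advice above (it is not code from either poster or from the Zone Manager project), the script below generates a zonecfg(1M) command file for either a sparse root zone that inherits /usr, /lib, /sbin and /platform read-only from the global zone or a whole root zone that inherits nothing, and audits a constructed sample of global-zone service output for online network services other than ssh. The zone path, addresses and the sample service list are assumptions.

```shell
#!/bin/sh
# Emit a zonecfg(1M) command file on stdout. On a Solaris 10 host it would be
# fed to "zonecfg -z <zone> -f -"; here it is only generated.
# usage: gen_zonecfg ZONEPATH sparse|whole IP/PREFIX NIC
gen_zonecfg() {
    zpath=$1; kind=$2; addr=$3; nic=$4
    case "$kind" in sparse|whole) ;; *) echo "bad kind: $kind" >&2; return 1;; esac
    # "create -b" starts from a blank config: nothing is inherited unless listed
    printf 'create -b\nset zonepath=%s\nset autoboot=true\n' "$zpath"
    if [ "$kind" = sparse ]; then
        # Sparse root: the global zone's system directories are read-only in the zone
        for d in /lib /platform /sbin /usr; do
            printf 'add inherit-pkg-dir\nset dir=%s\nend\n' "$d"
        done
    fi
    # The public NIC belongs to the non-global zone; the global zone keeps the admin NIC
    printf 'add net\nset address=%s\nset physical=%s\nend\ncommit\n' "$addr" "$nic"
}

# Count inherit-pkg-dir entries in a generated config (4 = sparse, 0 = whole root).
inherit_count() {
    grep -c '^add inherit-pkg-dir$' || true
}

# Constructed sample of "svcs -o state,fmri" output from a global zone (not real data).
SAMPLE_SVCS='online svc:/network/ssh:default
online svc:/system/filesystem/local:default
online svc:/network/http:apache2
disabled svc:/network/telnet:default'

# Print online network services other than ssh; each one listed is a candidate
# to disable in the global zone or move into a non-global zone.
unexpected_online() {
    awk '$1 == "online" && $2 ~ /^svc:\/network\// && $2 !~ /\/ssh:/ { print $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    gen_zonecfg /zones/z1 sparse 192.168.0.10/24 hme0
    printf '%s\n' "$SAMPLE_SVCS" | unexpected_online
fi
```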
