--On Tuesday, January 27, 2009 04:46:53 PM -0800 Jan Parcel <jan.parcel at sun.com> wrote:
>
>> That said, I can't think of any better answers, short of loopback
>> mounting all of /etc into each zone in some alternate location, and
>> then making /etc/passwd and /etc/shadow (and maybe other things) be
>> symlinks. Of course, you'd want to remove /usr/bin/passwd in that
>> case, but that's a good idea anyway, for reasons you already described.
>
> How would we get around the fact that the global zone /etc might have
> information we do not want the local zones to have?
>
> ike keys, ipsec information, possibly some hostnames and addresses,
> configuration in /etc/dt, apache configuration, lots of things come to
> mind.

I didn't say that was a good answer, only that I couldn't think of
anything better.

Oh, hm, but I can - punt on having a passwd file in the local zones at
all, and instead handle passwd/shadow lookups via a door call to the
global zone. This could be handled by an NSS backend used in place of
the usual files backend, and could use either a dedicated server that
looks only in /etc/passwd, or just call the global zone nscd.

-- Jeff