On 1/6/17 0:54 , Matthias Goetzke wrote: > > Does anyone here know whether its possible to create a zpool on top of > lofiadm / mkfile inside a smartos and/or LX zone ? > > Basically I am looking at something similar to this: > https://getpocket.com/a/read/141369096 . I get the first steps working but a > normal zone root user does not have permission to create a new pool (even if > it is just a local one). Can I give permission ? If yes what security risks > would this expose ? > mkdir szpools > cd szpools > mkfile 1g szpool_1 szpool_2 > > lofiadm -c aes-256-cbc -a szpools/szpool_1 > Enter passphrase: > Re-enter passphrase: > /dev/lofi/1 > > lofiadm -c aes-256-cbc -a szpools/szpool_2 > Enter passphrase: > Re-enter passphrase: > /dev/lofi/2 > > zpool create szpool raid-z2 /dev/lofi/1 /dev/lofi/2
Unfortunately your pocket link doesn't seem to work without using pocket itself, so I'm not sure what the article is. In general, the security issues are around the fact that ZFS trusts the disks and doesn't really handle validly checksummed, but bogus data on disks that well. As such, you could likely manipulate these virtual disks to panic the system or probably worse. I would just ask do you trust the stuff in the zone like you do the GZ? I think you should be able to give the zone the appropriate privileges. You'll need to grant the SYS_CONFIG privilege at least. You'll want to review http://illumos.org/man/5/privileges for more information on what else that grants. Robert ------------------------------------------- smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00 Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb Powered by Listbox: http://www.listbox.com
