Sorry, I meant this: http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools (when inserting the link in the email client, it did not show the underlying link without hovering on it)
Thanks for the tip with the privileges, will have a look. I do trust the zones since they are also built and managed by us. They contain application servers with only our code. For security-conscious clients we could offer local encryption of data with encrypted sync if we hosted the customer's data inside encrypted files. Mirroring would not even be strictly necessary of course.

From: Robert Mustacchi
Sent: Friday, 6 January 2017 20:26
To: [email protected]
Subject: Re: [smartos-discuss] lofiadm / zpool create inside a zone

On 1/6/17 0:54 , Matthias Goetzke wrote:
>
> Does anyone here know whether it's possible to create a zpool on top of
> lofiadm / mkfile inside a smartos and/or LX zone ?
>
> Basically I am looking at something similar to this:
> https://getpocket.com/a/read/141369096 . I get the first steps working but a
> normal zone root user does not have permission to create a new pool (even if
> it is just a local one). Can I give permission ? If yes what security risks
> would this expose ?
> mkdir szpools
> cd szpools
> mkfile 1g szpool_1 szpool_2
>
> lofiadm -c aes-256-cbc -a szpools/szpool_1
> Enter passphrase:
> Re-enter passphrase:
> /dev/lofi/1
>
> lofiadm -c aes-256-cbc -a szpools/szpool_2
> Enter passphrase:
> Re-enter passphrase:
> /dev/lofi/2
>
> zpool create szpool raid-z2 /dev/lofi/1 /dev/lofi/2

Unfortunately your pocket link doesn't seem to work without using pocket itself, so I'm not sure what the article is.

In general, the security issues are around the fact that ZFS trusts the disks and doesn't really handle validly checksummed, but bogus data on disks that well. As such, you could likely manipulate these virtual disks to panic the system or probably worse. I would just ask: do you trust the stuff in the zone like you do the GZ?

I think you should be able to give the zone the appropriate privileges. You'll need to grant the SYS_CONFIG privilege at least.
You'll want to review http://illumos.org/man/5/privileges for more information on what else that grants.

Robert
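
Since the reply above ties granting SYS_CONFIG to how far the zone is trusted, it helps to know which zones already hold that privilege. The following is an added example, not part of the original thread: it audits zone records for the privilege, assuming each record carries a zonecfg-style privilege string. The field names (`uuid`, `alias`, `limit_priv`), the treatment of a missing field as the default set, and the sample records are assumptions.

```python
import json

# Privilege named in the thread; add others to match local policy.
WATCHED = {"sys_config"}

def granted(limit_priv, watched=WATCHED):
    """Return the watched privileges a limitpriv-style string grants.

    Tokens are comma separated; a leading '-' or '!' removes a privilege,
    and the keyword 'all' grants every privilege. Names are compared
    case-insensitively, so SYS_CONFIG and sys_config match.
    """
    added, removed, has_all = set(), set(), False
    for raw in limit_priv.split(","):
        tok = raw.strip().lower()
        if not tok:
            continue
        if tok[0] in "-!":
            removed.add(tok[1:])
        elif tok == "all":
            has_all = True
        else:
            added.add(tok)
    base = set(watched) if has_all else added & set(watched)
    return sorted(base - removed)

def audit(vms_json):
    """Map zone UUID -> watched privileges, for zones that hold any."""
    findings = {}
    for vm in json.loads(vms_json):
        # Assumption: a zone without limit_priv runs with the default set.
        privs = granted(vm.get("limit_priv", "default"))
        if privs:
            findings[vm["uuid"]] = privs
    return findings

# Constructed sample zone records; the UUIDs and aliases are made up.
SAMPLE = """[
 {"uuid": "00000000-0000-0000-0000-000000000001", "alias": "app1", "limit_priv": "default"},
 {"uuid": "00000000-0000-0000-0000-000000000002", "alias": "sync", "limit_priv": "default,SYS_CONFIG"},
 {"uuid": "00000000-0000-0000-0000-000000000003", "alias": "lab", "limit_priv": "all,-sys_config"},
 {"uuid": "00000000-0000-0000-0000-000000000004", "alias": "old"}
]"""

if __name__ == "__main__":
    for uuid, privs in audit(SAMPLE).items():
        print(uuid, ",".join(privs))
```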
