Thanks for the feedback. The link was supposed to link to
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools.
(Pasting it in from pocket hid the getpocket link)
I tried updating the VM with a number of different privileges, but with no
success. sys_config, for example, fails stating invalid privilege:

vmadm update f62ecc2d-825f-4df9-b5e1-e95207831d52 limit_priv=default,sys_config
Command failed: On line 1 of /tmp/zonecfg.58411.tmp:
f62ecc2d-825f-4df9-b5e1-e95207831d52: invalid privilege

sys_admin works but doesn’t have any effect.
http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/6mhahup91/index.html
mentions that sys_config etc. are not allowed in zones in Solaris. Sadly I
don’t know how to see which privilege is being denied. Maybe if somebody could
tell me that, I could proceed without guessing.

From: Robert Mustacchi
Sent: Friday, January 6, 2017 20:26
To: [email protected]
Subject: Re: [smartos-discuss] lofiadm / zpool create inside a zone
On 1/6/17 0:54 , Matthias Goetzke wrote:
>
> Does anyone here know whether it's possible to create a zpool on top of
> lofiadm / mkfile inside a SmartOS and/or LX zone?
>
> Basically I am looking at something similar to this:
> https://getpocket.com/a/read/141369096 . I get the first steps working but a
> normal zone root user does not have permission to create a new pool (even if
> it is just a local one). Can I give permission? If yes, what security risks
> would this expose?
>
> mkdir szpools
> cd szpools
> mkfile 1g szpool_1 szpool_2
>
> lofiadm -c aes-256-cbc -a szpools/szpool_1
> Enter passphrase:
> Re-enter passphrase:
> /dev/lofi/1
>
> lofiadm -c aes-256-cbc -a szpools/szpool_2
> Enter passphrase:
> Re-enter passphrase:
> /dev/lofi/2
>
> zpool create szpool raid-z2 /dev/lofi/1 /dev/lofi/2

Unfortunately your Pocket link doesn't seem to work without using Pocket
itself, so I'm not sure what the article is.

In general, the security issues are around the fact that ZFS trusts the
disks and doesn't really handle validly checksummed, but bogus data on
disks that well. As such, you could likely manipulate these virtual
disks to panic the system or probably worse. I would just ask: do you
trust the stuff in the zone like you do the GZ?

I think you should be able to give the zone the appropriate privileges.
You'll need to grant the SYS_CONFIG privilege at least. You'll want to
review http://illumos.org/man/5/privileges for more information on what
else that grants.
Robert