On Thu, Oct 30, 2008 at 10:04:00AM -0500, Nicolas Williams wrote:
> On Thu, Oct 30, 2008 at 01:52:15AM -0700, Tony Nguyen wrote:
> > In absence of Enhanced Profiles, however, I'm very curious how NWAM will
> > implement switching of profiles and locations, w.r.t SMF properties. Are 
> > user's customizations (service's enabled state and property values) 
> > preserved when profiles and locations deliver different values?
> 
> Right, but...
> 
> > >The question is: is it reasonable to deliver NWAM locations *before*
> > >delivering Enhanced SMF Profiles.  Without the host-based firewall in
> > >the picture I'd say "yes, but it's asking for trouble."  With the
> > >host-based firewall in the picture I'd say "trouble's here."  :(
> > >  
> > As Renee described in an earlier email, we can configure location 
> > specific IPfilter rules as services' firewall configurations and apply 
> > those firewall configurations (change services' firewall properties) when
> > a location is activated. This is equivalent to applying a profile, 
> > setting enable state of services. Do you still see troubles?
> 
> ...as long as you have a plan to move away from pre-Enhanced SMF
> Profiles per-{FMRI, location} filters, I see no trouble.
> 
> To me that means:
> 
>  - NWAM locations -> Enhanced SMF Profiles
>     - make sure nothing in the various interfaces prevents this

It is absolutely our intention to make NWAM locations instances of
Enhanced SMF Profiles, when that's possible.  Until then, an NWAM
location is a set of configuration variables.  Some (most, actually)
of these are values for SMF service properties; those will be applied
by updating the service property values and restarting or refreshing
(or enabling or disabling) the appropriate services.

For more details, refer to
http://www.opensolaris.org/os/project/nwam/p1spec/Location_Spec/

Note that this has not been updated to take into account the host-based
firewall, but it should give you an idea of how locations are meant to
work.

-renee

>  - don't expose location-based naming of firewall rule properties
>    (see previous bullet point)
> 
> Nico
> -- 
