Darren Reed wrote:
>> With the introduction of TX there is a type of Solaris Zone even 
>> lighter weight than the default sparse root one.
> 
> 
> I need to do some reading and experimenting when S10U3 becomes available.

You don't need to wait for S10u3 at all; you can run snv_43 or higher
and play with this now.

>> Maybe I should ask what the real problem you are trying to solve is ?
>> The fact that you mention chroot hints that there is an isolation 
>> requirement, this is something zones are very good at.
> 
> 
> Indeed.  In this case, the task is to completely isolate processes involved
> with talking to the Internet from those that talk to the Intranet.  

That is EXACTLY what Trusted Extensions are designed to do.

You have two labels:  INTRANET, INTERNET and TX will ensure complete
process isolation and network isolation between them.  It will even 
enforce copy/paste between them in the GUI.

In TX a Zone does not need to have its own IP address (but you can if 
you wish).

> Having to
> add an entire zone for the sake of a single process seems like an unfair
> administrative burden.

See TX; the zone admin burden is very different from what Zones were at 
S10 FCS.  The highly recommended way to use TX is to use ZFS and zone 
cloning.  Glenn Faden has just recently posted a zenity(1) based admin 
tool for doing the zone cloning.

-- 
Darren J Moffat
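As an added illustration of the ZFS-plus-zone-cloning workflow described above (this is example code written for this page, not Darren Moffat's or Glenn Faden's tool): one labeled zone is configured and installed with its zonepath on a ZFS dataset, and each further label gets its zone by cloning that installed zone instead of running a full install. The pool name rpool, the mount point /zones and the SUNWtsoldef zonecfg template are assumptions; assigning the INTRANET and INTERNET labels to the zones is a separate step that this script does not perform. With DRYRUN=1 it prints the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original mail: build labeled zones by cloning.
# Assumptions: Solaris with Trusted Extensions (snv_43+ or S10u3), a ZFS
# pool named rpool, zonepaths under /zones, and the SUNWtsoldef zonecfg
# template. Label assignment to each zone is done separately (not shown).
# Usage: DRYRUN=1 sh tx_zones.sh intranet internet

: "${DRYRUN:=0}"
: "${ZPOOL:=rpool}"
: "${ZONEROOT:=/zones}"

# Execute a command, or print it when DRYRUN=1 so the plan can be reviewed
# before touching the system.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@" || return 1
    fi
}

# Dataset that holds every zonepath. Because the parent is ZFS, zoneadm
# can snapshot and clone the installed zone rather than copying files.
prepare_zone_root() {
    run zfs create -o mountpoint="$ZONEROOT" "$ZPOOL/zones"
}

# Configure one zone from the TX template with its zonepath under the
# ZFS root. No net resource is added: in TX a zone need not own an IP.
configure_zone() {
    zone_name=$1
    run zonecfg -z "$zone_name" \
        "create -t SUNWtsoldef; set zonepath=$ZONEROOT/$zone_name; commit"
}

# First argument: the zone that gets a full install. Remaining arguments:
# zones that are configured and then cloned from it (one per label).
build_labeled_zones() {
    source_zone=$1
    shift
    prepare_zone_root
    configure_zone "$source_zone"
    run zoneadm -z "$source_zone" install
    for clone_zone in "$@"; do
        configure_zone "$clone_zone"
        run zoneadm -z "$clone_zone" clone "$source_zone"
    done
}

if [ $# -gt 0 ]; then
    build_labeled_zones "$@"
fi
```

The source zone must be in the installed (not running) state when it is cloned; cloning a zone that is booted fails. Review the dry-run output first, then rerun without DRYRUN to execute it.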
