On Sat, Dec 19, 2009 at 1:35 PM, Jim Klimov <jimkli...@cos.ru> wrote:
> I'm looking forward to implementing Sun VDI sometime when 3.1.1 with
> COMSTAR support is released. One important feature of Sun VDI is
> that it can "ssh" into an OpenSolaris storage host as root to manage
> (clone, etc.) ZFS volume datasets which are exported as iSCSI drives
> for VDI virtual machines.

Can it ssh in as someone other than root?  If so, let's go with that.

If it can't, can it ssh in using a specific key?  If so, then a bit of
magic with a command="..." line in authorized_keys and a shell script
that looks at the SSH_* environment variables can be used to do

   su - $someuser -c "<original command sent over ssh>"

>
> To cut it short, I don't want it messing as root with my generic ZFS
> pool in its entirety with all its filesystem datasets. I want to
> constrain it to one branch of the hierarchy (i.e. all datasets under
> "pool/vdi") which in turn I'd like to delegate into a local zone and
> then manage as its local root and serve over iSCSI from this local
> zone.
>
> I have no problem with delegating and managing in the local zone,
> but I wonder if the iSCSI servers can already be run in one? So far
> I found a discussion pointing that as of May 2009 they could not...
>
> If this is still the case, what would the esteemed community
> suggest? I.e. can I delegate management of one ZFS hierarchy and
> iSCSI to an unprivileged user in the global zone? Is that
> trustworthy not to corrupt data in other datasets? :)
>

You can delegate ZFS operations to individual users (such as the
non-root user mentioned above) or groups at a dataset level.  I
haven't tried this with iSCSI, but I would imagine it should work as
well.  I think that this would have pretty much all the benefits of
delegating a dataset to a zone.

http://docs.sun.com/app/docs/doc/817-2271/gfkco?a=view

Alternatively, you could set up RBAC to allow the non-root user I
mentioned above to do operations that you want to allow.  The magical
script called due to the command= directive in authorized_keys can be
useful to filter the commands allowed if RBAC isn't fine enough for
you.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
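
The command= filter suggested in the reply above, as an added example that is not part of the original message or of Sun VDI. It assumes the key is installed for an unprivileged account that holds delegated ZFS permissions on pool/vdi; the script path, the allowed subcommands and the allowed flags are illustrative assumptions.

```shell
#!/bin/sh
# Forced-command filter, installed via an authorized_keys line such as
# (constructed; key material elided):
#   command="/usr/local/sbin/vdi-zfs-filter",no-pty,no-port-forwarding ssh-rsa AAAA... vdi
# sshd ignores the command the client asked for, runs this script instead,
# and passes the request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT="pool/vdi"                       # dataset branch named in the thread
ALLOWED_SUBCMDS="list snapshot clone destroy" # assumption: what the VDI broker needs

# check_command "<requested command>": exit status 0 = allow, 1 = deny
check_command() {
    cmd=$1
    case $cmd in
        ""|*[!A-Za-z0-9\ /_.:@-]*|*..*) return 1 ;;  # empty, metacharacters, ".."
    esac
    set -f; set -- $cmd; set +f               # split on blanks, no globbing
    case $1 in zfs|/usr/sbin/zfs) ;; *) return 1 ;; esac
    case " $ALLOWED_SUBCMDS " in *" ${2:-} "*) ;; *) return 1 ;; esac
    [ $# -ge 3 ] || return 1
    shift 2
    operands=0
    for arg in "$@"; do
        case $arg in
            -r|-H|-p) ;;                      # only these flags (assumption)
            "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*|"$ALLOWED_ROOT"@*)
                operands=$((operands + 1)) ;; # dataset/snapshot inside the branch
            *) return 1 ;;                    # anything else, incl. other datasets
        esac
    done
    [ "$operands" -ge 1 ]
}

# Entry point: only acts when sshd supplied a request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        logger -p auth.info "vdi-zfs-filter: allow: $SSH_ORIGINAL_COMMAND"
        set -f
        exec $SSH_ORIGINAL_COMMAND            # word-split only, never re-parsed by a shell
    fi
    logger -p auth.warning "vdi-zfs-filter: deny: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
fi
```

The filter narrows what the key can ask for; the dataset-level delegation still has to be set on the account itself, so a gap in one control does not expose the rest of the pool.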
