Jim Klimov wrote:
Hello SunRay-Users,

  After answering on this list and personally to some colleagues
for several times the mantra "SRSS shouldn't work in a local zone
because [a number of reasons goes here]", I got myself wondering:
why not? SSGD for example has some capabilities in a local zone
(afaik only drive mapping is missing due to NFS server issues).

  So I ask the question I repelled so many times - is there some
substantial reason that keeps SRSS from being supported in a local
zone?

Device creation is a big reason - perhaps the major one.

Most of our users aren't interested in running in environments where devices are unavailable - they might as well be using VNC for such situations...

You can have it both ways. I sometimes run x11vnc within my Sun Ray session and access it remotely via vncviewer when I'm in a pinch. That's particularly valuable for demos/remote presos ('x11vnc -many -shared -viewonly' on the server, 'vncviewer UseLocalCursor=0 <server>' on the clients). You can drop "-viewonly" to obtain a useful collaboration session for something like trouble-shooting (e.g. giving root access to somebody while you "look over their shoulder"), as long as all parties are well-behaved regarding "who's driving" :)

There are also significant security issues if SRSS is running as non-root - how can it protect the session-ids or CALLBACK_COOKIEs currently published in /var/opt/SUNWut/displays/*? Any services can join and do all sorts of things in the session environment if they know the session-id. If somebody knows your session-id and CALLBACK_COOKIE, they can redirect your Sun Ray to a different server. They can even spoof your user-id to create a logged in session in certain environments if they have that information. It's very sensitive info, and therefore well-protected in SRSS, but we require root privs to do so.

-Bob

And is it technically possible (in anyone's experience) to
get it running in a zone?

  For example, we have a number of software engineers who can be
given their own working environments as Solaris zones with their
favorite Java IDEs installed, with different versions of Python
or Perl, etc. - whatever they need customized.

  They don't need USB stick support, nor sound emulation - only
the graphical desktop. Even the DHCP/BOOTP services can be hosted
elsewhere (including a global zone).

  Instead of Xnest'ing or using XDMCP to log into their zones,
or logging in to global zone and zlogin'ing, or SSHing to their
zone and using "export DISPLAY", these software engineers would
just utswitch to their zone's SRSS (i.e. via smartcard binding
Kiosk scripts) and have the more optimal graphics stack, etc.
Unlike working in a global zone, they would be roots if needed
in terms of software management or RBAC, but won't be capable
of breaking anything in networking or hardware setup.


_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users