Nicolas Williams wrote:
What about the case where the customer wants to administer the zone they
and they do not want the global zone admins to have local access to
I'd even go further and say that any user
in the global zone would not have access to /export/z1. [...]
But if we resolve loopback NFS mount issues then any zone could access
any other zone's NFS shares provided they have logical or physical
connectivity between them. So why not allow global zone access then,
mediated, perhaps, by NFSv4-style ID mapping?
I'd say make it simple - in order to get access, you must be able to
mount the export and abide both by the share level machine access rules
and either the (NFSv3) or ID mapping (NFSv4) rules.
Let the owner of the zone explicitly control the access to their data.
zones-discuss mailing list