On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:

On Wed, Feb 14, 2007 at 08:26:48PM +0100, Menno Lageman wrote:
Robert Gordon wrote:

So could we all agree that:

An NFS Server in a zone means that the namespace it exports is restricted
to that zone only.  By that i mean no global zone access to that
namespace,
nor would that namespace be re-exported within another NFS Server zone
instance ?

I have some trouble parsing that, but my perception of the desired
behaviour is:
- a zone can only export resources that are within that zone (i.e.
everything below its zonepath),
- a resource exported from a zone, may not at the same time be exported
from the global zone; i.e. if zone a exports /export/foo then
/zones/a/root/export/foo may not be exported by the global zone
- zone A and zone B may both export their own /export/foo since those
are two distinct resources.


this all makes logical sense to me.

i would refine your second point though because it doesn't take into
account lofs mounts.

ex,  if i have /export/foo in the global zone and then in zonecfg i
configure a "filesystem" resource such that this directory is also
lofs mounted in the zone at /export/foo, then who should be able
to export the filesystem?

it seems to me that both the local zone and the global zone
should be able to export it (or not export it) independently.

ed

There may be a conflicting security requirement here. Let's say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA and exports it
with auth_sys to any old nfs client..

seems like that might be an issue ?

Robert.
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
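
Added example, not part of the thread and not Solaris code: a small audit check for the conflict raised in the last message, resolving each zone's export to the global-zone directory that backs it (through the zonepath or a lofs mount) and reporting directories exported with flavors of different strength. The function names, the input layout, the flavor ordering and the sample data are assumptions made for illustration, and only exact matches on the backing directory are compared.

```python
from collections import defaultdict
from posixpath import normpath

# Assumed strength ordering of the flavors named in the thread (weakest first).
STRENGTH = {"auth_sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

def backing_path(zone, path, zonepaths, lofs):
    """Map a path as seen inside `zone` to the global-zone path backing it."""
    path = normpath(path)
    if zone == "global":
        return path
    # A lofs mount redirects to its global source; longest mount point wins.
    mounts = sorted(lofs.get(zone, {}).items(), key=lambda kv: -len(kv[0]))
    for mnt, src in mounts:
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            return normpath(src + "/" + path[len(mnt):])
    # Otherwise the data lives under the zone's root in the global zone.
    return normpath(zonepaths[zone] + "/root" + path)

def flavor_conflicts(exports, zonepaths, lofs):
    """Return (global_path, weakest, strongest, zones) for every backing
    directory that is exported with flavors of different strength."""
    by_path = defaultdict(list)
    for zone, path, flavor in exports:
        gpath = backing_path(zone, path, zonepaths, lofs)
        by_path[gpath].append((zone, flavor))
    found = []
    for gpath, entries in sorted(by_path.items()):
        flavors = sorted({f for _, f in entries}, key=STRENGTH.__getitem__)
        if len(flavors) > 1:
            zones = sorted({z for z, _ in entries})
            found.append((gpath, flavors[0], flavors[-1], zones))
    return found

# Constructed sample: zone a has the global /export/foo lofs mounted at
# /export/foo; zone b has its own, distinct /export/foo.
ZONEPATHS = {"a": "/zones/a", "b": "/zones/b"}
LOFS = {"a": {"/export/foo": "/export/foo"}}
EXPORTS = [
    ("a", "/export/foo", "krb5i"),          # zone SA: integrity-protected
    ("global", "/export/foo", "auth_sys"),  # global SA: same data, weaker
    ("b", "/export/foo", "krb5i"),          # different backing directory
]

if __name__ == "__main__":
    for gpath, weak, strong, zones in flavor_conflicts(EXPORTS, ZONEPATHS, LOFS):
        print(f"{gpath}: {weak} vs {strong}, exported from {', '.join(zones)}")
```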
