Hi Robert, Excellent point! I think this is a good example of why the same physical path can't be shared from a zone and the global zone at the same time. Perhaps excluding any zonepaths from being shared at the global zone is desirable if the nfs switch for that zone is turned on?
Octave --- Robert Gordon <[EMAIL PROTECTED]> wrote: > > On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote: > > > On Wed, Feb 14, 2007 at 08:26:48PM +0100, Menno Lageman wrote: > >> Robert Gordon wrote: > >>> > >>> So could we all agree that: > >>> > >>> An NFS Server in a zone means that the namespace it exports is > >>> restricted > >>> to that zone only. By that i mean no global zone access to that > >>> namespace, > >>> nor would that namespace be re-exported within another NFS Server > > >>> zone > >>> instance ? > >> > >> I have some trouble parsing that, but my perception of the desired > >> behaviour is: > >> - a zone can only export resources that are within that zone (i.e. > >> everything below it's zonepath), > >> - a resource exported from a zone, may not at the same time be > >> exported > >> from the global zone; i.e. if zone a exports /export/foo then > >> /zones/a/root/export/foo may not be exported by the global zone) > >> - zone A and zone B may both export their own /export/foo since > those > >> are two distinct resources. > >> > > > > this all makes logical sense to me. > > > > i would refine your second point though because it doesn't take > into > > account lofs mounts. > > > > ex, if i have /export/foo in the global zone and then in zonecfg i > > configure a "filesystem" resource such that this directory is also > > lofs mounted in the zone at /export/foo, then who should be able > > to export the filesystem? > > > > it seems to me that both the local zone and the global zone > > should be able to export it (or not export it) independantly. > > > > ed > > There maybe a conflicting security requirement here. Lets say > I'm SA of the zone and i have exported /export/foo with krb5i > (since my foo really needs tight security :) ) to a limited > set of clients. Then along comes Mr Global SA and exports it > with auth_sys to any old nfs client.. > > seems like that might be an issue ? > > Robert. > _______________________________________________ > zones-discuss mailing list > zones-discuss@opensolaris.org > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Octave J. Orgeron Solaris Systems Engineer http://www.opensolaris.org/os/community/sysadmin/ http://unixconsole.blogspot.com [EMAIL PROTECTED] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ____________________________________________________________________________________ The fish are biting. Get more visitors on your site using Yahoo! Search Marketing. http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php _______________________________________________ zones-discuss mailing list zones-discuss@opensolaris.org
