Robert Gordon wrote:
> It seems to me that both the local zone and the global zone
> should be able to export it (or not export it) independently.
> There may be a conflicting security requirement here. Let's say
> I'm SA of the zone and I have exported /export/foo with krb5i
> (since my foo really needs tight security :) ) to a limited
> set of clients. Then along comes Mr Global SA and exports it
> with auth_sys to any old NFS client.
> Seems like that might be an issue?

Exactly why this should not be allowed. Only a single NFS server should
ever be exporting a given local file system. Even if it isn't krb5 vs
sys it could be two different krb5 realms and different NFSMAPID_DOMAINS.
It can be either the global or local zone but not both at the same time.
If a zone has been delegated the ability to be an NFS server (which IMO
should NOT be the default - just like today with IP stack instances)
then the global zone must not be able to share out the zone's filesystems.
Darren J Moffat
zones-discuss mailing list