On Tue 17 Apr 2007 at 09:22PM, Mike Gerdts wrote:
> Surely I am missing something else. What is it? Any interesting
> complications with patching and/or live upgrade?
Setting aside patching and live upgrade...
The key thing here is to try to wrap your head around what I think of as
"NFS identity conflict".
Because zones look to the outside world like separate hosts, the
solution suggested creates an identity crisis-- is traffic from the
zone's "/" coming from the global zone? Or the non-global zone? NFSv4
complicates this, as well, because of the way it uses credentials (I
think unlike V3 which just uses UIDs, v4 has the idea of mapping an
identity into your local UID-space-- hence nfsmapid(1m)) and so when
your zone is in a different name service domain, this won't work at all.
We go to some lengths to prevent the problems which can arise from
this problem today: processes which try to zone_enter(2) are examined to
see if they have any NFS backed pages (see the kernel routine
files_can_change_zones()). If so, the zone_enter(2) will fail.
So: if you can figure out a way to get a zone to mount its "/" *for
itself* (so that identity is preserved) before it is really booted, and
then boot it up, you'd have this mostly solved, I think. I don't
have a clear idea of how to make that happen at the moment.
This *is* a priority, but at this moment it is not our top priority.
It is my hope that we will have some solution for this into Nevada
in 2007. If folks from the community would like to take a swing
at solving this, I think Jerry, Steve, Ed and I would try to be as
supportive as possible.
Daniel Price - Solaris Kernel Engineering - [EMAIL PROTECTED] - blogs.sun.com/dp
zones-discuss mailing list
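As an added illustration (not code from the post, and not the Solaris kernel's files_can_change_zones()), here is a userland model of the check Dan describes: every file-backed mapping of a process is resolved to its mount, and the zone change is refused if any of them sits on NFS. The mapping and mount table lines are constructed, and their Linux-style /proc/<pid>/maps and /proc/mounts layout is an assumption chosen for readability; pmap(1) output on Solaris looks different.

```python
"""Model of the "no NFS-backed pages before zone_enter(2)" rule.
Added example; input formats are assumed, sample lines are constructed."""
from typing import List, Tuple

NFS_TYPES = {"nfs", "nfs4"}

# Constructed mount table: an NFS mount with a local filesystem nested inside it.
SAMPLE_MOUNTS = [
    "rootfs / ufs rw 0 0",
    "fileserver:/export/tools /net/tools nfs4 rw 0 0",
    "/dev/dsk/c0d0s7 /net/tools/local ufs rw 0 0",
]

# Constructed mappings of one process (Linux /proc/<pid>/maps layout assumed).
SAMPLE_MAPS = [
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/prog",
    "7f0000000000-7f0000021000 rw-p 00000000 00:00 0",
    "7f0000100000-7f0000200000 r--p 00000000 00:2a 77 /net/tools/lib/libfoo.so",
    "7f0000300000-7f0000400000 r--p 00000000 08:01 99 /net/tools/local/libbar.so",
    "7f0000500000-7f0000501000 r--p 00000000 00:00 0 [vdso]",
    "7f0000600000-7f0000610000 rw-p 00000000 00:2a 78 /net/tools/tmp/scratch (deleted)",
]


def parse_mounts(lines: List[str]) -> List[Tuple[str, str]]:
    """(mount_point, fstype) pairs, longest mount point first so that the
    most specific (nested) mount wins the prefix match."""
    mounts = [(f[1], f[2]) for f in (l.split() for l in lines) if len(f) >= 3]
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)


def mount_for(path: str, mounts: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Resolve a path to the mount that serves it ("/" always matches last)."""
    for mp, fstype in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            return mp, fstype
    return "/", "unknown"


def nfs_backed_mappings(maps_lines: List[str], mounts: List[Tuple[str, str]]) -> List[str]:
    """Paths of file-backed mappings that live on an NFS mount.
    Anonymous regions and pseudo-entries such as [vdso] have no file behind
    them; an unlinked-but-mapped file still counts, so '(deleted)' is kept."""
    hits = []
    for line in maps_lines:
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue
        path = fields[5].strip().removesuffix(" (deleted)")
        if mount_for(path, mounts)[1] in NFS_TYPES:
            hits.append(path)
    return hits


def can_change_zones(maps_lines: List[str], mounts_lines: List[str]) -> Tuple[bool, List[str]]:
    """True when no mapping is NFS-backed; otherwise False plus the offenders."""
    hits = nfs_backed_mappings(maps_lines, parse_mounts(mounts_lines))
    return (len(hits) == 0, hits)
```

Running it on the constructed input refuses the zone change because of the two mappings under /net/tools, while /net/tools/local/libbar.so is correctly attributed to the nested local mount and ignored.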