On Tue 17 Apr 2007 at 09:22PM, Mike Gerdts wrote:
>
> Surely I am missing something else. What is it? Any interesting
> complications with patching and/or live upgrade?

Setting aside patching and live upgrade...

The key thing here is to try to wrap your head around what I think of as "NFS identity conflict". Because zones look to the outside world like separate hosts, the solution suggested creates an identity crisis-- is traffic from the zone's "/" coming from the global zone? Or the non-global zone?

NFSv4 complicates this, as well, because of the way it uses credentials (I think unlike V3 which just uses UIDs, v4 has the idea of mapping an identity into your local UID-space-- hence nfsmapid(1m)) and so when your zone is in a different name service domain, this won't work at all.

We go to some lengths to prevent the problems which can arise from this problem today: processes which try to zone_enter(2) are examined to see if they have any NFS backed pages (see the kernel routine files_can_change_zones()). If so, the zone_enter(2) will fail.

So: if you can figure out a way to get a zone to mount its "/" *for itself* (so that identity is preserved) before it is really booted, and then boot it up, you'd have this mostly solved, I think. I don't have a clear idea of how to make that happen at the moment.

This *is* a priority, but at this moment it is not our top priority. It is my hope that we will have some solution for this into Nevada in 2007. If folks from the community would like to take a swing at solving this, I think Jerry, Steve, Ed and I would try to be as supportive as possible.

-dp

--
Daniel Price - Solaris Kernel Engineering - [EMAIL PROTECTED] - blogs.sun.com/dp
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org