James Carlson wrote:
I would like to have users on a zone, but we use pidentd to control some network connections.
It seems that pidentd does not work on zones as it can't open kmem.

Is there any way to make it work ?

Essentially, no.

Opening /dev/kmem in the zone wouldn't be a good thing to do --
there's only one kernel, and that would break the security model.
Besides, everything visible via /dev/kmem is just an implementation
artifact; anything that depends on it hasn't been designed correctly
and may fail at any time as the internal kernel code evolves.

The right thing to do is to create a set of stable interfaces to get
PID lists for sockets.  We don't currently have such a thing in
Solaris, but it looks like this is something that other programs (such
as lsof) need.

One might be able to build an approximation using what is in the recent MIB additions in Nevada (and coming to S10U4) which are in <inet/mib2.h>:
        (and tcp6, udp6 variants)

It would be an approximation since it doesn't handle the case when a socket is handed from one process to another, nor sockets that are used by multiple processes.

Note that netstat doesn't display the above.
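The approximation described above, worked through as an added example (not pidentd's code and not the Solaris MIB2 interface): an ident responder that answers RFC 1413 queries from a connection table which records only the process that created each TCP connection. The table layout, the creating-pid field name and the pid-to-user map are constructed stand-ins (on Solaris the last would be read from /proc/<pid>/psinfo); the point is how to fail closed when the creator is gone, which is the case the post says the MIB data cannot handle.

```python
"""Ident (RFC 1413) lookup over a MIB-style connection table that knows only
the *creating* process of each connection.  Added example, not pidentd code
and not the Solaris MIB2 API; table layout and pid->user map are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEntry:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    creator_pid: int   # assumed field: pid that created the socket, not who holds it now


# Constructed sample table standing in for the kernel's TCP connection MIB.
CONN_TABLE = [
    ConnEntry("10.0.0.5", 22, "10.0.0.9", 51234, creator_pid=1201),
    ConnEntry("10.0.0.5", 25, "10.0.0.7", 40001, creator_pid=1900),  # creator has exited
    ConnEntry("10.0.0.5", 8080, "10.0.0.9", 51300, creator_pid=2310),
]

# Constructed pid -> (uid, username) map; stand-in for reading /proc/<pid>/psinfo.
PROC_OWNERS = {
    1201: (0, "root"),
    2310: (1001, "alice"),
}


def parse_ident_request(line):
    """Parse 'server-port , client-port' per RFC 1413; return (lport, rport) or None."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        lport, rport = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return None
    return lport, rport


def lookup_owner(table, proc_owners, lport, rport, remote_addr):
    """Return (status, username).  Fails closed whenever the table cannot say
    who holds the socket *now*, as opposed to who created it."""
    matches = [e for e in table
               if e.local_port == lport and e.remote_port == rport
               and e.remote_addr == remote_addr]
    if not matches:
        return "NO-USER", None
    if len(matches) > 1:
        # Two entries for one 4-tuple should not happen; refuse rather than guess.
        return "UNKNOWN-ERROR", None
    owner = proc_owners.get(matches[0].creator_pid)
    if owner is None:
        # Creating process is gone: the socket was handed to another process
        # (inherited across fork/exec, or passed over a Unix-domain socket).
        # The MIB cannot say who holds it now, so do not vouch for anyone.
        return "UNKNOWN-ERROR", None
    return "USERID", owner[1]


def ident_response(request_line, remote_addr, table=CONN_TABLE, proc_owners=PROC_OWNERS):
    """Build the RFC 1413 reply line for one request received from remote_addr."""
    parsed = parse_ident_request(request_line)
    if parsed is None:
        return f"{request_line.strip()} : ERROR : INVALID-PORT"
    lport, rport = parsed
    status, user = lookup_owner(table, proc_owners, lport, rport, remote_addr)
    if status == "USERID":
        return f"{lport} , {rport} : USERID : UNIX : {user}"
    return f"{lport} , {rport} : ERROR : {status}"


if __name__ == "__main__":
    for req, peer in [("22 , 51234", "10.0.0.9"), ("25 , 40001", "10.0.0.7"),
                      ("8080 , 51300", "10.0.0.9"), ("8080 , 51300", "10.0.0.99"),
                      ("abc", "10.0.0.9")]:
        print(ident_response(req, peer))
```

The second table entry is the case the post warns about: the connection still exists but its creator (pid 1900) has exited, so the responder returns UNKNOWN-ERROR instead of naming a user. A real pidentd would also want to match the local address and to consult the UDP table for the udp variants; neither changes the shape of the lookup.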


zones-discuss mailing list
