I posted an earlier reply to zones-discuss, but I didn't copy all of the forums 
in the original posting. I'm doing so now. I am also correcting some errors in 
my earlier reply:

Yes, it is possible to share a zfs dataset that has been added to a labeled 
zone. 

Set the mountpoint property of your dataset zone/data to be within the 
restricted zone's root. For example:

   # zfs set mountpoint=/zone/needtoknow/root/zone/data zone/data

Then you should specify, using zonecfg, that the dataset is associated with the 
zone.

   zonecfg:zone-name> add dataset
   zonecfg:zone-name:dataset> set name=zone/data
   zonecfg:zone-name:dataset> end

I previously stated that you didn't need to specify the dataset via zonecfg, if 
the zone is already running. However, in the general case, you should do so. If 
the dataset is mounted before the zone has been booted, zoneadm will fail to 
boot the zone because its file namespace is not empty.

Then you should be able to share it via NFS, by editing the appropriate dfstab 
file in the global zone. In this case, the dfstab file would be:

  /zone/restricted/etc/dfs/dfstab

When the zone is booted, the dataset will be mounted automatically as a 
read-write mount point in the restricted zone with the correct label.

A few subtle points:

1. Setting the zfs mountpoint property has the side-effect of setting 
its label if the mountpoint corresponds to a labeled zone. Only the global zone 
can do this.

2. The dataset will only be accessible while the restricted zone is ready or 
running. Note that it can be shared (via NFS) even when the zone is in the 
ready state.

3. Labeled zones which dominate the restricted zone (if any) can gain read-only 
access via NFS mounts (specifying a non-shared global zone IP address and the 
full pathname of the mounted dataset as viewed from the global zone). For 
example:

    /net/gz-name/zone/restricted/root/zone/data

The second "zone" in the pathname is there because it was specified in the 
original posting, but you can rework the example without it.

--Glenn
 
 