Ellard Roush wrote:
This document provides a lot of useful information.
In the section "solaris10 Brand: What's Not Emulated"
you repeat some old information that is no longer correct:
"One point to note is that TX will continue to
be incompatible with branded zones."
That statement probably dates to the time when the
"lx" brand was the only branded zone other than "native".
Solaris Trusted Extensions (TX) does not support "lx"
and so it was correct at that time to state that TX does
not support branded zones.
The BrandZ framework now supports multiple kinds of zones,
including the "native" brand zone.
The BrandZ framework provides a powerful mechanism for
tailoring the behavior of a zone.
The Sun Cluster organization has taken the "native" brand
zone and used the BrandZ framework to add callbacks for
notifying Sun Cluster software about various zone changes.
This "cluster" brand zone is a branded zone, but is
really a "native" zone with cluster hooks. Our goal
is make this "cluster" brand zone behave as much as
possible just like the "native" brand zone.
We have recently been successful in getting
Sun Cluster to work with TX using the "cluster"
brand zone. The Zone Cluster provides a "cluster-wide
security container". :)
So please revise your statement
about TX not being able to work with zones other than
the "native" zone.
TX is incompatible with branded zones which actually
implement emulation with a brand module. The cluster
brand and the labeled brand do not do this; since
those brands only use the simple user-level hooks, they
can co-exist. Brands such as lx, solaris8, solaris9
or solaris10 which need emulation support within the kernel
cannot co-exist with TX. See the brand_register_zone()
function in usr/src/uts/common/os/brand.c. I'll add some
text to clarify this.
Thanks for looking it over,
zones-discuss mailing list