I have a project where I need to run untrusted code
contained in a local zone. As the code is untrusted
the less resources I give to such a zone the safer
I feel. Networking in general, is one such resource.
I don't want zone to have access to anything but
a loopback interface.
Unfortunately, the data for an untrusted code comes
from a r/o NFS mount.
I know that I can't mount NFS shares into roots
of the zones directly (nor can I use lofs). What
options do I still have left?
P.S. And just out of curiosity: what is the actual
reason for not allowing NFS mounts into local zone
roots? With all the traffic devoted to this feature
I'm yet to see an explanation of why it wasn't
allowed in the first place.
zones-discuss mailing list