On Thu, Jul 16, 2009 at 5:30 PM, Peter Tribble<peter.trib...@gmail.com> wrote:
> On Tue, Jul 14, 2009 at 1:15 PM, Harry Putnam<rea...@newsguy.com> wrote:
>> Alexander Skwar <alexanders.mailinglists+nos...@gmail.com> writes:
>>> What he plans can be done easily using NGZ (non-global zones).
>>> An NGZ also adds just a little bit of overhead (if any at all) to the
>>> system - unlike vbox.
>> So you're saying a zone to handle all backup work is a sensible way to
>> go at it...
>> Can you tell me what would be the advantage of creating a zone for
>> that as against just doing thru the normal os... no zones.
> Personally, I wouldn't use zones for this. Zones give you isolation - either
> for security or to run multiple instances. (Amongst other things.)  A bit of
> complexity for no benefit.
> Isolating the mail server in a zone, on the other hand, makes more sense.
> Anything you expose to incoming traffic from outside is good.
> Nameservice I'm not sure: what acts as nameservice to the global zone?

Something that has the best security possible. If the GZ only needs to
know about a few machines on the LAN, you could just use
/etc/inet/hosts in the global zone, and put the nameserver in a zone.
In some situations, that would be very helpful, e.g. if the nameserver
is talking to the Internet for DNS resolution. In other situations,
e.g. the system should be talking to the Internet, putting the
nameserver in a zone would not help much.

> One thing I've found to be true though: either a machine is all zoned, or not.
> It gets horribly confusing to have real activity in the global zone,
> where you can half see the non-global zones, so if you have zones on a 
> machine then it's
> easier to run nothing in the global zone and just use it as an administrative
> container.

Further, Sun's recommendation is limit GZ use to platform management
tasks - managing the zones - and put all apps in zones. The system
benefits from the isolation mentioned earlier and the immutability of
operating system binaries. No Trojan Horses in sparse-root zones!

zones-discuss mailing list

Reply via email to