On 2009.07.22 12:32:01 -0700, Steve Lawrence wrote:
> The issue is that from the global zone context (non-zlogin), stuff like
> symbolic links to something like /etc could copy files from the global
I don't understand it. cpio preserves symlinks, so symlinks will appear
just like symlinks in NGZ and files as a files. That means no mapping/no
risk. Am I right?
> I'm not sure why this is dangerous in this case, as we are only reading
> from the zone, as cpio does not traverse/open sym links, it just copes the
> link itself.
That's what I think.
> Does this all end up going through zlogin one byte at a time?
Yes, the whole stream goes through zlogin from NGZ to GZ where it is
What would be the problem if we wouldn't use any zlogin? Just a cpio on
zone root to a cpio to other zone root? What is the risk there?
> On Wed, Jul 22, 2009 at 04:57:47PM +0200, Martin Rehak wrote:
> > Hi,
> > I am trying to get Live Upgrade better by reimplementing some parts of
> > the code. What I am not sure of is whether is it safe to do a copy of
> > non global zone imports (filesystems dedicated to a zone in its config)
> > from the global zone.
> > This is existing code (lucopy.sh:1808, install-nv-clone):
> > http://grok.czech.sun.com:8080/source/xref/install-nv-clone/usr/src/cmd/inst/liveupgrade/scripts/lucopy.sh
> > 1808 (
> > 1809 fgrep -xv $mountpoint /tmp/lucopy.zonefs.$$
> > 1810 cat /tmp/lucopy.zoneipd.$$
> > 1811 ) | sed 's+.*+^&/+' |
> > 1812 zlogin $ozonename \
> > 1813 "cat > /tmp/lucopy.excl.$$; \
> > 1814 (
> > 1815 if [ -s /tmp/lucopy.excl.$$ ]; then
> > 1816 cd $zroot$mountpoint && \
> > 1817 find . -depth -print | \
> > 1818 egrep -vf /tmp/lucopy.excl.$$ | \
> > 1819 cpio -ocmP@
> > 1820 else
> > 1821 cd $zroot$mountpoint && \
> > 1822 find . -depth -print | cpio -ocmP@
> > 1823 fi
> > 1824 )" |
> > 1825 ( cd $tdir && cpio -icdmP@ )
> > 1826 lulib_unmount_pathname $tdir
> > To describe it, I would say that it will zlogin into the non global
> > zone, generates there a listing which it sends onto stdin of cpio which
> > writes an archive on its stdout. That archive is directed to the
> > stdin of cpio running _OUTSIDE_ the zone (in the global zone) which
> > finally expands it and writes it to a target directory.
> > Unfortunatelly few lines above there is this comment:
> > 1769 # Mount each non-lofs zone import in a temporary location
> > 1770 # and copy over the bits that belong there, extracted from
> > 1771 # the running zone. We are now reaching through zone-
> > 1772 # controlled paths and thus must be extremely careful.
> > 1773 # Direct copies are not safe.
> > And the question is: What can happen if I simply will not generate the
> > listing and the archive inside the zone but will do it in the global
> > zone and using 'cpio -p'?
> > If I generalize the problem a little bit more I would like to know your
> > opinion about my idea of copying whole BE including zones in just one
> > 'cpio -p'. Why it wouldn't work, please?
> > Thank you very much for your any reply
> > --
> > Martin Rehak
> > _______________________________________________
> > zones-discuss mailing list
> > firstname.lastname@example.org
zones-discuss mailing list