I've been playing around with how zones are integrated in a system running a
/support (default publisher) version of OpenSolaris 2009.06. It seems when a
new zone is installed, the SSL keys are also copied over to the zone (at least
that's what the zone install messages seem to show - sorry, I didn't get a chance
to actually verify what keys are copied over, etc.).
This is a bad thing if we are providing the zone to a user/customer who does
not have root access to the global zone. They would have access to the keys,
free to distribute and use.
What is a solution to this?
If I set the default publisher of the global zone to be /release right before
installing the zone, then the zone and the global zone bits are different. But this
does prevent the keys from being copied. Once installed, I could set it back to
All of that sounds like a bit of a hack, and I would rather not do that in the hopes of
keeping the zones and the global zone in sync with the same bits.
But then how can I get Sun support (patches) and also prevent this problem? If
there is no good solution at this point, I guess I will just have to stick with
/release for now.
This message posted from opensolaris.org
zones-discuss mailing list