I've been playing around with how zones are integrated in a system running a 
/support (default publisher) version of OpenSolaris 2009.06. It seems when a 
new zone is installed, the SSL keys are also copied over to the zone (at least 
that's what the zone install messages seem to show - sorry didn't get a chance 
to actually verify what keys are copied over, etc.). 

This is a bad thing, if we are providing the zone to a user/customer who does 
not have root access to the global zone. They would have access to the keys, 
free to distribute and use.

What is a solution to this?

If I set the default publisher of the global zone to be /release right before 
installing the zone, then the zone and the global zone bits are different. But this 
does prevent the keys from being copied. Once installed, I could set it back to 

All of that sounds a bit of a hack and would rather not do that in the hopes of 
keeping the zones and the global zone in sync with the same bits.

But then how can I get Sun support (patches) and also prevent this problem? If 
there is no good solution at this point, I guess I will just have to stick with 
/release for now.
This message posted from opensolaris.org
zones-discuss mailing list
