I've been playing around with how zones are integrated in a system running a /support (default publisher) version of OpenSolaris 2009.06. It seems that when a new zone is installed, the SSL keys are also copied over to the zone (at least that's what the zone install messages seem to show; sorry, I didn't get a chance to actually verify what keys are copied over, etc.).
This is a bad thing if we are providing the zone to a user/customer who does not have root access to the global zone. They would have access to the keys, free to distribute and use them. What is a solution to this? If I set the default publisher of the global zone to be /release right before installing the zone, then the zone and the global zone bits are different. But this does prevent the keys from being copied. Once installed, I could set it back to /support. All of that sounds like a bit of a hack, and I would rather not do that, in the hopes of keeping the zones and the global zone in sync with the same bits. But then how can I get Sun support (patches) and also prevent this problem? If there is no good solution at this point, I guess I will just have to stick with /release for now.
