Robert Gordon wrote:
>
> On Feb 14, 2007, at 12:47 PM, Jeff Victor wrote:
>
>> Robert Gordon wrote:
>>> So could we all agree that:
>>> An NFS Server in a zone means that the namespace it exports is restricted
>>> to that zone only. By that I mean no global zone access to that namespace,
>>
>> Unless I misunderstand you, we have no choice - the global zone's
>> namespace is separate from a non-global zone's namespace. The only
>> way to change that is to use a network-based directory service.
>>
>> This is a key design point of zones.
>
> So let's say /export/z1 is the root of zone1; and it contains a directory
> that is called export. Zone1 exports its /export, which is in reality
> the global zone's /export/z1/export.
>
> I'm asserting that the global zone will not be allowed to NFS export
> anything below /export/z1; I'd even go further and say that any user
> in the global zone would not have access to /export/z1. (But then I am
> also an advocate that if there is something shared, Solaris should disallow
> local access to that share point (and below) period... :) )
>
> Robert..
>
> PS; should we move the discussion to just nfs-discuss (or zones-discuss) rather
> than continue to cross-post ?
>
> _______________________________________________
> appliances-discuss mailing list
> appliances-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/appliances-discuss

Yes, I've trimmed this down. If you are on one of the other discussion lists, you can go to the nfs-discuss archives on opensolaris.org.
I would agree that the global zone should not be allowed to NFS export something for a child zone. I think I misread this initially, but any zone should be allowed to mount something exported from another zone. I.e., if zone1 exports something, the global zone can not get to it locally, but it can via NFS. At one point (and it still might) Data ONTAP enforced that the pfiler (think global zone) could not traverse down into the vfiler's (think local zone) filesystems. Since the filer does not have local access, this was via NFS.