On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote: > On Wed, Feb 14, 2007 at 08:26:48PM +0100, Menno Lageman wrote: >> Robert Gordon wrote: >>> >>> So could we all agree that: >>> >>> An NFS Server in a zone means that the namespace it exports is >>> restricted >>> to that zone only. By that i mean no global zone access to that >>> namespace, >>> nor would that namespace be re-exported within another NFS Server >>> zone >>> instance ? >> >> I have some trouble parsing that, but my perception of the desired >> behaviour is: >> - a zone can only export resources that are within that zone (i.e. >> everything below it's zonepath), >> - a resource exported from a zone, may not at the same time be >> exported >> from the global zone; i.e. if zone a exports /export/foo then >> /zones/a/root/export/foo may not be exported by the global zone) >> - zone A and zone B may both export their own /export/foo since those >> are two distinct resources. >> > > this all makes logical sense to me. > > i would refine your second point though because it doesn't take into > account lofs mounts. > > ex, if i have /export/foo in the global zone and then in zonecfg i > configure a "filesystem" resource such that this directory is also > lofs mounted in the zone at /export/foo, then who should be able > to export the filesystem? > > it seems to me that both the local zone and the global zone > should be able to export it (or not export it) independantly. > > ed
There maybe a conflicting security requirement here. Lets say I'm SA of the zone and i have exported /export/foo with krb5i (since my foo really needs tight security :) ) to a limited set of clients. Then along comes Mr Global SA and exports it with auth_sys to any old nfs client.. seems like that might be an issue ? Robert.
