On Wed, Feb 14, 2007 at 05:55:12PM -0800, Glenn Faden wrote:
> >3) I know we've talked about a zone not being able to share stuff
> >outside of its namespace, but I wonder if we should further restrict
> >this to sharing storage that's fully administered in the zone, e.g.
> >you can't share a filesystem you got via lofs, but you can share
> >from a /dev/dsk/cxtxdx or a zpool that had been fully delegated to
> >you.  Opinions?
> 
> This seems like a good idea. Of course the zone's root directory is a 
> special kind of lofs mount that is established during zone_create, so 
> directories in that filesystem should be sharable. Even if the zone is 
> created using zfs, the dataset's root is not in the zone.

Further, zones should not be able to share filesystems that aren't
wholly owned by them -- whether the zone gets it by lofs mounting or by
having its root directory as a sub-directory of a larger filesystem that
has other sub-directories available to other zones or in the global
zone.  This is to avoid issues with NFSv3 file handles for files in the
same filesystem but outside the sharing zone being accessible through
it.

Nico
-- 
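
The rule proposed in this message, sketched as an added example (not code from the thread or from Solaris): a share request is allowed only when the filesystem containing the path is not a lofs mount and is mounted entirely inside the zone's root. The `Mount` record, `may_share`, and the mount table are hypothetical, and paths are assumed to be expressed in the global zone's namespace.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Mount:
    mountpoint: str  # absolute path, global-zone namespace (assumption)
    fstype: str      # "zfs", "ufs", "lofs", ...

def within(path, root):
    """True if path equals root or lies beneath it (lexical; '..' is collapsed)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def containing_mount(path, mounts):
    """Mount whose mountpoint is the longest prefix of path, or None."""
    hits = [m for m in mounts if within(path, m.mountpoint)]
    return max(hits, key=lambda m: len(posixpath.normpath(m.mountpoint)), default=None)

def may_share(path, zone_root, mounts):
    """Return (allowed, reason) for a zone asking to share path."""
    if not within(path, zone_root):
        return False, "outside zone namespace"
    m = containing_mount(path, mounts)
    if m is None:
        return False, "no containing filesystem"
    if m.fstype == "lofs":
        return False, "lofs mount of a filesystem administered elsewhere"
    if not within(m.mountpoint, zone_root):
        # The filesystem also holds files outside the zone, so an NFSv3
        # file handle served from this share could name one of them.
        return False, "filesystem extends outside the zone"
    return True, "filesystem wholly inside the zone"

# Constructed mount table: /zones is one filesystem holding several zone roots.
ZONE_ROOT = "/zones/z1/root"
MOUNTS = [
    Mount("/", "ufs"),
    Mount("/zones", "zfs"),
    Mount("/zones/z1/root/export/data", "zfs"),  # dataset delegated to z1
    Mount("/zones/z1/root/mnt/shared", "lofs"),  # lofs from the global zone
]

if __name__ == "__main__":
    for p in ("/zones/z1/root/export/data/pub", "/zones/z1/root/mnt/shared/x",
              "/zones/z1/root/etc", "/zones/z1/root/../../z2/root/etc"):
        print(p, may_share(p, ZONE_ROOT, MOUNTS))
```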
