[zones-discuss] Mounting /var and /opt as filesystem in container

2006-12-20 Thread Shawn LEE C. H.

Hi experts

Is there any way we can mount /var and /opt in a zone on a separate 
filesystem, noting that /var and /opt within a zone are not empty? I had 
tried assigning zpool devices to the zone like this:


#zfs create diskpool c0t0d0
#zfs create diskpool/web
#zfs create diskpool/web/var

#zonecfg -z web
#zonecfg:web add fs
#zonecfg:web set dir=/var
#zonecfg:web special=diskpool/web/var
#zonecfg:web set type=zfs
#zonecfg:web end
#zonecfg:web exit

When I tried to verify and install the zone, it gives an error saying 
/opt and /var can't be created and verified. Any ideas how we can 
achieve this feat?


rgds
shawn
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] Mounting /var and /opt as filesystem in container

2006-12-20 Thread Ivan Buetler
My hint:

Missing / in zonecfg:web.

Instead of
#zonecfg:web special=diskpool/web/var

use
#zonecfg:web special=/diskpool/web/var



Ivan

On Wednesday 20 December 2006 10:53, Shawn LEE C. H. wrote:


Re: [zones-discuss] Mounting /var and /opt as filesystem in container

2006-12-20 Thread Shawn LEE C.H.

Ivan

Thanks for the reply...

Actually, I tried both, with / and without; still cannot.

Ivan Buetler wrote:


Re: [zones-discuss] Mounting /var and /opt as filesystem in container

2006-12-20 Thread Detlef Drewanz
I think you have to mount the zfs as a legacy mount point via /etc/vfstab before you can 
add this as an fs to a zone.

(I remember that I've seen this in the manual, but haven't tried this 
myself.)

Detlef

On 12/20/06 14:06, Shawn LEE C.H. wrote:


--
Detlef Drewanz, Systems Engineer/OS Ambassador
Sun Microsystems GmbH, Phone: (+49 30) 747096 856
Komturstrasse 18a, D-12099 Berlin
http://blogs.sun.com/solarium


Re: [zones-discuss] Mounting /var and /opt as filesystem in container

2006-12-20 Thread Brad Diggs
Detlef,

To be specific, do you mean that within the global zone, you have
to do the following:
 1. Add the zfs filesystem as legacy filesystem.
 2. Manually add entry into /etc/vfstab (please provide example as 
I don't see one anywhere).
 3. Mount the zfs filesystem in the global zone.
 4. Create the zone with the legacy mode zfs (type=zfs) as a part
of the zone config.
 5. Install the zone.
 6. Unmount the zfs filesystem from the global zone.

Is that about it?  If you will provide a working vfstab entry,
I will try it out here in my lab.

Thanks in advance,
Brad

On Wed, 2006-12-20 at 16:47 +0100, Detlef Drewanz wrote:
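One way to prepare the input for the procedure Brad lists above, as an added example that is not from the thread. It assumes that for a type=zfs resource the special value is the dataset name without a leading slash and that the dataset has mountpoint=legacy (so zoneadm mounts it into the zone root at boot rather than the global zone mounting it); the script only generates and checks the zonecfg command file and never runs zfs or zonecfg.

```shell
# Added example, not from the thread: build the zonecfg(1M) command file for
# one fs resource plus the global-zone ZFS preparation that pairs with it.
# Assumptions (not stated in the thread): a type=zfs "special" is the dataset
# name with no leading slash, and that dataset must be mountpoint=legacy so
# that zoneadm, not the global zone, mounts it when the zone boots.
# Nothing here runs zfs or zonecfg; it only writes and checks their input.

# Emit zonecfg subcommands for one fs resource.
# Usage: zone_fs_cmds DIR FSTYPE SPECIAL   (e.g. /var zfs diskpool/web/var)
zone_fs_cmds() {
  dir=$1 fstype=$2 special=$3
  case $dir in
    /*) ;;
    *) echo "dir must be an absolute path inside the zone: $dir" >&2; return 1 ;;
  esac
  case $fstype in
    zfs)
      # Dataset names look like pool/child[/...]: no leading or trailing slash.
      case $special in
        /*|*/|*[!A-Za-z0-9_.:/-]*)
          echo "type=zfs needs a dataset name, not a path: $special" >&2; return 1 ;;
      esac ;;
    lofs)
      # lofs loops back an existing global-zone path, so here a leading / is right.
      case $special in
        /*) ;;
        *) echo "type=lofs needs an absolute global-zone path: $special" >&2; return 1 ;;
      esac ;;
    *) echo "unsupported fs type for this generator: $fstype" >&2; return 1 ;;
  esac
  printf 'add fs\nset dir=%s\nset special=%s\nset type=%s\nend\n' "$dir" "$special" "$fstype"
}

# Global-zone commands that pair with a type=zfs resource. The pool itself
# comes from zpool create (not zfs create); -p creates missing parents.
zfs_legacy_prep() {
  printf 'zfs create -p %s\nzfs set mountpoint=legacy %s\n' "$1" "$1"
}

# Example run: write the command file, then as root apply it with
#   zonecfg -z web -f "$cfg"   (followed by zoneadm -z web verify)
cfg=${TMPDIR:-/tmp}/web-var.cfg
zone_fs_cmds /var zfs diskpool/web/var > "$cfg" && cat "$cfg"
zfs_legacy_prep diskpool/web/var
```

Whether a /var that the zone installer has already populated can be replaced by such a mount is not settled in the thread; the generator only rules out the slash and path-form mistakes discussed above.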


[zones-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-12-20 Thread Erik Nordmark

[EMAIL PROTECTED] wrote:

Erik,

Here are my belated comments on the IP Instances design.


And here are my belated responses. But we've already acted on the 
comments that affect the design and code, and I'll make sure the Zones 
documentation covers the other documentation items.



There are two documents which describe the design
si-interfaces - a high-level design focusing on the problem the
project solves, and what the user-visible changes are


A general comment that in both documents page numbers seem to be
missing.


Good point.

But I suspect the remaining shelf-life of the design document is very
limited. I'll definitely take your comments on missing pieces in the
documents as strong hints that we should ensure that the zones book be
clear on these points.


Figures 1 and 2 - I think the pictures are a little misleading the
second picture displays an example of two applications (web servers?)
both binding to INADDR_ANY on port 80.  Of course, that's also a very
viable example for the current zones model.  Perhaps a better example
might be one of those applications designated as Internet facing and
another might be Intranet-facing or Internal.


Figure 1 shows how zones can be used today.
Figure 2 shows what customers want from IP-level isolation between VLANs 
(and the white space between the two instances of IP is critical).

Clearly zones today don't provide that isolation.
Even if we ignore that (foolish as it might be), in figure 2 the 
two different zones use different IP subnets, and as a side effect they 
need to use different (default or otherwise) routes.
AFAIK we don't actually claim to support different routes for different 
zones.

Do you still think this is misleading?


Page 6, Section 4 - I'm not sure if this is the proper place for a
discussion on security or if it warrants a separate section, but I
think the document should discuss the security implications of a zone
using a shared stack versus an exclusive stack.  For example, I think
including the table you had sent in private email some time ago which
documented the various attack vectors and how each type of zone
addresses the type of attack would be helpful in understanding the
trade-offs.


We'll put this in the zones book. We need to describe the tradeoffs 
between using shared-IP and exclusive-IP zones there, and the network 
security differences are one part of that.



Page 6, Section 5 - In the second paragraph, you mention there are no
planned layer two changes.  Does that mean for the initial design that
there will be no filtering done at that layer?  Again, perhaps this
merits discussion in a separate Security section but it's important
to understand what sorts of capabilities a privileged user in an
exclusive stack zone has versus one in a zone using the shared stack.


Correct. I'll make sure the zones book covers this topic.


Page 7, Section 6 - In #4, leveraging zonename(1) in this way does seem
strange.  I know we discussed at one time a command to retrieve and
interpret the values of ZONE_ATTR_* kernel attributes although in this
particular case, it seems the only one that makes sense from inside the
zone itself is whether this zone is tied to an exclusive stack.


We've discussed this in a separate email thread.
As your colleague indicated, given that this is a private interface it 
isn't a big deal. If some new general command for getting ZONE_ATTR_* is 
created we can just switch to using that instead. (The only place which 
calls zonename -t is in smf_include.sh, thus it would be easy to change 
when that day comes.)



What about using /sbin/netstrategy and smf_netstrategy() in
/lib/svc/share/smf_include.sh for this purpose?


Overloading them would probably be a mistake. We also have Xen adding 
its own mechanisms to net-physical. Once we get a perspective across all 
of the virtualization technologies then we can try to refactor how we do 
configuration.



Page 7, Section 7 - Given the recent discussion with a customer, would
it make sense to make it clear here that there is a *single* shared IP
and the project does not allow for islands of shared IP instances?


Will do in the zones book.


Page 8, Section 9 - When does the enforcement of only allowing a
physical property for exclusive IP zones occur?  Does it occur when one
tries to complete the addition of a net resource by specifying the end
subcommand?  Or does it occur when verify is performed on the whole
configuration (either the explicit command or the implicit verification
that takes place prior to commit)?


The latter. (It is done in the verify command in zonecfg.)


In the example given for the shared IP zone, I would suggest adding the
/24 prefix length to the address parameter (it's not required but
definitely encouraged) and also the missing end subcommand.

In the example given for the exclusive IP zone, there is also a missing
end subcommand.


I'll make sure the examples in the zones book are correct on these points.


Page 9, 

re: [zones-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-12-20 Thread Peter Memishian

   Should these functions be dealing with link names rather than
   interfaces to avoid confusion with the interfaces that ifconfig(1M)
   deals with?
  
  Good point.
  We've renamed them to have datalink in their names.
  Jerry also pointed out that we should be more careful about terminology 
  like ifname and interface name in the code, so we have done that as 
  well. (Basically the general concept which corresponds to physical=bge0 
  is something we call network interface (name). Those could be for 
  shared-, or exclusive-IP zones. But when it comes to adding a datalink 
  name for an exclusive IP zone we call the zone_add_datalink() syscall.)

Glad to hear this.  Consistent and correct use of these terms will be
increasingly important given upcoming technologies like datalink vanity
naming and VNICs (among others).

--
meem


[zones-discuss] Advice wanted - sharing file systems across multiple zones

2006-12-20 Thread Daren R. Sefcik
Hi..
After searching high & low, I cannot find the answer for what I want to do (or at 
least understand how to do it). I am hopeful somebody can point me in the right 
direction.
I have (2) non global zones (samba & www). I want to be able to have all user 
home dirs served from zone samba AND be visible under zone www as the users' 
public_html dir. I have looked at delegating a dataset to samba and creating a new fs for 
each user, but then I cannot share that with www. I also tried creating the fs 
under the global zone and mounting that via lofs, but that did not seem to carry 
over each underlying fs and lost the quota capability. I cannot share via NFS 
since non global zones cannot mount from the same server.

How can I achieve what I want to do?

The requirements are:

User Quotas (needs a file system for each user)
Share file systems across multiple non global zones (rw)

I have close to 3000 users so it must be a manageable approach and hopefully
allow me to use the root preexec of samba to auto create user dir's.

tia for any help,

Daren
 
 
This message posted from opensolaris.org


Re: [zones-discuss] Re: Note about Zones and Solaris 10 11/06

2006-12-20 Thread Jeff Victor

Phil Freund wrote:

Hi Jeff,

Thanks for posting this info. I had to look real hard to find it in the
Release Notes even knowing it existed. The link within the FAQ goes to a
blank page.


Apologies for the outdated link.  The new link is 
http://docs.sun.com/app/docs/doc/817-1592/6mhahuovm?a=view




I looked at the notes both from the link in the message and in the Release
Notes and still need some clarification about the lofs situation.

I mount all of my application directories for local zones via lofs. For
example, here is a definition in one zone.xml file that is consistent with
the way I do the mounts in all 46 of my zones:
<filesystem special="/appmounts/cludaep900o/psep90" directory="/psep90" type="lofs"/>

Will I have a problem with the upgrade and have to use the workaround? If
yes, why?


Yes, you must use the workaround.  There is a bug in the installer (upgrade 
software) that gets confused if a zone has one or more LOFS mounts.  There is 
a fix for the bug, but the fix was not available at the time the final 11/06 
bits were created and put through final testing.


Fortunately, most of the workaround can be scripted.

--
Jeff VICTOR, Sun Microsystems, jeff.victor @ sun.com
OS Ambassador, Sr. Technical Specialist
Solaris 10 Zones FAQ: http://www.opensolaris.org/os/community/zones/faq
--