ZFS is the best approach, but I agree with Mark, it would be best to send the domU a *raw* device (target) from the SAN, rather than a zvol if possible.
I have several other ideas about the "shared" home directories, but totally understand where you are coming from with all the firewall complex stuff, so I will let that be. When I used zones, I had one /export/home per physical server, with xVM I have one per virtual machine in my firewall complex, and I haven't sorted out what I want to do there yet.

Good luck!

Tommy

On Jan 26, 2010, at 8:49 PM, Kent Watsen wrote:

> Tommy/Mark,
>
> Thank you so much for your thoughts, you have helped me immensely crystalize
> my own...
>
> First off, I don't think I can use the NFS based solution in part because, as
> Mark says, I don't want to put the load on my NIC but, more importantly,
> because that assumes the SAN and the DomU are in the firewall zone.
> In this case, my SAN/Dom0 is in my "management" subnet and my DomU is in my
> "private" network. The machine physically has two NICs, one which is bound
> to the Dom0 and the other bridged for the DomUs - the ethernet cables for
> each plug into different VLANs isolated by my firewall. I know some may
> question if it makes sense to firewall off a DomU from its Dom0, as exploits
> in the virtualization layer could render useless such precautions, but it's
> what I'm doing anyway.
>
> That leaves me with passing a block-device that I can either mount directly
> (i.e. a UFS formatted disk?) or via ZFS (i.e. a ZFS formatted disk). Since
> neither of you identified any major concern with my current ZFS approach, I
> think I'll stick with it.
>
> Mark - what did you mean by "and of course, you need to think about migration,
> etc.. "? - that sounds ominous...
>
> Tommy - thanks for the awesome line by line review!
>
> Thanks,
> Kent
> _______________________________________________
xen-discuss mailing list
[email protected]
