The biggest problem with running a service in the global zone is that if compromised, it may be used to get privileged access to the non-global zones as well.
IMHO if you plan to deploy non-global zones you are best off (from a security perspective) to run only the minimum necessary services (ssh) and install only the minimum number of software packages in the global zone. My global zone typically only runs ssh and has less than 200 packages. If a non-global zone requires SUNW packages, then I make the non-global zone a whole root zone (e.g. don't read-only mount/inherit /usr, /lib, /sbin, and /platform from the global zone). Otherwise I just create sparse root zones.

The biggest problem with this methodology is that you have to manually determine the package dependencies when installing SUNW packages in your non-global zone. One day Sun will resolve this issue and get package dependencies automagically resolved like apt/yum/pkg-get works today. Until then it's still a manual process.

Having said that, the software/service that you may want to run may be available via the Blastwave package repository. In that case install a sparse zone and use pkg-get to install the desired software from blastwave.org. On this topic, I have made it very convenient in the Zone Manager to install any Blastwave package with -G <pkg> when creating or modifying a non-global zone. For example, you can create and install a sparse root non-global zone called z1 and install mysql5 from Blastwave with the following command:

    # zonemgr -a add -n z1 -z /zones -P pw \
      -I "192.168.0.10|hme0|24|z1" -G mysql5 \
      -C /etc/nsswitch.conf -C /etc/resolv.conf

More info on the Zone Manager available here: http://opensolaris.org/os/project/zonemgr/

Regards,
Brad

On Wed, 2007-02-14 at 12:36 -0800, Brad Bowling wrote:
> Are there any pros/cons to using a global zone to host a service/app
> just as you do on the local zones (i.e. the global zone serves as just
> another host with the added responsibility of managing local zones)?
> Are there any pros/cons to using the global zone only as an
> administrative zone, serving no other purpose but to manage local
> zones?
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org
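The sparse root versus whole root distinction above can be checked from a zone's configuration. The following is an added example, not code from the post or from the Zone Manager project: a POSIX shell check that classifies a zone from the output of `zonecfg -z <zone> export`, assuming the `add inherit-pkg-dir` / `set dir=` stanza format of that export, and run here against constructed sample output rather than a live system.

```shell
# Added example (not from the post or zonemgr): tell a sparse root zone from a
# whole root zone via `zonecfg -z <zone> export`. A sparse root zone carries
# `add inherit-pkg-dir` stanzas for /lib, /platform, /sbin and /usr; a whole
# root zone has none. Both inputs below are constructed, not captured.
SPARSE_EXPORT='create -b
set zonepath=/zones/z1
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end'

WHOLE_EXPORT='create -b
set zonepath=/zones/z2
add net
set address=192.168.0.11/24
set physical=hme0
end'

# Print the directories a zone inherits read-only from the global zone.
inherited_dirs() {
    printf '%s\n' "$1" | awk '
        /^add inherit-pkg-dir/ { in_block = 1; next }
        in_block && /^set dir=/ { sub(/^set dir=/, ""); print }
        /^end/                  { in_block = 0 }'
}

# "sparse" if any package directory is inherited, otherwise "whole".
zone_type() {
    if [ -n "$(inherited_dirs "$1")" ]; then echo sparse; else echo whole; fi
}

# How many of the four standard read-only directories the zone inherits;
# a sparse zone reporting fewer than 4 has a non-standard configuration.
inherited_count() {
    inherited_dirs "$1" | awk '
        $0 == "/lib" || $0 == "/platform" || $0 == "/sbin" || $0 == "/usr" { n++ }
        END { print n + 0 }'
}

# On a live system the argument would be "$(zonecfg -z z1 export)" instead.
printf 'z1: %s (%s inherited dirs)\n' "$(zone_type "$SPARSE_EXPORT")" "$(inherited_count "$SPARSE_EXPORT")"
printf 'z2: %s (%s inherited dirs)\n' "$(zone_type "$WHOLE_EXPORT")" "$(inherited_count "$WHOLE_EXPORT")"
```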