On Wed, May 03, 2006 at 03:52:39PM -0700, Craig Cory wrote:
> I, too, am late to this thread but I caught something that didn't seem right
> to me in this specific example. For the administration of the non-global
> zones, SunEducation (for whom I am an instructor) is stressing that the ng
> zones are "Software Virtualizations" (my quotes) and that the hardware and
> infrastructure are managed by the global zone admin. In this case, the ngz
> admins would not have access or permission to corrupt their filesystems at the
> zpool/zfs level. Unless zfs is to offer a different management model, I don't
> suspect we will need to differentiate the (incapacitated) ngz admins from the
> gz admins.

Regardless of whether global zone admins _should_ corrupt non-global
zone software state, it will forever remain that they _can_.  For
example, nothing prevents a global zone admin today from removing
/<zonepath>/root/etc/passwd.  Nor should this level of restriction be
enforced - as long as the global zone administrator has all privileges,
there is nothing he or she can or cannot do to destroy local zone state.
Similarly, the global zone administrator can choose to export devices to
the local zone that would give them access to physical hardware.  It's
just not the recommended method of operation.  The pool history provides
a means for verifying that this philosophical boundary hasn't been
crossed.

Even ignoring this fact, the hierarchical nature of ZFS datasets allows
for changes to parent filesystems to be reflected in the local zone
dataset.  Imagine the global zone administrator turns compression on for
the whole pool - now the local zone administrator will have compression
on unless they've explicitly set it locally.

- Eric

--
Eric Schrock, Solaris Kernel Development       http://blogs.sun.com/eschrock
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
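The inheritance behaviour Eric describes (a property set on the pool shows up in the zone's dataset unless the zone admin set it locally) can be reproduced with `zfs get -r -o name,property,value,source compression tank`, and `zpool history` records who changed what. The following is an added illustrative model of that property-resolution rule, written for this thread and not part of ZFS or the original message; dataset names `tank`, `tank/zones` and `tank/zones/z1` are assumed.

```python
from dataclasses import dataclass, field

# Model of ZFS property inheritance (added example, not ZFS code):
# a dataset either carries a property itself (set with `zfs set`) or takes
# the value of the nearest ancestor that does, else the default.
@dataclass
class Dataset:
    name: str
    parent: "Dataset | None" = None
    local: dict = field(default_factory=dict)  # properties set on this dataset

DEFAULTS = {"compression": "off"}

def resolve(ds: Dataset, prop: str):
    """Return (value, source) the way `zfs get` reports the source column:
    'local' if set here, 'inherited from <ancestor>' otherwise, 'default' if unset."""
    node = ds
    while node is not None:
        if prop in node.local:
            source = "local" if node is ds else f"inherited from {node.name}"
            return node.local[prop], source
        node = node.parent
    return DEFAULTS[prop], "default"

def zfs_set(ds: Dataset, prop: str, value: str) -> None:
    ds.local[prop] = value

def zfs_inherit(ds: Dataset, prop: str) -> None:
    ds.local.pop(prop, None)  # like `zfs inherit`: drop the local value

def scenario():
    pool = Dataset("tank")                       # managed from the global zone
    zones = Dataset("tank/zones", pool)
    zone = Dataset("tank/zones/z1", zones)       # delegated to the non-global zone admin
    before = resolve(zone, "compression")
    zfs_set(pool, "compression", "on")           # global zone admin changes the whole pool
    after = resolve(zone, "compression")         # zone dataset now reflects it
    zfs_set(zone, "compression", "off")          # explicit local setting shadows the parent
    shadowed = resolve(zone, "compression")
    zfs_inherit(zone, "compression")             # clearing it re-exposes the pool value
    restored = resolve(zone, "compression")
    return before, after, shadowed, restored

if __name__ == "__main__":
    for value, source in scenario():
        print(f"compression={value} ({source})")
```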
