It's neat, but is it useful?
By Scottdickson-Oracle on May 15, 2006
Sometimes weird ideas occur to me while I'm on airplanes. The other day, while flying to a customer engagement, I was thinking about the fact that customers often ask about how to manage usernames and passwords between the global zone and non-global zones in Solaris 10. Certainly, you can use a centrally managed solution such as LDAP or NIS, but many of these customers don't have anything like that. Moreover, they only have a few users on any particular system and want all of the users in the global zone to be known in the non-global zones as well.
So, this got me to thinking. What if we use loopback mounts for things like /etc/shadow? Hey, yeah! That's the ticket! That might work! If I make a read-only mount of these files, I bet I can access them in the non-global zone. If I make them read-only, they end up being managed from the global zone, and are less likely to be a security problem.
And what about /etc/hosts? Well, probably there's DNS, but not necessarily. I have customers who have 50,000+ line host files. They would love to share these, too. So, why not mount /etc/inet while we're at it?
Here's what I did. I have a zone called z4 whose zoneroot is located at /zones/z4. I had already created this zone previously, so I will just use zonecfg to make some modifications to the existing zone:
global# mv /zones/z4/root/etc/passwd /zones/z4/root/etc/passwd.safe
global# mv /zones/z4/root/etc/shadow /zones/z4/root/etc/shadow.safe
global# zonecfg -z z4
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/passwd
zonecfg:z4:fs> set special=/etc/passwd
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/shadow
zonecfg:z4:fs> set special=/etc/shadow
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/inet
zonecfg:z4:fs> set special=/etc/inet
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> verify
zonecfg:z4> commit
zonecfg:z4> ^D
When I boot up the zone and take a look at what's mounted, I now see this:
# uname -a
SunOS z4 5.10 Generic_Patch i86pc i386 i86pc
# zonename
z4
# df -h
Filesystem                      size   used  avail capacity  Mounted on
/                               5.9G   3.5G   2.3G    61%    /
/dev                            5.9G   3.5G   2.3G    61%    /dev
/etc/inet                       5.9G   3.5G   2.3G    61%    /etc/inet
/etc/passwd                     5.9G   3.5G   2.3G    61%    /etc/passwd
/etc/shadow                     5.9G   3.5G   2.3G    61%    /etc/shadow
/lib                            5.9G   3.5G   2.3G    61%    /lib
/opt                            3.9G   1.6G   2.3G    42%    /opt
/platform                       5.9G   3.5G   2.3G    61%    /platform
/sbin                           5.9G   3.5G   2.3G    61%    /sbin
/usr                            5.9G   3.5G   2.3G    61%    /usr
proc                              0K     0K     0K     0%    /proc
ctfs                              0K     0K     0K     0%    /system/contract
swap                            1.5G   240K   1.5G     1%    /etc/svc/volatile
mnttab                            0K     0K     0K     0%    /etc/mnttab
/usr/lib/libc/libc_hwcap2.so.1  5.9G   3.5G   2.3G    61%    /lib/libc.so.1
fd                                0K     0K     0K     0%    /dev/fd
swap                            1.5G     0K   1.5G     0%    /tmp
swap                            1.5G    16K   1.5G     1%    /var/run
Now, I can log directly into the zone using the same username and password as the global zone. This seems like it could be pretty cool.
Notice that /etc/passwd, /etc/shadow, and /etc/inet are all mount points from the global zone. I am not sure that it's really useful. What does anyone else think? Is this a technique that should be strongly discouraged? Or something that we need to document and encourage?
One thing this makes me think of is a potential RFE for zonecfg. It would be nice to have some kind of include operator, so that common segments could be pulled into each zone's configuration. But maybe the right way to do this is just to do it in a script.
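Along the lines of that script idea, here is an added shell example (not from the original post or from Sun) that turns the interactive zonecfg session above into a command file usable for any list of shared paths, and then checks, from a mnttab(4)-style mount table, that each path really came up as a read-only lofs mount inside the zone. The sample mount table is constructed; the function and variable names are my own.

```sh
# Emit zonecfg(1M) commands adding a read-only lofs mount of each given
# global-zone path at the same path inside the zone, as in the post's session.
# Apply with: zonecfg -z ZONE -f FILE
gen_zonecfg_cmds() {
    for p in "$@"; do
        printf 'add fs\nset dir=%s\nset special=%s\nset type=lofs\n' "$p" "$p"
        printf 'add options [ro,nodevices]\nend\n'
    done
    printf 'verify\ncommit\n'
}

# Check a mnttab(4)-style table ($1: "special mountpoint fstype options time"
# lines, e.g. /etc/mnttab read inside the zone) for each remaining argument:
# it must be mounted, of type lofs, and carry the ro option that keeps the
# zone from altering the shared global-zone files. Returns 1 on any failure.
check_ro_lofs() {
    table=$1; shift; rc=0
    for p in "$@"; do
        line=$(printf '%s\n' "$table" | awk -v mp="$p" '$2 == mp { print; exit }')
        if [ -z "$line" ]; then
            echo "MISSING $p: not a mount point"; rc=1; continue
        fi
        fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
        opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
        case ",$opts," in
            *,ro,*) ro=yes ;;
            *)      ro=no ;;
        esac
        if [ "$fstype" != lofs ]; then
            echo "BAD $p: type $fstype, expected lofs"; rc=1
        elif [ "$ro" != yes ]; then
            echo "BAD $p: mounted writable ($opts)"; rc=1
        else
            echo "ok $p: lofs, read-only"
        fi
    done
    return $rc
}

# Constructed sample of what /etc/mnttab might show inside zone z4 (not real
# output); /etc/inet is deliberately left rw to exercise the check.
sample_mnttab() {
    cat <<'EOF'
/ / ufs rw,dev=2d90002 1147712300
/etc/passwd /etc/passwd lofs ro,nodevices,dev=1980000 1147712301
/etc/shadow /etc/shadow lofs ro,nodevices,dev=1980000 1147712301
/etc/inet /etc/inet lofs rw,nodevices,dev=1980000 1147712301
EOF
}

check_ro_lofs "$(sample_mnttab)" /etc/passwd /etc/shadow /etc/inet || echo "some shared mount is writable"
```

On a real system, generate the file once with `gen_zonecfg_cmds /etc/passwd /etc/shadow /etc/inet > shared-fs.cfg` and feed it to zonecfg for each zone; after boot, run `check_ro_lofs "$(cat /etc/mnttab)" /etc/passwd /etc/shadow /etc/inet` from inside the zone.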