It's neat, but is it useful?

Sometimes weird ideas occur to me while I'm on airplanes. The other day, while flying to a customer engagement, I was thinking about the fact that customers often ask about how to manage usernames and passwords between the global zone and non-global zones in Solaris 10. Certainly, you can use a centrally managed solution such as LDAP or NIS, but many of these customers don't have anything like that. Moreover, they only have a few users on any particular system and want all of the users in the global zone to be known in the non-global zones as well.


So, this got me thinking. What if we use loopback mounts for things like /etc/passwd and /etc/shadow? Hey, yeah! That's the ticket! That might work! If I make a read-only mount of these files, I bet I can access them in the non-global zone. If I make them read-only, they end up being managed from the global zone, and are less likely to be a security problem.


And what about /etc/hosts? Well, probably there's DNS, but not necessarily. I have customers who have 50,000+ line host files. They would love to share these, too. So, why not mount /etc/inet while we're at it?


Here's what I did. I have a zone called z4 whose zoneroot is located at /zones/z4. I had already created this zone previously, so I will just use zonecfg to make some modifications to the existing zone:

global# mv /zones/z4/root/etc/passwd /zones/z4/root/etc/passwd.safe
global# mv /zones/z4/root/etc/shadow /zones/z4/root/etc/shadow.safe
global# zonecfg -z z4
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/passwd
zonecfg:z4:fs> set special=/etc/passwd
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/shadow
zonecfg:z4:fs> set special=/etc/shadow
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> add fs
zonecfg:z4:fs> set dir=/etc/inet
zonecfg:z4:fs> set special=/etc/inet
zonecfg:z4:fs> set type=lofs
zonecfg:z4:fs> add options [ro,nodevices]
zonecfg:z4:fs> end
zonecfg:z4> verify
zonecfg:z4> commit
zonecfg:z4> ^D

When I boot up the zone and take a look at what's mounted, I now see this:

# uname -a
SunOS z4 5.10 Generic_Patch i86pc i386 i86pc
# zonename
z4
# df -h
Filesystem             size   used  avail capacity  Mounted on
/                      5.9G   3.5G   2.3G    61%    /
/dev                   5.9G   3.5G   2.3G    61%    /dev
/etc/inet              5.9G   3.5G   2.3G    61%    /etc/inet
/etc/passwd            5.9G   3.5G   2.3G    61%    /etc/passwd
/etc/shadow            5.9G   3.5G   2.3G    61%    /etc/shadow
/lib                   5.9G   3.5G   2.3G    61%    /lib
/opt                   3.9G   1.6G   2.3G    42%    /opt
/platform              5.9G   3.5G   2.3G    61%    /platform
/sbin                  5.9G   3.5G   2.3G    61%    /sbin
/usr                   5.9G   3.5G   2.3G    61%    /usr
proc                     0K     0K     0K     0%    /proc
ctfs                     0K     0K     0K     0%    /system/contract
swap                   1.5G   240K   1.5G     1%    /etc/svc/volatile
mnttab                   0K     0K     0K     0%    /etc/mnttab
/usr/lib/libc/libc_hwcap2.so.1
                       5.9G   3.5G   2.3G    61%    /lib/libc.so.1
fd                       0K     0K     0K     0%    /dev/fd
swap                   1.5G     0K   1.5G     0%    /tmp
swap                   1.5G    16K   1.5G     1%    /var/run

Now, I can log directly into the zone using the same username and password as in the global zone. This seems like it could be pretty cool. /etc/passwd, /etc/shadow, and /etc/inet are all mount points from the global zone. I am not sure that it's really useful. What does anyone else think? Is this a technique that should be strongly discouraged? Or something that we need to document and encourage?


One thing that this makes me think of is a potential RFE for zonecfg. It would be nice to be able to somehow have an include operator, so that you can pull in common segments to be added to each zone configuration. But maybe the right way to do this is to just do this in a script.
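Since zonecfg has no include operator, the script route is the one sketched here as an added example (not code from the original post): it emits the three repeated "add fs" stanzas from a path list as a zonecfg command file that can be applied to any zone with `zonecfg -z ZONE -f FILE`. The script name gen-shared-etc.sh and the assumption that every path is absolute and exists in the global zone are mine.

```shell
#!/bin/sh
# Added example, not from the original post: emit the repeated "add fs"
# stanzas from a list of paths so one shared-/etc block can be fed to any
# zone with `zonecfg -z ZONE -f FILE`. Nothing here runs zonecfg itself.
# Assumption: every path is absolute and exists in the global zone.

# lofs_stanza PATH -> print one read-only lofs fs resource for PATH
lofs_stanza() {
    path=$1
    case "$path" in
        /*) ;;
        *)  echo "lofs_stanza: '$path' is not an absolute path" >&2; return 1 ;;
    esac
    printf 'add fs\n'
    printf 'set dir=%s\n' "$path"
    printf 'set special=%s\n' "$path"
    printf 'set type=lofs\n'
    # ro: the zone cannot alter global-zone credentials through the mount
    # nodevices: device nodes under the shared path are not honoured
    printf 'add options [ro,nodevices]\n'
    printf 'end\n'
}

# shared_etc_config PATH... -> complete zonecfg command file on stdout
shared_etc_config() {
    [ $# -ge 1 ] || {
        echo "usage: shared_etc_config PATH..." >&2; return 1; }
    for p in "$@"; do
        lofs_stanza "$p" || return 1
    done
    printf 'verify\ncommit\n'
}

# Stand-alone use, e.g. for the post's zone z4:
#   sh gen-shared-etc.sh /etc/passwd /etc/shadow /etc/inet > shared-etc.cfg
#   zonecfg -z z4 -f shared-etc.cfg
if [ $# -gt 0 ]; then
    shared_etc_config "$@"
fi
```

The ro option is what keeps the zone from rewriting the global zone's credentials, but it also means passwd(1) inside the zone cannot change a password, so changes have to be made in the global zone.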


Thoughts? Comments?
