More Zone limitations? JumpStart server in a non-global Zone?

807559 Nov 10 2005 — edited Apr 16 2006
(Solaris 10 03/05, fully patched as of just a couple days ago)

The bulk of what I'm trying to accomplish is a hardened global zone (no network access, console-only logins from very limited staff, etc.) and all (virtual) servers isolated from each other in their own non-global zones.
I'd expect the reasoning for this to be obvious:
o The global zone can see any processes as well as data in the filesystems of the non-global zones. If the global zone is compromised, the entire system is.
o Conversely, if a non-global zone is compromised, the rest of the system is effectively invisible to it.

That said, the very first thing I tried to do is set up a JumpStart server in a non-global zone. It's integral with Solaris, does not require placing the ethernet interfaces into promiscuous mode... it should work.
Nope. I can't even export an NFS filesystem (something that I really don't want to do in the global zone):
share_nfs: Cannot share filesystems in non-global zones: /export/jumpstart
Now I've seen this thread, but the last information posted by someone who appears to work for Sun was over a year ago.

Is this still considered a no-time-table future feature?
Or am I missing something?

Considering that Sun is pushing Zones heavily for consolidation, I'm shocked that serving NFS is not zone-able.

I also saw this thread discussing JumpStart in non-global zones, but it seems to be more of an argument about "why", rather than "how" or "if". The problem this person ran into is in.rarpd... which I haven't tried yet.


I've been pushing Solaris 10's Zones as a cost-saving measure for a project to deploy a number of these systems out over our (worldwide) network.
I have plans for at least 3 non-global zones, each with its own security risks and configuration, and I'm really starting to wonder what other brick walls I'm going to run into... not to mention if this project is even possible.
I saw another thread where a person found out (the hard way) that Sun Ray Server won't run properly in a zone... that shoots down another project I was planning to propose.

Does anyone know if there's a workaround for this?
Maybe some GPLed (obviously non-kernel mode) NFS server and rarp server software that might actually run in a zone?

Thank you,
Kevin
Locked on May 14 2006