Zones within a Zone?

Post by Wes William » Thu, 22 Dec 2005 09:24:13



I honestly haven't tried this to completion, but would it be possible?
All the commands seem to be there and I don't see anything to prevent this.

What I was thinking...

I have a friend that doesn't have spare hardware at the present time to
install Solaris on for learning purposes.  If I were to grant him root
access to one standard zone, it would seem he could create any zones
within that zone.  Does anyone know of any limits here?  From my quick
test, I'd suspect the zones are so versatile that any limits would be
hardware related...and that's a lot of zones if John's site is any
indication! (http://blogs.sun.com/roller/page/jclingan)

 
 
 


Post by Lion- » Thu, 22 Dec 2005 10:24:15


> I honestly haven't tried this to completion, but would it be possible?

No.

> All the commands seem to be there and I don't see anything to prevent this.

First of all there are the credentials to be dealt with, an administrator in a
non-global zone can't influence the global zone (hint: it's all 1 kernel
spawning several processes).

And second...  Why not give it a try and you'll soon see for yourself.

--
Groetjes, Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

 
 
 


Post by Andrew Gabri » Thu, 22 Dec 2005 18:54:48




> I honestly haven't tried this to completion, but would it be possible?
> All the commands seem to be there and I don't see anything to prevent this.

> What I was thinking...

> I have a friend that doesn't have spare hardware at the present time to
> install Solaris on for learning purposes.  If I were to grant him root
> access to one standard zone, it would seem he could create any zones
> within that zone.  Does anyone know of any limits here?  From my quick
> test, I'd suspect the zones are so versatile that any limits would be
> hardware related...and that's a lot of zones if John's site is any
> indication! (http://blogs.sun.com/roller/page/jclingan)

You can only create a zone from the global zone.
Also, you can nest zone root filesystems.

--
Andrew Gabriel

 
 
 


Post by Wes William » Thu, 22 Dec 2005 21:06:50



>>I honestly haven't tried this to completion, but would it be possible?

> No.

>>All the commands seem to be there and I don't see anything to prevent this.

> First of all there are the credentials to be dealt with, an administrator in a
> non-global zone can't influence the global zone (hint: it's all 1 kernel
> spawning several processes).

> And second...  Why not give it a try and you'll soon see for yourself.

Thanks for the insight.  After looking at it from that point I can see
some of the security concerns that would affect most Solaris users.

Just for fun, I'll probably try anyway later tonight.

 
 
 


Post by James Carlso » Thu, 22 Dec 2005 21:33:57



> > I have a friend that doesn't have spare hardware at the present time to
> > install Solaris on for learning purposes.  If I were to grant him root
> > access to one standard zone, it would seem he could create any zones
> > within that zone.  Does anyone know of any limits here?  From my quick
> > test, I'd suspect the zones are so versatile that any limits would be
> > hardware related...and that's a lot of zones if John's site is any
> > indication! (http://blogs.sun.com/roller/page/jclingan)

> You can only create a zone from the global zone.
> Also, you can nest zone root filesystems.

               ^ not

lofs, though, does work to share things; see "add fs" in zonecfg.

--

Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

 
 
 


Post by Andrew Gabri » Thu, 22 Dec 2005 21:46:12





>> > I have a friend that doesn't have spare hardware at the present time to
>> > install Solaris on for learning purposes.  If I were to grant him root
>> > access to one standard zone, it would seem he could create any zones
>> > within that zone.  Does anyone know of any limits here?  From my quick
>> > test, I'd suspect the zones are so versatile that any limits would be
>> > hardware related...and that's a lot of zones if John's site is any
>> > indication! (http://blogs.sun.com/roller/page/jclingan)

>> You can only create a zone from the global zone.
>> Also, you can nest zone root filesystems.
>                ^ not

Oops -- I would miss out the most important word in
the sentence, wouldn't I? ;-)

> lofs, though, does work to share things; see "add fs" in zonecfg.

--
Andrew Gabriel
 
 
 


Post by Wes William » Fri, 23 Dec 2005 07:44:04




>> And second...  Why not give it a try and you'll soon see for yourself.

> Thanks for the insight.  After looking at it from that point I can see
> some of the security concerns that would affect most Solaris users.

> Just for fun, I'll probably try anyway later tonight.

Ha!  That didn't take very long and was stopped much sooner than I
expected, which is good.

NOTE:  192.168.1.3 is already a zone in the global zone...

= = =

Password:
Last login: Tue Dec 20 19:17:57 2005 from 192.168.1.2
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# mkdir -p /zones/webzone
# zonecfg -z webzone
zonecfg can only be run from the global zone.
#
= = =
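
An added example, not part of any poster's message: a sketch of the supported route discussed in this thread, run from the global zone, which checks `zonename` first and then generates a `zonecfg` command file that shares one global-zone directory into a new zone through a read-only lofs `add fs` entry. The function names, the paths, and the guard against sharing a directory that lies under the zonepath are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and paths are constructed for illustration.

# Succeed only when the zone name is "global". With no argument the name is
# taken from zonename(1); if that command is missing the check fails closed.
in_global_zone() {
    zn=${1:-$(zonename 2>/dev/null || true)}
    [ "$zn" = "global" ]
}

# Print a zonecfg command file for a zone rooted at zonepath ($1) that mounts
# the global-zone directory special ($2) at dir ($3) inside the zone via lofs.
lofs_zone_commands() {
    zonepath=$1 special=$2 dir=$3
    for p in "$zonepath" "$special" "$dir"; do
        case $p in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
    done
    # This example's own sanity check: do not loop the zone's tree into itself.
    case $special/ in
        "$zonepath"/*) echo "special lies under zonepath" >&2; return 1 ;;
    esac
    cat <<EOF
create
set zonepath=$zonepath
add fs
set dir=$dir
set special=$special
set type=lofs
add options [ro,nodevices]
end
verify
commit
EOF
}

# Intended use in the global zone (constructed names):
#   in_global_zone || { echo "run this from the global zone" >&2; exit 1; }
#   lofs_zone_commands /zones/webzone /export/docs /docs > /tmp/webzone.cfg
#   zonecfg -z webzone -f /tmp/webzone.cfg
```
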

 
 
 


Post by Lion- » Fri, 23 Dec 2005 09:14:54


>> Just for fun, I'll probably try anyway later tonight.

> Ha!  That didn't take very long and was stopped much sooner than I expected,
> which is good.
> # zonecfg -z webzone
> zonecfg can only be run from the global zone.

That looks familiar indeed.

Been there and done that too, that's why I suggested doing it. Just don't tell
anyone else, ok ? ;-)

--
Groetjes, Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

 
 
 


Post by Wes William » Fri, 23 Dec 2005 09:21:03



>>>Just for fun, I'll probably try anyway later tonight.

>>Ha!  That didn't take very long and was stopped much sooner than I expected,
>>which is good.

>># zonecfg -z webzone
>>zonecfg can only be run from the global zone.

> That looks familiar indeed.

> Been there and done that too, that's why I suggested doing it. Just don't tell
> anyone else, ok ? ;-)

As always, thanks for all of your well-informed comments and suggestions
Lion-O.  You'd be surprised how often I find answers to my questions
using Google pointing to one of your prior posts on one of the many forums.
 
 
 

1. Creating a "zone" from another "zone" (from another "zone" (from another "zone" )) ...

Hi!

----

Is it possible to create a Solaris "zone" from another (=not the
"global" one) zone ?
For example: Can I create a zone for a user and permit the user to
create another bunch of zones which inherit from his current zone (and
that user permits his users to create their own "zones", too) ?

Example:

global_zone
   |
   |
   +--user_zone_1
         |
         |
         +-- user_zone_1__1
         |
         |
         |
         +--user_zone_1__2
         |     |
         |     |
         |     +--user_zone_1__2__1
         |     |     |
         |     |     |
         |     |     +--user_zone_1__2__1__1
         |     |     |
         |     .     .
         |     .     .
         |     .     .
         |     .
         |     .
         |
         |
         |
         +--user_zone_1__3
         |
         |
         .
         .
         .

----

Bye,
Roland

--
  __ .  . __

  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)
