8.2.6 Understanding the zoned Property

When a dataset is added to a non-global zone, it must be specially marked so that certain properties are not interpreted within the context of the global zone. Once a dataset has been added to a non-global zone under the control of a zone administrator, its contents can no longer be trusted. As with any filesystem, there may be setuid binaries, symbolic links, or otherwise questionable contents that may adversely affect the security of the global zone. In addition, the mountpoint property cannot be interpreted in the context of the global zone, or else the zone administrator could affect the global zone's namespace. To address the latter, ZFS uses the zoned property to indicate that a dataset has been delegated to a non-global zone at one point in time.

The zoned property is a boolean value that is automatically turned on when a zone containing a ZFS dataset is first booted. An administrator should never need to manually turn this property on. If the zoned property is set, the dataset cannot be mounted or shared in the global zone, and is ignored when the zfs share -a command or the zfs mount -a command is executed. In the following example, tank/zone/zion has been added to a zone, while tank/zone/global has not:

# zfs list -o name,zoned,mountpoint -r tank/zone
NAME                  ZONED  MOUNTPOINT
tank/zone/global        off  /tank/zone/global
tank/zone/zion           on  /tank/zone/zion
# zfs mount
tank/zone/global           /tank/zone/global
tank/zone/zion             /export/zone/zion/root/tank/zone/zion

Note the difference between the mountpoint property and the directory where the tank/zone/zion dataset is currently mounted. The mountpoint property reflects the property as stored on disk, not where it is currently mounted on the system.

When a dataset is removed from a zone or a zone is destroyed, the zoned property is not automatically cleared. This is due to the inherent security risks associated with these tasks. Since an untrusted user has had complete access to the dataset and its children, the mountpoint property may be set to bad values, or setuid binaries may exist on the filesystems.

In order to prevent accidental security risks, the zoned property must be manually cleared by the administrator if you want to reuse the dataset in any way. Before setting the zoned property to off, you should make sure that the mountpoint property for the dataset and all its children is set to reasonable values, and that no setuid binaries exist (or turn the setuid property off).

Once you have verified that there are no security vulnerabilities left, the zoned property can be turned off with the zfs set or zfs inherit commands. If the zoned property is turned off while a dataset is in use within a zone, the system might behave in unpredictable ways -- only change the property if you are sure the dataset is no longer in use by a non-global zone.
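The following shell script is an added example and is not part of the ZFS Administration Guide. It carries out the checks described above before the zoned property is cleared: it reads the stored mountpoint, setuid and zoned properties of a dataset and all of its children, flags any mountpoint that points outside the directory the dataset is expected to live under, flags any dataset that still honours setuid binaries, and only then runs zfs set zoned=off. The dataset name tank/zone/zion, the expected prefix /tank/zone/zion and the function names are assumptions; the sample listings are constructed, not real system output.

```shell
#!/bin/sh
# Added example, not from the ZFS Administration Guide: audit a dataset
# that has been removed from a zone before its zoned property is cleared.
# Dataset names, the expected mountpoint prefix and the function names
# are assumptions made for the example.

# audit_zoned_dataset PREFIX
# Reads the tab-separated output of
#   zfs list -H -r -o name,mountpoint,setuid,zoned DATASET
# on stdin. Flags every dataset whose stored mountpoint property lies
# outside PREFIX (a zone administrator could have pointed it at a global
# zone directory) and every dataset that still honours setuid binaries.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_zoned_dataset() {
    prefix="$1"
    awk -F '\t' -v prefix="$prefix" '
        # mountpoint must be legacy, none, the prefix itself, or below it
        $2 != "legacy" && $2 != "none" && $2 != prefix && index($2, prefix "/") != 1 {
            printf "%s: mountpoint %s is outside %s\n", $1, $2, prefix
            bad = 1
        }
        # setuid binaries left behind by the zone must not be honoured;
        # either remove them or run: zfs set setuid=off DATASET
        $3 == "on" {
            printf "%s: setuid is still on\n", $1
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# reclaim_dataset DATASET PREFIX
# Runs the audit against the live system and clears zoned only if it
# passes. Only meaningful in the global zone once the zone no longer
# uses the dataset.
reclaim_dataset() {
    ds="$1"; prefix="$2"
    zfs list -H -r -o name,mountpoint,setuid,zoned "$ds" \
        | audit_zoned_dataset "$prefix" || return 1
    zfs set zoned=off "$ds"
}

# Constructed sample input (not real system output), in the layout that
# zfs list -H produces: name, mountpoint, setuid, zoned, tab separated.
SAMPLE_SAFE=$(printf 'tank/zone/zion\t/tank/zone/zion\toff\ton\ntank/zone/zion/home\t/tank/zone/zion/home\toff\ton')
SAMPLE_BAD=$(printf 'tank/zone/zion\t/tank/zone/zion\toff\ton\ntank/zone/zion/etc\t/etc\ton\ton')

# On a real system: reclaim_dataset tank/zone/zion /tank/zone/zion
# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_BAD" | audit_zoned_dataset /tank/zone/zion \
    || echo "not safe to clear zoned yet"
```

The audit reads the mountpoint property as stored on disk, which is what matters here: as noted above, it is the stored value, not the path the dataset happened to be mounted at inside the zone, that the global zone would interpret once zoned is cleared.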

8.3 ZFS Alternate Root Pools

When creating pools, the pool is intrinsically tied to the host system. The host system keeps knowledge about the pool, so that it can detect when the pool is otherwise unavailable. While useful for normal operation, this can prove a hindrance when booting from alternate media, or creating a pool on removable media. To solve this problem, ZFS has the notion of an 'alternate root' pool. An alternate root pool does not persist across system reboots, and all mountpoints are modified to be relative to the root of the pool.

8.3.1 Creating ZFS Alternate Root Pools

The most common use for creating an alternate root pool is for use on removable media. In these circumstances, the user typically wants a single filesystem, and they want it to be mounted wherever they choose on the target system. When an alternate root pool is created using the -R option, the mount point of the root filesystem is automatically set to /, which is the equivalent of the alternate root itself.

# zpool create -R /mnt morpheus c0t0d0
# zfs list morpheus
NAME                   USED  AVAIL  REFER  MOUNTPOINT
morpheus              32.5K  33.5G     8K  /mnt/morpheus

Note that there is a single filesystem (morpheus) whose mount point is the alternate root of the pool, /mnt. It is important to note that the mount point as stored on disk is really /, and that the full path to /mnt is interpreted only by nature of the alternate root. This filesystem can then be exported and imported under an arbitrary alternate root on a different system.

8.3.2 Importing Alternate Root Pools

Pools can also be imported using an alternate root. This allows for recovery situations, where the mount points should not be interpreted in the context of the current root, but under some temporary directory where repairs can be performed. This also can be used when mounting removable media as described above. The usage is similar to the create case:

# zpool import -R /mnt morpheus
# zpool list morpheus
NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
morpheus               33.8G   68.0K   33.7G     0%  ONLINE     /mnt
# zfs list morpheus
NAME                   USED  AVAIL  REFER  MOUNTPOINT
morpheus              32.5K  33.5G     8K  /mnt/morpheus
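The shell script below is an added example, not part of the ZFS Administration Guide, that wraps the recovery use of zpool import -R described in this section and the removable-media case from 8.3.1. It first checks that the alternate root is an existing, empty directory (importing under a populated directory would hide that directory's contents behind the pool's mounts), then imports the pool under it, runs a repair command against the alternate root, and exports the pool again so that nothing about the import persists. The pool name morpheus comes from the listing above; the function names and the repair command are assumptions.

```shell
#!/bin/sh
# Added example, not from the ZFS Administration Guide: import a pool under
# an alternate root for repair, run a repair command, then export it.
# The function names and the repair command are assumptions.

# check_altroot DIR
# Refuse an alternate root that is not an existing, empty, absolute
# directory: a relative path would be interpreted against the current
# working directory, and a populated directory would be hidden behind
# the pool's mounts for the duration of the import.
check_altroot() {
    altroot="$1"
    case "$altroot" in
        /*) ;;
        *)  echo "altroot must be an absolute path: $altroot" >&2; return 1 ;;
    esac
    [ -d "$altroot" ] || { echo "altroot is not a directory: $altroot" >&2; return 1; }
    if [ -n "$(ls -A "$altroot")" ]; then
        echo "altroot is not empty: $altroot" >&2
        return 1
    fi
    return 0
}

# repair_under_altroot POOL ALTROOT COMMAND [ARGS...]
# Imports POOL with its mount points interpreted relative to ALTROOT,
# runs COMMAND with ALTROOT appended as its last argument, and exports
# the pool afterwards whether or not the repair succeeded. The alternate
# root is not persisted, so the pool is clean for the next import.
repair_under_altroot() {
    pool="$1"; altroot="$2"; shift 2
    check_altroot "$altroot" || return 1
    zpool import -R "$altroot" "$pool" || return 1
    "$@" "$altroot"
    status=$?
    zpool export "$pool"
    return $status
}

# Example invocation on a real system (fix_passwd.sh is a hypothetical
# repair script that edits files under the alternate root):
#   repair_under_altroot morpheus /mnt sh fix_passwd.sh
```

With zpool import -R /mnt morpheus, the pool's own mount points stay as stored on disk; only the running system prepends /mnt, which is why the repair command receives the alternate root rather than a fixed path.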

8.4 ZFS Rights Profiles

If you want to perform ZFS management tasks without using the superuser (root) account, you need to assume a role with either of the following profiles:

  • ZFS Storage Management - Ability to create, destroy, and manipulate devices within a ZFS storage pool

  • ZFS Filesystem Management - Ability to create, destroy, and modify ZFS filesystems

For more information about creating or assigning roles, see System Administration Guide: Security Services.
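As an added example that is not part of the ZFS Administration Guide, the following shell function lists which accounts and roles in the user_attr(4) database carry either of the two ZFS rights profiles named above, so that an administrator can periodically verify that pool and filesystem administration is confined to the intended roles. It reads user_attr-formatted lines on standard input; the sample lines embedded in the script are constructed, and the role and user names in them are invented for the example.

```shell
#!/bin/sh
# Added example, not from the ZFS Administration Guide: report every
# user_attr(4) entry that holds a ZFS rights profile. The sample entries
# below are constructed; the role and user names are invented.

# The two profiles named in the guide, as an awk alternation.
ZFS_PROFILES='ZFS Storage Management|ZFS Filesystem Management'

# zfs_profile_holders
# Reads user_attr lines (user:qualifier:res1:res2:attr) on stdin and
# prints "name type profile" for each ZFS profile assigned directly to
# a user or role. Entries of type=role are where the profiles should
# normally live; a type=normal hit means an ordinary login holds the
# profile without having to assume a role.
zfs_profile_holders() {
    awk -F: -v want="$ZFS_PROFILES" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            type = "normal"; profiles = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^type=/)     type = substr(kv[i], 6)
                if (kv[i] ~ /^profiles=/) profiles = substr(kv[i], 10)
            }
            m = split(profiles, p, ",")
            for (i = 1; i <= m; i++)
                if (p[i] ~ "^(" want ")$") print $1, type, p[i]
        }'
}

# Constructed user_attr sample: a role carrying both profiles, a user
# who may assume that role, and a user holding one profile directly.
SAMPLE_USER_ATTR='# constructed sample, not a real user_attr file
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
zfsadm::::type=role;profiles=ZFS Storage Management,ZFS Filesystem Management
alice::::type=normal;roles=zfsadm
bob::::type=normal;profiles=ZFS Filesystem Management,Basic Solaris User'

# On a real system: zfs_profile_holders < /etc/user_attr
printf '%s\n' "$SAMPLE_USER_ATTR" | zfs_profile_holders
```

In the constructed sample the report names the zfsadm role twice (once per profile) and bob once; alice does not appear because she only has the right to assume the role, which is the arrangement this section describes.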
