[OmniOS-discuss] LX for OmniOS update

Peter Tribble peter.tribble at gmail.com
Sun Aug 14 19:04:54 UTC 2016


On Sun, Aug 14, 2016 at 6:27 PM, Dan McDonald <danmcd at omniti.com> wrote:

>
> > On Aug 14, 2016, at 1:20 PM, Michael Rasmussen <mir at miras.org> wrote:
> >
> > - All network configuration can be done outside the zone giving the
> >  opportunity to hand out LX zones to users with a locked down network
> >  configuration.
>
> That's naive.  An admin on even a SmartOS zone can invoke:
>
>         /native/sbin/ifconfig <stuff>
>
> and wreak havoc.  :)
>

Modulo any ip-spoofing protections in place.


> > - Admins can script everything and have total control of LX zones
>
> Also, by "admins" you mean "global zone admins", right?
>

It's unfortunate that the lx brand doesn't support shared-ip stacks.
I can't see whether there's a fundamental technical reason, but having
shared-ip does make it much easier to simply configure everything in
the global zone and prevent the zone fiddling with it.

The problem with exclusive-ip is that you can't manage it from the global
zone at all. If the zone isn't running, you obviously can't do anything, but
as soon as the zone is running (or even ready) it steals the interface away
so the global zone can do nothing.

(Docker networking behaves like traditional shared-ip, from what I can see.)

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/