By this, I mean running a single afsd (client) mounted at /afs/ in the global zone, but also sharing it across local zones.
The tricks to this are:
- Use an fs resource (lofs) to mount /afs/ within the zone
- Use a device resource and its match property to make /dev/afs available in the zone
Making /dev/afs available is only required if you want to perform pioctl-based actions, such as using aklog. If read-only /afs/ is sufficient, /dev/afs is not required.
IMPORTANT NOTE on security
With no special precautions, a user's tokens are shared across all zones. Essentially, this means that you must use pagsh to obtain a PAG before acquiring tokens.
Here's an example of a zone where this works well as of OpenAFS 1.8.7 and OmniOSCE r151036:
$ zonecfg -z atest export
create -b
set zonepath=/zones/atest
set brand=lipkg
set autoboot=false
set limitpriv=default
set ip-type=exclusive
add fs
set dir="/opt/openafs"
set special="/opt/openafs"
set type="lofs"
add options ro,nodevices
end
add fs
set dir="/afs"
set special="/afs"
set type="lofs"
add options
end
add net
set physical="atest0"
set mac-addr="0:0:0f:0f:0f:0f"
set global-nic="private0"
end
add device
set match="/dev/afs"
end
add attr
set name="resolvers"
set type="string"
set value="126.96.36.199,188.8.131.52"
end
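As an added example (not part of the original post, and not an OpenAFS or OmniOS tool), here is a small POSIX sh audit that parses zonecfg export output in the format shown above and reports whether a zone gets the shared /afs/ mount and whether it also gets /dev/afs. Zones in the second category can run aklog against the single afsd and therefore share its token space with every other zone, which is exactly where the pagsh rule above applies. The zone name and the sample export below are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a zone's zonecfg export for the two resources the
# shared-afsd setup depends on. Not part of OpenAFS or OmniOS.

# afs_zone_audit: reads "zonecfg -z ZONE export" text on stdin and prints
#   shared-rw   /afs lofs mount present and /dev/afs delegated (pioctl works,
#               so tokens can be acquired; users must use pagsh)
#   shared-ro   /afs lofs mount present, no /dev/afs (read-only access only)
#   no-afs      no /afs mount in this zone
afs_zone_audit() {
  awk '
    # strip "set key=" and surrounding quotes from a set line
    function val(line,  v) { v = line; sub(/^set [a-z-]+=/, "", v); gsub(/"/, "", v); return v }
    # "add <resource>" opens a block closed by "end"; "add options" is an
    # attribute inside an fs block, not a block of its own
    /^add / && $2 != "options" { res = $2; dir = ""; type = ""; match_ = "" }
    /^set dir=/   { dir = val($0) }
    /^set type=/  { type = val($0) }
    /^set match=/ { match_ = val($0) }
    /^end$/ {
      if (res == "fs" && dir == "/afs" && type == "lofs") afs = 1
      if (res == "device" && match_ == "/dev/afs") dev = 1
      res = ""
    }
    END {
      if (!afs) print "no-afs"
      else if (dev) print "shared-rw"
      else print "shared-ro"
    }
  '
}

# audit_zone ZONE: run the audit against a live zone from the global zone
audit_zone() { zonecfg -z "$1" export | afs_zone_audit; }

# sample_export: constructed export text modelled on the post (not real output)
sample_export() {
  cat <<'EOF'
create -b
set zonepath=/zones/atest
add fs
set dir="/opt/openafs"
set special="/opt/openafs"
set type="lofs"
add options ro,nodevices
end
add fs
set dir="/afs"
set special="/afs"
set type="lofs"
end
add device
set match="/dev/afs"
end
EOF
}
```

Running audit_zone over every zone listed by zoneadm gives the set of zones whose users must be told to obtain a PAG before kinit/aklog.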