By this, I mean running a single afsd (client) mounted at /afs/ in the global zone, but also sharing it across local zones.

The tricks to this are:

  1. Use lofs to mount /afs/ within the zone
  2. Use a device resource and its match property to make /dev/afs available in the zone

Making /dev/afs available is only required if you want to perform pioctl-based actions, such as using fs or aklog. If read-only /afs/ is sufficient, /dev/afs is not required.

IMPORTANT NOTE on security

With no special precautions, a user’s tokens are shared across all zones. Essentially, this means that you must use pagsh to obtain a PAG before acquiring tokens.

zonecfg example

Here’s an example of a zone where this works well as of OpenAFS 1.8.7 and OmniOSCE r151036:

$ zonecfg -z atest export
create -b
set zonepath=/zones/atest
set brand=lipkg
set autoboot=false
set limitpriv=default
set ip-type=exclusive
add fs
set dir="/opt/openafs"
set special="/opt/openafs"
set type="lofs"
add options ro,nodevices
add fs
set dir="/afs"
set special="/afs"
set type="lofs"
add options 
add net
set physical="atest0"
set mac-addr="0:0:0f:0f:0f:0f"
set global-nic="private0"
add device
set match="/dev/afs"
add attr
set name="resolvers"
set type="string"
set value=","