By this, I mean running a single afsd (client) mounted at /afs/ in the
global zone, but also sharing it across local zones.
The tricks to this are:
- Use lofs to mount /afs/ within the zone
- Use a device resource and its match property to make /dev/afs available in the zone
Making /dev/afs available is only required if you want to perform pioctl-based actions, such as running fs or aklog. If read-only access to /afs/ is sufficient, /dev/afs is not required.
IMPORTANT NOTE on security
With no special precautions, a user's tokens are shared across all zones: there is one afsd, it has no notion of zones, and without a PAG it associates tokens with a numeric UID, so a process with the same UID in another zone sees the same tokens. In practice this means that you must use pagsh to obtain a PAG before acquiring tokens.
zonecfg example
Here’s an example of a zone where this works well as of OpenAFS 1.8.7 and OmniOSCE r151036:
$ zonecfg -z atest export
create -b
set zonepath=/zones/atest
set brand=lipkg
set autoboot=false
set limitpriv=default
set ip-type=exclusive
add fs
set dir="/opt/openafs"
set special="/opt/openafs"
set type="lofs"
add options ro,nodevices
end
add fs
set dir="/afs"
set special="/afs"
set type="lofs"
add options
end
add net
set physical="atest0"
set mac-addr="0:0:0f:0f:0f:0f"
set global-nic="private0"
end
add device
set match="/dev/afs"
end
add attr
set name="resolvers"
set type="string"
set value="4.2.2.1,8.8.8.8"
end
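The settings the note depends on can be checked mechanically against a zonecfg export. The script below is an added example, not part of the original note or of OpenAFS: it parses a zonecfg export (a constructed sample embedded inline, in the same shape as the one above) and reports whether /afs is an lofs fs resource, whether a device resource matches /dev/afs, and whether the /opt/openafs lofs mount carries ro,nodevices. The function names afs_zone_audit and audit_sample are my own.

```shell
#!/bin/sh
# Added example, not from the original note or from OpenAFS: audit a zonecfg
# export for the settings the note relies on. Function names are my own.

# Constructed sample zonecfg export, embedded so the script runs offline.
SAMPLE_ZONECFG='create -b
set zonepath=/zones/atest
set brand=lipkg
add fs
set dir="/opt/openafs"
set special="/opt/openafs"
set type="lofs"
add options ro,nodevices
end
add fs
set dir="/afs"
set special="/afs"
set type="lofs"
end
add device
set match="/dev/afs"
end'

# afs_zone_audit: read a zonecfg export on stdin, print NAME=yes|no for
# each check, and exit non-zero if any check fails.
#   afs_lofs    /afs is an fs resource of type lofs (shares the global afsd)
#   dev_afs     a device resource matches /dev/afs (needed for fs, aklog)
#   openafs_ro  /opt/openafs is lofs-mounted with ro,nodevices
afs_zone_audit() {
  awk '
    BEGIN { afs_lofs = "no"; dev_afs = "no"; openafs_ro = "no" }
    # Resource blocks run from "add <type>" to "end".
    /^add fs$/     { in_fs = 1; dir = ""; type = ""; opts = ""; next }
    /^add device$/ { in_dev = 1; next }
    in_fs && /^set dir=/    { sub(/^set dir=/, ""); gsub(/"/, ""); dir = $0; next }
    in_fs && /^set type=/   { sub(/^set type=/, ""); gsub(/"/, ""); type = $0; next }
    in_fs && /^add options/ { sub(/^add options */, ""); opts = $0; next }
    in_dev && /^set match=/ {
      sub(/^set match=/, ""); gsub(/"/, "")
      if ($0 == "/dev/afs") dev_afs = "yes"
      next
    }
    /^end$/ {
      if (in_fs) {
        if (dir == "/afs" && type == "lofs") afs_lofs = "yes"
        # Wrap the option list in commas so each option is matched whole.
        if (dir == "/opt/openafs" && type == "lofs" &&
            ("," opts ",") ~ /,ro,/ && ("," opts ",") ~ /,nodevices,/)
          openafs_ro = "yes"
      }
      in_fs = 0; in_dev = 0; next
    }
    END {
      printf "afs_lofs=%s\ndev_afs=%s\nopenafs_ro=%s\n", afs_lofs, dev_afs, openafs_ro
      if (afs_lofs != "yes" || dev_afs != "yes" || openafs_ro != "yes") exit 1
    }
  '
}

# audit_sample: run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_ZONECFG" | afs_zone_audit
}

# Live use on a host would be:  zonecfg -z atest export | afs_zone_audit
audit_sample
```

On a live host, pipe the output of `zonecfg -z atest export` into afs_zone_audit. A zone that fails the dev_afs check still reads /afs but cannot run aklog or fs inside the zone. The audit says nothing about the token-sharing issue above: obtaining a PAG with pagsh is a per-login discipline, not a zone setting, so it has to be enforced in login scripts rather than in zonecfg.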