Solaris Trusted Extensions Administrator's Procedures

How to Share Directories From a Labeled Zone

As in the Solaris OS, the Mounts and Shares tool in the Solaris Management Console is used to share and mount files from the global zone. The tool cannot be used to mount or share directories that originate in labeled zones. Create a dfstab file at the label of the zone, and then restart the zone to share the labeled directories.


Caution –

Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


Before You Begin

You must be superuser, or in the System Administrator role in the global zone on the file server.

  1. Create a workspace at the label of the directory that is going to be shared.

    For details, see How to Add a Workspace at a Particular Label in Solaris Trusted Extensions User’s Guide.

  2. Create a dfstab file at the label of that zone.

    For each zone that will share a directory, repeat the following steps:

    1. Create the /etc/dfs directory in the zone.


      # mkdir -p /zone/zone-name/etc/dfs
      
    2. Open the trusted editor.

      For details, see How to Edit Administrative Files in Trusted Extensions.

    3. Type the full pathname of the dfstab file into the editor.


      # /zone/zone-name/etc/dfs/dfstab
    4. Add an entry to share a directory from that zone.

      The entry describes the directory from the perspective of the zone root path. For example, the following entry shares an application's files at the label of the containing zone:


      share -F nfs -o ro /viewdir/viewfiles
      
  3. For each zone, share the directories by starting the zone.

    In the global zone, run one of the following commands for each zone. Each zone can share its directories in any of these ways. The actual sharing occurs when each zone is brought into the ready or running state.

    • If the zone is not in the running state and you do not want users to log in to the server at the label of the zone, set the zone state to ready.


      # zoneadm -z zone-name ready
    • If the zone is not in the running state and users are allowed to log in to the server at the label of the zone, boot the zone.


      # zoneadm -z zone-name boot
    • If the zone is already running, reboot the zone.


      # zoneadm -z zone-name reboot
  4. Display the directories that are shared from your system.


    # showmount -e
    
  5. To enable the client to mount the exported files, see How to NFS Mount Files in a Labeled Zone.


Example 17–2 Sharing the /export/share Directory at the PUBLIC Label

For applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/share directory of the public zone. The zone named public runs at the label PUBLIC.

First, the administrator creates a public workspace and edits the dfstab file.


# mkdir -p /zone/public/etc/dfs
# /usr/dt/bin/trusted_edit /zone/public/etc/dfs/dfstab

In the file, the administrator adds the following entry:


## Sharing PUBLIC user manuals
share -F nfs -o ro /export/appdocs

The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this system, the administrator shares the files by putting the zone in the ready state:


# zoneadm -z public ready

Users can access the shared directories once the directories are mounted on the users' systems.
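
The following audit script is an added example, not part of the Solaris documentation. It reads each labeled zone's etc/dfs/dfstab under the zone root directory and flags share entries whose path contains a name from a site-defined pattern (the concern in the caution above) or that are not shared with plain ro as in this procedure's entries. The pattern, the internal zone, and its entries are constructed for illustration, and treating any option string other than plain ro as needing review is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit dfstab files of labeled zones before the zones are started.
# audit_dfstab BASE PATTERN
#   BASE:    directory that holds the zone roots (/zone on the file server)
#   PATTERN: lowercase extended regex of names that must not appear in a
#            share path (hypothetical, site-defined)
# Prints one line per share entry: zone|path|options|verdict
audit_dfstab() {
    base=$1 pattern=$2
    for f in "$base"/*/etc/dfs/dfstab; do
        [ -f "$f" ] || continue
        zone=${f#"$base"/}; zone=${zone%%/*}
        awk -v zone="$zone" -v pat="$pattern" '
            $1 != "share" { next }      # skip comments and blank lines
            {
                opts = "none"
                for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
                path = $NF              # the pathname is the last argument
                verdict = "ok"
                # Assumption: anything other than plain ro needs review.
                if (("," opts ",") !~ /,ro,/) verdict = "not-read-only"
                # Share names are visible to every user, so check them.
                if (tolower(path) ~ pat) verdict = "name-exposed"
                print zone "|" path "|" opts "|" verdict
            }' "$f"
    done
}

# Constructed sample tree: the public zone entry from Example 17-2 plus a
# made-up "internal" zone with two entries that should be flagged.
make_sample_zones() {
    d=$(mktemp -d)
    mkdir -p "$d/public/etc/dfs" "$d/internal/etc/dfs"
    printf '%s\n' '## Sharing PUBLIC user manuals' \
        'share -F nfs -o ro /export/appdocs' > "$d/public/etc/dfs/dfstab"
    printf '%s\n' 'share -F nfs -o ro /export/projectx-roadmap' \
        'share -F nfs -o rw /export/scratch' > "$d/internal/etc/dfs/dfstab"
    printf '%s\n' "$d"
}

# Run the audit against the constructed sample.
sample=$(make_sample_zones)
audit_dfstab "$sample" 'projectx|acme'
rm -rf "$sample"
```

On the file server, the same function can be run from the global zone as `audit_dfstab /zone 'pattern'` before the zones are brought into the ready or running state.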