Access to NFS Mounted File Systems in Trusted Extensions

To make lower-level directories that are NFS-mounted visible to users in a higher-level zone, requires the following preparation:

• Server configuration – On the NFS server, you export the ZFS file system by setting its share properties. For the procedure, see How to Share File Systems From a Labeled Zone.

• Client configuration – The net_mac_aware privilege must be specified in the zone configuration file that is used during initial zone configuration. So, a user who is permitted to view all lower-level home directories must have the net_mac_aware privilege in every zone, except the lowest zone. For an example, see How to NFS Mount Files in a Labeled Zone.

Home Directory Creation in Trusted Extensions

Home directories are a special case in Trusted Extensions. You need to make sure that the home directories are created in every zone that a user can use. Also, the home directory mount points must be created in the zones on the user's system. For NFS-mounted home directories to work correctly, the conventional location for directories, /export/home, must be used. In Trusted Extensions, the automounter has been modified to handle home directories in every zone, that is, at every label. For details, see Changes to the Automounter in Trusted Extensions.

Home directories are created when users are created. However, the home directories are created in the global zone of the home directory server. On that server, the directories are mounted by LOFS. Home directories are automatically created by the automounter if they are specified as LOFS mounts.

However, the automounter cannot automatically create home directories on remote NFS servers. Either the user must first log in to the NFS server or administrative intervention is required. To create home directories for users, see How to Enable Users to Access Their Remote Home Directories at Every Label by Logging In to Each NFS Server.

Changes to the Automounter in Trusted Extensions

In Trusted Extensions, each label requires a separate home directory mount. The automount command has been modified to handle these labeled automounts. For each zone, the automounter, autofs, mounts an auto_home_zone-name file. For example, the following is the entry for the global zone in the auto_home_global file:

+auto_home_global
*       -fstype=lofs    :/export/home/&

When a zone that permits lower-level zones to be mounted is booted, the following occurs. The home directories of lower-level zones are mounted read only under /zone/zone-name/export/home. The auto_home_zone-name map specifies the /zone path as the source directory for an lofs remount onto /zone/zone-name/home/username.

For example, the following is an auto_home_public entry in an auto_home_zone-at-higher-level map that is generated from a higher-level zone:

+auto_home_public
*   public-zone-IP-address:/export/home/&

The txzonemgr script sets up this PUBLIC entry in the auto_master file in the global zone:

+auto_master
/net        -hosts        -nosuid,nobrowse
/home        auto_home    -nobrowse
/zone/public/home      auto_home_public      -nobrowse

When a home directory is referenced and the name does not match any entries in the auto_home_zone-name map, the map tries to match this loopback mount specification. The software creates the home directory when the following two conditions are met:

1. The map finds the match of the loopback mount specification

2. The home directory name matches a valid user whose home directory does not yet exist in zone-name

For details on changes to the automounter, see the automount(1M) man page.