Trusted Extensions Configuration and Administration

Exit Print View

Updated: July 2014
 
 

How to Share a ZFS Dataset From a Labeled Zone

In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.

At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state.

Before You Begin

To configure the zone with the dataset, you must first halt the zone. You must be in the root role in the global zone.

  1. Create the ZFS dataset.
    # zfs create datasetdir/subdir

    The name of the dataset can include a directory, such as zone/data.

  2. In the global zone, halt the labeled zone.
    # zoneadm -z labeled-zone-name halt
  3. Set the mount point of the dataset.
    # zfs set mountpoint=legacy datasetdir/subdir

    Setting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone.

  4. Enable the dataset to be shared.
    # zfs set sharenfs=on datasetdir/subdir
  5. Add the dataset to the zone as a file system.
    # zonecfg -z labeled-zone-name
    # zonecfg:labeled-zone-name> add fs
    # zonecfg:labeled-zone-name:dataset> set dir=/subdir
    # zonecfg:labeled-zone-name:dataset> set special=datasetdir/subdir
    # zonecfg:labeled-zone-name:dataset> set type=zfs
    # zonecfg:labeled-zone-name:dataset> end
    # zonecfg:labeled-zone-name> exit

    By adding the dataset as a file system, the dataset is mounted at /data in the zone. This step ensures that the dataset is not mounted before the zone is booted.

  6. Boot the labeled zone.
    # zoneadm -z labeled-zone-name boot

    When the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone.

Example 13-4  Sharing and Mounting a ZFS Dataset From Labeled Zones

In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.

First, the administrator halts the zone.

# zoneadm -z needtoknow halt

Because the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.

# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data

Then, the administrator shares the dataset.

# zfs set sharenfs=on zone/data

Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.

# zonecfg -z needtoknow
# zonecfg:needtoknow> add fs
# zonecfg:needtoknow:dataset> set dir=/data
# zonecfg:needtoknow:dataset> set special=zone/data
# zonecfg:needtoknow:dataset> set type=zfs
# zonecfg:needtoknow:dataset> end
# zonecfg:needtoknow> exit

Next, the administrator boots the needtoknow zone.

# zoneadm -z needtoknow boot

The dataset is now accessible.

Users in the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, machine1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.

# cd /net/machine1/zone/needtoknow/root/data

Troubleshooting

If the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command.