Lower-level directories can be made visible to users in a higher-level zone. The NFS server for the lower-level directories can be a Trusted Extensions system or an untrusted system.
If the server is a Trusted Extensions system, the configuration is done on the server. If the server is untrusted, the configuration is done on the Trusted Extensions client.
NFS server configuration on a trusted system – To make lower-level directories from a trusted system visible in a labeled zone, you must configure the server.
In the global zone on the NFS server, you must configure the NFS service as a multilevel service.
From the global zone, you must add the net_bindmlp privilege to the limitpriv privilege set of the labeled zone.
In the labeled zone, you export the ZFS file system by setting its share properties. When the status of the labeled zone is running, the file system is shared at the label of the zone. For the procedure, see How to Share File Systems From a Labeled Zone.
NFS client configuration for an untrusted NFS server – Because the server is not trusted to label its data, the Trusted Extensions client must enforce the policy itself, and it does so only where the net_mac_aware privilege has been granted. The net_mac_aware privilege must be specified in the zone configuration file that is used during initial zone configuration. In addition, a user who is permitted to view all lower-level home directories must have the net_mac_aware privilege in every zone except the lowest zone, which has no lower-level directories to view. For an example, see How to NFS Mount Files in a Labeled Zone.
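The two procedures above, scripted from the global zone of the Trusted Extensions system. This is an added example, not a procedure copied from the Trusted Extensions documentation: the zone name public, the dataset rpool/export/home, the share name home, the user alice and the server name untrusted-nfs are assumptions, as is the statement that 2049/tcp is already a multilevel port of the global zone on a default install. With TX_DRY_RUN=1 the script prints the commands instead of running them, which is how it can be exercised on a host that has no zonecfg or tncfg.

```shell
#!/bin/sh
# Added example, not a procedure from the Trusted Extensions documentation.
# Zone "public", dataset rpool/export/home, share "home", user "alice" and the
# server name "untrusted-nfs" are assumptions. TX_DRY_RUN=1 prints instead of runs.
set -u

run() {
    if [ "${TX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: the NFS server is this Trusted Extensions system.
# trusted_server ZONE DATASET SHARE_PATH
trusted_server() {
    zone=$1 ds=$2 spath=$3
    # Assumption: 2049/tcp (NFSv4) is already a private multilevel port of the
    # global zone on a default install; NFSv3 over UDP needs 2049/udp added too.
    run tncfg -z global add mlp_private=2049/udp
    run svcadm enable svc:/network/nfs/server:default
    # limitpriv is read when the zone boots, hence the reboot.
    run zonecfg -z "$zone" set limitpriv=default,net_bindmlp
    run zoneadm -z "$zone" reboot
    # Inside the labeled zone: set the share properties, then enable sharing.
    # The file system is exported at the zone's label.
    run zlogin "$zone" zfs set share=name=home,path="$spath",prot=nfs "$ds"
    run zlogin "$zone" zfs set sharenfs=on "$ds"
}

# What to check afterwards: the global zone's MLPs, the zone's limit set, the shares.
check_trusted_server() {
    run tncfg -z global info mlp_private
    run zonecfg -z "$1" info limitpriv
    run zlogin "$1" share
}

# Case 2: the NFS server is untrusted. The client zone carries net_mac_aware, and
# so does each user who reads lower-level data through it (every zone but the lowest).
# untrusted_client ZONE SERVER REMOTE_PATH USER
untrusted_client() {
    zone=$1 server=$2 rpath=$3 user=$4
    run zonecfg -z "$zone" set limitpriv=default,net_mac_aware
    run zoneadm -z "$zone" reboot
    # Run where the user accounts are administered.
    run usermod -K defaultpriv=basic,net_mac_aware "$user"
    # Read-only: data from below the zone's label is never writable.
    run zlogin "$zone" mount -F nfs -o ro "$server:$rpath" /mnt
}
```

Run `TX_DRY_RUN=1 sh script.sh` after adding a call such as `trusted_server public rpool/export/home /export/home` to review the sequence before executing it as root in the global zone; the reboot steps interrupt the zone, so schedule them.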
Home directories are a special case in Trusted Extensions.
You need to make sure that the home directories are created in every zone that a user can use.
Also, the home directory mount points must be created in the zones on the user's system.
For NFS-mounted home directories to work correctly, the conventional location for directories, /export/home, must be used.
In Trusted Extensions, the automounter has been modified to handle home directories in every zone, that is, at every label. For details, see Changes to the Automounter in Trusted Extensions.
Home directories are created when users are created, but only in the global zone of the home directory server. On that server, the labeled zones reach the directories through LOFS mounts, and the automounter creates a user's home directory in a zone automatically when the map entry specifies an LOFS mount.
However, the automounter cannot automatically create home directories on remote NFS servers. Either the user must first log in to the NFS server or administrative intervention is required. To create home directories for users, see How to Enable Users to Access Their Remote Home Directories at Every Label by Logging In to Each NFS Server.
In Trusted Extensions, each label requires a separate home directory mount. The automount command has been modified to handle these labeled automounts. For each zone, the automounter, autofs, mounts an auto_home_zone-name file. For example, the following is the entry for the global zone in the auto_home_global file:
+auto_home_global
* -fstype=lofs :/export/home/&
When a zone that is permitted to mount lower-level zones is booted, the home directories of each lower-level zone are mounted read-only under /zone/zone-name/export/home, where zone-name is the lower-level zone. The auto_home_zone-name map for that lower-level zone then names the /zone path as the source directory for an lofs remount onto /zone/zone-name/home/username.
For example, the following is the auto_home_public map for the public zone, as generated in a zone at a higher label:
+auto_home_public
* public-zone-IP-address:/export/home/&
The txzonemgr script sets up this PUBLIC entry in the auto_master file in the global zone:
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
/zone/public/home auto_home_public -nobrowse
When a home directory is referenced and the name does not match any explicit entry in the auto_home_zone-name map, the wildcard loopback mount specification is tried. The software creates the home directory when the following two conditions are met:
The map finds the match of the loopback mount specification
The home directory name matches a valid user whose home directory does not yet exist in zone-name
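To see the map lookup described above at work, the following added example (not part of the Trusted Extensions documentation) constructs an auto_master and two auto_home maps in the format shown on this page and resolves a user through them by hand: an exact key wins, otherwise the "*" entry applies with "&" replaced by the user name, and the /zone/zone-name/home entry in auto_master selects the per-zone map. The zone public, the users alice and bob, the explicit bob entry and the address 10.0.0.5 are assumptions; the maps are written to a temporary directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions documentation: walk the labeled
# automounter maps by hand. Map contents are constructed; zone "public", users
# "alice" and "bob" and the address 10.0.0.5 are assumptions.
set -u

MAPDIR=${MAPDIR:-$(mktemp -d)}     # stands in for /etc in the global zone

# auto_master as txzonemgr sets it up in the global zone, one entry per line.
cat >"$MAPDIR/auto_master" <<'EOF'
+auto_master
/net              -hosts           -nosuid,nobrowse
/home             auto_home        -nobrowse
/zone/public/home auto_home_public -nobrowse
EOF

# Global zone home map: loopback-mount /export/home/<user> onto /home/<user>.
# The explicit "bob" line is constructed to show that an exact key beats "*".
cat >"$MAPDIR/auto_home_global" <<'EOF'
+auto_home_global
bob -fstype=lofs :/export/home2/bob
* -fstype=lofs :/export/home/&
EOF

# Map for the lower-level zone "public", as generated in a higher-level zone.
cat >"$MAPDIR/auto_home_public" <<'EOF'
+auto_home_public
* 10.0.0.5:/export/home/&
EOF

# master_map MOUNTPOINT: the map auto_master names for MOUNTPOINT (empty if none).
master_map() {
    awk -v mp="$1" '!/^[+#]/ && $1 == mp { print $2; exit }' "$MAPDIR/auto_master"
}

# resolve_entry MAPFILE KEY: the "[options] location" the automounter uses for KEY.
# An exact key wins; otherwise the first "*" entry applies, with every "&" in its
# location replaced by KEY. "+map" lines pull in an external map and are skipped.
resolve_entry() {
    awk -v key="$2" '
        function entry(   loc) {
            loc = $NF
            gsub(/&/, key, loc)
            if ($2 ~ /^-/) return $2 " " loc
            return loc
        }
        /^[+#]/ || NF == 0 { next }
        $1 == key          { print entry(); done = 1; exit }
        $1 == "*" && !seen { wild = entry(); seen = 1 }
        END                { if (!done && seen) print wild }' "$1"
}

# home_source ZONE USER: "<location> -> <mount point>" for USER's home directory
# as seen from a higher-level zone, via the /zone/ZONE/home entry in auto_master.
home_source() {
    mp=/zone/$1/home
    map=$(master_map "$mp")
    if [ -z "$map" ]; then
        echo "no auto_master entry for $mp: zone $1 is not mounted here" >&2
        return 1
    fi
    printf '%s -> %s/%s\n' "$(resolve_entry "$MAPDIR/$map" "$2")" "$mp" "$2"
}

home_source public alice    # prints: 10.0.0.5:/export/home/alice -> /zone/public/home/alice
```

Point MAPDIR at a directory holding copies of a real system's auto_master and auto_home_* files to check which entry a given user name would hit in a given zone before relying on the automounter to create the directory.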
For details on changes to the automounter, see the automount(1M) man page.