In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.
At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state.
Before You Begin
To configure the zone with the dataset, you must first halt the zone. You must be in the root role in the global zone.
# zfs create datasetdir/subdir
The name of the dataset can include a directory, such as zone/data.
# zoneadm -z labeled-zone-name halt
# zfs set mountpoint=legacy datasetdir/subdir
Setting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone.
# zfs set sharenfs=on datasetdir/subdir
# zonecfg -z labeled-zone-name
# zonecfg:labeled-zone-name> add fs
# zonecfg:labeled-zone-name:dataset> set dir=/subdir
# zonecfg:labeled-zone-name:dataset> set special=datasetdir/subdir
# zonecfg:labeled-zone-name:dataset> set type=zfs
# zonecfg:labeled-zone-name:dataset> end
# zonecfg:labeled-zone-name> exit
By adding the dataset as a file system, the dataset is mounted at /data in the zone. This step ensures that the dataset is not mounted before the zone is booted.
# zoneadm -z labeled-zone-name boot
When the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone.
In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.
First, the administrator halts the zone.
# zoneadm -z needtoknow halt
Because the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.
# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data
Then, the administrator shares the dataset.
# zfs set sharenfs=on zone/data
Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.
# zonecfg -z needtoknow
# zonecfg:needtoknow> add fs
# zonecfg:needtoknow:dataset> set dir=/data
# zonecfg:needtoknow:dataset> set special=zone/data
# zonecfg:needtoknow:dataset> set type=zfs
# zonecfg:needtoknow:dataset> end
# zonecfg:needtoknow> exit
Next, the administrator boots the needtoknow zone.
# zoneadm -z needtoknow boot
The dataset is now accessible.
Users in the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, system1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.
# cd /net/system1/zone/needtoknow/root/data
If the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command.
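The following check of the settings made in the procedure and example above is an added example, not part of the original documentation. The function names and both sample outputs are constructed; the dataset zone/data, the zone needtoknow and the directory /data come from the example.

```shell
#!/bin/sh
# Added example, not Oracle's code: checks the settings this procedure makes.
# Both samples below are constructed; real output comes from the commands named.

# Constructed output of: zfs get -H -o property,value mountpoint,sharenfs zone/data
SAMPLE_PROPS=$(printf 'mountpoint\tlegacy\nsharenfs\ton\n')
# Constructed output of: zonecfg -z needtoknow info fs
SAMPLE_FS=$(printf 'fs:\n\tdir: /data\n\tspecial: zone/data\n\traw not specified\n\ttype: zfs\n\toptions: []\n')

# prop_value PROPS NAME: print the value of one property from tab-separated zfs output.
prop_value() {
    printf '%s\n' "$1" | awk -F'\t' -v p="$2" '$1 == p { print $2 }'
}

# fs_resource_ok FS_TEXT DATASET DIR: succeed if some fs resource has
# special=DATASET, dir=DIR and type=zfs. Field order inside a resource is not assumed.
fs_resource_ok() {
    printf '%s\n' "$1" | awk -v ds="$2" -v dir="$3" '
        function check() { if (d == dir && s == ds && t == "zfs") found = 1 }
        /^fs:/           { check(); d = s = t = "" }
        $1 == "dir:"     { d = $2 }
        $1 == "special:" { s = $2 }
        $1 == "type:"    { t = $2 }
        END              { check(); exit !found }'
}

# check_share PROPS FS_TEXT DATASET DIR: print one line per problem; status 0 if none.
check_share() {
    problems=0
    # legacy mountpoint: the dataset is not mounted before the zone is booted
    [ "$(prop_value "$1" mountpoint)" = legacy ] ||
        { echo "mountpoint is not legacy"; problems=1; }
    [ "$(prop_value "$1" sharenfs)" = on ] ||
        { echo "sharenfs is not on"; problems=1; }
    fs_resource_ok "$2" "$3" "$4" ||
        { echo "no zfs fs resource maps $3 to $4"; problems=1; }
    return "$problems"
}

# Run against the constructed samples. In the global zone, pass live output instead:
#   check_share "$(zfs get -H -o property,value mountpoint,sharenfs zone/data)" \
#               "$(zonecfg -z needtoknow info fs)" zone/data /data
check_share "$SAMPLE_PROPS" "$SAMPLE_FS" zone/data /data && echo "share configuration matches"
```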