Managing ZFS Properties Within a Zone
After a dataset is delegated to a zone, the zone administrator can control specific dataset properties. All of the dataset's ancestors are visible as read-only datasets, while the dataset itself is writable, as are all of its descendants. For example, consider the following configuration:
```
global$ zfs list -Ho name
system1
system1/home
system1/data
system1/data/matrix
system1/data/zion
system1/data/zion/home
```
If system1/data/zion were added to a zone with the default zion alias, each dataset would have the following properties.
Dataset | Visible | Writable | Immutable Properties
---|---|---|---
system1 | No | - | -
system1/home | No | - | -
system1/data | No | - | -
system1/data/matrix | No | - | -
system1/data/zion | Yes | Yes | zoned, quota, reservation
system1/data/zion/home | Yes | Yes | zoned
Note that every parent of system1/data/zion is invisible and all descendants are writable. The zone administrator cannot change the zoned property because doing so would expose a security risk that is described in the next section.
Privileged users in the zone can change any other settable property, except for the quota and reservation properties. This behavior allows the global zone administrator to control the disk space consumption of all datasets used by the native zone.
In addition, the share.nfs and mountpoint properties cannot be changed by the global zone administrator after a dataset has been delegated to a native zone.
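As an added illustration (not part of the Oracle documentation), the following POSIX shell script derives the table above from a constructed `zfs list -Ho name` listing and the name of the delegated dataset, and adds a global-zone check for delegated datasets that were left without a quota. The helper names `zone_view` and `unbounded_delegations` and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. zone_view applies the
# rules stated in the text: only the delegated dataset and its descendants
# are visible and writable inside the zone; zoned is immutable on all of
# them; quota and reservation are immutable on the delegated dataset itself.
zone_view() {
    delegated=$1
    while IFS= read -r ds; do
        [ -n "$ds" ] || continue
        case $ds in
            "$delegated")   printf '%s\tYes\tYes\tzoned, quota, reservation\n' "$ds" ;;
            "$delegated"/*) printf '%s\tYes\tYes\tzoned\n' "$ds" ;;
            *)              printf '%s\tNo\t-\t-\n' "$ds" ;;
        esac
    done
}
# The "$delegated"/* pattern needs the slash: a bare prefix match would
# wrongly treat a sibling such as system1/data/zion2 as a descendant.

# Global-zone check: print delegated datasets (zoned=on, parent not zoned)
# whose quota is none, i.e. the zone can fill the whole pool. Input is the
# output of `zfs get -Ho name,property,value zoned,quota` on stdin.
unbounded_delegations() {
    awk '$2 == "zoned" && $3 == "on" { zoned[$1] = 1 }
         $2 == "quota"               { quota[$1] = $3 }
         END {
             for (d in zoned) {
                 p = d; sub("/[^/]*$", "", p)   # parent dataset name
                 if (!(p in zoned) && quota[d] == "none") print d
             }
         }' | sort
}

# Constructed sample data mirroring the configuration in the text.
SAMPLE_LIST='system1
system1/home
system1/data
system1/data/matrix
system1/data/zion
system1/data/zion/home'
SAMPLE_GET='system1/data/zion zoned on
system1/data/zion quota none
system1/data/zion/home zoned on
system1/data/zion/home quota none'

printf '%s\n' "$SAMPLE_LIST" | zone_view system1/data/zion
printf '%s\n' "$SAMPLE_GET" | unbounded_delegations
```

On a real system, replace the sample data with the live command output (`zfs list -Ho name | zone_view system1/data/zion`); the descendant system1/data/zion/home is not flagged because its parent already carries the delegation.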