[indiana-discuss] zones issues with SSL publisher (to get Sun support or not)

Anil anilj at entic.net
Tue Aug 18 20:00:19 PDT 2009


I've been playing around with how zones are integrated in a system running a /support (default publisher) version of OpenSolaris 2009.06. It seems when a new zone is installed, the SSL keys are also copied over to the zone (at least that's what the zone install messages seem to show - sorry, didn't get a chance to actually verify what keys are copied over, etc.).

This is a bad thing if we are providing the zone to a user/customer who does not have root access to the global zone. They would have access to the keys, free to distribute and use.

What is a solution to this?

If I set the default publisher of the global zone to be /release right before installing the zone, then the zone and the global zone bits are different. But this does prevent the keys from being copied. Once installed, I could set it back to /support.

All of that sounds like a bit of a hack, and I would rather not do that, in the hopes of keeping the zones and the global zone in sync with the same bits.

But then how can I get Sun support (patches) and also prevent this problem? If there is no good solution at this point, I guess I will just have to stick with /release for now.
-- 
This message posted from opensolaris.org


