Can't jumpstart a machine when NFS is "secured"
Hi folks,
I have a perfectly good working Jumpstart solution in place but now the security compliance department states that NFS mounts cannot be exported with root access.
A jumpstart installation works fine with:
share -F nfs -o ro,anon=0 <directory>
in the /etc/dfs/dfstab...
...but change this anon=0 to anon=1 or anon=2 and the "ok boot net - install" just stalls.
There seems to be no alternative in the documentation for that line in the /etc/dfs/dfstab. Does anybody have a workaround for this?
Thanks,
J.
# 1
Maybe you can get an exception.
Just point out to them that the share is exported read-only ("ro"). The files would never be writable to root. (Never!) What are writable are files like /dev/console, which, if they know Unix, will not be a security problem since that is not a regular file and would just write to the console. (You can tell them you will burn the console when you are finished so that the information on the screen would get out ;-) ).
P.S. When explaining to them, try to make it look as if it is an obviously simple case of someone who lacks NFS knowledge trying to create this stupid rule. It might make them embarrassed and give in quicker.
cg
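One way to check dfstab entries against the rule discussed in this thread, as an added example that is not from any poster: it labels each share by whether root access is granted (`anon=0` or `root=`) and whether the share is writable, so the read-only Jumpstart case is reported separately from root-writable shares. The sample paths, the host name `buildhost` and the verdict labels are constructed for illustration; the script assumes one `share` command per line with the pathname as the last field.

```shell
#!/bin/sh
# Constructed sample input in /etc/dfs/dfstab syntax (not taken from a real server).
sample_dfstab() {
    cat <<'EOF'
share -F nfs -o ro,anon=0 /export/install
share -F nfs -o rw,anon=0 /export/scratch
share -F nfs -o ro,anon=2 /export/docs
share -F nfs -o root=buildhost /export/home
# share -F nfs -o rw,anon=0 /export/old
EOF
}

# audit_dfstab [FILE]: print "VERDICT path options" for every share line.
#   ROOT-RO  root access granted, but nothing can be written
#   ROOT-RW  root access granted on a writable share
#   OK       no root access granted
audit_dfstab() {
    awk '
    $1 != "share" { next }   # skips blank lines and commented-out entries
    {
        opts = ""; root = 0; ro = 0; rw = 0
        for (i = 2; i < NF; i++)
            if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
            # anon=0 maps unknown users (including remote root) to uid 0;
            # root=<list> grants root access to the listed hosts.
            if (o[j] == "anon=0" || o[j] ~ /^root=/) root = 1
            if (o[j] == "ro" || o[j] ~ /^ro=/) ro = 1
            if (o[j] == "rw" || o[j] ~ /^rw=/) rw = 1
        }
        # With neither ro nor rw given, share_nfs defaults to read-write.
        writable = (rw || !ro)
        verdict = !root ? "OK" : (writable ? "ROOT-RW" : "ROOT-RO")
        print verdict, $NF, (opts == "" ? "(defaults)" : opts)
    }' "$@"
}

# Run against the constructed sample; pass /etc/dfs/dfstab to audit a real file.
sample_dfstab | audit_dfstab
```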
# 2
It's silly when Security wants to implement checks and balances within an internal network that will be accessed by internal users only. I've seen this pattern in way too many organizations -- trying to fix something that ain't broken!
That too on networks that are several firewalls away from the DMZ!
:0
Incidentally, if your organization uses only flash-based deployments, you can eliminate the need for NFS by exporting the flash archive(s) on an HTTP server (set up Apache and publish the flash archive directory of the jumpstart server).