This post is from https://www.veritas.com/support/en_US/article.000032145 and is very useful for anyone who needs to mitigate the problem of accessing raw Veritas Volume Manager volumes from non-global zones.
Problem
Workaround to access raw Veritas Volume Manager volumes from Non-global zones
Solution
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Important Note about this Workaround: The information in this TechNote does not apply to the Veritas Storage Foundation (SF) 5.0 Maintenance Pack 1 Rolling Patch 5 (MP1 RP5) and 5.0 Maintenance Pack 3 (MP3) releases. For non-global zone information relevant to the SF 5.0 MP1 RP5 and 5.0 MP3 releases, see the appendix regarding Veritas Storage Foundation support for Solaris Zones in the Veritas Volume Manager 5.0 MP3 Administrator's Guide.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Non global zone users do not have direct access to raw Veritas Volume Manager (VxVM) volumes even if the zoneadm device property is used to export these volumes to the non global zone.
The workaround below can be used to grant access to VxVM raw volumes from a non global zone.
Warning: If access to a raw volume is granted to a non global zone, you must ensure that the raw volume is used appropriately to prevent the possibility of data corruption or system failure. In particular, pay attention to any file system that is configured on top of a raw volume in a zone. Data corruption can result if you write directly to the raw volume (for example, by using a utility such as dd). If data corruption occurs in UFS metadata, this can result in a system wide panic. Potentially, a zone administrator in one zone could disrupt all zones. It is therefore not recommended that UFS file systems be configured on raw volumes. Instead, a Veritas File System file system is recommended, as it is more tolerant of I/O errors on metadata. For more information, see the ioerror section of the mount_vxfs(1M) manual page.
All VxVM configuration changes, including changes to raw volumes, must be performed in the global zone.
Workaround
Warning: Exporting raw devices is a security risk. Customers using this workaround should ensure that the non global zone has permission to access the global raw devices. It is your responsibility to ensure that the proper security is applied for data protection.
To access VxVM volumes in the global zone from a non global zone:
1. If the non global zone does not already exist, create a zone path with appropriate permissions and use the zonecfg command to create the non global zone.
The following example shows how to use the zonecfg command to create a non global zone named "myzone":
# zonecfg -z myzone
myzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:myzone> create
zonecfg:myzone> set zonepath=/myzone
zonecfg:myzone> set autoboot=true
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
2. Install the non global zone and verify that its status is shown as "installed":
# zoneadm list -iv
ID NAME STATUS PATH
0 global running /
- myzone installed /myzone
3. Boot the non global zone and verify that its status is shown as "running":
# zoneadm -z myzone boot
# zoneadm list -iv
ID NAME STATUS PATH
0 global running /
1 myzone running /myzone
4. Use the ls -l command to find out the major and minor numbers of the raw volume.
In this example, the volume v1 is in the tcrundg disk group within the global zone. The raw device in the global zone that corresponds to v1 is /dev/vx/rdsk/tcrundg/v1.
Running the ls -l command on this device shows that the major number is 289, and the minor number is 45000:
# ls -l /dev/vx/rdsk/tcrundg
crw------- 1 root root 289, 45000 Aug 24 11:13 v1
5. Use the mknod command to create an entry for the VxVM volume in the non global zone. In this example, the major number is 289 and the minor number is 45000:
# cd /myzone/dev
# mknod v1 c 289 45000
6. Log into the non global zone and check the device entry for the volume:
# zlogin -l root myzone
[Connected to zone 'myzone' pts/6]
Last login: Thu Aug 24 14:31:41 on pts/5
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# ls -l /dev/v1
crw-r--r-- 1 root root 289, 45000 Aug 24 16:10 /dev/v1
7. Verify that you can perform I/O with the device entry in the non global zone:
# dd if=/dev/v1 of=/dev/null
2048+0 records in
2048+0 records out
The iostat command can also be used to observe I/O activity in both the global and non global zones.
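Added example, not part of the Veritas TechNote: in the listings above the node created by mknod is crw-r--r-- while the global device is crw-------, so any user in the zone can read the raw volume. The script below checks a pair of ls -l lines for that condition and for a major/minor mismatch; the function names (devnum, group_other_bits, audit_export) are made up for this example.

```shell
#!/bin/sh
# Added example (POSIX sh; on Solaris 10 run it with /usr/xpg4/bin/sh or ksh).
# Compares `ls -l` lines for a raw volume in the global zone and for the node
# created with mknod under the zone's dev directory.

# Sample input: the two listing lines shown in the steps above.
GLOBAL_LINE='crw------- 1 root root 289, 45000 Aug 24 11:13 v1'
ZONE_LINE='crw-r--r-- 1 root root 289, 45000 Aug 24 16:10 /dev/v1'

# Print "major,minor" for a character-device line, or nothing if it is not one.
# Accepts both "289, 45000" and "289,45000" spacing.
devnum() {
    printf '%s\n' "$1" |
        sed -n 's/^c[^ ]* *[0-9]* *[^ ]* *[^ ]* *\([0-9]*\), *\([0-9]*\) .*/\1,\2/p'
}

# Print the six group/other permission characters of the mode string.
group_other_bits() {
    printf '%s\n' "$1" | cut -c5-10
}

# audit_export GLOBAL_LINE ZONE_LINE -> prints one verdict:
#   UNPARSED  a line is not a character-device listing
#   MISMATCH  the zone node has different major/minor numbers
#   LOOSER    same device, but group/other hold a bit the global node denies
#   OK        same device, no extra group/other access
audit_export() {
    g_dev=$(devnum "$1")
    z_dev=$(devnum "$2")
    if [ -z "$g_dev" ] || [ -z "$z_dev" ]; then echo UNPARSED; return 0; fi
    if [ "$g_dev" != "$z_dev" ]; then echo MISMATCH; return 0; fi
    g_bits=$(group_other_bits "$1")
    z_bits=$(group_other_bits "$2")
    i=1
    while [ "$i" -le 6 ]; do
        g=$(printf '%s' "$g_bits" | cut -c"$i")
        z=$(printf '%s' "$z_bits" | cut -c"$i")
        if [ "$g" = "-" ] && [ "$z" != "-" ]; then echo LOOSER; return 0; fi
        i=$((i + 1))
    done
    echo OK
}

audit_export "$GLOBAL_LINE" "$ZONE_LINE"   # prints LOOSER
```

In the global zone, pass the real listings instead of the samples: audit_export "$(ls -l /dev/vx/rdsk/tcrundg/v1)" "$(ls -l /myzone/dev/v1)".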
Source : https://www.veritas.com/support/en_US/article.000032145