From this, I add the "usual" Enterprise Systems requirements: It has to be
That just leaves the "secure" requirement. There's lots of "interesting" opportunities there, though...
I think ideally the zone would be a mininmally installed zone (with just enough software to make apache and ftpd work) with everything mounted read-only from the global zone, and with a helper zone (only accessible to the LAN-side) having read-write access to the space (accessed via scp), with firewall rules allowing only (anyone->dlserver:80,443, and ftp) and (lan->helper:22) Oh yeah, and with traffic shaping to prevent this from eating too much of our outbound internet feed.
The firewall rules are easy... that's someone else's problem. "They" don't do traffic shaping, however, so I get to figure out the Solaris IPQOS functionality, if I get that far.
So how do you create a minimalist zone? Answers as I find them...