Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-31 Thread Volker A. Brandt
Dan McDonald writes:
> > On Mar 31, 2017, at 6:54 AM, Andy Fiddaman  wrote:
> >
> > I don't want the zone root user to be able to change
> > the IP address.
> 
> Well, so far, that seems to be the case, so it's looking like not changing 
> anything is a good thing.

When I did a demo using a CentOS 7.3 LX branded zone last week, I used
VirtualBox and its built-in DHCP server for the OmniOS Bloody host.

I simply omitted the IP address when I configured the zone.  From the
zone console, I then used the native "ipadm create-addr -T dhcp ..." to
obtain an address from within the zone.  I can provide details if anyone
would like to see them.

Worked Just Fine(tm). :-)


Regards -- Volker
-- 

Volker A. Brandt   Consulting and Support for Oracle Solaris
Brandt & Brandt Computer GmbH   WWW: http://www.bb-c.de/
Am Wiesenpfad 6, 53340 Meckenheim, GERMANY   Email: v...@bb-c.de
Commercial register: Amtsgericht Bonn, HRB 10513   Shoe size: 46
Managing directors: Rainer J.H. Brandt and Volker A. Brandt

"When logic and proportion have fallen sloppy dead"
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-31 Thread Dominik Hassler



On 03/30/2017 10:00 AM, Andy Fiddaman wrote:
> On Thu, 30 Mar 2017, Ludovic Orban wrote:
>
> ; I personally don't need ipadm in my LX zones, never missed it and I'm
> ; pretty certain I wouldn't use it even if it was available.
>
> Same here.

+1


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-31 Thread Andy Fiddaman


On Thu, 30 Mar 2017, Dan McDonald wrote:

;
; > On Mar 30, 2017, at 5:11 PM, Brian Hechinger  wrote:
; >
; > I'd like to see a way that network configuration can be disabled from 
; > within the zone so that it's set by the host admin and not the zone admin 
; > (assuming they are different people).
;
; I thought more people would be in agreement with you, but that appears not to 
; be the case.
;
; Rewriting lxinit & friends to allow this sort of admin model is going to be 
; harder than I thought, and since r151022 is already late relative to prior 
; releases (it's a cadence-breaker thanks to Loader, Python2.7, and 
; Kayak-for-ISO), I don't know if getting ipadm(1M) for LX zones would work.  
; You're the strongest endorser of doing it so far.

I read Brian's comment as wanting to stop network configuration from within
the zone => no ipadm. That's what I want too - if I set up a Linux zone and
hand control over, I don't want the zone root user to be able to change
the IP address.

Andy

-- 
Citrus IT Limited | +44 (0)870 199 8000 | enquir...@citrus-it.co.uk
Rock House Farm | Green Moor | Wortley | Sheffield | S35 7DQ
Registered in England and Wales | Company number 4899123



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-31 Thread Peter Tribble
On Fri, Mar 31, 2017 at 3:38 AM, Dan McDonald  wrote:

>
> > On Mar 30, 2017, at 5:11 PM, Brian Hechinger  wrote:
> >
> > I'd like to see a way that network configuration can be disabled from
> within the zone so that it's set by the host admin and not the zone admin
> (assuming they are different people).
>
> I thought more people would be in agreement with you, but that appears not
> to be the case.
>

Well, that's what I want, absolutely.

Although it's not just LX, I would also like global-zone configuration of
native exclusive-ip zones, which is not necessarily the same problem.


> Rewriting lxinit & friends to allow this sort of admin model is going to
> be harder than I thought, and since r151022 is already late relative to
> prior releases (it's a cadence-breaker thanks to Loader, Python2.7, and
> Kayak-for-ISO), I don't know if getting ipadm(1M) for LX zones would work.
> You're the strongest endorser of doing it so far.
>
> Dan
>



-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-31 Thread Joshua M. Clulow
On 30 March 2017 at 14:46, Bob Friesenhahn  wrote:
> Something I see is that with normal Solaris zones, one can provide root
> access to a relatively untrusted third-party since everything important can
> be locked-down.  This approach should currently not be used with LX Zones.

Why is that?  There shouldn't be any difference between a native zone
and an LX zone with respect to untrusted workloads.  The containment
model is the same in both cases.


Cheers.

-- 
Joshua M. Clulow
UNIX Admin/Developer
http://blog.sysmgr.org


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Dan McDonald

> On Mar 30, 2017, at 5:11 PM, Brian Hechinger  wrote:
> 
> I'd like to see a way that network configuration can be disabled from within 
> the zone so that it's set by the host admin and not the zone admin (assuming 
> they are different people).

I thought more people would be in agreement with you, but that appears not to 
be the case.

Rewriting lxinit & friends to allow this sort of admin model is going to be 
harder than I thought, and since r151022 is already late relative to prior 
releases (it's a cadence-breaker thanks to Loader, Python2.7, and 
Kayak-for-ISO), I don't know if getting ipadm(1M) for LX zones would work.  
You're the strongest endorser of doing it so far.

Dan



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Bob Friesenhahn

On Thu, 30 Mar 2017, Paul B. Henson wrote:

>> Linux DHCP can overwrite files at any time, possibly weeks after boot.
>
> You can configure it not to; for example, with dhcpcd, you would use the
> option '--nohook resolv.conf'. Other clients have similar options.

This is all very true.

Something I see is that with normal Solaris zones, one can provide 
root access to a relatively untrusted third-party since everything 
important can be locked-down.  This approach should currently not be 
used with LX Zones.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Paul B. Henson
On Thu, Mar 30, 2017 at 04:02:52PM -0500, Bob Friesenhahn wrote:

> Linux DHCP can overwrite files at any time, possibly weeks after boot.

You can configure it not to; for example, with dhcpcd, you would use the
option '--nohook resolv.conf'. Other clients have similar options.
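The point Bob and Paul make above is that the resolver settings written into the zone at boot (by the lx_boot_zone_* scripts, from zonecfg) can be silently replaced later by a Linux DHCP client hook. The following is an added example, not code from this thread, OmniOS or illumos: a small POSIX sh check that compares the resolver directives a zone should have against what its resolv.conf holds now, so such a rewrite is detected instead of showing up as mysterious DNS failures. The file names, domain and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread, OmniOS or illumos): detect
# drift between the resolver settings a zone should have (what the
# lx_boot_zone_* scripts write from zonecfg at boot) and what is in
# its /etc/resolv.conf now, e.g. after a Linux DHCP client hook rewrote it.

# normalize_resolv FILE
# Print only the resolver directives, with comments, blank lines and
# whitespace differences removed and lines sorted, so that a reordered
# but equivalent file does not count as drift.
normalize_resolv() {
    sed -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" |
        grep -E '^(nameserver|search|domain|options) ' |
        sort
}

# resolv_drift EXPECTED_FILE ACTUAL_FILE
# Returns 0 when both carry the same directives, 1 when they differ;
# on drift the differing lines are printed (diff style: < expected, > actual).
resolv_drift() {
    _tmp=$(mktemp -d) || return 2
    normalize_resolv "$1" > "$_tmp/expected"
    normalize_resolv "$2" > "$_tmp/actual"
    if diff "$_tmp/expected" "$_tmp/actual"; then
        _rc=0
    else
        _rc=1
    fi
    rm -rf "$_tmp"
    return $_rc
}

# write_sample_resolv_files DIR
# Constructed sample input (placeholder addresses and domains): expected.conf
# is what the host admin configured; actual.conf is what a DHCP client left.
write_sample_resolv_files() {
    cat > "$1/expected.conf" <<'EOF'
# written at zone boot from zonecfg
search example.internal
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
    cat > "$1/actual.conf" <<'EOF'
# Generated by a DHCP client hook, replacing the zonecfg settings
search lan
nameserver 192.0.2.1
EOF
}

# Demo run on the constructed files; in a real zone you would compare the
# live /etc/resolv.conf against a copy saved right after zone boot.
demo_dir=$(mktemp -d)
write_sample_resolv_files "$demo_dir"
if resolv_drift "$demo_dir/expected.conf" "$demo_dir/actual.conf"; then
    echo "resolv.conf matches the zonecfg-provided settings"
else
    echo "resolv.conf has drifted from the zonecfg-provided settings"
fi
rm -rf "$demo_dir"
```

Run it from cron or a monitoring agent inside the zone (or from the global zone against the zone root) and alert on a non-zero exit.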


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Brian Hechinger
I'd like to see a way that network configuration can be disabled from
within the zone so that it's set by the host admin and not the zone admin
(assuming they are different people).

Is this a possibility?

On Mar 30, 2017 5:04 PM, "Dan McDonald"  wrote:

>
> > On Mar 30, 2017, at 5:02 PM, Bob Friesenhahn <
> bfrie...@simple.dallas.tx.us> wrote:
> >
> > On Thu, 30 Mar 2017, Dan McDonald wrote:
> >
> >>
> >>> On Mar 30, 2017, at 4:26 PM, Bob Friesenhahn <
> bfrie...@simple.dallas.tx.us> wrote:
> >>>
> >>> The only way it could possibly work is if /etc/resolv.conf gets
> updated in the zone.  This is because native user-space apps/libraries take
> care of the DNS lookups rather than kernel code.
> >>
> >> Check out /usr/lib/brand/lx/lx_boot_zone_*.  Those scripts scribble
> resolv.conf at zone boot time.
> >
> > Linux DHCP can overwrite files at any time, possibly weeks after boot.
>
> Interesting.
>
> Given "lxinit" does DHCP too, you probably shouldn't be using any Linux
> DHCP client in an LX zone.
>
> Dan
>


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Dan McDonald

> On Mar 30, 2017, at 5:02 PM, Bob Friesenhahn  
> wrote:
> 
> On Thu, 30 Mar 2017, Dan McDonald wrote:
> 
>> 
>>> On Mar 30, 2017, at 4:26 PM, Bob Friesenhahn  
>>> wrote:
>>> 
>>> The only way it could possibly work is if /etc/resolv.conf gets updated in 
>>> the zone.  This is because native user-space apps/libraries take care of 
>>> the DNS lookups rather than kernel code.
>> 
>> Check out /usr/lib/brand/lx/lx_boot_zone_*.  Those scripts scribble 
>> resolv.conf at zone boot time.
> 
> Linux DHCP can overwrite files at any time, possibly weeks after boot.

Interesting.

Given "lxinit" does DHCP too, you probably shouldn't be using any Linux DHCP 
client in an LX zone.

Dan



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Bob Friesenhahn

On Thu, 30 Mar 2017, Dan McDonald wrote:

>> On Mar 30, 2017, at 4:26 PM, Bob Friesenhahn  wrote:
>>
>> The only way it could possibly work is if /etc/resolv.conf gets updated in the 
>> zone.  This is because native user-space apps/libraries take care of the DNS 
>> lookups rather than kernel code.
>
> Check out /usr/lib/brand/lx/lx_boot_zone_*.  Those scripts scribble resolv.conf 
> at zone boot time.

Linux DHCP can overwrite files at any time, possibly weeks after boot.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Dan McDonald

> On Mar 30, 2017, at 4:26 PM, Bob Friesenhahn  
> wrote:
> 
> The only way it could possibly work is if /etc/resolv.conf gets updated in 
> the zone.  This is because native user-space apps/libraries take care of the 
> DNS lookups rather than kernel code.

Check out /usr/lib/brand/lx/lx_boot_zone_*.  Those scripts scribble resolv.conf 
at zone boot time.

Dan



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Bob Friesenhahn

On Thu, 30 Mar 2017, Michael Talbott wrote:

> I have experienced the same /etc/resolv.conf issue in CentOS 6 and 
> 7 LX zones. No DNS servers get propagated from zonecfg.

The only way it could possibly work is if /etc/resolv.conf gets 
updated in the zone.  This is because native user-space apps/libraries 
take care of the DNS lookups rather than kernel code.

The Linux dhcp client is likely to overwrite the content of 
/etc/resolv.conf if the dhcp client is enabled (typical default). 
Anything written when the zone is configured would be overwritten.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Volker A. Brandt
Michael Talbott writes:
> I have experienced the same /etc/resolv.conf issue in CentOS 6 and 7 LX
> zones. No DNS servers get propagated from zonecfg.

Me, too.  The default search domain does get set, however.  Maybe it
is a trivial thing.


Regards -- Volker
-- 

Volker A. Brandt   Consulting and Support for Oracle Solaris
Brandt & Brandt Computer GmbH   WWW: http://www.bb-c.de/
Am Wiesenpfad 6, 53340 Meckenheim, GERMANY   Email: v...@bb-c.de
Commercial register: Amtsgericht Bonn, HRB 10513   Shoe size: 46
Managing directors: Rainer J.H. Brandt and Volker A. Brandt

"When logic and proportion have fallen sloppy dead"


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Michael Talbott
I have experienced the same /etc/resolv.conf issue in CentOS 6 and 7 LX 
zones. No DNS servers get propagated from zonecfg.

Oh, and I am in the same boat with ipadm. Would likely never use it inside an 
LX zone.

Michael


> On Mar 30, 2017, at 12:21 PM, Dan McDonald  wrote:
> 
> 
>> On Mar 30, 2017, at 3:19 AM, Guenther Alka  wrote:
>> 
>> Setting ip properties at the virtualisation layer
>> seems not straight forward to me. Lately I was
>> asked about the problem where DNS on Ubuntu 16
>> was not working despite the setting in the zone.cfg
>> (Configuring /etc/resolv in Linux was needed)
> 
> Yeah, that may be some distro weirdness.  It may also be something that our 
> install or boot scripts need help with as well.
> 
>> I would prefer a more ESXi like behaviour where settings
>> about hardware like (lofi) disks, CPU, RAM, vnics are zone
>> settings while network configuration is done by the VM
>> itself with the different but regular Linux tools and ways.
> 
> Oh I didn't say "linux tools".  I said "ipadm(1M)" which is in /native/sbin 
> and works like it does in the global zone or an ipkg/lipkg zone.
> 
>> A related question:
>> Exclusive ip access over a dedicated vnic is working.
>> I had problems with shared/bridged access to a physical nic
>> that is in use by OmniOS itself or a different zone. Is that possible?
> 
> Shared-stack IP is not allowed with LX zones.
> 
>> And is there a property to limit RAM or CPU of an LX zone?
> 
> Should work like any other zone brand.
> 
> Dan
> 



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Dan McDonald

> On Mar 30, 2017, at 3:19 AM, Guenther Alka  wrote:
> 
> Setting ip properties at the virtualisation layer
> seems not straight forward to me. Lately I was
> asked about the problem where DNS on Ubuntu 16
> was not working despite the setting in the zone.cfg
> (Configuring /etc/resolv in Linux was needed)

Yeah, that may be some distro weirdness.  It may also be something that our 
install or boot scripts need help with as well.

> I would prefer a more ESXi like behaviour where settings
> about hardware like (lofi) disks, CPU, RAM, vnics are zone
> settings while network configuration is done by the VM
> itself with the different but regular Linux tools and ways.

Oh I didn't say "linux tools".  I said "ipadm(1M)" which is in /native/sbin and 
works like it does in the global zone or an ipkg/lipkg zone.

> A related question:
> Exclusive ip access over a dedicated vnic is working.
> I had problems with shared/bridged access to a physical nic
> that is in use by OmniOS itself or a different zone. Is that possible?

Shared-stack IP is not allowed with LX zones.

> And is there a property to limit RAM or CPU of an LX zone?

Should work like any other zone brand.

Dan



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Bob Friesenhahn

On Thu, 30 Mar 2017, Guenther Alka wrote:

> I would prefer a more ESXi like behaviour where settings
> about hardware like (lofi) disks, CPU, RAM, vnics are zone
> settings while network configuration is done by the VM
> itself with the different but regular Linux tools and ways.


The "regular Linux tools and ways" are not likely to work due to the 
LX Zone actually still being Illumos and lacking support for netlink 
sockets, which is how modern facilities like 'ip' are implemented. 
Perhaps primitive utilities as provided by Busybox (e.g. Alpine) might 
work due to being based on deprecated ioctl interfaces.


It could be possible to provide alternate work-alike "native" Linux 
tools but these would need to be provided in source form, or in Linux 
distribution-specific binary packages.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/


Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Andy Fiddaman


On Thu, 30 Mar 2017, Ludovic Orban wrote:

; I personally don't need ipadm in my LX zones, never missed it and I'm
; pretty certain I wouldn't use it even if it was available.

Same here.

Andy

-- 
Citrus IT Limited | +44 (0)870 199 8000 | enquir...@citrus-it.co.uk
Rock House Farm | Green Moor | Wortley | Sheffield | S35 7DQ
Registered in England and Wales | Company number 4899123



Re: [OmniOS-discuss] Ang: LX Zones question: Do you miss ipadm(1M)?

2017-03-30 Thread Ludovic Orban
I personally don't need ipadm in my LX zones, never missed it and I'm
pretty certain I wouldn't use it even if it was available. I'd *much*
prefer to have 7388 though (sorry for insisting, I couldn't resist ;-))

On Thu, Mar 30, 2017 at 9:19 AM, Guenther Alka  wrote:

> Setting ip properties at the virtualisation layer
> seems not straight forward to me. Lately I was
> asked about the problem where DNS on Ubuntu 16
> was not working despite the setting in the zone.cfg
> (Configuring /etc/resolv in Linux was needed)
>
> I would prefer a more ESXi like behaviour where settings
> about hardware like (lofi) disks, CPU, RAM, vnics are zone
> settings while network configuration is done by the VM
> itself with the different but regular Linux tools and ways.
>
> A related question:
> Exclusive ip access over a dedicated vnic is working.
> I had problems with shared/bridged access to a physical nic
> that is in use by OmniOS itself or a different zone. Is that possible?
>
> And is there a property to limit RAM or CPU of an LX zone?
>
> Gea
>
>
>
> On 30.03.2017 at 07:30, Johan Kragsterman wrote:
>
>> Hi!
>>
>>
>>
>> -"OmniOS-discuss"  wrote:
>> -
>> To: OmniOS-discuss 
>> From: Dan McDonald
>> Sent by: "OmniOS-discuss"
>> Date: 2017-03-30 02:12
>> Subject: [OmniOS-discuss] LX Zones question: Do you miss ipadm(1M)?
>>
>> One of the checkbox-items for this bloody *was* "ipadm for LX zones".
>> After having some conversations with Joyent, and noticing a lack of
>> enthusiasm here, I'm wondering if I should even bother with it for this
>> bloody & r151022.
>>
>> Please speak up if you have ANY opinion on this subject.  I'm honestly
>> not sure, so I wouldn't be taking sides or advocating one way or the other.
>>
>> Thanks,
>> Dan
>>
>>
>>
>> ipadm is a nice and versatile tool, and I would for sure like to see it
>> in LX zones. Though the priority of the development is another question,
>> WHEN to put it there.
>> r151022 is an LTS release, and I believe it would be nice to have ipadm
>> in there, but if you can't get it there before release, due to other
>> priorities, perhaps you can backport it later?
>>
>> Rgrds Johan
>>
>>
>>
>>
>>