>> We also discussed dladm operation within a zone and think there
>> are still lots of questions that need to be answered. At this time,
>> we'd rather not include that in the scope of the Clearview project;
>> we just support implicit iptun creation to preserve backward
>> compatibility with current Nevada.
>
> Interestingly, allowing "ifconfig plumb ip.tun0" from within a
> non-global zone makes it automatically possible for someone within that
> zone to do "dladm create-iptun -T ipv4 ip.tun0". They call the same API
> and execute the same code. We'd have to go out of our way to restrict
> the use of dladm. As such, I'm not sure if we can avoid having this
> discussion.
>

Hmm, maybe it is not a fair comparison, but in my implementation, allowing
"ifconfig bge1000 plumb" but not allowing "dladm create-vlan -d bge0 -v 1"
is not very difficult, as it goes through a different code path.
>> One question we talked about is that when the global zone assigns a
>> physical link to an exclusive local zone, say zone a, does that mean
>> that in zone a, one can create VLANs and aggregations over this
>> physical link? Note that today, the global zone can assign a VLAN over
>> the same physical link to another exclusive zone, say zone b. Because
>> of this, the administrator in zone a might see random errors when
>> creating VLANs or aggregations in that local zone.
>
> My feeling is that once we overcome the technical hurdles in the way of
> allowing "ifconfig plumb ip.tun0" to work within a non-global zone (one
> of which is node creation in /dev/net), then we'll be able to easily
> implement VLAN and aggregation creation from within non-global zones.
>

I might be missing something, but creating /dev/net nodes in a local zone
is not difficult. Actually, yesterday in my prototype I could create a
VLAN using "ifconfig bge1000 plumb" in an exclusive zone with no problem.
I only added the restriction code to disallow creation of
/dev/net/bge1000 in a local zone today. The code has been put back to the
clearview-uv gate; you can have a look and see whether it will help to
create the /dev/net node for iptuns. But I think the questions I mentioned
still need to be answered.

>> There surely are some questions that need some more thought. For
>> example, do we start linkmgmtd in each exclusive local zone? And if
>> so, how do we manage the link id name spaces, etc.? But I think this
>> discussion can be a start.
>
> linkmgmtd coordination is interesting. Perhaps a single daemon in the
> global zone with a doors interface that non-global zones can access is
> one possibility?
>

I'd like to see the discussion result of this thread, especially how the
link name namespace in the global zone would look.

Thanks
- Cathy
