David Edmondson wrote:
> On Fri, Mar 02, 2007 at 10:43:07PM +0800, Cathy Zhou wrote:
>>>> I agree. But what kind of operation is seen as a manipulation of the
>>>> link? For example, whether global zone can create a VLAN or an
>>>> aggregation over a physical link after the link is assigned to an
>>>> exclusive zone? Whether a global zone can export a VLAN over this
>>>> physical link to another zone (which currently is valid operation)?
>>> A zone would not be able to create new links that are derivatives or
>>> composites of links that are not part of the zone's "immediate"
>>> namespace (where "immediate" means "without the zone name prefix").
>>> This restriction would apply to all zones (i.e. including the global
>>> zone).
>>>
>> If I understand correctly, two examples I gave should not be
>> allowed. Is that right?
>
> The first example (global zone creates a VLAN over a physical link
> which had been assigned to a non-global zone) would not be allowed.
>
> The second example (global zone creates a VLAN over a physical link
> and assigns the VLAN link to a non-global zone) would be allowed.
>
Maybe my question wasn't clear. But I mean if a physical link is already assigned to an exclusive zone, whether the global zone can assign a VLAN over this physical link to another zone. I think this is a completely valid operation today. But in the future, if we allow the local zone administrators to create their own VLANs, aggregations, it will cause problems.

> The first case is the global zone attempting to create a derivative of
> a link that is outside its namespace. The second case is the global
> zone creating a derivative of a link that is inside its namespace.
> It can then assign the derivative link to another zone (at which point
> the derivative link would be removed from the namespace of the global
> zone and added to that of the non-global zone).
>
Assuming the global zone assigns bge1001 to zone a, so that bge1001 should be deleted from the global zone link namespace, but bge1 should still exist in the global zone link namespace, and bge1 cannot be assigned to any other local zones. Is that right?

>>> If the split is clear then I don't see why non-global zone created
>>> links would not be shown in the global zone (with the non-global zone
>>> prefix, obviously).
>>>
>> Except the dladm show-link operation, in your mind what other
>> operation could see local zone links in a global zone?
>
> Most of me wants to say "none". I didn't look at how zoneadmd and IP
> instances interact, but perhaps that code would also need to be able
> to manipulate non-global zone link somehow.
>
> Perhaps there are also some observability tools that a global zone
> administrator may wish to use without "entering" the non-global zone.
>
What I want to understand is what information the global zone cares about for a local-zone created link, and how the global zone uses that information.

Thanks
- Cathy
