Peter Memishian wrote:
> I agree this is compelling, and very much philosophically in line with the
> Clearview vanity naming model. However, I am not sure how to make it
> administratively "approachable", unless we're comfortable saying that
> links in local zones are not visible from the global zone. My
> recollection is that restriction *would* be consistent with the
> administrative model for stack instances (e.g., that one must log into the
> zone to administer its networking stack) -- if so, this might not be
> conceptually problematic.
You administer L3 from inside the zone.
L2 is done in the global zone; dladm, wificonfig, etc.
Doing partial L2 inside a zone would require some care. For instance, if
zoneA has been given bge1 and bge2, could it safely use dladm to create
an aggregation of bge1 and bge2? Not if that creates /dev/aggr0 in the
global zone.
FWIW "stack instances" is better named "exclusive IP zones"; it is IP
that is separated, which includes the pieces that are part of IP (IPsec,
IP filter) as well as those that do direct function calls into IP (TCP,
etc).
Erik
> However, it does seem a bit at-odds with things like ps(1), which allows
> processes from all zones to be manipulated. But that approach is also not
> without its problems (e.g., if different zones are running different name
> services, a ps(1) in the global zone may return some misleading results).
> Perhaps we should touch base with the Zones team.
>