Peter Memishian wrote:
> > If so, I'd think we can also do dladm create-aggr (and any other L2
> > administrative command) inside a local zone.
>
> Yes -- and I think this makes sense, but Erik said that this sort of stuff
> was out-of-scope for stack instances, so I'm sure he'll disagree :-)

I think I said "when != now".
Whether this makes sense in the future is a question.
Does it make sense to extend the dladm/GLDv3 model so that when combined
with stack instances the non-global zone can do a subset of the
operations that can be done in the global zone?
The subset would have to be safe in the sense that it can't upset the
global zone or some other zone.
And the subset would have to be useful in the sense that it enables a
different way to delegate management using zones.
For example, I'm not sure allowing a non-global zone to set up link
aggregation really creates more flexibility in how administration can be
delegated.
In order for a zone to use link aggregation the following steps are
necessary:
1. use zonecfg to assign bge1 and bge2 to zoneA (global zone admin)
2. connect bge1 and bge2 to the same Ethernet switch
3. enable link aggregation for those ports on the switch (I don't know
if there are switches that do LACP by default, in which case this can be
omitted)
4. the dladm create-aggr setup
Thus even if we make the last step possible in a non-global zone, the
non-global zone admin depends on a network admin for 2 and 3.
Setting up tunnels is different, because there we don't have a
dependency on any other admin (except the far end of the tunnel, but
that is most likely unrelated to the admin of the local servers).
Erik