> For example, I'm not sure allowing a non-global zone to set up link 
> aggregation really creates more flexibility in how administration can be 
> delegated.
> In order for a zone to use link aggregation the following steps are 
> necessary:
> 1. use zonecfg to assign bge1 and bge2 to zoneA (global zone admin)
> 2. connect bge1 and bge2 to the same Ethernet switch
> 3. enable link aggregation for those ports on the switch (I don't know 
> if there are switches that do LACP by default in which case this can be 
> omitted)
> 4. the dladm create-aggr setup
> 
> Thus even if we make the last step possible in a non-global zone, the 
> non-global zone admin depends on a network admin for 2 and 3.
> 
> Setting up tunnels is different, because there we don't have a 
> dependency on any other admin (except the far end of the tunnel, but 
> that is most likely unrelated to the admin of the local servers).
> 
... and creating VLANs also doesn't depend on any other admins. Then it 
could cause real confusion if the local zone can execute some of the dladm 
operations but not the others.

- Cathy
