2012-06-12 4:32, Darren Reed wrote:
There should be a particular amount of emphasis on the word "test" there as the shared stack provides a very specific security model for networking.
Does make sense. Perhaps the testing should involve a recipe that would build a preconfigured VM with a number of zones in different networking scenarios and would try hordes of communications which should be "expected to work" and those which should be "expected to fail (be forbidden)".
To throw out some architectural questions... Does the existence of a shared networking stack require the existence of a zone configured with an exclusive networking instance or should networking instances be managed independently of zones?
I think that is what the GZ is for. It spawns NICs and VNICs for the exclusive stacks, aliases for shared stacks, etherstubs for both :) I think GZ should be the one that spawns the (generic?) IP stacks and attaches a zone (including a GZ) to one stack. I did not read the source, but I believe that an exclusive stack is created by the GZ at about the same time that the GZ forks off a local zone to use this stack; at least, this would only make sense :) I am not sure now that we need more than one IP stack in one zone - when we can freely create zones and spawn a few for routing over a private etherstub if need be - though there might be uses for several stacks in a zone too, like multiple VRF tables in a Cisco switch with explicit routing injection into a VRF and an interface/subnet (but THAT's overcomplication, I agree).
>* How does the system behave when you shutdown the zone which > owns the networking instance that is being shared (assuming > that was the model used)? >* Do all of the zones sharing it also need to be shutdown? >* What about if you then want to destroy the zone that "owns" > the networking instance? I assumed this model is not used, and the GZ owns all system resources, including IP stacks, and delegates access (maybe some control) to these objects to its local zones. Not necessarily the GZ itself *uses* all of these resources - just like it does not by itself use a VNIC delegated into an ip-type=exclusive local zone today. Basically, "an IP stack" becomes the conceptual networking engine domain where fast-pathing and shortcuts for routerless connection can take place - like is done for shared stacks today. If there is one consumer (zone), the stack is exclusive. If more consumers are attached at this moment - the stack becomes shared. However, a different matter was discussed last night about which interfaces a zone (or stack) is allowed to use - aliases of one NIC/VNIC, or dedicated NICs/VNICs; and how much control are they allowed (does address and routing configuration come from inside or outside the zone); and is sniffing allowed - though there can be zone-level privileges for that, apparently? I think these differences should remain in place, to be used at an admin's discretion, but they don't fit the terminological dissection of "shared" vs. "exclusive" anymore.
... there are probably more questions along this train of thought that need to be answered before starting to look at code. Darren ------------------------------------------- illumos-discuss Archives: https://www.listbox.com/member/archive/182180/=now RSS Feed: https://www.listbox.com/member/archive/rss/182180/22642773-76f3f1fc Modify Your Subscription: https://www.listbox.com/member/?&; Powered by Listbox: http://www.listbox.com
-- +============================================================+ | | | Климов Евгений, Jim Klimov | | технический директор CTO | | ЗАО "ЦОС и ВТ" JSC COS&HT | | | | +7-903-7705859 (cellular) mailto:[email protected] | | CC:[email protected],[email protected] | +============================================================+ | () ascii ribbon campaign - against html mail | | /\ - against microsoft attachments | +============================================================+ ------------------------------------------- illumos-discuss Archives: https://www.listbox.com/member/archive/182180/=now RSS Feed: https://www.listbox.com/member/archive/rss/182180/21175430-2e6923be Modify Your Subscription: https://www.listbox.com/member/?member_id=21175430&id_secret=21175430-6a77cda4 Powered by Listbox: http://www.listbox.com
