I'm sponsoring this fast-track request for Glenn Faden. The timer is set to 02/05/2008. The requested release binding is "patch/micro" (as it will be needed for an S10 Update), and the stability level for the new zonecfg keyword is "Committed."
Zones may be configured with shared or exclusive IP stacks. In the shared stack configuration the network interfaces are configured by the global zone, not by the non-global zone itself. Zones with shared IP stacks are assigned logical interfaces associated with the physical interface specified in the zone's configuration file. Therefore, the physical interface must exist (be plumbed) in the global zone.

Customers who are using zones for cross-domain solutions associate each zone with a unique physical network. They want to restrict network traffic such that each network interface is used by only a single zone, and the global zone is isolated from all of these networks. Currently such network configurations are difficult to manage because there is no facility to specify the default route for each network. Existing mechanisms such as persistent routes and /etc/defaultrouter don't work because they require that the interface be up when the routes are applied. However, these customers do not want to bring up the zone's network interfaces in the global zone. They must wait until the zone is booted and then apply its default route, but there is no mechanism for synchronizing these events.

This project proposes that the default route for a zone's interface that uses a shared IP stack can optionally be specified using a new default router property, defrouter, associated with the network resource (net), via zonecfg(1M). Currently, the network resource has two properties, "physical" and "address." The latter can only be used with the shared IP stack. The default router property is optional for the shared IP stack, and not permitted with the exclusive IP stack. The value for the default router is a hostname or an IP address. Host names are resolved in the context of the global zone. The router address is specified as part of the "net" resource type, so that the installed routes may be associated with a specific interface via the route(1M) "-ifp" option.
For zones using a shared IP stack, the interface specified in the "physical" property must be plumbed in the global zone prior to booting the non-global zone. However, if the interface is not intended to be used by the global zone, it should be configured in the global zone via ifconfig(1M) into the down state.

In this project, the specification of the default route in the zone's configuration file is needed for the zone to send packets off the assigned subnet. When specified, the default route for the interface is interpreted by zoneadmd after it has brought up the specified logical interface and applied its address and netmask. If a default route is specified, zoneadmd then calls the route(1M) command to establish the specified route. If the exit status of the route command is non-zero, it is checked for the value EEXIST, which indicates that the route already exists. If any other exit status is returned, a non-fatal warning message is generated. (The exit status values of the route command are not documented; the dependency is Consolidation Private.)

This change is backward compatible because the new "defrouter" keyword is optional.
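As an added illustration (not part of this case or of the zones code), the following script checks the two rules stated above against the command stream produced by "zonecfg -z <zone> export": defrouter is permitted only for shared-stack zones, and when the router is an IP literal and the address carries a prefix length, the router must lie on the interface's subnet, since zoneadmd installs it with "route -ifp" against that logical interface. The sample export and interface names are constructed.

```python
import ipaddress
import re

# Constructed sample in the style of `zonecfg -z <zone> export` output.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/web
set ip-type=shared
add net
set address=192.168.10.20/24
set physical=e1000g1
set defrouter=192.168.10.1
end
add net
set address=10.1.1.5/24
set physical=e1000g2
set defrouter=10.1.2.1
end
"""

def parse_zonecfg_export(text):
    """Return (ip_type, list of net-resource dicts) from exported commands."""
    ip_type, nets, cur = "shared", [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "add net":
            cur = {}
        elif line == "end" and cur is not None:
            nets.append(cur)
            cur = None
        else:
            m = re.match(r"set (\S+?)=(.*)$", line)
            if not m:
                continue
            key, val = m.groups()
            if cur is not None:
                cur[key] = val
            elif key == "ip-type":
                ip_type = val
    return ip_type, nets

def check_defrouters(text):
    """Return a list of problems found; an empty list means the config is consistent."""
    ip_type, nets = parse_zonecfg_export(text)
    problems = []
    for net in nets:
        phys, addr, rtr = net.get("physical", "?"), net.get("address"), net.get("defrouter")
        if rtr is None:
            continue  # defrouter is optional
        if ip_type != "shared":
            problems.append(f"{phys}: defrouter not permitted with ip-type={ip_type}")
            continue
        try:
            router = ipaddress.ip_address(rtr)
        except ValueError:
            continue  # hostname: resolved by the global zone at boot, not checked offline
        if addr and "/" in addr:  # without a prefix the netmask comes from elsewhere
            subnet = ipaddress.ip_interface(addr).network
            if router not in subnet:
                problems.append(f"{phys}: defrouter {rtr} is not on {subnet}")
    return problems
```

Run it against the output of "zonecfg -z <zone> export" before booting the zone; a router off the interface's subnet would make the route(1M) call fail, and the page notes that zoneadmd only reports such failures as a non-fatal warning.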
