On 06/ 2/10 02:04 PM, Edward Pilatowicz wrote:

what I was trying to compare this to is the default route behavior of:
if you have an interface configured with a default route in zonecfg, and
you delete that default route from within the zone, and then reboot the
zone, that default route will re-appear.  i.e., you can't persistently
delete just a default route.  I think that this same behavior would be
fine wrt network interfaces.  I mean, what is the use case for assigning
an interface to a zone via zonecfg if the admin of that zone is going to
persistently disable that interface?

The model we are trying to follow is the same as DHCP - the other case of externally provided IP address configuration.

Basically the gz statement about the container in which the ngz can run is of the form "on bge0 zoneA cannot use any IP addresses other than X and Y". (The similar statement for a DHCP server is that when asked by clientA, it will provide IP address Z.)

But those statements don't actually say that zoneA is required to use its interface on bge0 (nor does the DHCP server configuration require the client to ask the DHCP server).

Hence just like a DHCP client can choose to not use bge0 (and use its other datalinks instead), a ngz should be able to choose to not use its vnic on bge0 (and use its other datalinks instead).

Basically the gz provides constraints on which IP addresses can be used on a datalink, but neither mandates that that datalink be used nor mandates that all the IP addresses on the datalink be used by the ngz.

This is somewhat analogous to providing a mountpoint to a ngz (the gz constrains which mountpoints are available to the ngz, but can't force the applications to actually access files under those mountpoints.)

The primary purpose of the zonecfg IP address configuration for exclusive-IP zones is security, and having the ngz choose to not use the datalink doesn't introduce a security issue. In terms of the secondary purpose of ease of configuration, we are trying to find a balance between the gz being helpful and the ngz having autonomy. That has led us down the path of following the DHCP model where the set of datalinks is initialized on first boot after install/clone, but the set of IP addresses is more dynamic.

Let's chat more about this on the phone.
   Erik

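As an added illustration of the constraint model Erik describes above (this is not code from the thread or from the OpenSolaris zones implementation), the following Python snippet models the gz-side rule "on this datalink the zone may use only these addresses" and checks a zone's chosen configuration against it. It accepts a zone that leaves a datalink unused or uses only a subset of its allowed addresses, and rejects only an address outside the allowed set or a datalink the gz never assigned. The datalink names, zone name and addresses are constructed sample values; the function names are my own.

```python
"""Toy model of the exclusive-IP zone address constraint discussed in the thread.

The global zone (gz) states, per datalink, which IP addresses a non-global
zone (ngz) may use.  The checker enforces only that: every address the ngz
brings up on a datalink must be in that datalink's allowed set.  Leaving a
datalink unused, or using only some of its allowed addresses, is permitted,
which is the "constraint, not mandate" semantics described above.
"""
from ipaddress import ip_address

# gz-side constraints (constructed sample values): datalink -> addresses the
# ngz may use on it.  A datalink absent from this map is not assigned to the
# zone at all.
GZ_ALLOWED = {
    "bge0": {"192.0.2.10", "192.0.2.11"},
    "e1000g0": {"198.51.100.5"},
}


def check_ngz_config(ngz_config, allowed=GZ_ALLOWED):
    """Return a list of violation strings for an ngz's chosen IP configuration.

    ngz_config maps datalink -> list of address strings the zone configured.
    An empty return value means the configuration is within gz constraints.
    """
    violations = []
    # Normalise the allowed addresses once so textual variants compare equal.
    allowed_norm = {link: {ip_address(a) for a in addrs}
                    for link, addrs in allowed.items()}
    for link, addrs in ngz_config.items():
        if link not in allowed_norm:
            violations.append(f"{link}: datalink not assigned to this zone")
            continue
        for a in addrs:
            try:
                addr = ip_address(a)
            except ValueError:
                violations.append(f"{link}: {a!r} is not a valid IP address")
                continue
            if addr not in allowed_norm[link]:
                violations.append(f"{link}: {a} not in allowed set")
    return violations


def is_permitted(ngz_config, allowed=GZ_ALLOWED):
    """True when the ngz configuration stays inside the gz constraints."""
    return not check_ngz_config(ngz_config, allowed)


if __name__ == "__main__":
    # The case argued in the thread: the zone ignores its vnic on bge0 and
    # uses only its other datalink.  This is within the constraints.
    print(is_permitted({"e1000g0": ["198.51.100.5"]}))
    # Spoofing an address the gz did not allow on bge0 is what the check
    # exists to catch.
    print(check_ngz_config({"bge0": ["192.0.2.99"]}))
```

The point the model makes explicit is that the security property lives entirely in the per-datalink allowed set; nothing in the check depends on the zone actually configuring any address, so an unused datalink is neither a violation nor a weakening of the constraint.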
_______________________________________________
opensolaris-arc mailing list