Bart S. suggested I post this here. I don't subscribe to this list, so I
will follow along in the Jive forums.
First, my initial note to Bart, with some edits ('cause I now AM running
IPS):
===================== (Cut up to and including here.) =====================
I've updated my home server to IPS, and it occurs to me that operationally
I'm going to have to bend-over-backwards once I get my full configuration up
and running.
Consider this deployment:
global-zone: local-only NFS service (10.1.1.15/24, no defrtr)
NAT-zone: plugged into Internet and NAT-ting to 10.1.1.0/24.
webserver zone: webserver, with inbound TCP ports 80 and 443
directed by the NAT zone.
VPN-GW-zone: NAT directs inbound UDP ports 500 and 4500 into here.
It also proxy-ARPs internal network addresses that
get assigned to remote clients.
If I use "zoneadm attach -u" I must have the global zone able to reach an IPS
repository. If I deploy as I've shown above, I have to attach my global zone
to the Internet (by adding a default route) until my other zones are upgraded
(or at least my NAT zone is).
Many security-conscious admins don't want their global zone reachable to or
from the public Internet, even behind a NAT. And if I can deploy a
remote-site-in-a-box like this, well, let's just say it presents some
interesting opportunities.
Dave Miner mentioned the possibility of using the global zone's IPS cache
(did I get the term right?) to upgrade the subservient zones. In such a
deployment I would have to add a default route to the global zone for the
duration of "pkg image-update" or "pkg install", but after that I could
safely delete the default route.
I wanted to mention this to you first because if you're working on something
to this end, I can test it now.
Also, I would like to put this question on a public list, and don't know the
exact one on which to do it.
Thanks!
Dan
===================== (Cut up to and including here.) =====================
Bart then replied (no edits).
===================== (Cut up to and including here.) =====================
pkg-discuss is the right place....
We don't yet have an elegant solution to this particular config; the easiest
fix is the repo on a stick model where you stand up a local
repo using the DVD.
In general, the only way you have to upgrade these boxes w/ SVR4 packaging is
to drive out w/ a DVD.
In the future, real zone support will work such that the global zone
distributes system packages to the other zones; in this case you'd
use the NATed zone to upgrade the global zone and then the zones
would be upgraded from the global zone.
- Bart
===================== (Cut up to and including here.) =====================
So hello, pkg-discuss! I have a multi-zone IPS server (NFS and webserver
running now, VPN next, followed by NAT-Router), and I'm ready to give
feedback to anyone who will listen! :)
Thanks!
Dan
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
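An added example, not code from the original thread or from the IPS project: the "default route only for the duration of pkg image-update" approach Dan describes above, written as a small /bin/sh wrapper so that the route is removed again even if the pkg operation fails or is interrupted, rather than leaving the global zone reachable from the Internet because an upgrade blew up halfway. It assumes the NAT zone's inside address 10.1.1.1 as the gateway and the 2008-era "pkg image-update" command; both are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original thread or the IPS project: give the
# global zone a default route only while one IPS command runs, and delete
# the route again whether that command succeeds, fails or is interrupted.
# Assumptions (not stated on the page): the NAT zone's inside address
# 10.1.1.1 is the gateway, and the IPS command is the 2008-era
# "pkg image-update". Set DRY_RUN=1 to print the commands instead of running
# them; a real run must be done as root in the global zone.

GATEWAY=${GATEWAY:-10.1.1.1}

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Run the given command with a temporary default route. The EXIT/INT/TERM
# trap covers the interrupted case; the explicit delete covers the normal
# and failing cases. Returns the wrapped command's exit status.
with_temp_default_route() {
    run route add default "$GATEWAY" || return 1
    trap 'run route delete default "$GATEWAY"; trap - EXIT INT TERM' EXIT INT TERM
    if "$@"; then
        status=0
    else
        status=$?
    fi
    run route delete default "$GATEWAY"
    trap - EXIT INT TERM
    return "$status"
}

# Usage: sh upgrade-global.sh upgrade
#        DRY_RUN=1 sh upgrade-global.sh upgrade   (print what would happen)
case "${1:-}" in
    upgrade) with_temp_default_route run pkg image-update ;;
esac
```

The wrapper deliberately does not touch the other zones: under the model Bart describes, the NAT zone upgrades the global zone this way and the non-global zones are then upgraded from the global zone, so only this one window needs the route at all.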