hey dan,

i'm currently prototyping the zones support for pkg.

afaik, bart is correct in your options.  with the current pkg software
and your config, if you want to stick with our documented "zoneadm
attach -u" upgrade mechanism then you'll need to stand up a depot in the
global zone.

wrt using the pkg download cache, you might be able to do this but you'd
have to figure out a way to manipulate the cache to ensure that it will
have everything needed in it for your zone updates.  (if you figure
out a way to do this then please share it with this alias.)

i do have one other workaround/suggestion you could try.  after you do
an image-update of your global zone, before rebooting, use beadm to
mount the new image on /a.  then you can try doing "pkg -R
/a/<path_to_your_zone>/root image-update" for each of your zones.  this
will probably work as long as you're always image-update'ing to the latest
bits in the repository (and no new images get pushed to the repository
in between all the image-update operations.)

once we have actual zone support in pkg, your zones will get
automatically updated when you do the image-update of the global zone.
and since you have a network connection at that point in time everything
will work correctly, as you'd expect.

unfortunately, my prototype is still in very rough shape right now and
not something that anyone can really test out.  i hope to have something
more solid, and some related design docs, out soon.

ed
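The per-zone image-update workaround ed sketches above, written out as an added example (not code from this thread or from the pkg project). It assumes the new boot environment is already mounted at /a with beadm, that `zoneadm list -ip` prints colon-separated zoneid:zonename:state:zonepath:uuid:brand:ip-type records, and it embeds a constructed listing so the dry run works without a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkg itself.
# Assumes the new boot environment is already mounted at ALT_ROOT
# ("beadm mount <be> /a") and that "zoneadm list -ip" prints one
# colon-separated record per installed zone:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type
ALT_ROOT="${ALT_ROOT:-/a}"

# Constructed listing used for the dry run below (not real host output).
SAMPLE_LISTING='0:global:running:/::ipkg:shared
1:nat:running:/zones/nat:00000000-0000-0000-0000-000000000001:ipkg:exclusive
-:web:installed:/zones/web:00000000-0000-0000-0000-000000000002:ipkg:shared'

# zone_image_roots ALT_ROOT  (reads a zoneadm listing on stdin)
# Prints the alternate image root to hand to "pkg -R" for every
# non-global zone: the mounted BE plus the zonepath plus "/root".
zone_image_roots() {
    alt="$1"
    while IFS=: read -r zid zname zstate zpath rest; do
        case "$zname" in global|"") continue ;; esac
        [ -n "$zpath" ] || continue
        printf '%s/%s/root\n' "$alt" "${zpath#/}"   # zonepath is absolute
    done
}

# update_zones ALT_ROOT  (reads a zoneadm listing on stdin)
# Runs "pkg -R <root> image-update" for each zone root. With DRY_RUN set
# it only prints the commands. Stops at the first failure so a half-
# updated set of zones is noticed before the new BE is booted.
update_zones() {
    zone_image_roots "$1" | while read -r root; do
        if [ -n "$DRY_RUN" ]; then
            echo "pkg -R $root image-update"
        else
            pkg -R "$root" image-update || exit 1
        fi
    done
}

# Entry point on the real host: "sh zoneupdate.sh run"; set DRY_RUN=1 to
# see the commands first. Without "run" the script only defines functions.
if [ "${1:-}" = "run" ]; then
    zoneadm list -ip | update_zones "$ALT_ROOT"
fi
```

Run it from the global zone after the image-update and before the reboot, so each zone's copy under the mounted BE is updated against the same repository contents the global zone just pulled.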

On Mon, Jan 11, 2010 at 01:15:15PM -0500, Dan McDonald wrote:
> Bart S. suggested I post this here.  I don't subscribe to this list, so I
> will follow along in the Jive forums.
>
> First, my initial note to Bart, with some edits ('cause I now AM running
> IPS):
>
> ===================== (Cut up to and including here.) =====================
>
> I've updated my home server to IPS, and it occurs to me that operationally
> I'm going to have to bend-over-backwards once I get my full configuration up
> and running.
>
> Consider this deployment:
>
>       global-zone:  local-only NFS service (10.1.1.15/24, no defrtr)
>
>       NAT-zone:  plugged into Internet and NAT-ting to 10.1.1.0/24.
>
>       webserver zone:  webserver, with inbound TCP ports 80 and 443
>                        directed by the NAT zone.
>
>       VPN-GW-zone:  NAT directs inbound UDP ports 500 and 4500 into here.
>                     It also proxy-ARPs internal network addresses that
>                     get assigned to remote clients.
>
> If I use "zoneadm attach -u" I must have the global zone able to reach an IPS
> repository.  If I deploy as I've shown above, I have to attach my global zone
> to the Internet (by adding a default route) until my other zones are upgraded
> (or at least my NAT zone is).
>
> Many security-conscious admins don't want their global zone reachable to or
> from the public Internet, even behind a NAT.  And if I can deploy a
> remote-site-in-a-box like this, well, let's just say it presents some
> interesting opportunities.
>
> Dave Miner mentioned the possibility of using the global zone's IPS cache
> (did I get the term right?) to upgrade the subservient zones.  In such a
> deployment I would have to add a default route to the global zone for the
> duration of "pkg image-update" or "pkg install", but after that I could
> safely delete the default route.
>
> I wanted to mention this to you first because if you're working on something
> to this end, I can test it now.
>
> Also, I would like to put this question on a public list, and don't know the
> exact one on which to do it.
>
> Thanks!
> Dan
>
> ===================== (Cut up to and including here.) =====================
>
> Bart then replied (no edits).
>
> ===================== (Cut up to and including here.) =====================
>
> pkg-discuss is the right place....
>
> We don't yet have an elegant solution to this particular config; the easiest
> fix is the repo on a stick model where you stand up a local
> repo using the dvd.
>
> In general, the only way you have to upgrade these boxes w/ svr4 packaging is
> to drive out w/ a dvd.
>
> In the future, real zone support will work such that the global zone
> distributes system packages to the other zones; in this case you'd
> use the NATed zone to upgrade the global zone and then the zones
> would be upgraded from the global zone.
>
> - Bart
>
> ===================== (Cut up to and including here.) =====================
>
>
> So hello, pkg-discuss!  I have a multi-zone IPS server (NFS and webserver
> running now, VPN next, followed by NAT-Router), and I'm ready to give
> feedback to anyone who will listen!  :)
>
> Thanks!
> Dan
> _______________________________________________
> pkg-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/pkg-discuss