[zones-discuss] Shared-ip routing and VNI interface

2007-11-30 Thread Paul Van Der Zwan
I am wondering if the following setup on S10u4 with local zones will work, or can be made to work.
The setup is meant to be used as a backend for a loadbalancer which uses the direct-return method, that is, no NAT but the balanced service talks directly to the client.

In all zones running a service I configure the same IP address on a vni interface. I know you can configure a single IP only on a single interface; AFAIK that means that I cannot run more than one instance of the same service on a single global zone.

The local zones will not get a 'real' interface configured, only the vni 
interface.
The global zone has a real interface configured with a real IP address.
The loadbalancer will use host routing to direct traffic to the correct global 
zone.

My theoretical setup would have this set of addresses and routes configured:

Host 1:
global zone   bge0  192.168.1.1/24
              vni0  10.1.1.254/24
zone1         vni1  10.1.1.1/24
zone2         vni2  10.1.1.2/24
zone3         vni3  10.1.1.3/24

Host 2:
global zone   bge0  192.168.1.2/24
              vni0  10.1.1.254/24
zone1         vni1  10.1.1.1/24
zone2         vni2  10.1.1.2/24
zone3         vni3  10.1.1.3/24

Default routes would be the same on both hosts, destinations would be 
10.1.1.254 and 192.168.1.254

What would happen if the load balancer sent a packet with destination address 10.1.1.1 and a source address of some public address on the internet to the MAC address of bge0 on host 2?
(The load balancer has selected 192.168.1.2 as the destination for this session to 10.1.1.1 and did an ARP for 192.168.1.2 to find the MAC for 192.168.1.2.)

Would that end up in zone 2? And if zone2 returns traffic, would that end up at 192.168.1.254, which would be able to route it to the final destination?

TIA 
 Paul
___
zones-discuss mailing list
zones-discuss@opensolaris.org


[zones-discuss] Shared-ip routing and VNI interface

2007-12-03 Thread Paul Van Der Zwan
I'm having a problem figuring out why my ping replies never get sent.

I have a Blade 1500 running Solaris 10 08/07

On it I have 2 active local zones, zone1 and zone2, their configs are:
# zonecfg -z zone1 export
create -b
set zonepath=/zones/zone1
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.50
set physical=vni0
end

and

# zonecfg -z zone2 export
create -b
set zonepath=/zones/zone2
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.51
set physical=vni1
end

The global zone has 192.168.200.14 configured on bge0
The default gateway  is 192.168.200.4.

If I configure a host route routing 192.168.200.50 to 192.168.200.14 on the router (192.168.200.4) and ping 192.168.200.50, I see echo request packets arrive on the bge0 interface but I never see any replies go out.
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 744)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 745)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 746)

The routing table shows:
  netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              192.168.200.4        UG        1      0
192.168.42.0         192.168.42.1         U         1      0 bge0:1
192.168.200.0        192.168.200.14       U         1      5 bge0
224.0.0.0            192.168.200.14       U         1      0 bge0
127.0.0.1            127.0.0.1            UH        1     38 lo0

ifconfig -a shows:
# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
        inet 127.0.0.1 netmask ff00
lo0:1: flags=2001000849 mtu 8232 index 1
        zone zone1
        inet 127.0.0.1 netmask ff00
lo0:2: flags=2001000849 mtu 8232 index 1
        zone zone2
        inet 127.0.0.1 netmask ff00
bge0: flags=1000843 mtu 1500 index 2
        inet 192.168.200.14 netmask ff00 broadcast 192.168.200.255
        ether 0:3:ba:2f:c1:bb
bge0:1: flags=1000843 mtu 1500 index 2
        inet 192.168.42.1 netmask ff00 broadcast 192.168.42.255
vni0: flags=20010100c0 mtu 0 index 3
        inet 0.0.0.0 netmask 0
vni0:1: flags=20010100c1 mtu 0 index 3
        zone zone1
        inet 192.168.200.50 netmask ff00
vni1: flags=20010100c0 mtu 0 index 4
        inet 0.0.0.0 netmask 0
vni1:1: flags=20010100c1 mtu 0 index 4
        zone zone2
        inet 192.168.200.51 netmask ff00
#


Any ideas ?


Paul




Re: [zones-discuss] Shared-ip routing and VNI interface

2007-12-03 Thread Paul van der Zwan

On 3 Dec 2007, at 12:49, James Carlson wrote:

> Paul Van Der Zwan writes:
>> I'm having a problem figuring out why my ping replies never get sent.
>
> There's no way for any of your configured zones to transmit, so they
> don't.  "Vni" is really not much different from "lo0."  You cannot
> transmit packets on "vni" -- it's just a place to hang a local IP
> address.  That's why they say "NOXMIT" when you configure them.
>
>> The global zone has 192.168.200.14 configured on bge0
>
> You need to give your zones access to bge0 if you want them to
> transmit there.  You "give access" by assigning an address on that
> interface.
>

What I was trying to do was have the option of running multiple zones, on different hosts, configured with the same IP address on a VNI interface so a loadbalancer can balance between different zones, each with the same configuration as far as the application running within the zone is concerned.
If I give each zone a unique address on the bge0 intf. and an application address on the vni, will the zone be able to route traffic out to the client?
For example:

service address=10.1.1.1
default gateway=192.168.1.254
zone1 on host1 has 192.168.1.1 on bge0 and 10.1.1.1 on vni0
zone1 on host2 has 192.168.1.2 on bge0 and 10.1.1.1 on vni0

The loadbalancer routes 10.1.1.1 traffic for session1 to 192.168.1.1
Would traffic from zone1 be able to go out to the internet using the default gateway 192.168.1.254 with a source of 10.1.1.1, or would the source become 192.168.1.1 (even if the application binds to 10.1.1.1)?

Is there some documentation on the routing in Solaris 10 esp. in  
combination with zones ?

TIA
Paul



Re: [zones-discuss] exclusive-ip

2007-12-11 Thread Paul van der Zwan

On 11 Dec 2007, at 13:23, caroline wrote:

> Hi,
>
> I set up exclusive-ip zone, using theses instructions :
>
>> set ip-type=excluse
>> add net
>> set physical=ce
> 
>

The ce interface currently cannot be used with exclusive ip instances.
Look at the crosbow faq for supported network interfaces:
http://www.opensolaris.org/os/project/crossbow/faq/#ipinst_any_nic

Paul

> When I boot the zone, I don't see physical interface anymore
> zone1# ifconfig -a
> lo0: flags=2001000849  
> mtu 8232 index 1
> inet 127.0.0.1 netmask ff00
>
>
> Is there other configuration to add ?
>
> Thanks a lot
>
> carol
>
>


Re: [zones-discuss] Patches via Live Upgrade with 2 zones on Solaris 10 Update 4 failed

2008-03-06 Thread Paul Van Der Zwan


> Last Friday 2/29 I decided to try Live Upgrade on my Solaris 10 Update
>  4 V480 Sparc box to apply about 50 or so patches with PCA
>  (http://www.par.univie.ac.at/solaris/pca/).
>  
>  # cat /etc/release
> Solaris 10 8/07 s10s_u4wos_12b SPARC
> Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
>  Use is subject to license terms.
>  Assembled 16 August 2007
>  # uname -a
>  SunOS ldap-global1 5.10 Generic_127111-07 sun4u sparc SUNW,Sun-Fire-480R
>  
>  My 2 internal drives are mirrored with SVM for the BE and ABE.  I also
>  have 2 sparse zones installed.  I disabled the primary applications
>  (Directory Proxy Server and Directory Server) in the respective zones
>  and applied the following 2 patches first in the global zone of the BE
>  with no errors.
>  
>  ./pca --install 119254-51
>  119254 50 < 51 RS-  15 SunOS 5.10: Install and Patch Utilities Patch
>  
>  ./pca --install 121430-22
>  121430 21 < 22 ---  15 SunOS 5.8 5.9 5.10: Live Upgrade Patch
>  
>  I then ran the following Live Upgrade and PCA commands with no errors.
>  
>  lumake -s sol10-2007-08 -n d2
>  lumount d2
>  ./pca -R /.alt.d2 --install
>  luumount d2
>  lurename -e d2 -n sol10p-20080229
>  luactivate sol10p-20080229
>  init 6
>  
>  The reboot seemed fine with no errors on the console.  After logging
>  in though I noticed that only 1 of my zones started up correctly
>  
>  ldap-global1:/ 124# zoneadm list -cv
>    ID NAME         STATUS     PATH                BRAND    IP
>     0 global       running    /                   native   shared
>     9 ldap-proxy1  running    /zones/ldap-proxy1  native   shared
>     - ldap-supplc  incomplete /zones/ldap-supplc  native   shared
>  
>  ldap-global1:/ 125# zoneadm -z ldap-supplc boot
>  zoneadm: zone 'ldap-supplc': must be installed before boot.
>  
>  Since it seems that the only way to resolve an "incomplete" zone is to
>  uninstall and then install, I decided instead to luactivate the
>  original BE and fallback to that instead.  I didn't see any zone or
>  patch errors in the /var/adm/messages file.
>  
>  Perhaps someone can give me a tip of where else to look for relevant
>  error or log files?  If more information on my system config is needed
>  please let me know too.  I would ultimately like to resolve this since
>  applying patches with Live Upgrade seems very easy to do and provides
>  a minimal amount of downtime.
>  


Have you tried a luactivate directly after the lumake?
There is a bug in cpio that causes lucreate to fail to create the zones in the new BE when there is a server in the zone that uses unix domain sockets. One server I had that caused the problem was the admin server used for the directory server.

I don't have the CR number available right now.

 Paul


Re: [zones-discuss] Patches via Live Upgrade with 2 zones on Solaris 10 Update 4 failed

2008-03-07 Thread Paul Van Der Zwan
> >  Have you tried a luactivate directly after the lumake ?
>  >  There is a bug in cpio that causes lucreate to fail  to create the 
> zones in the new be when
>  >  there is a server in the zone that uses unix domain sockets. One 
> server I had that caused the
>  >  problem was the admin server used for the directory server.
>  >
>  >  I don't have the CR number available right now.
>  
>  Paul,
>  
>  After reading that BigAdmin article that przemol suggested I see that
>  I should have tried the luactivate after the lumake.
>  
>  You may be onto something with the unix domain sockets.  The zone that
>  failed (ldap-supplc) is running Directory Server 5.2P4.  Looking at
>  the box now in production I see that there are several sockets from
>  the "netstat -an" output below for the admin server.  Since I turned
>  Directory Server off before running the LU commands I would have
>  thought those sockets would be cleaned up?  If you can find the CR
>  number maybe it's related to my system.
>  

I only ran into it with the servers enabled at boot in the zones; disabling the servers seems to fix the problem.
The sockets apparently only were created when the server was running. Even though I had the zones halted, the lucreate process started them enough to have the server processes started.
I did get an error message from lucreate that the zone copy in the new BE was not created correctly. If you don't get that error you are probably running into something else.

The CR number is 2154382, it's an old one but has been bumped up to P1.

 Paul


>  60005bdc728 stream-ord                           /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
>  60005bdc8f0 stream-ord                           /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>  60005bdcab8 stream-ord                           /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>  60005bdcc80 stream-ord              600070e1640  /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>  60005bdce48 stream-ord 6000713c000               /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
>  60005bdd010 stream-ord              600070e1640  /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>  60005bdd1d8 stream-ord              6000713c000  /var/Sun/mps/admin-serv/tmp/iwsadmin.2012
>  60005bdd3a0 stream-ord 60006e04d40               /var/run/.inetd.uds
>  60005bdd730 stream-ord 600070e1640               /var/Sun/mps/admin-serv/tmp/iwswatchdog.2011
>  
>  
>  Thanks,
>  -Eric
>  


Re: [zones-discuss] Zone with IP address from a different subnet

2008-06-06 Thread Paul Van Der Zwan


> James Carlson writes:
>  > Steffen Weiberle writes:
>  > > BTW, this only works for default routes. Static ones don't work. 
> at 
>  > > least that is my/others' experience.
>  > 
>  > That's not true.  Default routes are not supposed to be special.
>  > They're just regular network routes that happen to have 0/0 as a
>  > destination.
>  
>  Eh ... nuts.  I forgot about the special strangeness around "default"
>  routes in zones.  I still think it's not good, but you're right about
>  that.
>  

Is there any official documentation of this 'strangeness'? Because if there isn't (and I haven't been able to find it so far), it's still a bug. Either a code bug or a documentation bug.

Paul

PS We are running into this problem at a project at the moment and it cost us
a lot of hours figuring out why routing isn't working as we supposed it should 
:-(




[zones-discuss] Downgrading zones on Opensolaris 2009.x ( b131)

2010-01-25 Thread Paul van der Zwan
I have upgraded my Opensolaris system to b131 and followed the zoneadm detach/attach -u procedure to upgrade my zones to b131 as well. Unfortunately I am running into bug 6912829 (causes panic on zoneadm halt) quite often.
Downgrading the global zone by beadm activating my old be is easy. But how do I get my zones back?
Zoneadm attach complains that the zone is a newer rev than the global zone and that the global zone should be upgraded…

TIA
Paul




Re: [zones-discuss] Downgrading zones on Opensolaris 2009.x ( b131)

2010-01-25 Thread Paul van der Zwan

On 25 jan 2010, at 14:01, Jerry Jelinek wrote:

> On 01/25/10 04:30, Paul van der Zwan wrote:
>> I have upgraded my Opensolaris system to b131 and followed the zoneadm 
>> detach/attach -u procedure to upgrade my zones
>> to b131 as well. Unfortunately I am running into bug 6912829 ( causes panic 
>> on zoneadm halt ) quite often.
>> Downgrading the global zone by beadm activating my old be is easy. But how 
>> do I get my zones back ?
>> Zoneadm attach complains that the zone is a newer rev than the global zone 
>> and that the global zone should be upgraded…
> 
> Unfortunately it sounds like you detached your zones
> before doing the image-update.  If you do the image-update,
> then reboot, then detach/attach, then you will have a zone
> root for each BE and booting back is no problem.  However,
> if you detach before the image-update, then you only have
> one zone root and once you've updated that to match the
> new BE, then there is no way to downgrade it if you boot back.
> 

Ok, that’s what I did. Detach first and then the image-update.
I saw a workaround for the panics so downgrading may be less important, but I’ll have to change my procedure the next update.
Do you know of an ‘official’ zones/beadm/image-update doc that explains the correct procedure somewhere?


Paul
> Jerry


[zones-discuss] GDM connect to GDM in a zone ?

2010-02-01 Thread Paul van der Zwan
Is it possible to run GDM inside a zone on b131? I would like to have a zone I can use to run stuff like netbeans etc in, and I don’t want to use the global zone for that.

As far as I can tell the gdm smf service depends on dbus and that is marked as global zone only.
One more complication is that gdm is missing the old dtlogin option to select a remote host to connect to.
Or is that option hidden/disabled by default?

TIA
Paul



Re: [zones-discuss] GDM connect to GDM in a zone ?

2010-02-02 Thread Paul van der Zwan

On 1 feb 2010, at 22:22, Edward Pilatowicz wrote:

> i've never tried this, but i'd recommend figuring out if gdm can be run
> as an xdmcp server.
> 
> optionally, you could also run Xvnc within the zone.

That is an option I had not thought about...
> 
> or you could ssh -X to the zone and remote display your apps.

That’s no problem but I would like to run a full session in the zone.

> 
> if you're trying to run gdm in the zone to access local hardware
> (graphics card, keyboard, mouse, etc) that will be a difficult, since X
> now uses hal (which depends on dbus) to discover hardware.  i'm not sure
> how you could work around this (my X foo is not that strong).
> 
IMHO there is no reason for the local zone to access any hardware. The X server would be running in the global zone.
On Solaris 10 this setup worked without any problems. Dtlogin provided XDMCP services in the local zone and the dtlogin in the global zone allowed me to connect to that local zone using the chooser.


Paul
 
> ed
> 
> 
> On Mon, Feb 01, 2010 at 04:54:19PM +0100, Paul van der Zwan wrote:
>> Is it possible to run GDM inside a zone on b131 ? I would like to have a 
>> zone I can use to run stuff like netbeans etc in, and
>> I don’t want to use the global zone for that.
>> 
>> As far as I can tell the gdm smf service depends on dbus and that is marked 
>> as global zone only.
>> One more complication is that gdm is missing the old dtlogin option to 
>> select a remote host to connect to.
>> Or is that option hidden/disabled by default ?
>> 
>> TIA
>>  Paul
>> 


Re: [zones-discuss] [osol-discuss] GDM connect to GDM in a zone ?

2010-02-02 Thread Paul van der Zwan

On 2 feb 2010, at 00:54, Brian Cameron wrote:

> 
> Paul:
> 
>> Is it possible to run GDM inside a zone on b131 ? I would like to have a 
>> zone I can use to run stuff like netbeans etc in, and
>> I don’t want to use the global zone for that.
> 
> I would think that it should be possible, though I have not tried it
> myself.
> 
>> As far as I can tell the gdm smf service depends on dbus and that is marked 
>> as global zone only.
> 
> I do not believe that GDM depends on the system D-Bus service.  Instead,
> D-Bus and ConsoleKit communicate with each other via D-Bus.  So, it
> depends on D-Bus, but not the system D-Bus instance.
> 

Well, according to the default SMF configuration it seems to.
Maybe this is a bogus dependency but that’s the way the system is configured by default.
I’ll see what happens if I delete the dependency from SMF.

> So, this should not be an issue, I'd think.  If anything, there may be
> an issue with the battery status applet in GDM not working properly if
> it cannot connect to the system D-Bus, though that may not be an issue
> if you are using a server that does not run on a battery.
> 
It is on a server so that applet would not be useful anyway.

>> One more complication is that gdm is missing the old dtlogin option to 
>> select a remote host to connect to.
>> Or is that option hidden/disabled by default ?
> 
> The new GDM does support running as an XDMCP server and supports
> running XDMCP clients via indirect queries.  However, it currently does
> not support the ability to launch the XDMCP chooser from the login
> screen.  This is a known regression:
> 
>  https://bugzilla.gnome.org/show_bug.cgi?id=592976
> 
Is there anything I need to configure to have gdm be an XDMCP server ? 
Is there any other way to connect to a xdmcp server from gdm  ?

> Brian



Re: [zones-discuss] [osol-discuss] GDM connect to GDM in a zone ?

2010-02-02 Thread Paul van der Zwan

On 2 feb 2010, at 00:54, Brian Cameron wrote:

> 
> Paul:
> 
>> Is it possible to run GDM inside a zone on b131 ? I would like to have a 
>> zone I can use to run stuff like netbeans etc in, and
>> I don’t want to use the global zone for that.
> 
> I would think that it should be possible, though I have not tried it
> myself.
> 
>> As far as I can tell the gdm smf service depends on dbus and that is marked 
>> as global zone only.
> 
> I do not believe that GDM depends on the system D-Bus service.  Instead,
> D-Bus and ConsoleKit communicate with each other via D-Bus.  So, it
> depends on D-Bus, but not the system D-Bus instance.
> 

I just installed a zone  and I see the following:
r...@dev:~# svcs -a |grep offline
offline        10:12:09 svc:/system/consolekit:default
offline        10:12:09 svc:/application/graphical-login/gdm:default
r...@dev:~#
r...@dev:~# svcs -vx
svc:/system/consolekit:default (ConsoleKit)
 State: offline since Tue Feb 02 10:12:09 2010
Reason: Dependency svc:/system/dbus is absent.
   See: http://sun.com/msg/SMF-8000-E2
   See: man -M /usr/share/man -s 1m console-kit-daemon
Impact: 1 dependent service is not running:
        svc:/application/graphical-login/gdm:default
r...@dev:~#

That seems to indicate that gdm will not run in a zone with the default dependencies.
I installed the zone and ran 'pkg -R /zones/dev/root install SUNWgnome-display-mgr' to add gdm.

Paul




[zones-discuss] Error on zoneadm attach -u when going from b132 to b133

2010-02-22 Thread Paul van der Zwan
I upgraded my system from b132 to b133 this weekend and I got error messages 
when I ran attach -u to upgrade my zones.
The second run of the install of updated packages fails.
In the log I find:

$ pfexec cat /var/tmp/dns.attach_log.sCaydi
[Saturday, 20 February 2010 20:57:50 CET] Log File: /var/tmp/dns.attach_log.sCaydi
[Saturday, 20 February 2010 20:57:52 CET] Attaching...
[Saturday, 20 February 2010 20:57:52 CET] existing
[Saturday, 20 February 2010 20:57:52 CET]
[Saturday, 20 February 2010 20:57:52 CET]   Sanity Check: Passed.  Looks like an OpenSolaris system.

pkg: 'network/ftp' matches multiple packages
    network/ftp
    service/network/ftp
'network/dns/bind' matches multiple packages
    service/network/dns/bind
    network/dns/bind
'network/ssh' matches multiple packages
    network/ssh
    service/network/ssh


If I run attach -u a second time it attaches without doing anything, or giving 
an error.

Are my zones OK or are they partly upgraded ?

Paul



Re: [zones-discuss] Error on zoneadm attach -u when going from b132 to b133

2010-02-22 Thread Paul van der Zwan

On 22 feb 2010, at 12:02, Frank Batschulat (Home) wrote:

> On Mon, 22 Feb 2010 11:49:46 +0100, Paul van der Zwan 
>  wrote:
> 
>> I upgraded my system from b132 to b133 this weekend and I got error messages 
>> when I ran attach -u to upgrade my zones.
>> The second run of the install of updated packages fails.
>> In the log I find:
>> 
>> $ pfexec cat /var/tmp/dns.attach_log.sCaydi
>> [Saturday, 20 February 2010 20:57:50 CET] Log File: 
>> /var/tmp/dns.attach_log.sCaydi
>> [Saturday, 20 February 2010 20:57:52 CET] Attaching...
>> [Saturday, 20 February 2010 20:57:52 CET] existing
>> [Saturday, 20 February 2010 20:57:52 CET]
>> [Saturday, 20 February 2010 20:57:52 CET]   Sanity Check: Passed.  Looks 
>> like an OpenSolaris system.
>> 
>> pkg: 'network/ftp' matches multiple packages
>>network/ftp
>>service/network/ftp
>> 'network/dns/bind' matches multiple packages
>>service/network/dns/bind
>>network/dns/bind
>> 'network/ssh' matches multiple packages
>>network/ssh
>>service/network/ssh
>> 
>> If I run attach -u a second time it attaches without doing anything, or 
>> giving an error.
>> 
>> Are my zones OK or are they partly upgraded ?
> 
> I think exactly this issue is listed in the 133 release notes, and it states 
> running
> a 2nd attach will work.
> 
> if our marvellous opensolaris.org system would work you could read the 133 
> release notes here
> on the indiana discuss alias:
> 
> http://opensolaris.org/jive/thread.jspa?threadID=124275
> 

That seems to be it. Must have missed it..

Thanks 
Paul

> ---
> frankB
> 



Re: [zones-discuss] [osol-discuss] Error on zoneadm attach -u when going from b132 to b133

2010-02-22 Thread Paul van der Zwan

On 22 feb 2010, at 12:26, Alan Burlison wrote:

> Paul van der Zwan wrote:
> 
>> If I run attach -u a second time it attaches without doing anything, or 
>> giving an error.
>> Are my zones OK or are they partly upgraded ?
> 
> Sounds like an issue mentioned in the release notes:
> 
> http://mail.opensolaris.org/pipermail/opensolaris-announce/2010-February/001411.html
> http://defect.opensolaris.org/bz/show_bug.cgi?id=14673
> 

That seems to be it. Glad I did what the release notes say I should have done 
;-)


Thanks 
Paul

> -- 
> Alan Burlison
> --



Re: [zones-discuss] [osol-discuss] Error on zoneadm attach -u when going from b132 to b133

2010-02-24 Thread Paul van der Zwan

On 22 feb 2010, at 15:02, Thomas Burgess wrote:

> 
> you're lucky.  It didn't work for me.  I got caught in a catch 22
> i'd do attach -u and it would fail, then i'd do attach (without -u) and it 
> would tell me to do attach -u
> 
Did you do the detach after the image-update? That was a mistake I made the first time I wanted to upgrade a system with zones, doing the detach before the image-update.

My zones are fairly minimal, just ‘entire’ and a few extra packages, all from the dev repo.
Nothing from contrib in the zones; maybe that might be a difference.

Paul

> On Mon, Feb 22, 2010 at 8:51 AM, Paul van der Zwan  
> wrote:
> 
> On 22 feb 2010, at 12:26, Alan Burlison wrote:
> 
> > Paul van der Zwan wrote:
> >
> >> If I run attach -u a second time it attaches without doing anything, or 
> >> giving an error.
> >> Are my zones OK or are they partly upgraded ?
> >
> > Sounds like an issue mentioned in the release notes:
> >
> > http://mail.opensolaris.org/pipermail/opensolaris-announce/2010-February/001411.html
> > http://defect.opensolaris.org/bz/show_bug.cgi?id=14673
> >
> 
> That seems to be it. Glad I did what the release notes say I should have done 
> ;-)
> 
> 
> Thanks
>Paul
> 
> > --
> > Alan Burlison
> > --
> 

[zones-discuss] Not all zones will start at system boot on b133

2010-03-01 Thread Paul van der Zwan
When I boot my b133 system not all zones will get started, even when they are 
marked with auto-boot = yes.

In the smf log /var/svc/log/system-zones:default.log I see:
[ Feb 26 21:14:44 Enabled. ]
[ Feb 26 21:15:09 Executing start method ("/lib/svc/method/svc-zones start"). ]
Booting zones: webzone mailzone buildzone dns devERROR: error while acquiring 
slave handle of zone console for dev: No such device or address
console setup: device initialization failed
ERROR: error while acquiring slave handle of zone console for buildzone: No 
such device or address
console setup: device initialization failed
zone 'dev': could not start zoneadmd
zoneadm: zone 'dev': call to zoneadmd failed
zone 'buildzone': could not start zoneadmd
zoneadm: zone 'buildzone': call to ERROR: error while acquiring slave handle of 
zone console for mailzone: No such device or address
console setup: device initialization failed
zoneadmd failed
zone 'mailzone': could not start zoneadmd
zoneadm: zone 'mailzone': call to zoneadmd failed
.
[ Feb 26 21:15:24 Method "start" exited with status 0. ]

When I do a zoneadm boot for the zones that have failed to boot they start 
without any problem.

Any ideas ?

Paul



Re: [zones-discuss] Not all zones will start at system boot on b133

2010-03-12 Thread Paul van der Zwan

On 9 mrt 2010, at 00:26, Jordan Vaughan wrote:

> Hi Paul,
> 
> I wrote the code that introduced the zcons (zone console) ioctl that's 
> failing on your system.  I'll investigate this problem as soon as possible.
> 
> Does this problem occur consistently (i.e., every time you boot your system)? 
>  Does it ever happen when you manually boot a zone?
> 

Yes, as far as I can tell zones fail to boot on each boot. I upgraded to 134 yesterday and after the reboot to enable b134, 3 out of 8 zones had not booted.

If you need more info or logging please let me know.

Paul

> Thanks,
> Jordan
> 
> 
> On 03/ 1/10 04:20 AM, Paul van der Zwan wrote:
>> When I boot my b133 system not all zones will get started, even when they 
>> are marked with auto-boot = yes.
>> 
>> In the smf log /var/svc/log/system-zones:default.log I see:
>> [ Feb 26 21:14:44 Enabled. ]
>> [ Feb 26 21:15:09 Executing start method ("/lib/svc/method/svc-zones 
>> start"). ]
>> Booting zones: webzone mailzone buildzone dns devERROR: error while 
>> acquiring slave handle of zone console for dev: No such device or address
>> console setup: device initialization failed
>> ERROR: error while acquiring slave handle of zone console for buildzone: No 
>> such device or address
>> console setup: device initialization failed
>> zone 'dev': could not start zoneadmd
>> zoneadm: zone 'dev': call to zoneadmd failed
>> zone 'buildzone': could not start zoneadmd
>> zoneadm: zone 'buildzone': call to ERROR: error while acquiring slave handle 
>> of zone console for mailzone: No such device or address
>> console setup: device initialization failed
>> zoneadmd failed
>> zone 'mailzone': could not start zoneadmd
>> zoneadm: zone 'mailzone': call to zoneadmd failed
>> .
>> [ Feb 26 21:15:24 Method "start" exited with status 0. ]
>> 
>> When I do a zoneadm boot for the zones that have failed to boot they start 
>> without any problem.
>> 
>> Any ideas ?
>> 
>>  Paul
>> 


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Paul van der Zwan

On 26 Nov 2010, at 10:50 , Orvar Korvar wrote:

> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why 
> I created this thread.
> 
> I was thinking something like this: If someone hacks my WinXP, then he must 
> bypass VBox. Then he is inside the local zone. Then he must get root access 
> to the local zone. Then he must break the zone to get into the global zone. 
> When he is in the global zone, he must gain root access. Then he is in my 
> computer.
> 
> To prevent this, I shut down the NIC to the global zone. Then there is no 
> communication between the global zone and local zones. So how can a hacker 
> inside a local zone, gain access to the global zone? The global zone does not 
> respond to any communication, because it's NIC is down.
> 
> 
There is probably no need to shut down the NIC in the global zone. As long as you configure the zone to use exclusive IP and make sure the zone is on a separate subnet from the global zone and there is no routing between the subnets, you should be fine.
You could also use the crossbow features to create an internal network and do 
all kinds of firewalling between your VBox zone and the rest of the world.

Paul

> 
> But you say something like: if a hacker takes control over VBox, then he also 
> gets inside the kernelspace and then he bypasses zones and everything and is 
> inside the global zone? He does not have to go through NICs and zones and 
> what not?



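As an added example, not from this thread or from Sun's zones tooling: a POSIX sh audit that parses zonecfg export text (the format of the zone1/zone2 configs in the 2007-12-03 post) and checks the two conditions given in the reply above, ip-type=exclusive and no zone address inside the global zone's subnet. The sample configs, the global zone address 192.168.200.14/24 and the function names audit_zonecfg, same_subnet and ip_to_int are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a zonecfg export against the advice above (exclusive IP,
# zone addresses outside the global zone's subnet). Constructed sample configs,
# in the same format as the zone1/zone2 exports quoted earlier in the thread.
ZONECFG_SHARED='create -b
set zonepath=/zones/zone1
set autoboot=false
set ip-type=shared
add net
set address=192.168.200.50
set physical=vni0
end'

ZONECFG_EXCL='create -b
set zonepath=/zones/zone2
set autoboot=false
set ip-type=exclusive
add net
set physical=vnic0
end'

# ip_to_int A.B.C.D -> the address as one integer, so masks can be compared.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR GLOBAL_ADDR PREFIXLEN: true when both addresses share the
# network part; a zone address on the global zone's own subnet is reachable
# from it directly, without any routing in between.
same_subnet() {
    mask=$(( ((1 << $3) - 1) << (32 - $3) ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# audit_zonecfg CONFIG GLOBAL_ADDR PREFIXLEN: prints one finding per line and
# returns the number of findings (0 = nothing to report).
audit_zonecfg() {
    cfg=$1; gaddr=$2; plen=$3; findings=0
    iptype=$(printf '%s\n' "$cfg" | sed -n 's/^set ip-type=//p' | tail -n 1)
    if [ "$iptype" != "exclusive" ]; then
        echo "ip-type is '${iptype:-unset}': zone shares the global zone's IP stack"
        findings=$((findings + 1))
    fi
    # Every 'set address=' in the export; an optional /prefix suffix is dropped.
    for addr in $(printf '%s\n' "$cfg" | sed -n 's/^set address=//p'); do
        addr=${addr%%/*}
        if same_subnet "$addr" "$gaddr" "$plen"; then
            echo "address $addr is inside the global zone's subnet $gaddr/$plen"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Stand-alone run: the shared-IP config gets two findings, the exclusive-IP
# config gets none.
for cfg in "$ZONECFG_SHARED" "$ZONECFG_EXCL"; do
    echo "== $(printf '%s\n' "$cfg" | sed -n 's/^set zonepath=//p')"
    audit_zonecfg "$cfg" 192.168.200.14 24 || echo "-> $? finding(s)"
done
```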