Re: [zones-discuss] Shared-IP zones - global network
My apologies for the lateness of this summary - work has been "interesting".

The solution on the routing side was to plumb and fully activate two nics in the global zone for the two subnets the whole-root zones would be active in. For the zones themselves, each nic assigned to a zone was plumbed with a null address and gateway in the global zone and with the zone-specific information within the zone. No routing was needed in the zones - the global routing table is passed through to the zones.

This is suboptimal from a security standpoint, as the global zone must be in the public sphere if the working zones are. It is also wasteful of nics. The long-term solution, budget allowing, would be to buy some newer nics.

Thank you to all who helped.

Matthew

On 4/2/08 8:49 PM, "Steffen Weiberle" <[EMAIL PROTECTED]> wrote:

> Matthew Taylor wrote:
>> Thank you, and to those who replied off line as well. I will try it out and
>> report back on my success (or not) in the morning.
>>
>> It does strike me that this should be in the docs. I have gone through
>> 817-1592-15, the Zones admin guide, and find little to nothing on what the
>> configuration of the global zone should be to enable shared-ip. I can't be
>> the only one to want to use otherwise not in use physical nics.
>
> It's not in the docs because (AFAIK) it is not a tested, and thus not
> supported, configuration. As I state or paraphrase it, because of the
> shared IP, the expectation is that the global and non-global zones are
> on the same subnet. Many deployments want to have the global, or system
> administrative, zone on a separate admin network, and the non-global
> zones on the service networks. The original implementation, and dare I
> say design [1], was not to that. And as I have been repeatedly told by
> folks who know the routing very well, trying to get routing to do the
> right thing and what users would like it to do may be very difficult in
> a single IP instance.
>
> IP Instances is in place to help address that, but as you have found
> out, unfortunately it does not work with all NICs (in Solaris and in
> OpenSolaris prior to b84).
>
> I have been reading the design doc recently and need to look back at the
> networking part to be sure.
>
> Steffen
>
> [1] http://www.opensolaris.org/os/community/arc/caselog/2002/174/

-- 
Matthew Taylor
Montgomery College
Office of Information Technology
240.567.3100
[EMAIL PROTECTED]

___
zones-discuss mailing list
zones-discuss@opensolaris.org
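The recipe that comes out of this thread (empty /etc/hostname.qfeN files so the global zone plumbs the NICs with no address at boot, then the real addresses living only in the zone's net resources) is pulled together below as an added example; it is not code from any of the posters. The zone name "web1", the NIC assignment qfe0/qfe1, the 192.0.2.0/24 and 10.0.0.0/24 subnets and every address in it are assumptions made up for illustration. ROOT defaults to a scratch directory so the script can be dry-run on any box; set ROOT to the empty string to write the real /etc on a Solaris 10 global zone.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a Solaris 10 global zone for
# shared-IP zones that reuse otherwise idle qfe NICs, and emit the zonecfg(1M)
# command file for one such zone.
#
# Assumptions (invented for illustration): zone "web1" gets qfe0 on a public
# 192.0.2.0/24 and qfe1 on a private 10.0.0.0/24.  ROOT defaults to a scratch
# directory; run with ROOT="" to touch the live /etc.
ROOT="${ROOT-${TMPDIR:-/tmp}/gz-dryrun}"

# Persistently plumb a NIC in the global zone with no address.  An empty
# /etc/hostname.<nic> makes the boot scripts plumb the interface with 0.0.0.0,
# which is the precondition a shared-IP zone needs before it can configure its
# own address on that interface.
plumb_nic_persistent() {
    nic="$1"
    f="$ROOT/etc/hostname.$nic"
    mkdir -p "$ROOT/etc"
    # Refuse to clobber a file that already carries a global-zone address:
    # overwriting it would silently drop that interface's configuration.
    if [ -s "$f" ]; then
        echo "refusing to overwrite non-empty $f" >&2
        return 1
    fi
    : > "$f"
}

# Emit a zonecfg command file for a shared-IP zone with two net resources.
# The addresses go only here, not in the global zone.  defrouter sets the
# zone's default route inside the shared IP instance; on a Solaris 10 update
# whose zonecfg rejects the property, drop that line and add the route in the
# global zone instead.
emit_zonecfg() {
    zone="$1"
    out="$2"
    cat > "$out" <<EOF
create
set zonepath=/zones/$zone
set ip-type=shared
set autoboot=true
add net
set physical=qfe0
set address=192.0.2.10/24
set defrouter=192.0.2.1
end
add net
set physical=qfe1
set address=10.0.0.10/24
end
verify
commit
EOF
}

# Number of hostname.* files under ROOT, so a dry run can be checked.
count_plumbed() {
    ls "$ROOT"/etc/hostname.* 2>/dev/null | wc -l | tr -d ' '
}

main() {
    for nic in qfe0 qfe1; do
        plumb_nic_persistent "$nic" || exit 1
    done
    emit_zonecfg web1 "${ROOT:-.}/web1.cfg"
    # On the live system, follow with:
    #   zonecfg -z web1 -f web1.cfg && zoneadm -z web1 install
    echo "plumbed $(count_plumbed) NIC(s); zonecfg script at ${ROOT:-.}/web1.cfg"
}

main
```

The non-empty-file check matters more than it looks: a NIC the global zone already uses for its own management address (hme0 in the original question) must not be reused this way, and on a live system a stray `touch` over /etc/hostname.hme0 would erase that address at the next boot. Keep the zone's addresses only in the zonecfg file; if the same address is also written into a global-zone hostname file, the global zone and the zone will both try to own it.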
Re: [zones-discuss] Shared-IP zones - global network
James Carlson wrote:
> Matthew Taylor writes:
>> Do you know if plumbing all the qfe's without assigning an IP address will
>> persist across reboots of the base system? Never tried that on Solaris
>> (works on LINUX iirc, but you have to enter the info in a script).
>
> This will make plumbing persist across reboot for qfe0 through qfe3:
>
> touch /etc/hostname.qfe0 /etc/hostname.qfe1
> touch /etc/hostname.qfe2 /etc/hostname.qfe3
>
> Not sure if that's what you were after, though. (More context needed ...)

That's true. I find most users are trying to do something like this diagram shows

http://blogs.sun.com/stw/resource/ipinstances-vlans/tieredweb-ipinstance-vlan071102.png

replacing VLANs with discrete NICs, and web, auth, and app with whatever services they are trying to run.

Matthew, if that is not the case, a description would be very handy.

Steffen
Re: [zones-discuss] Shared-IP zones - global network
Matthew Taylor wrote:
> Thank you, and to those who replied off line as well. I will try it out and
> report back on my success (or not) in the morning.
>
> It does strike me that this should be in the docs. I have gone through
> 817-1592-15, the Zones admin guide, and find little to nothing on what the
> configuration of the global zone should be to enable shared-ip. I can't be
> the only one to want to use otherwise not in use physical nics.

It's not in the docs because (AFAIK) it is not a tested, and thus not supported, configuration. As I state or paraphrase it, because of the shared IP, the expectation is that the global and non-global zones are on the same subnet. Many deployments want to have the global, or system administrative, zone on a separate admin network, and the non-global zones on the service networks. The original implementation, and dare I say design [1], was not to that. And as I have been repeatedly told by folks who know the routing very well, trying to get routing to do the right thing and what users would like it to do may be very difficult in a single IP instance.

IP Instances is in place to help address that, but as you have found out, unfortunately it does not work with all NICs (in Solaris and in OpenSolaris prior to b84).

I have been reading the design doc recently and need to look back at the networking part to be sure.

Steffen

[1] http://www.opensolaris.org/os/community/arc/caselog/2002/174/
Re: [zones-discuss] Shared-IP zones - global network
Matthew Taylor writes:
> Do you know if plumbing all the qfe's without assigning an IP address will
> persist across reboots of the base system? Never tried that on Solaris
> (works on LINUX iirc, but you have to enter the info in a script).

This will make plumbing persist across reboot for qfe0 through qfe3:

touch /etc/hostname.qfe0 /etc/hostname.qfe1
touch /etc/hostname.qfe2 /etc/hostname.qfe3

Not sure if that's what you were after, though. (More context needed ...)

-- 
James Carlson, Solaris Networking              <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
Re: [zones-discuss] Shared-IP zones - global network
Thank you, and to those who replied off line as well. I will try it out and report back on my success (or not) in the morning.

It does strike me that this should be in the docs. I have gone through 817-1592-15, the Zones admin guide, and find little to nothing on what the configuration of the global zone should be to enable shared-ip. I can't be the only one to want to use otherwise not in use physical nics.

This message posted from opensolaris.org
Re: [zones-discuss] Shared-IP zones - global network
Matthew Taylor wrote:
> Do you know if plumbing all the qfe's without assigning an IP address will
> persist across reboots of the base system? Never tried that on Solaris
> (works on LINUX iirc, but you have to enter the info in a script).

It will not persist. An empty /etc/hostname.qfe0 will plumb it for you, however.
Re: [zones-discuss] Shared-IP zones - global network
Do you know if plumbing all the qfe's without assigning an IP address will persist across reboots of the base system? Never tried that on Solaris (works on LINUX iirc, but you have to enter the info in a script).
Re: [zones-discuss] Shared-IP zones - global network config preconditions
Matthew Taylor wrote:
> Apologies if my search-fu failed me and the answer is out there.
>
> I have a box with 1 hme and 8 qfe interfaces. I would normally use
> exclusive IP zones, but that is not possible with these non-gldv3 driven
> interfaces, so I am forced to use shared IP zones.
>
> hme0 is configured on the host with a 10.x.x.x address. This is the only IP
> address to be used on the global zone.
>
> Each shared-ip zone is to have two of the physical qfe addresses assigned to
> it, in two different subnets, one public, one the same 10.x.x.x as in the
> global.
>
> I have searched, and can not find the answer to this question:
>
> Do the qfe's all have to be plumbed and have an assigned IP address
> in the global zone separate from the IP address assigned in the non-global
> zone configuration?

Yes, they all need to be plumbed. A 0.0.0.0 address is sufficient in the global zone. However, routing will be unless at some time you have an address of the other subnet configured so routes can be set up. At least until after one zone has booted (but I have never tried all the possible permutations and timeouts (how long after the last zone is halted will the entry go away and when you boot a zone again its traffic won't go where you expect it to). Not sure if setting a persistent route 'route -p add...' will do the trick.

OpenSolaris build 84 and later has the shim in place so that you can use legacy NICs.

Steffen
[zones-discuss] Shared-IP zones - global network config preconditions
Apologies if my search-fu failed me and the answer is out there.

I have a box with 1 hme and 8 qfe interfaces. I would normally use exclusive IP zones, but that is not possible with these non-gldv3 driven interfaces, so I am forced to use shared IP zones.

hme0 is configured on the host with a 10.x.x.x address. This is the only IP address to be used on the global zone.

Each shared-ip zone is to have two of the physical qfe addresses assigned to it, in two different subnets, one public, one the same 10.x.x.x as in the global.

I have searched, and can not find the answer to this question:

Do the qfe's all have to be plumbed and have an assigned IP address in the global zone separate from the IP address assigned in the non-global zone configuration?