Re: [zones-discuss] if the local zone and global zone share the same arp table

2006-05-16 Thread Erik Nordmark
Joanna.Zhou wrote: if the local zone and global zone share the same arp table? The local zone has the same ether address with the global zone, if I made an arp reply to the ether address to answer an arp request (I plan to reply to local zone) , how could the system differentiate which

[zones-discuss] [Fwd: Reminder: Design review of IP Instances part of Crossbow]]

2006-10-10 Thread Erik Nordmark
Original Message Subject: Reminder: Design review of IP Instances part of Crossbow] Date: Tue, 10 Oct 2006 14:21:59 -0700 From: Erik Nordmark [EMAIL PROTECTED] To: [EMAIL PROTECTED] The deadline for design review comments is October 20th. Erik Original Message

Re: [zones-discuss] Strange routing using zones

2006-10-10 Thread Erik Nordmark
[EMAIL PROTECTED] wrote: Observation on NIC gives me: [e1000g1] /opt/sfw/bin/tethereal -i e1000g1 -t ad host l.l.l.110 and host c.c.c.186 [e1000g0] /opt/sfw/bin/tethereal -i e1000g0 -t ad host l.l.l.110 and host c.c.c.186 [1] [e1000g1] 2006-10-06 09:25:11.329472 c.c.c.186 - l.l.l.110 TCP

Re: [zones-discuss] Zones and VLAN tagging.

2006-10-18 Thread Erik Nordmark
Roshan Perera wrote: Hi all, Appreciate if someone can help me with VLAN tagging on zones please. Details below. Dummy example.. Global Zone IP address 10.10.10.5 (IPMP real) ce0 10.10.10.6 (IPMP test) ce1 10.10.10.7

Re: [zones-discuss] [Fwd: Reminder: Design review of IP Instances part of Crossbow]]

2006-10-24 Thread Erik Nordmark
Edward Pilatowicz wrote: hey erik, some questions after reading the interface document. (and i apologize in advance if some of the questions seem silly because i'm not a networking expert.) No problem - I explicitly want reviews from the zones perspective. And I'm getting reviews from the

[zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-03 Thread Erik Nordmark
Peter Memishian wrote: With regard to the third bullet, please see my concerns above about the introduction of list -l. I think this should be part of a general zone status/health facility or perhaps something that dladm(1M) can print about the link names and how their

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-03 Thread Erik Nordmark
Dan Price wrote: 'list -i' religiously follows this idiosyncratic approach ;-) We have a plan to add 'zoneadm info' or some such to display all the runtime attributes of running zones. Hopefully we'll get to that in the next 12 months or so. I'd request that you hold off on adding list -l

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-05 Thread Erik Nordmark
Eric Enright wrote: I just subscribed to this alias, apologies if I'm missing anything from this thread... Some of this was discussed a few months back. I'd like to express interest in this as well. Just last week I came across the need for this, and was disappointed to learn that it (or

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-05 Thread Erik Nordmark
[EMAIL PROTECTED] wrote: Could ifconfig be modified to report all network interfaces that are assigned to a zone? I assume you mean in the global zone; ifconfig -a inside a zone (global or not) does report all the network interfaces that are configured. But that would be quite odd. The

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-06 Thread Erik Nordmark
[EMAIL PROTECTED] wrote: Yes, that's one of the reasons I suggested having dladm(1M) be the place to display this information since it's where links are administered in general, even the ones that will be handed off to exclusive-stack zones. David, If we want any form of internal

Re: [zones-discuss] [Fwd: Reminder: Design review of IP Instances part of Crossbow]]

2006-11-06 Thread Erik Nordmark
Edward Pilatowicz wrote: [You brought up an issue with /etc/hostname.* etc being ignored when a shared-IP zone is booted.] perhaps some kind of warning message should be generated in this scenario instead? something like: Ignoring zone network configuration specified:

[zones-discuss] Re: [Fwd: Re: BrandZ and IP instances]

2006-11-06 Thread Erik Nordmark
Edward Pilatowicz wrote: hm. that's unfortunate. so if a user wanted to use ip filters in an lx zone, how would we support this? Do we know what users might want in this space? Has anybody asked on the brandz-discuss list? Is the iptables syntax important? Or is IP Filter syntax ok? Does

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss]Design review of IP Instances part of Crossbow

2006-11-07 Thread Erik Nordmark
Jeff Victor wrote: Here's one reason: consistency. All users in the GZ can see some information about non-global zones (e.g. ps). Privileged GZ users can see all info about non-global zones, and need to do so in order to manage them. But the exclusive-IP behavior is quite different from

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss]Design review of IP Instances part of Crossbow

2006-11-07 Thread Erik Nordmark
Darren Reed wrote: - Original Message - From: Erik Nordmark [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Could ifconfig be modified to report all network interfaces that are assigned to a zone? I assume you mean in the global zone; ifconfig -a inside a zone (global or not) does

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-07 Thread Erik Nordmark
Eric Enright wrote: I'd like to express interest in this as well. Just last week I came across the need for this, and was disappointed to learn that it (or something similar) is not there. Would zoneadm list -l as specified (with example output) in

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss]Design review of IP Instances part of Crossbow

2006-11-08 Thread Erik Nordmark
James Carlson wrote: I don't think that argument works on two counts. First, exclusive-IP behavior does not offer complete IP isolation, because you can't (for instance) install your own copy of Firewall-1 or Cisco VPN into a non-global exclusive-IP zone. Agreed you can't do that. But how

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-11-08 Thread Erik Nordmark
[EMAIL PROTECTED] wrote: If we want any form of internal consistency, wouldn't we also need to change where we assign datalink names from zonecfg to dladm? Thus no more 'net' resource in zonecfg for exclusive-IP zones, but instead some dladm set-zone zoneA bge1 Only having dladm show it,

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss]Design review of IP Instances part of Crossbow

2006-11-08 Thread Erik Nordmark
James Carlson wrote: Erik Nordmark writes: But the key thing to me is the consistency between where things can be observed and where they can be modified. We already have RFEs filed against other utilities because they don't show non-global zone activity (see, for example, CR 6369726). I

Re: [zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss]Design review of IP Instances part of Crossbow

2006-11-08 Thread Erik Nordmark
James Carlson wrote: In some usage models, the global zone administrator owns everything. Even if he can't directly control things from the global zone (and must log into the non-global zone to turn services on and off), he wants to see a view of the system that includes everything. Do you

[zones-discuss] [Fwd: [crossbow-discuss] Code review for IP Instances]

2006-11-15 Thread Erik Nordmark
Original Message Subject: [crossbow-discuss] Code review for IP Instances Date: Wed, 15 Nov 2006 01:32:31 -0800 From: Erik Nordmark [EMAIL PROTECTED] To: [EMAIL PROTECTED] The IP Instances project is now soliciting code review comments. You can access the webrev at http

Re: [zones-discuss] DHCP-/BOOTP-server in a local zone ?

2006-12-18 Thread Erik Nordmark
James Carlson wrote: Jeff Victor writes: Detlef Drewanz wrote: I know dhcp-server and bootp-server were not possible to run in local zones. So now with S10 11/06 we can configure some more privileges into a zone. E.g. if I add the privilege net_raw_access to a zone, can I then run

[zones-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow

2006-12-20 Thread Erik Nordmark
[EMAIL PROTECTED] wrote: Erik, Here are my belated comments on the IP Instances design. And here are my belated responses. But we've already acted on the comments that affect the design and code, and I'll make sure the Zones documentation covers the other documentation items. There are

Re: [zones-discuss] [Fwd: [crossbow-discuss] Code review for IP Instances]

2006-12-21 Thread Erik Nordmark
Jerry Jelinek wrote: Erik Nordmark wrote: The IP Instances project is now soliciting code review comments. I reviewed the zones portions of the webrev and my comments are below. Great. Thanks for your careful review. Unless otherwise noted we've applied your suggested changes. Responses

Re: [zones-discuss] Re: [nfs-discuss] Re: [sysadmin-discuss] NFS server in zones

2007-02-14 Thread Erik Nordmark
Robert Thurlow wrote: Glenn Faden wrote: 4) A bug currently prevents a client instance and a server instance from being safe to use on the same box (apologies, can't quote the bugid from here). How likely, in your use case, is it that this will be a problem, i.e. will your boxes be in the

Re: [zones-discuss] Re: [install-discuss] DHCP Server in zone, WAS: Install software from SXCE DVD?

2007-03-19 Thread Erik Nordmark
Steffen Weiberle wrote: I'll have to see if your steps are easier in a zone with an exclusive IP instance. FWIW There wasn't anything extra I had to do when I tested the DHCP server in an exclusive-IP zone a few months back. Erik

Re: [zones-discuss] Problem with lack of closed port response on zones

2007-04-02 Thread Erik Nordmark
Kevin Van Der Hart wrote: When I telnet to any non-listening port on a global zone, I get connection refused. When I telnet to any non-listening port on a local zone that has a virtual address on the same NIC as the global zone, I get connection refused. When I telnet to any non-listening port

Re: [zones-discuss] Problem with lack of closed port response on zones

2007-04-02 Thread Erik Nordmark
is sent as if originated from the global zone. With your reject routes that packet would be dropped. Erik Thanks, Kevin -Original Message- From: Erik Nordmark [mailto:[EMAIL PROTECTED] Sent: Monday, April 02, 2007 1:24 PM To: Van Der Hart, Kevin Cc: zones-discuss@opensolaris.org

Re: [zones-discuss] Solaris Zones and Blackhole Routing

2007-04-16 Thread Erik Nordmark
Tony Marshall wrote: When the application servers and database servers start we are seeing a large number of timeouts when the application tries to connect to the localhost to check a service is up. When a number of blackhole routes are removed these timeouts disappear. Tony, Has anybody

Re: [zones-discuss] pidentd

2007-05-04 Thread Erik Nordmark
James Carlson wrote: [EMAIL PROTECTED] writes: I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work ? Essentially, no. Opening /dev/kmem in the

Re: [zones-discuss] zonecfg and dhcp for shared interface?

2007-06-14 Thread Erik Nordmark
Martin Man wrote: Steffen Weiberle wrote: Hi Martin, looking at your question again... What are the requirements? Do non-global zones need to get their address via DHCP? yes, not necessarily from the non-global zone, the address can be assigned and renewed periodically from the global

Re: [zones-discuss] zonecfg and dhcp for shared interface?

2007-06-15 Thread Erik Nordmark
James Carlson wrote: Getting the DHCP data into a form where Linux can use it inside the zone might be a challenge, but it's worth some thought. I think it would also require emulation/translation of some additional Linux ioctls; I don't think the ioctl to *set* the IP address and netmask

Re: [zones-discuss] Configure ipv6 address for an exclusive zone

2007-07-26 Thread Erik Nordmark
LaoTsao (Dr. Tsao) wrote: try network_interface=e1000g2 { hostname=zox04-ipv6 ip_address=2000::214:4fff:fe6a:b80f/64. protocol_ipv6=yes } AFAIK the ipv6 support in sysidcfg is merely the protocol_ipv6=yes thus it isn't possible to specify a static IPv6 address. Instead the

Re: [zones-discuss] Question about IP instances

2007-08-15 Thread Erik Nordmark
Coy Hile wrote: When Sol10u4 comes out, I intend to move my non-global zones to exclusive IP instances so that I can route traffic through my NAT from the outside more easily (don't ask!). I do have a question, however. Say I have a machine with one physical link, e1000g0, which has

[zones-discuss] Need code review: 6558857 ZSD callback locking cause deadlocks

2007-08-29 Thread Erik Nordmark
Fixing the above CR requires changing how locking is done across the ZSD callbacks. The new design is to determine what callbacks are needed while holding the usual locks, but not hold any locks across the actual callbacks. This holds up under extreme stress testing where zones come and go at

Re: [zones-discuss] Need code review: 6558857 ZSD callback locking cause deadlocks

2007-08-29 Thread Erik Nordmark
Nicolas Williams wrote: Hmmm, someone commented (in the VSD case) that maybe we ought to have a common object-specific key facility. Here we have fixes to two different object-specific key facilities. I think a heads up to the RE for CR 6588504 is in order. And maybe we should think about

Re: [zones-discuss] Need code review: 6558857 ZSD callback locking cause deadlocks

2007-09-04 Thread Erik Nordmark
Nicolas Williams wrote: On Wed, Aug 29, 2007 at 03:47:22PM -0700, Erik Nordmark wrote: Comments? - $SRC/uts/common/sys/zone.h:483 - $SRC/uts/common/sys/netstack.h:90 s/looks/locks/ - $SRC/uts/common/os/zone.c:321 s/ZONE_EVENT_UNINITIALIZED/ZONE_EVENT_INITIALIZED

Re: [zones-discuss] physical= not obeyed when ip-type=shared and physical dev part of IPMP group in global zone

2008-05-21 Thread Erik Nordmark
Lewis Thompson wrote: Hi, I have a customer who has a basic IPMP config in his global zone: vnet0 vnet1 [currently vnet0 has the 'floating' IP] In addition he has a zone with ip-type=shared where physical=vnet1 When the zone boots the zone interface gets created on vnet0 instead

Re: [zones-discuss] Zone with IP address from a different subnet

2008-06-04 Thread Erik Nordmark
Alain Durand wrote: Thanks for your answer, I might be missing something obvious, but how can I add this route ? (global zone) # route add default xx.121.41.254 add net default: gateway xx.121.41.254: Network is unreachable I forgot about that part. The common way is to add the route while

Re: [zones-discuss] Adding a NIC to running zones

2009-01-28 Thread Erik Nordmark
James Carlson wrote: Jeff Victor writes: A NIC can be added to a running shared-IP zone by using the ifconfig command its zone parameter. Can an unplumbed NIC be added to a running exclusive-IP zone using the same method? (I don't have a system with enough NICs to test this.) No, because

Re: [zones-discuss] Inter-Zone Networking Question

2009-04-23 Thread Erik Nordmark
Patrick Pinchera wrote: I'm working with a customer who wants to put 16 containers in an M8000 server. Each of these containers will have the need to have a private network that they all share so that they can all talk to each other, and the network traffic DOES NOT have to go outside of the

[zones-discuss] opensolaris + zones + networking services?

2009-05-05 Thread Erik Nordmark
Running build 111a of opensolaris I created an exclusive-IP zone. In the zone I try r...@c1:~# routeadm -e ipv4-routing Pattern 'route:default' doesn't match any instances Comparing svcs -a | grep networking in the global zone and the exclusive IP zone, there is a lot of

Re: [zones-discuss] routing issues

2009-08-19 Thread Erik Nordmark
Robert Hartzell wrote: I have a host that's on two subnets: 10.0.0.0/24 (all external facing services through a firewall) 192.168.0.0/24 (internal lan) I wish to move my external services into zones (dns, smtp, webstack) but am having problems which I believe are caused by routing

Re: [zones-discuss] Can I config a Zone as a DHCP client ?

2010-01-25 Thread Erik Nordmark
On 01/25/10 02:29 AM, Tina wrote: Hi all, Can Zone work as a DHCP client? In my testing environment, all ip must be assigned from a DHCP server, I have setup a solaris 10 (x86 version) and config it as a DHCP client, now I tried to create a ZONE on it. How can I config the ZONE as a DHCP

Re: [zones-discuss] Can I config a Zone as a DHCP client ?

2010-01-28 Thread Erik Nordmark
On 01/28/10 02:44 AM, Tina wrote: Hi Erik, Thanks for your suggestion. I have tried the way that run ifconfig bge0 zone zoneA, it did not work. I'm a newer to solaris ZONE, I did not have a good idea about how to troubleshoot it. :-) So I decided to try IP-exclusive. Now I install

[zones-discuss] Motivation for limiting zonename length to 64 characters?

2010-05-14 Thread Erik Nordmark
If I want to create zonenames that are known to be unique across a set of nodes, one way to do this is to use fully qualified domain names as the zonenames. But this might run into the current limit of the zonename length. Looking at the source I see: /* * The zone support infrastructure