Re: [zones-discuss] Solaris Zones and Blackhole Routing

2007-04-16 Thread Erik Nordmark

Tony Marshall wrote:


When the application servers and database servers start we are seeing a
large number of timeouts when the application tries to connect to the
localhost to check a service is up.

When a number of blackhole routes are removed these timeouts disappear.


Tony,

Has anybody tried a
ping -s localhost
in the various zones?

I'm trying to understand if there is a potential networking issue, or 
whether there is an issue with the system being too loaded in general.



The system works with just over 2000 routes but we have just provisioned
another 8 zones to this system which has increased the number of
blackhole routes to just over 3000 and the application servers and
database servers start getting timeouts.

So is there a maximum number of routes that can be defined in the global
zones routing table? 


No


Is there another way of blocking zones from talking
to each other without having to use blackhole routes?  


There will be in S10U4, when IP Filter can be used to filter packets 
between zones.



Have we reached
the maximum number of zones we can run on that system because of the
blackhole routes rather than using all of the capacity (CPU and Memory)
on the box?


Each blackhole route might use a few hundred *bytes* of memory, thus 
even thousands of them isn't a lot of memory these days.


   Erik
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] Solaris Zones and Blackhole Routing

2007-04-16 Thread Jeff Victor

Tony,

Would reject routes (instead of blackholes) be acceptable?  If so, have you 
tried that?  It would reduce or remove the need to wait for timeouts.


Tony Marshall wrote:

Hi All,

We are providing a service to a customer using an E6900 as the platform
to provision multiple Solaris zones to the customer for them to run
their application and database servers to their customers.

For the sake of this e-mail I will talk about customers as being the end
users of the application and database servers.

Currently we have about 58 zones running on the E6900. Each customer
must not have access to another customer's zones; the recommended way to
do this is to employ blackhole routes for each zone that is not allowed
to communicate.  Each customer has 2 zones which can communicate with
each other; there are a couple of administration zones that are allowed
to communicate with all zones, but everything else must be blocked. We
end up with about 53 blackhole routes per zone, plus we need to block
the zones from talking to the global zone IP addresses.

When the application servers and database servers start we are seeing a
large number of timeouts when the application tries to connect to the
localhost to check a service is up.

When a number of blackhole routes are removed these timeouts disappear.

The system works with just over 2000 routes but we have just provisioned
another 8 zones to this system which has increased the number of
blackhole routes to just over 3000 and the application servers and
database servers start getting timeouts.

So is there a maximum number of routes that can be defined in the global
zones routing table? Is there another way of blocking zones from talking
to each other without having to use blackhole routes?  Have we reached
the maximum number of zones we can run on that system because of the
blackhole routes rather than using all of the capacity (CPU and Memory)
on the box?

Thanks

Tony



--
Jeff VICTOR   Sun Microsystems   jeff.victor @ sun.com
OS Ambassador   Sr. Technical Specialist
Solaris 10 Zones FAQ: http://www.opensolaris.org/os/community/zones/faq
--
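The isolation policy Tony describes (two zones per customer may talk to each other, administration zones may reach everything, everything else is blocked) and Jeff's suggestion of reject routes in place of blackholes, as an added example that is not part of the thread: a small POSIX sh script that derives the per-zone route set from a zone inventory and counts it, which is the figure that grows with every provisioned zone. The zone names and IP addresses are constructed, and the route(1M) form assumed here, `route add -host <dst> <src-zone-ip> -interface -reject` (scoping the route to the source zone by its own address), should be confirmed against route(1M) before use.

```sh
#!/bin/sh
# Inventory (constructed sample): "<zone> <ip> <customer>"; customer
# "admin" marks an administration zone that may reach every zone.
ZONES='cust01-app 10.10.0.11 cust01
cust01-db 10.10.0.12 cust01
cust02-app 10.10.0.21 cust02
cust02-db 10.10.0.22 cust02
cust03-app 10.10.0.31 cust03
cust03-db 10.10.0.32 cust03
admin01 10.10.0.250 admin
admin02 10.10.0.251 admin'

# Print the route commands zone $1 needs: it must not reach a zone of a
# different customer unless either side is an administration zone.
# Assumed route(1M) form: reject route, gateway = source zone's own IP.
routes_for_zone() {
    src=$1
    set -- $(printf '%s\n' "$ZONES" | awk -v z="$src" '$1==z {print $2, $3}')
    src_ip=$1
    src_cust=$2
    [ "$src_cust" = admin ] && return 0      # admin zones block nothing
    printf '%s\n' "$ZONES" | while read -r dst ip cust; do
        [ "$dst" = "$src" ] && continue       # self
        [ "$cust" = "$src_cust" ] && continue # same customer's partner zone
        [ "$cust" = admin ] && continue       # admin zones stay reachable
        printf 'route add -host %s %s -interface -reject\n' "$ip" "$src_ip"
    done
}

# Number of reject routes zone $1 needs (the thread's "routes per zone").
route_count_for_zone() {
    routes_for_zone "$1" | wc -l | tr -d ' '
}

# Total routes across all zones: the number that crossed 2000 and then
# 3000 in Tony's setup as zones were added.
total_routes() {
    total=0
    for z in $(printf '%s\n' "$ZONES" | awk '{print $1}'); do
        n=$(route_count_for_zone "$z")
        total=$((total + n))
    done
    echo "$total"
}
```

With six customer zones and two admin zones this yields 4 routes per customer zone, none for admin zones, 24 in total; the same arithmetic on 58 zones explains the roughly 53 routes per zone in the original post.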