Re: [zones-discuss] exclusive-ip
Have any GLD drivers for qfe on sparc been released? I'm looking for developments on this. What's the likelihood that drivers for sparc-opensolaris will work on Solaris 10 sparc?

Kartik Vashishta

--
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] exclusive-ip
Hi,

KARTIK VASHISHTA wrote:
> Have any GLD drivers for qfe on sparc been released? I'm looking for developments on this. What's the likelihood that drivers for sparc-opensolaris will work on Solaris 10 sparc?
>
> Kartik Vashishta

The Nevada (OpenSolaris) qfe drivers are GLDv3 based. These drivers however will not directly work on Solaris 10. The GLDv3 qfe driver depends on the GLDv3 hme driver, so first you would need to backport the hme driver to Solaris 10 and then the qfe driver.

There are only a few code changes necessary to do this, but this will still not be done because there are several interface changes which will break compatibility (e.g. when using the ndd command on /dev/qfe and instance vs. /dev/qfeinstance).

So most likely there will not be any GLDv3 based qfe driver for Solaris 10. See RFE 6590092 (qfe) and 6568532 (hme), which both have the request for Solaris 10 backports (not done though).

Bye,
Wolfgang Ley.
Re: [zones-discuss] exclusive-ip zone and non-observability
Christine Tran writes:
> I am putting 2 applications that talk to each other on two non-global zones of type exclusive-ip. I do this for one reason only, that is to be able to observe traffic between the two applications for troubleshooting if and when things go wrong.
>
> Unfortunately, this will run afoul of security guidelines, which say one should not be able to observe anything from the outside. Encryption is just not in the picture right now. I'm trying to think of a way to make traffic observable from the global zone only, and obscured to everyone else outside the box.
>
> I thought of not cabling the interfaces and turning off ip_restrict_interzone_loopback, but that just backs me right into the corner of not being able to snoop anything on the lo0 channel. I don't have anything here that I can use, do I? Just making sure.

Using the existing Clearview interfaces (integrated back in November for build 103; see CR 4085089), you should be able to snoop lo0 just fine.

--
James Carlson, Solaris Networking james.d.carl...@sun.com
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
Re: [zones-discuss] exclusive-ip zone and non-observability
Instead of snooping the traffic, why not do it through DTrace? That should meet your security requirements nicely.

fpsm

On Tue, Dec 16, 2008 at 11:59 AM, Christine Tran christine.t...@gmail.com wrote:
> Hi,
>
> I am putting 2 applications that talk to each other on two non-global zones of type exclusive-ip. I do this for one reason only, that is to be able to observe traffic between the two applications for troubleshooting if and when things go wrong.
>
> Unfortunately, this will run afoul of security guidelines, which say one should not be able to observe anything from the outside. Encryption is just not in the picture right now. I'm trying to think of a way to make traffic observable from the global zone only, and obscured to everyone else outside the box.
>
> I thought of not cabling the interfaces and turning off ip_restrict_interzone_loopback, but that just backs me right into the corner of not being able to snoop anything on the lo0 channel. I don't have anything here that I can use, do I? Just making sure.
>
> CT
Re: [zones-discuss] exclusive-ip zone and non-observability
On Tue, Dec 16, 2008 at 6:13 PM, Fredrich Maney fredrichma...@gmail.com wrote:
> Instead of snooping the traffic, why not do it through DTrace? That should meet your security requirements nicely.
>
> fpsm

Heh! No SUNWCdtrace cluster either. In fact, I may have to sell observability down the river because I see that snoop is in SUNWrcmdc and that's not in the SUNWCrnet, either. And that needs Kerberos, yadda yadda ...
Re: [zones-discuss] exclusive-ip
On 11 Dec 2007, at 13:23, caroline wrote:
> Hi,
>
> I set up exclusive-ip zone, using these instructions:
>
> set ip-type=exclusive
> add net
> set physical=ce

The ce interface currently cannot be used with exclusive ip instances. Look at the Crossbow FAQ for supported network interfaces:

http://www.opensolaris.org/os/project/crossbow/faq/#ipinst_any_nic

Paul

> When I boot the zone, I don't see physical interface anymore
>
> zone1# ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff00
>
> Is there other configuration to add?
>
> Thanks a lot
> carol
Re: [zones-discuss] exclusive-ip
Robert Smicinski writes:
> We have the same problem, none of our interfaces show up on ce's, bge's, qfe's or ge's on sparc. It does work on one of our x86 machines though. Maybe it's related to sparc?

It's not SPARC that's the problem. The problem is that the IP Instances feature (exclusive-ip) currently supports only GLDv3 interfaces. Any interface implemented using GLDv3 will work, regardless of platform.

ce, qfe, and ge are (or at least _were_) monolithic DLPI designs, not GLD-based.

It's also pretty important to know that version matters here, so describe the system you're using. Quite a few changes have gone into OpenSolaris-based distributions that haven't gotten back (and may never get back) to S10.

--
James Carlson, Solaris Networking
Re: [zones-discuss] exclusive-ip
Robert Smicinski writes:
> I don't see that reference in the Sun What's New Solaris 10 8/07 Release:
>
> http://docs.sun.com/app/docs/doc/817-0547/6mgbdbsoa?l=en&a=view&q=ip+instances

I don't see a reference to the issue there, either. I think that's probably a documentation bug.

The issue is with the design of the driver. If it uses GLDv3, then zoneadmd can issue a special new ioctl to move the link into the zone. If it doesn't use GLDv3, then that doesn't work.

--
James Carlson, Solaris Networking
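
Added example, not part of any message in this thread: a pre-flight check for the GLDv3 requirement described in the two replies above, run before putting a link into an exclusive-IP zone. It assumes the Solaris 10 8/07-style `dladm show-link` output, where a non-GLDv3 driver is reported as `type: legacy`; the sample lines and the function names `link_class` and `check_zone_nic` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies data links by whether they
# can be handed to an exclusive-IP zone, based on `dladm show-link` output
# in the Solaris 10 8/07 style (assumption: "type: legacy" = not GLDv3).

# Constructed sample output; on a real host pipe in: dladm show-link
SAMPLE_LINKS='e1000g0         type: non-vlan  mtu: 1500       device: e1000g0
ce0             type: legacy    mtu: 1500       device: ce0
qfe0            type: legacy    mtu: 1500       device: qfe0'

# link_class LINK: reads show-link output on stdin and prints one of
# "gldv3", "legacy", "unknown" (no type field) or "missing" (no such link).
link_class() {
    awk -v want="$1" '
        $1 == want {
            found = 1
            for (i = 2; i < NF; i++)
                if ($i == "type:") t = $(i + 1)
        }
        END {
            if (!found)             print "missing"
            else if (t == "")       print "unknown"
            else if (t == "legacy") print "legacy"
            else                    print "gldv3"
        }'
}

# check_zone_nic LINK: exit status 0 only when the link can be moved into
# a zone configured with ip-type=exclusive.
check_zone_nic() {
    class=$(printf '%s\n' "$SAMPLE_LINKS" | link_class "$1")
    case "$class" in
        gldv3)  echo "$1: GLDv3, usable as physical=$1 with ip-type=exclusive"
                return 0 ;;
        legacy) echo "$1: legacy DLPI driver, zone will boot with only lo0"
                return 1 ;;
        *)      echo "$1: $class, check the link name and dladm output"
                return 2 ;;
    esac
}

for nic in e1000g0 ce0 qfe0 hme0; do
    check_zone_nic "$nic" || true
done
```

Later OpenSolaris builds changed the `dladm show-link` column layout, so the parsing in `link_class` has to match the release in use.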
Re: [zones-discuss] exclusive-ip
On Tue, Dec 11, 2007 at 12:04:02PM +, Caroline Carol wrote:
> Hi,
>
> I configure a local zone as exclusive-ip
>
> ## zonecfg -z zone1
> . ...
> set ip-type=exclusive
> ...add net
> set physical=ce0
> ... end
>
> But when I boot the zone, I don't see any interface
>
> ### ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff00
>
> Is there extra configuration?

You have to configure its network as if it were a new server.

Regards
przemol

--
http://przemol.blogspot.com/