Wayne Nichols wrote:
> Setup:
>
> Global zone, multiple labeled zones, each labeled zone configured more
> or less identically. Each labeled zone connects to a different
> network. Each labeled zone has a process that needs to be accessed by
> the global zone via a network socket. This process and socket must
> not be visible on the labeled zone network.
>
> Requirement:
>
> Allow global zone to connect to labeled zone sockets.
>
> What I have now:
>
> Global Zone:
> all-zones is configured on a real interface, e1000g3
> each labeled zone has an interface to connect to zone network, e.g.
> e1000g1:1, e1000g2:1, etc.
> each labeled zone has a virtual interface vni1:1, vni2:2 etc.
> route is added in global zone to each of the vni IP addresses:
> route add host <vni address> <all-zones address>
>
> each zone has an MLP entry in tnzonecfg:
> "<zone>:0x0023-08-0000000010:0:<port>/tcp:"
>
> With this setup, I can ping each vni address from global zone and can
> connect to each MLP, BUT, if I run "svcadm restart tnctl" at any
> point, I lose the ability to communicate from the global zone to the
> vni addresses. I don't understand what happens when I restart tnctl
> that causes things to "break."
>
Since the Network service depends on the tnctl service, the Network service will restart as a result of restarting tnctl. My guess is that the routes didn't survive the network service restart. You may verify by `netstat -rn` after `svcadm restart tnctl`. Also, your setup seems to allow labeled zones talking to labeled zones as well. Not sure that's what you want.

Jarrett
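The `netstat -rn` check suggested above can be scripted so the global zone administrator can tell at a glance which vni host routes were lost by the restart. The following is an added example, not code from either poster or from Solaris itself; the vni addresses and the `netstat -rn` snapshot are constructed placeholder values, and the script assumes the Solaris `netstat -rn` column layout (destination, gateway, flags) with host routes carrying the `H` flag.

```sh
#!/bin/sh
# Added example: report which expected vni host routes are missing from
# the global zone's routing table, e.g. after `svcadm restart tnctl`.
# All addresses and the routing-table text below are constructed.

# Expected vni host addresses, one per labeled zone (constructed values).
EXPECTED_VNI_ADDRS="10.10.1.2 10.10.2.2 10.10.3.2"

# Constructed snapshot of `netstat -rn` output taken after the restart.
# In live use: netstat -rn > /tmp/routes.after
SAMPLE_ROUTES='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.0.1          UG        1        500 e1000g0
10.10.1.2            192.168.0.50         UGH       1         12 e1000g3
192.168.0.0          192.168.0.50         U         1          3 e1000g3
127.0.0.1            127.0.0.1            UH        2         40 lo0'

# missing_host_routes ADDRS < netstat_output
# Prints each address in ADDRS that has no host route (flags containing
# "H") in the routing table read from stdin. Returns 1 if any is missing,
# 0 if every expected host route is present.
missing_host_routes() {
    addrs=$1
    routes=$(cat)
    rc=0
    for a in $addrs; do
        if ! printf '%s\n' "$routes" |
            awk -v a="$a" '$1 == a && $3 ~ /H/ { found = 1 } END { exit !found }'
        then
            echo "$a"
            rc=1
        fi
    done
    return $rc
}

# Live usage in the global zone (uncomment to run against the real table):
#   netstat -rn | missing_host_routes "$EXPECTED_VNI_ADDRS"
# Any address printed needs its route re-added:
#   route add host <vni address> <all-zones address>
# On releases that support it, `route -p add ...` records the route
# persistently so it is restored on later network service restarts.
```

Run against the constructed snapshot, the function prints `10.10.2.2` and `10.10.3.2` (the two host routes absent from the table) and returns 1; against a table containing all three host routes it prints nothing and returns 0.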