On Dec 29, 2008, at 5:08 PM, Jarrett Lu wrote:

> Wayne Nichols wrote:
>> Setup:
>>
>> Global zone, multiple labeled zones, each labeled zone configured more or less identically. Each labeled zone connects to a different network. Each labeled zone has a process that needs to be accessed by the global zone via a network socket. This process and socket must not be visible on the labeled zone network.
>>
>> Requirement:
>>
>> Allow global zone to connect to labeled zone sockets.
>>
>> What I have now:
>>
>> Global Zone:
>> all-zones is configured on a real interface, e1000g3
>> each labeled zone has an interface to connect to zone network, e.g. e1000g1:1, e1000g2:1, etc.
>> each labeled zone has a virtual interface vni1:1, vni2:2 etc.
>> route is added in global zone to each of the vni IP addresses:
>> route add host <vni address> <all-zones address>
>> each zone has an MLP entry in tnzonecfg: "<zone>:0x0023-08-0000000010:0:<port>/tcp:"
>>
>> With this setup, I can ping each vni address from global zone and can connect to each MLP, BUT, if I run "svcadm restart tnctl" at any point, I lose the ability to communicate from the global zone to the vni addresses. I don't understand what happens when I restart tnctl that causes things to "break."
>>
>
> Since Network service depends on tnctl service, Network service will restart as a result of restarting tnctl. My guess is that the routes didn't survive the network service restart. You may verify by `netstat -rn` after `svcadm restart tnctl`.

Hi Jarrett,

I actually tried that before posting and the route did survive the tnctl restart. Alas, you are right about the labeled zones talking to each other. I don't want that. Any suggestions?

> Also, your setup seems to allow labeled zones talking to labeled zones as well. Not sure that's what you want.
>
> Jarrett
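As an added example (my own, not code from this thread), the script below performs the check Jarrett suggests: it compares two `netstat -rn` snapshots taken before and after `svcadm restart tnctl`, lists every host route that disappeared, and prints the `route add host <vni address> <all-zones address>` command from the setup above that would restore each one. The two snapshots, their column layout and the addresses in them are constructed sample data, not real captures.

```shell
#!/bin/sh
# Compare two `netstat -rn` snapshots and report host routes (flag H) that
# were present before `svcadm restart tnctl` but are gone afterwards.
# BEFORE/AFTER are constructed sample tables; 192.0.2.10 plays the
# all-zones address and 10.10.x.1 the vni addresses of the labeled zones.

BEFORE='Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        1          0 e1000g3
192.0.2.0            192.0.2.10           U         1          0 e1000g3
10.10.1.1            192.0.2.10           UGH       1          0
10.10.2.1            192.0.2.10           UGH       1          0
127.0.0.1            127.0.0.1            UH        1          0 lo0'

# Same table after the restart, with the route to the second vni address lost.
AFTER='Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        1          0 e1000g3
192.0.2.0            192.0.2.10           U         1          0 e1000g3
10.10.1.1            192.0.2.10           UGH       1          0
127.0.0.1            127.0.0.1            UH        1          0 lo0'

# host_routes SNAPSHOT: print "destination gateway" for every host route.
host_routes() {
  printf '%s\n' "$1" | awk '$3 ~ /H/ { print $1, $2 }'
}

# missing_host_routes BEFORE AFTER: host routes in BEFORE that AFTER lacks.
missing_host_routes() {
  _before=$(host_routes "$1")
  _after=$(host_routes "$2")
  printf '%s\n' "$_before" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    if printf '%s\n' "$_after" | grep -Fxq -- "$line"; then :; else
      printf '%s\n' "$line"
    fi
  done
}

# restore_commands BEFORE AFTER: the `route add host` line for each lost route,
# in the form used in the setup (host route via the all-zones address).
restore_commands() {
  missing_host_routes "$1" "$2" | while read -r dest gw; do
    printf 'route add host %s %s\n' "$dest" "$gw"
  done
}

# Usage on a live system: save `netstat -rn` to a file before and after the
# restart, then call restore_commands "$(cat before.txt)" "$(cat after.txt)".
restore_commands "$BEFORE" "$AFTER"
```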