Wayne Nichols wrote:
>
> On Dec 29, 2008, at 5:08 PM, Jarrett Lu wrote:
>
>> Wayne Nichols wrote:
>>> Setup:
>>>
>>> Global zone, multiple labeled zones, each labeled zone configured
>>> more or less identically. Each labeled zone connects to a
>>> different network. Each labeled zone has a process that needs to
>>> be accessed by the global zone via a network socket. This process
>>> and socket must not be visible on the labeled zone network.
>>>
>>> Requirement:
>>>
>>> Allow global zone to connect to labeled zone sockets.
>>>
>>> What I have now:
>>>
>>> Global Zone:
>>> all-zones is configured on a real interface, e1000g3
>>> each labeled zone has an interface to connect to zone network, e.g.
>>> e1000g1:1, e1000g2:1, etc.
>>> each labeled zone has a virtual interface vni1:1, vni2:2 etc.
>>> route is added in global zone to each of the vni IP addresses:
>>> route add host <vni address> <all-zones address>
>>> each zone has an MLP entry in tnzonecfg: "<zone>:
>>> 0x0023-08-0000000010:0:<port>/tcp:"
>>>
>>> With this setup, I can ping each vni address from global zone and
>>> can connect to each MLP, BUT, if I run "svcadm restart tnctl" at
>>> any point, I lose the ability to communicate from the global zone
>>> to the vni addresses. I don't understand what happens when I
>>> restart tnctl that causes things to "break."
>>>
>>
>> Since the network service depends on the tnctl service, the network
>> service will restart as a result of restarting tnctl. My guess is
>> that the routes didn't survive the network service restart. You
>> may verify by `netstat -rn` after `svcadm restart tnctl`.
>
> Hi Jarrett,
>
> I actually tried that before posting and the route did survive the
> tnctl restart.
>
> Alas, you are right about the labeled zones talking to each other. I
> don't want that. Any suggestions?
You may play with label sets for this. For example, create a new cipso template for the PUBLIC zone vni address. In the template, use a label set instead of a label range, i.e. for the PUBLIC zone, the label set should be [admin_low, PUBLIC]; for the INTERNAL zone, the set should be [admin_low, INTERNAL]. I forgot the exact syntax of label sets off the top of my head. So try to configure that using SMC if possible.

Jarrett

>>
>> Also, your setup seems to allow labeled zones talking to
>> labeled zones as well. Not sure that's what you want.
>>
>>
>> Jarrett
>>
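As an added example (not code from the thread or from either poster), the script below drives the per-zone setup Wayne describes from a single zone table and checks a `netstat -rn` dump for the vni host routes that have to survive `svcadm restart tnctl`, which is the check Jarrett asked for. It assumes the tnzonecfg entry layout quoted in the thread (zone:label:flags:zone MLPs:shared MLPs) and the `route add host <vni address> <all-zones address>` form; the zone names, addresses, ports and label hex values are placeholders, and the `netstat -rn` dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Zone names, addresses,
# ports and label values are placeholders (assumed), not real encodings.

ALL_ZONES_ADDR=192.0.2.10          # all-zones address on e1000g3 (assumed)

# name     vni-address  label (hex, as written in tnzonecfg)  MLP port
# Constructed table; replace with the real zones.
ZONES='public   10.10.1.1  0x0002-08-08  7001
internal 10.10.2.1  0x0004-08-48  7002'

# tnzonecfg entry, in the layout quoted in the thread:
#   zone:label:flags:zone MLPs:shared MLPs
# The port goes in the zone MLP field; the shared (all-zones) field stays
# empty, as in Wayne's entry.
tnzonecfg_line() {   # $1=zone $2=label $3=port
  printf '%s:%s:0:%s/tcp:\n' "$1" "$2" "$3"
}

# Global-zone host route to a labeled zone's vni address via the all-zones
# address (the `route add host ...` line from the thread).
route_cmd() {        # $1=vni address
  printf 'route add host %s %s\n' "$1" "$ALL_ZONES_ADDR"
}

# Emit the whole setup as text: review it, then apply by hand or pipe to sh.
generate_setup() {
  printf '%s\n' "$ZONES" | while read -r zone vni label port; do
    [ -n "$zone" ] || continue
    printf '# %s\n' "$zone"
    printf 'tnzonecfg: '; tnzonecfg_line "$zone" "$label" "$port"
    route_cmd "$vni"
  done
}

# Check a `netstat -rn` dump ($1, passed as a string) for every vni host
# route via the all-zones address.  Lists the missing ones on stderr and
# returns 1 if any are missing, 0 otherwise.
verify_routes() {
  dump=$1
  missing=$(printf '%s\n' "$ZONES" | while read -r zone vni label port; do
    [ -n "$zone" ] || continue
    printf '%s\n' "$dump" |
      awk -v d="$vni" -v g="$ALL_ZONES_ADDR" '$1==d && $2==g {f=1} END {exit !f}' ||
      printf '%s %s\n' "$zone" "$vni"
  done)
  [ -z "$missing" ] && return 0
  printf 'missing host route(s) via %s:\n%s\n' "$ALL_ZONES_ADDR" "$missing" >&2
  return 1
}

# Constructed `netstat -rn` dump with both vni routes present.
SAMPLE_OK='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        1        100
10.10.1.1            192.0.2.10           UGH       1         10
10.10.2.1            192.0.2.10           UGH       1         10
192.0.2.0            192.0.2.10           U         1          5 e1000g3
127.0.0.1            127.0.0.1            UH        1          0 lo0'

# The same dump with the internal zone's route gone (the failure to catch).
SAMPLE_BROKEN=$(printf '%s\n' "$SAMPLE_OK" | grep -v '^10\.10\.2\.1 ')

case "${1:-}" in
  generate) generate_setup ;;
  verify)   verify_routes "$(netstat -rn)" ;;   # run before and after `svcadm restart tnctl`
  demo)     verify_routes "$SAMPLE_OK" && echo 'sample ok'
            verify_routes "$SAMPLE_BROKEN" || echo 'broken sample detected' ;;
esac
```

Run it with `generate` on the global zone to see the tnzonecfg lines and route commands it would apply, and with `verify` immediately before and after `svcadm restart tnctl` so the route comparison is mechanical rather than read by eye; `demo` exercises the checker against the two constructed dumps offline.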