>So when sharing one hostname in the global zone, every local zone
>needs to have the same hostname? And that hostname is the name of the
>all-zones interface?

You're not sharing in the global zone, you're sharing, period. The all-zones address is your internal system bus, in addition to whatever else it is.

>What if I want a unique IP address per local zone, does that require
>not having any interface marked as 'all-zones'?

Just the opposite. You need one additional address. If you want, it can be a fake private address on a vni0 interface, but in that case no other system in your network can have that address for its "real" address.

Your "hostname" for each zone including the global zone must be the all-zones address. (If all your addresses are on the same subnet, and/or the same physical interface, rumor has it you can dispense with the all-zones address, but that is still in test.)

Other addresses have their own names, whether or not we're talking about the global zone.

10.1.2.3     all-zones            sunhost         (the nodename for every single zone is sunhost)
10.2.3.4     (global zone)        sunhost-server  (for printing and nfs)
11.2.3.4     (public zone)        sunhost-public  (or maybe some other name, like "sfbay-wiki")
192.168.2.3  (need to know zone)  sun-financials

>On May 18, 2007, at 1:06 PM, Jan Parcel wrote:
>
>> The hostname for the local zone must be the same as the all-zones
>> address, really there's no such thing as an address "in the global
>> zone" for all-zones, it's really in all zones.
>>
>> The additional address in the local zone must be *additional* it
>> cannot be the hostname.
>>
>>
>>> Date: Fri, 18 May 2007 09:19:25 +0100
>>> From: Darren J Moffat <Darren.Moffat at sun.com>
>>> Subject: Re: [security-discuss] BSM Bug?
>>> To: Robert Bailey <robert.bailey at mac.com>
>>> Cc: security-discuss at opensolaris.org
>>>
>>> Robert Bailey wrote:
>>>> I was wondering if anyone has run into this. I have two TX systems,
>>>> each with the same BSM configuration, that has zonename enabled.
>>>> On one TX system I have my local zones configured to run without IP
>>>> addresses. In the global, there is one IP for all-zones, one
>>>> without the all-zones tag. This system can report via BSM, on all
>>>> transactions within a local zone.
>>>>
>>>> The second system, has the same BSM configuration, but for the
>>>> local zone configuration there is an IP on the local zone, the
>>>> global has one with an all-zones. This system does not report any
>>>> audit trail for the local zone except for one entry for zoneadmd.
>>>
>>> Can you send the output of `auditconfig -lspolicy` for both machines.
>>> Also ifconfig -a from the global zone for both machines.
>>>
>>> If I understand correctly you have: `auditconfig -setpolicy
>>> +zonename` for both but have only a global zone audit log configured?
>>>
>>> --
>>> Darren J Moffat
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org