Jeff Victor wrote:
Here's one reason: consistency. All users in the GZ can see some information about non-global zones (e.g. "ps"). Privileged GZ users can see all info about non-global zones, and need to do so in order to manage them.


But the exclusive-IP behavior is quite different from the shared-IP behavior; it offers complete IP isolation between different zones/IP instances.

The argument that it should have consistent behavior could also be used to argue that it shouldn't offer IP isolation. I'm sure that isn't the type of consistency we desire.

I am not certain that observation of exclusive-IP-instances from the GZ should be the default, but it should be possible.

They can be observed from the global zone using zoneadm list -l instead of ifconfig -a, which is used for the shared-IP zones. (And if the global admin wants to look deeper than that output, then for both the exclusive and shared cases things behave the same in that e.g. netstat in the global zone does not report information for other zones.)

   Erik


_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
