Jeff Victor wrote:
Here's one reason: consistency. All users in the GZ can see some
information about non-global zones (e.g. "ps"). Privileged GZ users can
see all info about non-global zones, and need to do so in order to
But the exclusive-IP behavior is quite different from the shared-IP
behavior; it offers complete IP isolation between different zones/IP
The argument that it should have consistent behavior could also be used
to argue that it shouldn't offer IP isolation. I'm sure that isn't the
type of consistency we desire.
I am not certain that observation of exclusive-IP-instances from the GZ
should be the default, but it should be possible.
They can be observed from the global zone using zoneadm list -l instead
of ifconfig -a, which is used for the shared-IP zones.
(And if the global admin wants to look deeper than that output, then for
both the exclusive and shared cases things behave the same in that e.g.
netstat in the global zone does not report information for other zones.)
zones-discuss mailing list