James Carlson wrote:

> I don't think that argument works on two counts.  First, exclusive-IP
> behavior does not offer complete IP isolation, because you can't (for
> instance) install your own copy of Firewall-1 or Cisco VPN into a
> non-global exclusive-IP zone.

Agreed you can't do that. But how does that make IP packets leak between different exclusive-IP zones?
Perhaps we have a different definition of what "IP isolation" means?
To me the critical property is that there is no IP packet leakage.

> Some things do still require global
> zone administration.  Second, "ps" shows processes that the user in
> the global zone cannot 'administer' by way of kill(2), so they are at
> least as isolated as IP instances, but they're still of interest to
> global zone administrators who want a global view of the system.

I tried the kill and AFAICT root in the global zone can kill a process in a non-global zone:
bilen# ptree 103436
100996 gnome-terminal
  100999 csh
    101003 -csh
      103331 zlogin 49bge
        103332 -sh
          103338 csh
            103436 cat
bilen# kill 103436
(and the cat process in the 49bge zone died).

> All that said, I think making ifconfig list the interfaces present in
> exclusive-IP zones, given the design of ifconfig, would be
> prohibitively difficult.  It'd have no access to the DLPI nodes, which
> is where it gets some of its information, and the ioctls it uses for
> tunnels and the like won't work well if the zones have independent
> control of the interfaces.  (It'd work "for now," but I think it'd end
> up representing more confusion with Clearview, as there'd be no easy
> way to coordinate interface names across multiple zones, so
> ifta_lifr_name would be ambiguous.)

I agree it would be a pain to implement. zone_enter() would be one way.

But the key thing to me is the consistency between where things can be observed and where they can be modified.

   Erik


_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org