James Carlson wrote:

In some usage models, the global zone administrator "owns"
everything.  Even if he can't directly control things from the global
zone (and must log into the non-global zone to turn services on and
off), he wants to see a view of the system that includes everything.
Do you have an example of that?

I'm not sure I understand the question.  Is CR 6369726 a suitable
example?  If not, then what are you asking?

Sorry, I misread "want" as "need" in the sense of being a show-stopper.

For example, if the administrator of the global zone has Firewall-1
installed, he's going to need to configure IP details in the global
zone.  I don't see how he can do that if he doesn't have access to
them.

Sure. But that is analogous to the external firewall.
We could decide that we want zones/containers/domains on the same system to be different, but I think there is value in following a network model for network components. After all, the network is the computer(tm) ;-)

It depends on the administrator's mental model for the system.

Agreed. My point is that the model for an exclusive-IP zone is different in important aspects than the shared-IP zones.

We could try to hide this by pretending that (parts of) ifconfig behavior is the same, but I'm far from certain that is a good idea.

But the suggestion (made at PSARC) to use dladm to both
 - assign datalink names to zones
and
 - observe them (in e.g. show-link)

is one which satisfies the consistency between manipulation and observation. (And zonecfg can specify things as well; dladm can be used to manipulate and observe the running state.)

   Erik

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
