James Carlson wrote:
In some usage models, the global zone administrator "owns"
everything. Even if he can't directly control things from the global
zone (and must log into the non-global zone to turn services on and
off), he wants to see a view of the system that includes everything.
Do you have an example of that?
I'm not sure I understand the question. Is CR 6369726 a suitable
example? If not, then what are you asking?
Sorry, I misread "want" as "need" in the sense of being a show-stopper.
For example, if the administrator of the global zone has Firewall-1
installed, he's going to need to configure IP details in the global
zone. I don't see how he can do that if he doesn't have access to
Sure. But that is analogous to the external firewall.
We could decide that we want zones/containers/domains on the same system
to be different, but I think there is value in following a network model
for network components. After all the network is the computer(tm) ;-)
It depends on the administrator's mental model for the system.
Agreed. My point is that the model for an exclusive-IP zone is different
in important aspects than the shared-IP zones.
We could try to hide this by pretending that (parts of) ifconfig
behavior is the same, but I'm far from certain that is a good idea.
But the suggestion (made at PSARC) to use dladm to both
- assign datalink names to zones
- observe them (in e.g. show-link)
is one which satisfies the consistency between manipulation and
observation. (And zonecfg can specify things as well; dladm can be used
to manipulate and observe the running state.)
zones-discuss mailing list