On 3/15/07, Darren Dunham <[EMAIL PROTECTED]> wrote:
> (But you'd need to wait for some other changes to the networking before you can
> run a DHCP server in a zone.  I don't think that's possible today).

In my lab, I have DHCP servers working in sparse non-global zones
today, even with S10U3.  The keys to getting it to work are:

1. Add net_rawaccess and /dev/ip when configuring the zone.
2. Remove privileges=all from the dhcp service
3. Manually set the interface list in /etc/inet/dhcpsvc.conf

I do have some concerns regarding the ability to update the ARP table
with this configuration, which will likely go away once each zone can
have its own IP stack.  (Perhaps this is in Nevada now, I forget and
haven't had a chance to test the last ~10 builds.)

A more detailed tour of the steps for those that need a bit more
detail follows...

When configuring the zone:

set limitpriv = default,net_rawaccess
add device
  set match=/dev/ip

Inside the zone, remove "privileges='all'" from the start method of
/var/svc/manifest/network/dhcp-server.xml.  You will then need to
notify SMF of this change. There is likely a shorter version of this,
but the following should definitely do it:

svcadm disable network/dhcp-server
svccfg delete network/dhcp-server
svccfg import /var/svc/manifest/network/dhcp-server.xml

Disclaimers apply (e.g. that file will be overwritten by patches,
etc.).  In real life I create a different service in the
/var/svc/manifest/site directory and create dependencies that ensure
that my service and network/dhcp-server do not run at the same time.

For dhcp-server to really run, you need to update
/etc/inet/dhcpsvc.conf to list the INTERFACES=.  A good idea would be
to automatically update that on boot before dhcp-server starts so that
it has the right virtual interface in there across reboots when zones
may come up in a different order.

I have also noticed the following when the DHCP server gives out a lease:

in.dhcpd[22624]: [ID 480883 daemon.error] ADD: Cannot modify ARP table
to add:

It seems as though the zone would require the sys_net_config privilege
to force entries into the ARP table.  When serving addresses on the
same subnet, this seems to have no impact.  I have not tried
cross-subnet DHCP services with this config yet.  I don't fully
understand the impact of the comment at


Mike Gerdts
zones-discuss mailing list
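The two file edits the post describes (dropping privileges='all' from the dhcp-server manifest, and keeping INTERFACES= in /etc/inet/dhcpsvc.conf in step with whatever virtual interface the zone was given at boot) are easy to get slightly wrong by hand. The following helpers are an added example written for this page; they are not code from the original post. They take the file paths as arguments, so they can be exercised on copies, and the ifconfig parser reads a constructed sample rather than a live zone. The exact layout of dhcp-server.xml and the idea of wiring this into a site SMF service that runs before network/dhcp-server are assumptions, not something the post spells out.

```shell
#!/bin/sh
# Added example for the steps described in the post above; not the
# post's own code. All paths are passed in so nothing here touches a
# live zone unless you ask it to.

# Remove every privileges='all' (or privileges="all") attribute from an
# SMF manifest. In the case discussed above the attribute sits in the
# start method of dhcp-server.xml; removing it lets the daemon run with
# the zone's limited privilege set instead of demanding all of them.
strip_privileges_all() {
    manifest="$1"
    sed -e "s/[[:space:]]*privileges=['\"]all['\"]//g" "$manifest" > "$manifest.tmp" &&
        mv "$manifest.tmp" "$manifest"
}

# Set (or append) the INTERFACES= line of a dhcpsvc.conf-style file.
# $2 is the comma-separated interface list in.dhcpd should listen on.
# Idempotent: running it twice leaves exactly one INTERFACES= line.
set_dhcp_interfaces() {
    conf="$1"
    ifaces="$2"
    if grep -q '^INTERFACES=' "$conf"; then
        sed -e "s/^INTERFACES=.*/INTERFACES=$ifaces/" "$conf" > "$conf.tmp"
    else
        { cat "$conf"; echo "INTERFACES=$ifaces"; } > "$conf.tmp"
    fi && mv "$conf.tmp" "$conf"
}

# Derive the interface list from 'ifconfig -a' style output on stdin:
# interface header lines start in column 0 as "name: flags=...";
# continuation lines are indented. Loopback (lo0*) is skipped and the
# remaining names are joined with commas, the separator dhcpsvc.conf uses.
interfaces_from_ifconfig() {
    awk '/^[a-z]/ && $1 !~ /^lo0/ {
             sub(/:$/, "", $1)
             names = names (names ? "," : "") $1
         }
         END { print names }'
}

# Constructed sample of what 'ifconfig -a' shows inside a non-global zone
# (assumed names and addresses, for the demo and the tests only).
SAMPLE_IFCONFIG='lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
	inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255'

# Demo on the constructed sample (the real thing would pipe in ifconfig -a).
echo "derived interface list: $(printf '%s\n' "$SAMPLE_IFCONFIG" | interfaces_from_ifconfig)"

# Intended use, as a start method of a site service that network/dhcp-server
# depends on (assumed wiring, not from the post):
#   set_dhcp_interfaces /etc/inet/dhcpsvc.conf "$(ifconfig -a | interfaces_from_ifconfig)"
```

Running the interface update from a service that dhcp-server depends on is what makes the list survive zones booting in a different order: each boot recomputes the logical interface name instead of trusting whatever was written last time.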
