Dombrowski, Neil wrote:
> My next question (which I think may have been partially answered already);
> it's obvious now that the global zone inherits the ngzones (non-global zones)
> routing information; is that a two-way street? If zone1 has a default route
> using 10.10.10.1 as its gateway, and in the global zone I use a different
> router on the same network (10.10.10.5) as my default gateway, will that
> affect/interrupt zone1's routing table? I'll be experimenting a bit with this
> on my opensolaris box; hopefully it will match what solaris will do on our
> sparc servers.
A shared-stack zone cannot modify the kernel's forwarding table. It "inherits" -- read-only -- the forwarding table that is established by the global zone.

Actually, there's no real "inheritance" going on here. There's just one forwarding table. The non-global zone is permitted to view it, and all of its packets are delivered according to it, but only the global zone can modify it.

The only special thing going on with Solaris Zones is that when the non-global zone uses the table, it ignores any entries that it's "not permitted" to use -- where "permitted" is defined as "for the output physical interface identified by the route, there exists at least one IP address [logical interface] configured and marked 'up' for that zone."

If you establish two default routes in the global zone, then the system will treat them as equivalent. Packets from the global zone may be sent to either router without distinction. That might not be what you want.

In general, if you want isolation, then you want the exclusive IP stack zone model. The shared stack model was designed for a BSD-Jails-like environment, where you're consolidating numerous servers that were previously configured side-by-side on a single network. Shared doesn't work as well when the zones are mutually hostile.

-- 
James Carlson 42.703N 71.076W <carls...@workingcode.com>

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
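The following is an added toy model, not code from this thread or from Solaris, that plays out the rule James describes: one forwarding table, writable only by the global zone, and a per-zone view that skips any route whose output interface carries no "up" logical interface belonging to that zone. The class and field names (`SharedStack`, `Route`, `LogicalIf`), the interface names `bge0`/`bge1`, and the sample addresses are all constructed for the example; it also shows the two-default-route case from the question, where both routers end up as equal-cost candidates for the global zone and for any zone plumbed on the same interface.

```python
"""Toy model of how shared-IP-stack zones see a single forwarding table.

Added example: models the behaviour described in the reply above, it does
not call any real Solaris interface. All names and sample data are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dest: str        # "default" or a CIDR prefix
    gateway: str     # next-hop router address
    interface: str   # output physical interface identified by the route


@dataclass(frozen=True)
class LogicalIf:
    interface: str   # physical interface the logical interface sits on
    zone: str        # zone the address is assigned to
    addr: str        # the zone's address on that interface
    up: bool = True  # only "up" logical interfaces count


class SharedStack:
    """One kernel forwarding table shared by the global and non-global zones."""

    def __init__(self):
        self.table = []         # the single forwarding table
        self.logical_ifs = []   # per-zone addresses, as ifconfig would show

    def add_route(self, zone, route):
        # Only the global zone may change the table; everyone else is read-only.
        if zone != "global":
            raise PermissionError(f"zone {zone}: forwarding table is read-only")
        self.table.append(route)

    def plumb(self, lif):
        self.logical_ifs.append(lif)

    def permitted(self, zone, route):
        """A non-global zone may use a route only if it has an up address
        on the route's output physical interface."""
        if zone == "global":
            return True
        return any(l.interface == route.interface and l.zone == zone and l.up
                   for l in self.logical_ifs)

    def view(self, zone):
        # The same table, filtered by what this zone is permitted to use.
        return [r for r in self.table if self.permitted(zone, r)]

    def lookup(self, zone, dst):
        """Longest-prefix match over the zone's view. Returns every gateway
        that ties for the best match, so two default routes come back as
        two equivalent candidates."""
        dst = ip_address(dst)
        best, best_len = [], -1
        for r in self.view(zone):
            net = ip_network("0.0.0.0/0") if r.dest == "default" else ip_network(r.dest)
            if dst in net:
                if net.prefixlen > best_len:
                    best, best_len = [r.gateway], net.prefixlen
                elif net.prefixlen == best_len:
                    best.append(r.gateway)
        return best


def build_scenario():
    """Constructed scenario: global zone installs two default routes on bge0
    (the situation asked about), zone1 lives on bge0, zone2 only on bge1."""
    s = SharedStack()
    s.add_route("global", Route("default", "10.10.10.1", "bge0"))
    s.add_route("global", Route("default", "10.10.10.5", "bge0"))
    s.add_route("global", Route("192.168.1.0/24", "192.168.1.1", "bge1"))
    s.plumb(LogicalIf("bge0", "global", "10.10.10.2"))
    s.plumb(LogicalIf("bge0", "zone1", "10.10.10.20"))
    s.plumb(LogicalIf("bge1", "zone2", "192.168.1.20"))
    return s


def zone_can_add_route(stack, zone):
    """True if the zone is allowed to install a route (only the global zone is)."""
    try:
        stack.add_route(zone, Route("10.20.0.0/16", "10.10.10.9", "bge0"))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    s = build_scenario()
    for z in ("global", "zone1", "zone2"):
        print(z, "->", s.lookup(z, "203.0.113.9"), s.lookup(z, "192.168.1.7"))
    print("zone1 may add routes:", zone_can_add_route(s, "zone1"))
```

Running it shows the global zone and zone1 both resolving an off-net destination to either 10.10.10.1 or 10.10.10.5 (the "treated as equivalent" case), zone2 getting no default route at all because it has no address on bge0, and zone1's attempt to add a route being refused.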