Dombrowski, Neil wrote:
> My next question (which I think may have been partially answered already);
> it's obvious now that the global zone inherits the ngzones (non-global zones)
> routing information; is that a two-way street? If zone1 has a default route
> using 10.10.10.1 as its gateway, and in the global zone I use a different
> router on the same network (10.10.10.5) as my default gateway, will that
> affect/interrupt zone1's routing table? I'll be experimenting a bit with this
> on my opensolaris box; hopefully it will match what solaris will do on our
> sparc servers.

A shared-stack zone cannot modify the kernel's forwarding table. It
"inherits" -- read-only -- the forwarding table that is established by
the global zone.

Actually, there's no real "inheritance" going on here. There's just one
forwarding table. The non-global zone is permitted to view it, and all
of its packets are delivered according to it, but only the global zone
can modify it. The only special thing going on with Solaris Zones is
that when the non-global zone uses the table, it ignores any entries
that it's "not permitted" to use -- where "permitted" is defined as "for
the output physical interface identified by the route, there exists at
least one IP address [logical interface] configured and marked 'up' for

If you establish two default routes in the global zone, then the system
will treat them as equivalent. Packets from the global zone may be sent
to either router without distinction. That might not be what you want.

In general, if you want isolation, then you want the exclusive IP stack
zone model. The shared stack model was designed for a BSD-Jails-like
environment, where you're consolidating numerous servers that were
previously configured side-by-side on a single network. Shared doesn't
work as well when the zones are mutually hostile.

James Carlson 42.703N 71.076W <carls...@workingcode.com>
zones-discuss mailing list
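As an added illustration (not code from the post, the list, or Solaris itself), the following Python model encodes the rules Carlson describes: one forwarding table that only the global zone may modify; a non-global zone's view restricted to routes whose output interface carries an 'up' address configured for that zone; and equally specific routes, such as two default routes, treated as interchangeable. Zone names, interface names, and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Route:
    dest: str       # CIDR prefix; "0.0.0.0/0" is a default route
    gateway: str    # "0.0.0.0" marks a directly connected network
    ifname: str     # physical output interface named by the route

@dataclass
class Zone:
    name: str
    # logical interfaces as (physical ifname, address, is_up) -- sample values
    addrs: list = field(default_factory=list)

def add_route(table, zone, route):
    """Only the global zone may change the single kernel forwarding table."""
    if zone.name != "global":
        raise PermissionError(f"zone {zone.name} cannot modify the forwarding table")
    table.append(route)

def visible_routes(table, zone):
    """A non-global zone's view: routes whose output interface carries at
    least one 'up' logical interface configured for that zone."""
    if zone.name == "global":
        return list(table)
    up_ifs = {ifn for ifn, _addr, up in zone.addrs if up}
    return [r for r in table if r.ifname in up_ifs]

def lookup(table, zone, dst):
    """Longest-prefix match over the zone's view. Equally specific routes
    (e.g. two default routes) are returned together: the kernel treats
    them as equivalent and may deliver to either gateway."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in visible_routes(table, zone)
             if ip in ipaddress.ip_network(r.dest)]
    best = max((ipaddress.ip_network(r.dest).prefixlen for r in cands), default=-1)
    return [r for r in cands if ipaddress.ip_network(r.dest).prefixlen == best]

# Constructed sample: one shared table, the global zone and two shared-stack zones
TABLE = []
GLOBAL = Zone("global", [("bge0", "10.10.10.2", True), ("bge1", "192.168.1.1", True)])
ZONE1 = Zone("zone1", [("bge0", "10.10.10.20", True)])   # lives on the 10.10.10.0/24 side
ZONE2 = Zone("zone2", [("bge1", "192.168.1.10", True)])  # no 'up' address on bge0
add_route(TABLE, GLOBAL, Route("10.10.10.0/24", "0.0.0.0", "bge0"))
add_route(TABLE, GLOBAL, Route("192.168.1.0/24", "0.0.0.0", "bge1"))
add_route(TABLE, GLOBAL, Route("0.0.0.0/0", "10.10.10.1", "bge0"))  # first default route
add_route(TABLE, GLOBAL, Route("0.0.0.0/0", "10.10.10.5", "bge0"))  # second, equivalent
```

Running `lookup(TABLE, ZONE1, "203.0.113.7")` returns both default routes, `lookup(TABLE, ZONE2, "203.0.113.7")` returns nothing because zone2 has no 'up' address on bge0, and `add_route` from zone1 raises.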