On 02/17/10 14:38, James Carlson wrote:
Dombrowski, Neil wrote:
My next question (which I think may have been partially answered already); it's 
obvious now that the global zone inherits the ngzones (non-global zones) 
routing information; is that a two-way street? If zone1 has a default route 
using as its gateway, and in the global zone I use a different 
router on the same network ( as my default gateway, will that 
affect/interrupt zone1's routing table? I'll be experimenting a bit with this 
on my opensolaris box; hopefully it will match what solaris will do on our 
sparc servers.

A shared-stack zone cannot modify the kernel's forwarding table.  It
"inherits" -- read-only -- the forwarding table that is established by
the global zone.

Actually, there's no real "inheritance" going on here.  There's just one
forwarding table.  The non-global zone is permitted to view it, and all
of its packets are delivered according to it, but only the global zone
can modify it.  The only special thing going on with Solaris Zones is
that when the non-global zone uses the table, it ignores any entries
that it's "not permitted" to use -- where "permitted" is defined as "for
the output physical interface identified by the route, there exists at
least one IP address [logical interface] configured and marked 'up' for
that zone."

If you establish two default routes in the global zone, then the system
will treat them as equivalent.  Packets from the global zone may be sent
to either router without distinction.  That might not be what you want.

And I wrote up http://blogs.sun.com/stw/entry/what_happened_to_my_packets after coming up with this for a customer who was losing connections because there were multiple default routes to different subnets, and connections would intermittently not work as they were using the 'wrong' default route.

In general, if you want isolation, then you want the exclusive IP stack
zone model.  The shared stack model was designed for a BSD-Jails-like
environment, where you're consolidating numerous servers that were
previously configured side-by-side on a single network.  Shared doesn't
work as well when the zones are mutually hostile.

Yup. If you run out of NICs on Solaris 10 (which does not have VNICs), you can use VLANs, if that works in your environment. http://blogs.sun.com/stw/entry/using_ip_instances_with_vlans
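Added illustration, not code from this thread or from Solaris: a small Python model of the single shared forwarding table and the "permitted" filter James describes above (a zone may use a route only if the route's output interface carries an 'up' logical interface for that zone). Addresses, interface names and zone names are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

class Route(NamedTuple):
    dest: str     # destination prefix, "0.0.0.0/0" for a default route
    gateway: str  # next-hop router
    ifname: str   # output physical interface selected by the route

# The one kernel forwarding table shared by every shared-stack zone.
# Constructed sample: documentation address ranges, not a real host.
FORWARDING_TABLE = [
    Route("192.0.2.0/24", "192.0.2.1", "e1000g0"),
    Route("198.51.100.0/24", "198.51.100.1", "e1000g1"),
    Route("0.0.0.0/0", "192.0.2.254", "e1000g0"),     # default via router A
    Route("0.0.0.0/0", "198.51.100.254", "e1000g1"),  # default via router B
]

# Physical interfaces on which each zone has at least one 'up' logical
# interface: the "permitted" test from the message. Constructed sample.
ZONE_UP_IFACES = {
    "global": {"e1000g0", "e1000g1"},
    "zone1": {"e1000g0"},
}

def visible_routes(zone: str) -> List[Route]:
    """Routes the zone may use: the shared table minus every entry whose
    output interface carries no 'up' address belonging to that zone."""
    allowed = ZONE_UP_IFACES.get(zone, set())
    return [r for r in FORWARDING_TABLE if r.ifname in allowed]

def lookup(zone: str, dst: str) -> List[Route]:
    """Longest-prefix match over the zone's visible routes. Routes that tie
    on prefix length (two default routes) are returned together, because the
    system treats them as equivalent and may pick either one."""
    addr = ip_address(dst)
    best: List[Route] = []
    best_len = -1
    for r in visible_routes(zone):
        net = ip_network(r.dest)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [r], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(r)
    return best
```

Note that zone1 still reaches 198.51.100.0/24 through router A's default route once the e1000g1 entry is filtered out, and the global zone sees both default routes as equally valid, which is the intermittent-failure pattern from the blog entry above.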


zones-discuss mailing list