On 02/17/10 14:38, James Carlson wrote:
Dombrowski, Neil wrote:
My next question (which I think may have been partially answered already); it's
obvious now that the global zone inherits the ngzones (non-global zones)
routing information; is that a two-way street? If zone1 has a default route
using 10.10.10.1 as its gateway, and in the global zone I use a different
router on the same network (10.10.10.5) as my default gateway, will that
affect/interrupt zone1's routing table? I'll be experimenting a bit with this
on my opensolaris box; hopefully it will match what solaris will do on our
A shared-stack zone cannot modify the kernel's forwarding table. It
"inherits" -- read-only -- the forwarding table that is established by
the global zone.
Actually, there's no real "inheritance" going on here. There's just one
forwarding table. The non-global zone is permitted to view it, and all
of its packets are delivered according to it, but only the global zone
can modify it. The only special thing going on with Solaris Zones is
that when the non-global zone uses the table, it ignores any entries
that it's "not permitted" to use -- where "permitted" is defined as "for
the output physical interface identified by the route, there exists at
least one IP address [logical interface] configured and marked 'up' for
If you establish two default routes in the global zone, then the system
will treat them as equivalent. Packets from the global zone may be sent
to either router without distinction. That might not be what you want.
And I wrote up
http://blogs.sun.com/stw/entry/what_happened_to_my_packets after coming
up with this for a customer who was losing connections because there
were multiple default routes to different subnets, and connections would
intermittently not work as they were using the 'wrong' default route.
In general, if you want isolation, then you want the exclusive IP stack
zone model. The shared stack model was designed for a BSD-Jails-like
environment, where you're consolidating numerous servers that were
previously configured side-by-side on a single network. Shared doesn't
work as well when the zones are mutually hostile.
Yup. If you run out of NICs on Solaris 10 (which does not have VNICs),
you can use VLANs, if that works in your environment.
zones-discuss mailing list
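The lookup rule described in the thread (one kernel forwarding table, only the global zone may change it, a shared-stack zone ignores entries whose output interface has no "up" logical interface of its own, and equal default routes are treated as equivalent) modelled as a small Python example. This is added illustration, not code from Solaris or from anyone in the thread; the zone names, interface names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network   # 0.0.0.0/0 is a default route
    gateway: str
    ifname: str                   # output physical interface of the route

@dataclass
class Zone:
    name: str
    is_global: bool = False
    lifs: list = field(default_factory=list)  # (ifname, address, is_up)

    def up_ifs(self):
        return {ifn for ifn, _addr, up in self.lifs if up}

def add_route(table, zone, route):
    """Only the global zone may change the single kernel forwarding table."""
    if not zone.is_global:
        raise PermissionError(f"{zone.name}: shared-stack zone may not modify routes")
    table.append(route)

def lookup(table, zone, dst):
    """Best-matching routes the zone may use; several equal entries stay equivalent."""
    dst = ipaddress.IPv4Address(dst)
    usable = table if zone.is_global else [r for r in table if r.ifname in zone.up_ifs()]
    matches = [r for r in usable if dst in r.dest]
    if not matches:
        return []
    best = max(r.dest.prefixlen for r in matches)
    return [r for r in matches if r.dest.prefixlen == best]

# Constructed sample: one kernel table, three zones (hypothetical names and addresses).
GLOBAL = Zone("global", True, [("e1000g0", "10.10.10.50", True), ("e1000g1", "192.168.1.50", True)])
ZONE1 = Zone("zone1", False, [("e1000g0", "10.10.10.51", True)])
ZONE2 = Zone("zone2", False, [("e1000g1", "192.168.1.52", True)])
TABLE = []
N = ipaddress.IPv4Network
add_route(TABLE, GLOBAL, Route(N("10.10.10.0/24"), "0.0.0.0", "e1000g0"))
add_route(TABLE, GLOBAL, Route(N("192.168.1.0/24"), "0.0.0.0", "e1000g1"))
add_route(TABLE, GLOBAL, Route(N("0.0.0.0/0"), "10.10.10.1", "e1000g0"))   # router zone1 wanted
add_route(TABLE, GLOBAL, Route(N("0.0.0.0/0"), "10.10.10.5", "e1000g0"))   # router the global zone added
add_route(TABLE, GLOBAL, Route(N("0.0.0.0/0"), "192.168.1.1", "e1000g1"))

if __name__ == "__main__":
    for z in (GLOBAL, ZONE1, ZONE2):
        print(z.name, [r.gateway for r in lookup(TABLE, z, "8.8.8.8")])
```

Running it shows the point of the thread: zone1 sees both 10.10.10.x default routes as equivalent once the global zone adds the second one, while the 192.168.1.0/24 entry via e1000g1 is invisible to zone1 and its traffic to that subnet falls back to the default routes.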