On (12/27/10 08:26), James Carlson wrote:
> That's not quite what I'd call "simple," but I guess it's a matter of
> taste.  That uses VNICs and exclusive IP stack zones, which wasn't what
> I was describing in my previous message.  Doing it that way means that
> you have to grant privileges to the zones such that they can manage the
> interfaces they have, and then you may need to set up security on top of
> that to keep them from "managing" them in ways you don't want, such as
> configuring the wrong IP address.

That (the wrong IP address bit) has changed a bit recently- in S11, we
have the facility to configure IP addresses from the global zone, and
ensure that the NGZ cannot use any other IP addresses: see the
"allowed-address" property in zonecfg for exclusive IP zones in S11.

> Shared IP stack zones are simpler, at least to me, because the
> non-global zones are much more constrained in what they can do.

ymmv, but shared IP has its share of ugly "features" which may
leave the NGZ with an incorrect perception of what exactly it can
and cannot administer. And it makes it harder for the GZ to observe
NGZ networking resource usage (or enforce controls on these).

> (But I'm usually not concerned about things like this.  Either we're
> friends just sharing a box, or we're not.  If we're not, then I'm going
> to set up secure protocols to talk; I'm not going to trust my data to
> any sort of partitioning scheme -- whether subnets, VLANs, VNICs or
> whatever.)

yes, agreed.


zones-discuss mailing list

Reply via email to