Wednesday, December 16, 2009

Shared IP configuration for non-global Solaris zones

By default, non-global zones are configured with shared-IP networking. This means that IP-layer configuration and state are shared between the zone you are creating and the global zone, which usually implies that both zones sit on the same IP subnet for each given NIC.

Shared IP mode is defined by the following statement in zone configuration:

set ip-type=shared

Here are all the commands needed to enable it for a zone called s10zone in my example:

solaris# zonecfg -z s10zone
zonecfg:s10zone> set ip-type=shared
zonecfg:s10zone> verify
zonecfg:s10zone> commit
zonecfg:s10zone> end
solaris#

While I’ve deployed quite a few zones before, it was only recently that I learned what sharing IP-layer configuration means in practical terms: there is no IP routing within the non-global zone. So if for some reason you want your non-global zone to use a different IP route for reaching one of the available networks, you really can’t do it in shared-IP mode, because the non-global zone can only inherit the routing rules of the global zone.

You still have an option of assigning different IP addresses to different virtual interfaces of a non-global zone, but unless their routing is catered for by the global zone, it won’t be of much use.

Exclusive IP configuration for non-global Solaris zones

Configured using this statement in zone configuration:

set ip-type=exclusive

… this mode implies that a given non-global zone will have exclusive access to one of the NICs on your system.

While for me the most important aspect of such exclusivity was the possibility to configure zone-specific routing, there’s obviously much more offered by this mode:

* DHCPv4 and IPv6 stateless address autoconfiguration
* IP Filter, including network address translation (NAT) functionality
* IP Network Multipathing (IPMP)
* IP routing
* ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
* IP security (IPsec) and IKE, which automates the provision of authenticated keying material for IPsec security associations

So here it is – another design lesson for you – make sure you know what kind of networking your zones will need.
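As an added example (not part of the original post), here is a small audit script that turns the design lesson into a check: it reads the text that `zonecfg -z <zone> info` prints for each zone, records each zone's ip-type and the physical NICs its net resources name, and reports any NIC that an exclusive-IP zone claims while another zone also references it, since exclusive-IP mode gives that zone sole use of the NIC. The zone names and the `zonecfg info` text below are constructed for the example rather than captured from a real host.

```shell
#!/bin/sh
# Audit zone network configuration for ip-type and NIC ownership conflicts.
# Constructed samples of `zonecfg -z <zone> info` output (not from a real system).
INFO_S10ZONE='zonename: s10zone
zonepath: /zones/s10zone
autoboot: true
ip-type: shared
net:
        address: 192.168.1.10/24
        physical: e1000g0'

INFO_DBZONE='zonename: dbzone
zonepath: /zones/dbzone
autoboot: true
ip-type: exclusive
net:
        physical: e1000g0'

# Print the ip-type of one zone whose `zonecfg info` text arrives on stdin.
zone_ip_type() {
    awk '/^ip-type:/ { print $2; exit }'
}

# Print one line per net resource, "<zonename> <ip-type> <physical NIC>",
# for one zone whose `zonecfg info` text arrives on stdin.
zone_nics() {
    awk '
        /^zonename:/        { z = $2 }
        /^ip-type:/         { t = $2 }
        /^[ \t]*physical:/  { print z, t, $2 }
    '
}

# Read the combined zone_nics output on stdin and print "<nic>: <zones>" for
# every NIC claimed by an exclusive-IP zone that another zone also references.
nic_conflicts() {
    awk '
        { owners[$3] = owners[$3] " " $1; if ($2 == "exclusive") excl[$3] = 1 }
        END {
            for (nic in excl)
                if (split(owners[nic], parts, " ") > 1) print nic ":" owners[nic]
        }
    ' | sort
}

# Run the audit over the sample zones; prints nothing when there is no conflict.
audit() {
    { printf '%s\n' "$INFO_S10ZONE" | zone_nics
      printf '%s\n' "$INFO_DBZONE"  | zone_nics; } | nic_conflicts
}

audit
```

On a live system, replace the constructed samples with the output of `zonecfg -z <zone> info` for each zone listed by `zoneadm list -c`.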
