Zones on Virtual Local Network?

Networking is not my strong suit so please forgive me if this is basic.
I have one NIC connected on Solaris 10 with a public IP address on the internet. I have another zone with a public IP address as well. What I would like to do is set up one or more zones in a private IP address space that can access the internet outbound. I don't require port forwarding (yet?), just to be able to wget, ftp and ssh out, etc. Basically, I have zones I want to create that don't need to be accessible via the internet, and since I have to pay for additional IP addresses and wait for them to be assigned, I'd like to be able to set up a virtual network inside the box for additional zones to communicate.
I think I have to create a virtual nic in the global zone with a local ip address and a vnic for each zone. Then use that nic when creating the zone. I'd also have to add that interface to the existing public zone to be able to talk to the private ip zones.
This seems to be what I need: http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris. Do I just need to add a virtual NIC to each zone, including the one that already has an internet IP address, using the add-net command in zonecfg? I understand the vnic stuff, but the ipfilter part I'm a bit confused about.
Then, if I get another physical server, is there a way to have the private zones talk to private zones on the other server as well? Or would I need to have a separate physical nic with a physical switch/crossover cable connecting the two and then get rid of the virtual nics altogether?

Darren_Dunham wrote:
These are advanced features of crossbow. It does not exist in any current version of Solaris. I'm not sure if it's in recent SXCE builds yet or not.
Darren

I came across this message on the crossbow discussion list: http://mail.opensolaris.org/pipermail/crossbow-discuss/2007-February/000983.html
If you would like multiple containers to communicate with each other, without
using the physical network for inter-container transport, you can do that
today without Crossbow. All inter-container traffic stays in the IP stack.
Another example that you can do without Crossbow is a web server which sits in
one container and uses the physical network, and an app server which only
communicates with the web server, and perhaps with another container in which
you run a DB server.
But if you would like something more sophisticated, e.g. packets come in from
the network into one container where they are filtered, and some packets are
forwarded/routed to other containers in the same system, you should be looking
at Crossbow.

This is exactly what I'm trying to do but not sure how.
Edited by: njjavadev on Apr 18, 2008 3:36 PM
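One way to build the outbound-only NAT setup for private-IP zones that this thread asks about, as an added example that is not from the original posts or from the linked blog: it generates the IP Filter rules, a zonecfg command file and the global-zone routing commands for the fake-router recipe (the approach the "Network access from local zones on a Solaris 10 router" message further down describes). It assumes a NIC named e1000g0, the private subnet 10.0.0.0/24, a fake router 10.0.0.1 and a constructed gateway MAC; everything is written to a staging directory rather than to /etc.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Sun's code): build the
# IP Filter NAT/filter rules, a zonecfg command file and the global-zone routing
# commands for a shared-IP Solaris 10 zone on a private (RFC 1918) subnet that
# only needs outbound access through the global zone's public NIC.
# Assumed (constructed) names: NIC e1000g0, private subnet 10.0.0.0/24, fake
# router 10.0.0.1, zone address 10.0.0.11, gateway MAC 0:1:2:3:4:5.
# Nothing here touches the live system: output goes to a staging directory.

# Refuse to NAT anything outside the private ranges: a typo here would quietly
# hide a public prefix behind the global zone's address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/ipf/ipnat.conf: source-NAT the private subnet to whatever address the
# public NIC carries (0/32). The portmap line comes first, then the catch-all
# for protocols without ports (e.g. ICMP).
gen_ipnat() { # nic subnet
    is_rfc1918 "$2" || { echo "refusing to NAT non-private subnet $2" >&2; return 1; }
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\nmap %s %s -> 0/32\n' "$1" "$2" "$1" "$2"
}

# /etc/ipf/ipf.conf: stateful outbound only. Replies match the state table
# before the final rule, so nothing unsolicited from the wire reaches a zone.
gen_ipf() { # nic subnet
    cat <<EOF
pass out quick on $1 proto tcp from $2 to any keep state
pass out quick on $1 proto udp from $2 to any keep state
pass out quick on $1 proto icmp from $2 to any keep state
block in quick on $1 from any to $2
EOF
}

# zonecfg command file (apply with: zonecfg -z NAME -f FILE): a shared-IP zone
# on the same NIC whose only address lies inside the private subnet.
gen_zonecfg() { # zonepath nic addr_cidr
    cat <<EOF
create
set zonepath=$1
set autoboot=true
add net
set physical=$2
set address=$3
end
verify
commit
EOF
}

# Global-zone commands for the "fake router" recipe described on this page:
# give the global zone a private address, pin the fake router's ARP entry to
# the real gateway's MAC so the zone's default route resolves, then enable
# forwarding and IP Filter. A shared-IP zone can only use a default route whose
# next hop is on its own subnet, which is why the fake router is needed.
gen_route_cmds() { # nic global_private_cidr fake_router gw_mac
    cat <<EOF
ifconfig $1 addif $2 up
arp -s $3 $4
route -p add default $3
routeadm -u -e ipv4-forwarding
svcadm enable network/ipfilter
EOF
}

# Write every artefact into a staging directory for review before copying.
stage() { # outdir
    mkdir -p "$1" || return 1
    gen_ipnat e1000g0 10.0.0.0/24 > "$1/ipnat.conf" || return 1
    gen_ipf e1000g0 10.0.0.0/24 > "$1/ipf.conf"
    gen_zonecfg /export/home/zones/priv1 e1000g0 10.0.0.11/24 > "$1/priv1.cfg"
    gen_route_cmds e1000g0 10.0.0.254/24 10.0.0.1 0:1:2:3:4:5 > "$1/global-routing.sh"
}

if [ $# -ge 1 ]; then
    stage "$1" && echo "staged Solaris zone NAT configuration in $1"
fi
```

Run it with a directory argument, inspect the four files, then copy the two IP Filter files into /etc/ipf and feed priv1.cfg to zonecfg; the MAC in global-routing.sh must be replaced with the real gateway's.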

Similar Messages

  • Configuring a zone with virtual ip [eth0:1]

    Hi,
    I have tried to configure a zone with a virtual IP address, but I couldn't. I was getting an error. I have selected shared IP. Is it possible to do that? Did I miss something, or do I need any particular release for that?
    Thanks,

    You can't change the IP for a shared IP zone from within the zone.
    You edit the zone config from the global zone and reboot the zone.

  • Lost Local Network...

    Help, I can't get my Mac back on the local network... I am not sure what I did, but my server I turned off yesterday, then rebooted, and it no longer accepts the IP from my switch for DHCP. It keeps wanting to put its own self-assigned IP address in. I cannot get it to be seen by the switch and therefore do not have access to any of my network hard drives or the internet. I can manually assign an IP, but it still doesn't connect to my local network and I still cannot see my network hard drives... I can get to the internet, but that is it. What happened?

    Lost 1 port on my router. What a headache. Time to buy a new router.

  • Network access from local zones on a Solaris 10 router

    I'm kind of stuck at an interesting problem.
    I have a Solaris 10u6 system which is itself a router between a number of networks.
    It has several dozen routes to different networks via different next-hop gateways,
    just one of which is a default route to the ISP to internet.
    I thought of setting up local zones to securely run infrastructure services (BIND,
    Squid, Mail relay) on this machine, with only a single dedicated public IP address
    (from our delegated address space) per such zone. Zones use a shared-IP stack
    on one of the machine's VLAN interfaces (the LAN part with public IP addresses).
    The problem is - since this machine is the gateway for the subnet used for the
    local zones, they don't inherit any default route. The one default we have to the
    ISP is on another interface's subnet.
    [root@ns8 /]# netstat -rn | grep default
    [root@ns8 /]# netstat -rn | wc -l
    50
    On a side note, these zones do inherit dozens of other routes (50 above) with
    next-hop routers not on the local zone's subnet - so these are also not accessible.
    I think such useless routes should also be filtered away - as "mismatching" default
    routes are.
    Due to all this the zone has no networking outside its subnet/mask: it doesn't
    even try to send anything, since there is not a single route with a matching next
    hop router, i.e.
    [root@ns8 /]# traceroute -nI 194.87.0.50
    traceroute to 194.87.0.50 (194.87.0.50), 30 hops max, 40 byte packets
    1 xx.yy.zz.8 0.102 ms !H 0.032 ms !H 0.027 ms !H
    To reiterate, this setup is different from that of the numerous replies to "How to
    set up internet for zones with virtual IP addresses?"
    That recipe suggests to add a fake router and maintain its ARP address to be
    that of the real default gateway, and set up NAT to rewrite private IP addresses
    to the global zone's public IP. While I've also used the recipe a number of times,
    it does not seem feasible in this router's case - there are too many next-hop
    routers (and learned with a dynamic routing protocol), not just one default-gw.
    I can of course go back to running services in the global zone and binding them
    to these dedicated public IP addresses via configuration files - and this works
    since the global zone has access to any needed routers having IP addresses
    in relevant subnets - but I hoped to secure the system a bit more and separate
    routing from infrastructure tasks...
    So the question is: how can I set up networking for local zones in this case
    when they are running on a router? Is it possible?
    Thanks,
    //Jim

    You can set the Airport Extreme in "Bridge" mode, and then it will just extend the existing subnet.
    Airport Utility -> Airport Extreme -> Internet -> Connection Sharing -> Off (bridge mode)

  • Sun Live Upgrade with local zones Solaris 10

    I have M800 server running global root (/) fs on local disk and running 6 local zones on another local disk. I am running solaris 5.10 8/07.
    I used live upgrade to patch the system and created new BE (lucreate). Both root fs are mirror as RAID-1.
    When I ran lucreate, it copied all 6 local zone root filesystems to the global root fs and failed with not enough space.
    What is the best procedure to use lu with local zones?
    Note: I used lu with global zone only, and worked without any problem.
    regards,

    I have been trying to use luupgrade for Solaris10 on Sparc, 05/09 -> 10/09.
    lucreate is successful, but luactivate directs me to install 'the rest of the packages' in order to make the BE stable enough to activate. I try to find the packages indicated, but find only "virtual packages" which contain only pkgmap.
    I installed upgrade 6 on a spare disk to make sure my u7 installation was not defective, but got similar results.
    I got beyond luactivate on x86 a while ago, but had other snags which I left unattended.

  • Changing MTU for local-zone

    I'm getting ready to go to gigabit jumbo frame (MTU 9000) network, but I'm not there yet.
    I have some nice Intel NICs, and I set them so they can do a MTU 16128 but fix the MTU at 1500 until I make the change.
    But the local-zones interface won't change with the global:
    e1000g1: flags=1001000803<UP,BROADCAST,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 3
    inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
    ether 0:e:c:c4:48:a8
    e1000g1:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 16128 index 3
    zone test-zone
    inet 10.0.0.191 netmask ffffff00 broadcast 10.0.0.255
    I would like the local zone's virtual interface to have an MTU of 1500 just like its proud parent.
    I've tried a /etc/hostname.e1000g1:1 with 'mtu 1500'. That creates a virtual interface with the proper MTU, but the zone's interface becomes e1000g1:2 still with a MTU of 16128.
    How can I set the MTU of the local-zone?
    Thanks.

    It's now a few months since I last played with networking in zones, but I don't think you can do that. IIRC there is only a limited set of options which can be set on a shared interface which belongs to a zone.
    I think that in order for this to work you would have to dedicate an interface to the zone (i.e. 'exclusive mode'); then you can probably change the MTU from inside the zone.
    However, this is my guess; I haven't tested or verified it.
    .7/M.

  • Local zone using IPMP in global zone

    Hi all,
    I've installed a zone and when I'm booting it, I receive the following error :
    bge0:2: could not bring interface up: address in use by zone 'global': Cannot assign requested addres
    The bge2 is used in my global zone (member of IPMP group of 2 interfaces : bge0 - ce0).
    Is there a way to use the IPMP mechanism from my global zone in my local zone?
    Something like :
    add net
    set address = xxx.xxx.xxx.xxx
    set physical = IPMP_group (instead of a physical interface)
    OR must I unplumb the bge0 in the global zone in order to use it in local zone ?
    Thanks for the help or the advice!
    Quentin.

    I think I won the 10 duke stars that I was giving for this topic ...
    I didn't see that the IP/interface I wanted to configure with my local-zone was already plumbed in global zone from a previous failed zone boot.
    I've unplumbed the logical interface in the global zone and successfully booted the zone.

  • SAPINST 'space' error on Solaris 10 Zone

    Hi All,
    I am attempting to install a 4.7E X 110 system on Oracle 9 and Solaris 10. I am in the CI phase of the installation and am getting an error in phase "Check/Adapt Filesystem". I'm not sure where - it does not say exactly. But the 3 main areas - /sapmnt , /usr/sap and /oracle all share the same space - "1927165003 blocks" (about 919GB).
    This makes no sense for the space check function to be failing. It is possible that the SAPINST is checking the /usr directory at the global level even though it cannot install it there. (We are running a local zone for the server). We have a link set up /usrsap for the /usr/sap folder.
    Has anyone ever seen this? Any ideas on how to push this forward? SAPINST does not offer an explicit option for the /usr/sap/ folder.
    Points for all helpful answers!!!
    Thanks!!

    Because zones are virtualized Solaris 10 environments, the standard Solaris installation problems may occur during the installation. For instance, the /home directory is read-only because the auto-mount feature is enabled by default. This usually causes problems with the installer when creation of the users is required.
    The concept of zones includes that the kernel of the host system is used. Therefore other limitations may occur when adapting the OS kernel is required. Also the read-only directories mounted from the global zone may cause problems.
    Please read 724713 and 828268, and one important zone note also; sorry to say I really forgot that note number.
    --Sreejesh

  • Cluster zone without agent, is it possible?

    Hi. Experts
    I'm planning to install a 2-node cluster with 4 local zones; each node has 2 local zones.
    The global zone will be Cluster 3.2; the application will be installed in the local zones.
    The requirement is that all the local zones are active.
    From my understanding it is neither failover nor scalable, so no zone agent is needed. Is it possible to achieve?
    My question is how to protect the applications and IPs in the local zones.
    tks, regards

    The HA Container agent is just one option within Solaris Cluster 3.2 to handle non-global zones.
    You can achieve what you want by using the ability of Solaris Cluster 3.2 to treat zones as virtual nodes. You can specify the Nodelist property of a resource group to run within zones by using the syntax node:zone. Example:
    # clrg register -n node-a:zone-1,node-b:zone-2 my-rg
    would register a RG to run on node-a within zone-1, and it can fail over to node-b into zone-2. zone-1 and zone-2 would run all the time. Only the resources configured within RG my-rg would fail over between the two zones.
    The SC concepts guide has a brief introduction:
    http://docs.sun.com/app/docs/doc/820-2554/gcbkf?a=view
    A brief deep dive into both models can be found at
    http://opensolaris.org/os/community/ha-clusters/ohac/Documentation/Technical-Presentations/SunClusterAndSolaris10Container.pdf
    Greets
    Thorsten

  • Oracle 9i Database and Solaris 10 Zones

    Can an existing Oracle 9i database be moved into a new zone? The database resides on its own filesystem. The server is running Solaris 10, and the zones are not set up yet, but Oracle is installed, and the 2 databases are up and running.
    Basically there are 2 existing oracle 9i databases, and I want to setup 2 zones, where none other than the default global exist right now, and have each database in a zone.
    Thanks in advance.

    You need to do the following -
    Configure loopback mount points from the global zone into the local zone through zonecfg (one for the Oracle binaries, the other for the Oracle data). I am assuming that you want to share the same Oracle binary location between all the zones. The Oracle database mounts must be separate, and make sure that you put them in the respective zone's config only.
    Create an oracle user with dba group in both the zones. It's best if the user IDs & group IDs across all the zones & global zone match.
    Stop both the database instances in the global zone.
    zlogin to a zone, su as oracle and startup the instances.
    Hope that works!

  • Zone Based Firewall for VPN connections does not work after IOS upgrade

    Hi all,
    We use a Cisco 2911 router as corporate gateway, with a Zone Based Firewall implemented. I upgraded IOS to the latest version (15.2(2)T1), originally version 15.1(4)M1, to solve an issue with AnyConnect connections (bug CSCtx38806), but I found that after the upgrade the VPN users are not able to communicate with sources in other zones.
    More specific
    WebVPN use this virtual template interface
    interface Virtual-Template100
    description Template for SSLVPN
    ip unnumbered GigabitEthernet0/1.100
    zone-member security INSIDE
    There are other zones VOICE, LAB, ...
    In the policy any connection is allowed (used inspection of icmp, tcp and udp) from INSIDE zone to VOICE or LAB zone
    After VPN connection I am able to reach resources in INSIDE zone (which is the most important), but not in other zones. Before upgrade it worked.
    Once I changed the zone in the Virtual-Template interface to VOICE, I was able to reach sources in the VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from VPN, as ping is blocked by policy on the return path, i.e. by the policy VOICE->INSIDE. Once I allowed communication from the "destination" zone to the INSIDE zone, the connections started to work, but of course it is not something I want to set up.
    Does anybody have the same experience?
    Regards
    Pavel

    It seems to me I should add one important note: if a client is connected directly in the INSIDE zone, he can reach resources in other zones without any issue, so the problem is only when the client is connected by VPN, not in the ZBF policy setup.
    Pavel

  • Access Manager + Portal Server + Zones + Subnets

    Hi
    Appreciate your help.
    I'm installing Access Manager and Portal Server, this is the environment:
    - 3 machines - Solaris 10, 2 local zones per machine
    ie
    root@global1 # zoneadm list -cv
    ID NAME STATUS PATH
    0 global running /
    1 accesclbp1 running /zone-access
    2 portalclbp1 running /zone-portal
    Every local zone assigned to Portal Server and the global zone lives on the same VLAN, and every local zone assigned to AM lives on a different VLAN.
    The failover of AM has been working right now, but I have a problem trying to install the Portal Servers: when I try to connect to AM through the VIP I'm losing the connections to AM; sometimes I can connect and sometimes it is not possible.
    Does somebody have an environment like this? PS + AM + zones + subnets???

    We have this configuration as well.
    A few things we have experienced during installation:
    1. If Access Manager is https, the Portal install fails even if the cert is included in the installer JVM.
    2. Zones: We use DNS and in nsswitch.conf - hosts and ipnodes were both set to files dns. Once I changed ipnodes to files only problem disappeared.
    3. Check that Password Encryption Key is the same across the AMSDKs and the Access Manager servers.

  • Zone is in state 'shutting_down', but zoneadmd does not appear to be availa

    Hello,
    I have a global zone with two local zones. One of the local zones has an issue where it got stuck in the "ready" state when its SAN device was not available.
    This zone continues to hold onto its SAN device (which has an I/O error), and I am unable to halt the zone, and cannot unmount the zfs partition (using "-f").
    If I try to kill the zone-related processes for this zone, they do not die.
    Any ideas on how to stop processes related to this zone (zsched, zoneadmd) and umount the zfs partition? "zpool list" shows the pool as UNAVAIL but the zone partition is still showing as mounted (df) and I can see files via "ls" -- no writing permitted... "zfs list" does not show the device related to this zone -- but "df" does...
    I would prefer to not have to reboot the global -- and the other local zone is running with no issues. Is there any way out of this situation where a device has an I/O issue and various processes are trying to access the device...
    thanks in advance,
    --Rebecca

    Update: I am able to see the LUNs via a single path, so my zfs pools will work but without the redundancy of dual paths...
    Please bear with me as I describe the problem.
    There should be 4 paths to each lun, (via 2 HBAs, 2 physical host connections to the SAN).
    I see for lun0 4 paths -- 3 are shown via luxadm display as accessing the same physical device -- but the device is listed as "Not Ready". The 4th path to the same WWN device is shown as "online" and that one is working. The lun1 has only a single "online" path -- no additional paths.
    I do not have access to the SAN but I am told that all the zoning is correct for this host. The SAN storage is Clariion CX3-40.
    The error message in /var/adm/messages associated with this is: Page83 data not standards compliant DGC LUNZ 0326
    and there are also SCSI error messages related to this.
    There are 2 other hosts that have this issue -- but in those cases there are multiple paths that are working.
    SAN switches are brocades.
    What might cause the same lun to have one working path on an HBA and one path with the device in the "Not Ready" state (visible but not readable or writeable)? The other physical connection has two paths in the "Not Ready" state.
    Any ideas on what could cause devices to appear as "Not Ready" when in fact the real device is working? Or what to check on the SAN side. OR suggestions on how to fix.
    I have done the following: exported the zfs pools; unconfigured all devices via cfgadm -c unconfigure; validated all devices are gone from /dev/*dsk; then re-created. I also tried "boot -r" which I did not expect to fix the problem and it did not. Is there anything else to try on the host side that might shed more light on where the problem lies?
    (Note: we have many hosts with this <same> configuration -- 2 HBAs connected; 4 working paths shown.)
    thanks much for any assistance,
    --Rebecca

  • Zone create not installing all zone root files

    I'm installing a new T5240 Solaris 10 u6 10/08 with the 10_Recommended patch kit from 09 Dec 2008. The system is jumpstarted with /, /usr, /var, /export/home on SVM mirrored internal 146g drives. When I first got the server up and running, I tested zone creation with a default zone setup:
    zonecfg -z test
    create -b
    set zonepath=/export/home/zones
    set autoboot=true
    add net
    set physical=nxge0
    set address=192.168.103.254
    end
    verify
    commit
    exit
    zoneadm -z test install
    Preparing to install zone <test>.
    Creating list of files to copy from the global zone.
    Copying <139100> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1164> packages on the zone.
    This worked, so I removed it and continued with the server configuration:
    The nxge0 interface has been configured with 802.1q vlan (nxge103000) and is successfully on the network. I configured MPX/IO on the pair of fp interfaces. I've added a disk from our HP EVA SAN array and created a ZFS pool and filesystem for the zoneroot, mounted at /opt/zones/zoneroots/oraprod1.
    Now, when I try to recreate the test zone it now fails to copy all of the required files to the root, puts many errors into the install log about files changed in the global-zone root after installation and won't boot the zone past single-user maintenance mode.
    The zone create now shows: (after adjusting the phys net i/f name)
    bash-3.00# zoneadm -z test2 install
    Preparing to install zone <test2>.
    Creating list of files to copy from the global zone.
    Copying <78> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1165> packages on the zone.
    When I zlogin to the zone after it's booted into maint, it's obvious that many root fs files are missing - including
    most of the SMF service manifests.
    I've searched for forums, mailing lists and sun support knowledgebase without finding anything similar.
    What am I missing?

    Yes, I've reproduced the problem with and without the '-b' option on create, on UFS as well as ZFS filesystem and on /export/home/zones on the local drive.
    My plan now is to walk through the configuration process one step at a time, trying to create the zone at each step. I re-jumped the server last night and created the zone correctly. I then removed it, installed patches in single user, rebooted with "-r" and was able to recreate the zone. I've enabled mpxio and I can still create the zone. Next up tonight is to add the 802.1Q configuration, add the ZFS rootzone and run our custom scripts that do server hardening, user setup, etc.
    There was one bug report that sounded "interesting" having to do with a patch set that wasn't zone-friendly as it left patch files in place w/o fixing the manifests so when the zone create ran it found files that didn't match the checksums or whatever is used to validate file correctness when copying files into the zone.
    I'll keep updating this with my progress and findings.

  • Recommended Patch Clusters and Zones

    Good Afternoon,
    Ran into a problem earlier this week and wanted to get other views on this. Our current configuration is as follows:
    Global zone installed on Local Disk (ZFS)
    5 - Non-global whole root zones installed on SAN disk (ZFS)
    No Live Upgrade (Will eventually get to this)
    Never have had any problems until I attempted to install the latest Patch Cluster because of Comms Suite 7. I shut down all of the non-global zones and brought the global zone down to init S. I then started my Patch Cluster install. The Patch Cluster appears to start all of the zones up in an administrative mode for patching. The problem was that when it got to the kernel patch, 141414-10, it appeared to install in the global but none of the non-global zones were updated. The patch then stopped on 141414-10 (patch 109 of 155). I did finally get the patch cluster to install after some work and a support call.
    My question is this the proper way to install the Patch Clusters? I've been told that you have to "mount" the zones manually but wouldn't that defeat the purpose of being single-user?
    Any help is appreciated.
    Doug

    I tend to use LU to create a new BE and then patch that. Then activate the new BE and reboot.
    Saves a lot of pain and gives a safe fall back option.
