Just a few days ago I’ve been busy configuring one of the Solaris 10 zones on a DMZ server, and sure enough I hit one of the most common IP-related issues with non-global zones.
Shared IP configuration for non-global Solaris zones
By default, non-global zones will be configured with a shared IP functionality. What this means is that IP layer configuration and state is shared between the zone you’re creating and the global zone. This usually implies both zones being on the same IP subnet for each given NIC.
Shared IP mode is defined by the following statement in zone configuration:
Here’s all the commands needed to enable it for a zone called s10zone in my example:
solaris# zonecfg -z s10zone zonecfg:s10zone> set ip-type=shared zonecfg:s10zone> verify zonecfg:s10zone> commit zonecfg:s10zone> end solaris#
While I’ve deployed quite a few zones before, it was only recently that I learned what sharing IP layer configuration meant in practical terms: no IP routing within non-global zone. So if for some reason you want your non-global zone to use a different IP route for connecting one of the available networks, you really can’t don it in shared IP mode, because your non-global zone can only inherit the routing rules of the global zone.
You still have an option of assigning different IP addresses to different virtual interfaces of a non-global zone, but unless their routing is catered for by the global zone, it won’t be of much use.
Exclusive IP configuration for non-global Solaris zones
Configured using this statement in zone configuration:
… this mode implies that a given non-global zone will have exclusive access to one of the NICs on your system.
While for me the most important aspect of such exclusivity was the possibility to configure zone-specific routing, there’s obviously much more offered by this mode:
- DHCPv4 and IPv6 stateless address autoconfiguration
- IP Filter, including network address translation (NAT) functionality
- IP Network Multipathing (IPMP)
- IP routing
- ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
- IP security (IPsec) and IKE, which automates the provision of authenticated keying material for IPsec security association
So here it is – another design lesson for you – make sure you know what kind of networking your zones will need.