Zonecfg set ip-type=exclusive | Sun Microsystems 10 guide

Version 3.1-enSolaris 10 Container Guide - 3.1 5. Cookbooks

Effective: 30/11/2009

5.2.7.5. Zones in separate networks using exclusive IP instances

[dd]Two local zones, zone1 and zone2, are located in separated networks and provide services for other networks.

−Each local zone should have its own physical interface in the network.

−Additional networks are connected to the network segment.

−Routing is used.

−There should be no communication between local zones.

−Communication between the global zone and the local zones is not intended.

Implementation:

∙A separate GLDV3 interface (e.g. bge1 and bge2) is provided for each zone. These interfaces must not be used elsewhere in the global zone.

zone1-zonecfg: add net physical=bge1

zone2-zonecfg: add net physical=bge2

∙The zone configuration for zone1 and zone2 is converted to the use of exclusive IP instances.

zonecfg: set ip-type=exclusive

∙In the zones, the IP addresses and the default router are specified in the usual way.

Zone 1: /etc/hostname.bge1

Zone 2: /etc/hostname.bge2 /etc/defaultrouter

∙Through the exclusive IP instances, communication between the zones or between the zones and the global zone takes place only if corresponding routing entries exist in the zones and if a physical network connection exists between the zone interfaces.

192.168.201.0

Network

bge1 - 192.168.201.1	bge2 - 192.168.202.1
Def router - 192.168.201.2	Def router - 192.168.202.2
ip type: exclusive	ip type: exclusive
Zone 1	Zone 2

bge0 - 192.168.1.1

ip type: shared

Global Zone

192.168.1.0

Network

192.168.202.0

Network

Figure 35: [dd] Zones in separate networks using exclusive IP instances

87

Image 94

Sun Microsystems 10 manual Zones in separate networks using exclusive IP instances, Zonecfg set ip-type=exclusive

Contents

Solaris 10 Container Guide Table of contents III Network limitation IPQoS Duplicating zones with zoneadm detach/attach and zfs clone Disclaimer VII Introduction Solaris Containers and Solaris Zones Overview Ug Characteristics of Solaris 10 Zones Zones and security Zones and software installationZones and privileges Processor sets in a resource pool Zones and resource managementCPU resources Fair share scheduler in a resource pool Memory resource management Network resource management IPQoS = IP Quality of ServiceUser interfaces for zones Zones and high availability Branded zones Linux and Solaris 8/Solaris 9 compatibility Solaris container cluster aka zone cluster Virtualization technologies compared App Server Domains/physical partitions Logical partitions Dd Logical partitions Containers Solaris zones in an OS Dd Container Solaris zones in an OS Consolidation in one computer Dd Consolidation in one computer Summary of virtualization technologies App Physical Logical Resource Virtualisation Management Requirement SolutionGrid computing with isolation Assessment Global Zone System Small web servers Multi-network consolidation Dd Use case Multi-network consolidation Multi-network monitoring Dd Use case Multi-network monitoring Multi-network backup Dd Use case Multi-network backup Consolidation development/test/integration/production Consolidation of test systems Dd Use case Consolidation of test systems Training systems Requirements Server consolidation Dd Use case Server consolidation Confidentiality of data and processes Dd Use case Confidentiality of data and processes Test systems for developers Dd Use case Developer test systems Solaris 8 and Solaris 9 containers for development Solaris 8 and Solaris 9 containers as revision systems Hosting for several companies on one computer Dd Use case Hosting for different companies on one computer SAP portals in Solaris containers Da Use case SAP portals in Solaris containers Upgrade- and Patch-management in a virtual environment Da Live upgrade Flying zones Service-oriented Solaris server infrastructure DC1 DC2 Solaris Container Cluster aka zone cluster − /lib − /platform − /sbin − /usr ConceptsSparse-root zones Whole-root zones Whole-root Var Usr Comparison between sparse-root zones and whole-root zonesPlatform ~3.6 GB Software in zones Software installations in Solaris and zones Software installation by the global zone usage in all zones Installation by the local zone usage in the local zone Data storage Program/application storage Opt/staroffice Root disk layoutZFS within a zone Volume manager in local zones Options for using ZFS in local zonesNFS and local zones Shared IP instance and routing between zones Network concepts Introduction into networks and zonesNetwork address management for zones Ndd -set /dev/ip iprestrictinterzoneloopback Interface = InterfacenameInstance + VLAN-ID Exclusive IP instancePlumb, snoop1M, dhcp5 or ipfilter5 is possible Firewalls between zones IP filter Zones and limitations in the network Ipmp Static configuration of devices Dynamic configuration of devices Hosts database Separate name services in zonesServices Projects Paradigms Applications in local zones only One application per zone Clustered containers Client Solaris Container Cluster Configuration and administration Automated provisioning of services Automatic configuration of zones by scriptInstallation and administration of a branded zone Lifecycle management Patching with live upgradePatching a system with local zones Patching with zoneadm attach -u Patching with upgrade serverMoving zones between architectures sun4u/sun4v Backup and recovery of zones ∙ create /zones/zone1 Management and monitoring Backup of zones with ZFSUsing boot arguments in zones Migration of a zone to another system Extended accounting with zones Consolidating log information of zonesMonitoring zone workload Auditing operations in the zone DTrace of processes within a zone Global# dtrace -n iostart@zonename = count Capping of CPU time for a zone Resource managementTypes of resource management General resource pools Fair share scheduler in a zone Lightweight processes LWPFair share scheduler FSS Projects, projadd, projmod, projdel Assessing memory requirements for global and local zones Limiting memory resourcesRcapstat Limiting virtual memory IPC limits Semaphore, shared memory, message queues Limiting locked memoryNetwork limitation IPQoS Privileges and resource management Solaris container navigator Dd Planning a Solaris container Dd Self-qualification of an application in a container 4zonecfgbrand=native Configuration files Installation and configurationDd File /etc/zones/index Special commands for zones Command Description Command Description Var/crash SwapVar Metadb Configuring a sparse root zone required Actions Configuring a whole root zone required Actions Zone installation Zone initialization with sysidcfg Uninstalling a zone Starting zones automatically Optional settingsChanging the set of privileges of a zone Using a device in a local zone Storage within a zone Local zone mounts a UFS file system from a device Zone1# ls /dev/dsk C1d0s0 Using a DVD drive in the local zone User level NFS server in a local zone Version 3.1-enSolaris 10 Container Guide 3.1 5. Cookbooks Tank 30.2M 10G 18K None Tank/zone1 16.3M 983M Mnt Several zones share a file systemZFS in a zone User attributes for ZFS within a zone With zonecfg -z zone export -f file of an existing zone Configuring a zone by command file or templateAutomatic quick installation of zones − zonecfg -z zone -f file Accelerated automatic creation of zones on a ZFS file system Zones hardening Network Change network configuration for shared IP instancesSet default router for shared IP instance Network interfaces for exclusive IP instances IP filter between shared IP zones on a system Set interceptloopback Global and local zone with shared network IP filter between exclusive IP zones on a systemZones, networks and routing Implementation NetworkNetwork Zone 1 /etc/hostname.bge1 Zone 2 /etc/hostname.bge2 Zoneadm -z zone1 ready Zoneadm -z zone2 ready Zones in separate networks using the shared IP instanceIfconfig bge1 plumb down Set defrouter=192.168.202.2 Zonecfg set ip-type=exclusive Zones in separate networks using exclusive IP instancesZone 1 /etc/hostname.bge1 Zone2 192.168.202.1 are now active 192.168.101.201 Zone 1 /etc/hostname.bge1 Zone1 192.168.201.1,192.168.200.1 and zone2192.168.202.1 Zoneadm -z zone1 boot, zoneadm -z zone2 boot Zone 1 /etc/hostname.bge3 /etc/defaultrouter Load Balancer Boot arguments in zones Booting a zoneRoot password for system maintenance control-d to bypass Software installation per mount Zone migration among systems Software installation with provisioning system∙ Detach the zone with zoneadm -z zone detach Global Running Native Shared Test Export/home/zone/test Zone migration within a systemGlobal# zoneadm List -vc Global# zoneadm -z test halt Global Running Native Shared Test Installed Container/test Duplicating zones with zoneadm clone ID Name Status Path Brand 100 Duplicating zones with zoneadm detach/attach and zfs clone 101 Moving a zone between a sun4u and a sun4v system 102 103 Lucreate -c s10-807 -n s10-807+1 -m //dev/dsk/c1t0d0s4ufs Using live upgrade to patch a system with local zonesShutting down a zone Lumount s10-807+1 Reboot Luactivate s10-807+1 init 105 Zone accounting DTrace in a local zoneZone1# dtrace -l tail +2 zone1# Zone audit Limiting the CPU usage of a zone CPU capping Limiting the /tmp-size within a zoneSwap Tmp Tmpfs Yes Size=250m Resource pools with processor sets 108 Global # svcs dynamic Dynamic resource pools for zones109 Rcapadm -z zone1 -m 40m Limiting the physical main memory consumption of a projectImplementing memory resource management for zones 110 Zone.max-swap Privileged 180MB Deny System 16.0EB Max Global # prctl -i zone zone1 Zone 22 zone1111 Ipkg-Branded zones Solaris Container in OpenSolarisOpenSolaris general 112 Cookbook Installing an ipkg zone Cookbook Configuring an ipkg zone113 References 114