Virtual Network - Part 3
By Jeff Victor-Oracle on Feb 08, 2011
This is the third in a series of blog entries that discuss the network virtualization features in Oracle Solaris 11 Express. Part 1 introduced the concept of network virtualization and listed the basic virtual network elements that Solaris 11 Express (S11E) provides. Part 2 expanded on the concepts and discussed the resource management features which can be applied to those virtual network elements (VNEs).
This blog entry assumes that you have some experience with Solaris Zones. If you don't, you can read my earlier blog entries, or buy the book "Oracle Solaris 10 System Virtualization Essentials" or read the documentation.
This entry will demonstrate the creation of some of these VNEs.
For today's examples, I will use an old Sun Fire T2000 that has one SPARC CMT (T1) chip and 32GB RAM. I will pretend that I am implementing a 3-tier architecture in this one system, where each tier is represented by one Solaris zone. The mythical example provides access to an employee database. The 3-tier service is named 'emp' and VNEs will use 'emp' in their names to reduce confusion regarding the dozens of VNEs we expect to create for the services this system will deliver.
The commands shown below use the prompt "GZ#" to indicate that the command is entered in the global zone by someone with sufficient privileges. Similarly, the prompt "emp-web1#" indicates a command which is entered in the zone "emp-web1" as a sufficiently privileged user.
Fortunately, Solaris network engineers gathered all of the actions regarding the management of network elements (virtual or physical) into one command: dladm(1M). You use dladm to create, destroy, and configure datalinks such as VNICs. You can also use it to list physical NICs:
GZ# dladm show-link
LINK        CLASS    MTU   STATE    BRIDGE  OVER
e1000g0     phys     1500  up       --      --
e1000g2     phys     1500  unknown  --      --
e1000g1     phys     1500  down     --      --
e1000g3     phys     1500  unknown  --      --

We need three VNICs for our three zones, one VNIC per zone. They will also have useful names - one for each of the tiers - and will share e1000g0:
GZ# dladm create-vnic -l e1000g0 emp_web1
GZ# dladm create-vnic -l e1000g0 emp_app1
GZ# dladm create-vnic -l e1000g0 emp_db1
GZ# dladm show-link
LINK        CLASS    MTU   STATE    BRIDGE  OVER
e1000g0     phys     1500  up       --      --
e1000g2     phys     1500  unknown  --      --
e1000g1     phys     1500  down     --      --
e1000g3     phys     1500  unknown  --      --
emp_web1    vnic     1500  up       --      e1000g0
emp_app1    vnic     1500  up       --      e1000g0
emp_db1     vnic     1500  up       --      e1000g0
GZ# dladm show-vnic
LINK        OVER      SPEED  MACADDRESS        MACADDRTYPE  VID
emp_web1    e1000g0   0      2:8:20:3a:43:c8   random       0
emp_app1    e1000g0   0      2:8:20:36:a1:17   random       0
emp_db1     e1000g0   0      2:8:20:b4:5b:d3   random       0
The system has four NICs and three VNICs. Note that the name of a VNIC may not include a hyphen (-) but may include an underscore (_).
VNICs that share a NIC appear to be attached together via a virtual switch. That vSwitch is created automatically by Solaris. This diagram represents the NIC and VNEs we have created.
Now that these datalinks - the VNICs - exist, we can assign them to our zones. I'll assume that the zones already exist, and just need network assignment.
GZ# zonecfg -z emp-web1 info
zonename: emp-web1
zonepath: /zones/emp-web1
brand: ipkg
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
GZ# zonecfg -z emp-web1
zonecfg:emp-web1> add net
zonecfg:emp-web1:net> set physical=emp_web1
zonecfg:emp-web1:net> end
zonecfg:emp-web1> exit
Those steps can be followed for the other two zones and matching VNICs. After those steps are completed, our earlier diagram would look like this:
Packets passing from one zone to another within a Solaris instance do not leave the computer if they are in the same subnet and use the same datalink. This greatly improves network bandwidth and latency. Otherwise, the packets head for the zone's default router.
Therefore, in the above diagram packets sent from emp-web1 destined for emp-app1 would traverse the virtual switch, but not pass through e1000g0.
This zone is an "exclusive-IP" zone, meaning that it "owns" its own networking. What is its view of networking? That's easy to determine. The zlogin(1M) command runs a complete command line inside the zone. By default, the command is run as the root user.
GZ# zoneadm -z emp-web1 boot
GZ# zlogin emp-web1 dladm show-link
LINK        CLASS    MTU   STATE    BRIDGE  OVER
emp_web1    vnic     1500  up       --      ?
GZ# zlogin emp-web1 dladm show-vnic
LINK        OVER      SPEED  MACADDRESS        MACADDRTYPE  VID
emp_web1    ?         0      2:8:20:3a:43:c8   random       0
Notice that the zone sees its own VNEs, but cannot see NEs or VNEs in the global zone, or in any other zone.
The other important new networking command in Solaris 11 Express is ipadm(1M). That command creates IP address assignments, enables and disables them, displays IP address configuration information, and performs other actions.
The following example shows the global zone's view before configuring IP in the zone:
GZ# ipadm show-if
IFNAME     STATE    CURRENT       PERSISTENT
lo0        ok       -m-v------46  ---
e1000g0    ok       bm--------4-  ---
GZ# ipadm show-addr
ADDROBJ           TYPE     STATE   ADDR
lo0/v4            static   ok      127.0.0.1/8
lo0/?             static   ok      127.0.0.1/8
lo0/?             static   ok      127.0.0.1/8
lo0/?             static   ok      127.0.0.1/8
e1000g0/_a        static   ok      10.140.204.69/24
lo0/v6            static   ok      ::1/128
lo0/?             static   ok      ::1/128
lo0/?             static   ok      ::1/128
lo0/?             static   ok      ::1/128
At this point, not only does the zone know it has a datalink (which we saw above) but the IP tools show that it is there, ready for use. The next example shows this:
GZ# zlogin emp-web1 ipadm show-if
IFNAME     STATE    CURRENT       PERSISTENT
lo0        ok       -m-v------46  ---
GZ# zlogin emp-web1 ipadm show-addr
ADDROBJ           TYPE     STATE   ADDR
lo0/v4            static   ok      127.0.0.1/8
lo0/v6            static   ok      ::1/128

An ethernet datalink without an IP address isn't very useful, so let's configure an IP interface and apply an IP address to it:

GZ# zlogin emp-web1 ipadm create-if emp_web1
GZ# zlogin emp-web1 ipadm show-if
IFNAME     STATE    CURRENT       PERSISTENT
lo0        ok       -m-v------46  ---
emp_web1   down     bm--------46  -46
GZ# zlogin emp-web1 ipadm create-addr -T static -a local=10.140.205.82/24 emp_web1/v4static
GZ# zlogin emp-web1 ipadm show-addr
ADDROBJ           TYPE     STATE   ADDR
lo0/v4            static   ok      127.0.0.1/8
emp_web1/v4static static   ok      10.140.205.82/24
lo0/v6            static   ok      ::1/128
GZ# zlogin emp-web1 ifconfig emp_web1
emp_web1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.140.205.82 netmask ffffff00 broadcast 10.140.205.255
        ether 2:8:20:3a:43:c8
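The whole procedure above (create the VNIC on the shared NIC, hand it to the zone with zonecfg, boot the zone, then create the IP interface and address inside it with ipadm) can be scripted once and repeated for all three tiers. The script below is an added example, not code from the original post or from Oracle. It assumes the zones already exist, that the shared NIC is e1000g0 (override with NIC=...), and it uses the post's naming rule that a VNIC name may contain underscores but not hyphens, so the zone name emp-web1 maps to the VNIC emp_web1. Only 10.140.205.82/24 for emp-web1 comes from the post; the addresses for emp-app1 and emp-db1 are constructed placeholders. With DRY_RUN=1 (the default) it prints the dladm, zonecfg, zoneadm and ipadm commands it would run instead of executing them, so the plan can be reviewed on any host before running it in the global zone with DRY_RUN=0. The final step per zone lists the datalinks as seen from inside the zone, which is the quickest way to confirm the isolation shown earlier: an exclusive-IP zone should report only its own VNIC.

```shell
#!/bin/sh
# Added example, not from the original post: script the three-tier setup shown
# above. DRY_RUN=1 (default) prints each command instead of executing it, so the
# plan can be reviewed on any host; DRY_RUN=0 runs it in the global zone.
# Assumptions: the zones already exist, the NIC is e1000g0 (NIC variable), and
# the addresses for emp-app1 and emp-db1 are constructed placeholders; only
# 10.140.205.82/24 for emp-web1 comes from the post.

DRY_RUN=${DRY_RUN:-1}
NIC=${NIC:-e1000g0}

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# VNIC names may contain letters, digits and underscores but not hyphens;
# reject anything else before dladm does.
valid_vnic_name() {
    case "$1" in
        '')               return 1 ;;   # empty name
        *-*)              return 1 ;;   # hyphen is not allowed
        *[!A-Za-z0-9_]*)  return 1 ;;   # any other punctuation or whitespace
    esac
    return 0
}

# Derive the VNIC name from the zone name: emp-web1 -> emp_web1.
vnic_for_zone() {
    printf '%s\n' "$1" | tr '-' '_'
}

# Create one tier: VNIC on the shared NIC, net resource in the zone config,
# boot the zone, then configure the IP interface and address inside it.
setup_tier() {
    zone=$1; vnic=$2; nic=$3; addr=$4
    valid_vnic_name "$vnic" || { echo "invalid VNIC name: $vnic" >&2; return 1; }
    run dladm create-vnic -l "$nic" "$vnic"
    run zonecfg -z "$zone" "add net; set physical=$vnic; end"
    run zoneadm -z "$zone" boot
    run zlogin "$zone" ipadm create-if "$vnic"
    run zlogin "$zone" ipadm create-addr -T static -a "local=$addr" "$vnic/v4static"
}

# Isolation check from the post: an exclusive-IP zone lists only its own VNIC,
# never the physical NIC or another zone's VNIC (-p -o link gives one name per line).
show_zone_links() {
    run zlogin "$1" dladm show-link -p -o link
}

# Build all three tiers; .82 is from the post, .83 and .84 are constructed.
i=82
for zone in emp-web1 emp-app1 emp-db1; do
    setup_tier "$zone" "$(vnic_for_zone "$zone")" "$NIC" "10.140.205.$i/24"
    show_zone_links "$zone"
    i=$((i + 1))
done
```

Running it as-is prints the command plan; if a VNIC name fails validation (for example, passing the zone name emp-web1 as the VNIC name), setup_tier stops before touching dladm. Nothing here configures a default route inside the zone, which the post covers separately with route(1M) or /etc/defaultrouter.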
The last command above shows the "old" way of displaying IP address configuration. The command ifconfig(1M) is still there, but the new tools dladm and ipadm provide a more consistent interface, with a well-defined separation between datalink management and IP management.
Of course, if you want the zone's outbound packets to be routed to other networks, you must use the route(1M) command, the /etc/defaultrouter file, or both.
Next time, I'll show a new network measurement tool and the ability to control the amount of network bandwidth consumed.