Using branded zones on a laptop

I'm figuring that now that we've released BrandZ there are going to be people out there who want to install Linux branded zones and run applications that might not be available for x86 Solaris (say, acroread). If you have a machine with a static network configuration this will be pretty easy: create a Linux zone with a static IP, log into it, and run your application. But if, like me, you want to do this on your laptop, where the network environment may change, it takes a bit more work. So here I'll document my current laptop configuration, which I've set up to let me easily run applications in multiple branded and non-branded zones in a changing network environment.

To support running multiple zones I had to create a local subnet on my laptop. (I randomly chose 10.11.12.0/29; you could choose a different network. Also, I used the iprb network interface on my laptop; if you have a different network interface, substitute its name for iprb in the commands below.) Here's what I did in the global zone to set this up:

- added entries to /etc/netmasks:
> 10.11.12.0 255.255.255.248

- added entries to /etc/hosts:
> 10.11.12.0 lnetwork
> 10.11.12.1 lrouter
> 10.11.12.2 lhost
> 10.11.12.3 lzone1
> 10.11.12.4 lzone2
> 10.11.12.5 lzone3
> 10.11.12.6 lzone4
> 10.11.12.7 lbroadcast

- created /etc/hostname.iprb0 with the following content:
> addif lhost

- reboot [1]

Now whenever my system boots I have a logical interface (iprb0:1) plumbed on the local subnet. iprb0 itself is still free, so all my scripts that set up DHCP on that interface keep working. Next I created a CentOS Linux branded zone with a network interface on this new local network.

# cat > /tmp/zonecfg.txt <<-EOF
create -B lx
set autoboot=true
set zonepath=/export/zones/lzone1
add net
set physical=iprb0
set address=lzone1/29
end
commit
exit
EOF
# zonecfg -z lzone1 -f /tmp/zonecfg.txt
# zoneadm -z lzone1 install -d <path to install archives>
# zoneadm -z lzone1 boot
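The /29 above has exactly eight addresses (network, fake router, lhost, four zones, broadcast), so it is worth checking that whatever prefix you pick has room before you write the hosts table and start cloning zonecfg input for lzone2, lzone3 and lzone4. The script below is an added example, not part of the original post: it computes the netmask for a prefix, checks the capacity, and prints the same zonecfg command script the post uses for each zone. It needs a POSIX shell with $(( )) arithmetic (bash, ksh, dash); on Solaris run it with ksh, since the legacy /bin/sh has none. The zonepath base /export/zones and the zone naming scheme lzoneN are taken from the post; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): plan the private subnet the
# post carves out for its zones and emit a zonecfg command script per zone.
# Needs $(( )) arithmetic: bash, ksh or dash (use ksh on Solaris).

# Dotted-quad netmask for a /PREFIX, built octet by octet so no
# intermediate value exceeds 32 bits (safe in 32-bit ksh arithmetic).
prefix_to_netmask() {      # prefix_to_netmask PREFIX
    p=$1 i=0 out=
    while [ "$i" -lt 4 ]; do
        bits=$(( p - 8 * i ))
        [ "$bits" -gt 8 ] && bits=8
        [ "$bits" -lt 0 ] && bits=0
        out="$out${out:+.}$(( 256 - (1 << (8 - bits)) ))"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Usable host addresses in a /PREFIX (network and broadcast excluded).
usable_hosts() {           # usable_hosts PREFIX
    printf '%d\n' $(( (1 << (32 - $1)) - 2 ))
}

# The plan needs one address for the fake router (lrouter), one for the
# global zone (lhost) and one per zone.  Exit status 0 when there is room.
plan_ok() {                # plan_ok PREFIX NZONES
    [ "$(usable_hosts "$1")" -ge $(( $2 + 2 )) ]
}

# zonecfg command script for one lx zone, mirroring the post's template.
# ZONEPATH_BASE defaults to the post's /export/zones.
zonecfg_text() {           # zonecfg_text ZONE IFACE PREFIX
    cat <<EOF
create -B lx
set autoboot=true
set zonepath=${ZONEPATH_BASE:-/export/zones}/$1
add net
set physical=$2
set address=$1/$3
end
commit
exit
EOF
}

# Example run with the post's numbers: 10.11.12.0/29, iprb0, four zones.
prefix=29 nzones=4 iface=iprb0
echo "netmask for /$prefix: $(prefix_to_netmask "$prefix")"
if plan_ok "$prefix" "$nzones"; then
    echo "/$prefix has $(usable_hosts "$prefix") usable addresses: room for $nzones zones"
    n=1
    while [ "$n" -le "$nzones" ]; do
        # Save each script to a file and load it as the post does:
        #   zonecfg -z lzone$n -f /tmp/lzone$n.cfg
        echo "# --- zonecfg input for lzone$n ---"
        zonecfg_text "lzone$n" "$iface" "$prefix"
        n=$(( n + 1 ))
    done
else
    echo "/$prefix is too small for $nzones zones plus lrouter and lhost" >&2
fi
```

Each zone still needs its own /etc/hosts entry (lzoneN) before zonecfg will accept "set address=lzoneN/29", since the address is resolved by name.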

After booting the zone I can see another logical interface plumbed on my machine (iprb0:2), allocated to the new zone. At this point the only way to log into the zone is via zlogin: zonecfg has only allocated the networking resources to the zone, and the Linux processes inside it are not yet aware of (or configured to use) those resources. So now we'll log into the Linux zone and configure its network:

# zlogin lzone1
[Connected to zone 'lzone1' pts/4]
...
-bash-2.05b# cat > /etc/sysconfig/network <<-EOF
NETWORKING=yes
HOSTNAME=lzone1
GATEWAY=10.11.12.1
EOF
-bash-2.05b# exit
...
# zoneadm -z lzone1 reboot

Once the zone finishes rebooting, networking should be enabled within the zone and I should be able to log into it via ssh:

edp@squee% ssh root@lzone1
The authenticity of host 'lzone1 (10.11.12.3)' can't be established.
RSA key fingerprint is be:49:a8:09:8c:19:18:cc:f2:1c:e3:84:c7:76:d7:5d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'lzone1,10.11.12.3' (RSA) to the list of known hosts.
root@lzone1's password: <the default password is "root">
Last login: Tue Nov 29 16:52:22 2005 from 10.11.12.2
Welcome to your shiny new Linux zone.
...
-bash-2.05b#

Sweet! Now, since ssh supports X forwarding (ssh -X, provided the zone's sshd permits X11Forwarding), I can simply run X applications like xterm, acroread, RealPlayer, or GLQuake without any xauth/xhost/DISPLAY magic.

Of course, after doing all this you'll want to change that default root password, create yourself a local user account in the Linux zone, and loopback-mount (lofs) your home directory from the global zone so you can easily read all those .pdf documents.

Well, this is all fine and whizzy (and it lets me conveniently run Linux apps and do BrandZ development on my laptop), but what happens when you hook your laptop up to a real network and discover that you want to reach it from within the Linux zone? Since the private little network we created isn't routed, you can't. But hey, Solaris has ipfilter and ipnat, so with a little help from an old blog entry by Mike Ditto we can get this working. Basically, we'll set up ipnat to translate traffic from our new local subnet onto the real interface (an ipnat map rule only translates connections the zones open outbound; nothing is forwarded in). Here's what I did in the global zone:

- uncomment or create the following entry in /etc/ipf/pfil.ap
> iprb  -1      0       pfil

- add the following entry to /etc/ipf/ipnat.conf
> map iprb0 10.11.12.0/29 -> 0

- enable IP Filter by running the following command:
> svcadm enable ipfilter

- reboot [1]

Then, whenever I connect my laptop to a network, I run the following additional commands from a shell script:

#!/bin/sh

# get the ip address of our fake private subnet router from /etc/hosts
lrouter=`getent hosts lrouter | nawk '{print $1}'`

# get the ip address of the real network router (skipping the fake one,
# in case this script has already been run on this network)
router=`netstat -rn | grep default | grep -v " $lrouter " | nawk '{print $2}'`

# send some data to the real network router so we look up its MAC address
ping -sn $router 1 1 >/dev/null

# record the MAC address of the real router
router_arp=`arp $router | nawk '{print $4}'`

# delete any existing arp entry for our fake private subnet router
arp -d $lrouter >/dev/null

# assign the real router's MAC address to our fake private subnet router
arp -s $lrouter $router_arp

# route our private subnet through our fake private subnet router
route add default lrouter

Now all the local zones on my laptop can reach whatever network I'm connected to through my iprb interface. If you want to check, ipnat -l lists the map rule and the active translations.
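As an added example (not the post's own script), here is the same connect-time procedure with the text parsing split into small functions that can be exercised on any machine, a guard that refuses to touch ARP or the routing table when a lookup came back empty, and one extra step: copying the global zone's /etc/resolv.conf into every running zone. The zones keep their own resolver file, so a DNS server learned from DHCP never reaches them otherwise (which is the DNS question raised in the comments). The netstat -rn, arp and zoneadm list -p output in the samples is constructed, not captured from a real machine; the <zonepath>/root layout and root privileges are assumed. Like the post's script it expects a shell with $(...) (ksh on Solaris, not the legacy /bin/sh).

```shell
#!/bin/sh
# Added example, not the post's script: NAT/ARP trick with checkable parsers
# plus a resolv.conf push into running zones.  Run with ksh on Solaris.
#   sh lnet-up.sh up    apply (Solaris, as root)
#   sh lnet-up.sh       dry run over the constructed samples below

# Old Solaris /usr/bin/awk lacks -v; prefer nawk where it exists.
[ -x /usr/bin/nawk ] && AWK=/usr/bin/nawk || AWK=awk

# Gateway of the first default route that is not our fake router.
# Reads `netstat -rn` output on stdin.
real_router_from_table() {   # real_router_from_table LROUTER_IP
    $AWK -v lr="$1" '$1 == "default" && $2 != lr { print $2; exit }'
}

# Hardware address from `arp HOST` output ("ip (ip) at a:b:c:d:e:f");
# prints nothing for "-- no entry".
mac_from_arp() {
    $AWK '$3 == "at" { print $4; exit }'
}

# "zonename zonepath" for every running non-global zone, from
# `zoneadm list -p` output (id:name:state:path:...).
running_zone_roots() {
    $AWK -F: '$2 != "global" && $3 == "running" { print $2, $4 }'
}

# Apply the post's steps, but never with empty values.
up() {
    lrouter=$(getent hosts lrouter | $AWK '{ print $1 }')
    router=$(netstat -rn | real_router_from_table "$lrouter")
    [ -n "$router" ] || { echo "no real default route; not connected?" >&2; return 1; }
    ping -sn "$router" 1 1 > /dev/null          # populate the ARP cache
    router_mac=$(arp "$router" | mac_from_arp)
    [ -n "$router_mac" ] || { echo "no ARP entry for $router" >&2; return 1; }
    arp -d "$lrouter" > /dev/null 2>&1
    arp -s "$lrouter" "$router_mac"              # fake router = real router's MAC
    route add default "$lrouter"
    # Hand each running zone the resolver config DHCP just gave the global zone.
    zoneadm list -p | running_zone_roots | while read -r zone zpath; do
        cp /etc/resolv.conf "$zpath/root/etc/resolv.conf" &&
            echo "updated resolv.conf in $zone"
    done
}

# Constructed sample output (not captured from a real machine).
sample_routes() {
    cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              10.11.12.1           UG       1      0  iprb0:1
default              192.168.1.1          UG       1    234  iprb0
10.11.12.0           10.11.12.2           U        1      3  iprb0:1
192.168.1.0          192.168.1.20         U        1     12  iprb0
127.0.0.1            127.0.0.1            UH       1     45  lo0
EOF
}
sample_arp="192.168.1.1 (192.168.1.1) at 0:13:46:ab:cd:ef"
sample_zones() {
    cat <<'EOF'
0:global:running:/:::
1:lzone1:running:/export/zones/lzone1:::
-:lzone2:installed:/export/zones/lzone2:::
EOF
}

case "${1:-}" in
    up) up ;;
    *)  echo "dry run: real router $(sample_routes | real_router_from_table 10.11.12.1)," \
             "mac $(printf '%s\n' "$sample_arp" | mac_from_arp)"
        echo "zones that would get resolv.conf:"
        sample_zones | running_zone_roots ;;
esac
```

The order of the two default routes in the sample is deliberate: the fake router's entry comes first, and the parser still skips it, which the post's grep -v was also relying on when the script is run a second time.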

--

Footnotes:

1 - It is possible to apply all the configuration listed above without rebooting the system. It involves rearranging the configuration steps above and adding a few more. I included reboots since they simplified documenting the configuration process.

Comments:

Exactly what I was looking for. Saves me a great deal of trying, tinkering. Thanks for sharing this.. /Per

Posted by Per Öberg on December 14, 2005 at 04:35 AM PST #

Great post. Glad you took the time to write it. Thanks.

Posted by Philippe Plouffe on December 15, 2005 at 02:11 PM PST #

Hi, thanks for the great info. A quick question though. Looks like at the end of this procedure a zone can get onto the network, but that its DNS is not working. Is that true? Any thoughts on having DNS automatically set up in a zone given this networking procedure? --Peter

Posted by Peter Galvin on December 18, 2005 at 02:17 PM PST #

Apple's OS X - not Linux - will be the logical focus of interest over the next 12 months. So it would be really nice to see some emphasis on Darwin/x86 in BrandZ. How does this happen? Thanks: dlf

Posted by zahadum on December 20, 2005 at 08:46 AM PST #

About

edp
