Zones and Network Virtualization

If you're like me and work with zones on your laptop or desktop, you probably have only one network interface card to work with. The zones I've created therefore share that single interface with the global zone (ip-type=shared).

Behind the scenes, Solaris creates a logical interface for the zone to use. The logical interface appears in ifconfig as your physical interface with an instance number. For example:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	zone myzone
	inet 127.0.0.1 netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
	zone myzone
	inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

You can see that both the loopback (lo0) and the physical interface (e1000g0) have a logical instance (lo0:1 and e1000g0:1) that was created for the zone myzone. These logical interfaces exist only while the zone is running; if you halt the zone, they disappear.

From inside the zone, I only see the logical interfaces:

root@myzone:~# ifconfig -au4
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

However, I have no control over them. For example, if I try to bring down e1000g0:1:

root@myzone:~# ifconfig e1000g0:1 inet down
ifconfig: setifflags: SIOCSLIFFLAGS: e1000g0:1: permission denied 

The global zone alone manages a shared-IP zone's network configuration: the zone can see its addresses, but it cannot bring them down or change them.
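
As an added example (not code from the original post), here is a shell/awk filter that turns a global-zone "ifconfig -au4" listing into one line per interface with its owning zone and address, which is the quickest way to audit which addresses each shared-IP zone is actually bound to. The sample input is the listing above, embedded as a constructed heredoc so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): map every logical interface in
# an `ifconfig -au4` listing to the zone that owns it. Interfaces without a
# "zone" line belong to the global zone. Usage on a live global zone:
#   ifconfig -au4 | zone_ifaces

zone_ifaces() {
  awk '
    function flush() {
      # emit the interface collected so far, if any
      if (name != "") print name, (zone == "" ? "global" : zone), addr
      name = ""; zone = ""; addr = ""
    }
    /^[A-Za-z]/ { flush(); name = $1; sub(/:$/, "", name); next } # header, e.g. "e1000g0:1: flags=..."
    $1 == "zone" { zone = $2; next }                               # indented "zone myzone"
    $1 == "inet" { addr = $2; next }                               # indented "inet 10.0.1.25 netmask ..."
    END { flush() }
  '
}

# Keep only interfaces owned by non-global zones.
zone_only() { awk '$2 != "global"'; }

# Constructed sample: the global-zone listing from the text above.
SAMPLE_IFCONFIG=$(cat <<'EOF'
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	zone myzone
	inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
	zone myzone
	inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255
EOF
)

# Which addresses are bound to non-global zones right now?
printf '%s\n' "$SAMPLE_IFCONFIG" | zone_ifaces | zone_only
```

Drop the zone_only filter to see the global zone's own addresses alongside the zones', which is useful when checking that a zone has not been given an address that overlaps the global zone's.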

Network Virtualization

Oracle Solaris 11 introduces network virtualization technology. For example, I can create a virtual network interface card (vnic) that has all the properties of a physical nic.

bleonard@solaris:~$ sudo dladm create-vnic -l e1000g0 myzone0
bleonard@solaris:~$ dladm show-link 
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
iwh0        phys     1500   down     --
vboxnet0    phys     1500   unknown  --
myzone0     vnic     1500   up       e1000g0

Now it's as if my laptop has two physical network interface cards. Using this "new" card, I can create a zone with an exclusive IP stack. My zone config would look something like the following:

bleonard@solaris:~$ cat myzone.config
create
set zonepath=/zones/myzone
set ip-type=exclusive
add net
set physical=myzone0
end

Note that there's no longer an IP address in the zone configuration. With a dedicated IP stack, the zone manages its own addresses.

Create the zone:

bleonard@solaris:~$ sudo zonecfg -z myzone -f myzone.config

Install the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone install
A ZFS file system has been created for this zone.
   Publisher: Using solaris (https://pkg.oracle.com/solaris/support/ ).
       Image: Preparing at /zones/myzone/root.
 Credentials: Propagating Oracle_Solaris_11_Express_Support.key.pem
 Credentials: Propagating Oracle_Solaris_11_Express_Support.certificate.pem
       Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
  Installing: Core System (output follows)
               Packages to install:     1
           Create boot environment:    No
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         1/1      0.0/0.0

PHASE                                        ACTIONS
Install Phase                                  11/11 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2 
               Packages to install:    45
           Create boot environment:    No
               Services to restart:     3
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                45/45 12511/12511    89.1/89.1

PHASE                                        ACTIONS
Install Phase                            17958/17958 

PHASE                                          ITEMS
Package State Update Phase                     45/45 
Image State Update Phase                         2/2 
  Installing: Additional Packages (output follows)
               Packages to install:    46
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                46/46   4498/4498    26.5/26.5

PHASE                                        ACTIONS
Install Phase                              6143/6143 

PHASE                                          ITEMS
Package State Update Phase                     46/46 
Image State Update Phase                         2/2 

        Note: Man pages can be obtained by installing SUNWman
 Postinstall: Copying SMF seed repository ... done.
 Postinstall: Applying workarounds.
        Done: Installation completed in 486.420 seconds.

  Next Steps: Boot the zone, then log into the zone console (zlogin -C)
              to complete the configuration process.

Create a sysidcfg file for the zone. Here we can define the zone's IP configuration up front (if we leave it out, the zone asks for it interactively on first boot):

bleonard@solaris:~$ cat sysidcfg
system_locale=C
terminal=xterms
network_interface=myzone0 {
	hostname=myzone
	ip_address=10.0.1.25
	default_route=NONE
	netmask=255.255.255.0
	protocol_ipv6=no}
security_policy=none
name_service=NONE
nfs4_domain=dynamic
timezone=US/Eastern
root_password=fto/dU8MKwQRI

Copy the sysidcfg file to the zone:

bleonard@solaris:~$ sudo cp sysidcfg /zones/myzone/root/etc/.

Boot the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone boot

Log into the zone. The first login takes some time as the zone completes its system configuration:

bleonard@solaris:~$ sudo zlogin -C myzone
[Connected to zone 'myzone' console]
100/100
Hostname: myzone
Loading smf(5) service descriptions: 3/3
 network_interface=myzone0 {
myzone0 is not a valid network interface  line 3 position 19
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: myzone0.

Note the message about myzone0 being an invalid network interface. This appears to be benign, as a few lines further down we see myzone0 being configured. If you used the root_password setting from above, you can log in as root/abc123:

myzone console login: root
Password: abc123
May 31 08:30:02 myzone login: ROOT LOGIN /dev/console
Oracle Corporation      SunOS 5.11      snv_151a        April 2011
root@myzone:~#
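
Putting the steps above together, here is an added example that is not part of the original post: a POSIX shell script that creates the VNIC, writes the zonecfg and sysidcfg files shown above, then installs and boots the zone. Two things are added in front of the original steps: the VNIC name is checked against dladm's link-naming rules before anything is created, and the VNIC is pinned to the zone's address with the dladm link-protection properties (protection and allowed-ips), which assumes a Solaris 11 release that has them. The link, VNIC, zone, address and root password hash are the ones from the text; the hash is the page's example for abc123 and must be replaced in real use. The script runs in dry-run mode by default and only prints the privileged commands.

```shell
#!/bin/sh
# Added example (not from the original post): provision an exclusive-IP zone
# on its own VNIC by the steps above, with two additions in front of them:
# the VNIC name is checked against dladm's link-naming rules before anything
# is created, and the VNIC is pinned to the zone's address with link
# protection, so the zone's root can manage its stack but cannot send from
# another IP or MAC. Assumed names: link e1000g0, VNIC myzone0, zone myzone,
# 10.0.1.25/24. DRY_RUN=1 (default) only prints the privileged commands.

DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# dladm link names: start with a letter, contain only alphanumerics and '_',
# end with a digit (the instance number), and are at most 31 characters long.
vnic_name_ok() {
  case $1 in
    [A-Za-z]*[0-9]) ;;
    *) return 1 ;;
  esac
  case $1 in
    *[!A-Za-z0-9_]*) return 1 ;;
  esac
  [ "${#1}" -le 31 ]
}

# zonecfg input for an exclusive-IP zone on the given VNIC (as in the text).
zonecfg_for() {  # zonepath vnic
  printf 'create\nset zonepath=%s\nset ip-type=exclusive\nadd net\nset physical=%s\nend\n' "$1" "$2"
}

# sysidcfg with the network answered up front. root_password is a crypt(3)
# hash; the text's example hash is for "abc123" and must be replaced.
sysidcfg_for() {  # vnic hostname ip netmask root_password_hash
  cat <<EOF
system_locale=C
terminal=xterms
network_interface=$1 {
	hostname=$2
	ip_address=$3
	default_route=NONE
	netmask=$4
	protocol_ipv6=no}
security_policy=none
name_service=NONE
nfs4_domain=dynamic
timezone=US/Eastern
root_password=$5
EOF
}

provision() {  # zone vnic physical_link ip netmask root_password_hash
  zone=$1 vnic=$2 phys=$3 ip=$4 mask=$5 pwhash=$6
  vnic_name_ok "$vnic" || { echo "invalid link name for dladm: $vnic" >&2; return 1; }
  cfgdir=$(mktemp -d) || return 1

  run sudo dladm create-vnic -l "$phys" "$vnic"
  # Added hardening, not in the original steps: only the configured address
  # and the VNIC's own MAC may appear in frames the zone sends.
  run sudo dladm set-linkprop -p protection=mac-nospoof,ip-nospoof "$vnic"
  run sudo dladm set-linkprop -p allowed-ips="$ip" "$vnic"

  zonecfg_for "/zones/$zone" "$vnic" > "$cfgdir/$zone.config"
  run sudo zonecfg -z "$zone" -f "$cfgdir/$zone.config"
  run sudo zoneadm -z "$zone" install

  sysidcfg_for "$vnic" "$zone" "$ip" "$mask" "$pwhash" > "$cfgdir/sysidcfg"
  run sudo cp "$cfgdir/sysidcfg" "/zones/$zone/root/etc/sysidcfg"
  run sudo zoneadm -z "$zone" boot
  echo "next: sudo zlogin -C $zone"
}

provision myzone myzone0 e1000g0 10.0.1.25 255.255.255.0 'fto/dU8MKwQRI'
```

Run it with DRY_RUN=0 in the global zone to execute the commands; it finishes by printing the zlogin -C step the page continues with. If the link-protection properties are not wanted (for example the zone must run DHCP or change addresses), drop the two set-linkprop lines and the script is exactly the page's procedure.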

As with shared IP, you can see the interface using ifconfig:

root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
myzone0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255
        ether 2:8:20:59:0:b5 

However, now you can also manage it. The zone's root owns the whole IP stack, so it can bring the interface down or assign a different address; if the global zone needs to keep a zone on its assigned address, it can pin the VNIC with dladm link protection (the protection and allowed-ips link properties). For example:

root@myzone:~# ifconfig myzone0 down
root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 

And back in the global zone, there are no more logical interfaces cluttering up the ifconfig output:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255

In addition to this, virtual NICs provide a whole bunch of control over the data passing through the network interface. For a brief introduction to that, see Fun with Crossbow.
Comments:

Yeah, this looks pretty nice.
Will a VNIC survive a reboot, or how can these devices be made persistent?

Posted by Stefan on July 16, 2009 at 10:58 AM GMT #

The problem is NWAM, which currently doesn't manage VNICs (http://defect.opensolaris.org/bz/show_bug.cgi?id=8383 ). Your options are to switch to manual network configuration (svcadm disable nwam; svcadm enable physical:default). Alternatively, you can bring the VNICs up at boot using dladm up-vnic.

Posted by Brian Leonard on July 16, 2009 at 12:01 PM GMT #

My sysidcfg looks similar to yours, but it gives a syntax error for the root password as shown below. (note: root password is the 18th line of my sysidcfg). Then, it goes into the interactive configuration... Any suggestions???

[NOTICE: Zone booting up]

SunOS Release 5.11 Version snv_111b 32-bit
Copyright 1983-2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: varolz2
Reading ZFS config: done.
Mounting ZFS filesystems: (6/6)
root_password=fto/dU8MKwQR
syntax error line 18 position 15
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: vnic2

Posted by Varol on August 24, 2009 at 08:43 PM GMT #

Varol, yeah, the line looks good to me. Can you post your sysidcfg file? I'll try it myself.

Posted by Brian Leonard on August 31, 2009 at 10:11 AM GMT #

Well, I posted the same question in OpenSolaris forum (http://opensolaris.org/jive/thread.jspa?threadID=111425&tstart=0). It turned out that the encryption for "abc123" was not right (or didn't work for me). Now I use something else, which works... Thanks for your reply...

Posted by Varol on August 31, 2009 at 07:12 PM GMT #

Sorry. It turns out that I truncated the sysidcfg file by 1 character. It's fixed now. Thanks for the heads up.

Posted by Brian Leonard on September 17, 2009 at 10:53 AM GMT #

About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.
