
News, tips, partners, and perspectives for the Oracle Solaris operating system

Zones and Network Virtualization

Guest Author

If you're like me and working with zones on your laptop and/or desktop, you probably only have one network interface card to work with. Therefore, the zones I've created share the single network interface with the global zone (ip-type=shared).

Behind the scenes, Solaris creates a logical interface for the zone to use. The logical interface appears in ifconfig as your physical interface with an instance number. For example:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone myzone
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone myzone
inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

You can see that both the loopback (lo0) and physical (e1000g0) interfaces have an instance (lo0:1 and e1000g0:1) that was created for the zone myzone. These logical interfaces only exist while the zone is running. If you halt the zone, they disappear.

From inside the zone, I only see the logical interfaces:

root@myzone:~# ifconfig -au4
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

However, I have no control over them. For example, if I try to bring down e1000g0:1:

root@myzone:~# ifconfig e1000g0:1 inet down
ifconfig: setifflags: SIOCSLIFFLAGS: e1000g0:1: permission denied

The global zone is responsible for managing the local zone's network configuration.

Network Virtualization

Oracle Solaris 11 introduces network virtualization technology. For example, I can create a virtual network interface card (vnic) that has all the properties of a physical nic.

bleonard@solaris:~$ sudo dladm create-vnic -l e1000g0 myzone0
bleonard@solaris:~$ dladm show-link
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
iwh0        phys     1500   down     --
vboxnet0    phys     1500   unknown  --
myzone0     vnic     1500   up       e1000g0

Now it's as if my laptop has 2 physical network interface cards. Using this "new" card, I can create a zone with an exclusive IP stack. My zone config would look something like the following:

bleonard@solaris:~$ cat myzone.config
create
set zonepath=/zones/myzone
set ip-type=exclusive
add net
set physical=myzone0
end

Note there's no longer an IP address associated with the zone configuration. With a dedicated IP stack the zone will be able to manage its own IP.

Create the zone:

bleonard@solaris:~$ sudo zonecfg -z myzone -f myzone.config

Install the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone install
A ZFS file system has been created for this zone.
Publisher: Using solaris (https://pkg.oracle.com/solaris/support/ ).
Image: Preparing at /zones/myzone/root.
Credentials: Propagating Oracle_Solaris_11_Express_Support.key.pem
Credentials: Propagating Oracle_Solaris_11_Express_Support.certificate.pem
Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
Installing: Core System (output follows)
Packages to install: 1
Create boot environment: No
DOWNLOAD PKGS FILES XFER (MB)
Completed 1/1 1/1 0.0/0.0
PHASE ACTIONS
Install Phase 11/11
PHASE ITEMS
Package State Update Phase 1/1
Image State Update Phase 2/2
Packages to install: 45
Create boot environment: No
Services to restart: 3
DOWNLOAD PKGS FILES XFER (MB)
Completed 45/45 12511/12511 89.1/89.1
PHASE ACTIONS
Install Phase 17958/17958
PHASE ITEMS
Package State Update Phase 45/45
Image State Update Phase 2/2
Installing: Additional Packages (output follows)
Packages to install: 46
Create boot environment: No
Services to restart: 2
DOWNLOAD PKGS FILES XFER (MB)
Completed 46/46 4498/4498 26.5/26.5
PHASE ACTIONS
Install Phase 6143/6143
PHASE ITEMS
Package State Update Phase 46/46
Image State Update Phase 2/2
Note: Man pages can be obtained by installing SUNWman
Postinstall: Copying SMF seed repository ... done.
Postinstall: Applying workarounds.
Done: Installation completed in 486.420 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)
to complete the configuration process.

Create a configuration file for the zone. Note, here we can define the zone's IP configuration (or we could do it later):

bleonard@solaris:~$ cat sysidcfg
system_locale=C
terminal=xterms
network_interface=myzone0 {
    hostname=myzone
    ip_address=10.0.1.25
    default_route=NONE
    netmask=255.255.255.0
    protocol_ipv6=no}
security_policy=none
name_service=NONE
nfs4_domain=dynamic
timezone=US/Eastern
root_password=fto/dU8MKwQRI
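
An added example, not part of the original post: a small lint to run on the sysidcfg before it is copied into the zone, checking that root_password is a complete hash, that the braces balance, and that the file is not world-readable. The function names and the choice of checks are assumptions made for illustration; only the 13-character traditional crypt(3) form used on this page is recognised.

```shell
#!/bin/sh
# Added example: lint a sysidcfg before copying it into a zone root.
# Assumption: root_password is a 13-character traditional crypt(3) string.
LC_ALL=C; export LC_ALL

# Print a verdict for the root_password line; return 0 only for "ok".
check_root_password() {
    pw=$(sed -n 's/^[[:space:]]*root_password=//p' "$1" | tail -1 | tr -d '\r')
    [ -n "$pw" ] || { echo "missing"; return 1; }
    case $pw in
        *[!./0-9A-Za-z]*) echo "unrecognised-format"; return 1 ;;
    esac
    # A hash one character short is what the comment thread traces its error to.
    [ "${#pw}" -eq 13 ] || { echo "bad-length:${#pw}"; return 1; }
    echo "ok"
}

# Return 0 when every "{" (e.g. the network_interface block) is closed.
check_braces() {
    open=$(($(tr -cd '{' < "$1" | wc -c)))
    close=$(($(tr -cd '}' < "$1" | wc -c)))
    [ "$open" -eq "$close" ]
}

# Return 0 when "other" cannot read the file, which carries a password hash.
check_not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004 -print)" ]
}

# Print one line per finding; the return status is the number of findings.
lint_sysidcfg() {
    findings=0
    verdict=$(check_root_password "$1") ||
        { echo "root_password: $verdict"; findings=$((findings + 1)); }
    check_braces "$1" ||
        { echo "unbalanced braces"; findings=$((findings + 1)); }
    check_not_world_readable "$1" ||
        { echo "file is world-readable"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: fields from the page's sysidcfg, hash one character short.
demo() {
    tmp=$(mktemp) && chmod 600 "$tmp"
    printf 'network_interface=myzone0 {\nhostname=myzone}\nroot_password=fto/dU8MKwQR\n' > "$tmp"
    rc=0; lint_sysidcfg "$tmp" || rc=$?
    rm -f "$tmp"; return "$rc"
}
demo || true
```
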

Copy the sysidcfg file to the zone:

bleonard@solaris:~$ sudo cp sysidcfg /zones/myzone/root/etc/.

Boot the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone boot

Log into the zone. The first login will take some time as the zone completes its system configuration:

bleonard@solaris:~$ sudo zlogin -C myzone
[Connected to zone 'myzone' console]
100/100
Hostname: myzone
Loading smf(5) service descriptions: 3/3
network_interface=myzone0 {
myzone0 is not a valid network interface line 3 position 19
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: myzone0.

Note the message about myzone0 being an invalid network interface. This appears to be benign, as a few lines down we see myzone0 getting configured. If you used the root_password setting from above, you can log in as root/abc123:

myzone console login: root
Password: abc123
May 31 08:30:02 myzone login: ROOT LOGIN /dev/console
Oracle Corporation SunOS 5.11 snv_151a April 2011
root@myzone:~#

As with shared IP, you can see the interface using ifconfig:

root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
myzone0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255
ether 2:8:20:59:0:b5

However, now you can also manage it. For example:

root@myzone:~# ifconfig myzone0 down
root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000

And back in the global zone, there are no more logical interfaces cluttering up the ifconfig output:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255

In addition to this, virtual NICs provide a whole bunch of control over the data passing through the network interface. For a brief introduction to that, see Fun with Crossbow.


Comments ( 4 )
  • Stefan Thursday, July 16, 2009

    Yeah, this looks pretty nice.

    Will a VNIC survive a reboot, or how can these devices be made persistent?


  • Varol Monday, August 24, 2009

    My sysidcfg looks similar to yours, but it gives a syntax error for the root password as shown below. (note: root password is the 18th line of my sysidcfg). Then, it goes into the interactive configuration... Any suggestions???

    [NOTICE: Zone booting up]
    SunOS Release 5.11 Version snv_111b 32-bit
    Copyright 1983-2009 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    Hostname: varolz2
    Reading ZFS config: done.
    Mounting ZFS filesystems: (6/6)
    root_password=fto/dU8MKwQR
    syntax error line 18 position 15
    Creating new rsa public/private host key pair
    Creating new dsa public/private host key pair
    Configuring network interface addresses: vnic2


  • Brian Leonard Monday, August 31, 2009

    Varol, yeah, the line looks good to me. Can you post your sysidcfg file? I'll try it myself.


  • Brian Leonard Thursday, September 17, 2009

    Sorry. It turns out that I truncated the sysidcfg file by 1 character. It's fixed now. Thanks for the heads up.

