Routing in Solaris zones
Hi,
I have a situation where I have two Solaris zones on the same host (let's call them zoneA and zoneB), which need to be able to route to the same address (let's say hostZ) via different networks (zoneA via networkA, and zoneB via networkB).
What complicates matters further is that the Global zone must also be able to route to hostZ via networkA only.
Bear in mind that routing tables have to be maintained at the Global level.
Taking care of zoneA and Global zone is easy - I can set up a specific route, or a default route which will allow them both to route via networkA to hostZ. ZoneB does not have an interface on networkA, so it ignores the routing table entry. However, zoneB cannot route to hostZ.
OR....
Taking care of zoneA and zoneB is also straightforward (but a little messy). I can set up two specific routes to hostZ, or two default routes, which are inherited by the zones. ZoneA ignores the networkB routing table entry as it can't see networkB, and vice versa. However, the Global zone gets confused and sends traffic out both networkA and networkB for hostZ - not the behaviour we wish.
I'm beginning to run out of ideas in regards to solving this issue. The fact that I can get two thirds of the functionality I require, but not the whole, is frustrating me!
Does anyone have any suggestions on how to solve this routing issue?
Posted by dougiesic at 2007-11-26 11:05:19

# 1
Zones are cool, but they are well short of being independent machines with separate IP stacks. Because the IP/ARP/routing layer is completely shared among all zones, routing and other tasks are difficult to isolate. There are some tricks that can get some things working, but it simply wasn't designed with independent network isolation in mind. It's only at the transport layer (TCP) that most things are separated.
IP instances will change that behavior and can let a non-global zone control the IP/ARP layer of an interface. Once that goes in, if you want your zones to share the same network and network range, things will work just like they do today. If you want to assign a network to a zone and let it handle all the routing and stuff like that, you'll be able to.
So long term, this will be the best solution for any sort of separation like this. Short term, it may not be possible. There might be a way to have ipnat rewrite addresses from the global zone so they don't use netB, but I don't have a specific set of things to try.
This falls under the crossbow project, so see the crossbow discussion group for more information:
http://www.opensolaris.org/jive/forum.jspa?forumID=110
And a thread about the design review:
http://www.opensolaris.org/jive/thread.jspa?threadID=13754
And the slides from a presentation of IP Instances:
http://blogs.sun.com/aland/resource/ipinstances-svosug.pdf
--
Darren