Solaris Trusted Extensions Installation and Configuration

Procedure: Add a Network Interface to an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each zone is connected to a separate physical network.


Note –

The global zone must configure an IP address for every subnet in which a non-global zone address is configured.


Before You Begin

You are superuser in the global zone. You have successfully completed Verify the Status of the Zone.

  1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

    Use a standard naming convention, such as adding -zone-name to the name of the host.


    ## /etc/hosts in global zone
    10.10.8.2   hostname-zone-name1
    10.10.8.3   hostname-global-name1
    10.10.9.2   hostname-zone-name2
    10.10.9.3   hostname-global-name2
    
  2. For the network of each interface, add an entry to the /etc/netmasks file.


    ## /etc/netmasks in global zone
    10.10.8.0 255.255.255.0
    10.10.9.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  3. In the global zone, plumb the zone-specific physical interfaces.

    1. Identify the physical interfaces that are already plumbed.


      # ifconfig -a
      
    2. Configure the global zone addresses on each interface.


      # ifconfig interface-nameN1 plumb
      # ifconfig interface-nameN1 10.10.8.3 up
      # ifconfig interface-nameN2 plumb
      # ifconfig interface-nameN2 10.10.9.3 up

    3. For each global zone address, create a hostname.interface-nameN file.


      # /etc/hostname.interface-nameN1
      10.10.8.3
      # /etc/hostname.interface-nameN2
      10.10.9.3

    The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

  4. Assign a security template to each zone-specific network interface.

    If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

    You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Solaris Trusted Extensions Administrator’s Procedures.

  5. Halt every labeled zone to which you plan to add a zone-specific interface.


    # zoneadm -z zone-name halt

  6. Start the Labeled Zone Manager.


    # /usr/sbin/txzonemgr
    
  7. For each zone where you want to add a zone-specific interface, do the following:

    1. Select the zone.

    2. Select Add Network.

    3. Name the network interface.

    4. Type the IP address of the interface.

  8. In the Labeled Zone Manager for every completed zone, select Zone Console.

  9. Select Boot.

  10. In the Zone Console, verify that the interfaces have been created.


    # ifconfig -a
    
  11. Verify that the zone has a route to the gateway for the subnet.


    # netstat -rn
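
The Note at the top of this procedure requires a global zone address on every subnet that holds a zone address. The following check is an added example, not part of the original documentation: it reads netmasks entries in the form shown in step 2 and reports any zone address whose subnet has no global zone address. The function names are hypothetical, a POSIX shell is assumed, and the sample data is constructed from the addresses used in steps 1 through 3.

```shell
# Added example: confirm each zone address shares a subnet with a global-zone
# address. Assumption: netmasks entries are "subnet-number netmask" (step 2).

# Convert a dotted-quad IPv4 address to an integer (body runs in a subshell).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# subnet_of NETMASKS_FILE ADDR: print the matching subnet number, or return 1.
subnet_of() {
    addr=$(ip_to_int "$2")
    while read -r net mask rest; do
        case $net in ''|'#'*) continue ;; esac
        n=$(ip_to_int "$net"); m=$(ip_to_int "$mask")
        if [ $(( addr & m )) -eq "$n" ]; then echo "$net"; return 0; fi
    done < "$1"
    return 1
}

# check_coverage NETMASKS_FILE "GLOBAL_ADDRS" "ZONE_ADDRS": one status line per
# zone address; returns 1 on a missing netmasks entry or missing global address.
check_coverage() {
    rc=0; covered=""
    for g in $2; do
        if s=$(subnet_of "$1" "$g"); then covered="$covered $s"; fi
    done
    for z in $3; do
        if ! s=$(subnet_of "$1" "$z"); then
            echo "$z NO-NETMASK"; rc=1; continue
        fi
        case " $covered " in
            *" $s "*) echo "$z OK $s" ;;
            *) echo "$z MISSING-GLOBAL $s"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the netmasks entries and addresses used in the steps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## /etc/netmasks in global zone
10.10.8.0 255.255.255.0
10.10.9.0 255.255.255.0
EOF
check_coverage "$sample" "10.10.8.3 10.10.9.3" "10.10.8.2 10.10.9.2"
```

On a configured system, pass /etc/netmasks with the global zone addresses from the hostname.interface-nameN files and the addresses entered in the Labeled Zone Manager.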
    
Troubleshooting

To debug zone configuration, see the following: