Introduction to Oracle Solaris Zones

Updated: July 2014

Zone Network Interfaces

Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.

The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.

There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive-IP is the default IP type. A shared-IP zone shares a network interface with the global zone; to use shared-IP zones, the network configuration of the global zone must be managed by the ipadm utility rather than by automatic network configuration. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured using the anet resource, a dedicated VNIC is automatically created and assigned to that zone when it boots. The anet resource removes the need to create and configure data-links in the global zone and to assign them to non-global zones. Use the anet resource to accomplish the following:

  • Allow the global zone administrator to choose specific names for the data-links assigned to non-global zones

  • Allow multiple zones to use data-links of the same name

For backward compatibility, preconfigured data-links can be assigned to non-global zones.

For information about IP features in each type, see Networking in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones and Networking in Shared-IP Non-Global Zones in Creating and Using Oracle Solaris Zones.


Note - The link protection described in Securing the Network in Oracle Solaris 11.2 can be used on a system running zones. Link protection is configured in the global zone.

About Data-Links

A data-link is a physical interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A data-link is also referred to as a physical interface, for example, a Network Interface Card (NIC). In zonecfg(1M), the data-link is specified by the physical property of a net resource. The physical property can be a VNIC.

By default in Oracle Solaris 11, physical network device names use generic names, such as net0, instead of device driver names, such as nxge0.

For information about using IP over InfiniBand (IPoIB) with Oracle Solaris Zones, see the anet description in Resource Type Properties.

About Elastic Virtual Switch and Zones

For an anet resource that connects to an Elastic Virtual Switch (EVS) with the evs and vport properties set, the properties of that anet resource are encapsulated in the evs and vport pair. You cannot change any of the following properties for an EVS anet resource:

  • mac-address

  • mtu

  • maxbw

  • priority

  • allowed-address

  • vlan-id

  • defrouter

  • lower-link

The only properties that you can set for an EVS anet resource are the following:

  • linkname

  • evs

  • vport

  • configure-allowed-address

You must also set the tenant resource. Tenants are used for namespace management. The EVS resources defined within a tenant are not visible outside that tenant's namespace.

The following input for a zone named evszone sets the tenant resource to tenantA and adds an anet resource that connects to an EVS named evsa and a VPort named vport0. The VNIC for the zone is created from that evs and vport pair:

zonecfg:evszone> set tenant=tenantA
zonecfg:evszone> add anet
zonecfg:evszone:anet> set evs=evsa
zonecfg:evszone:anet> set vport=vport0
zonecfg:evszone:anet> end

For more information, see Chapter 5, About Elastic Virtual Switches, in Managing Network Virtualization and Network Resources in Oracle Solaris 11.2.

Shared-IP Non-Global Zones

A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. Use the shared-IP type if both of the following are true:

  • The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.

  • You do not want the other capabilities that the exclusive-IP zone provides.

Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.

In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.

To use the shared-IP type, the network configuration of the global zone must be managed by ipadm (the DefaultFixed network configuration profile), not by automatic network configuration. To confirm which profile is active, run the following command. The response must be DefaultFixed.

# svcprop -p netcfg/active_ncp svc:/network/physical:default
DefaultFixed

The IP addresses assigned to shared-IP zones are associated with logical network interfaces.

From the global zone, the ipadm command assigns an existing address object to a running shared-IP zone or returns it to the global zone. Inside the zone, the address appears as a logical interface.

To assign the address object net0/addr1 to the running zone my-zone:

global# ipadm set-addrprop -p zone=my-zone net0/addr1

To return the address object to the global zone, use one of the following commands:

global# ipadm set-addrprop -p zone=global net0/addr1

or:

global# ipadm reset-addrprop -p zone net0/addr1
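The steps in this section, composed into one script as an added example (this is not code from the original page): it checks that the active profile is DefaultFixed, generates a zonecfg command file that sets ip-type=shared and adds one net resource per address, applies it with zonecfg -f, and wraps the ipadm address move shown above. The zone name (shared1), data-link (net0), addresses and router are assumed values. It also assumes the zone has no anet resource, since anet is only valid for exclusive-IP zones; for a zone created from the default template, run zonecfg -z shared1 'remove anet linkname=net0' first.

```shell
#!/bin/sh
# Added example, not from the original page. Builds and applies a shared-IP
# zone network configuration from the global zone. Zone name, data-link,
# addresses and router used in the usage line are assumed values.

# Shared-IP zones need the global zone's network managed by ipadm, i.e. the
# active NCP must be DefaultFixed. The svcprop output is passed in as an
# argument so the check itself can be exercised offline.
ncp_is_default_fixed() {
    [ "$1" = "DefaultFixed" ]
}

# Emit zonecfg subcommands for a shared-IP zone, one net resource per address.
#   $1   data-link already configured in the global zone (physical property)
#   $2   default router, or "-" to leave defrouter unset
#   $3.. one or more IP addresses, optionally with /prefix
shared_ip_net_cmds() {
    physical=$1
    defrouter=$2
    shift 2
    [ $# -ge 1 ] || { echo "at least one address is required" >&2; return 1; }
    printf 'set ip-type=shared\n'
    for addr in "$@"; do
        printf 'add net\n'
        printf 'set address=%s\n' "$addr"
        printf 'set physical=%s\n' "$physical"
        if [ "$defrouter" != "-" ]; then
            printf 'set defrouter=%s\n' "$defrouter"
        fi
        printf 'end\n'
    done
    printf 'verify\ncommit\n'
}

# Apply the generated commands to a zone. Refuses to proceed unless the
# active NCP is DefaultFixed. Not executed by the offline test.
apply_shared_ip() {
    zone=$1
    shift
    ncp=$(svcprop -p netcfg/active_ncp svc:/network/physical:default) || return 1
    if ! ncp_is_default_fixed "$ncp"; then
        echo "active NCP is $ncp, not DefaultFixed: shared-IP needs ipadm-managed networking" >&2
        return 1
    fi
    cmdfile=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    shared_ip_net_cmds "$@" > "$cmdfile" && zonecfg -z "$zone" -f "$cmdfile"
    rc=$?
    rm -f "$cmdfile"
    return $rc
}

# Once the zone is running, move an address object into it, or back to the
# global zone by passing "global" as the zone name (the ipadm commands above).
#   $1 address object, e.g. net0/addr1   $2 zone name or "global"
assign_addrobj_to_zone() {
    ipadm set-addrprop -p zone="$2" "$1"
}

# Usage from the global zone (assumed values):
#   apply_shared_ip shared1 net0 192.0.2.1 192.0.2.10/24 192.0.2.11/24
#   assign_addrobj_to_zone net0/addr1 shared1
```

The builder writes one net resource per address because shared-IP zones are given addresses one net resource at a time; the generated file can be reviewed before it is fed to zonecfg -f.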

For more information, see Shared-IP Network Interfaces in Creating and Using Oracle Solaris Zones.

Exclusive-IP Non-Global Zones

Exclusive-IP is the default networking configuration for non-global zones.

An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.

The following features can be used in an exclusive-IP zone:

  • DHCPv4 and IPv6 stateless address autoconfiguration

  • IP Filter, including network address translation (NAT) functionality

  • IP Network Multipathing (IPMP)

  • IP routing

  • ipadm for setting TCP/UDP/SCTP as well as IP/ARP-level tunables

  • IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security associations

There are two ways to configure exclusive-IP zones:

  • Use the anet resource of the zonecfg utility to automatically create a temporary VNIC for the zone when the zone boots and delete it when the zone halts.

  • Preconfigure the data-link in the global zone and assign it to the exclusive-IP zone by using the net resource of the zonecfg utility. The data-link is specified by using the physical property of the net resource. The physical property can be a VNIC. The address property of the net resource is not set.

By default, an exclusive-IP zone can configure and use any IP address on its data-links. To restrict this, set the allowed-address property to a comma-separated list of IP addresses; the zone then cannot use any address that is not in the list. All addresses in the allowed-address list are also automatically and persistently configured in the zone when it boots. If that automatic configuration is not wanted, set the configure-allowed-address property to false. The default value is true.

Note that because the zone owns the assigned data-link, the snoop command can be used inside the zone to capture traffic on it.

The dladm show-linkprop subcommand shows the assignment of data-links to running exclusive-IP zones (the zone link property), and the dladm set-linkprop subcommand assigns additional data-links to running zones. See Administering Data-Links in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones for usage examples.

Inside a running exclusive-IP zone that is assigned its own set of data-links, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(1M) man page.

The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command.

global# zlogin zone1 ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
nge0/v4           dhcp     ok           10.134.62.47/24
lo0/v6            static   ok           ::1/128
nge0/_a           addrconf ok           fe80::2e0:81ff:fe5d:c630/10
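The table above is what an administrator reads to confirm which addresses a zone actually holds. As an added example (not code from the original page), the following POSIX shell script parses that ipadm show-addr output and reports every non-loopback, non-link-local address that is not in the zone's allowed-address list; audit_zone runs the same check against a live zone through zlogin from the global zone. The embedded sample is constructed: it is the table above plus one extra static address, nge0/v4b, that a zone administrator might have added by hand. The zone name in the usage line is also an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit the addresses a running
# exclusive-IP zone holds against its allowed-address list.

# Constructed sample: the ipadm show-addr table from the page plus one extra
# static address (nge0/v4b) that was not in the zone's allowed-address list.
SAMPLE_SHOW_ADDR='ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
nge0/v4           dhcp     ok           10.134.62.47/24
lo0/v6            static   ok           ::1/128
nge0/_a           addrconf ok           fe80::2e0:81ff:fe5d:c630/10
nge0/v4b          static   ok           10.134.62.99/24'

# Print "addrobj type addr" for every address that is not loopback, not an
# IPv6 link-local address, and not in the comma-separated allowed list.
# Addresses are compared exactly, so write the allowed list with the same
# prefix lengths that ipadm reports (as allowed-address itself is written).
#   $1 ipadm show-addr output   $2 allowed list, e.g. "10.134.62.47/24"
unexpected_addrs() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NR == 1 && $1 == "ADDROBJ" { next }   # header row
        $1 ~ /^lo0\// { next }                 # loopback
        $4 ~ /^fe80:/ { next }                 # IPv6 link-local, always auto-configured
        !($4 in ok) { print $1, $2, $4 }
    '
}

# Live check from the global zone: returns 1 and lists the offenders if the
# zone holds any address outside its allowed-address list. Not run offline.
#   $1 zone name   $2 allowed list
audit_zone() {
    found=$(unexpected_addrs "$(zlogin "$1" ipadm show-addr)" "$2")
    if [ -n "$found" ]; then
        printf 'zone %s has addresses outside allowed-address:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Usage from the global zone (assumed zone name):
#   audit_zone zone1 10.134.62.47/24
```

The type column is kept in the report because a dhcp-typed address cannot have come from allowed-address, which lists only static addresses; seeing dhcp in an audit of a zone that is supposed to be pinned is itself a finding.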

Reliable Datagram Sockets Support in Non-Global Zones

The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is managed by the SMF service rds (svc:/system/rds:default). By default, the service is disabled after installation. A zone administrator with the appropriate authorizations can enable the service within a given non-global zone. After zlogin, rds can be enabled in each zone in which it is to run.

Example 2-1  How to Enable the rds Service in a Non-Global Zone

  1. To enable the RDSv3 service in an exclusive-IP or shared-IP zone, zlogin to the zone and run the svcadm enable command:

     # svcadm enable rds

  2. Verify that rds is online:

     # svcs rds
     STATE          STIME    FMRI
     online         22:50:53 svc:/system/rds:default

For more information, see the svcadm(1M) man page.

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. A shared-IP zone also cannot send or receive arbitrary data-link (Layer 2) packets.

For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the superuser or a user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone. IP address spoofing can be prevented by setting the allowed-address property. For the anet resource, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property. For a preconfigured data-link assigned with the net resource, the equivalent protections are applied in the global zone with dladm set-linkprop on the protection and allowed-ips link properties.
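An exclusive-IP zone hardened as this section and Exclusive-IP Non-Global Zones describe, as an added example (not code from the original page): the script generates the zonecfg commands that pin the usable addresses with allowed-address, have them configured at boot with configure-allowed-address=true, and turn on mac-nospoof and dhcp-nospoof with link-protection, validating the protection names before emitting them so that a typo does not silently leave the link unprotected. The zone and link names, the addresses, and the choice to modify the zone's default anet (linkname net0) with select rather than add a second one are assumptions; show_anet_protection assumes the global-zone name of a zone's anet VNIC is zonename/linkname.

```shell
#!/bin/sh
# Added example, not from the original page: zonecfg commands for an
# exclusive-IP zone whose anet is pinned to specific addresses and carries
# link protection. Names and addresses in the usage line are assumed values.

# Link-protection values accepted for an anet resource (dladm(1M) protection
# types). Rejects an empty list or any unknown name.
valid_link_protection() {
    [ -n "$1" ] || return 1
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case "$p" in
            mac-nospoof|ip-nospoof|dhcp-nospoof|restricted) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Emit zonecfg subcommands for a hardened anet resource.
#   $1 "select" to modify an existing anet with that linkname, "add" to create one
#   $2 linkname inside the zone          $3 lower-link (global-zone data-link)
#   $4 comma-separated allowed-address   $5 comma-separated link-protection set
exclusive_ip_anet_cmds() {
    mode=$1
    linkname=$2
    lowerlink=$3
    allowed=$4
    protection=$5
    [ -n "$allowed" ] || { echo "allowed-address must not be empty" >&2; return 1; }
    valid_link_protection "$protection" || { echo "bad link-protection: $protection" >&2; return 1; }
    printf 'set ip-type=exclusive\n'
    case "$mode" in
        add)    printf 'add anet\n'; printf 'set linkname=%s\n' "$linkname" ;;
        select) printf 'select anet linkname=%s\n' "$linkname" ;;
        *)      echo "mode must be add or select" >&2; return 1 ;;
    esac
    printf 'set lower-link=%s\n' "$lowerlink"
    printf 'set allowed-address=%s\n' "$allowed"
    # With configure-allowed-address=true the listed addresses are plumbed in
    # the zone at boot; the zone cannot use any address outside the list.
    printf 'set configure-allowed-address=true\n'
    printf 'set link-protection=%s\n' "$protection"
    printf 'end\n'
    printf 'verify\ncommit\n'
}

# Apply the generated commands to a zone with zonecfg -f. Not run offline.
#   $1 zone name, remaining arguments as for exclusive_ip_anet_cmds
apply_exclusive_ip() {
    zone=$1
    shift
    cmdfile=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    exclusive_ip_anet_cmds "$@" > "$cmdfile" && zonecfg -z "$zone" -f "$cmdfile"
    rc=$?
    rm -f "$cmdfile"
    return $rc
}

# After the zone boots, confirm from the global zone that the VNIC really
# carries the protections. Assumes the VNIC is visible as zonename/linkname.
#   $1 zone name   $2 linkname
show_anet_protection() {
    dladm show-linkprop -p protection,allowed-ips "$1/$2"
}

# Usage from the global zone (assumed values):
#   apply_exclusive_ip zone1 select net0 net0 192.0.2.10/24,2001:db8::10/64 mac-nospoof,dhcp-nospoof
#   show_anet_protection zone1 net0
```

The generated file sets ip-type=exclusive explicitly even though it is the default, so the intent survives if the zone was previously switched to shared-IP.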

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.