Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.
The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.
There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive IP is the default IP type. A shared-IP zone shares a network interface with the global zone. Configuration in the global zone must be done by the ipadm utility to use shared-IP zones. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured using the anet resource, a dedicated VNIC is automatically created and assigned to that zone. By using the automated anet resource, the requirement to create and configure data-links in the global zone and assign the data-links to non-global zones is eliminated. Use the anet resource to accomplish the following:
Allow the global zone administrator to choose specific names for the data-links assigned to non-global zones
Allow multiple zones to use data-links of the same name
For backward compatibility, preconfigured data-links can be assigned to non-global zones.
For information about IP features in each type, see Networking in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones and Networking in Shared-IP Non-Global Zones in Creating and Using Oracle Solaris Zones.
A data-link is a physical interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A data-link is also referred to as a physical interface, for example, a Network Interface Card (NIC). The data-link is the physical property configured by using zonecfg(1M). The physical property can be a VNIC.
By default in Oracle Solaris 11, physical network device names use generic names, such as net0, instead of device driver names, such as nxge0.
For information about using IP over Infiniband (IPoIB) for solaris zones, see the anet description in Resource Type Properties.
For an anet resource that connects to an Elastic Virtual Switch (EVS) with the evs and vport properties set, the properties of that anet resource are encapsulated in the evs and vport pair. You cannot change any of the following properties for an EVS anet resource:
The only properties that you can set for an EVS anet resource are the following:
You must also set the tenant resource. Tenants are used for namespace management. The EVS resources defined within a tenant are not visible outside that tenant's namespace.
The following input for a zone named evszone sets the tenant resource for a tenant named tenantA. The zonecfg anet resource properties create a VNIC for a zone that has an anet resource that connects to an EVS named evsa and a VPort named vport0:
zonecfg:evszone> set tenant=tenantA
zonecfg:evszone> add anet
zonecfg:evszone> set evs=EVSA
zonecfg:evszone> set vport=vport0
For more information, see Chapter 5, About Elastic Virtual Switches, in Managing Network Virtualization and Network Resources in Oracle Solaris 11.2.
A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:
The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.
You do not want the other capabilities that the exclusive-IP zone provides.
Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.
In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.
To use the shared-IP type networking configuration in the global zone, you must use ipadm, not automatic network configuration. To determine whether networking configuration is being done by ipadm, run the following command. The response displayed must be DefaultFixed.
# svcprop -p netcfg/active_ncp svc:/network/physical:default
DefaultFixed
The IP addresses assigned to shared-IP zones are associated with logical network interfaces.
The ipadm command can be used from the global zone to assign or remove logical interfaces in a running zone.
To add interfaces, use the following command:
global# ipadm set-addrprop -p zone=my-zone net0/addr1
To remove interfaces, use one of the following commands:
global# ipadm set-addrprop -p zone=global net0/addr
global# ipadm reset-addrprop -p zone net0/addr1
For more information, see Shared-IP Network Interfaces in Creating and Using Oracle Solaris Zones .
Exclusive-IP is the default networking configuration for non-global zones.
An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.
The following features can be used in an exclusive-IP zone:
IP Filter, including network address translation (NAT) functionality
ipadm for setting TCP/UDP/SCTP as well as IP/ARP-level tunables
IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security association
There are two ways to configure exclusive-IP zones:
Use the anet resource of the zonecfg utility to automatically create a temporary VNIC for the zone when the zone boots and delete it when the zone halts.
Preconfigure the data-link in the global zone and assign it to the exclusive-IP zone by using the net resource of the zonecfg utility. The data-link is specified by using the physical property of the net resource. The physical property can be a VNIC. The address property of the net resource is not set.
By default, an exclusive-IP zone can configure and use any IP address on the associated interface. Optionally, a comma-separated list of IP addresses can be specified using the allowed-address property. The exclusive-IP zone cannot use IP addresses that are not in the allowed-address list. Moreover, all the addresses in the allowed-address list will automatically be persistently configured for the exclusive-IP zone when the zone is booted. If this interface configuration is not wanted, then the configure-allowed-address property must be set to false. The default value is true.
Note that the assigned data-link enables the snoop command to be used.
The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones. See Administering Data-Links in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones for usage examples.
Inside a running exclusive-IP zone that is assigned its own set of data-links, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(1M) man page.
The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command.
global# zlogin zone1 ipadm show-addr
ADDROBJ           TYPE     STATE   ADDR
lo0/v4            static   ok      127.0.0.1/8
nge0/v4           dhcp     ok      10.134.62.47/24
lo0/v6            static   ok      ::1/128
nge0/_a           addrconf ok      fe80::2e0:81ff:fe5d:c630/10
The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is enabled as SMF service rds. By default, the service is disabled after installation. The service can be enabled within a given non-global zone by a zone administrator granted appropriate authorizations. After zlogin, rds can be enabled in each zone in which it is to run.
Example 2-1 How to Enable the rds Service in a Non-Global Zone
To enable RDSv3 service in an exclusive-IP or shared-IP zone, zlogin and execute the svcadm enable command:
# svcadm enable rds
Verify that rds is enabled:
# svcs rds
STATE          STIME    FMRI
online         22:50:53 svc:/system/rds:default
For more information, see the svcadm(1M) man page.
In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, in an exclusive-IP zone, the superuser or user with the required rights profile can send spoofed packets on those data-links, just as can be done in the global zone. IP address spoofing can be disabled by setting the allowed-address property. For the anet resource, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property.
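The following shell audit is an added example and is not part of the Oracle documentation or of the zonecfg utility: it checks each anet resource of an exclusive-IP zone for the two spoofing controls described above (an allowed-address list and mac-nospoof in link-protection). The zone name webzone, the sample text, and the assumption that unset properties are printed by zonecfg info as "name not specified" are constructed for this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit anet resources of an exclusive-IP
# zone for anti-spoofing settings. Input is the text that
# `zonecfg -z ZONE info anet` prints; the layout assumed here is that set
# properties appear as "name: value" and unset ones as "name not specified".

# Constructed sample of `zonecfg -z webzone info anet` output (not captured
# from a real system): net0 is hardened, net1 has neither control.
SAMPLE_ANET_INFO='anet:
	linkname: net0
	lower-link: auto
	allowed-address: 192.0.2.10/24
	configure-allowed-address: true
	link-protection: mac-nospoof,dhcp-nospoof
	mac-address: auto
anet:
	linkname: net1
	lower-link: net1
	allowed-address not specified
	configure-allowed-address: true
	link-protection not specified
	mac-address: auto'

# audit_anet ZONE INFO_TEXT
# Prints one line per anet resource: "ZONE LINK ok" when allowed-address is
# set and link-protection contains mac-nospoof, otherwise
# "ZONE LINK WEAK: <missing controls>". Returns 1 if any resource is weak.
audit_anet() {
    zone=$1
    printf '%s\n' "$2" | awk -v zone="$zone" '
    function report() {
        if (link == "") return
        miss = ""
        if (addr == "") miss = miss " allowed-address"
        if (prot !~ /mac-nospoof/) miss = miss " mac-nospoof"
        if (miss == "") print zone, link, "ok"
        else { print zone, link, "WEAK:" miss; weak = 1 }
    }
    /^anet:/ { report(); link = ""; addr = ""; prot = "" }
    /^[ \t]*linkname:/ { link = $2 }
    /^[ \t]*allowed-address:/ { addr = $2 }
    /^[ \t]*link-protection:/ { prot = $2 }
    END { report(); exit weak + 0 }'
}

# Offline run against the constructed sample. On a Solaris host you would
# instead pass: audit_anet "$z" "$(zonecfg -z "$z" info anet)"
audit_anet webzone "$SAMPLE_ANET_INFO"
```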
The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.