This section provides the following information:
Datalink Security Differences Between Shared-IP andin Exclusive-IP Non-Global Zones
This section provides guidelines for network interfaces used by zones.
Exclusive-IP network configuration – There are two IP types available for non-global zones, shared-IP and exclusive-IP. Exclusive-IP is the default IP type. A shared-IP zone shares a network interface with the global zone. Configuration in the global zone must be done by the ipadm utility to use shared-IP zones. An exclusive-IP zone must have a dedicated network interface. If the exclusive-IP zone is configured by using the anet resource type, a dedicated VNIC is automatically created and assigned to that zone. By using the automated anet resource type, the requirement to create and configure datalinks in the global zone and assign the datalinks to non-global zones is eliminated. Use the anet resource type to accomplish the following:
Allow the global zone administrator to choose specific names for the datalinks assigned to non-global zones
Allow multiple zones to use datalinks of the same name
For additional information about IP features in each type for exclusive-IP zones, see Exclusive-IP Non-Global Zones and Networking in Exclusive-IP Non-Global Zones in Creating and Using Oracle Solaris Zones and Networking in Shared-IP Non-Global Zones in Creating and Using Oracle Solaris Zones.
SMF management of network configuration – To manage the persistent network configuration, use the Service Management Facility (SMF). Network configuration is aligned with other system components that use SMF as a core storage repository. Network configuration through SMF also enables you to perform customized network configuration during an installation by specifying datalink, flow, and IP properties in a system configuration profile. The properties are administered by the dladm, flowadm, and ipadm commands. For details about the dladm property names that support SMF, see Configuring and Managing Network Components in Oracle Solaris 11.4.
Network set-up at boot – Zone network interfaces configured by the zonecfg utility to provide network connectivity are automatically set up and placed in the zone when it is booted.
IP layers – The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and Packet Filter.
Multiple network resources – If some addresses must be automatically configured and other addresses must be available to be brought online and offline within the zone, multiple anet resources can be used.
For example, the following configuration uses two anet resources. The first automatically configures the 192.168.3.3 address on one of the zone's interfaces. The second allows the zone to configure only 192.168.3.100 and 192.168.3.101 on the other interface.
zonecfg:my-zone> select anet linkname=net0 zonecfg:my-zone:anet> set allowed-address=192.168.3.3/24 zonecfg:my-zone:anet> set configure-allowed-address=true zonecfg:my-zone:anet> end zonecfg:my-zone: add anet zonecfg:my-zone:anet> set allowed-address=192.168.3.100/24,192.168.3.101/24 zonecfg:my-zone:anet> set configure-allowed-address=false zonecfg:my-zone:anet> end zonecfg:my-zone>
Preconfigured datalinks – For backward compatibility, preconfigured datalinks can be assigned to non-global zones.
Link protection in zones – The link protection described in Chapter 1, Using Link Protection in Virtualized Environments in Securing the Network in Oracle Solaris 11.4 can be used on a system running zones. This functionality is configured in the global zone.
A datalink is a physical interface at Layer 2 of the OSI protocol stack, which is represented in a system as a STREAMS DLPI (v2) interface. Such an interface can be plumbed under protocol stacks such as TCP/IP. A datalink is also referred to as a physical interface, for example, a Network Interface Card (NIC). The datalink is the physical property configured by using the zonecfg utility. The physical property can be a VNIC.
By default, physical network device names use generic names, such as net0, instead of device driver names, such as nxge0.
For information about using IP over InfiniBand (IPoIB) in zones, see the anet resource type description in Zone Resource Types and Their Properties.
For an anet resource that connects to an Elastic Virtual Switch (EVS) with the evs and vport properties set, the properties of that anet resource are encapsulated in the evs and vport pair.
You cannot change any of the following properties for an EVS anet resource:
You can set the following properties for an EVS anet resource:
You must also set the tenant global property. Tenants are used for namespace management. The EVS resources defined within a tenant global property are not visible outside that tenant's namespace.
The following example input for a zone named evszone sets the tenant global property for a tenant named tenantA. The anet resource type properties create a VNIC for a zone that has an anet resource that connects to an EVS named EVSA and a VPort named vport0.
zonecfg:my-zone> set tenant=tenantA zonecfg:my-zone> add anet zonecfg:my-zone> set evs=EVSA zonecfg:my-zone> set vport=vport0
For more information, see Chapter 5, About Elastic Virtual Switches in Managing Network Virtualization and Network Resources in Oracle Solaris 11.4.
Exclusive-IP is the default networking configuration for non-global zones. An exclusive-IP zone has its own IP-related state and one or more dedicated datalinks.
The following features can be used in an exclusive-IP zone:
Packet Filter, including network address translation (NAT) functionality
ipadm for setting TCP/UDP/SCTP as well as IP/ARP-level tunables
IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security association
There are two ways to configure exclusive-IP zones:
Use the anet resource type of the zonecfg utility to automatically create a temporary VNIC for the zone when the zone boots and delete it when the zone halts.
Preconfigure the datalink in the global zone and assigned it to the exclusive-IP zone by using the net resource type of the zonecfg utility. The datalink is specified by using the physical property of the net resource type. The physical property can be a VNIC. The address property of the net resource type is not set.
By default, an exclusive-IP zone can configure and use any IP address on the associated interface. Optionally, you can specify a comma-separated list of IP addresses by using the allowed-address property of the anet resource type. The exclusive-IP zone cannot use IP addresses that are not in the allowed-address list. Moreover, all the addresses in the allowed-address list will automatically be persistently configured for the exclusive-IP zone when the zone is booted. If this interface configuration is not wanted, then the configure-allowed-address property must be set to false. The default value is true.
If some addresses must be automatically configured and some addresses must be able to be brought online and offline within the zone, multiple anet resources can be used.
In the following example, this configuration will have two anet resources. The first anet resource automatically configures the address 192.168.3.3 on one of the zone's interface. The second anet resource permits the zone to configure only 192.168.3.100 and 192.168.3.101 on the other interface.
zonecfg:my-zone> select anet linkname=net0 zonecfg:my-zone:anet> set allowed-address=192.168.3.3/24 zonecfg:my-zone:anet> set configure-allowed-address=true zonecfg:my-zone:anet> end zonecfg:my-zone> add anet zonecfg:my-zone:anet> set allowed-address=192.168.3.100/24,192.168.3.101/24 zonecfg:my-zone:anet> set configure-allowed-address=false zonecfg:my-zone:anet> end zonecfg:my-zone>
The dladm command can be used with the show-linkprop subcommand to show the assignment of datalinks to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional datalinks to running zones. SeeManaging Datalinks Related to Zones in Creating and Using Oracle Solaris Zones for usage examples.
Inside a running exclusive-IP zone that is assigned its own set of datalinks, the ipadm command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as in the global zone, by using the sysconfig interface described in the sysconfig(8) man page.
The IP configuration of an exclusive-IP zone can only be viewed from the global zone by using the zlogin command, as shown in the following example.
global$ zlogin my-zone ipadm show-addr ADDROBJ TYPE STATE ADDR lo0/v4 static ok 127.0.0.1/8 nge0/v4 dhcp ok 10.134.62.47/24 lo0/v6 static ok ::1/128 nge0/_a addrconf ok fe80::2e0:81ff:fe5d:c630/10
A shared-IP zone uses an existing IP interface from the global zone. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:
The non-global zone is to use the same data-link that is used by the global zone, regardless of whether the global and non-global zones are on the same subnet.
You do not want the other capabilities that the exclusive-IP zone provides.
Shared-IP zones are assigned one or more IP addresses using the net resource of the zonecfg command. The data-link names must also be configured in the global zone.
In the zonecfg net resource, the address and the physical properties must be set. The defrouter property is optional.
To use the shared-IP type networking configuration in the global zone, you must use ipadm, not automatic network configuration. To determine whether networking configuration is being done by ipadm, run the following command. The response displayed must be DefaultFixed.
global$ svcprop -p netcfg/active_ncp svc:/network/physical:default DefaultFixed
The IP addresses assigned to shared-IP zones are associated with logical network interfaces.
The ipadm command can be used from the global zone to assign or remove logical interfaces in a running zone.
To add interfaces, use the following command:
global$ ipadm set-addrprop -p zone=my-zone net0/addr1
To remove interfaces, use one of the following commands:
global$ ipadm set-addrprop -p zone=global net0/addr
or:
global$ ipadm reset-addrprop -p zone net0/addr1
For more information, see Shared-IP Network Interfaces in Creating and Using Oracle Solaris Zones.
The Reliable Datagram Sockets (RDS) IPC protocol is supported in both exclusive-IP and shared-IP non-global zones. The RDSv3 driver is enabled as SMF service rds. By default, the service is disabled after installation. The service can be enabled within a given non-global zone by a zone administrator granted appropriate authorizations. After you log in to the zone, the rds service can be enabled in each zone in which it is to run.
For more information, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones.
my-zone$ pfbash svcadm enable rds
For more information, see the svcadm(8) man page.
my-zone$ svcs rds
STATE STIME FMRI
online 22:50:53 svc:/system/rds:defaultIn a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, the zonecfg command grants the entire specified datalink to the zone. As a result, in an exclusive-IP zone, the root user or user with the required rights profile can send spoofed packets on those datalinks, just as can be done in the global zone. IP address spoofing can be disabled by setting the allowed-address property. For the anet resource type, additional protections such as mac-nospoof and dhcp-nospoof can be enabled by setting the link-protection property.
The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same system.