
Creating and Using Oracle® Solaris Zones

Updated: April 2019

Networking in Shared-IP Non-Global Zones

Zones installed on an Oracle Solaris system can communicate with each other over the network. The zones have separate bindings, or connections, and can run their own server daemons. These daemons can listen on the same port numbers without any conflict. The IP stack resolves conflicts by considering the IP addresses for incoming connections. The IP addresses identify the zone.

In Oracle Solaris, the network configuration of a specific system is managed by an active network configuration profile (NCP) that is enabled either automatically during an Oracle Solaris installation or manually by a system administrator. Only one NCP can be active on the system at one time.

To use shared-IP type zones, the operative NCP on the global zone must be the DefaultFixed NCP. To check which NCP is currently active on the system, type the following command:

# netadm list
TYPE   PROFILE         STATE
ncp    DefaultFixed    online
ncp    Automatic       disabled
loc    Automatic       offline
loc    NoNet           offline
loc    DefaultFixed    online

The NCP with the online state is the operative or active network configuration profile on the system. If DefaultFixed is offline, then enable the profile with the following command:

# netadm enable DefaultFixed
# svcprop -p netcfg/active_ncp svc:/network/physical:default
DefaultFixed
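The following shell functions are an added example, not part of the Oracle Solaris documentation. They parse a netadm list listing (read from standard input) to find the online NCP and report whether the global zone is ready for shared-IP zones, printing the netadm enable command when it is not. The function names and the two sample listings are constructed for this example; the column layout follows the netadm output shown above.

```shell
# Added example (not from the Oracle Solaris documentation): decide from a
# "netadm list" listing whether DefaultFixed is the active NCP.
# Function names and the sample listings are constructed for this example.

# Print the name of the NCP whose STATE is "online" (nothing if none).
# Reads a "netadm list" listing from standard input.
active_ncp() {
    awk '$1 == "ncp" && $3 == "online" { print $2; exit }'
}

# Return 0 if the listing on stdin shows the DefaultFixed NCP online.
# Otherwise print the remediation command to stderr and return 1.
shared_ip_ready() {
    ncp=$(active_ncp)
    if [ "$ncp" = "DefaultFixed" ]; then
        echo "DefaultFixed is active; shared-IP zones can be used"
        return 0
    fi
    echo "active NCP is '${ncp:-none}'; run: netadm enable DefaultFixed" >&2
    return 1
}

# Constructed sample listings for a stand-alone run (no netadm needed).
SAMPLE_FIXED='TYPE   PROFILE         STATE
ncp    DefaultFixed    online
ncp    Automatic       disabled
loc    DefaultFixed    online'

SAMPLE_AUTO='TYPE   PROFILE         STATE
ncp    DefaultFixed    disabled
ncp    Automatic       online
loc    Automatic       online'

printf '%s\n' "$SAMPLE_FIXED" | shared_ip_ready
printf '%s\n' "$SAMPLE_AUTO" | shared_ip_ready || true
```

On a live system the functions would be fed with `netadm list | shared_ip_ready`; the sample listings only stand in for that output so the check can be exercised offline.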

Shared-IP Zone Partitioning

Shared-IP is not the default, but this type is supported.

The IP stack in a system supporting zones implements the separation of network traffic between zones. Applications that receive IP traffic can only receive traffic sent to the same zone.

Each logical interface on the system belongs to a specific zone, the global zone by default. Logical network interfaces assigned to zones through the zonecfg utility are used to communicate over the network. Each stream and connection belongs to the zone of the process that opened it.

Bindings between upper-layer streams and logical interfaces are restricted. A stream can only establish bindings to logical interfaces in the same zone. Likewise, packets from a logical interface can only be passed to upper-layer streams in the same zone as the logical interface.

Each zone has its own set of binds. Each zone can be running the same application listening on the same port number without binds failing because the address is already in use. Each zone can run its own version of various networking services, such as the following:

  • Internet services daemon with a full configuration file (see the inetd(1M) man page)

  • sendmail (see the sendmail(1M) man page)

  • apache

Zones other than the global zone have restricted access to the network. The standard TCP and UDP socket interfaces are available, but SOCK_RAW socket interfaces are restricted to Internet Control Message Protocol (ICMP). ICMP is necessary for detecting and reporting network error conditions or using the ping command.

Shared-IP Network Interfaces

Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone. Zone network interfaces configured by zonecfg will automatically be set up and placed in the zone when it is booted. The ipadm command can be used to add or remove logical interfaces when the zone is running. Only the global administrator or a user granted the appropriate authorizations can modify the interface configuration and the network routes.

Within a non-global zone, only that zone's interfaces are visible to the ipadm command.

For more information, see the ipadm(1M) and if_tcp(7P) man pages.

IP Traffic Between Shared-IP Zones on the Same Machine

A shared-IP zone can reach any given IP destination if there is a usable route for that destination in its routing table. To view the routing table, use the netstat command with the -r option from within the zone. The IP forwarding rules are the same for IP destinations in other zones or on other systems.

Oracle Solaris IP Filter in Shared-IP Zones

Oracle Solaris IP Filter provides stateful packet filtering and network address translation (NAT). A stateful packet filter can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. Oracle Solaris IP Filter also includes stateless packet filtering and the ability to create and manage address pools. See Chapter 6, IP Filter Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.3 for additional information.

Oracle Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in Chapter 7, Configuring IP Filter Firewall in Securing the Network in Oracle Solaris 11.3.

Oracle Solaris IP Filter is derived from open source IP Filter software.

IP Network Multipathing in Shared-IP Zones

In Oracle Solaris, IP network multipathing (IPMP) ensures continuous network availability by grouping multiple interfaces on the same IP link. These underlying interfaces back up one another such that the network remains available if one of the underlying interfaces fails. IPMP also provides load spreading of packets for systems with multiple interfaces.

IPMP is implemented in Oracle Solaris in the following manner:

  • Multiple interfaces such as net0, net1, and net2 are configured to form an IPMP interface ipmp0.

  • The IPMP interface ipmp0 is configured with multiple IP addresses called data addresses. These addresses are used to host network traffic.

  • IP addresses can also be configured directly on the underlying interfaces netN. These addresses are not used for network traffic but for failure detection to determine whether an underlying interface has failed. Thus, these IP addresses on the underlying interfaces are called test addresses.

Because the data addresses reside on ipmp0, the network remains available even if one underlying IP interface fails. Traffic continues to flow through the other addresses in ipmp0.

As with all network configuration tasks, you configure IPMP on the global zone. Then, you extend the functionality to non-global zones. The functionality is extended by assigning one of the IPMP interface's data addresses to the zone.
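The following shell functions are an added example, not part of the Oracle Solaris documentation or a procedure from it. They generate the zonecfg command file that assigns an IPMP data address to a shared-IP zone, after checking that the address is a well-formed IPv4 CIDR value. The function names, the zone name myzone and the address 192.0.2.10/24 are constructed for this example; the resource syntax (ip-type=shared, add net, physical, address) follows the shared-IP net resource form of zonecfg, and the interface name ipmp0 is the one used in the text above.

```shell
# Added example (not from the Oracle Solaris documentation): emit the
# zonecfg commands that place one IPMP data address in a shared-IP zone.
# Function names, zone name and address values are constructed here.

# Validate an IPv4 address in CIDR form (a.b.c.d/n); return 0 if valid.
valid_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# Print the zonecfg commands for ZONE using data address ADDR on the IPMP
# interface IPMPIF (default ipmp0). Prints nothing and returns 1 on bad input.
ipmp_zone_commands() {
    zone=$1; addr=$2; ipmpif=${3:-ipmp0}
    valid_cidr4 "$addr" || { echo "$zone: invalid CIDR address: $addr" >&2; return 1; }
    cat <<EOF
set ip-type=shared
add net
set physical=$ipmpif
set address=$addr
end
verify
commit
EOF
}

# Stand-alone run with constructed values. In the global zone an
# administrator would save this output to a file and apply it with
# "zonecfg -z myzone -f file" (assumed usage, not run here).
ipmp_zone_commands myzone 192.0.2.10/24 ipmp0
ipmp_zone_commands myzone 192.0.2.300/24 || echo "rejected as expected"
```

The validation step matters because zonecfg accepts the command file non-interactively; rejecting a malformed address before the file reaches zonecfg keeps a bad net resource out of the zone configuration.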

In a given non-global zone, only the interfaces associated with the zone are visible through the ipadm command.

See How to Extend IP Network Multipathing Functionality to Shared-IP Non-Global Zones. The zones configuration procedure is covered in How to Configure the Zone. For information on IPMP features, components, and usage, see Chapter 2, About IPMP Administration in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.3.