[zones-discuss] Re: [networking-discuss] Re: [crossbow-discuss] Design review of IP Instances part of Crossbow
Erik Nordmark
erik.nordmark at sun.com
Wed Nov 8 09:24:39 PST 2006
James Carlson wrote:
> Erik Nordmark writes:
>> But the key thing to me is the consistency between where things can be
>> observed and where they can be modified.
>
> We already have RFEs filed against other utilities because they don't
> show non-global zone activity (see, for example, CR 6369726). I think
> the lines here are pretty blurry.
>
> In some usage models, the global zone administrator "owns"
> everything. Even if he can't directly control things from the global
> zone (and must log into the non-global zone to turn services on and
> off), he wants to see a view of the system that includes everything.
Do you have an example of that?
> In other usage models, the global zone administrator just provides
> "infrastructure" and has no business looking at non-global zones. And
> we've had requests to lock down the global zone so it can't look where
> it shouldn't.
I know the above is quite blurry - I sure wish zone administration was
more self-consistent.
> Given that there are some networking things that must be administered
> in the global zone alone even when exclusive stack instances are in
> use, it doesn't seem unreasonable to me to say that the administrator
> of the global zone should be able to list related information without
> entering the non-global zone.
ifconfig displays network interface names used by IP and IP addresses
and related information.

zoneadm list -l displays the datalink names assigned to an exclusive-IP
zone.

Are you saying that the datalink names are insufficient for the
administration the global zone would need to do for the exclusive-IP zone?

There are things external to the system (such as firewalls) that might
need to be configured with IP addresses, and I can see the same thing
being true for the global zone (e.g. the global zone might run a
firewall in front of the non-global zone down the road).

But I don't see that particular type of configuration as an argument for
being able to do ifconfig -a in the global zone and see the non-global
information, any more than there being a requirement for a router
outside the system being able to do ifconfig -a and see the IP
configuration of other systems on the network.

Thus I am trying to understand what the architectural or design
principle is that makes you conclude that showing IP address
configuration for exclusive-IP zones in ifconfig in the global zone.

Erik