Margot H. Miller writes:

> The problem you quoted here wrt zones is that an IP address
> is allocated for each zone. I thought I read that this is no
> longer the case with the recent Solaris builds?

This doesn't quite sound right. If you want a non-global zone to communicate on a network, then it'll need at least one IP address to do so. The phrase "an IP address is allocated" makes it sound like this is done automatically -- it's not; the administrator must assign addresses _if_ that's what he wants to do. Non-global zones don't require any addresses (they never have), but if you don't have any addresses, then you can't talk on any network. Thus, _most_ common uses of Zones will require at least one IP address per zone; and perhaps more.

In recent Solaris builds, there's a new feature called "Trusted Extensions." That does allow a single IP address to be used across all of the non-global zones on a system, if desired. It does so, though, by tagging each of the packets with a CIPSO security label so that they can be distinguished on the wire. Furthermore, you cannot configure such an all-zones address without enabling CIPSO (trusted mode). There's no way to make such an address unambiguous without those labels.

And when you enable trusted mode operation, there effectively aren't any "zones" as you might know them. Instead, each non-global zone is used to represent a security label -- e.g., "unclassified," "secret," and "top-secret" -- and the zones are not independent. The trusted extensions model gives a unified view of the system; it's one system with multiple label levels. It's clearly not the solution sought for here.

So, no, there's no way to use a single IP address across multiple, classical non-global zones.

> The other problem I hear wrt zones is that the O/S
> administrator is not the application administrator and
> that there would have to be some communication
> between the two to create a zone.

That's not quite true. Non-global zone administrators can't touch the global zone, and thus can't affect the rest of the system. They _can_ install their own local applications in their own zone, and that operation does _not_ require "communication" between the non-global zone administrator and the global zone administrator.

-- 
James Carlson, KISS Network                    <james.d.carlson at sun.com>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
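As an added illustration of the point made in the reply above (this is example code, not part of the mailing list message), the following shows how a classical, non-trusted zone gets its network presence: the global-zone administrator adds a net resource to the zone's configuration with zonecfg, and a zone whose configuration carries no net resource simply has no address and cannot talk on any network. The zone names, the 192.0.2.0/24 address and the bge0 interface are constructed placeholders; the command sequence is the Solaris 10 shared-IP zonecfg syntax (create, add net, set address, set physical, end, verify, commit), and the zone_addresses filter reads the same `set address=` lines that `zonecfg -z <zone> export` prints, so it can be used to audit which zones on a host have been given addresses.

```shell
#!/bin/sh
# Added example, not from the mailing list post. Zone names, address and
# interface below are constructed placeholders.

# Emit the zonecfg command script for one non-global zone.
#   $1 zone name
#   $2 IP address with prefix length (optional; omit for a zone with no
#      network presence)
#   $3 physical interface the address is plumbed on (shared-IP stack)
zone_net_config() {
    zone=$1; addr=$2; nic=$3
    printf 'create\nset zonepath=/zones/%s\n' "$zone"
    # Only an explicit net resource gives the zone an address; nothing is
    # allocated automatically.
    if [ -n "$addr" ]; then
        printf 'add net\nset address=%s\nset physical=%s\nend\n' "$addr" "$nic"
    fi
    printf 'verify\ncommit\n'
}

# Audit filter: print every address assigned in a zone configuration read
# on stdin. Works on the generated script above and on the output of
# "zonecfg -z <zone> export" on a real host.
zone_addresses() {
    sed -n 's/^set address=//p'
}

# Usage from the global zone on a Solaris host (left commented so the
# script runs anywhere):
#   zone_net_config web01 192.0.2.10/24 bge0 > web01.cfg
#   zonecfg -z web01 -f web01.cfg
#   zoneadm -z web01 install && zoneadm -z web01 boot
#   zonecfg -z web01 export | zone_addresses
```

A zone created from `zone_net_config batch01` (no address argument) has no net resource, so the audit filter prints nothing for it; that is the "no addresses, no network" case the reply describes, and the global-zone administrator is the only party who can change it.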
