At 10:10 PM 8/8/06, carlsonj wrote:
...
>For what it's worth, and it may not be much, the original design
>center for Zones was aggregation of services that are present on the
>same collection of networks. The classic example is a farm of web
>servers (for ISP-hosted services) on an Internet-facing subnet.

The typical scenario that I'm most familiar with is a pair of SLBs
out front with a few simple acls, then a variety of services
ib-mail, auth-dns, and web-rev-proxy, all on pairs (or more) of
dual-homed hosts, typically Dell or SUN 1RU.
Another layer inwards are the page/app servers,
and another layer inwards the DB and secured services.
Conventional wisdom and SMCC marketing suggest that consolidating
this first layer into a pair of T2000s is a GOOD(tm) idea.
Multiple network interfaces are necessary esp. when 1G or 100M.
Jails won't do, LPARS aren't available and would cost LOTS of memory,
but Zones seemed to fit the bill.

>The design center explicitly did not include systems that were on
>isolated (and possibly mutually-hostile) networks, or with complex
>inter-dependencies (such as load balancers, NATs, or filters between
>the zones).

This was NOT communicated to the great unwashed,
and in fact Zones have been sold/promoted into this space.

>...
>It's possible that a future project ("stack instances") will alter
>this somewhat, but I think it's important to understand that Zones was
>designed with a particular class of usage in mind. It's not all
>things to all people, and likely cannot be.

You don't need to separate the stacks if some basic issues with
interfaces inside of zones, filtering packet paths between zones,
and multiple default routes were fixed.
In a POC, I've used IPFilter's "on int:gw" construct to kludge the
routing; I'm now just working out how to get into the zone-zone path.
I think SMCC needs to re-look at these issues if they're going
to win back lots of us who have deserted Solaris for FreeBSD
in our Internet Facing production systems.
BTW, my progress is a little slowed by nv-b43 and some really
silly problems with routing UDP, it used to work on b35 ... <g>
pjc
This message posted from opensolaris.org
networking-discuss mailing list