Glenn Faden wrote:
> I have tried this already and it doesn't work. I'm pretty sure that
> AF_UNIX doesn't work across zones if the rendezvous file is loopback
> mounted. With respect to named pipes, I was able to get them to work for
> some cross-zone services, but not for X11. When using named pipes as the
> transport, the X server assumes it can share memory with its client,
> which doesn't work.
Yes, by design it doesn't work. But one can extend it to work (when the
AF_UNIX pathname or named pipe is loopback mounted into the non-global
zone).
> On the other hand, vni(7) works fine and has several other advantages
> for Trusted Extensions users. For example, the single interface, vni0,
> can be specified:
>
> ifconfig vni0 all-zones
Which IP address do you assign to vni?
It had better be a different address (and subnet perhaps) than any other
IP address in use on the network that you might want to talk to.
> which allows all zones to share the same hostname and IP address. This
> makes a bunch of fussy X11 applications work properly in zones because
> they think that they are local, not remote. It also allows other
> services that are TCP only to work across zones, like remote printing.
But using vni has some security issues.
For instance, an attacker on one network (attached to one zone) can use
an IP source route option to jump via the vni interface over to another
zone.
This is why I think it is important to explore non-IP ways for
applications in zones to be able to communicate.
> Named pipes don't work across zones in standard Solaris because the FIFO
> logic in the kernel doesn't match endpoints through lofs mounts. This
> may apply to AF_UNIX, too. In Trusted Extensions, named pipes work as
> unidirectional conduits which are constrained to only allow writing from
> lower-level zones to higher-level zones.
Yes, I played around with this starting with your namefs fix for TX.
I don't think I quite got AF_UNIX to work (got distracted by other work),
and I didn't have X11 work over the named pipe; perhaps this is the
shared memory assumption in the X server.
Erik
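As an added example (not from this thread or from Solaris itself), a defensive check for the vni risk Erik raises: a small Python parser that flags IPv4 headers carrying a source-route option (LSRR or SSRR), which is what a filter or audit tool in front of a shared interface would log or drop. The header builder and the 192.0.2.x addresses are constructed sample data.

```python
import socket
import struct

# RFC 791 source-route option types: 0x83 = LSRR (loose), 0x89 = SSRR (strict)
SOURCE_ROUTE_OPTIONS = {0x83: "LSRR", 0x89: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Return a list of (type, data) for every option in the IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_routed(packet: bytes):
    """Name of the source-route option the packet carries, or None."""
    for kind, _ in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            return SOURCE_ROUTE_OPTIONS[kind]
    return None


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample header (proto TCP, zero checksum) plus IP options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


# Constructed samples: a plain packet and one with an LSRR hop via 192.0.2.1
PLAIN = build_ipv4_header("192.0.2.10", "192.0.2.20")
LSRR = b"\x83\x07\x04" + socket.inet_aton("192.0.2.1")   # type, len, ptr, hop
ROUTED = build_ipv4_header("192.0.2.10", "192.0.2.20", LSRR)
```

`source_routed(ROUTED)` returns "LSRR" while `source_routed(PLAIN)` returns None; a packet filter that drops the former closes the hop across the shared vni interface that the thread describes.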