Re: [zones-discuss] Shared-ip routing and VNI interface
Paul van der Zwan writes:
> service address=10.1.1.1
> default gateway=192.168.1.254
> zone1 on host1 has 192.168.1.1 on bge0 and 10.1.1.1 on vni0
> zone1 on host2 has 192.168.1.2 on bge0 and 10.1.1.1 on vni0

That looks like a variant on the original design target for vni, so
I'd expect it to work.

> The loadbalancer routes 10.1.1.1 traffic for session1 to 192.168.1.1
> Would traffic from zone1 be able to go out to the internet using the
> default gateway 192.168.1.254 with a source of 10.1.1.1 or would the
> source become 192.168.1.1 ( even if the application binds to 10.1.1.1 ) ?

Yes, it should be able to reach that router because the configuration
of bge0 in the zone gives it access to that subnet.

No, the system never alters a chosen source address. The only time we
ever pick a source address is when the application itself has not
chosen one -- either it hasn't called bind() at all, or it has called
bind() and supplied an all-zeros address.

> Is there some documentation on the routing in Solaris 10 esp. in
> combination with zones ?

Besides the man pages and docs.sun.com, there's some useful
information in the FAQ:

http://www.opensolaris.org/os/community/zones/faq/#cfg_io

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
___
zones-discuss mailing list
zones-discuss@opensolaris.org
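
The source-address rule described in the message above (the stack picks a source only when the application has not called bind(), or has bound the all-zeros address), as an added C example that is not part of the original thread. It assumes Linux, where every 127.0.0.0/8 address is local; 127.0.0.2 is a constructed stand-in for the service address on vni0 and 127.0.0.1 for the peer.

```c
/* Added example: which source address does a UDP socket end up with? */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* bind_to == NULL  : the application never calls bind()
 * bind_to "0.0.0.0": bind() with the all-zeros address
 * anything else    : bind() to that specific local address
 * Returns the source address (network byte order) the socket uses toward
 * dst, or INADDR_NONE on error. */
in_addr_t source_addr_for(const char *bind_to, const char *dst)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    in_addr_t result = INADDR_NONE;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return INADDR_NONE;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;            /* port 0: any free port */
    if (bind_to != NULL &&
        (inet_pton(AF_INET, bind_to, &sa.sin_addr) != 1 ||
         bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0))
        goto out;
    sa.sin_port = htons(9);             /* UDP connect() sends no packet */
    if (inet_pton(AF_INET, dst, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0)
        goto out;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) == 0)
        result = sa.sin_addr.s_addr;
out:
    close(fd);
    return result;
}

int main(void)
{
    /* Constructed cases: explicit bind, all-zeros bind, no bind at all. */
    const char *cases[] = { "127.0.0.2", "0.0.0.0", NULL };
    char buf[INET_ADDRSTRLEN];
    for (int i = 0; i < 3; i++) {
        struct in_addr a = { source_addr_for(cases[i], "127.0.0.1") };
        printf("bind(%s) -> source %s\n", cases[i] ? cases[i] : "none",
               inet_ntop(AF_INET, &a, buf, sizeof(buf)));
    }
    return 0;
}
```

Only the explicitly bound socket keeps 127.0.0.2; in the other two cases the stack chooses the source from the outgoing route, which is why a direct-return service has to bind to the service address itself.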
Re: [zones-discuss] Shared-ip routing and VNI interface
On 3 Dec 2007, at 12:49, James Carlson wrote:

> Paul Van Der Zwan writes:
>> I'm having a problem figuring out why my ping replies never get sent.
>
> There's no way for any of your configured zones to transmit, so they
> don't. "Vni" is really not much different from "lo0." You cannot
> transmit packets on "vni" -- it's just a place to hang a local IP
> address. That's why they say "NOXMIT" when you configure them.
>
>> The global zone has 192.168.200.14 configured on bge0
>
> You need to give your zones access to bge0 if you want them to
> transmit there. You "give access" by assigning an address on that
> interface.
>

What I was trying to do was have the option of running multiple zones,
on different hosts, configured with the same IP address on a VNI
interface so a loadbalancer can balance between different zones, each
with the same configuration as far as the application, running within
the zone, is concerned.

If I give each zone a unique address on the bge0 intf. and an
application address on the vni, will the zone be able to route traffic
out to the client?

For example:

service address=10.1.1.1
default gateway=192.168.1.254
zone1 on host1 has 192.168.1.1 on bge0 and 10.1.1.1 on vni0
zone1 on host2 has 192.168.1.2 on bge0 and 10.1.1.1 on vni0

The loadbalancer routes 10.1.1.1 traffic for session1 to 192.168.1.1

Would traffic from zone1 be able to go out to the internet using the
default gateway 192.168.1.254 with a source of 10.1.1.1 or would the
source become 192.168.1.1 ( even if the application binds to 10.1.1.1 ) ?

Is there some documentation on the routing in Solaris 10 esp. in
combination with zones ?

TIA
Paul
Re: [zones-discuss] Shared-ip routing and VNI interface
Paul Van Der Zwan writes:
> I'm having a problem figuring out why my ping replies never get sent.

There's no way for any of your configured zones to transmit, so they
don't. "Vni" is really not much different from "lo0." You cannot
transmit packets on "vni" -- it's just a place to hang a local IP
address. That's why they say "NOXMIT" when you configure them.

> The global zone has 192.168.200.14 configured on bge0

You need to give your zones access to bge0 if you want them to
transmit there. You "give access" by assigning an address on that
interface.

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
Re: [zones-discuss] Shared-ip routing and VNI interface
Paul,

Have you done "zlogin -C zonename", it will initialize the zone
environment including the network.

Chris

Paul Van Der Zwan wrote:
> I'm having a problem figuring out why my ping replies never get sent.
>
> I have a Blade 1500 running Solaris 10 08/07
>
> On it I have 2 active local zones, zone1 and zone2, their configs are:
> # zonecfg -z zone1 export
> create -b
> set zonepath=/zones/zone1
> set autoboot=false
> set ip-type=shared
> add inherit-pkg-dir
> set dir=/lib
> end
> add inherit-pkg-dir
> set dir=/platform
> end
> add inherit-pkg-dir
> set dir=/sbin
> end
> add inherit-pkg-dir
> set dir=/usr
> end
> add net
> set address=192.168.200.50
> set physical=vni0
> end
>
> and
>
> # zonecfg -z zone2 export
> create -b
> set zonepath=/zones/zone2
> set autoboot=false
> set ip-type=shared
> add inherit-pkg-dir
> set dir=/lib
> end
> add inherit-pkg-dir
> set dir=/platform
> end
> add inherit-pkg-dir
> set dir=/sbin
> end
> add inherit-pkg-dir
> set dir=/usr
> end
> add net
> set address=192.168.200.51
> set physical=vni1
> end
>
> The global zone has 192.168.200.14 configured on bge0
> The default gateway is 192.168.200.4.
>
> If I configure a host route routing 192.168.200.50 to 192.168.200.14
> on the router (192.168.200.4) and ping 192.168.200.50
> I see echo request packets arrive on the bge0 interface but I never
> see any replies go out.
>
> 192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 744)
> 192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 745)
> 192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 746)
>
> The routing table shows:
> netstat -rn
>
> Routing Table: IPv4
>   Destination      Gateway          Flags  Ref  Use  Interface
>   ---------------  ---------------  -----  ---  ---  ---------
>   default          192.168.200.4    UG     1    0
>   192.168.42.0     192.168.42.1     U      1    0    bge0:1
>   192.168.200.0    192.168.200.14   U      1    5    bge0
>   224.0.0.0        192.168.200.14   U      1    0    bge0
>   127.0.0.1        127.0.0.1        UH     1    38   lo0
>
> ifconfig -a shows :
> # ifconfig -a
> lo0: flags=2001000849 mtu 8232 index 1
>         inet 127.0.0.1 netmask ff00
> lo0:1: flags=2001000849 mtu 8232 index 1
>         zone zone1
>         inet 127.0.0.1 netmask ff00
> lo0:2: flags=2001000849 mtu 8232 index 1
>         zone zone2
>         inet 127.0.0.1 netmask ff00
> bge0: flags=1000843 mtu 1500 index 2
>         inet 192.168.200.14 netmask ff00 broadcast 192.168.200.255
>         ether 0:3:ba:2f:c1:bb
> bge0:1: flags=1000843 mtu 1500 index 2
>         inet 192.168.42.1 netmask ff00 broadcast 192.168.42.255
> vni0: flags=20010100c0 mtu 0 index 3
>         inet 0.0.0.0 netmask 0
> vni0:1: flags=20010100c1 mtu 0 index 3
>         zone zone1
>         inet 192.168.200.50 netmask ff00
> vni1: flags=20010100c0 mtu 0 index 4
>         inet 0.0.0.0 netmask 0
> vni1:1: flags=20010100c1 mtu 0 index 4
>         zone zone2
>         inet 192.168.200.51 netmask ff00
> #
>
> Any ideas ?
>
> Paul
[zones-discuss] Shared-ip routing and VNI interface
I'm having a problem figuring out why my ping replies never get sent.

I have a Blade 1500 running Solaris 10 08/07

On it I have 2 active local zones, zone1 and zone2, their configs are:

# zonecfg -z zone1 export
create -b
set zonepath=/zones/zone1
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.50
set physical=vni0
end

and

# zonecfg -z zone2 export
create -b
set zonepath=/zones/zone2
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.200.51
set physical=vni1
end

The global zone has 192.168.200.14 configured on bge0
The default gateway is 192.168.200.4.

If I configure a host route routing 192.168.200.50 to 192.168.200.14
on the router (192.168.200.4) and ping 192.168.200.50
I see echo request packets arrive on the bge0 interface but I never
see any replies go out.

192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 744)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 745)
192.168.200.4 -> 192.168.200.50 ICMP Echo request (ID: 27266 Sequence number: 746)

The routing table shows:
netstat -rn

Routing Table: IPv4
  Destination      Gateway          Flags  Ref  Use  Interface
  ---------------  ---------------  -----  ---  ---  ---------
  default          192.168.200.4    UG     1    0
  192.168.42.0     192.168.42.1     U      1    0    bge0:1
  192.168.200.0    192.168.200.14   U      1    5    bge0
  224.0.0.0        192.168.200.14   U      1    0    bge0
  127.0.0.1        127.0.0.1        UH     1    38   lo0

ifconfig -a shows :
# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
        inet 127.0.0.1 netmask ff00
lo0:1: flags=2001000849 mtu 8232 index 1
        zone zone1
        inet 127.0.0.1 netmask ff00
lo0:2: flags=2001000849 mtu 8232 index 1
        zone zone2
        inet 127.0.0.1 netmask ff00
bge0: flags=1000843 mtu 1500 index 2
        inet 192.168.200.14 netmask ff00 broadcast 192.168.200.255
        ether 0:3:ba:2f:c1:bb
bge0:1: flags=1000843 mtu 1500 index 2
        inet 192.168.42.1 netmask ff00 broadcast 192.168.42.255
vni0: flags=20010100c0 mtu 0 index 3
        inet 0.0.0.0 netmask 0
vni0:1: flags=20010100c1 mtu 0 index 3
        zone zone1
        inet 192.168.200.50 netmask ff00
vni1: flags=20010100c0 mtu 0 index 4
        inet 0.0.0.0 netmask 0
vni1:1: flags=20010100c1 mtu 0 index 4
        zone zone2
        inet 192.168.200.51 netmask ff00
#

Any ideas ?

Paul
Re: [zones-discuss] Shared-ip routing and VNI interface
On (11/30/07 08:25), Mike Gerdts wrote:
> The 10.1.1.100 address must not be reachable. The last time I tried
> this in Nevada it causes a panic. The last time I tried it on S10 it
> causes one kernel thread to spin (mpstat will show one CPU at 100%
> sys).
>
> Through bugs.opensolaris.org I opened a bug (6422863) but now I cannot
> see that bug through bugs.opensolaris.org. Anyone from Sun care to
> comment?

That bug was fixed in SXDE 9/07

See also:
http://unix.derkeiler.com/Newsgroups/comp.unix.solaris/2006-11/msg01251.html

--Sowmini
Re: [zones-discuss] Shared-ip routing and VNI interface
On Nov 30, 2007 7:37 AM, Paul Van Der Zwan <[EMAIL PROTECTED]> wrote:
> Host 1:
> global zone  bge0  192.168.1.1/24
>              vni0  10.1.1.254/24
> zone1        vni1  10.1.1.1/24
> zone2        vni2  10.1.1.2/24
> zone3        vni3  10.1.1.3/24

When you try this configuration, go into any zone listed above and try
this (when it is safe to reboot):

nslookup anything.com 10.1.1.100

The 10.1.1.100 address must not be reachable. The last time I tried
this in Nevada it causes a panic. The last time I tried it on S10 it
causes one kernel thread to spin (mpstat will show one CPU at 100%
sys).

Through bugs.opensolaris.org I opened a bug (6422863) but now I cannot
see that bug through bugs.opensolaris.org. Anyone from Sun care to
comment?

My simplified way to trigger this was:

ifconfig vni0 plumb
ifconfig vni0 10.0.0.1 up netmask 255.255.255.0 broadcast +
ifconfig vni0 xmit
nslookup 1.2.3.4 10.0.0.4

Zones were not needed to cause this problem. However, my purpose for
doing this was to make it so that I had an "internal" communication
path between global and non-global zones. That is, every global zone
would have vni0 at 10.0.0.1 so that non-global zones could have a
reliable address to reach the global zone at.

I just tried to reproduce on S10U4 + all current patches on a T5120.
As soon as I ran nslookup, the following appeared on the console:

ip: vni0: DL_UNITDATA_REQ failed: DL_UNSUPPORTED

mpstat showed that one strand went to 100% sys and 14 other strands
went to between 9% and 59% sys for a total of 345% sys. Prior to
running nslookup it was 100% idle. Overall system utilization went
from 100% idle to 3% user and 6% sys (on a 64 processor system).

When I typed reboot, the console began getting spammed with the same
error message above. The messages were interspersed, possibly implying
that multiple threads were writing the messages. I had to hard reset
the system to get back.

Be careful with vni.

--
Mike Gerdts
http://mgerdts.blogspot.com/
[zones-discuss] Shared-ip routing and VNI interface
I am wondering if the following setup on S10u4 with local zones will
work, or can be made to work.

The setup is meant to be used as a backend for a loadbalancer which uses
the direct-return method, that is, no NAT but the balanced service
talks directly to the client.

In all zones running a service I configure the same IP address on a vni
interface. I know you can configure a single IP only on a single
interface; AFAIK that means that I cannot run more than one instance
of the same service on a single global zone.

The local zones will not get a 'real' interface configured, only the
vni interface. The global zone has a real interface configured with a
real IP address. The loadbalancer will use host routing to direct
traffic to the correct global zone.

My theoretical setup would have this set of addresses and routes
configured:

Host 1:
global zone  bge0  192.168.1.1/24
             vni0  10.1.1.254/24
zone1        vni1  10.1.1.1/24
zone2        vni2  10.1.1.2/24
zone3        vni3  10.1.1.3/24

Host 2:
global zone  bge0  192.168.1.2/24
             vni0  10.1.1.254/24
zone1        vni1  10.1.1.1/24
zone2        vni2  10.1.1.2/24
zone3        vni3  10.1.1.3/24

Default routes would be the same on both hosts, destinations would be
10.1.1.254 and 192.168.1.254

What would happen if the load balancer would send a packet with
destination address 10.1.1.1 and source address some public address on
the internet to the mac address of bge0 of host 2 ?
(the load balancer has selected 192.168.1.2 as the destination for
this session to 10.1.1.1 and did an arp for 192.168.1.2 to find the
mac for 192.168.1.2)

Would that end up in zone 2 ?
And if zone2 returns traffic would that end up on 192.168.1.254 who
would be able to route it to the final destination.

TIA
Paul