Re: [OpenIndiana-discuss] OI 151a as a kvm under rhel6.x hosts

2011-12-01 Thread carlopmart

On 11/30/2011 04:04 PM, Geoff Flarity wrote:

On Wed, Nov 30, 2011 at 9:59 AM, carlopmart  wrote:

On 11/30/2011 03:51 PM, Geoff Flarity wrote:


On Wed, Nov 30, 2011 at 6:48 AM, carlopmartwrote:



Hi all,

  Has somebody tried to install OI 151a under rhel6.x kvm hosts?? Does it work
well?? How about performance?? Is OI stable under this platform??



Are you looking to just test OI out? Not sure I see the use case here,
with ZFS, Zones, Crossbow etc, it makes more sense to use OI as the
host rather than a guest?

No, I would like to deploy OI guests under kvm hosts ... because kvm is our
first virtualization platform ...


--


Why exactly? Most people are doing the opposite, i.e. using OI as a host
with linux guests. I'm running OI under VirtualBox as a learning
exercise, so far so good.

GF



I have said: kvm is our virtualization platform, RHEV/RHEL more exactly. 
And xen support for RHEL is not very good ... For these reasons, I would 
like to know if OI is more or less stable under this platform ...


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] OI 151a as a kvm under rhel6.x hosts

2011-11-30 Thread carlopmart

On 11/30/2011 03:51 PM, Geoff Flarity wrote:

On Wed, Nov 30, 2011 at 6:48 AM, carlopmart  wrote:


Hi all,

  Has somebody tried to install OI 151a under rhel6.x kvm hosts?? Does it work
well?? How about performance?? Is OI stable under this platform??


Are you looking to just test OI out? Not sure I see the use case here,
with ZFS, Zones, Crossbow etc, it makes more sense to use OI as the
host rather than a guest?


No, I would like to deploy OI guests under kvm hosts ... because kvm is 
our first virtualization platform ...



--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] OI 151a as a kvm under rhel6.x hosts

2011-11-30 Thread carlopmart


Hi all,

 Has somebody tried to install OI 151a under rhel6.x kvm hosts?? Does it work
well?? How about performance?? Is OI stable under this platform??



---
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Configuring span ports on oi151

2011-11-08 Thread carlopmart

On 11/08/2011 01:43 AM, Jonathan Loran wrote:

On Oct 24, 2011, at 10:54 AM, James Carlson wrote:


carlopmart wrote:

On 10/24/2011 07:08 PM, James Carlson wrote:

You didn't say how you're sniffing traffic.  If you mean that you must
use an _external_ network monitoring device to do this, then the
existing built-in mechanism obviously won't be sufficient.  That'd be a
fair reason to add a port mode flag that disables the normal MAC
filtering, though it's a little unclear why an external device would be
required or desired.



Sorry James for not explaining properly. But yes, I need to use an
external monitoring device. I use an external server with different
IDS/IPS sensors to process certain types of traffic. For example: there is
one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
Bro-IDS sensor to process ssl traffic. And another suricata sensor to
process http traffic only. All these three sensors are installed in one
server.


I see.  One solution might be to get those "sensors" to run on the
OpenIndiana system.  Then they could take advantage of the observability
interface to grab the traffic desired.


And it is a lab, not a production system ...


The other solutions I can think of (besides adding this feature to the
existing code or porting the applications) would be intentionally
breaking the bridge_learn() function in bridge.c so that it always
returns without updating the forwarding tables, or, alternatively, using
an external bridge that has this feature.

The latter would be extremely easy, but would cost more money.  The
former is a bit hackish, but should do the job, and would be fairly easy
to do, provided you are able to build kernel modules.



Why not something like this:

mkfifo /tmp/spanout-pipe
tcpdump -i bridgename0 -s0 -w /tmp/spanout-pipe &
cat /tmp/spanout-pipe | ssh ids-system "snort-etc-capture"

You could replace cat | ssh with something spiffier, but perhaps less secure, 
like nc or mbuffer.

Jon


It is not a bad idea, but it requires a watchdog to make sure 
ssh/nc/or_whatever is always up ... The best solution is to use daemonlogger ...


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

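As an added example (not code from the thread), this wraps the observability-node capture James describes and the tcpdump-over-ssh forwarding Jon suggests in the watchdog the reply above asks for; the host name ids-system, the remote command placeholder and the restart limits are assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread.  A dladm bridge named "foo" exposes
# an observability node "foo0" that carries every frame the bridge switches, so
# capturing there and streaming over ssh replaces a hardware span port.  The
# pipeline is supervised: when tcpdump or ssh dies it is restarted after a delay.

# observability_node BRIDGE -> snoopable node for the bridge ("foo" -> "foo0").
observability_node() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "bad bridge name: $1" >&2; return 1 ;;
    esac
    printf '%s0\n' "$1"
}

# capture_cmd BRIDGE IDS_HOST REMOTE_CMD -> the shell pipeline as a string.
# Writing the capture to stdout (-w -) removes the fifo/cat step; -U flushes
# each packet so the sensor sees traffic immediately; ssh keeps the mirrored
# traffic confidential in transit, which nc would not (pin the key on the
# sensor side to a forced command so it can only feed the sensor).
capture_cmd() {
    node=$(observability_node "$1") || return 1
    printf "tcpdump -i %s -s0 -U -w - | ssh %s '%s'\n" "$node" "$2" "$3"
}

# supervise CMD MAX_RESTARTS DELAY_SECONDS
# Runs CMD via eval (so shell functions work).  Exit 0 means an operator
# stopped the capture: return 0.  Any other exit is a failure of the capture
# path: wait DELAY, restart, and give up (return 1) after MAX_RESTARTS.
supervise() {
    cmd=$1 max=$2 delay=$3 restarts=0
    while :; do
        if eval "$cmd"; then
            return 0
        fi
        restarts=$((restarts + 1))
        if [ "$restarts" -gt "$max" ]; then
            echo "watchdog: giving up after $max restarts" >&2
            return 1
        fi
        echo "watchdog: capture exited, restart $restarts/$max in ${delay}s" >&2
        sleep "$delay"
    done
}

# fail_until COUNTER_FILE N: constructed stand-in for a flaky capture pipeline.
# It fails until it has been invoked N times, giving supervise() something to retry.
fail_until() {
    n=$(cat "$1" 2>/dev/null)
    n=$((${n:-0} + 1))
    echo "$n" > "$1"
    [ "$n" -ge "$2" ]
}

# Demonstration: print the pipeline for bridge "lab", then exercise the
# watchdog against the stub (succeeds on the second attempt).
capture_cmd lab ids-system 'snort-etc-capture'
demo_counter=$(mktemp)
supervise "fail_until $demo_counter 2" 3 1
rm -f "$demo_counter"
```

In real use the last lines become `supervise "$(capture_cmd lab ids-system '...')" 1000000 5` under SMF or cron so the forwarding comes back without a human.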


Re: [OpenIndiana-discuss] OI on kvm-linux -> networking issue?

2011-11-04 Thread carlopmart

On 11/04/2011 11:44 AM, Peter Lees wrote:

On 4/11/11 7:42 PM, carlopmart wrote:

On 11/04/2011 02:32 AM, Peter Lees wrote:

hi folks

i'm trying to run openindiana 151a in a VM using KVM linux (centos 6.0)

i'm trying to use a bridged ethernet connection, but for some reason the
data is not getting through (can't ping the real network)

this is probably more a centos/linux question than OI, but i wondered if
anyone had a similar setup they could share ?

regards

p

--
peter lees



How did you define the bridge on the c6 host?? What nic driver do you use in
OI??



centos6 (host) bridge is defined using /etc/sysconfig/network-scripts:

ifcfg-eth0:
DEVICE="eth0"
BRIDGE=br0
NM_CONTROLLED="no"
ONBOOT="yes"
HWADDR=00:1E:67:14:E7:5D
TYPE=Ethernet
DNS1=10.16.168.10
IPV4_FAILURE_FATAL=yes
IPV6INIT=no


ifcfg-br0
DEVICE=br0
NM_CONTROLLED=no
BOOTPROTO=static
ONBOOT=yes
TYPE=Bridge
IPADDR=10.16.168.3
PREFIX=27
GATEWAY=10.16.168.10
DNS1=10.16.168.10
DEFROUTE=yes
IPV6INIT=no

10.16.168.3 is the host IP address on that network.

nics driver on OI was the default rtl8139 (rtls0), but i have changed to
e1000g (the physical port, fwiw, is e1000g)

both types plumb OK on the OI VM, but no traffic seems to cross the bridge


thoughts?

p



Uhmm ... Maybe the problem is with the e1000g driver. I have installed a 
FreeBSD guest under a RHEL6 kvm host, and this driver suffers from problems ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] KVM again

2011-11-04 Thread carlopmart

On 11/04/2011 01:33 PM, alessio wrote:

I'm very interested in KVM on Openindiana.
Unfortunately I don't actually have a CPU supporting KVM.
I can buy a new PC, so I want to buy a system on which I can install
Openindiana and run KVM.

Can someone tell me which intel CPU model works with KVM for sure?
Thank you for any advice.




These:

- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Virtualization_Host_Configuration_and_Guest_Installation_Guide/ch03s02.html



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] OI on kvm-linux -> networking issue?

2011-11-04 Thread carlopmart

On 11/04/2011 02:32 AM, Peter Lees wrote:

hi folks

i'm trying to run openindiana 151a in a VM using KVM linux (centos 6.0)

i'm trying to use a bridged ethernet connection, but for some reason the
data is not getting through (can't ping the real network)

this is probably more a centos/linux question than OI, but i wondered if
anyone had a similar setup they could share ?

regards

p

--
peter lees



How did you define the bridge on the c6 host?? What nic driver do you use in 
OI??



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Isolating networks for zones

2011-10-31 Thread carlopmart

On 10/31/2011 01:32 PM, Jeppe Toustrup wrote:

On Sun, Oct 30, 2011 at 22:59, carlopmart  wrote:

Many thanks Jeppe. I am reconfiguring this zone to use ip-type=shared
instead of exclusive. My zone config is:

...

But when I try to boot this new zone, console returns me this error:

"WARNING: skipping network interface 'e1000g1' which may not be
present/plumbed in the global zone."

Do I need to "ifconfig up" this physical interface before zone boots??


I don't think it necessarily needs to be up, but it needs to be
plumbed in the global zone. You can do this automatically by just
having an empty file located at /etc/hostname.e1000g1, as long as you
are not using NWAM to do the network configuration.



Ok, many thanks Jeppe. Now my zone is working ...

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Isolating networks for zones

2011-10-30 Thread carlopmart

On 10/30/2011 12:29 PM, Jeppe Toustrup wrote:

On Sun, Oct 30, 2011 at 09:27, carlopmart  wrote:

Thanks Jeppe. I haven't configured an etherstub. Current config is:

root@oihost:~# dladm show-vnic
LINK OVER SPEED  MACADDRESSMACADDRTYPE VID
dmzlan0  e1000g1  1000   2:8:20:dc:48:d9   random  0

and dladm show-phys:

root@oihost:~# dladm show-phys
LINK MEDIASTATE  SPEED  DUPLEXDEVICE
e1000g0  Ethernet up 1000   full  e1000g0
e1000g1  Ethernet up 1000   full  e1000g1
e1000g2  Ethernet unknown0  half  e1000g2

But one question: how can I associate a certain physical interface to an
etherstub?? Do I need to create a bridge with only one interface??


Right, that means your dmzlan0 vnic is basically connected to the same
network as e1000g1. If you only want to get traffic to the zone which
is meant for it, then you should not use a vnic, but instead set
"ip-type=shared" in the zone configuration and set the physical
interface to "e1000g1", then the zone will only get traffic intended
for it while being connected to the same network as e1000g1.

Alternatively, you can use an etherstub as previously mentioned. That
does however require you to set up routing of packages in the global
zone, in order for packages to get from the physical network to the
etherstub network. Packages will then basically go like this:

Physical network ->  Physical network interface (global zone) ->  VNIC
(active on global zone) ->  Etherstub ->  VNIC (belonging to zone).

--


Many thanks Jeppe. I am reconfiguring this zone to use ip-type=shared 
instead of exclusive. My zone config is:


zonename: dnssrvdmz
zonepath: /zones/dnssrvdmz
brand: ipkg
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed:
net:
address: 172.25.80.5
allowed-address not specified
physical: e1000g1
defrouter: 172.25.80.1

But when I try to boot this new zone, console returns me this error:

"WARNING: skipping network interface 'e1000g1' which may not be 
present/plumbed in the global zone."


Do I need to "ifconfig up" this physical interface before zone boots??

Thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com

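As an added example (not code from the thread), the following audit tells the VNIC-over-physical-NIC layout carlopmart posted apart from the etherstub layout Jeppe describes above, and prints the etherstub commands as a dry-run plan; the names dmzstub0, gzdmz0 and dnsvnic0 and the 192.0.2.0/29 etherstub subnet are assumptions, and nothing here touches the running system.

```shell
#!/bin/sh
# Added example, not from the list thread.  A VNIC created directly over a
# physical NIC shares that NIC's L2 segment, so an exclusive-IP zone on it can
# put the VNIC in promiscuous mode and see every frame the NIC receives (the
# snoop output in the original post).  The audit below flags such VNICs and
# emits the etherstub-based layout Jeppe described as a plan to review.

# Constructed sample tables shaped like the `dladm show-vnic` / `dladm show-phys`
# listings in the thread: dmzlan0 is the entry from the post, dnsvnic0 is an
# invented VNIC that already sits on an etherstub and must not be flagged.
SAMPLE_VNIC='LINK OVER SPEED MACADDRESS MACADDRTYPE VID
dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0
dnsvnic0 dmzstub0 40000 2:8:20:aa:bb:cc random 0'

SAMPLE_PHYS='LINK MEDIA STATE SPEED DUPLEX DEVICE
e1000g0 Ethernet up 1000 full e1000g0
e1000g1 Ethernet up 1000 full e1000g1
e1000g2 Ethernet unknown 0 half e1000g2'

# vnics_on_physical VNIC_TABLE PHYS_TABLE
# Prints "<vnic> <physical link>" for each VNIC whose OVER column names a
# physical NIC.  On a live host feed it "$(dladm show-vnic)" "$(dladm show-phys)".
vnics_on_physical() {
    {
        printf '%s\n' "$2"     # physical links first
        echo '---'
        printf '%s\n' "$1"     # then the VNIC table
    } | awk '
        BEGIN { section = 1 }
        /^---$/ { section = 2; next }
        $1 == "LINK" { next }                 # skip both header rows
        section == 1 { phys[$1] = 1; next }   # remember physical link names
        ($2 in phys) { print $1, $2 }         # VNIC rides directly on a NIC
    '
}

# isolation_plan ZONE PHYS_NIC STUB GZ_VNIC ZONE_VNIC GZ_ADDR_CIDR
# Emits (does not run) the commands for the topology from the thread:
#   physical NIC (global zone) -> routing -> etherstub -> VNIC (zone)
# The zone then only receives frames switched to its own VNIC, and the global
# zone decides, through forwarding plus a packet filter, what reaches it.
isolation_plan() {
    zone=$1 nic=$2 stub=$3 gzvnic=$4 zvnic=$5 gzaddr=$6
    cat <<EOF
# 1. virtual switch with no physical port, plus one VNIC per side
dladm create-etherstub $stub
dladm create-vnic -l $stub $gzvnic
dladm create-vnic -l $stub $zvnic
# 2. global-zone leg of the etherstub network (becomes the zone's default router)
ifconfig $gzvnic plumb $gzaddr up
# 3. forward between $nic and the etherstub; restrict with ipf rules (not shown)
routeadm -u -e ipv4-forwarding
# 4. hand the zone the etherstub-side VNIC instead of one over $nic
zonecfg -z $zone 'set ip-type=exclusive; add net; set physical=$zvnic; end'
EOF
}

# Run the audit on the constructed sample and print a plan for each finding.
vnics_on_physical "$SAMPLE_VNIC" "$SAMPLE_PHYS" | while read -r vnic nic; do
    echo "WARN: $vnic rides directly on physical $nic; a zone on it sees the whole segment"
    isolation_plan dnssrvdmz "$nic" dmzstub0 gzdmz0 dnsvnic0 192.0.2.1/29
done
```

The ip-type=shared route Jeppe also mentions avoids the etherstub and routing entirely, at the cost of the zone sharing the global zone's IP stack.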


Re: [OpenIndiana-discuss] Isolating networks for zones

2011-10-30 Thread carlopmart

On 10/30/2011 09:53 AM, carlopmart wrote:

On 10/30/2011 09:27 AM, carlopmart wrote:

On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:

On Sat, Oct 29, 2011 at 23:30, carlopmart wrote:

I have installed an oi zone under an oi_151a host to provide dns caching
services. All works ok now, except network isolation. Running snoop on the
non-global zone I can see all traffic of all networks where the global zone
connects. For example:


How is the vnic configured? (dladm show-vnic)

You might want to set the global zone up as a router which route
traffic from it's external interface to an etherstub (virtual switch)
which the vnic then is connected to. Then you shouldn't be able to
sniff network traffic from the external network on the zone.

--
Venlig hilsen / Kind regards
Jeppe Toustrup (aka. Tenzer)



Thanks Jeppe. I haven't configured an etherstub. Current config is:

root@oihost:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0

and dladm show-phys:

root@oihost:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
e1000g0 Ethernet up 1000 full e1000g0
e1000g1 Ethernet up 1000 full e1000g1
e1000g2 Ethernet unknown 0 half e1000g2

But one question: how can I associate a certain physical interface to an
etherstub?? Do I need to create a bridge with only one interface??

Thanks.



Oops, stupid question. Etherstub is used only when no physical nics will
be used. And I need to use a physical nic. But I don't understand why a
zone can see all traffic that crosses the global zone. Is it not possible to
restrict this traffic to only what comes/goes to the vnic??





I will try to explain something more. I need to build a complete public 
dmz infrastructure using oi zones (if I can). The OI host is on an internal 
network without Internet access. On this host I have three physical nics:


a) e1000g0 --- Internal network
b) e1000g1 --- First public DMZ
c) e1000g2 --- Second public DMZ

OI zones will be deployed over e1000g1 and e1000g2 only. Between all 
physical nics on the OI host there are two firewalls. The OI host can not be 
routable from the Internet.


Is it possible to accomplish this using zones or do I need to use a real 
virtualization hypervisor like vmware ESXi??


Thanks.



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Isolating networks for zones

2011-10-30 Thread carlopmart

On 10/30/2011 09:27 AM, carlopmart wrote:

On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:

On Sat, Oct 29, 2011 at 23:30, carlopmart wrote:

I have installed an oi zone under an oi_151a host to provide dns caching
services. All works ok now, except network isolation. Running snoop on the
non-global zone I can see all traffic of all networks where the global zone
connects. For example:


How is the vnic configured? (dladm show-vnic)

You might want to set the global zone up as a router which route
traffic from it's external interface to an etherstub (virtual switch)
which the vnic then is connected to. Then you shouldn't be able to
sniff network traffic from the external network on the zone.

--
Venlig hilsen / Kind regards
Jeppe Toustrup (aka. Tenzer)



Thanks Jeppe. I haven't configured an etherstub. Current config is:

root@oihost:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0

and dladm show-phys:

root@oihost:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
e1000g0 Ethernet up 1000 full e1000g0
e1000g1 Ethernet up 1000 full e1000g1
e1000g2 Ethernet unknown 0 half e1000g2

But one question: how can I associate a certain physical interface to an
etherstub?? Do I need to create a bridge with only one interface??

Thanks.



Oops, stupid question. Etherstub is used only when no physical nics will 
be used. And I need to use a physical nic. But I don't understand why a 
zone can see all traffic that crosses the global zone. Is it not possible to 
restrict this traffic to only what comes/goes to the vnic??




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Isolating networks for zones

2011-10-30 Thread carlopmart

On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:

On Sat, Oct 29, 2011 at 23:30, carlopmart  wrote:

  I have installed an oi zone under an oi_151a host to provide dns caching
services. All works ok now, except network isolation. Running snoop on the
non-global zone I can see all traffic of all networks where the global zone
connects. For example:


How is the vnic configured? (dladm show-vnic)

You might want to set the global zone up as a router which route
traffic from it's external interface to an etherstub (virtual switch)
which the vnic then is connected to. Then you shouldn't be able to
sniff network traffic from the external network on the zone.

--
Venlig hilsen / Kind regards
Jeppe Toustrup (aka. Tenzer)



Thanks Jeppe. I haven't configured an etherstub. Current config is:

root@oihost:~# dladm show-vnic
LINK OVER SPEED  MACADDRESSMACADDRTYPE VID
dmzlan0  e1000g1  1000   2:8:20:dc:48:d9   random  0

and dladm show-phys:

root@oihost:~# dladm show-phys
LINK MEDIASTATE  SPEED  DUPLEXDEVICE
e1000g0  Ethernet up 1000   full  e1000g0
e1000g1  Ethernet up 1000   full  e1000g1
e1000g2  Ethernet unknown0  half  e1000g2

But one question: how can I associate a certain physical interface to an 
etherstub?? Do I need to create a bridge with only one interface??


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Chrooting Bind9 under oi_151a

2011-10-29 Thread carlopmart

On 10/29/2011 01:13 AM, Marion Hakanson wrote:

carlopm...@gmail.com said:

   I am installing an oi_151a server to use as a bind9 caching name server. I
am searching for docs about how to do this under openindiana without luck.

   Please any site that explains how to do this??


Run it in a non-global zone.  If/when OI gets read-only sparse
zones like Solaris-10 has, it would be even more secure.

Here are some other references if you want to go farther than the above:

http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/83295dd027cc4b67
http://www.geekride.com/how-to-configure-chroot-jailed-dns-server-solaris-10/


Regards,

Marion
Thanks Marion. Finally, I have installed bind under a zone.

--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] Isolating networks for zones

2011-10-29 Thread carlopmart

Hi all,

 I have installed an oi zone under an oi_151a host to provide dns caching 
services. All works ok now, except network isolation. Running snoop on the 
non-global zone I can see all traffic of all networks where the global zone 
connects. For example:


root@oizone01:~# snoop -r
Using device dmzlan0 (promiscuous mode)
 172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855015487 Len=80 Win=64436 Options=
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855015567 
Seq=522318657 Len=0 Win=598 Options=

172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
10.0.0.0 -> 224.0.0.1IGMP v3 membership query
10.7.1.2 -> 172.25.50.10 DNS C 10.230.203.192.in-addr.arpa. 
Internet PTR ?

 172.25.80.5 -> 224.0.0.22   IGMP v3 membership report
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
 172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855015567 Len=560 Win=64436 Options=
 172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016127 Len=160 Win=64436 Options=
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016127 
Seq=522318657 Len=0 Win=644 Options=
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016287 
Seq=522318657 Len=0 Win=689 Options=

10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
 172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016287 Len=592 Win=64436 Options=
 172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016879 Len=208 Win=64436 Options=
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016879 
Seq=522318657 Len=0 Win=734 Options=
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855017087 
Seq=522318657 Len=0 Win=779 Options=

172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Push Ack=3561090956 
Seq=3412835876 Len=314 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561090956 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Push Ack=3412836190 
Seq=3561090956 Len=202 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561091158 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561092618 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561092618 
Seq=3412836190 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561094078 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561095538 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561096998 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561095538 
Seq=3412836190 Len=0 Win=64915
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561098458 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561099918 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561101378 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561095538 
Seq=3412836190 Len=0 Win=64915
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561098458 
Seq=3412836190 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561102838 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561104298 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561105758 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561099918 
Seq=3412836190 Len=0 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561102838 
Seq=3412836190 Len=0 Win=62615
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561107218 Len=1460 Win=65535


 The OI zone is on the 172.25.80.0/29 network. But why is this zone seeing 
traffic for networks like 10.7.1.0/30 or 172.25.50.0/27?? How can I 
deploy real network isolation for zones??


Zone config is:

root@oihost:~# zonecfg -z dnssrvdmz info
zonename: dnssrvdmz
zonepath: /zones/dnssrvdmz
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
address not specified
allowed-address not specified
physical: dmzlan0
defrouter not specified

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] Chrooting Bind9 under oi_151a

2011-10-28 Thread carlopmart

Hi all,

 I am installing an oi_151a server to use as a bind9 caching name 
server. I am searching for docs about how to do this under openindiana 
without luck.


 Please any site that explains how to do this??

 Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Configuring span ports on oi151

2011-10-24 Thread carlopmart

On 10/24/2011 07:08 PM, James Carlson wrote:

carlopmart wrote:

On 10/24/2011 06:13 PM, James Carlson wrote:

carlopmart wrote:

   Is it possible to configure a bridge (with n physical nics) with a span
port like for example FreeBSD does??


No, mirror port functionality does not exist.

If you intend to use snoop / tcpdump / wireshark on the span port, then
just use the existing monitoring facility.  A bridge created with dladm
will have an observability node, based on the bridge name.  If you
create a bridge named "foo", then you can snoop on "foo0" and see all of
the packets processed by the bridge.

If you're using the span port for some other purpose, then the feature
will probably have to be added to the code.  It's not present in the
current code because the observability node covered the known uses of
that sort of port without extra complications.



Thanks James. I need to sniff traffic on this bridge, but using it as a
port mirror or span port. For example, if I create a bridge with bge0,
bge1, and bge2, I need to "see" all traffic that crosses these interfaces,
not only, for example, bge0 ... That's the problem.


I'm a little confused, because that's exactly what the existing
observability mechanism is for.  If you use that existing node (named
after the bridge), you'll see all of the traffic processed by the
bridge, regardless of the port on which it was received.  It's a solved
problem.

You didn't say how you're sniffing traffic.  If you mean that you must
use an _external_ network monitoring device to do this, then the
existing built-in mechanism obviously won't be sufficient.  That'd be a
fair reason to add a port mode flag that disables the normal MAC
filtering, though it's a little unclear why an external device would be
required or desired.



Sorry James for not explaining properly. But yes, I need to use an 
external monitoring device. I use an external server with different 
IDS/IPS sensors to process certain types of traffic. For example: there is 
one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another 
Bro-IDS sensor to process ssl traffic. And another suricata sensor to 
process http traffic only. All these three sensors are installed in one 
server.


And it is a lab, not a production system ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Configuring span ports on oi151

2011-10-24 Thread carlopmart

On 10/24/2011 06:13 PM, James Carlson wrote:

carlopmart wrote:

  Is it possible to configure a bridge (with n physical nics) with a span
port like for example FreeBSD does??


No, mirror port functionality does not exist.

If you intend to use snoop / tcpdump / wireshark on the span port, then
just use the existing monitoring facility.  A bridge created with dladm
will have an observability node, based on the bridge name.  If you
create a bridge named "foo", then you can snoop on "foo0" and see all of
the packets processed by the bridge.

If you're using the span port for some other purpose, then the feature
will probably have to be added to the code.  It's not present in the
current code because the observability node covered the known uses of
that sort of port without extra complications.



Thanks James. I need to sniff traffic on this bridge, but using it as a 
port mirror or span port. For example, if I create a bridge with bge0, 
bge1, and bge2, I need to "see" all traffic that crosses these interfaces, 
not only, for example, bge0 ... That's the problem.




--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] Configuring span ports on oi151

2011-10-24 Thread carlopmart

Hi all,

 Is it possible to configure a bridge (with n physical nics) with a 
span port like for example FreeBSD does??


 For example, under FreeBSD, executing this command:

 "ifconfig bridge0 addm em1 addm em2 addm em3 addm em4 span em7 up", 
result is:


bridge0: flags=8843 metric 0 mtu 1500

ether 02:a7:16:07:6b:00
nd6 options=29
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: em4 flags=143
ifmaxaddr 0 port 5 priority 128 path cost 2
member: em3 flags=143
ifmaxaddr 0 port 4 priority 128 path cost 2
member: em2 flags=143
ifmaxaddr 0 port 3 priority 128 path cost 2
member: em1 flags=143
ifmaxaddr 0 port 2 priority 128 path cost 2
member: em7 flags=8
ifmaxaddr 0 port 8 priority 128 path cost 2

In this example interface em7 acts as a port mirror or span port ... Is it 
possible to accomplish this with oi151??


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Possible bug with zones using OpenIndiana oi_151

2011-09-08 Thread carlopmart

On 09/08/2011 12:24 AM, Gary wrote:

CL Martinez wrote:



Yes, I know that they are development branches ... but there is no
stable release yet, correct??



Build 148 is the current stable release.



Then, openindiana is not usable??



I didn't mean to imply that and I apologize if my previous short reply may
have suggested as much. But 151 has not been released to the general public.
If you downloaded it, you probably found the link through the developer list
and should have read the README file in the top level directory near the ISO
-- the one that strongly suggests that this is an unstable build and should
only be used accordingly.



I think it is an important bug, if confirmed, in the zones code 



Possibly. Please contact the dev team via IRC or the aforementioned dev
list. Some of them participate on this list but it's more appropriate to ask
over there until 151 has shipped.

kind regards,
Gary


Thanks Gary.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] Possible bug with zones using OpenIndiana oi_151

2011-09-07 Thread carlopmart

On 09/07/2011 11:59 PM, Gary wrote:

you're aware that 151 and 151a are development branches...?


Yes, I know that they are development branches ... but there is no 
stable release yet, correct?? Then, openindiana is not usable??


I think it is an important bug, if confirmed, in the zones code 

--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] Possible bug with zones using OpenIndiana oi_151

2011-09-07 Thread carlopmart

Hi all,

 As explained in these threads:


http://mail.opensolaris.org/pipermail/zones-discuss/2011-September/006799.html
http://mail.opensolaris.org/pipermail/zones-discuss/2011-September/006803.html

 Can somebody confirm that maybe there is a bug using exclusive as the ip-type 
option under OpenIndiana oi_151's zones??


 Well, this host is not exactly an oi_151, I have run pkg image_update 
today.


root@oitst01:/etc/zones# uname -a
SunOS oitst01 5.11 oi_151a i86pc i386 i86pc Solaris

root@oitst01:/etc# cat release
 OpenIndiana Development oi_151 X86 (powered by illumos)
Copyright 2011 Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
   Assembled 28 April 2011
--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] Using different repositories for OpenIndiana zones

2011-09-07 Thread carlopmart

Hi all,

 Is it possible to use different package repositories in several 
OpenIndiana zones??


 For example:

 a) Global zone: http://pkg.openindiana.org/release (when stable openindiana 
is released)


 b) ZoneA: http://pkg.openindiana.org/release
 c) ZoneB: http://pkg.openindiana.org/dev

 Is it safe to mix different repositories in openIndiana zones??

 Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: [OpenIndiana-discuss] How to remove all X11 packages under oi_151

2011-09-06 Thread carlopmart

On 09/05/2011 07:19 PM, carlopmart wrote:

Hi all,

I have installed a virtual Openindiana oi_151 machine under ESXi5. I
will use this virtual machine as a mysql and squid server and I would
like to remove all X11 packages and their dependencies. How can I do this??

Thanks.


Nothing?? Is it not possible to do this??

--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] How to remove all X11 packages under oi_151

2011-09-05 Thread carlopmart

Hi all,

 I have installed a virtual Openindiana oi_151 machine under ESXi5. I 
will use this virtual machine as a mysql and squid server and I would 
like to remove all X11 packages and their dependencies. How can I do this??


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



[OpenIndiana-discuss] OI as an iSCSI target for ESXi hosts

2011-02-04 Thread carlopmart

Hi all,

 Has anyone tried to install oi 148 as an iSCSI target for ESXi hosts?? Is it ok or 
not?? Any hints??


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
