Erik Nordmark writes:
> Jeff Victor wrote:
> > Here's one reason: consistency. All users in the GZ can see some
> > information about non-global zones (e.g. "ps"). Privileged GZ users can
> > see all info about non-global zones, and need to do so in order to
> > manage them.
>
> But the exclusive-IP behavior is quite different from the shared-IP
> behavior; it offers complete IP isolation between different zones/IP
> instances.
I don't think that argument works on two counts. First, exclusive-IP behavior does not offer complete IP isolation, because you can't (for instance) install your own copy of Firewall-1 or Cisco VPN into a non-global exclusive-IP zone. Some things do still require global zone administration. Second, "ps" shows processes that the user in the global zone cannot 'administer' by way of kill(2), so they are at least as isolated as IP instances, but they're still of interest to global zone administrators who want a global view of the system.

All that said, I think making ifconfig list the interfaces present in exclusive-IP zones, given the design of ifconfig, would be prohibitively difficult. It'd have no access to the DLPI nodes, which is where it gets some of its information, and the ioctls it uses for tunnels and the like won't work well if the zones have independent control of the interfaces. (It'd work "for now," but I think it'd end up representing more confusion with Clearview, as there'd be no easy way to coordinate interface names across multiple zones, so ifta_lifr_name would be ambiguous.)

-- 
James Carlson, KISS Network <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org