IPv6/4 classification for Crossbow
The networking virtualization project Crossbow provides users with L3/L4 flow classification capabilities. Users can keep their traffic isolated from
clients' data traffic and voice traffic. Isolation of services is very important
for virtualization when there are no separate instances of the OS (execution environments).
As part of Crossbow's virtualization and resource management work, I have been working on IPv6 and IPv4 virtualization with Crossbow: IPv6 packets should be classified separately from IPv4 packets according to a flowadm-defined policy.
Thus the new Crossbow bits allow the following attributes, along with transport+port:
* transport - icmpv6
* local_ip[/prefix_len] - Local IPv4/IPv6 address
* remote_ip[/prefix_len] - Remote IPv4/IPv6 address
* ip_version - 4 or 6
This set can classify flows based on IP address/netmask and on transport+port, as well as on combinations: local_ip, remote_ip, local_ip+remote_ip+transport,
local_ip+remote_ip+transport+local_port+remote_port. These policies are also direction sensitive.
Further, multiple-attribute support for flows also involves "position-aware placement of flows in the flow table, such that more specific flows are placed ahead
of less specific flows, irrespective of the order in which they were added".
Varying combinations of different sets of attributes should work,
as should flows based on a single attribute, i.e.
#flowadm add-flow -a ip_version=4 IP4 -l bge0 -b
Uses of such functionality are:
----------------------------------
TCP traffic or UDP traffic between two subnets/networks can be prioritized or classified separately from each other.
Privileged nodes can have separate flow policies for their host addresses, along with traffic type (TCP/UDP/etc.) and port; peer-to-peer networks may benefit.
Traffic (say TCP/UDP) from a remote network to a particular VM instance or virtualized exclusive-IP zone can be classified and bandwidth-controlled separately from generic traffic policies.
A set of IP addresses can be specified to classify and prioritize, say, forwarding traffic.
example
--------
bash-3.2# flowadm add-flow -a local_ip=fe80::20a:e4ff:fe26:6eca,remote_ip=fe80::/10,transport=TCP ip3 -l bge0
# flowadm add-flow -a local_ip=1.1.1.1,remote_ip=2.2.2.2,transport=TCP,local_port=8080,remote_port=4040 tcp3 -l e1000g0
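As an added example (not Crossbow code), the toy flow table below models the ordering rule described above: flows are re-sorted by specificity on every add-flow, so the three flows from the commands on this page classify packets the same way whichever order they were added in. The attribute names and values are taken from those commands; scoring "most specific" as (number of attributes, then total prefix length) is my assumption.

```python
import ipaddress

ADDR_ATTRS = ("local_ip", "remote_ip")
OTHER_ATTRS = ("ip_version", "transport", "local_port", "remote_port")

class Flow:
    """One flowadm-style policy. Address attributes are stored as networks (a bare address is /32 or /128)."""
    def __init__(self, name, **attrs):
        self.name, self.attrs = name, {}
        for key, value in attrs.items():
            if key not in ADDR_ATTRS + OTHER_ATTRS:
                raise ValueError(f"unknown flow attribute {key}")
            self.attrs[key] = ipaddress.ip_network(value, strict=False) if key in ADDR_ATTRS else value

    def specificity(self):
        """Sort key (assumed metric): more constrained attributes first, then longer address prefixes."""
        prefix_bits = sum(net.prefixlen for key, net in self.attrs.items() if key in ADDR_ATTRS)
        return (len(self.attrs), prefix_bits)

    def matches(self, pkt):
        """pkt: dict with local_ip and remote_ip strings plus transport, local_port, remote_port."""
        for key, want in self.attrs.items():
            if key in ADDR_ATTRS:
                if ipaddress.ip_address(pkt[key]) not in want:   # an IPv4/IPv6 mismatch also fails
                    return False
            elif key == "ip_version":
                if ipaddress.ip_address(pkt["local_ip"]).version != want:
                    return False
            elif pkt.get(key) != want:
                return False
        return True

class FlowTable:
    def __init__(self):
        self.flows = []
    def add_flow(self, flow):
        """Insert, then re-sort so the most specific flow is always consulted first."""
        self.flows.append(flow)
        self.flows.sort(key=Flow.specificity, reverse=True)

    def classify(self, pkt):
        """Name of the first (most specific) matching flow, or None if no policy applies."""
        return next((f.name for f in self.flows if f.matches(pkt)), None)

def build_table():
    """The page's three flows, deliberately added least-specific-first to show the reordering."""
    table = FlowTable()
    table.add_flow(Flow("IP4", ip_version=4))
    table.add_flow(Flow("ip3", local_ip="fe80::20a:e4ff:fe26:6eca", remote_ip="fe80::/10", transport="TCP"))
    table.add_flow(Flow("tcp3", local_ip="1.1.1.1", remote_ip="2.2.2.2", transport="TCP",
                        local_port=8080, remote_port=4040))
    return table
```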
Posted at 12:42PM May 28, 2008 by ddeepti in General
Live upgrade with Solaris
1)
During the initial install, create an alternate partition, or else leave enough disk space for
an alternate partition (boot environment).
I created 2 partitions: one for the initial install and a second for the secondary boot environment.
2)
I had
/dev/dsk/c1t0d0s0 mounted as /
and
/dev/dsk/c1t0d0s4 mounted as /second_root
slices.
df -hk output will show the available slices and also the mountpoints.
3)
#umount /second_root
Comment out the corresponding entry in /etc/vfstab.
4)
Now execute the command:
lucreate -c "snv_87" -m /:/dev/dsk/c1t0d0s4:ufs -n "snv_87_2"
5)
I did the LU upgrade from an install CD.
Now execute the command:
luupgrade -u -n snv_87_2 -s /cdrom/sol_x11_86
6)
Remove the DVD.
7)
#init 6
8)
After rebooting into either partition you will see:
# lustatus
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
snv_87                     yes      no     no        yes    -
snv_87_2                   yes      yes    yes       no     -
9)
You can lumount the other partition:
#lumount snv_87
/.alt.snv_87
10)
You can cd to /.alt.snv_87, change contents and/or bfu into this alternate bootable
partition, such as:
# bfu /.../nightly /.alt.snv_87
#acr
#reboot
Posted at 05:05PM May 06, 2008 by ddeepti in General
Project Crossbow: Networking Virtualization and Resource Partitioning
Crossbow is a networking virtualization technology being developed in the Solaris networking group.
Crossbow's virtualization limits itself to the bare minimum of kernel resources while providing strict isolation between network applications, giving a zone an exclusive IP stack instance and exclusive access to a single VNIC (carved out of a physical NIC).
This ensures that no single traffic stream on one virtual machine can monopolize the entire NIC; it is limited to its VNIC.
Further, using L2, L3 and L4 flow classification capabilities, users can keep their important traffic, such as billing and accounting, isolated from clients' data traffic and voice traffic. Isolation of services is very important for virtualization
when there are no separate instances of the OS (execution environments).
Crossbow's light-weight virtualization surpasses many virtualization innovations.
In July 2007, our project Crossbow won the 2007 Chairman's Award for Innovation!
We recently renamed it "Networking Virtualization and Resource Partitioning".
later,
Posted at 12:03AM Dec 02, 2007 by ddeepti in General
JavaOne 2007
JavaOne is an annual conference by Sun Microsystems, sponsored in collaboration with the various OEMs and ISVs who develop and promote Java-based products. Since 1996 it had been primarily a Java developers' conference. But this time, with Java being open-sourced, there was a new buzz in the air: Open community, Open possibilities...
Sun exhibited various innovative products. Project Blackbox, the StorageTek storage device, ZFS, Xen and DTrace made an appearance. Sun SPOTs and Virtual Workspace were amazing innovations from Sun Labs. The Java submarine, robots and car racer were awesome projects.
Big names like Oracle, BEA, IBM, Google, Motorola and Nokia showcased endless strategic possibilities with Java.
Project Crossbow was, to everybody's delight, a grand treat for many application developers.
Networking application isolation through zones/containers, with the ability to keep it isolated through IP instances all the way to virtual NICs, with further packet flow classification at the granularity of L2, L3 and L4 (all the way to L5) to keep the traffic isolated with the right bandwidths and priorities, was something many business app developers were amazed about.
Exclusive IP instances, classifying packets into different tiers to be able to assign network bandwidths and priorities, and the ability to assign a processor pool through a container set or the dladm CLI looked handy for many networked gaming app developers.
As Crossbow takes a simple approach to a complex virtualization problem, it appeared promising to them for application-space virtualization, and we found many opportunities for Crossbow in the application space.
The ability to do this virtualization and isolation for any type of application, say C++, Java, PHP, Python, Perl, etc., was found very interesting by a couple of non-Java/C++ developers who are recently moving to a Java code base.
3 days of fun, filled with technical people, sessions, exhibitions, talks, ice cream bars, cappuccinos, late sandwich lunches, early morning wake-ups, BARTs, Caltrains and lots and lots of just hard work! We enjoyed every bit of it and nonetheless, we did a great job!!!
-later,
Posted at 01:35PM Jun 28, 2007 by ddeepti in General
Solaris 10 Update 4 is v6Ready certified!
v6Ready is a certification program that certifies an IPv6 protocol implementation for its compliance with the IPv6 standard.
This v6 certification could give us opportunities to reach out to those businesses and companies who care about and value such certification and who need a compliant Unix OS and compliant stack with commercial support.
later,
Posted at 08:37PM May 12, 2007 by ddeepti in General
WPA/802.1x/EAP
WPA = 'WiFi Protected Access', an acronym developed by the WiFi
committee. It implies wireless access protected with
advanced wireless security features.
802.1x = IEEE standard which defines a port-based access control
mechanism.
EAP = Extensible Authentication Protocol. It is a framework
used in wired as well as wireless infrastructure that
uses an authentication server, say RADIUS, to
authenticate users.
Lately, I have found the terms EAP, 802.1x and WPA being used interchangeably in supposedly "technical" magazines, and
I think that is not right.
802.1x is an IEEE standard that defines port-based access control. It proposes EAP as one of the authentication methods, as a method of advanced authentication using TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), PEAP, LEAP, etc. authentication protocols.
WPA is not necessarily EAP: a pre-shared key (modelled after the classic 10-hex-digit WEP key) can also be the protection mechanism, and thus infrastructures without an EAP-like authentication mechanism can still be termed "with WPA".
802.1x does not necessarily have to be with EAP; it can be with, say, PPP as well.
Port-based access control using EAP as per the 802.1x standard means:
An access control device (sitting on the edge of the ISP network servicing the subscriber/end-user), the Authenticator, blocks
L3 connectivity for a particular L2 address until its authenticity, based on UserID+password, UserID+client certificate, etc., is verified using an Authentication Server.
A Host+AP+RADIUS server combo would work as below:
EAP messages (Access-Request, Access-Challenge) are encapsulated as L2 payloads (without L3/L4 headers) between the Authenticator (say, an Access Point) and the Supplicant (host, laptop).
The responses are relayed as EAP messages with regular networking headers (UDP/IP packets carrying, say, RADIUS headers with EAP Access-Requests) to the Authentication Server (say, RADIUS) of the ISP infrastructure.
Responses from the RADIUS/Authentication Server (say, Access-Accept) to the AP/Authenticator are relayed again as EAP messages in L2 payloads from the AP/Authenticator to the Host/Supplicant.
Supplicant <---EAP-L2---> Authenticator <---EAP-Radius-UDP-IP-L2------> Authentication Server
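As an added illustration (not Solaris or Sun code), the Python below builds one EAP Response/Identity and shows the two encapsulations in the figure above: EAPOL directly in an Ethernet payload on the supplicant link, and a RADIUS EAP-Message attribute inside an Access-Request towards the authentication server. The MAC address and user name used are constructed sample values.

```python
import os, struct

ETHERTYPE_EAPOL, PAE_GROUP_MAC = 0x888E, bytes.fromhex("0180c2000003")  # 802.1X EtherType, PAE group MAC
EAPOL_EAP_PACKET = 0                          # EAPOL packet type that carries an EAP packet
EAP_RESPONSE, EAP_IDENTITY = 2, 1             # RFC 3748 code / type
RADIUS_ACCESS_REQUEST, RADIUS_USER_NAME, RADIUS_EAP_MESSAGE = 1, 1, 79   # RFC 2865 code / attrs, RFC 3579

def eap_packet(code, ident, eap_type, data):
    """Build an EAP packet: Code | Identifier | Length (incl. header) | Type | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def eapol_frame(src_mac, eap):
    """Supplicant -> Authenticator: EAP carried directly in an Ethernet payload, no IP/UDP headers."""
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap   # version 1, type, body length
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def eap_from_eapol(frame):
    """Authenticator side: check EtherType and EAPOL type, strip both headers, return the EAP packet."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL or ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL frame carrying an EAP packet")
    return frame[18:18 + body_len]

def radius_access_request(ident, eap, user_name):
    """Authenticator -> RADIUS server: the same EAP bytes wrapped as an EAP-Message attribute in an
    Access-Request that rides in UDP/IP. EAP packets over 253 bytes need several EAP-Message attributes,
    and RFC 3579 requires a Message-Authenticator HMAC on such requests; both are omitted for brevity."""
    attrs = struct.pack("!BB", RADIUS_USER_NAME, 2 + len(user_name)) + user_name
    attrs += struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(eap)) + eap
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs            # 16-byte random Request Authenticator

def eap_from_radius(pkt):
    """Authentication-server side: walk the attributes and reassemble any EAP-Message values."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    pos, eap = 20, b""
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return code, eap

def relay_identity(user_name, supplicant_mac):
    """Carry one EAP Response/Identity along the chain in the figure above; return what each hop sees."""
    eap = eap_packet(EAP_RESPONSE, 1, EAP_IDENTITY, user_name)
    at_authenticator = eap_from_eapol(eapol_frame(supplicant_mac, eap))
    code, at_server = eap_from_radius(radius_access_request(1, at_authenticator, user_name))
    return eap, at_authenticator, code, at_server
```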
Posted at 02:43PM May 09, 2007 by ddeepti in General
s/getrlimit
getrlimit and setrlimit are the system calls that application processes
can use to get and set resource limits.
Useful resources such as STACK_LIMIT and CPU time in msecs can be tweaked.
These are powerful syscalls and should be used in the given process context.
POSIX also allows similar tweaking of application thread stack
sizes using pthread_attr_getstacksize/setstacksize. Care should be taken when using these.
The default values are usually good enough for most cases.
Also,
Solaris provides RLIMIT_AS and RLIMIT_VMEM to allow process address space
manipulation.
later,
Posted at 07:10PM Dec 04, 2006 by ddeepti in General
Our Blackbox/Mobile datacenter
Sun’s Project Blackbox is the world's first virtualized datacenter. Available in 2007, the 5-patent-pending Project Blackbox will be 1/100th the initial cost, 1/5 the cost per sq. ft., 3x the computing power for equivalent space, 20% more efficient cooling/power, and 10x faster to turn on than a traditional 10,000 sq. ft. datacenter. Just amazing!!!
While it is cooled with water pipes, I picture it being solar powered some day.
later,
Posted at 08:45PM Oct 17, 2006 by ddeepti in General
Mounting USB Thumb Drive on Solaris NV: HowTo
I used vold to mount a flash device on Solaris Nevada.
I had a Lexar JumpDrive.
I learnt this method by trial and error, so I do not claim it is flawless.
You may use it at your own risk.
In order to make vold detect the USB flash device it is necessary
to obtain the correct controller id and target and fill in c*s2
for the 'use rmdisk' line in the vold.conf file, i.e.
use rmdisk drive /dev/rdsk/c3t0*s2 dev_rmdisk.so rmdisk%d
in the /etc/vold.conf file.
If vold is not using this file, restart the daemon with the -f /etc/vold.conf option and check that it is running:
bash-3.00# ps -ef | grep vold
root 479 1 0 11:19:35 ? 0:03 /usr/sbin/vold -f /etc/vold.conf
Insert the flash device and check that it is found by vold:
bash-3.00# volcheck -v
media was found
Check the device linkage:
bash-3.00# eject -n
[...]
/dev/sr0 -> cdrom0
/dev/rsr0 -> cdrom0
rmdisk0 -> /vol/dev/rdsk/c3t0d0/noname
cdrom0 -> /vol/dev/rdsk/c1t0d0/nomedia
Verify the storage device size:
bash-3.00# iostat -En
[...]
Vendor: LEXAR Product: JUMPDRIVE SPORT Revision: 3000 Serial No:
Size: 0.52GB <519569408 bytes>
Media Error: 0 Device Not Ready: 0 No Device: 0 Recoverable: 0
Illegal Request: 5 Predictive Failure Analysis: 0
Find out the volume management node, logical node, etc.:
bash-3.00# rmformat -l
Looking for devices...
[...]
2. Volmgt Node: /vol/dev/aliases/rmdisk0
Logical Node: /dev/rdsk/c3t0d0p0
Physical Node: /pci@0,0/pci1025,7e@13,2/storage@7/disk@0,0
Connected Device: LEXAR JUMPDRIVE SPORT 3000
Device Type: Removable
Bus: USB
Size: 495.5 MB
Label:
Access permissions: Medium is not write protected.
Mount the device (the name was found in an earlier step) using volrmmount:
bash-3.00# volrmmount -i rmdisk0
Find out the location where the device is mounted:
bash-3.00# df -kl
Filesystem kbytes used avail capacity Mounted on
/vol/dev/dsk/c3t0d0/noname:c
507104 1208 505896 1% /rmdisk/noname
Copy files to the flash device mounted at the location found above:
bash-3.00# cp ./some-file /rmdisk/noname
Unmount the device:
bash-3.00# volrmmount -e rmdisk0
Remove the media and check that it has been removed from the kernel state as well:
bash-3.00# volcheck -v
no media was found
Posted at 01:28PM Jun 29, 2006 by ddeepti in General