Edward Pilatowicz's Weblog: Ramblings of an OpenSolaris kernel developer
Wednesday March 14, 2007
Tech Days in Kuala Lumpur

Last week I presented a talk at the Sun Tech Days Conference in Kuala Lumpur, Malaysia about most of the virtualization work going on in OpenSolaris. I covered a lot of information about technologies like Zones, BrandZ, Xen, and Crossbow. The attendance was great (over a hundred people), and after a full day of OpenSolaris presentations we also had a BoF where we sat around for almost 2 hours discussing different aspects of OpenSolaris. Since then I've gotten a couple of requests for the slides from my presentation, so now you can get them here.

Posted by edp (Mar 14 2007, 02:23:53 PM PDT) Permalink

Using branded zones on a laptop

I'm figuring that now that we've released BrandZ there are going to be people out there who want to install Linux branded zones and run applications that might not be available for x86 Solaris (say acroread). If you have a machine with a static network configuration then this will be pretty easy: create a Linux zone with a static IP, log into it, and run your application. But if you're like me and want to be able to do this on your laptop, where the network environment may be changing, it takes a bit more work. So now I'll document my current laptop configuration, which I've set up to allow me to easily run applications in multiple branded and non-branded zones in a changing network environment.

To support running multiple zones I had to create a local subnet on my laptop. (I randomly chose 10.11.12.0/29; you could choose a different network. Also, I used the iprb network interface on my laptop; if you have a different network interface then substitute its name in place of iprb in the commands below.)
Here's what I did in the global zone to set this up:

- added an entry to /etc/netmasks:

    10.11.12.0 255.255.255.248

- added entries to /etc/hosts:

    10.11.12.0 lnetwork
    10.11.12.1 lrouter
    10.11.12.2 lhost
    10.11.12.3 lzone1
    10.11.12.4 lzone2
    10.11.12.5 lzone3
    10.11.12.6 lzone4
    10.11.12.7 lbroadcast

- created /etc/hostname.iprb0 with the following content:

    addif lhost

- rebooted [1]

Now whenever my system boots up I have a virtual interface (iprb0:1) plumbed up on a local subnet. iprb0 itself is still free, so all my scripts which set up DHCP on that interface will continue to work.

Next I created a branded CentOS Linux zone with a network interface on this new local network:

    # cat > /tmp/zonecfg.txt <<-EOF
    create -B lx
    set autoboot=true
    set zonepath=/export/zones/lzone1
    add net
    set physical=iprb0
    set address=lzone1/29
    end
    commit
    exit
    EOF
    # zonecfg -z lzone1 -f /tmp/zonecfg.txt
    # zoneadm -z lzone1 install -d <path to install archives>
    # zoneadm -z lzone1 boot

After booting the zone, I can see that I have another virtual interface plumbed on my machine (iprb0:2) that is allocated to the new zone. At this point the only way to log into the zone is via zlogin. The reason for this is that zonecfg simply allocated networking resources to the zone; the Linux processes in the zone are not yet aware of (or configured to use) those resources. So now we'll log into the Linux zone and configure the network:

    # zlogin lzone1
    [Connected to zone 'lzone1' pts/4]
    ...
    -bash-2.05b# cat > /etc/sysconfig/network <<-EOF
    NETWORKING=yes
    HOSTNAME=lzone1
    GATEWAY=10.11.12.1
    EOF
    -bash-2.05b# exit
    ...
    # zoneadm -z lzone1 reboot

Once the zone finishes rebooting, networking should be enabled within the zone and I should be able to log into it via ssh:

    edp@squee% ssh root@lzone1
    The authenticity of host 'lzone1 (10.11.12.3)' can't be established.
    RSA key fingerprint is be:49:a8:09:8c:19:18:cc:f2:1c:e3:84:c7:76:d7:5d.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'lzone1,10.11.12.3' (RSA) to the list of known hosts.
    root@lzone1's password: <the default password is "root">
    Last login: Tue Nov 29 16:52:22 2005 from 10.11.12.2
    Welcome to your shiny new Linux zone.
    ...
    -bash-2.05b#

Sweet! (Since the zone ships with a well-known root password, run passwd on that first login and change it before doing anything else with the zone.) Now since ssh supports X forwarding (ssh -X, or ForwardX11 in your ssh_config), I can simply run X applications like xterm, acroread, RealPlayer, or glquake without having to do any xauth/xhost/DISPLAY magic. Of course, after doing all this you might want to create yourself a local user account in the Linux zone and loopback mount your home directory from the global zone so you can easily read all those .pdf documents.

Well this is all fine and whizzy (and it lets me conveniently run Linux apps and do BrandZ development on my laptop), but then what happens when you hook your laptop up to a real network and discover that you want to be able to access it from within the Linux zone? Well, since the private little network we created isn't routed, you can't do this. But hey, Solaris has ipfilter and ipnat, so with a little help from an old blog entry by Mike Ditto we can get this working. Basically, we'll set up ipnat to do forwarding for the new local subnet we created. Here's what I did in the global zone:

- uncommented (or created) the following entry in /etc/ipf/pfil.ap:

    iprb -1 0 pfil

- added the following entry to /etc/ipf/ipnat.conf:

    map iprb0 10.11.12.0/29 -> 0

- enabled ipfilter by running the following command:

    svcadm enable ipfilter

- rebooted [1]

(A map rule only rewrites the source address of connections the zones initiate, so this gives them a way out to the real network without making them reachable from it; inbound access would need separate rdr rules.)

Then whenever I connect my laptop to a network I run the following additional commands in a shell script:
    #!/bin/sh
    # get the ip address of our fake private subnet router from /etc/hosts
    lrouter=`getent hosts lrouter | nawk '{print $1}'`
    # get the ip address of the real network router (the default route that
    # does not already point at our fake router)
    router=`netstat -rn | grep default | grep -v " $lrouter " | nawk '{print $2}'`
    # send some data to the real network router so we look up its arp address
    ping -sn "$router" 1 1 >/dev/null
    # record the arp address of the real router
    router_arp=`arp "$router" | nawk '{print $4}'`
    # delete any existing arp entry for our fake private subnet router
    arp -d "$lrouter" >/dev/null
    # assign the real router's arp address to our fake private subnet router,
    # so packets sent to lrouter go out iprb0 to the real router
    arp -s "$lrouter" "$router_arp"
    # route our private subnet through our fake private subnet router
    route add default lrouter
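The connect script above, rewritten as an added example (it is not the post's script): the netstat and arp lookups are split into functions that validate what they parse, so a missing default route or an unresolved ARP entry stops the script instead of feeding an empty string to arp -s. The netstat -rn and arp output formats are assumed to be the Solaris ones, the sample output embedded below is constructed rather than captured, and awk stands in for nawk so the parsers can be checked on a non-Solaris box.

```shell
#!/bin/sh
# Added example, not the script from the post: the same arp/route trick with
# each lookup checked before the next step runs. Assumes Solaris "netstat -rn"
# and arp(1M) output formats; uses awk rather than nawk.

# Constructed sample "netstat -rn" output (not captured from a real machine),
# with the fake router's default route already installed by a previous run.
SAMPLE_NETSTAT="Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              10.11.12.1           UG       1      0
default              192.168.1.1          UG       1     12 iprb0
10.11.12.0           10.11.12.2           U        1      0 iprb0:1
127.0.0.1            127.0.0.1            UH       1      3 lo0"

# Constructed sample "arp <host>" output.
SAMPLE_ARP="gw (192.168.1.1) at 0:13:72:a1:b2:c3"

# real_router LROUTER_IP NETSTAT_OUTPUT
# Print the gateway of the first default route that does not point at our fake
# router; fail (status 1, no output) if there is none.
real_router() {
    gw=$(printf '%s\n' "$2" |
        awk -v lr="$1" '$1 == "default" && $2 != lr { print $2; exit }')
    [ -n "$gw" ] && printf '%s\n' "$gw"
}

# arp_mac ARP_OUTPUT
# Extract the hardware address from "host (ip) at xx:xx:xx:xx:xx:xx"; fail if
# the entry is unresolved ("at (incomplete)") or does not look like a MAC.
arp_mac() {
    mac=$(printf '%s\n' "$1" | awk '$3 == "at" { print $4; exit }')
    printf '%s\n' "$mac" |
        grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$' && printf '%s\n' "$mac"
}

# The live procedure: every lookup is verified before it is used.
connect_zones() {
    lrouter=$(getent hosts lrouter | awk '{ print $1; exit }')
    [ -n "$lrouter" ] ||
        { echo "connect_zones: no lrouter entry in /etc/hosts" >&2; return 1; }

    router=$(real_router "$lrouter" "$(netstat -rn)") ||
        { echo "connect_zones: no default route other than $lrouter; is the interface up?" >&2; return 1; }

    # Populate the arp cache for the real router. A router may simply not
    # answer ping, so this is not treated as an error; the arp lookup is.
    ping -sn "$router" 1 1 >/dev/null 2>&1

    router_mac=$(arp_mac "$(arp "$router")") ||
        { echo "connect_zones: no resolved MAC for $router" >&2; return 1; }

    # Point the fake router at the real router's MAC, replacing any stale entry.
    arp -d "$lrouter" >/dev/null 2>&1
    arp -s "$lrouter" "$router_mac" || return 1

    # Install (or refresh) the default route via the fake router.
    route delete default "$lrouter" >/dev/null 2>&1
    route add default "$lrouter"
}

# Only touch the live system when asked; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then
    connect_zones
fi
```

Run it as `sh connect-zones.sh --run` after plugging in; without `--run` the file only defines the functions, which is what lets the two parsers be exercised against the constructed samples.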
Now all the local zones on my laptop can access whatever network I'm connected to via my iprb interface.

--
Footnotes:

1 - It is possible to enable all the configuration listed above without rebooting the system. It involves re-arranging the configuration steps above and adding a few more steps. I included reboots since they simplified the documentation of the configuration process.

Posted by edp (Dec 14 2005, 12:01:39 PM PST) Permalink Comments [4]
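The subnet, /etc/netmasks, /etc/hosts and zonecfg steps from this post, generalized in an added example (this is my script, not the post's own code or a Solaris tool): it computes the mask, network and broadcast for any small prefix, checks that the prefix has room for the requested number of zones, and emits the same fragments the post writes by hand. The lrouter/lhost/lzoneN naming, the lx brand and the interface and zonepath arguments follow the post; everything else is derived.

```shell
#!/bin/sh
# Added example, not from the original post: derive a small private subnet's
# parameters (the post uses 10.11.12.0/29) and print the /etc/netmasks,
# /etc/hosts and zonecfg fragments for N branded zones on it. Pure POSIX sh.

# ip_to_int 10.11.12.0 -> 168496128
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 168496128 -> 10.11.12.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 29 -> 255.255.255.248
prefix_to_mask() {
    int_to_ip $(( 4294967296 - (1 << (32 - $1)) ))
}

# subnet_info A.B.C.D/N -> "network netmask broadcast first_host last_host usable"
# Prefixes longer than /30 leave no room for network, router, host and broadcast.
subnet_info() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
        echo "subnet_info: prefix /$prefix leaves no usable host addresses" >&2
        return 1
    fi
    size=$(( 1 << (32 - prefix) ))
    net=$(( $(ip_to_int "$addr") & (4294967296 - size) ))
    bcast=$(( net + size - 1 ))
    echo "$(int_to_ip $net) $(prefix_to_mask "$prefix") $(int_to_ip $bcast)" \
         "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( bcast - 1 ))) $(( size - 2 ))"
}

# gen_netmasks A.B.C.D/N -> the /etc/netmasks line
gen_netmasks() {
    info=$(subnet_info "$1") || return 1
    set -- $info
    echo "$1 $2"
}

# gen_hosts A.B.C.D/N NZONES -> /etc/hosts lines in the post's layout:
# lnetwork, lrouter, lhost, lzone1..lzoneN, lbroadcast
gen_hosts() {
    cidr=$1
    nzones=$2
    info=$(subnet_info "$cidr") || return 1
    set -- $info
    # lrouter and lhost take the first two host addresses; zones get the rest
    if [ "$nzones" -gt $(( $6 - 2 )) ]; then
        echo "gen_hosts: $cidr has room for only $(( $6 - 2 )) zones" >&2
        return 1
    fi
    base=$(ip_to_int "$1")
    echo "$1 lnetwork"
    echo "$(int_to_ip $(( base + 1 ))) lrouter"
    echo "$(int_to_ip $(( base + 2 ))) lhost"
    i=1
    while [ "$i" -le "$nzones" ]; do
        echo "$(int_to_ip $(( base + 2 + i ))) lzone$i"
        i=$(( i + 1 ))
    done
    echo "$3 lbroadcast"
}

# gen_zonecfg ZONE IFACE PREFIXLEN ZONEPATH -> a zonecfg(1M) command file that,
# like the post, names the zone's /etc/hosts entry as its address
gen_zonecfg() {
    cat <<EOF
create -B lx
set autoboot=true
set zonepath=$4
add net
set physical=$2
set address=$1/$3
end
commit
exit
EOF
}

# Usage: sh lsubnet.sh 10.11.12.0/29 4 iprb0 /export/zones
if [ $# -eq 4 ]; then
    gen_netmasks "$1" && gen_hosts "$1" "$2" || exit 1
    i=1
    while [ "$i" -le "$2" ]; do
        gen_zonecfg "lzone$i" "$3" "${1#*/}" "$4/lzone$i"
        i=$(( i + 1 ))
    done
fi
```

For the post's 10.11.12.0/29 with four zones the output is exactly the netmasks and hosts entries listed above; asking for a fifth zone fails, because a /29 has six host addresses and two of them are taken by lrouter and lhost.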