Thursday, January 15, 2009

Crossbow in a zone

I've now got a zone up and running with a virtual nic hanging off a virtual switch, and the zone can still talk out to the internet.

I've chosen 10.10.11.0/24 as my virtual network, as opposed to my physical network of 10.10.10.0/24.

So, in a nutshell;

Create the virtual switch;
dladm create-etherstub etherstub0

Create the virtual nics;
dladm create-vnic -l etherstub0 vnic0
dladm create-vnic -l etherstub0 vnic1

Plumb up vnic0 in the global zone and assign it an address. This address becomes the zone's default router, so it is worth noting it. ifconfig then shows;
vnic0: flags=201100843 mtu 9000 index 7
inet 10.10.11.254 netmask ffffff00 broadcast 10.10.11.255
ether 2:8:20:8c:67:2e

Create the sparse zone, with vnic1 as the nic.
Set ip-type to exclusive and just add the vnic to the config. With its own exclusive IP stack the zone takes its network settings from its own /etc/hostname.vnic1 and /etc/defaultrouter (under the zone root), just like a standalone host;
[root] deckard:/root # zonecfg -z zone1 info
zonename: zone1
zonepath: /tank/zones/zone1
brand: native
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /platform
inherit-pkg-dir:
    dir: /sbin
inherit-pkg-dir:
    dir: /usr
fs:
    dir: /export/home
    special: /export/home
    raw not specified
    type: lofs
    options: []
net:
    address not specified
    physical: vnic1
    defrouter not specified

ifconfig from the zone;
vnic1: flags=201000843 mtu 9000 index 2
inet 10.10.11.1 netmask ffffff00 broadcast 10.10.11.255

Both vnics are connected to the same virtual switch, so they can ping each other no bother.
We are nearly there, but to communicate with my 'real' network the zone needs a default route pointing at vnic0's address in the global zone (set via /etc/defaultrouter in the zone);
[root] zone1:/root # netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.10.11.254         UG        1         25
10.10.11.0           10.10.11.1           U         1          2 vnic1

To get internet access, NAT the virtual subnet out of the physical nic by adding the following to /etc/ipf/ipnat.conf;
map nge0 10.10.11.0/24 -> 0/32

and the following to /etc/ipf/ipf.conf;
pass in quick on nge0 from 10.10.11.0/24 to any keep state


And erm, that's it. I'm writing this in a firefox session launched from zone1. Nice :-)
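The steps above collected into one script, added here as an example; it is not the post's own script. The names and addresses are the page's (etherstub0, vnic0/vnic1, nge0, zone1, /tank/zones/zone1, 10.10.11.0/24 with 10.10.11.254 in the global zone and 10.10.11.1 in the zone). Everything else is an assumption: the routeadm forwarding step, the zoneadm install/boot, and the svcadm/ipf/ipnat commands that make the conf files take effect, plus three hypothetical knobs (ROOT prefixes every file written, DRY_RUN prints the privileged commands instead of running them, and CROSSBOW_APPLY must be set before the script touches anything) so it can be reviewed or tested on a machine that is not the OpenSolaris box. The ipf rule is reproduced as the page gives it; note that it passes the whole virtual subnet to any destination, the physical LAN included, so tighten it if the zone should be trusted less than the global zone.

```shell
#!/bin/sh
# Added example (not the post's own script): the Crossbow-in-a-zone steps
# as one reviewable script. Defaults are the page's names; the forwarding,
# install, enable and reload steps are assumptions about what the page's
# config files need in order to take effect.
set -eu

ETHERSTUB=${ETHERSTUB:-etherstub0}
EXT_IF=${EXT_IF:-nge0}               # physical nic on the 10.10.10.0/24 side
ZONE=${ZONE:-zone1}
ZONEPATH=${ZONEPATH:-/tank/zones/$ZONE}
VNET=${VNET:-10.10.11.0/24}          # the virtual subnet behind the etherstub
GZ_ADDR=${GZ_ADDR:-10.10.11.254}     # vnic0 in the global zone = the zone's router
ZONE_ADDR=${ZONE_ADDR:-10.10.11.1}   # vnic1 inside the zone
NETMASK=${NETMASK:-255.255.255.0}
ROOT=${ROOT:-}        # hypothetical prefix for every file written (empty = live system)
DRY_RUN=${DRY_RUN:-}  # hypothetical switch: non-empty prints privileged commands

# Run a privileged command, or just show it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

# Write stdin to $ROOT$1 (overwrite / append), creating parent directories.
write_file()  { mkdir -p "$ROOT$(dirname "$1")"; cat >  "$ROOT$1"; }
append_file() { mkdir -p "$ROOT$(dirname "$1")"; cat >> "$ROOT$1"; }

# 1. The virtual switch and the two vnics hanging off it.
make_vnet() {
    run dladm create-etherstub "$ETHERSTUB"
    run dladm create-vnic -l "$ETHERSTUB" vnic0
    run dladm create-vnic -l "$ETHERSTUB" vnic1
}

# 2. vnic0 stays in the global zone: plumb it now, persist it, and turn on
#    forwarding so the global zone routes between vnic0 and $EXT_IF.
config_global_vnic() {
    run ifconfig vnic0 plumb
    run ifconfig vnic0 "$GZ_ADDR" netmask "$NETMASK" up
    printf '%s netmask %s up\n' "$GZ_ADDR" "$NETMASK" | write_file /etc/hostname.vnic0
    run routeadm -u -e ipv4-forwarding
}

# 3. zonecfg commands matching the 'zonecfg -z zone1 info' output on the page:
#    a plain 'create' gives the sparse-root inherit-pkg-dir entries.
zonecfg_script() {
    cat <<EOF
create
set zonepath=$ZONEPATH
set autoboot=false
set ip-type=exclusive
add fs
set dir=/export/home
set special=/export/home
set type=lofs
end
add net
set physical=vnic1
end
verify
commit
EOF
}

config_zone() {
    zonecfg_script | write_file "/var/tmp/$ZONE.zonecfg"
    run zonecfg -z "$ZONE" -f "$ROOT/var/tmp/$ZONE.zonecfg"
    run zoneadm -z "$ZONE" install
    # Exclusive IP: the zone's own stack reads these files like a standalone
    # host, which is where its 'default 10.10.11.254' route comes from.
    printf '%s netmask %s up\n' "$ZONE_ADDR" "$NETMASK" \
        | write_file "$ZONEPATH/root/etc/hostname.vnic1"
    printf '%s\n' "$GZ_ADDR" | write_file "$ZONEPATH/root/etc/defaultrouter"
}

# 4. NAT the virtual subnet out of the physical nic. Both rules are the
#    page's; they pass the whole subnet to any destination, so tighten the
#    ipf rule if the zone should see less than the global zone does.
config_nat() {
    printf 'map %s %s -> 0/32\n' "$EXT_IF" "$VNET" | append_file /etc/ipf/ipnat.conf
    printf 'pass in quick on %s from %s to any keep state\n' "$EXT_IF" "$VNET" \
        | append_file /etc/ipf/ipf.conf
    run svcadm enable network/ipfilter
    run ipf -Fa -f "$ROOT/etc/ipf/ipf.conf"       # flush and load filter rules
    run ipnat -CF -f "$ROOT/etc/ipf/ipnat.conf"   # flush and load NAT rules
}

crossbow_zone_setup() {
    make_vnet
    config_global_vnic
    config_zone
    config_nat
    run zoneadm -z "$ZONE" boot
}

# Only touch the system when explicitly asked (CROSSBOW_APPLY=1); otherwise
# the functions are merely defined, e.g. for a DRY_RUN=1 review.
if [ -n "${CROSSBOW_APPLY:-}" ]; then
    crossbow_zone_setup
fi
```

Review it first with `DRY_RUN=1 CROSSBOW_APPLY=1 sh crossbow-zone.sh`, which prints every dladm/ifconfig/zonecfg/zoneadm/ipf command and writes the conf files; run it again as root without DRY_RUN to apply. The zone's sysidcfg prompts on first boot are handled as usual and are outside this script.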


Thanks to Ben Rockwood's Blog for providing the inspiration for this expedition.
