[csw-maintainers] Mail / Web outage

İhsan Doğan ihsan at opencsw.org
Wed May 22 12:10:14 CEST 2013


On 05/19/2013 09:10 PM, Juraj Lutter wrote:

>>>>>>>> I will install patches now and do another reboot tomorrow.
>>>>>>> The patching round was faster than I thought. The mail/web service might
>>>>>>> not run during the next 120 minutes.
>>>>>> The Live Upgrade reboot took 5 hours!
>>>>>>
>>>>>> Well, everything is now up to date again. Sorry for the outage and
>>>>>> thanks for the patience.
>>>>> Thanks for handling the upgrade!
>>>> BTW, I've disabled IPv6 again. As soon as I've upgraded the global zone to
>>>> Solaris 11 and the zones have their own dedicated IP stack, I will
>>>> enable it again.
>>> What is the problem with IPv6 in local zones on Solaris 10?
>> I don't want the global zone to be reachable from a regular zone.
>> With a shared IP stack, configuring black hole routes for the global
>> zone isn't easy.
> 
> intercept loopback via ipfilter or
> https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common ?

I didn't know that there are other options than the route hole.

-----------------------------------------------------------------
The /dev/ip ndd(1M) parameter 'ip_restrict_interzone_loopback', managed
from the global zone, will force traffic out of the system on a datalink
if the source and destination zones do not share a datalink. The default
configuration for this is to allow inter-zone networking using internal
loopback of IP datagrams, with the value of this parameter set to '0'.
When the value is set to '1', traffic to an IP address in another zone
in the shared IP Instance that is not on the same datalink will be put
onto the external network. Whether the destination is reached will
depend on the full network configuration of the system and the external
network. This applies whether the source and destination IP address are
on the same or different IP subnets. This parameter applies to all IP
Instances active on the system, including exclusive IP Instance zones.
In the case of exclusive IP zones, this will apply only if the zone has
more than one datalink configured with IP addresses. For two zones
on the same system to communicate with
'ip_restrict_interzone_loopback' set to '1', the following conditions
must be met:
- There is a network path to the destination. If on the same subnet, the
  switch(es) must allow the connection. If on different subnets, routes
  must be in place for packets to pass reliably between the two zones.
- The destination address is not on the same datalink (as this would break
  the datalink rules).
- The destination is not on a datalink in an IPMP group that the sending
  datalink is also in.
-----------------------------------------------------------------

The ip_restrict_interzone_loopback sounds very interesting. Have you
ever tried it out?




Ihsan

-- 
ihsan at dogan.ch		http://blog.dogan.ch/
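As an added example (not part of the thread or of Oracle's text), a small POSIX sh audit that takes the tunable's value and each zone's datalink and lists the zone pairs that would still talk over internal loopback, which is the caveat in the quoted paragraph: with the value at '1', zones sharing a datalink with the global zone are not forced onto the wire. The zone/datalink sample and the fallback used when `ndd` is absent are constructed assumptions.

```shell
#!/bin/sh
# Added example: which zone pairs keep using internal IP loopback under a
# given ip_restrict_interzone_loopback setting. Inputs are constructed here;
# on a Solaris 10 host the value comes from
# `ndd -get /dev/ip ip_restrict_interzone_loopback` and the "zone datalink"
# lines would be assembled from the 'physical:' line of `zonecfg -z <zone> info net`.

# Constructed sample: value as `ndd -get` prints it (1 = restrict loopback).
SAMPLE_NDD_VALUE=1

# Constructed sample: shared-stack zones and the datalink each one uses.
# The global zone sits on e1000g0 together with two non-global zones.
SAMPLE_ZONE_NICS="global e1000g0
web e1000g0
mail e1000g0
build e1000g1"

# Use the live tunable when ndd exists, otherwise the constructed sample,
# so the logic can be exercised off a Solaris box too.
current_value() {
    if command -v ndd >/dev/null 2>&1; then
        ndd -get /dev/ip ip_restrict_interzone_loopback
    else
        echo "$SAMPLE_NDD_VALUE"
    fi
}

# Print "zoneA zoneB" for every pair that still loops back inside the kernel.
# $1: tunable value (0 or 1); stdin: "zone datalink" lines.
loopback_pairs() {
    awk -v restrict="$1" '
    { zone[NR] = $1; nic[NR] = $2 }
    END {
        for (i = 1; i <= NR; i++)
            for (j = i + 1; j <= NR; j++)
                # restrict=0: every pair loops back internally;
                # restrict=1: only pairs on the same datalink still do.
                if (restrict == 0 || nic[i] == nic[j])
                    print zone[i], zone[j]
    }'
}

value=$(current_value)
echo "ip_restrict_interzone_loopback=$value; pairs still using internal loopback:"
printf '%s\n' "$SAMPLE_ZONE_NICS" | loopback_pairs "$value"
```

Any pair listed that includes 'global' shows where the tunable alone does not isolate the global zone, so a filter (e.g. ipfilter, as suggested in the thread) is still needed there.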