[OpenIndiana-discuss] [discuss] Is it possible to do shared networking for LZ different from IP stack in GZ?

James Carlson carlsonj at workingcode.com
Mon Jun 11 20:32:22 UTC 2012


Jim Klimov wrote:
> 2012-06-11 18:19, Dan McDonald wrote:
>> The fundamental question is always:  What problem are you really
>> trying to solve?
> 
> Okay, I found another rationale besides performance and simplified
> intra-zone routing (though not as apparent as exclusive routing).
> It seems that the shared IP stack offers better protection against
> sniffing on colocated environments (i.e. zone-based hosting): it
> is not allowed to use promiscuous mode on NIC aliases used in the
> shared stack, while sniffing does work on exclusive VNICs.
> 
> That might be a serious difference in some cases...

Yanking away PRIV_NET_RAWACCESS and PRIV_NET_OBSERVABILITY ought to
prevent sniffing.  (I haven't tested, though, to see what else breaks,
as that seems to be a cruel thing to do to zone administrators.)

For what it's worth (and having worked on the code in the now-distant
past), I certainly agree with you at a high level.  What you're
describing is an "obvious" generalization of the exclusive stack
concept.  It was "obvious" enough that we actually discussed it
internally when the feature was being added.  Testing complexity and
lack of a clear use-case were the main factors in deciding not to
generalize.

A related factor was feedback from the field.  The addition of exclusive
stacks was done because customers told Sun that they did not or could
not use shared stacks at all, and they adamantly didn't want to share.
Well, with no desire to share, that makes the implementation simpler; it
becomes just an on/off flag rather than a multi-valued and
reference-counted beast.

Depending on what you're trying to accomplish, there may be other ways
to go about providing higher-performance data paths between zones.  One
is by communicating between zones via shared (loopback-mounted) file
systems.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
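An added example for the privilege approach in the reply above (not code from the post or from OpenIndiana): it builds the zonecfg `limitpriv` value that negates the two privileges without duplicating entries, and checks a `ppriv -v` listing taken inside the zone for their absence. The lowercase names are the zonecfg/ppriv spellings of PRIV_NET_RAWACCESS and PRIV_NET_OBSERVABILITY; the zone name `web1`, the helper names and the abbreviated ppriv listings are assumptions.

```shell
# Build a new limitpriv value from the current one (the output of
# `zonecfg -z ZONE info limitpriv`, or a bare value), negating both
# privileges and dropping any earlier mention of them so the list has no
# duplicates. Runs in a subshell so the IFS change does not leak out.
hardened_limitpriv() (
    cur=$(printf '%s' "$1" | sed -e 's/^limitpriv:[[:space:]]*//' -e 's/[[:space:]]//g')
    out=""
    IFS=,
    for tok in $cur; do
        case "$tok" in
            net_rawaccess|!net_rawaccess|net_observability|!net_observability|"") ;;
            *) out="${out:+$out,}$tok" ;;
        esac
    done
    [ -z "$out" ] && out=default   # "default" = the standard zone privilege set
    printf '%s' "$out,!net_rawaccess,!net_observability"
)

# Read a `ppriv -v $$` listing on stdin; succeed only if the limit set (L:)
# contains neither privilege. Run inside the zone after it has been rebooted.
sniff_privs_absent() {
    if grep -E '^[[:space:]]*L:' | tr ', ' '\n\n' \
       | grep -q -x -E 'net_rawaccess|net_observability'; then
        return 1
    fi
    return 0
}

# Constructed, abbreviated ppriv listings (a real L: line is much longer).
BEFORE_PPRIV='12345:  -sh
        E: basic
        P: basic
        L: contract_event,net_icmpaccess,net_observability,net_rawaccess,proc_fork'
AFTER_PPRIV='12345:  -sh
        E: basic
        P: basic
        L: contract_event,net_icmpaccess,proc_fork'

# On a live host (hypothetical zone "web1"):
#   zonecfg -z web1 "set limitpriv=$(hardened_limitpriv "$(zonecfg -z web1 info limitpriv)")"
#   zoneadm -z web1 reboot      # limitpriv is applied when the zone boots
printf 'new limitpriv: %s\n' "$(hardened_limitpriv 'limitpriv: default,!sys_net_config')"
printf '%s\n' "$BEFORE_PPRIV" | sniff_privs_absent || echo 'before: sniffing privileges still present'
printf '%s\n' "$AFTER_PPRIV"  | sniff_privs_absent && echo 'after: net_rawaccess/net_observability gone'
```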
