[OpenIndiana-discuss] container with same ip

Peter Tribble peter.tribble at gmail.com
Wed Nov 15 17:50:52 UTC 2023


On Tue, Nov 14, 2023 at 5:24 PM Goetz T. Fischer <g.fischer at r-a-c.de> wrote:

> thanks but i don't think this is the right one for me. i want to run
> services inside the container which
> are available from the outside through the same ip as the host os.
> or maybe i got the crossbow concept wrong?
>

The way I do this (on OmniOS and Tribblix, but conceptually it's the same
on all Solaris/illumos variants):

1. Create an etherstub

2. In the global zone, create a vnic over that etherstub, and then give it
an address eg 10.0.0.1

3. For each zone, create a vnic over that etherstub, and assign the vnic to
that zone
as an exclusive-ip device (so the addresses will be 10.0.0.2, 10.0.0.3 etc)

4. Run haproxy or nginx (or something similar, whatever you're familiar
with) in the global zone as
a reverse proxy so it's listening on the system's main IP address, and
proxies the traffic to the zone(s).
This can be name-based websites (either from the host header for http or
SNI for https), or port-based
for things that can't handle routing based on names (eg ssh).

5. If you want to get out of the zone, set up simple nat in the global zone
and have each zone point
its default router at the global zone's address on the etherstub. But if
you don't want the zones to
be able to escape, don't handle nat. (In that case you might want a local
dns server or forward proxy
if you need to handle outbound requests.)


> On Tue, 14 Nov 2023 12:12:51 -0500, John D Groenveld wrote:
> > In message <20231114174007794762.87d3dcb1 at r-a-c.de>, "Goetz T. Fischer" writes:
> >> first choice are zones. however as far as i've seen they have one catch: they
> >> need their own ip.
> >> what i'm looking for though is more like a jail, just to not let certain programs
> >> reach outside of their jail in case they get hacked.
> >
> > You might assign your zones private IP addresses with Crossbow NICs
> > and virtual switches:
> > <URL:https://www.usenix.org/legacy/event/lisa09/tech/full_papers/tripathi.pdf>
> >
> > John
> > groenveld at acm.org
> >
> > _______________________________________________
> > openindiana-discuss mailing list
> > openindiana-discuss at openindiana.org
> > https://openindiana.org/mailman/listinfo/openindiana-discuss
>


-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
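The five steps above, as an added example that is not part of Peter's mail or of any illumos distribution: a shell plan that prints (with DRY_RUN=1, the default) or executes (DRY_RUN=0, as root in the global zone) the dladm, ipadm, zonecfg, ipfilter and haproxy pieces. Every name and address in it is an assumption: etherstub hub0, one vnic named <zone>0 per zone, the private 10.0.0.0/24 on the stub, public address 192.0.2.10 on interface net0, and zones that already exist in zonecfg. The zonecfg net-resource properties allowed-address and defrouter are the illumos ones; allowed-address is what keeps a compromised zone pinned to its own address, and leaving out setup_nat (and defrouter) is what keeps the zones unable to initiate anything outbound, which is the jail behaviour Goetz asked for.

```shell
#!/bin/sh
# Added example, not from the thread: Peter's etherstub/vnic/exclusive-ip/proxy/NAT
# layout as a reviewable plan. DRY_RUN=1 prints each privileged command instead of
# running it. Names and addresses below are assumptions, not anyone's real setup.

DRY_RUN="${DRY_RUN:-1}"
STUB="${STUB:-hub0}"                      # assumed etherstub name (step 1)
NET="${NET:-10.0.0}"                      # assumed private /24 carried on the stub
GZ_ADDR="$NET.1"                          # global zone's address on the stub (step 2)
EXT_IF="${EXT_IF:-net0}"                  # assumed external interface of the global zone
PUBLIC_ADDR="${PUBLIC_ADDR:-192.0.2.10}"  # assumed public address the proxy listens on

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1 and 2: the etherstub, plus a vnic and address for the global zone.
setup_global() {
    run dladm create-etherstub "$STUB"
    run dladm create-vnic -l "$STUB" "${STUB}_gz0"
    run ipadm create-if "${STUB}_gz0"
    run ipadm create-addr -T static -a "$GZ_ADDR/24" "${STUB}_gz0/v4"
}

# Step 3 (plus the zone half of step 5): one vnic per zone, handed to the zone as an
# exclusive-ip net resource. allowed-address pins the zone to its own address so it
# cannot borrow a neighbour's; defrouter points it at the global zone on the stub.
# Assumes the zone is already configured (zonecfg create / zonepath done elsewhere).
# $1 = zone name, $2 = host part of its address (2, 3, ...)
add_zone_vnic() {
    zone="$1"; host="$2"
    vnic="${zone}0"
    run dladm create-vnic -l "$STUB" "$vnic"
    run zonecfg -z "$zone" "set ip-type=exclusive; add net; set physical=$vnic; set allowed-address=$NET.$host/24; set defrouter=$GZ_ADDR; end"
}

# Step 4: haproxy in the global zone, bound only to the public address, routing by
# Host header to the zone's address on the stub (name-based http; an SNI-inspecting
# TCP frontend does the same for https, a plain TCP frontend per port for ssh-like
# services). $1 = zone name, $2 = host part, $3 = site name
haproxy_site() {
    cat <<EOF
frontend public_http
    bind $PUBLIC_ADDR:80
    acl host_$1 hdr(host) -i $3
    use_backend be_$1 if host_$1

backend be_$1
    server $1 $NET.$2:80 check
EOF
}

# Step 5, global zone half: ipfilter NAT so zones can reach out via the public address.
# Omit setup_nat (and defrouter above) to keep zones unable to initiate outbound traffic.
ipnat_rules() {
    cat <<EOF
map $EXT_IF $NET.0/24 -> 0/32 portmap tcp/udp auto
map $EXT_IF $NET.0/24 -> 0/32
EOF
}

setup_nat() {
    run routeadm -u -e ipv4-forwarding
    if [ "$DRY_RUN" = 1 ]; then ipnat_rules; else ipnat_rules >> /etc/ipf/ipnat.conf; fi
    run svcadm enable ipfilter
}

# Whole plan for two constructed zones: web at 10.0.0.2 (proxied) and db at 10.0.0.3.
plan() {
    setup_global
    add_zone_vnic web 2
    add_zone_vnic db 3
    haproxy_site web 2 www.example.com
    setup_nat
}

if [ "${1:-}" = "plan" ]; then plan; fi
```

Run `sh plan.sh plan` to read the generated commands and config fragments; only the haproxy fragment and the ipnat lines are meant to be pasted into their config files, the rest is executed directly once DRY_RUN=0.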

