I'm wondering if Open Solaris + xVM will allow me to do the following:

I currently have 2 Solaris 10 servers sucking down electrons that I would like to consolidate into 2 xVM instances on a Solaris 11 quad core box.

This is what it looks like:

Internet --->A sol 10 FW/Web B>---->C Sol 10 app/mail D---> local LAN

So interface A is connected to the Internet. The FW/Web box runs IP Filter for FW + NAT, plus there are web services on that system. Interface B connects via crossover cable to interface C on another box running Solaris 10/IPFilter (again) as an app/file/mail server for the local LAN.

What I'd like to do is UFS dump the OS images into xVM images and connect them up with the same network topology. I have enough hardware to put 6 ethernets into the new box.

So my questions are:

1) Can I dedicate an interface to an xVM instance without plumbing an IP on the host Sol 11 box such that I can run IPFilter in xVM as a FW and not have that interface used as an attack vector to the host?

I would then dedicate 3 interfaces to xVM instances: 2 interfaces to the first Solaris 10 instance, 1 for the connection to the Internet, and the other to a crossover to another port dedicated to the 2nd Solaris 10 instance. The 4th could then be shared between the 2nd instance and the host.

Ideally, if this could be done as above, it would be cool if I could somehow virtually plumb two virtual interfaces between xVM instances for high speed communications w/o having to use physical hardware, and for increased performance, but again, without having IP plumbed on the host to use as an attack vector.

Any thoughts?

(Yes I know this is somewhat convoluted perhaps, and eventually once Solaris 11 is officially released I'll consider using zones and IP instances, but until then I'd like not to have to reconfigure two highly customized Solaris 10 systems just to save on power...)

This message posted from opensolaris.org

Matt.Ingenthron@Sun.COM
2008-Apr-03 02:38 UTC
Re: Solaris 10 FW/IPF in a Open Solaris dom/U?
Hi Bill,

Bill Werner wrote:
(snip...)
> What I'd like to do is UFS dump the OS images into xVM images and connect
> them up with the same network topology. I have enough hardware to
> put 6 ethernets into the new box.
>
(snip...)

I can't speak for most of the xVM stuff, but an OS image like that will probably not be portable across drastic hardware changes. You may want to investigate Solaris Flash Archives. For moving an OS image from one system to another, this seems to be one of the best ways. It's also the method they use under project etude to move a whole OS from one system to a separate one which is virtualized.

Regards,

- Matt

--
Matt Ingenthron - Web Infrastructure Solutions Architect
Sun Microsystems, Inc. - Global Systems Practice
http://blogs.sun.com/mingenthron/
email: matt.ingenthron@sun.com Phone: 310-242-6439

Hi

What are the reasons for not using containers/zones in Solaris 10?

Henry

On Thu, Apr 3, 2008 at 4:29 AM, Bill Werner <werner@cubbyhole.com> wrote:
>
> I currently have 2 Solaris 10 servers sucking down electrons that I would
> like to consolidate into 2 xVM instances on a Solaris 11 quad core box.
> Any thoughts?
>
> (Yes I know this is somewhat convoluted perhaps, and eventually once
> Solaris 11 is officially released I'll consider using zones and IP
> instances, but until then I'd like not to have to reconfigure two
> highly customized Solaris 10 systems just to save on power...)
>
> _______________________________________________
> xen-discuss mailing list
> xen-discuss@opensolaris.org

> Hi
>
> What are the reasons for not using
> containers/zones in Solaris 10?

My environment is already built and highly customized. I don't wish to redo everything into a zone to do consolidation, if I could just put it into an xVM image. I might consider redoing it into zones when 11 is officially released.

I wonder though, if xVM instances don't provide better isolation and security than zones?

No comments? It's not possible to assign an interface to an xVM instance w/o plumbing up an IP on the host?

On 3 Apr 2008, at 03:29, Bill Werner wrote:
> 1) Can I dedicate an interface to an xVM instance without plumbing
> an IP on the host Sol 11 box

Yes. You can either completely dedicate it (use the 'vif-dedicated' script) or use the normal VNIC approach.

Note that the packets are still flowing through the host domain with this configuration (they arrive in the host domain and are passed to the guest domain using the normal inter-domain protocol). Allowing a guest domain direct access to the NIC is the subject of a future project.