crossbow discuss - Nov 2009 - Zone and vnic with snv_127

Hi,

I am new to vnic and I m trying to setup a zone using one.
I followed a guide I found on a blog however at the end, somehow, the zone
can''t ping anything but itself and the global domain.

I can ping the zone just fine though from other computers.

Global domain (192.168.2.50):
----------------------------
root at server:/etc# dladm show-link
LINK        CLASS     MTU    STATE    BRIDGE     OVER
bnx1        phys      1500   up       --         --
bnx0        phys      1500   up       --         --
devdb0      vnic      1500   up       --         bnx0

Zone devdb (192.168.2.52):
--------------------------------
root at server:/etc# zonecfg -z devdb info
zonename: devdb
zonepath: /data/zones/devdb
brand: ipkg
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
net:
        address not specified
        physical: devdb0
        defrouter not specified


root at devdb:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
index 1
        inet 127.0.0.1 netmask ff000000
devdb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index
2
        inet 192.168.2.52 netmask ffffff00 broadcast 192.168.2.255
        ether 2:8:20:f2:e1:23
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252
index 1
        inet6 ::1/128


root at devdb:~# netstat -nr
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.2.1          UG        1          0
192.168.2.0          192.168.2.52         U         1          0 devdb0
127.0.0.1            127.0.0.1            UH        1          0 lo0


The default gateway is pretty weird as it does not show the used interface. That
might be the issue but I don''t know how to fix it.

Did i miss something else ? any idea ?

Thanks in advance !
Chris
-- 
This message posted from opensolaris.org

Chris wrote:
> Hi,
> 
> I am new to vnic and I m trying to setup a zone using one.
> I followed a guide I found on a blog however at the end, somehow, the zone
can''t ping anything but itself and the global domain.
> 
> I can ping the zone just fine though from other computers.
> 
> Global domain (192.168.2.50):
> ----------------------------
> root at server:/etc# dladm show-link
> LINK        CLASS     MTU    STATE    BRIDGE     OVER
> bnx1        phys      1500   up       --         --
> bnx0        phys      1500   up       --         --
> devdb0      vnic      1500   up       --         bnx0
> 
> Zone devdb (192.168.2.52):
> --------------------------------
> root at server:/etc# zonecfg -z devdb info
> zonename: devdb
> zonepath: /data/zones/devdb
> brand: ipkg
> autoboot: false
> bootargs:
> pool:
> limitpriv:
> scheduling-class:
> ip-type: exclusive
> hostid:
> net:
>         address not specified
>         physical: devdb0
>         defrouter not specified
> 
> 
> root at devdb:~# ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
8232 index 1
>         inet 127.0.0.1 netmask ff000000
> devdb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
index 2
>         inet 192.168.2.52 netmask ffffff00 broadcast 192.168.2.255
>         ether 2:8:20:f2:e1:23
> lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu
8252 index 1
>         inet6 ::1/128
> 
> 
> root at devdb:~# netstat -nr
> Routing Table: IPv4
>   Destination           Gateway           Flags  Ref     Use     Interface
> -------------------- -------------------- ----- ----- ---------- ---------
> default              192.168.2.1          UG        1          0
> 192.168.2.0          192.168.2.52         U         1          0 devdb0
> 127.0.0.1            127.0.0.1            UH        1          0 lo0
> 
> 
> The default gateway is pretty weird as it does not show the used interface.
That might be the issue but I don''t know how to fix it.
The default route looks reasonable to me, but ultimately it depends on 
the network you are connected to.
> 
> Did i miss something else ? any idea ?
It''s hard to say without having more information on the rest of your 
host and network configuration.

For instance how did you pick the IP address for your VNIC? Is that 
address valid on the network bnx0 is connected to? Is bnx0 configured on 
the global zone? If so can you ping it from the non-global zone?

Nicolas.

> 
> Thanks in advance !
> Chris

Bonjour Nicolas,

1) IIs it not weird that the default route does not show the interface it will
use ? That''s the first time i saw this but i am not a network expert
either...

2) Host and Network configuration are straight forward, everything is on the
same subnet 192.168.2.0/24, the server ip address is 192.168.2.50 , the cisco
router is 192.168.2.1 and the dhcp pool is on 192.168.2.100 -> 192.168.2.200
for the workstations and printers.

I have already a zone wihout an exclusive stack set to 192.168.2.51 and it works
just fine.

Is there any other tools output I can provide to help you further understand
what is going on ?

I looked at the forum before posting and I noticed one topic which looks very
similar to mine but there is no answer:
http://opensolaris.org/jive/thread.jspa?messageID=346719&#346719

Thanks in advance for your help Nicolas.

Christian
-- 
This message posted from opensolaris.org

Sorry I just realized I didnt answer your questions fully.

bnx0 is configured just fine on the global zone:

root at server:/etc# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
8232 index 1
        zone dev
        inet 127.0.0.1 netmask ff000000
bnx0: flags=1004943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,DHCP,IPv4> mtu
1500 index 3
        inet 192.168.2.50 netmask ffffff00 broadcast 192.168.2.255
        ether 0:1c:23:d7:1d:9e
bnx0:1: flags=1000943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,IPv4> mtu
1500 index 3
        zone dev
        inet 192.168.2.51 netmask ffffff00 broadcast 192.168.2.255
bnx1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 0.0.0.0 netmask ff000000
        ether 0:1c:23:d7:1d:a0
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252
index 1
        inet6 ::1/128
lo0:1: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu
8252 index 1
        zone dev
        inet6 ::1/128
bnx0: flags=2004941<UP,RUNNING,PROMISC,MULTICAST,DHCP,IPv6> mtu 1500 index
3
        inet6 fe80::21c:23ff:fed7:1d9e/10
        ether 0:1c:23:d7:1d:9e

I can ping the zone from the global zone just fine as well:

root at server:/etc# ping -I1 192.168.2.52
PING 192.168.2.52: 56 data bytes
64 bytes from 192.168.2.52: icmp_seq=0. time=0.094 ms
64 bytes from 192.168.2.52: icmp_seq=1. time=0.041 ms
64 bytes from 192.168.2.52: icmp_seq=2. time=0.046 ms
64 bytes from 192.168.2.52: icmp_seq=3. time=0.074 ms
^C
----192.168.2.52 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 0.041/0.064/0.094/0.025


And I can ping the global zone from the zone as well:

root at devdb:~# ping -I1 192.168.2.50
PING 192.168.2.50: 56 data bytes
64 bytes from 192.168.2.50: icmp_seq=0. time=0.136 ms
64 bytes from 192.168.2.50: icmp_seq=1. time=0.114 ms
64 bytes from 192.168.2.50: icmp_seq=2. time=0.114 ms
64 bytes from 192.168.2.50: icmp_seq=3. time=0.058 ms
^C
----192.168.2.50 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 0.058/0.105/0.136/0.033

I can ping another zone on the same server as well however as soon as I try to
ping something outside the server, it does not work.
-- 
This message posted from opensolaris.org

Chris wrote:
> Sorry I just realized I didnt answer your questions fully.
> 
> bnx0 is configured just fine on the global zone:
> 
> root at server:/etc# ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
8232 index 1
>         inet 127.0.0.1 netmask ff000000
> lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
mtu 8232 index 1
>         zone dev
>         inet 127.0.0.1 netmask ff000000
> bnx0: flags=1004943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,DHCP,IPv4>
mtu 1500 index 3
>         inet 192.168.2.50 netmask ffffff00 broadcast 192.168.2.255
>         ether 0:1c:23:d7:1d:9e
> bnx0:1: flags=1000943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,IPv4>
mtu 1500 index 3
>         zone dev
>         inet 192.168.2.51 netmask ffffff00 broadcast 192.168.2.255
> bnx1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
index 2
>         inet 0.0.0.0 netmask ff000000
>         ether 0:1c:23:d7:1d:a0
> lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu
8252 index 1
>         inet6 ::1/128
> lo0:1: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL>
mtu 8252 index 1
>         zone dev
>         inet6 ::1/128
> bnx0: flags=2004941<UP,RUNNING,PROMISC,MULTICAST,DHCP,IPv6> mtu 1500
index 3
>         inet6 fe80::21c:23ff:fed7:1d9e/10
>         ether 0:1c:23:d7:1d:9e
> 
> I can ping the zone from the global zone just fine as well:
> 
> root at server:/etc# ping -I1 192.168.2.52
> PING 192.168.2.52: 56 data bytes
> 64 bytes from 192.168.2.52: icmp_seq=0. time=0.094 ms
> 64 bytes from 192.168.2.52: icmp_seq=1. time=0.041 ms
> 64 bytes from 192.168.2.52: icmp_seq=2. time=0.046 ms
> 64 bytes from 192.168.2.52: icmp_seq=3. time=0.074 ms
> ^C
> ----192.168.2.52 PING Statistics----
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip (ms)  min/avg/max/stddev = 0.041/0.064/0.094/0.025
> 
> 
> And I can ping the global zone from the zone as well:
> 
> root at devdb:~# ping -I1 192.168.2.50
> PING 192.168.2.50: 56 data bytes
> 64 bytes from 192.168.2.50: icmp_seq=0. time=0.136 ms
> 64 bytes from 192.168.2.50: icmp_seq=1. time=0.114 ms
> 64 bytes from 192.168.2.50: icmp_seq=2. time=0.114 ms
> 64 bytes from 192.168.2.50: icmp_seq=3. time=0.058 ms
> ^C
> ----192.168.2.50 PING Statistics----
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip (ms)  min/avg/max/stddev = 0.058/0.105/0.136/0.033
OK that''s great to know.
> 
> I can ping another zone on the same server as well however as soon as I try
to ping something outside the server, it does not work.
Do you see the packets sent from the non-global zone arriving on the 
machine you are trying to reach?

What if you snoop on bnx0, does that make any difference? (this could 
help me zero-in on the root cause)

Thanks,
Nicolas.

1) No packet arrive at the destination

2) Snoop didnt help but the global zone(server) see the requests :

root at server:~#  snoop -d bnx0 | grep ICMP
Using device bnx0 (promiscuous mode)
192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence number: 0)
192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence number: 1)
192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence number: 2)
192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence number: 3)
192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence number: 4)

I tried to reproduce the env on another computer and I did it with success
following the same steps as outlined in this blog:
http://unixsysadmin.net/2008/07/17/create-a-vnic-on-solaris-nevada-solaris-express-builds-and-use-it-for-an-exclusive-ip-stack-in-zones/

I end up with the same situation given that the global zone is using snv_127.

If you need anymore info Nicolas, please just let me know.
Thanks !

Chris
-- 
This message posted from opensolaris.org

On Nov 25, 2009, at 11:45 PM, Chris wrote:
> 1) No packet arrive at the destination
> 
> 2) Snoop didnt help but the global zone(server) see the requests :
> 
> root at server:~#  snoop -d bnx0 | grep ICMP
> Using device bnx0 (promiscuous mode)
> 192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence
number: 0)
> 192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence
number: 1)
> 192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence
number: 2)
> 192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence
number: 3)
> 192.168.2.52 -> 192.168.2.100 ICMP Echo request (ID: 9338 Sequence
number: 4)
> 
> I tried to reproduce the env on another computer and I did it with success
following the same steps as outlined in this blog:
>
http://unixsysadmin.net/2008/07/17/create-a-vnic-on-solaris-nevada-solaris-express-builds-and-use-it-for-an-exclusive-ip-stack-in-zones/
> 
> I end up with the same situation given that the global zone is using
snv_127.
Chris,

That''s odd, packets seem to be going out through the underlying NIC but
they never make it to the destination. To rule out the network you could try a
similar test with a back-to-back setup, and snooping on the peer to see if the
packets are getting to the wire at all. If that is not the case, we''d
have to do some tracing on the sender host to figure out why the packets are not
making it on the wire.

Nicolas.
> 
> If you need anymore info Nicolas, please just let me know.
> Thanks !
> 
> Chris
> -- 
> This message posted from opensolaris.org
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crossbow-discuss
-- 
Nicolas Droux - Solaris Kernel Networking - Sun Microsystems, Inc.
nicolas.droux at sun.com - http://blogs.sun.com/droux