hi folks,

i'm just getting started in this xvm stuff & am planning a DMZ-in-a-box configuration.

i currently have a server running solaris nevada & using zones to split up some of the functionality; if i move this to xvm, am i better off using separate domU's, or does it still make sense (from an efficiency PoV) to have solaris zones inside one domU ?

i *do* plan to use domU's for different versions of solaris, linux, etc in a more "direct" model .

thoughts or pointers welcome.

regards

p
--
This message posted from opensolaris.org
i think you will not have many options if you want to explore other OSs in a virtual environment. Keep it in mind that, from an IO perspective, Solaris zones can give you pure native performance in comparison to domUs.

rgds,
dot.yet

On Wed, Jun 10, 2009 at 8:22 PM, Peter Lees <no-reply@opensolaris.org> wrote:
> hi folks,
>
> i'm just getting started in this xvm stuff & am planning a DMZ-in-a-box
> configuration.
>
> i currently have a server running solaris nevada & using zones to split up
> some of the functionality; if i move this to xvm, am i better off using
> separate domU's, or does it still make sense (from an efficiency PoV) to
> have solaris zones inside one domU ?
>
> i *do* plan to use domU's for different versions of solaris, linux, etc in
> a more "direct" model .
>
> thoughts or pointers welcome.
>
> regards
>
> p
* no-reply@opensolaris.org [2009-06-11 01:22:06]
> i currently have a server running solaris nevada & using zones to
> split up some of the functionality; if i move this to xvm, am i better
> off using separate domU's, or does it still make sense (from an
> efficiency PoV) to have solaris zones inside one domU ?

VNICs inside a domU don't work very well (in fact, they work fine, they just don't get to see any traffic from outside the domU), so if that was part of your plan for Zones you'll struggle.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
* progbob@gmail.com [2009-06-11 14:59:37]
> David Edmondson wrote:
>> VNICs inside a domU don't work very well (in fact, they work fine,
>> they just don't get to see any traffic from outside the domU), so if
>> that was part of your plan for Zones you'll struggle.
>
> In a "doctor it hurts when I do that" alternative, can't you assign
> multiple vnics to the domU (as opposed to within the domU) and let
> your zones use them as they see fit ?

Yes.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
On Thu, Jun 11, 2009 at 2:58 PM, David Edmondson <dme@sun.com> wrote:
> VNICs inside a domU don't work very well (in fact, they work fine, they
> just don't get to see any traffic from outside the domU)

Why is that?
I had thought it would be somewhat similar to tun/tap + bridge in Linux, where you can have tun/tap interfaces and bridges in dom0, domU, or both, and they'd function correctly as expected.

--
Fajar
* fajar@fajar.net [2009-06-11 15:10:34]
> On Thu, Jun 11, 2009 at 2:58 PM, David Edmondson <dme@sun.com> wrote:
>> VNICs inside a domU don't work very well (in fact, they work fine, they
>> just don't get to see any traffic from outside the domU)
>
> Why is that?
> I had thought it would be somewhat similar to tun/tap + bridge in
> Linux, where you can have tun/tap interfaces and bridges in dom0,
> domU, or both, and they'd function correctly as expected.

It's not similar to Linux in this respect. The VNIC implementation would be better described as a non-learning switch (e.g. you assign ports to VMs and each port has an assigned MAC address).

There's an RFE to fix this (allow the guest to add more unicast MAC addresses), but it's not yet completed.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
On Thu, Jun 11, 2009 at 03:35:52PM +0100, David Edmondson wrote:
> * fajar@fajar.net [2009-06-11 15:10:34]
> > On Thu, Jun 11, 2009 at 2:58 PM, David Edmondson <dme@sun.com> wrote:
> >> VNICs inside a domU don't work very well (in fact, they work fine, they
> >> just don't get to see any traffic from outside the domU)
> >
> > Why is that?
> > I had thought it would be somewhat similar to tun/tap + bridge in
> > Linux, where you can have tun/tap interfaces and bridges in dom0,
> > domU, or both, and they'd function correctly as expected.
>
> It's not similar to Linux in this respect. The VNIC implementation would
> be better described as a non-learning switch (e.g. you assign ports to
> VMs and each port has an assigned MAC address).
>
> There's an RFE to fix this (allow the guest to add more unicast MAC
> addresses), but it's not yet completed.
>

what's the CR number for this RFE?

ed
* Edward.Pilatowicz@Sun.COM [2009-06-11 19:22:18]
> On Thu, Jun 11, 2009 at 03:35:52PM +0100, David Edmondson wrote:
>> * fajar@fajar.net [2009-06-11 15:10:34]
>> > On Thu, Jun 11, 2009 at 2:58 PM, David Edmondson <dme@sun.com> wrote:
>> >> VNICs inside a domU don't work very well (in fact, they work fine, they
>> >> just don't get to see any traffic from outside the domU)
>> >
>> > Why is that?
>> > I had thought it would be somewhat similar to tun/tap + bridge in
>> > Linux, where you can have tun/tap interfaces and bridges in dom0,
>> > domU, or both, and they'd function correctly as expected.
>>
>> It's not similar to Linux in this respect. The VNIC implementation would
>> be better described as a non-learning switch (e.g. you assign ports to
>> VMs and each port has an assigned MAC address).
>>
>> There's an RFE to fix this (allow the guest to add more unicast MAC
>> addresses), but it's not yet completed.
>>
>
> what's the CR number for this RFE?

6738714

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
> VNICs inside a domU don't work very well (in fact,
> they work fine, they
> just don't get to see any traffic from outside the
> domU), so if that was
> part of your plan for Zones you'll struggle.

so the upshot is that i can't talk from a non-global zone inside a domU to anything outside that domU? hmmm....
On Tue, Jun 16, 2009 at 08:20:59AM -0700, Peter Lees wrote:
> > VNICs inside a domU don't work very well (in fact,
> > they work fine, they
> > just don't get to see any traffic from outside the
> > domU), so if that was
> > part of your plan for Zones you'll struggle.
>
> so the upshot is that i can't talk from a non-global zone inside a domU to anything outside that domU? hmmm....

if you're using vnics created inside the domU for the zone then that appears to be the case.

you could try using shared stack zones, or creating vnics inside dom0, adding them to the domU, and then assigning them to the zone.

ed
* no-reply@opensolaris.org [2009-06-16 16:20:59]
>> VNICs inside a domU don't work very well (in fact,
>> they work fine, they
>> just don't get to see any traffic from outside the
>> domU), so if that was
>> part of your plan for Zones you'll struggle.
>
> so the upshot is that i can't talk from a non-global zone inside a
> domU to anything outside that domU? hmmm....

If you use VNICs and exclusive IP stacks, that's correct. For the shared IP stack it should work just fine (because it uses only a single MAC address).

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
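
Added illustration (not part of any message in this thread, and not Solaris or xVM code): a toy model of the "non-learning switch" behaviour described above, beside a learning bridge of the kind the Linux comparison assumed, run over the three zone setups the thread discusses. The MAC addresses, port names and the `Switch` class are constructed for the example; the modelling assumption, taken from the thread, is that the static switch hands a frame to a guest port only when the destination MAC was assigned to that port.

```python
# Added illustration, not Solaris/xVM code. MACs and port names are constructed.
DOMU_MAC = "00:16:3e:00:00:01"    # MAC assigned to the domU's port from dom0
DOM0_VNIC = "00:16:3e:00:00:02"   # second VNIC created in dom0, given to the domU
INNER_MAC = "02:08:20:00:00:aa"   # VNIC created inside the domU for a zone
PEER_MAC = "00:1b:21:00:00:99"    # host outside the domU


class Switch:
    def __init__(self, learning):
        self.learning = learning
        self.table = {}                      # MAC -> port

    def assign(self, port, mac):
        self.table[mac] = port

    def forward(self, in_port, src, dst):
        """Return the egress port, "flood", or None when no guest port gets it."""
        if self.learning:
            self.table[src] = in_port        # learn which port src lives behind
        if dst in self.table:
            return self.table[dst]
        return "flood" if self.learning else None


def reply_reaches(switch, guest_port, guest_mac):
    """Guest sends to the peer, the peer answers: does the answer come back?"""
    switch.forward(guest_port, guest_mac, PEER_MAC)
    return switch.forward("uplink", PEER_MAC, guest_mac) in (guest_port, "flood")


def build(learning):
    sw = Switch(learning)
    sw.assign("uplink", PEER_MAC)
    sw.assign("domu-port0", DOMU_MAC)        # the domU's own interface
    sw.assign("domu-port1", DOM0_VNIC)       # extra VNIC made in dom0 for a zone
    return sw


def scenarios(learning):
    return {
        "shared-IP zone (domU MAC)": reply_reaches(build(learning), "domu-port0", DOMU_MAC),
        "exclusive-IP zone, VNIC made in domU": reply_reaches(build(learning), "domu-port0", INNER_MAC),
        "exclusive-IP zone, VNIC made in dom0": reply_reaches(build(learning), "domu-port1", DOM0_VNIC),
    }


if __name__ == "__main__":
    for kind, learning in (("static (as described)", False), ("learning bridge", True)):
        for name, ok in scenarios(learning).items():
            print(f"{kind:24} {name:40} {'reachable' if ok else 'no inbound traffic'}")
```

For a DMZ-in-a-box layout, the static case means zone-to-outside reachability is decided by which MACs dom0 has assigned to the domU, not by what the guest configures internally.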