
OpenSolaris governing board threatens dissolution (The H)


Posted Jul 15, 2010 17:31 UTC (Thu) by captrb (guest, #2291)
In reply to: OpenSolaris governing board threatens dissolution (The H) by jello
Parent article: OpenSolaris governing board threatens dissolution (The H)

I could be mistaken, but I believe that when I tried OpenVZ, I couldn't use a dedicated network card for the zones and had a great deal of trouble (at least without serious iptables magic) getting independent networking between the containers.

On Solaris, I can have dedicated NICs for each zone, so they can reside on physically separate LANs. This is a huge coup, since the machine can be (pretty) safely shared on two sides of a firewall.

With OpenSolaris and Crossbow, I think you can even share a physical NIC, but have distinct IP-stacks per-Zone, so that each can have its own host-level firewall and VLAN configuration. Pretty awesome.

If I remember, I was quite dismayed. I was trying to use it in a test environment because I thought it would be much easier than installing Solaris (I really hate administering Solaris, I just like what is done once it is all up and running ;-). I wasted a day of work trying to do what I needed, then eventually resorted back to Zones.



OpenSolaris governing board threatens dissolution (The H)

Posted Jul 16, 2010 13:04 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

You can give each OpenVZ machine its own network card (they are named veth1, veth2, ...). You can bridge them with your existing card, build vlans or route them using iptables etc.

AFAIR, you can also give full control over a hardware card to an OpenVZ container, but I hadn't tried that.

OpenSolaris governing board threatens dissolution (The H)

Posted Jul 17, 2010 0:42 UTC (Sat) by dlang (guest, #313) [Link] (3 responses)

the bridging solution doesn't actually work if you have multiple virtual machines on the same network.

or more precisely, it works in that it gets packets from one virtual machine to another, but it doesn't work in terms of making that traffic go through the interface that you bridge to. the host kernel will short-circuit the communication between virtual servers and not send the packets out over the wire, just deliver them to the destination if it's on the same box.

for most people this is the best thing to do, but there are cases where there are requirements for monitoring/controlling the traffic between virtual servers where you really do want to force the traffic out over the wire.

OpenSolaris governing board threatens dissolution (The H)

Posted Jul 17, 2010 14:31 UTC (Sat) by cesarb (subscriber, #6266) [Link] (2 responses)

How is this different to a normal Ethernet switch then? Nowadays, Ethernet switches also avoid sending traffic to where it is not needed. The bridge is just a virtual Ethernet switch, acting like a physical one.

OpenSolaris governing board threatens dissolution (The H)

Posted Jul 17, 2010 21:22 UTC (Sat) by dlang (guest, #313) [Link] (1 responses)

this is exactly like a normal switch, but if all you want is a normal switch you won't be asking how to dedicate a physical ethernet port to a particular virtual machine, you would just connect all the virtual machines to your virtual switch and have an 'uplink interface' out of your machine.

when you want to dedicate an ethernet port to a particular virtual machine you don't want the host OS to short-circuit traffic between virtual machines, you want the traffic between virtual machines to go out over the wire.

switching for virt envs

Posted Jul 18, 2010 13:16 UTC (Sun) by mcmanus (guest, #4569) [Link]

I understand that VEPA is the likely candidate to deal with some of the shared uplink issues of virtualization.. it basically moves all the switching functionality, including hairpin routing, back onto the switch..

impt for the sr-iov hardware too.

http://lwn.net/Articles/337547/
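
The difference discussed in this thread, as an added example that is not part of any comment above: a simplified Python model of a host learning bridge next to a VEPA-style port, showing which container-to-container frames a monitor on the physical wire would see. The class names, MAC labels and traffic are constructed for illustration; only the `veth1`/`veth2` names come from the thread.

```python
# Toy model, constructed for illustration: host software bridge vs. VEPA.
UPLINK = "uplink"
class SoftBridge:
    """Learning bridge in the host; known VM-to-VM frames are delivered locally."""
    def __init__(self, vm_ports):
        self.ports = set(vm_ports) | {UPLINK}
        self.fdb = {}    # learned MAC -> port
        self.wire = []   # frames that actually left on the physical uplink

    def receive(self, in_port, src, dst):
        self.fdb[src] = in_port                  # learn the sender's port
        out = self.fdb.get(dst)
        if out is None:
            egress = self.ports - {in_port}      # unknown destination: flood
        else:
            egress = {out} - {in_port}           # known destination: one port
        if UPLINK in egress:
            self.wire.append((src, dst))
        return egress - {UPLINK}                 # local VM ports that get the frame

class Vepa:
    """VEPA-style port: the host never switches locally, the adjacent switch does."""
    def __init__(self, mac_to_port):
        self.mac_to_port = dict(mac_to_port)
        self.wire = []

    def receive(self, in_port, src, dst):
        self.wire.append((src, dst))             # every VM frame goes out the uplink
        return self.hairpin(src, dst)

    def hairpin(self, src, dst):
        # Stand-in for the external switch reflecting the frame back down the
        # same link when the destination is another VM on this host.
        port = self.mac_to_port.get(dst)
        return {port} if port else set()

# Constructed traffic: two containers on veth1/veth2 exchanging three frames.
FRAMES = [("veth2", "mac-b", "mac-a"), ("veth1", "mac-a", "mac-b"),
          ("veth2", "mac-b", "mac-a")]

def frames_on_wire(switch):
    """Return the frames a monitor on the physical wire would observe."""
    for in_port, src, dst in FRAMES:
        switch.receive(in_port, src, dst)
    return switch.wire

if __name__ == "__main__":
    print("bridge:", frames_on_wire(SoftBridge(["veth1", "veth2"])))
    print("vepa:  ", frames_on_wire(Vepa({"mac-a": "veth1", "mac-b": "veth2"})))
```

In the bridge model only the initial flooded frame reaches the uplink; once both addresses are learned, the remaining traffic never leaves the host, which is the monitoring gap raised above.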

