.de Sc
\\s-1\\$1\\s0\\$2
..
.ds cA 2006/366
.ds aR \s-1PSARC\s0
.LP
.so /shared/sac/Tools/lib/amac
.Co
.ds LF \fI\*(aR/\*(cA\fP
.ds RF \fICopyright 2006 Sun Microsystems\fP
.if n .ds CF
.IP \fBSubject:\fP 15
Stack instances: Exclusive IP stack per zone
.IP "\fBSubmitted by:\fP" 15
Erik Nordmark
.IP \fBFile:\fP 15
\*(aR/\*(cA/opinion.ms
.IP \fBDate:\fP 15
November 8th, 2006
.IP "\fBCommittee:\fP" 15
Kais Belgaied (opinion written by Rick Matthews), James Carlson, Ed Gould, 
Glenn Skinner, Bill Sommerfeld, Gary Winiger.
.IP "\fBProduct Approval Committee:\fP" 15
Solaris PAC
.br
solaris-pac@sun.com
.pn 2
.NH
Summary
.LP
This case proposes an extension to zones to allow (as an option) a zone's
IP networking be completely separate from the IP networking in other zones.
This separation can isolate a zone's IP networking from the global zone as well.
.NH
Decision & Precedence Information
.LP
This project is approved as specified in reference [1] but as modified by the
required technical changes listed in Appendix A below.
.LP
The project may be delivered in a micro or patch release of Solaris.
.NH
Interfaces
.LP
\." this information, listing imported interfaces in a separate table from
\." interfaces being exported.  Two skeleton tables appear below; fill them in
The project exports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Exported
_
Interface	Classification	Comments
_
.TH
zonecfg extensions		T{
.na
[8], The existing zonecfg syntax
was classified as Evolving in [9].
T}
  ip-type property	Committed

zoneadm extensions		[7]
  -l list_option	Committed
  -v/-p output format	Committed

dladm extensions		[2]
  in show-linkprop	Committed	displays zone
  in set-linkprop	Committed	specifies zone

privileges(5)		[6]
PRIV_SYS_IP_CONFIG	Committed	T{
.na
The privilege names in [10] are stable.
T}

Extensions to zone xml	Project Private	Introduced by [9]
zone_create flags	Project Private	excl or shared
zone_add_ifname()	Project Private	T{
.na
restrict=yes implementation
T}
zone_remove_ifname()	Project Private
zone_ifname_lookup()	Project Private

netstack_register()	Project Private	Akin to zone_key_create()
netstack_unregister()	Project Private

netstack_get_current()	Project Private	For xx_open lookups, etc.
netstack_find_by_cred()	Project Private
netstack_find_by_stackid()	Project Private
netstack_hold()	Project Private
netstack_rele()	Project Private
netstackid_to_zoneid()	Project Private
zoneid_to_netstackid()	Project Private

kstat_create_netstack()	Project Private	T{
.na
For kstats made visible for one netstack.
T}
kstat_destroy_netstack()	Project Private

netstack_handle_t	Project Private	T{
.na
For modules that need to walk all netstacks.
T}
netstack_next_init()	Project Private	
netstack_next_fini()	Project Private	
netstack_next()	Project Private	

secpolicy_ip_config()	Consolidation Private

net_register()	Consolidation Private	T{
.na
[4], added zoneid argument, introduced in [11]
T}
net_lookup()	Consolidation Private	T{
.na
[3], added zoneid argument, introduced in [11]
T}
net_walk()	Consolidation Private	T{
.na
[5], added zoneid argument, introduced in [11]
T}

hook_run()	Project Private	Introduced in [11]

platform.xml	Project Private	Introduced in [12]
.TE
.LP
The project imports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Imported
_
Interface	Classification	Comments
_
.TH
zone_key_create	Consolidation Private	
.TE
.NH
Opinion
.LP
.NH 2
zoneadm list
.LP
The project proposed exposing zone-specific information for IP networking
from zoneadm list. The IP networking configuration of a zone should instead
be displayed with dladm show-linkprop and be removed from zoneadm. Some
members of the committee were concerned that adding networking specifics
to zoneadm list was contrary to every other means (such as file systems)
of exposing zone-specific information. This issue resulted in TCR-1.
.NH 2
Use of zoneid
.LP
The net_* functions (net_register, net_lookup, net_walk) require a zoneid
argument. We need to raise the stability of the zoneid, as provided by
netstackid_to_zoneid(), to Consolidation Private.  This issue resulted in
TCR-2.
.NH 2
Use of the global zone
.LP
This project interacts with individual zones as well as the global zone.
Portions of the documentation did not state clearly how the feature relates
to the global zone. This should be clarified in the documentation.
.NH 2
Future Direction for this project
.LP
The project as proposed is complete and useful on its own, but
substantially duplicates a capability provided by two current virtual
machine projects (LDOMS, FWARC 2005/633, and Xen, PSARC 2006/260).
.LP
Its promise is greatest as a basis for certain other future capabilities
which are not entirely practical in a virtual machine environment, but
the project team was insistent during the review that the future work,
while reasonable, was not planned.
.NH 3
Secure observability from the global zone
.LP
After a successful attack on a zone, the software in that zone may be
compromised in subtle ways, altering the behavior of tools such as
"netstat" within that zone. It should be possible to use the global
zone's copy of tools such as "netstat" from the global zone to
accurately observe kernel state associated with the zone and its stack
instance. The project team suggested using mdb, but mdb is not really
suitable for this purpose.
.NH 3
Zones vs. virtual machines
.LP
The committee is concerned that should these follow-on projects not
materialize, we will further confuse customers as to the relative
applicability of zones vs. virtual machines, and create a maintenance
and support burden for the groups working on and near the Solaris IP
stack.
.NH
Minority Opinion(s)
.LP
None.
.NH
Advisory Information
.LP
None.
.NH
Appendices
.NH 2
Appendix A: Technical Changes Required
.LP
\." The formatting that works best is:
.RS
.IP 1.
The project must not use zoneadm list -l to display IP instances.
This function should be added to dladm rather than zoneadm.
.IP 2.
The netstackid interface and routines that manipulate it must be Consolidation
Private.
.RE
.NH 2
Appendix B: Technical Changes Advised
.LP
None.
.NH 2
Appendix C: Reference Material
.LP
All path names are relative to the case directory (\*(aR/\*(cA).
.IP 1
Project Specification - final.materials/si-interfaces.pdf
.br
.IP 2
manpage - final.materials/dladm.1m.txt
.br
.IP 3
manpage - commitment.materials/net_lookup.9f.txt
.br
.IP 4
manpage - commitment.materials/net_register.9f.txt
.br
.IP 5
manpage - commitment.materials/netstat.1m.txt
.br
.IP 6
manpage - commitment.materials/net_walk.9f.txt
.br
.IP 7
manpage - commitment.materials/privileges.5.txt
.br
.IP 8
manpage - commitment.materials/zoneadm.1m.txt
.br
.LP
The following PSARC cases are referenced in this opinion, and can
be found in the appropriate PSARC case directory:
.IP 9
PSARC 2002/174 Virtualization and Namespace Isolation in Solaris
.br
.IP 10
PSARC 2002/188 Least privilege for Solaris
.br
.IP 11
PSARC 2005/334 Packet Filtering Hooks APIs
.br
.IP 12
PSARC 2005/471 BrandZ: Support for non-native zones
.br
