Sun Microsystems Systems Architecture Committee
_________________________________________________________________

Subject:       Stack instances: Exclusive IP stack per zone
Submitted by:  Erik Nordmark
File:          PSARC/2006/366/opinion.ms
Date:          November 8th, 2006
Committee:     Kais Belgaied (opinion written by Rick Matthews),
               James Carlson, Ed Gould, Glenn Skinner,
               Bill Sommerfeld, Gary Winiger.
Product Approval Committee: Solaris PAC solaris-pac@sun.com

1. Summary

This case proposes an extension to zones that allows, as an
option, a zone's IP networking to be completely separate from the
IP networking in other zones. This separation can also isolate a
zone's IP networking from the global zone.

2. Decision & Precedence Information

This project is approved as specified in reference [1], as modified
by the required technical changes listed in Appendix A below. The
project may be delivered in a micro or patch release of Solaris.

3. Interfaces

The project exports the following interfaces.

Interfaces Exported

Interface                   Classification          Comments
--------------------------  ----------------------  ----------------------------
zonecfg extensions                                  [8]. The existing zonecfg
                                                    syntax was classified as
                                                    Evolving in [9].
  ip-type property          Committed

zoneadm extensions                                  [7]
  -l list_option            Committed
  -v/-p output format       Committed

dladm extensions                                    [2]
  in show-linkprop          Committed               displays zone
  in set-linkprop           Committed               specifies zone

privileges(5)                                       [6]
  PRIV_SYS_IP_CONFIG        Committed               The privilege names in
                                                    [10] are stable.

Extensions to zone xml      Project Private         Introduced by [9]
zone_create flags           Project Private         excl or shared
zone_add_ifname()           Project Private         restrict=yes
                                                    implementation
zone_remove_ifname()        Project Private
zone_ifname_lookup()        Project Private

netstack_register()         Project Private         Akin to zone_key_create()
netstack_unregister()       Project Private

netstack_get_current()      Project Private         For xx_open lookups, etc.
netstack_find_by_cred()     Project Private
netstack_find_by_stackid()  Project Private
netstack_hold()             Project Private
netstack_rele()             Project Private
netstackid_to_zoneid()      Project Private
zoneid_to_netstackid()      Project Private

kstat_create_netstack()     Project Private         For kstats made visible
                                                    for one netstack.
kstat_destroy_netstack()    Project Private

netstack_handle_t           Project Private         For modules that need to
                                                    walk all netstacks.
netstack_next_init()        Project Private
netstack_next_fini()        Project Private
netstack_next()             Project Private

secpolicy_ip_config()       Consolidation Private

net_register()              Consolidation Private   [4], added zoneid
                                                    argument; introduced in
                                                    [11]
net_lookup()                Consolidation Private   [3], added zoneid
                                                    argument; introduced in
                                                    [11]
net_walk()                  Consolidation Private   [5], added zoneid
                                                    argument; introduced in
                                                    [11]

hook_run()                  Project Private         Introduced in [11]

platform.xml                Project Private         Introduced in [12]

The project imports the following interfaces.

Interfaces Imported

Interface                   Classification          Comments
--------------------------  ----------------------  ----------
zone_key_create             Consolidation Private

4. Opinion

4.1. zoneadm list

The project proposed exposing zone-specific IP networking
information through zoneadm list. That information should instead
be exposed through dladm show-linkprop and removed from zoneadm.
Some members of the committee were concerned that adding
networking specifics to zoneadm list was inconsistent with how
other zone-specific information (such as file systems) is
exposed. This issue resulted in TCR-1.

4.2. Use of zoneid

The net_* functions (net_register, net_lookup, net_walk) require
a zoneid argument. The stability of the zoneid, as provided by
netstackid_to_zoneid(), must therefore be raised to Consolidation
Private. This issue resulted in TCR-2.

4.3. Use of the global zone

This project interacts with individual zones as well as the
global zone. Portions of the documentation were not specific
about how the feature relates to the global zone. This should be
clarified in the documentation.

4.4. Future Direction for this project

The project as proposed is complete and useful on its own, but
substantially duplicates a capability provided by two current
virtual machine projects: LDoms (FWARC 2005/633) and Xen (PSARC
2006/260). Its promise is greatest as a basis for certain other
future capabilities which are not entirely practical in a virtual
machine environment, but the project team was insistent during
the review that the future work, while reasonable, was not
planned.

4.4.1. Secure observability from the global zone

After a successful attack on a zone, the software in that zone
may be compromised in subtle ways, altering the behavior of tools
such as "netstat" run within that zone. It should be possible to
use the global zone's own copy of tools such as "netstat", run
from the global zone, to accurately observe the kernel state
associated with the zone and its stack instance. The project team
suggested using mdb, but mdb is not really suitable for this
purpose.

4.4.2. Zones vs. virtual machines

The committee is concerned that, should these follow-on projects
not materialize, we will further confuse customers as to the
relative applicability of zones vs. virtual machines, and create
a maintenance and support burden for the groups working on and
near the Solaris IP stack.

5. Minority Opinion(s)

None.

6. Advisory Information

None.

7. Appendices

7.1. Appendix A: Technical Changes Required

1. The project must not use zoneadm list -l to display IP
   instances. This function should be added to dladm rather than
   zoneadm.

2. The netstackid interface and the routines that manipulate it
   must be Consolidation Private.

7.2. Appendix B: Technical Changes Advised

None.

7.3. Appendix C: Reference Material

All path names are relative to the case directory
(PSARC/2006/366).

1  Project Specification - final.materials/si-interfaces.pdf
2  manpage - final.materials/dladm.1m.txt
3  manpage - commitment.materials/net_lookup.9f.txt
4  manpage - commitment.materials/net_register.9f.txt
5  manpage - commitment.materials/netstat.1m.txt
6  manpage - commitment.materials/net_walk.9f.txt
7  manpage - commitment.materials/privileges.5.txt
8  manpage - commitment.materials/zoneadm.1m.txt

The following PSARC cases are referenced in this opinion, and can
be found in the appropriate PSARC case directory:

9  PSARC 2002/174 Virtualization and Namespace Isolation in Solaris
10 PSARC 2002/188 Least privilege for Solaris
11 PSARC 2005/334 Packet Filtering Hooks APIs
12 PSARC 2005/471 BrandZ: Support for non-native zones

PSARC/2006/366 Copyright 2006 Sun Microsystems