Tunneling TCP connections from local zone to the global zone


Post by Drazen Kac » Fri, 31 Jul 2009 15:14:14


Say I have a global zone with an IP address on network A and a local zone
with an IP address on network B. Each of them is using its own interface and
the packets between those two networks are not routed.

However, the local zone needs some services on network A. I have two use
cases:
1. The mail relay is on network A. The local zone might need to send a mail
occasionally, so it would be nice if it could connect to the sendmail
listening only on the global zone's 127.0.0.1 which would then send the
mail to the real relay. (The real relay doesn't accept anything from
network B, even if it somehow gets routed.)

2. Some network service (a database, for example) on network A needs to be
accessed from the local zone, without any processing by programs in the
global zone.

Both of these cases could be implemented with a little programming. I
could write a daemon which would listen for TCP connections in the local
zone and transfer the data via Unix domain socket to the daemon in the
global zone which would then transfer the data to the appropriate IP
addresses reachable from the global zone.

I was wondering if there's anything in the kernel which can already do
that for me and just needs to be configured.

--
.-. .-. Yes, I am an agent of Satan, but my duties are largely
(_ \ / _) ceremonial.
|
| XXXX@XXXXX.COM
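The two-daemon design sketched in this post (a TCP listener in the local zone that hands each connection to a daemon in the global zone over a Unix domain socket, which then opens the real TCP connection) written out as an added example; this is not code from the thread. It assumes Python 3.8+ and, as the post does, that the socket path is visible from both zones (for example a directory the local zone has mounted). It adds one thing the post does not mention: the global-zone daemon only connects to an explicit allow-list of (host, port) pairs, so the relay reopens exactly the paths the local zone needs (127.0.0.1:25 for the sendmail case, the database address for the second case) rather than giving the local zone general reach into network A, which is the zone-isolation concern raised later in the thread. The wire format (one `host:port` line, answered with `OK`), the 0600 mode on the socket file and the echo server plus loopback wiring in `relay_roundtrip` are all constructed for this example.

```python
import os
import socket
import socketserver
import tempfile
import threading

def _read_line(sock, limit=256):
    """Read one line byte-by-byte so nothing past the newline is buffered; 5s timeout."""
    sock.settimeout(5)
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit and (ch := sock.recv(1)):
        buf += ch
    sock.settimeout(None)
    return buf.decode("ascii", "replace").strip()

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close dst so the EOF propagates."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _splice(request, other):
    t = threading.Thread(target=_pump, args=(other, request), daemon=True)
    t.start()
    _pump(request, other)
    t.join()
    other.close()  # `request` is closed by socketserver when the handler returns

def _background(server):
    server.daemon_threads = True  # one handler thread per accepted connection
    threading.Thread(target=server.serve_forever, kwargs={"poll_interval": 0.05}, daemon=True).start()
    return server

def start_global_daemon(sock_path, allowed):
    """Global-zone side: reads one 'host:port' line from the Unix socket (a path the local
    zone can reach) and connects onward only if (host, port) is on the allow-list."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            try:
                host, _, port = _read_line(self.request).rpartition(":")
                target = (host, int(port) if port.isdigit() else -1)
                if target not in allowed:
                    return  # refused: closed without an OK, so the local side just sees EOF
                upstream = socket.create_connection(target)
            except OSError:
                return  # malformed request, read timeout or target unreachable
            self.request.sendall(b"OK\n")
            _splice(self.request, upstream)
    server = socketserver.ThreadingUnixStreamServer(sock_path, Handler)
    os.chmod(sock_path, 0o600)  # assumed policy: only the relay's own uid may connect
    return _background(server)

def start_local_forwarder(listen, sock_path, target):
    """Local-zone side: plain TCP listener; each client gets its own tunnel to the daemon."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            tunnel = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                tunnel.connect(sock_path)
                tunnel.sendall(f"{target[0]}:{target[1]}\n".encode("ascii"))
                if _read_line(tunnel) != "OK":
                    raise OSError("global-zone daemon refused the target")
            except OSError:
                tunnel.close()  # the client socket is closed by socketserver on return
                return
            _splice(self.request, tunnel)
    return _background(socketserver.ThreadingTCPServer(listen, Handler))

def start_echo_server():
    """Constructed stand-in for the service on network A: echoes bytes back."""
    class Echo(socketserver.BaseRequestHandler):
        def handle(self):
            _pump(self.request, self.request)
    return _background(socketserver.ThreadingTCPServer(("127.0.0.1", 0), Echo))

def relay_roundtrip(payload, target_allowed=True):
    """Push payload client -> local forwarder -> global daemon -> echo, all on loopback."""
    echo = start_echo_server()
    sock_path = os.path.join(tempfile.mkdtemp(), "relay.sock")
    gsrv = start_global_daemon(sock_path, {echo.server_address} if target_allowed else set())
    lsrv = start_local_forwarder(("127.0.0.1", 0), sock_path, echo.server_address)
    try:
        cli = socket.create_connection(lsrv.server_address, timeout=5)
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        out = b"".join(iter(lambda: cli.recv(65536), b""))
    except OSError:
        out = b""  # a refused relay surfaces as a reset or an immediate EOF
    finally:
        for s in (gsrv, lsrv, echo):
            s.shutdown()
            s.server_close()
    return out
```

For the first use case the global-zone daemon would be started with `allowed={("127.0.0.1", 25)}` and the forwarder in the local zone would listen on that zone's own address with `target=("127.0.0.1", 25)`, so the zone's MTA simply points at the forwarder as its smart host; the second case is the same with the database address on the allow-list. The allow-list is the part worth keeping whatever language the real daemon ends up in: without it the relay is a general-purpose SOCKS-like hole from network B into network A, and the request line is read one byte at a time deliberately, so that no client bytes after the header are swallowed into a buffer before the two sockets are spliced.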

Post by Michael We » Sat, 01 Aug 2009 17:54:22

Drazen Kacar wrote at 30.07.2009 08:14

No.

This would destroy the privacy of a zone. It is intended that processes
in a zone cannot communicate with procs/interfaces/devices or whatever
in another zone.

If you wish to implement such a "feature", you have to look for process
privileges, I think.

Michael

Post by Drazen Kac » Sun, 02 Aug 2009 03:35:52


But they can when using TCP connections and I don't see any difference
between TCP and other communication methods. It would be nicer to have
in-kernel mechanisms to avoid userland daemon overheads. And to avoid writing
that daemon code.


I want two zones to minimize downtime. The machines I have in mind run
only Java application servers and a trivial application upgrade involves
20-30 minutes of downtime because JVMs take too much time to compile all
the code that's involved in the upgrade process. I'd like to perform the
upgrade inside another zone and then just swap the IP addresses (and
probably some other minor details).

In order to implement that, I need to do something with the network
thingies that stand in the way. For this purpose I don't care about zone
privacy at all.


Post by Stefaan A » Wed, 19 Aug 2009 08:14:32

On Fri, 31 Jul 2009 18:35:52 +0000 (UTC)

If you can afford a bit of downtime, you can achieve this with zonecfg
followed by a reboot of the zone (which is usually quite speedy, but
e.g. heavy tomcat based apps can take a while to get going).

Otherwise, deploy an Apache reverse proxy as a front-end, point to
the active zone, and change as required (you can automate this using
Apache's load balancing features). If the applications are
Internet-facing, having a reverse proxy is a Really Good Thing(TM:).


But Solaris does :)


--
Stefaan A Eeckels
--
You know, it is almost always the case in the real world that something
is "fair" when you like it and "unfair" when you don't.
-- Jeffrey Siegal in gnu.misc.discuss

Post by Drazen Kac » Wed, 19 Aug 2009 08:49:56


It takes 5-6 minutes to start an app server. Once they started in 2
minutes, but I don't know how to repeat that miracle. :-)


I already have reverse proxy. It brought its share of problems, but it
provides a feature or two. :-)


I know. Will have to break its legs. :-)
