Sun Microsystems 10 用户手册
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
•
In order to avoid communication between the local zones through the shared TCP/IP stack,
reject routes must be set in the global zone that prevent communication between the IP
addresses of the two zones (or the use of ipfilter).
route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject
route add 192.168.200.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.200.1 -interface -reject
reject routes must be set in the global zone that prevent communication between the IP
addresses of the two zones (or the use of ipfilter).
route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject
route add 192.168.200.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.200.1 -interface -reject
•
Zones can now be booted up for operation:
zoneadm -z zone1 boot, zoneadm -z zone2 boot
zoneadm -z zone1 boot, zoneadm -z zone2 boot
•
The reject route leads to the complete prevention of communication between zone1 and
zone2 which, however, is required in this scenario according to the above specifications.
Therefore, the configured default router must support NAT. It must convert the address
192.168.102.1 into the address 192.168.202.1.
Communication via the NAT router thereby bypasses the reject routes.
zone2 which, however, is required in this scenario according to the above specifications.
Therefore, the configured default router must support NAT. It must convert the address
192.168.102.1 into the address 192.168.202.1.
Communication via the NAT router thereby bypasses the reject routes.
•
Option: To allow communication between the global and the local zone, an interface that is
located in the logical network of the local zone must be configured in the global zone.
located in the logical network of the local zone must be configured in the global zone.
The procedure is as follows:
•
An HTTP request is made to zone zone1 from the outside.
•
It is able to process parts of the request by itself but another part must come from the
application server that is addressed via the address 192.168.102.1.
application server that is addressed via the address 192.168.102.1.
•
This address is routed via the NAT router which converts the address into the address
192.168.202.1 on the other side.
192.168.202.1 on the other side.
•
This is the address of zone zone2 which carries the application server that processes the
missing parts of the request and sends them back through the existing connection.
missing parts of the request and sends them back through the existing connection.
92
bge0 - 192.168.1.1
bge1 - 0.0.0.0
bge2 - 0.0.0.0
bge3 - 0.0.0.0
bge2 - 0.0.0.0
bge3 - 0.0.0.0
reject route 192.168.201.1 ↔ 192.168.202.1
reject route 192.168.200.1 ↔ 192.168.202.1
reject route 192.168.200.1 ↔ 192.168.202.1
Global Zone
bge2:2 - 192.168.202.1
Zone 2
bge1:1 - 192.168.201.1
bge3:1 - 192.168.200.1
Def router - 192.168.200.2
bge3:1 - 192.168.200.1
Def router - 192.168.200.2
Zone 1
192.168.1.0
Network
192.168.201.0
Network
NAT
router
router
NAT: 192.168.102.1 --> 192.168.202.1
192.168.202.0
Network
192.168.202.2
192.168.201.2
Addressing
zone 2 as
192.168.102.1
zone 2 as
192.168.102.1
192.168.200.2