Exclusive VNICS in Solaris 11 zones

Discussions about using Solaris guests in VirtualBox.
scouzi
Posts: 1
Joined: 5. Nov 2012, 13:30

Exclusive VNICS in Solaris 11 zones

Post by scouzi »

I'm having problems configuring VNICS in Zones on VirtualBox WIN7 Host with Solaris 11 guest. It seems that VirtualBox does not like the virtual MAC addresses of the VNICS associated with the zone. I can network between the global zone and the NGZ but I cannot communicate with the other hosts within the subnet from the NGZ. I can't even reach the gateway. Seems that VirtualBox discards the packets because it is unaware of these VNICS.

Does VirtualBox support this? Is there a workaround to allow the Zones within a Solaris 11 VM (on VirtualBox Host) to be part of a subnet? The global zone networking is working fine.
PavelAnni
Posts: 1
Joined: 7. Mar 2013, 19:35

Re: Exclusive VNICS in Solaris 11 zones

Post by PavelAnni »

I'm having the same problem. I'm trying to make zones visible from outside using VNICs inside the Solaris VM, but to no avail. The only workaround I found is to create another VBox NIC and use it as a plain physical NIC inside Solaris for the zone. But it doesn't help me as I'm trying to create a DEMO and this doesn't demonstrate what I want.
I'll be glad to hear a confirmation that VBox doesn't support multiple MAC addresses per NIC. Don't want to spend too much time trying... :-)
ionuion
Posts: 1
Joined: 27. Oct 2013, 12:41

Re: Exclusive VNICS in Solaris 11 zones

Post by ionuion »

Hi guys.

I solved this problem on my machine.
Provided you have only one bridge interface that the Solaris virtual machine is bound to, in the VirtualBox configuration you need to put that interface's Promiscuous mode field to 'Allow both'.
Then, after starting the global and non-global zones, put snoop to work:

Code:

root@globalzone # nohup snoop -d net0 &

Now you should be able to ping the global and non-global zones from outside the global zone and ping the gateway and other machines on the network from within non-global zones.

Be aware that the snoop process produces a dump file which increases in size pretty quickly and you could run out of disk space if left.

I don't know why it works or why snoop is necessary. If you want the reference, google for "How to get Solaris 11 VNICs in a Virtualbox VM to work - kind of" with quotes.
Zupport
Posts: 1
Joined: 18. Jan 2014, 15:49

Re: Exclusive VNICS in Solaris 11 zones

Post by Zupport »

I did the below on VirtualBox with Promiscuous: Allow All and could ping the net0 and vnics!

dladm create-bridge esxbridge
dladm create-etherstub esxswitch0
dladm set-linkprop -p mtu=1500 esxswitch0
dladm add-bridge -l esxswitch0 esxbridge
dladm add-bridge -l net0 esxbridge
dladm create-vnic -l esxswitch0 vnic1
ipadm create-ip vnic1
ipadm create-addr -T static -a 192.168.1.121/24 vnic1/v4
dladm create-vnic -l esxswitch0 vnic2
ipadm create-ip vnic2
ipadm create-addr -T static -a 192.168.1.122/24 vnic2/v4

root@solaris5:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
esxbridge0          bridge    1500   up       esxswitch0 net0
esxswitch0          etherstub 1500   up       --
vnic1               vnic      1500   up       esxswitch0
vnic2               vnic      1500   up       esxswitch0

(note the change in bridgename)

The bridge between the physical (net0) and the vnics seems to be required. I will test this on VMware and post an update.
Akame
Posts: 1
Joined: 10. Oct 2014, 22:39

Re: Exclusive VNICS in Solaris 11 zones

Post by Akame »

Hi,

Thanks Zupport,

I actually tried something similar on VMware Workstation as well, works perfectly without having to have the tcpdump/snoop running in the background to keep net0 in promiscuous mode.

Here is what I have, makes no sense, but works somehow.

Code:

# dladm create-bridge bridge
# dladm create-etherstub switch0
# dladm set-linkprop -p mtu=1500 switch0
# dladm add-bridge -l switch0 bridge
# dladm add-bridge -l net0 bridge
# dladm create-vnic -l net0  vnet0
# dladm create-vnic -l net0  vnet1

Code:

# dladm 
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
bridge0             bridge    1500   up       net0 switch0
switch0             etherstub 1500   up       --
vnet0               vnic      1500   up       net0
momo/vnet0          vnic      1500   up       net0
vnet1               vnic      1500   up       net0
shido/vnet1         vnic      1500   up       net0

So I am not even using the bridge/etherstub with the vnics, but now these vnics inside the zones are pingable.

Hope it helps someone!

Cheers.
pburdine
Posts: 1
Joined: 5. Nov 2014, 16:26

Re: Exclusive VNICS in Solaris 11 zones

Post by pburdine »

The issue here is that VirtualBox (and VMware, OVM, etc.) all assign a MAC address to the VM when it gets created. It only expects the VM to talk using that MAC address, and the virtual switches they make internally don't learn MAC addresses like a normal switch does. Because of this, normally only packets that go to the VM-provided MAC work.

To work around this you have to do 2 things:
1) Enable promiscuous mode in the host VM (VirtualBox, VMware, etc.) -- NOTE that this doesn't actually enable promiscuous mode automatically in the guest OS
2) Enable promiscuous mode in the NIC driver in the guest OS. This part is critical because this triggers the flag in the VM NIC driver to tell the VM host to deliver ALL the packets to the guest VM (remember that the VM host is actually the virtual NIC, so you have to tell the NIC to change its default behavior). If you were running Linux you could just put the promisc flag on the interface directly, but Solaris doesn't offer that option, which is why you need to use snoop or create a bridge.
Txalamar
Posts: 3
Joined: 12. May 2015, 21:28

Re: Exclusive VNICS in Solaris 11 zones

Post by Txalamar »

Hi all,

I came across the same problem. I wanted to use etherstub because I wanted to create a network between two zones that didn't imply any traffic in underlying datalinks. The result is that using etherstub I had to create a bridge with the physical link and the etherstub itself as indicated in this post. And, of course, activate promisc mode. This means that traffic between zones is handled by OVB... so maybe I don't understand well what an etherstub is for. As I said, I thought it was a virtual private network that could be used to communicate zones w/o intervention of underlying datalinks.

Code:

# dladm
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
vnic0               vnic      1500   up       net0
zone1/vnic0         vnic      1500   up       net0
vnic1               vnic      1500   up       net0
zone2/vnic1         vnic      1500   up       net0

This much more simple network configuration also works to communicate bridged OVB physical network with zones and between them. No need of a bridge or an etherstub. But in the same way as the version with an etherstub and a bridge if promisc mode is not activated there is not only no communication between zones and physical bridged OVB network but also between two zones. Something strange because:

Extracted from Oracle White Paper - Exploring Network Virtualization With Oracle Solaris Zones on Oracle Solaris 11 Express:

Whenever you create two or more VNICs on the same physical port, a virtual switch will be created at the MAC layer.

The effect of the creation of the virtual switch is that traffic between those VNICs is switched at the MAC layer. It does not need to leave via the physical NIC to be switched by some external piece of hardware. As long as the VNICs share the same physical NIC, and are on the same VLAN, this MAC layer virtual switch can be employed.
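
An added example, not code from any poster in this thread: a shell/awk check over `dladm show-link` text that reports whether each VNIC sits directly on a physical link, reaches one through a bridged etherstub, or is isolated on an unbridged etherstub. The sample table is constructed from the link names posted above, with `stub1` and `vnic3` invented for the unbridged case; per the posts, promiscuous mode is still needed whichever layout is used.

```shell
#!/bin/sh
# Added example. Classifies every VNIC in `dladm show-link` text by how it
# reaches a physical link: direct, bridged (via an etherstub), or isolated.

# Constructed sample: link names follow the outputs posted in this thread;
# stub1 and vnic3 are invented to show the unbridged case.
sample_links() {
cat <<'EOF'
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
esxbridge0          bridge    1500   up       esxswitch0 net0
esxswitch0          etherstub 1500   up       --
vnic1               vnic      1500   up       esxswitch0
zone1/vnic0         vnic      1500   up       net0
stub1               etherstub 1500   up       --
vnic3               vnic      1500   up       stub1
EOF
}

classify_vnics() {
    awk '
    $1 == "LINK" || NF < 5 { next }            # skip header and prompt lines
    {
        class[$1] = $2; over[$1] = $5
        for (i = 6; i <= NF; i++) over[$1] = over[$1] " " $i
        order[++n] = $1                        # keep input order for output
    }
    END {
        # A bridge with a phys member gives all of its members an uplink.
        for (b in class) {
            if (class[b] != "bridge") continue
            m = split(over[b], mem, " "); up = ""
            for (i = 1; i <= m; i++)
                if ((mem[i] in class) && class[mem[i]] == "phys") up = mem[i]
            if (up != "") for (i = 1; i <= m; i++) uplink[mem[i]] = up
        }
        for (k = 1; k <= n; k++) {
            l = order[k]; lower = over[l]
            if (class[l] != "vnic") continue
            if ((lower in class) && class[lower] == "phys") print l, "direct", lower
            else if (uplink[lower] != "") print l, "bridged", uplink[lower]
            else print l, "isolated", "-"
        }
    }'
}

sample_links | classify_vnics
```

On a live system the input would come from `dladm show-link | classify_vnics`; an `isolated` VNIC can only talk to other VNICs on the same etherstub.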