I have been working a lot recently with kernel zones to test various aspects of the archive library. Most of my work requires connectivity to IPS publishers which I have set up on the zone, and those are usually hosted remotely on my build server. So I found myself needing networking for the test zones in order for them to be useful. However, I didn't want to go through the trouble of allocating static IP addresses for simple throwaway test stands. So I started using a private DHCP server for the zones, and I set up NAT with IP filtering so that the zones could reach the outside world through the private network.
The general idea is as follows. We build an etherstub in the host global zone and hang a virtual NIC off of it. We plumb up the vnic with a private net address and run a DHCP server on that private subnet. We then configure NAT with IP filtering and IP forwarding for that subnet over to the public network, and clients on that private net can get out to the public network.
For a zone to make use of the DHCP server, it needs its net/anet 'lower-link' set to the etherstub, which is one simple zonecfg change from the default. You can put as many zones as you like on the stub, but if you're doing lots of I/O-intensive work, spreading them over more than one physical NIC might be a good idea. Your mileage may vary, of course.
The steps to build this up follow.
First, create the etherstub for the private network and create a host vnic on it for the DHCP server. Then set a private net IP address on the vnic and check the configurations are all correct so far.
# dladm create-etherstub stub0
# dladm create-vnic -l stub0 vnic0
# ipadm create-ip vnic0
# ipadm create-addr -T static -a 192.168.0.1/24 vnic0/privaddr
# dladm show-vnic vnic0
LINK         OVER         SPEED  MACADDRESS        MACADDRTYPE  VIDS
vnic0        stub0        40000  2:8:20:83:3:95    random       0
# ipadm show-addr vnic0
ADDROBJ           TYPE     STATE   ADDR
vnic0/privaddr    static   ok      192.168.0.1/24
Next, configure NAT and enable IP forwarding for the private network. Use your public-facing vanity net name in this step (e.g. net0, as shown below).
# cat /etc/ipf/ipnat.conf
map net0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
# ipadm set-prop -p forwarding=on ipv4
Configure a simple DHCP server for the private network. Customize settings according to your preferences.
# vi /etc/inet/dhcpd4.conf
option domain-name "us.oracle.com";
option domain-name-servers 192.135.82.132, 130.35.249.41, 130.35.249.52;
default-lease-time 86400;
max-lease-time -1;
log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.120;
  option routers 192.168.0.1;
  option broadcast-address 192.168.0.255;
}
Finally, turn on IP filtering and the DHCP server.
# svcadm enable svc:/network/ipfilter:default
# svcadm enable svc:/network/dhcp/server:ipv4
To make use of the new private DHCP server, just set the etherstub's name as your zone's lower-link via zonecfg and boot the zone.
# zonecfg -z zone1 "select anet id=0;set lower-link=stub0;end"
Zones booted on the etherstub should get private net IP addresses from the DHCP server and should be able to reach the public network.
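The setup above has three places that must agree on the private subnet: the vnic address, the ipnat map rule, and the dhcpd4.conf subnet block. The following consistency check is an added example, not part of the original post; it parses constructed copies of those three pieces (mirroring the values shown above) and reports any drift between them, such as a DHCP range that hands out the router's own address.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the post's configuration (not read from a live host).
VNIC_ADDR = "192.168.0.1/24"  # address given to vnic0/privaddr
IPNAT_CONF = "map net0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto\n"
DHCPD4_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.120;
  option routers 192.168.0.1;
  option broadcast-address 192.168.0.255;
}
"""


def parse_ipnat_map(text):
    """Return the source network of the first 'map' rule in ipnat.conf, or None."""
    m = re.search(r"^map\s+\S+\s+(\S+)\s+->", text, re.M)
    return ipaddress.ip_network(m.group(1)) if m else None


def parse_dhcpd_subnet(text):
    """Return (network, range_start, range_end, router) from the first subnet block."""
    sub = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    net = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}")
    body = sub.group(3)
    rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
    rtr = re.search(r"option\s+routers\s+(\S+);", body)
    return (net, ipaddress.ip_address(rng.group(1)),
            ipaddress.ip_address(rng.group(2)), ipaddress.ip_address(rtr.group(1)))


def check_private_net(vnic_addr, ipnat_conf, dhcpd_conf):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    iface = ipaddress.ip_interface(vnic_addr)
    nat_net = parse_ipnat_map(ipnat_conf)
    net, lo, hi, router = parse_dhcpd_subnet(dhcpd_conf)
    if nat_net != iface.network:
        problems.append(f"ipnat maps {nat_net} but the vnic sits on {iface.network}")
    if net != iface.network:
        problems.append(f"dhcpd subnet {net} differs from the vnic network {iface.network}")
    if router != iface.ip:
        problems.append(f"dhcpd hands out router {router} but the vnic address is {iface.ip}")
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"dhcpd range {lo}-{hi} is not a valid range inside {net}")
    if lo <= router <= hi:
        problems.append(f"router {router} lies inside the DHCP range {lo}-{hi}")
    return problems
```

Run it against the real /etc/ipf/ipnat.conf and /etc/inet/dhcpd4.conf contents before enabling the services; an empty result means the NAT map, the DHCP pool and the vnic line up.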
This works really well for my purposes. Feel free to suggest useful updates and I'll add them in.