How to build zones that are in a different subnet/vlan than the global, and have them route correctly

AKA: vlan tagging, zones, and independent routing from the zones

================================
The IP details for this example.
================================

global dracko = 10.220.128.125 255.255.255.0 GW 10.220.128.11

zone dracko-zn1 = 10.220.44.20 255.255.255.0 GW 10.220.44.10 VLAN 44

zone dracko-zn2 = 10.220.43.20 255.255.255.0 GW 10.220.43.10 VLAN 43

====================================
1. add the netmasks to /etc/netmasks
====================================

dracko:/: cat /etc/netmasks
10.220.128.0 255.255.255.0
10.220.44.0 255.255.255.0
10.220.43.0 255.255.255.0

===================================
2. DO NOT add to /etc/defaultrouter
===================================

dracko:/: cat /etc/defaultrouter
10.220.128.11

Only the global zone's own gateway belongs here. The gateways for the zone subnets (10.220.44.10 and 10.220.43.10) are set per zone with zonecfg in step 6; the global zone has no address on those VLANs, so it could not reach those gateways anyway.

==================
3. Plumb the VLANS
==================

The VLAN interface name is the driver name followed by the VLAN PPA, which is (VLAN ID * 1000) + the adapter instance number:

Our main NIC is e1000g0 (driver e1000g, instance 0) so:

e1000g + (44 * 1000 + 0) = e1000g44000 for VLAN 44
e1000g + (43 * 1000 + 0) = e1000g43000 for VLAN 43

The switch port that e1000g0 is plugged into must be a trunk carrying VLANs 43 and 44 tagged; the global zone's own traffic on 10.220.128.0/24 stays untagged on e1000g0.

dracko:/: ifconfig e1000g44000 plumb up
dracko:/: ifconfig e1000g43000 plumb up

===============
4. Now we have:
===============

dracko:/: ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849 mtu 8232 index 1
zone dracko-zn1
inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849 mtu 8232 index 1
zone dracko-zn2
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843 mtu 1500 index 2
inet 10.220.128.125 netmask ffffff00 broadcast 10.220.128.255
ether 0:14:4f:7e:56:46
e1000g43000: flags=201000842 mtu 1500 index 4
inet 0.0.0.0 netmask 0
ether 0:14:4f:7e:56:46
e1000g44000: flags=201000842 mtu 1500 index 3
inet 0.0.0.0 netmask 0
ether 0:14:4f:7e:56:46

dracko:/: dladm show-link
e1000g0 type: non-vlan mtu: 1500 device: e1000g0
e1000g44000 type: vlan 44 mtu: 1500 device: e1000g0
e1000g43000 type: vlan 43 mtu: 1500 device: e1000g0
e1000g1 type: non-vlan mtu: 1500 device: e1000g1
e1000g2 type: non-vlan mtu: 1500 device: e1000g2
e1000g3 type: non-vlan mtu: 1500 device: e1000g3

=====================
5. Make it permanent:
=====================

touch /etc/hostname.e1000g44000
touch /etc/hostname.e1000g43000

DO NOT put anything in these files! An empty /etc/hostname.<interface> file makes the boot scripts plumb the interface with no address, which is exactly what we want: the global zone should have no IP on the zone VLANs. If you put an address in them, the global zone itself ends up on 10.220.44.0/24 or 10.220.43.0/24.

==========================
6. Modify each zone config
==========================

dracko:/: zonecfg -z dracko-zn1
zonecfg:dracko-zn1> remove net
zonecfg:dracko-zn1> add net
zonecfg:dracko-zn1:net> set physical=e1000g44000   <---- the VLAN device, not e1000g0
zonecfg:dracko-zn1:net> set address=10.220.44.20
zonecfg:dracko-zn1:net> set defrouter=10.220.44.10  <---- set default route here, not in the global
zonecfg:dracko-zn1:net> end
zonecfg:dracko-zn1> verify
zonecfg:dracko-zn1> commit
zonecfg:dracko-zn1> exit

The defrouter property needs Solaris 10 10/08 or later. remove net asks for confirmation if the zone has more than one net resource, and the new configuration only takes effect when the zone is (re)booted.

Note: rinse and repeat for all zones (dracko-zn2 gets physical=e1000g43000, address=10.220.43.20 and defrouter=10.220.43.10)

=================
7. boot the zones
=================

dracko:/: zoneadm -z dracko-zn1 boot
dracko:/: zoneadm -z dracko-zn2 boot
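Steps 3, 5, 6 and 7 gathered into one script, as an added example that is not code from the original page: it derives the VLAN interface name from the NIC and VLAN ID, plumbs it, creates the empty hostname file, writes the zone's net resource through a zonecfg command file, boots the zone and then checks from the global zone that the zone's default route landed on the VLAN interface. The function names, the range checks and the use of a temporary command file are mine; the NIC, VLAN IDs, addresses and zone names are the page's. Run it with ksh or bash on Solaris 10, since /bin/sh there is the legacy Bourne shell.

```sh
#!/bin/sh
# Added example: automate one shared-IP zone on a tagged VLAN (steps 3, 5, 6, 7).
# Functions and checks are the editor's, not the page's.

# Solaris 10 names a tagged VLAN interface <driver><VLAN ID * 1000 + instance>,
# so e1000g0 + VLAN 44 -> e1000g44000.  VLAN IDs run 1..4094, and the instance
# must stay below 1000 or the name would collide with another VLAN's.
vlan_ifname() {
    nic=$1; vid=$2
    inst=$(printf '%s\n' "$nic" | sed 's/^.*[^0-9]\([0-9]*\)$/\1/')
    drv=${nic%$inst}
    [ -n "$inst" ] && [ -n "$drv" ] || { echo "bad NIC name: $nic" >&2; return 1; }
    case $vid in ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;; esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
    [ "$inst" -lt 1000 ] || { echo "instance too large: $inst" >&2; return 1; }
    printf '%s%d\n' "$drv" $((vid * 1000 + inst))
}

# zonecfg(1M) command file equivalent to the interactive session in step 6.
# $1 = VLAN interface, $2 = zone address, $3 = zone default router.
# "remove net" prompts when several net resources exist, so this is for
# zones that carry a single net resource.
zone_net_cmds() {
    cat <<EOF
remove net
add net
set physical=$1
set address=$2
set defrouter=$3
end
verify
commit
EOF
}

# $1 = NIC, $2 = VLAN ID, $3 = zone, $4 = zone address, $5 = zone router.
setup_zone_vlan() {
    nic=$1; vid=$2; zone=$3; addr=$4; gw=$5
    vif=$(vlan_ifname "$nic" "$vid") || return 1
    ifconfig "$vif" plumb up                         # step 3: tagged interface, no address
    : > "/etc/hostname.$vif"                         # step 5: empty file, plumbed again at boot
    cmds=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    zone_net_cmds "$vif" "$addr" "$gw" > "$cmds"
    zonecfg -z "$zone" -f "$cmds"; rc=$?             # step 6
    rm -f "$cmds"
    [ $rc -eq 0 ] || return 1
    zoneadm -z "$zone" boot                          # step 7
    # The zone's default route lives in the shared routing table, bound to
    # the VLAN interface (what step 9 shows); fail loudly if it is missing.
    netstat -rn | grep "^default  *$gw .*$vif\$" > /dev/null ||
        { echo "no default route via $gw on $vif" >&2; return 1; }
}

# Dry run: show the interface names and zonecfg commands for the page's zones.
for spec in "44 dracko-zn1 10.220.44.20 10.220.44.10" \
            "43 dracko-zn2 10.220.43.20 10.220.43.10"; do
    set -- $spec
    vif=$(vlan_ifname e1000g0 "$1")
    printf '%s -> %s\n' "$2" "$vif"
    zone_net_cmds "$vif" "$3" "$4"
done
# To apply for real, as root in the global zone:
#   setup_zone_vlan e1000g0 44 dracko-zn1 10.220.44.20 10.220.44.10
#   setup_zone_vlan e1000g0 43 dracko-zn2 10.220.43.20 10.220.43.10
```

The dry run at the bottom only prints; setup_zone_vlan is the part that touches the system, and it stops before booting the zone if zonecfg rejects the command file.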

=================================================
8. Now lets look at the ifconfig from the global:
=================================================

dracko:/: ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849 mtu 8232 index 1
zone dracko-zn1
inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849 mtu 8232 index 1
zone dracko-zn2
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843 mtu 1500 index 2
inet 10.220.128.125 netmask ffffff00 broadcast 10.220.128.255
ether 0:14:4f:7e:56:46
e1000g43000: flags=201000842 mtu 1500 index 4
inet 0.0.0.0 netmask 0
ether 0:14:4f:7e:56:46
e1000g43000:1: flags=201000843 mtu 1500 index 4
zone dracko-zn2
inet 10.220.43.20 netmask ffffff00 broadcast 10.220.43.255
e1000g44000: flags=201000842 mtu 1500 index 3
inet 0.0.0.0 netmask 0
ether 0:14:4f:7e:56:46
e1000g44000:1: flags=201000843 mtu 1500 index 3
zone dracko-zn1
inet 10.220.44.20 netmask ffffff00 broadcast 10.220.44.255
dracko:/:

===============================
9: Netstat -nr from the global:
===============================

dracko:/: netstat -nr

Routing Table: IPv4
Destination          Gateway              Flags Ref   Use        Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.220.128.11        UG    1     12
default              10.220.44.10         UG    1     0          e1000g44000
default              10.220.43.10         UG    1     0          e1000g43000
10.220.128.0         10.220.128.125       U     1     2          e1000g0
224.0.0.0            10.220.128.125       U     1     0          e1000g0
127.0.0.1            127.0.0.1            UH    1     0          lo0
dracko:/:

The zones' default routes show up in the global zone's table because shared-IP zones use the global zone's single IP stack and routing table. They are bound to the VLAN interfaces (zoneadmd adds them when the zone boots and removes them when it halts), so the zones use them while the global zone, which has no address on those VLANs, keeps using 10.220.128.11. Two consequences worth knowing: a shared-IP zone cannot change its own routes, and any IP Filter rules for the zone's traffic have to be written in the global zone.

=================================
10: A network view from the zone:
=================================

dracko:/: zlogin -C dracko-zn1
[Connected to zone 'dracko-zn1' console]

# bash
bash-3.2#
bash-3.2# ifconfig -a
lo0:1: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g44000:1: flags=201000843 mtu 1500 index 3
inet 10.220.44.20 netmask ffffff00 broadcast 10.220.44.255
bash-3.2# netstat -nr

Routing Table: IPv4
Destination          Gateway              Flags Ref   Use        Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.220.44.10         UG    1     0          e1000g44000
10.220.44.0          10.220.44.20         U     1     1          e1000g44000:1
224.0.0.0            10.220.44.20         U     1     0          e1000g44000:1
127.0.0.1            127.0.0.1            UH    4     122        lo0:1
bash-3.2#
bash-3.2# ping 10.220.44.10
10.220.44.10 is alive <-- woohoo!

Solaris 11.3 – Bye bye resolv.conf

In the good old days, setting up DNS was just a quick edit of /etc/resolv.conf

like:

~# cat /etc/resolv.conf
search dracko.local
nameserver 192.168.128.130
nameserver 192.168.128.131

But in Solaris 11 you see this:

~# cat /etc/resolv.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.

Soooooo, here is what you do:

root@dracko2:/# svccfg -s network/dns/client
svc:/network/dns/client> setprop config/search = astring: ("dracko.local")
svc:/network/dns/client> setprop config/nameserver = net_address: (192.168.128.130 192.168.128.131)
svc:/network/dns/client> exit
root@dracko2:/# svcadm refresh dns/client
root@dracko2:/# svcadm restart dns/client

It Works!

root@dracko2:~# nslookup google.com
Server: 192.168.128.131
Address: 192.168.128.131#53

Non-authoritative answer:
Name: google.com
Address: 172.217.4.206

Now we do nsswitch.conf

# svccfg -s system/name-service/switch
svc:/system/name-service/switch> setprop config/host = astring: "files dns"
svc:/system/name-service/switch> exit

# svcadm refresh name-service/switch
# svcadm restart name-service/switch
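The same configuration driven from a legacy resolv.conf, as an added example that is not code from the original page: the first function turns the old search/domain/nameserver lines into the svccfg setprop commands shown above, and the apply step feeds them to svccfg through a command file, refreshes the service so the generated /etc/resolv.conf is rewritten, sets the hosts switch, and then verifies with svcprop and getent rather than by reading the file. The sample resolv.conf text is constructed here, and the function names are mine; a domain line is folded into the search list, which is how the resolver treats it when no search line follows.

```sh
#!/bin/sh
# Added example: migrate resolv.conf settings into SMF on Solaris 11.
# Everything outside the svccfg/svcadm/svcprop/getent calls is the editor's.

# Read resolv.conf text on stdin and print the matching svccfg(1M) commands
# for svc:/network/dns/client.  astring values are quoted, net_address
# values are bare; options and sortlist lines are ignored.
resolv_to_svccfg() {
    search=""; servers=""
    while read -r key val; do
        case $key in
            ''|'#'*|';'*) ;;                           # blank lines and comments
            domain|search) search="$search $val" ;;     # both become config/search
            nameserver) servers="$servers $val" ;;
        esac
    done
    if [ -n "$search" ]; then
        q=""
        for d in $search; do q="$q \"$d\""; done       # quote each search domain
        printf 'setprop config/search = astring: (%s)\n' "${q# }"
    fi
    if [ -n "$servers" ]; then
        printf 'setprop config/nameserver = net_address: (%s)\n' "${servers# }"
    fi
}

# $1 = legacy resolv.conf to import.  Needs root on the Solaris 11 host.
apply_dns_config() {
    cmds=$(mktemp /tmp/dns.XXXXXX) || return 1
    resolv_to_svccfg < "$1" > "$cmds"
    svccfg -s network/dns/client -f "$cmds"; rc=$?
    rm -f "$cmds"
    [ $rc -eq 0 ] || return 1
    svcadm refresh dns/client                          # rewrites the generated /etc/resolv.conf
    svcadm restart dns/client
    svccfg -s system/name-service/switch setprop config/host = astring: '"files dns"'
    svcadm refresh name-service/switch
    svcadm restart name-service/switch
    # Verify from SMF and from the resolver, not by editing resolv.conf.
    svcprop -p config/nameserver dns/client
    svcprop -p config/host name-service/switch
    getent hosts "$(hostname)" > /dev/null
}

# Constructed sample input (the page's search domain and name servers).
SAMPLE_RESOLV='search dracko.local
nameserver 192.168.128.130
nameserver 192.168.128.131
# options ndots:2 would not be migrated'

# Show the commands that would be fed to svccfg for the sample.
printf '%s\n' "$SAMPLE_RESOLV" | resolv_to_svccfg
# For real use:  apply_dns_config /etc/resolv.conf.old
```

Hand-editing /etc/resolv.conf still works until the next svcadm refresh dns/client, which is when the SMF data overwrites it, so the import above is the only change that survives.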

Setting up passwordless SSH

The steps are the same on SERVER1 and SERVER2; only the direction of the key copy differs, so where a step differs both sides are shown.

On both servers:

Check /etc/ssh/sshd_config for

PubkeyAuthentication yes

If it's not set, add it and do a:

# svcadm restart ssh

sshd uses the first value it finds for a keyword, so a commented-out "#PubkeyAuthentication yes" line is not a setting (the built-in default is yes), but an uncommented "PubkeyAuthentication no" higher up in the file wins over a "yes" appended at the bottom. Change that line rather than appending below it.

Check home directory for .ssh

If it is not there do a mkdir .ssh and chmod 700 .ssh (sshd's StrictModes check refuses keys in a group- or world-writable .ssh directory).

If it is there verify that it contains:

-rw-r--r-- 1 jcore 399 Jun 21 08:59 authorized_keys
-rw-r--r-- 1 jcore 399 Jun 21 08:59 authorized_keys2
-rw------- 1 jcore 887 Jun 21 09:00 id_rsa
-rw-r--r-- 1 jcore 231 Jun 21 09:00 id_rsa.pub

If ~/.ssh/ does not contain the 4 files do the following:

# ssh-keygen -t rsa

Hit return for all questions, DO NOT SET A PASSPHRASE

A key with no passphrase is a plaintext credential: whoever can read id_rsa can log in as that user on the other server, so the 0600 mode on id_rsa matters, and on the receiving side the entry in authorized_keys can be tied down with from="<the other server's address>" and command="..." options when the key is only meant for one job. authorized_keys2 is a legacy name from the OpenSSH 2.x/3.0 transition; appending to authorized_keys is what matters, and the second copy is harmless but not required.

Copy ~/.ssh/id_rsa.pub to the other server

On SERVER1:

scp ~/.ssh/id_rsa.pub ${LOGIN}@${SERVER2}:${SERVER1}.id_rsa.pub

On SERVER2:

scp ~/.ssh/id_rsa.pub ${LOGIN}@${SERVER1}:${SERVER2}.id_rsa.pub

Now on each server, append the key that arrived from the other side:

On SERVER1:

# cat ${SERVER2}.id_rsa.pub >> ~/.ssh/authorized_keys
# cat ${SERVER2}.id_rsa.pub >> ~/.ssh/authorized_keys2
# rm -f ${SERVER2}.id_rsa.pub

On SERVER2:

# cat ${SERVER1}.id_rsa.pub >> ~/.ssh/authorized_keys
# cat ${SERVER1}.id_rsa.pub >> ~/.ssh/authorized_keys2
# rm -f ${SERVER1}.id_rsa.pub

Test:

On SERVER1: ssh SERVER2
On SERVER2: ssh SERVER1

Or Script it!

From SERVER1, with LOGIN and SERVER2 set in the environment (SERVER2 must already have its own ~/.ssh/id_rsa.pub for the copy back to work):

[ -f ~/.ssh/id_rsa ] || ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
echo "now doing copies to ${SERVER2} - you will need the password"
scp ~/.ssh/id_rsa.pub ${LOGIN}@${SERVER2}:id_rsa.pub
ssh ${LOGIN}@${SERVER2} 'if [ ! -d .ssh ]; then mkdir .ssh; chmod 700 .ssh; fi'
ssh ${LOGIN}@${SERVER2} 'cat id_rsa.pub >> .ssh/authorized_keys'
ssh ${LOGIN}@${SERVER2} 'cat id_rsa.pub >> .ssh/authorized_keys2; rm id_rsa.pub'
scp ${LOGIN}@${SERVER2}:.ssh/id_rsa.pub remote.id_rsa.pub
cat remote.id_rsa.pub >> ~/.ssh/authorized_keys
cat remote.id_rsa.pub >> ~/.ssh/authorized_keys2
rm -f remote.id_rsa.pub
# match only an uncommented setting; a "#PubkeyAuthentication yes" comment would fool a plain grep
grep '^PubkeyAuthentication[[:space:]]*yes' /etc/ssh/sshd_config > /dev/null
if [ $? -ne 0 ]
then
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
svcadm restart ssh
fi

The Bottom Line

1. Each server MUST have PubkeyAuthentication yes in /etc/ssh/sshd_config (and, if the user is root, a PermitRootLogin setting that allows it; the Solaris default is no)
2. Each server user (aka root) MUST have an id_rsa and an id_rsa.pub in .ssh/, because you have to swap public keys between servers
3. You concatenate server B's id_rsa.pub to server A's .ssh/authorized_keys and .ssh/authorized_keys2
4. You concatenate server A's id_rsa.pub to server B's .ssh/authorized_keys and .ssh/authorized_keys2
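A preflight check for the steps above, as an added example that is not code from the original page: it checks what sshd itself checks before accepting a key (that .ssh and id_rsa are not readable or writable by anyone else), reads PubkeyAuthentication the way sshd does (first uncommented value wins, absent means yes), and lists the authorized_keys entries that carry no from= restriction, so that a passphrase-less key can be tied to the one server that should use it. Function names, the constructed sample files and the directory layout are mine; the sshd behaviour is standard OpenSSH. The permission check parses ls -l because Solaris 10 has no stat(1), and the config check uses awk's tolower, so on Solaris 10 run it with nawk or /usr/xpg4/bin/awk.

```sh
#!/bin/sh
# Added example: preflight checks for passwordless SSH between two hosts.
# Functions are the editor's; they take paths so they can run on test files.

# sshd's StrictModes rejects ~/.ssh and the private key if group or other
# have any access.  Characters 5-10 of the ls -l mode string are those bits.
private_to_owner() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ????------) return 0 ;;
        *) echo "$1: mode $mode is not owner-only" >&2; return 1 ;;
    esac
}

# sshd takes the first uncommented value of a keyword; absent means yes.
# "#PubkeyAuthentication yes" has "#PubkeyAuthentication" as $1 and is skipped.
pubkey_enabled() {
    v=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")
    case $v in ''|yes) return 0 ;; *) return 1 ;; esac
}

# Print the comment (last field) of every authorized_keys entry that has no
# options at all or whose options lack from=.  Lines starting with a key type
# have no options; the from= test on the options prefix is a heuristic that
# does not parse quoted commas inside a command="..." option.
unrestricted_keys() {
    while read -r line; do
        case $line in
            ''|'#'*) continue ;;
            ssh-*|ecdsa-*) ;;                       # key type first: no options
            *)
                opts=${line%% ssh-*}                # options run up to the key type
                opts=${opts%% ecdsa-*}
                case $opts in *from=*) continue ;; esac ;;
        esac
        printf '%s\n' "${line##* }"
    done < "$1"
}

# $1 = home directory, $2 = sshd_config.  Reports problems, returns 1 if any.
ssh_preflight() {
    home=$1; cfg=$2; bad=0
    private_to_owner "$home/.ssh" || bad=1
    if [ -f "$home/.ssh/id_rsa" ]; then
        private_to_owner "$home/.ssh/id_rsa" || bad=1
    fi
    if ! pubkey_enabled "$cfg"; then
        echo "$cfg: PubkeyAuthentication is off (first uncommented value wins)" >&2
        bad=1
    fi
    if [ -f "$home/.ssh/authorized_keys" ]; then
        for c in $(unrestricted_keys "$home/.ssh/authorized_keys"); do
            echo "note: key '$c' has no from= restriction" >&2
        done
    fi
    return $bad
}

# Constructed sample: a home directory and an sshd_config with a typical
# mistake (a "no" left above the "yes" that was appended at the bottom).
make_sample() {
    d=$(mktemp -d /tmp/sshpf.XXXXXX) || return 1
    mkdir "$d/.ssh"; chmod 700 "$d/.ssh"
    printf 'placeholder private key\n' > "$d/.ssh/id_rsa"; chmod 600 "$d/.ssh/id_rsa"
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# keys swapped between SERVER1 and SERVER2
from="10.220.44.20" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC jcore@server2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQD jcore@backup-host
EOF
    cat > "$d/sshd_config" <<'EOF'
#PubkeyAuthentication yes
PubkeyAuthentication no
PubkeyAuthentication yes
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
ssh_preflight "$sample" "$sample/sshd_config" || echo "preflight failed for the sample, as intended"
rm -rf "$sample"
# On a real host:  ssh_preflight ~ /etc/ssh/sshd_config
```

Run as the user whose keys are being swapped; the unrestricted-key notes are advisory, while a wrong mode or a disabled PubkeyAuthentication is exactly what makes ssh silently fall back to a password prompt.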