Re: [vserver] assigning less than /64 to individual guests
>>>>> "Eugen" == Eugen Leitl <email@example.com> writes:
>> If you are saying that you will allocate /80s to each vserver,
>> but actually they will not be layer-2 isolated from each other,
>> this is just an administrative partition, then I think it's a
>> good idea.
Eugen> The Linux vserver patch is a very lightweight
Eugen> virtualization. It doesn't share the network stack, shares
Eugen> the physical NIC MAC and only recently were the vserver
Eugen> guests given 127.0.0.1 that is distinct from the host's
Eugen> localhost -- as far as I know ::1 hasn't been given that
Eugen> treatment yet.
Yes, I know it well, because it added lots of namespace arguments inside
the kernel to lots of network code (like IPsec). The list of IP
addresses is per-vserver, but the list of interfaces is not.
Do the containers share the same mac address? I think so, right?
Or do you have a virtual interface adapter per vserver with a fake mac?
Eugen> How much autoconfig do I need? Each physical host will be
Eugen> given a private /64 (out of the /56 I have total), just the
Eugen> guests will be given an /80, allocated from a different /64.
I think you can just give out a separate /80, and since you won't care
about privacy extensions for a link that nobody can see or use, you
leave them off, and arrange for bit 6 to always be 0. Allocate your
/80s out of the prefix:0000::/71. Is 512 vservers per physical host enough?
Eugen> I'm not really familiar with IPv6 advanced uses, at the
Eugen> moment I'm treating it just like a bigger version of IPv4, at
Eugen> least as far as guests are concerned. I don't really know
Eugen> what users would want to run on their own /80s
If I had such a system, I'd want to put each of my HTTP 1.1 virtual
hosts on a separate IPv6 address, assuming that I didn't have separate
vservers already. Why? Because it sure makes it easier to host
different sensitivities of content (adult vs child friendly).
I'd want the mail, pop3, imap, ftp, and ssh targets to be different,
because that would let me move them around as it might make sense.
And of course, SSL port 443 (and IMAPS, and SMTPS and...) can now have
sensible CNs that match the name in DNS.
>> Permitting autoconfig to work seems like a nice thing to retain.
Eugen> If the guests can all use the host's (different) /64, will
Eugen> that work?
I think that you just want autoconfig to work well enough so that if you
install a new machine in the rack, it can autoconfig up an address
easily, and you can finish the install via ssh :-)
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] firstname.lastname@example.org http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
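The addressing plan discussed above (carve the guest /80s out of prefix:0000::/71 so that bit 6 of the interface identifier, the universal/local bit, is always 0 and the block cannot overlap an EUI-64 autoconfigured address) can be checked mechanically. The script below is an added example, not code from the thread; the host prefix, the MAC address and the helper names (`carve_guest_prefixes`, `ul_bit_is_zero`, `guest_address`, `eui64_address`) are constructed for illustration, using the RFC 3849 documentation prefix and the RFC 7042 documentation MAC range.

```python
import ipaddress

# Constructed example: the /64 one physical host receives in the plan above
# (RFC 3849 documentation prefix, not a real allocation).
HOST_PREFIX = "2001:db8:1234:5678::/64"


def carve_guest_prefixes(host_prefix, carve_len=71, guest_len=80):
    """Return the guest /80s inside host_prefix:0000::/71.

    A /71 fixes the top 7 bits of the 64-bit interface identifier to zero,
    so bit 6 (the u/l bit) is zero in every guest prefix and the block can
    never collide with an EUI-64 derived autoconfig address (whose u/l bit
    is set for a globally unique MAC).
    """
    net = ipaddress.IPv6Network(host_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 per physical host")
    carve = ipaddress.IPv6Network((net.network_address, carve_len))
    return list(carve.subnets(new_prefix=guest_len))


def ul_bit_is_zero(addr_or_net):
    """True when bit 6 of the interface identifier is 0 (RFC 4291 u/l bit).

    Bits of the IID are numbered 0..63 from the most significant bit, so
    bit 6 sits 57 positions above the least significant bit.
    """
    if isinstance(addr_or_net, ipaddress.IPv6Network):
        addr = addr_or_net.network_address
    else:
        addr = ipaddress.IPv6Address(addr_or_net)
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> (63 - 6)) & 1 == 0


def guest_address(host_prefix, guest_index, host_part=1):
    """Address for guest number guest_index: its /80 plus host_part."""
    prefixes = carve_guest_prefixes(host_prefix)
    if not 0 <= guest_index < len(prefixes):
        raise IndexError(f"only {len(prefixes)} guest /80s per host")
    net = prefixes[guest_index]
    addr = net.network_address + host_part
    if addr not in net:
        raise ValueError("host_part does not fit in the guest /80")
    return addr


def eui64_address(host_prefix, mac):
    """SLAAC-style address for mac under host_prefix (RFC 4291 Appendix A).

    Inserting ff:fe and flipping bit 6 of the first octet is what sets the
    u/l bit, which is why such addresses fall outside the /71 guest block.
    """
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    net = ipaddress.IPv6Network(host_prefix, strict=True)
    return net.network_address + int.from_bytes(eui, "big")


if __name__ == "__main__":
    prefixes = carve_guest_prefixes(HOST_PREFIX)
    print(len(prefixes), "guest /80s:", prefixes[0], "...", prefixes[-1])
    print("guest 5 ->", guest_address(HOST_PREFIX, 5))
    # Constructed MAC from the RFC 7042 documentation range.
    slaac = eui64_address(HOST_PREFIX, "00:00:5e:00:53:13")
    print("SLAAC address", slaac, "u/l bit clear:", ul_bit_is_zero(slaac))
    print("SLAAC address inside a guest /80:", any(slaac in p for p in prefixes))
```

Running it shows the 512 guest prefixes from 2001:db8:1234:5678::/80 to 2001:db8:1234:5678:1ff::/80, all with the u/l bit clear, while the EUI-64 address derived from the MAC has the bit set and lands outside the /71. Privacy extension addresses (RFC 4941) also have the u/l bit clear, so the plan relies on keeping them disabled on the guests, as the reply notes.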