On Wed, Mar 14, 2007 at 11:08:49PM -0400, Russell Horn wrote:
>
> My dom0 is connected to the outside world via eth1
>
> I have a distinct /29 allocated to me which is routed to my eth1 IP
> xxx.yyy.82.76
>
<snip/>
> I have set up a dummy0 interface as follows:
>
> inet addr:xxx.yyy.93.105 Bcast:xxx.yyy.93.111 Mask:255.255.255.248
>
Hi Russell,

The following is a configuration that should work on Debian Etch (and
probably on Sarge, and on Ubuntu also). If you're running some other
distro you might like to read through this stuff anyway and see if you
can adapt it to your needs. The key is that your distribution should
support the creation of bridges in its network startup scripts. You
don't even actually need to use their startup scripts as you can just
create a bridge yourself using "brctl addbr xbr0". Anyway, read on and
see what you think.
To make this simple for people who find this in the future, we will
assume that your hosting provider gave you the block 10.0.0.0 with a
netmask of 255.255.255.248 - in other words, they gave you 10.0.0.0/29.
We'll also assume that the external ip that they gave you was
172.16.82.76/24 with a gateway of 172.16.82.1 - but these external
addresses don't matter for our purposes, they're just for illustration.
First you set up /etc/network/interfaces to create an anonymous bridge
(ie a bridge that doesn't presently have anything attached to it). We'll
call our bridge xbr0. Your interfaces config file should look like:
# /etc/network/interfaces
auto lo
iface lo inet loopback

# no config for eth0 yet

auto eth1
iface eth1 inet static
    address 172.16.82.76
    netmask 255.255.255.0
    gateway 172.16.82.1

auto xbr0
iface xbr0 inet manual
    bridge_ports none
    up ip addr add 10.0.0.1/29 dev ${IFACE}
Now bring up the bridge by doing "ifup xbr0" and check the output
of ifconfig to see that it's UP.
Okay, since we'll be routing you'll need to set up your Dom0 to
forward traffic. Do this by:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make this setting permanent across reboots, edit /etc/sysctl.conf
and make sure it contains:
net.ipv4.conf.default.forwarding=1
Now change your /etc/xen/xend-config.sxp to look like:
(network-script network-dummy)
(vif-script vif-bridge)
No, this isn't a typo! :-) For those of you from non-Debian distros,
the network-dummy script does nothing, it just contains "exit 0".
You don't need anything special in your domain configuration files, the
following is fine:
vif = [ '' ]
Okay, let's just check the state of the bridge before we start any
DomUs. You should see something like:
$ brctl show
bridge name     bridge id               STP enabled     interfaces
xbr0            8000.000000000000       no
Notice the way it has no interfaces at the moment. Let's start a domain
and then look at the bridge again:
# xm create yabba.cfg
# brctl show
bridge name     bridge id               STP enabled     interfaces
xbr0            8000.feffffffffff       no              vif1.0
Now configure your DomU as you normally would, eg:
ifconfig eth0 10.0.0.2 netmask 255.255.255.248
Then try and ping it, etc. If traffic isn't getting through, check the
firewall on Dom0. You're mostly interested in the FORWARD chain, and you
can watch it in real time to see if it's dropping packets using:
# watch iptables -vnL
or for just the FORWARD chain
# watch iptables -vnL FORWARD
So, in summary, the xen vif-bridge script will add your DomU interfaces
to a bridge that *you* configured if such a bridge exists. Also, you
don't need a dummy interface because you have given an address to the
bridge itself.
Personally, I don't use a configuration like this because there are more
secure alternatives. The downside to this configuration from a security
point of view is that the DomU decides what address it wants to have.
This allows for spoofing of addresses on your bridge. However, the
main alternative is to use pure routing and this can be much more
complicated to set up - assuming you want your DomUs to be able to talk
to one another. I'm just a bit of a control freak, that's all.
Let us know how you get on. Also, if you run into difficulties just
shout as I may have overlooked a step here.
jez
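The checks the post walks through (is the vif on the bridge, is forwarding on, is the FORWARD chain dropping DomU packets) can be scripted. The following is an added example and not part of jez's post or of Xen's own scripts; it assumes the column layout that `brctl show` and `iptables -vnL FORWARD` print (shown in the post), and the function names and the sample outputs are constructed for illustration rather than captured from a real Dom0.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that check the Dom0
# state described in the thread from the text that `brctl show` and
# `iptables -vnL FORWARD` print. The sample outputs below are constructed
# so the script runs offline; on a real Dom0 feed in the live command output.

# Print the interfaces attached to bridge $2, given `brctl show` output in $1.
# brctl prints the first interface on the bridge's own line and any further
# ones on continuation lines that hold only the interface name.
bridge_ifaces() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                       # column header line
        NF >= 3 { cur = $1 }                   # line that names a bridge
        NF >= 4 && cur == want { print $4 }    # first interface on that line
        NF == 1 && cur == want { print $1 }    # continuation line: extra interface
    '
}

# Print the DROP rules of an `iptables -vnL FORWARD` listing ($1) whose packet
# counter is non-zero; those are the rules actually discarding traffic.
forward_drops() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $3 == "DROP" && $1 != "0" { print }
    '
}

# Succeed when the value read from /proc/sys/net/ipv4/ip_forward ($1) is 1.
forwarding_on() {
    [ "$1" = "1" ]
}

# Constructed sample output (not captured from a real system).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
xbr0            8000.feffffffffff       no              vif1.0
                                                        vif2.0
xenbr1          8000.000000000000       no'

SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1428 DROP       all  --  xbr0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      xbr0    0.0.0.0/0            0.0.0.0/0
  954 88102 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Stand-alone run against the samples. On a Dom0 use instead:
#   bridge_ifaces "$(brctl show)" xbr0
#   forward_drops "$(iptables -vnL FORWARD)"
#   forwarding_on "$(cat /proc/sys/net/ipv4/ip_forward)"
echo "interfaces on xbr0:"
bridge_ifaces "$SAMPLE_BRCTL" xbr0
echo "FORWARD rules dropping packets:"
forward_drops "$SAMPLE_FORWARD"
forwarding_on 0 || echo "ip_forward is off: echo 1 > /proc/sys/net/ipv4/ip_forward"
```

The awk in `bridge_ifaces` keys on field counts rather than column positions, so it works whether brctl separates the columns with tabs (as it really does) or with spaces (as in the constructed sample). `forward_drops` compares the counter as text against "0" because `iptables -vnL` without `-x` abbreviates large counters with K/M suffixes.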
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users