WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Network isolation - PCI passthrough question
From: Jean Baptiste FAVRE <xen-users@xxxxxxxxxxx>
Date: Tue, 21 Dec 2010 09:24:37 +0100
Delivery-date: Tue, 21 Dec 2010 00:25:47 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4D0FD1EC.5040509@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4D0F6353.9020305@xxxxxxxxxxx> <ienqak$hic$1@xxxxxxxxxxxxxxx> <4D0F6E75.9060704@xxxxxxxxxxx> <ienv5g$bdh$1@xxxxxxxxxxxxxxx> <4D0F8314.4020908@xxxxxxxxxxx> <p06240840c93565a24140@xxxxxxxxxxxxxxxxxxxxxx> <4D0FCECE.90003@xxxxxxxxxxx> <4D0FD1EC.5040509@xxxxxxxxx>
Reply-to: xen-users@xxxxxxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
On 20/12/2010 23:00, Peter Viskup wrote:
> On 12/20/2010 10:46 PM, Jean Baptiste FAVRE wrote:
>> On 20/12/2010 21:02, Simon Hobson wrote:
>>> Jean Baptiste FAVRE wrote:
>>>
>>>> I don't care about dom0 network as it's just near me (test machine) :)
>>>> But I do care about domU network and I'm not sure I understand your
>>>> "vif bridged on lo-device".
>>> I'd suggest you try manually creating a bridge with no network
>>> interfaces attached to it*. You can add an IP address directly to the
>>> bridge interface, and then the Dom0 and any DomUs you attach to it can
>>> communicate between themselves. But with no external interface attached
>>> to the bridge, nothing will have access to an outside network other than
>>> through the firewall DomU.
>>>
>>> Apart from the lack of external NIC, this is how I run my home network.
>>> I do PCI passthrough to hide a NIC (connected to an ADSL modem) from
>>> Dom0, and all outside traffic passes through the virtual firewall in
>>> order to reach the outside world.
>>>
>>> * IIRC something like this ought to do it:
>>>
>>> brctl addbr br0
>>> ip addr add w.x.y.z/n dev br0
>>> and then specify br0 when configuring VIFs in your guests.
>> Thanks for the explanations, I'll try it.
>> Regards,
>> JB
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
> 
> Hello Jean,
> I am using this configuration with bridging of an 'internal virtual'
> network for domU interconnection. Let me know in case you are
> interested and I can send you my domU config + dom0's
> /etc/network/interfaces.
> I have two servers interconnected with two Ethernet ports in bonding +
> bridge on both sides and all domU's on both servers can reach each other
> via this bridged network.
> Works pretty well.

Hello Peter,
Of course I'm interested :)

For now, I have 2 old servers for tests, both connected via 2 Ethernet
ports in bonding + bridge for WAN. The "LAN" part is used for DRBD
replication as well as live migration.

I have documented the initial setup here:
http://publications.jbfavre.org/virtualisation/cluster-xen-corosync-pacemaker-drbd-ocfs2.en

Now I've removed heartbeat/pacemaker and am trying to harden dom0
security and domU isolation.
That's why I would like to remove network stuff from dom0, but I think I
will still have the bridge in it.

Thanks anyway,
JB

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
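An added example, not code from the thread or from Xen, of the port-less bridge Simon describes, plus a check that it has not grown a physical uplink, which is the property the dom0/domU isolation JB is after depends on. Assumptions: bridge name br0, dom0 address 10.0.0.1/24, and Xen's default vifN.M naming for guest interfaces; the `brctl show` sample is constructed.

```shell
# Create the port-less bridge and give dom0 an address on it (example code, not
# from the thread). Needs root on dom0 and bridge-utils; safe to re-run.
setup_isolated_bridge() {
    br="$1"; addr="$2"
    ip link show "$br" >/dev/null 2>&1 || brctl addbr "$br"
    ip addr replace "$addr" dev "$br"
    ip link set "$br" up
}

# Read `brctl show` output on stdin and print the ports of bridge $1, one per
# line. brctl puts the first port on the bridge's own line (4th column) and any
# further ports on continuation lines that start with whitespace.
bridge_members() {
    awk -v br="$1" '
        $1 == br        { inbr = 1; if (NF >= 4) print $4; next }
        /^[^ \t]/       { inbr = 0 }
        inbr && NF == 1 { print $1 }
    '
}

# Read `brctl show` output on stdin; succeed only if every port of bridge $1 is
# a guest VIF (Xen's default vifN.M names, an assumption). Any other port
# (eth0, bond0, ...) means the "isolated" bridge has an uplink and guests on it
# are no longer confined to the firewall domU path. An empty bridge passes.
check_isolated() {
    bad=$(bridge_members "$1" | grep -v -E '^vif[0-9]+\.[0-9]+$' || true)
    if [ -n "$bad" ]; then
        printf 'bridge %s has non-VIF ports: %s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed `brctl show` output for an offline run: br0 carries only VIFs,
# xenbr0 (the WAN bridge on the bond) has bond0 as a port, as it should.
SAMPLE_BRCTL=$(printf '%b\n' \
    'bridge name\tbridge id\t\tSTP enabled\tinterfaces' \
    'br0\t\t8000.000000000000\tno\t\tvif1.0' \
    '\t\t\t\t\t\t\tvif2.0' \
    'xenbr0\t\t8000.001122334455\tno\t\tbond0' \
    '\t\t\t\t\t\t\tvif1.1')

# On a live dom0:  setup_isolated_bridge br0 10.0.0.1/24; brctl show | check_isolated br0
# Offline, against the constructed sample:
printf '%s\n' "$SAMPLE_BRCTL" | check_isolated br0 && echo "br0 is isolated"
printf '%s\n' "$SAMPLE_BRCTL" | check_isolated xenbr0 || echo "xenbr0 has an uplink (expected)"
```

Running the check from cron or a pacemaker-style monitor turns a silently mis-attached VIF or a stray `brctl addif br0 eth0` into an alert instead of a hole in the firewall-domU path.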