The documentation for Xen mentions that iptables in dom0 may affect domUs. If iptables and ipvsadm are heavily used in a domU, how does this impact dom0?

In my particular case, I want both dom0 and ONE domU (FW_domu) to be visible to the external network (eth1). There will be several other domU's that will be behind FW_domU.

As far as the domUs are concerned, this is the layout.

        FW_domU
           |
        LB_domU
           |
  +--------+--------+
  |        |        |
domU1    domU2    domU3

What's the best way to set this up? LB_domU runs LVS (ipvsadm). Is this configuration even supported in Xen?

Thanks for any help.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, May 01, 2007 at 04:33:02PM -0700, Fong Vang wrote:

> The documentation for Xen mentions that iptables in dom0 may affect
> domUs. If iptables and ipvsadm is heavily used in a domU, how does this
> impact dom0?

Depends on how your network is setup.

> In my particular case, I want both dom0 and ONE domU (FW_domu) to be visible
> to the external network (eth1). There will be several other domU's that
> will be behind FW_domU.
>
> as far as the domUs are concerned, this is the layout.
>
>         FW_domU
>            |
>         LB_domU
>            |
>   +--------+--------+
>   |        |        |
> domU1    domU2    domU3
>
> what's the best way to set this up. LB_domU runs LVS (ipvsadm). Is this
> configuration even supported in Xen.

It's supported, but complex. You're going to have to know an awful lot about bridging, routing, and such to be able to set this up and keep it running in any sort of good order. If I were consulting on this, I'd question the underlying assumptions that have led to this design first, as there's probably some much simpler way of laying it all out. But the diagram above, if given as a virtual network layout, is certainly doable, if perhaps not optimal.

You can certainly run both iptables and ipvsadm in a Xen domU; it's been an integral part of one of my clients' setups for about 9 months now, and it works a treat.

- Matt

--
I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
On Tue, 2007-05-01 at 16:33 -0700, Fong Vang wrote:

> The documentation for Xen mentions that iptables in dom0 may affect
> domUs. If iptables and ipvsadm is heavily used in a domU, how does
> this impact dom0?
>
> In my particular case, I want both dom0 and ONE domU (FW_domu) to be
> visible to the external network (eth1). There will be several other
> domU's that will be behind FW_domU.
>
> as far as the domUs are concerned, this is the layout.
>
>         FW_domU
>            |
>         LB_domU
>            |
>   +--------+--------+
>   |        |        |
> domU1    domU2    domU3

I would combine the FW and LB. If this is just http/https load balancing try pound first, http://apsis.ch/pound/ . You will end up with far less moving parts that can break. Since this is all on one physical server, anyway, there isn't much sense in breaking them up.

I'm not saying what you sketched won't work though. With only 3 nodes you shouldn't run into too much spaghetti. Odd breakage happens more when you have more nodes, and more NATing around the LB directly to the guests.

Were you going to use a popular FW helper like Shorewall, or put something together yourself? Did you figure on using two bridges?

> what's the best way to set this up. LB_domU runs LVS (ipvsadm). Is
> this configuration even supported in Xen.

Sure, as long as there is modular support for everything you want to do (and corresponding modules to load) on the dom-u for iptables, it's no different than anything else for most purposes.

Good luck :)

--Tim
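As an added example that is not from this thread, here is the dom0 side of the two-bridge layout Tim asks about, applied to the topology in the original question: an external bridge on eth1 shared only by dom0 and FW_domU, and an internal bridge with no physical uplink for LB_domU and the backends. The bridge names, the dry-run wrapper and the address used in the test are assumptions, not anything the posters described.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the two-bridge layout in dom0:
# xenbr-ext (hypothetical name) carries eth1 and is shared by dom0 and
# FW_domU only; xenbr-int (hypothetical) has no physical uplink and carries
# LB_domU and domU1..3. Commands are echoed unless APPLY=1 is set, so the
# script can be reviewed without root.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# $1 = dom0's external address in CIDR form (constructed value in the test)
setup_bridges() {
    run brctl addbr xenbr-ext
    run brctl addif xenbr-ext eth1
    run ip link set eth1 up
    run ip link set xenbr-ext up
    # dom0 keeps its external address on the bridge, not on eth1
    run ip addr add "$1" dev xenbr-ext
    run brctl addbr xenbr-int
    run ip link set xenbr-int up
    # this is the knob behind "iptables in dom0 may affect domUs": with it
    # set, every bridged frame also traverses dom0's FORWARD chain
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# vif= line for an xm-style domU config file, chosen by the domU's role
vif_line() {
    case "$1" in
        fw)         echo "vif = [ 'bridge=xenbr-ext', 'bridge=xenbr-int' ]" ;;
        lb|backend) echo "vif = [ 'bridge=xenbr-int' ]" ;;
        *)          echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# One possible dom0 FORWARD policy once bridge-nf-call-iptables is on:
# frames staying on a bridge pass (in and out interface are both the bridge);
# anything dom0 would route between the bridges is dropped, so the only
# path from eth1 to the internal side is through FW_domU.
dom0_forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i xenbr-ext -o xenbr-ext -j ACCEPT
    run iptables -A FORWARD -i xenbr-int -o xenbr-int -j ACCEPT
}

if [ "${APPLY:-0}" = "1" ]; then
    setup_bridges "${DOM0_EXT_ADDR:?set DOM0_EXT_ADDR, e.g. 192.0.2.10/24}"
    dom0_forward_rules
fi
```

Without APPLY=1 the script only prints what it would run; with it, run as root in dom0 before the domUs are started so their vifs attach to bridges that already exist.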