Hi all,

I have been trying various failing solutions so I turn to the gurus for guidance in times of trouble.

I have a Xen 3.2-1 server running on a Debian etch (2.6.18-6-xen-vserver-686) in a remote data centre.
I also have 5 public IPs in different ranges and only one NIC.

What I want to do is simple. Have the applications running on my DomUs available to the internet.

Dom0 - Web proxy for routing to the correct Dom(2/3).
Dom1 - Mail
Dom2 - Web
Dom3 - Web

I'd like it as secure as possible.

I tried using IP aliasing on my NIC + bridge but that didn't work.
I tried nat but I can't seem to get the firewall to work properly.

In short:

                    |-> Dom0
WAN <---> eth0 <---|-> Dom1
91.111.100.50      |-> Dom2
100.10.121.30      |-> Dom3
98.66.100.125
96.130.120.14
95.85.140.121

If anyone has any advice at all, I'd greatly appreciate it. I'm at a loss.

Thanks
--
eco

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
If you are using bridging and the connection to eth0 already supports all of these addresses, you should simply assign one address to each domU directly. There is an ip= switch for the vif line in PV domUs, but I believe it is not for bridging. That said, I think you want to remove the aliases and the IPs from dom0 and manually configure the eth0 in each domU just as you would a normal machine (with an IP, netmask, gateway, etc). If the IPs can be used from dom0 and bridging is working properly, this should allow them to be used exclusively from their respective domUs.

Dustin

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Lists
Sent: Tuesday, October 21, 2008 12:24
To: xen-users
Subject: [Xen-users] Xen 3.2 Setup advice pretty please

[...]
-----Original Message-----
From: edoardo@precognet.com [mailto:edoardo@precognet.com] On Behalf Of lists@precognet.com
Sent: Tuesday, October 21, 2008 12:58
To: Dustin Henning
Subject: Re: [Xen-users] Xen 3.2 Setup advice pretty please

----- "Dustin Henning" <Dustin.Henning@prd-inc.com> wrote:
> If you are using bridging and the connection to eth0 already supports
> all of these addresses, you should simply assign one address to each
> domU directly. There is an ip= switch for the vif line in PV domUs,
> but I believe it is not for bridging. That said, I think you want to
> remove the aliases and the IPs from dom0 and manually configure the
> eth0 in each domU just as you would a normal machine (with an IP,
> netmask, gateway, etc). If the IPs can be used from dom0 and bridging
> is working properly, this should allow them to be used exclusively
> from their respective domUs.
> Dustin
> [...]

Thanks Dustin, I'll give that a go and report how I do. Does that mean the bridge can support IPs that are not clustered into one specific range (98.121.150.XXX)?
--
Eco

I believe the bridge is basically a virtual layer 2 switch. As such, it has no knowledge of layer 3 (IP in this case). That said, and after re-reading your post, it is worth mentioning that most people feel that running applications on dom0 is inherently insecure. I don't know what your web proxy does, but if it reroutes traffic based on subdomains, you should just set the subdomains to point at the proper domU IPs at your DNS server/service. On the other hand, if it does something more than that, it should (based on this security theory) be in a separate domU itself. Finally, also regarding security, you should probably run a firewall on each domU if you aren't already, as they will be exposed directly to the internet (unless they are behind a hardware firewall).

Dustin
-----Original Message-----
From: edoardo@precognet.com [mailto:edoardo@precognet.com] On Behalf Of lists@precognet.com
Sent: Tuesday, October 21, 2008 14:46
To: Dustin Henning
Subject: Re: [Xen-users] Xen 3.2 Setup advice pretty please

----- "Dustin Henning" <Dustin.Henning@prd-inc.com> wrote:
> If you are using bridging and the connection to eth0 already supports
> all of these addresses, you should simply assign one address to each
> domU directly. There is an ip= switch for the vif line in PV domUs,
> but I believe it is not for bridging. That said, I think you want to
> remove the aliases and the IPs from dom0 and manually configure the
> eth0 in each domU just as you would a normal machine (with an IP,
> netmask, gateway, etc). If the IPs can be used from dom0 and bridging
> is working properly, this should allow them to be used exclusively
> from their respective domUs.
> Dustin
> [...]

Hi Dustin,

I gave it a go and locked myself out of the box. For some reason it disabled my nic.

[
Oct 21 19:01:51 Dom0 kernel: ADDRCONF(NETDEV_UP): peth0: link is not ready
Oct 21 19:01:54 Dom0 kernel: e1000: peth0: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex
Oct 21 19:01:54 Dom0 kernel: ADDRCONF(NETDEV_CHANGE): peth0: link becomes ready
Oct 21 19:01:54 Dom0 kernel: device peth0 entered promiscuous mode
Oct 21 19:01:54 Dom0 kernel: audit(1224608514.938:2): dev=peth0 prom=256 old_prom=0 auid=4294967295
Oct 21 19:01:54 Dom0 kernel: eth0: port 1(peth0) entering learning state
Oct 21 19:01:54 Dom0 kernel: eth0: topology change detected, propagating
Oct 21 19:01:54 Dom0 kernel: eth0: port 1(peth0) entering forwarding state
Oct 21 19:02:49 Dom0 kernel: device vif4.0 entered promiscuous mode
Oct 21 19:02:49 Dom0 kernel: audit(1224608569.399:3): dev=vif4.0 prom=256 old_prom=0 auid=4294967295
Oct 21 19:02:49 Dom0 kernel: ADDRCONF(NETDEV_UP): vif4.0: link is not ready
Oct 21 19:02:50 Dom0 kernel: ADDRCONF(NETDEV_CHANGE): vif4.0: link becomes ready
Oct 21 19:02:50 Dom0 kernel: eth0: port 2(vif4.0) entering learning state
Oct 21 19:02:50 Dom0 kernel: eth0: topology change detected, propagating
Oct 21 19:02:50 Dom0 kernel: eth0: port 2(vif4.0) entering forwarding state
Oct 21 19:02:53 Dom0 kernel: e1000: peth0: e1000_watchdog: NIC Link is Down
Oct 21 19:02:53 Dom0 kernel: eth0: port 1(peth0) entering disabled state
Oct 21 19:12:43 Dom0 kernel: input: AT Translated Set 2 keyboard as /class/input/input1
Oct 21 19:15:09 Dom0 kernel: e1000: peth0: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex
Oct 21 19:15:09 Dom0 kernel: eth0: port 1(peth0) entering learning state
Oct 21 19:15:09 Dom0 kernel: eth0: topology change detected, propagating
Oct 21 19:15:09 Dom0 kernel: eth0: port 1(peth0) entering forwarding state
Oct 21 19:29:36 Dom0 kernel: e1000: peth0: e1000_watchdog: NIC Link is Down
Oct 21 19:29:36 Dom0 kernel: eth0: port 1(peth0) entering disabled state
Oct 21 19:56:09 Dom0 -- MARK --
Oct 21 20:09:11 Dom0 syslogd 1.4.1#18: restart.
Oct 21 20:09:12 Dom0 kernel: klogd 1.4.1#18, log source = /proc/kmsg started.
Oct 21 20:09:12 Dom0 kernel: Linux version 2.6.18-6-xen-vserver-686 (Debian 2.6.18.dfsg.1-22etch2) (dannf@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon Aug 18 13:34:50 UTC 2008
]

Here are my config files

# grep -v ^# xend-config.sxp|grep ..
(network-script network-nat)
(vif-script vif-nat)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 95.128.150.5
        netmask 255.255.255.0
        network 95.128.150.0
        broadcast 95.128.150.255
        gateway 95.128.150.254

test01.precognet.com.cfg

kernel = '/boot/vmlinuz-2.6.18-6-xen-vserver-686'
ramdisk = '/boot/initrd.img-2.6.18-6-xen-vserver-686'
memory = '64'
root = '/dev/sda2 ro'
disk = [
    'phy:/dev/vm/test01.precognet.com-swap,sda1,w',
    'phy:/dev/vm/test01.precognet.com-disk,sda2,w',
]
name = 'test01'
vif = [ 'mac=00:16:3E:36:A5:FE' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
------------

Any thoughts on what I might have done wrong. I've been at it for so long I'm just muddled up and unable to see the obvious. Time for a good night's rest.

Thanks
--
Eco

I'm not sure, but my first thought would be that this:

# grep -v ^# xend-config.sxp|grep ..
(network-script network-nat)
(vif-script vif-nat)

Should be changed. Presumably to this:

# grep -v ^# xend-config.sxp|grep ..
(network-script network-bridge)
(vif-script vif-bridge)

I'm not sure on that, though, as I can't look at any live Xen machines right now and I don't even use the network script, I configure bridging permanently (manually) instead of having the scripts run with Xen startup.

Dustin
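As an added example, not code from the thread or from Dustin or Eco: a small shell checker for the three points raised in the replies above, namely that xend's network-script and vif-script should be a matching bridge pair rather than the nat pair in the posted xend-config.sxp, that the domU vif should attach to the bridge, and that each public IP should be configured inside its domU rather than left as an alias on dom0. Every file it reads is a constructed sample written to a temp directory, modelled on the configs posted; the bridge name eth0 is taken from the log, where eth0 carries peth0 as port 1. The function names (sxp_value, xen_net_mode, vif_bridge, dom0_holds, check_setup) are my own and not part of Xen.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a Xen 3.x host's networking
# configuration against the bridged layout described above. All files below are
# constructed samples; point the functions at the real /etc/xen/xend-config.sxp,
# /etc/xen/<domU>.cfg and /etc/network/interfaces to check a live host.
set -eu

# sxp_value FILE KEY -> first word of the uncommented "(KEY value ...)" entry.
# A quoted value such as (network-script 'network-bridge bridge=eth0') is fine.
sxp_value() {
    grep -v '^#' "$1" \
        | sed -n "s/.*(${2}[[:space:]]*['\"]\{0,1\}\([^\"') ]*\).*/\1/p" \
        | head -n 1
}

# xen_net_mode SXP -> bridge | nat | route | mixed | unset, derived from the
# network-script and vif-script entries; a mismatched pair reports "mixed".
xen_net_mode() {
    net=$(sxp_value "$1" network-script)
    vif=$(sxp_value "$1" vif-script)
    net=${net#network-}
    vif=${vif#vif-}
    if [ -z "$net" ] || [ -z "$vif" ]; then
        echo unset
    elif [ "$net" = "$vif" ]; then
        echo "$net"
    else
        echo mixed
    fi
}

# vif_bridge CFG -> the bridge named on the domU's vif line, or nothing.
vif_bridge() {
    sed -n "s/.*vif[[:space:]]*=.*bridge=\([^,'\" ]*\).*/\1/p" "$1" | head -n 1
}

# dom0_holds INTERFACES IP -> true when IP is configured on dom0 (alias or not).
dom0_holds() {
    ip=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*address[[:space:]]+${ip}([[:space:]]|\$)" "$1"
}

# check_setup SXP CFG INTERFACES DOMU_IP -> one finding per line; returns 0 only
# when xend bridges and the domU's public IP is not also claimed by dom0.
check_setup() {
    rc=0
    mode=$(xen_net_mode "$1")
    if [ "$mode" = bridge ]; then
        echo "ok:   xend uses network-bridge/vif-bridge"
    else
        echo "fix:  xend scripts are '$mode'; bridge/bridge is needed for this layout"
        rc=1
    fi
    br=$(vif_bridge "$2")
    if [ -n "$br" ]; then
        echo "ok:   domU vif attaches to bridge $br"
    else
        echo "note: domU vif names no bridge=; vif-bridge will fall back to xend's default"
    fi
    if dom0_holds "$3" "$4"; then
        echo "fix:  dom0 still configures $4; it belongs in the domU's /etc/network/interfaces"
        rc=1
    else
        echo "ok:   $4 is not configured on dom0"
    fi
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the NAT configuration from the thread.
cat > "$WORK/xend-nat.sxp" <<'EOF'
# (network-script network-bridge)
(network-script network-nat)
(vif-script vif-nat)
(dom0-min-mem 196)
(vncpasswd '')
EOF
# Constructed bridged equivalent with the bridge named explicitly.
cat > "$WORK/xend-bridge.sxp" <<'EOF'
(network-script 'network-bridge bridge=eth0')
(vif-script vif-bridge)
EOF
# Constructed domU vif lines: the MAC-only form posted, and one naming the bridge.
printf "name = 'test01'\nvif = [ 'mac=00:16:3E:36:A5:FE' ]\n" > "$WORK/test01.cfg"
printf "name = 'test01'\nvif = [ 'mac=00:16:3E:36:A5:FE, bridge=eth0' ]\n" > "$WORK/test01-bridged.cfg"
# Constructed dom0 interfaces file that still carries one domU address as an alias.
cat > "$WORK/interfaces" <<'EOF'
auto eth0
iface eth0 inet static
        address 95.128.150.5
        netmask 255.255.255.0
        gateway 95.128.150.254
auto eth0:1
iface eth0:1 inet static
        address 91.111.100.50
        netmask 255.255.255.255
EOF

echo "== as posted: NAT scripts, alias left on dom0 =="
check_setup "$WORK/xend-nat.sxp" "$WORK/test01.cfg" "$WORK/interfaces" 91.111.100.50 || echo "-> needs changes"
echo "== bridged, address moved into the domU =="
check_setup "$WORK/xend-bridge.sxp" "$WORK/test01-bridged.cfg" "$WORK/interfaces" 100.10.121.30
```

The first run reproduces the posted state and flags both the nat scripts and the alias; the second passes. The checker only inspects files, so it is safe to run over a remote box before touching the live bridge, which matters here because a wrong change locks you out, as the log shows.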