Hi there,

I'm researching our upgrade path from Debian Etch to Debian Lenny and the newer version of Xen which that brings to the table.

There have been some networking issues which I've been unable to resolve.

Example:

I have two servers; each server has four NICs.

One NIC should be for the exclusive use of dom0 and is not used in any domU.

The rest of the NICs should be bridged to the domUs and should not have IP addresses assigned in dom0.

At least one (bridged) interface per server is on our internet front end. We don't want to waste address space on the dom0s plus we don't want the security exposure of dom0 having an interface directly on the internet. Therefore in the past I have not allocated these interfaces IP addresses.

In earlier versions of Xen I had this working fine, under Debian Etch, by using configurations in /etc/network/interfaces such as:

auto eth3
iface eth3 inet manual
    up /etc/xen/scripts/network-bridge start vifnum=3 bridge=xenbr3 netdev=eth3

In the newer version of Xen this is simpler and we have:

    up /etc/xen/scripts/network-bridge start netdev=eth3

Lovely. And with the updated format of the network-bridge script, brctl show reveals the correct assignment of bridges.

However, this only actually *works* (for the domUs) if the interface is assigned an address in dom0.

Ie:

auto eth2
iface eth2 inet static
    address 172.16.2.253
    netmask 255.255.255.0
    up /etc/xen/scripts/network-bridge start netdev=eth2

works while this:

auto eth2
iface eth2 inet manual
    up /etc/xen/scripts/network-bridge start netdev=eth2

does not.

I'm not sure if what is going wrong here is a problem with my understanding of Xen or Debian Lenny networking...

--
Please remember that an email is just like a postcard; it is not confidential nor private nor secure and can be read by many other people than the intended recipient. A postcard can be read by anyone at the mail sorting office and expecting what is written on it to be private and secret is not realistic.
Please hold no higher expectation of email. If you need to send confidential information in an email you need to use encryption. PGP is Pretty good for this.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Fajar A. Nugraha
2009-Feb-23 02:37 UTC
Re: [Xen-users] multiple bridges on non-addressed interfaces
On Mon, Feb 23, 2009 at 7:23 AM, Steve Wray <steve.wray@cwa.co.nz> wrote:
> However, this only actually *works* (for the domUs) if the interface is
> assigned an address in dom0.
>
> Ie:
>
> auto eth2
> iface eth2 inet static
>     address 172.16.2.253
>     netmask 255.255.255.0
>     up /etc/xen/scripts/network-bridge start netdev=eth2
>
> works while this:
>
> auto eth2
> iface eth2 inet manual
>     up /etc/xen/scripts/network-bridge start netdev=eth2
>
> does not.
>

Why don't you simply create the bridge in Lenny? Here's what I use in Ubuntu

auto br11
iface br11 inet manual
    bridge_ports eth0.11

This is a bridge-on-vlan config. I don't even need to specify settings for eth0 or eth0.11, Ubuntu takes care of them automatically.

If you want to bridge eth2 then something like this should work.

auto br2
iface br2 inet manual
    bridge_ports eth2

Then you simply set your domU to use br2 on its vif settings. br2 and eth2 should be up, without any ipv4 address assigned.

Regards,

Fajar
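A dom0-side check for the state described above (bridge and NIC up, no address), added here as an example and not part of the original post. It goes beyond the IPv4 case in the reply by also reporting IPv6 addresses, since the kernel gives an up interface a link-local address when IPv6 is enabled; the function names and the sample `ip -o addr show` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list addresses found on interfaces
# that are supposed to stay unaddressed in dom0.

# Constructed sample of `ip -o addr show` output. eth0 stands in for the
# dom0-only NIC; br3 and every address below are made up for the example.
sample_ip_output() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 172.16.0.253/24 brd 172.16.0.255 scope global eth0\       valid_lft forever preferred_lft forever
7: br2    inet6 fe80::21e:c9ff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever
8: br3    inet 172.16.3.253/24 brd 172.16.3.255 scope global br3\       valid_lft forever preferred_lft forever
EOF
}

# addressed_ifaces IFACE...
# stdin: `ip -o addr show` output. Prints "iface family address/prefix" for
# every IPv4 or IPv6 address on one of the named interfaces. Interfaces not
# named on the command line (the dom0 management NIC, lo) are ignored.
addressed_ifaces() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) must[w[i]] = 1 }
        ($3 == "inet" || $3 == "inet6") && ($2 in must) { print $2, $3, $4 }
    '
}

# check_unaddressed IFACE...
# Returns 0 when none of the named interfaces carries an address,
# otherwise prints each finding and returns 1.
check_unaddressed() {
    found=$(addressed_ifaces "$@")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/ADDRESSED: /'
        return 1
    fi
    return 0
}

# Demo against the constructed sample: br2 is reported for its link-local
# IPv6 address, br3 for its static IPv4 address; eth0 is not checked.
sample_ip_output | addressed_ifaces br2 br3
```

On a live dom0 the same check is `ip -o addr show | check_unaddressed br2 eth2`.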
Steve Wray
2009-Feb-23 19:30 UTC
Re: [Xen-users] multiple bridges on non-addressed interfaces
Fajar A. Nugraha wrote:
> On Mon, Feb 23, 2009 at 7:23 AM, Steve Wray <steve.wray@cwa.co.nz> wrote:
>> However, this only actually *works* (for the domUs) if the interface is
>> assigned an address in dom0.
>>
>> Ie:
>>
>> auto eth2
>> iface eth2 inet static
>>     address 172.16.2.253
>>     netmask 255.255.255.0
>>     up /etc/xen/scripts/network-bridge start netdev=eth2
>>
>> works while this:
>>
>> auto eth2
>> iface eth2 inet manual
>>     up /etc/xen/scripts/network-bridge start netdev=eth2
>>
>> does not.
>>
>
> Why don't you simply create the bridge in Lenny? Here's what I use in Ubuntu
>
> auto br11
> iface br11 inet manual
>     bridge_ports eth0.11
>
> This is a bridge-on-vlan config. I don't even need to specify
> settings for eth0 or eth0.11, Ubuntu takes care of them automatically.
> If you want to bridge eth2 then something like this should work.
>
> auto br2
> iface br2 inet manual
>     bridge_ports eth2
>
> Then you simply set your domU to use br2 on its vif settings. br2 and
> eth2 should be up, without any ipv4 address assigned.

Ok this works, thanks for the tip!

I had thought that the Xen scripts for setting up the bridges had some magic to hook them into Xen but apparently not.

I'm curious why it doesn't work 'the old way'; whether this is a change in Xen or in Debian. It seems odd.

>
> Regards,
>
> Fajar