I've now had chance to experiment with both bridged and routed setups (copying Tom's example on the web site) for Xen; here are a few observations:

Bridged:

Default setup, easy to get the network going.
Shorewall works but has some limitations in a bridged environment, but in dom-u's works just like a real single interface machine.

Routed:

Harder to set up the networking
Removes limitations of firewalling in a bridge
Dom-U's don't get broadcasts from parent network

One issue took a bit of sorting out:

The environment I'll be wanting to run will involve a variable number of guest machines, and some of them may not be started automatically. This caught me out this morning when I switched on my test server and couldn't access it. Shorewall failed to start at bootup because all the interfaces weren't present.

I tried setting the interfaces file to use a wildcard (ethx+), but that still left the proxyarp setting where

>#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>192.168.1.181   ethx1      eth0      no         yes

produced this error

>Setting up Proxy ARP...
>Cannot find device "ethx1"
>   ERROR: Command "ip route replace 192.168.1.181 dev ethx1" Failed

But since the vif-route script creates the route, I don't think the haveroute=no setting is required, so I've set that to yes and now Shorewall will start (with a warning if the guest using ethx1 is not running).

Next step was to add a "shorewall restart" command to the vif-route script - actually I wrote a wrapper script called vif-route-shorewall containing:

>#!/bin/bash
>dir=$(dirname "$0")
># run the real Xen hotplug script with the arguments Xen passed us, then reload the firewall
>${dir}/vif-route "$@"
>shorewall restart

So in proxyarp I have:

>#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>192.168.1.181   ethx1      eth0      yes
>192.168.1.182   ethx2      eth0      yes

and in interfaces I have:

>#ZONE   INTERFACE  BROADCAST      OPTIONS
>net     $EXT_IF    -              logmartians,tcpflags,nosmurfs
>xen     ethx+      192.168.1.255  tcpflags,nosmurfs,routeback

Anything I've missed here?

Is there any problem with multiple processes calling "shorewall restart" - ie if multiple guests are shutdown simultaneously? I assume the answer is "they'll just block and execute in turn" as Shorewall uses a lockfile, and that is what appears to happen.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
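An added check, not from the thread, that models the startup failure Simon describes: it walks a proxyarp table, compares each INTERFACE against the devices present at boot, and reports which entries would make Shorewall abort (device missing and HAVEROUTE=no) versus merely warn (HAVEROUTE=yes, route left to vif-route). Both tables and the PRESENT_IFACES list are constructed; audit_proxyarp and startup_fail_count are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. A proxyarp entry whose device is absent
# at boot aborts "shorewall start" when HAVEROUTE=no, but only warns when yes.

# Constructed /etc/shorewall/proxyarp in the form posted to the list;
# ethx1 still has HAVEROUTE=no even though vif-route adds the route itself.
PROXYARP_BAD='#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
192.168.1.181   ethx1      eth0      no         yes
192.168.1.182   ethx2      eth0      yes'

# The same table after the fix from the thread: HAVEROUTE=yes throughout.
PROXYARP_FIXED='#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
192.168.1.181   ethx1      eth0      yes
192.168.1.182   ethx2      eth0      yes'

# Devices assumed present at boot (constructed: the ethx1 guest is not running).
# On a real dom0 build this from:  ip -o link show | awk -F': ' '{print $2}'
PRESENT_IFACES="lo eth0 ethx2"

iface_present() {
    for i in $PRESENT_IFACES; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# audit_proxyarp TABLE: one line per entry whose INTERFACE is absent.
#   FAIL  HAVEROUTE no/empty: shorewall runs "ip route replace ADDR dev IFACE",
#         gets "Cannot find device" and aborts.
#   WARN  HAVEROUTE yes: shorewall assumes the route exists and only warns.
audit_proxyarp() {
    while read -r addr iface ext haveroute persistent; do
        case "$addr" in ''|'#'*) continue ;; esac   # skip blanks and comments
        iface_present "$iface" && continue
        case "$haveroute" in
            ''|-|[Nn]o) echo "FAIL $iface $addr: device missing, HAVEROUTE=${haveroute:-no}" ;;
            *)          echo "WARN $iface $addr: device missing, route left to vif-route" ;;
        esac
    done <<EOF
$1
EOF
}

# startup_fail_count TABLE: how many entries would abort startup.
startup_fail_count() {
    audit_proxyarp "$1" | grep -c '^FAIL' || true
}

audit_proxyarp "$PROXYARP_BAD"
echo "entries blocking startup: $(startup_fail_count "$PROXYARP_BAD")"
```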
Simon Hobson wrote:
> I've now had chance to experiment with both bridged and routed setups
> (copying Tom's example on the web site) for Xen, here are a few
> observations :
>
> Bridged:
>
> Default setup, easy to get the network going.
> Shorewall works but has some limitations in a bridged environment,
> but in dom-u's works just like a real single interface machine.
>
>
> Routed:
>
> Harder to set up the networking
> Removes limitations of firewalling in a bridge
> Dom-U's don't get broadcasts from parent network
>
>
>
> One issue took a bit of sorting out :
>
> The environment I'll be wanting to run will involve a variable number
> of guest machines, and some of them may not be started automatically.
> This caught me out this morning when I switched on my test server and
> couldn't access it. Shorewall failed to start at bootup because all
> the interfaces weren't present.
>

I developed the 'optional' interface option exactly to take care of this issue. List each interface in /etc/shorewall/interfaces as 'optional'.

> So in proxyarp I have :
>> #ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>> 192.168.1.181   ethx1      eth0      yes
>> 192.168.1.182   ethx2      eth0      yes

Which is what I do.

>
> and in interfaces I have :
>> #ZONE   INTERFACE  BROADCAST      OPTIONS
>> net     $EXT_IF    -              logmartians,tcpflags,nosmurfs
>> xen     ethx+      192.168.1.255  tcpflags,nosmurfs,routeback
>
> Anything I've missed here ?

For Shorewall-perl, the address in the BROADCAST column is bogus.

>
> Is there any problem with multiple processes calling "shorewall
> restart" - ie if multiple guests are shutdown simultaneously ? I
> assume the answer is "they'll just block and execute in turn" as
> Shorewall uses a lockfile, and that is what appears to happen.

That's why there is a lockfile.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
> I've now had chance to experiment with both bridged and routed setups
> (copying Tom's example on the web site) for Xen, here are a few
> observations :
>
> Bridged:
>
> Default setup, easy to get the network going.
> Shorewall works but has some limitations in a bridged environment,
> but in dom-u's works just like a real single interface machine.
>

What I really like about bridged is that (from a networking perspective) each domU is indistinguishable from a physical host on the same network as the dom0. Depending on your needs, that may be good or bad. However, I tend to think of it as a very good thing.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Wed, Aug 01, 2007 at 06:46:30PM -0400, Roberto C. Sánchez wrote:
> On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
> > I've now had chance to experiment with both bridged and routed setups
> > (copying Tom's example on the web site) for Xen, here are a few
> > observations :
> >
> > Bridged:
> >
> > Default setup, easy to get the network going.
> > Shorewall works but has some limitations in a bridged environment,
> > but in dom-u's works just like a real single interface machine.
> >
> What I really like about bridged is that (from a networking perspective)
> each domU is indistinguishable from a physical host on the same network
> as the dom0. Depending on your needs, that may be good or bad.
> However, I tend to think of it as a very good thing.

It basically reduces to the question of:

Is your purpose in using Xen just to segregate some virtual hosts as an alternative to buying several boxes, or to create hosts with more restricted capabilities than a normal one?
Andrew Suffield wrote:
> On Wed, Aug 01, 2007 at 06:46:30PM -0400, Roberto C. Sánchez wrote:
>> On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
>>> I've now had chance to experiment with both bridged and routed setups
>>> (copying Tom's example on the web site) for Xen, here are a few
>>> observations :
>>>
>>> Bridged:
>>>
>>> Default setup, easy to get the network going.
>>> Shorewall works but has some limitations in a bridged environment,
>>> but in dom-u's works just like a real single interface machine.
>>>
>> What I really like about bridged is that (from a networking perspective)
>> each domU is indistinguishable from a physical host on the same network
>> as the dom0. Depending on your needs, that may be good or bad.
>> However, I tend to think of it as a very good thing.
>
> It basically reduces to the question of:
>
> Is your purpose in using Xen just to segregate some virtual hosts as
> an alternative to buying several boxes, or to create hosts with more
> restricted capabilities than a normal one?
>

I agree. And if you need more restricted capabilities than a normal one then you should consider running a firewall in front of the Xen host or you should consider switching to a configuration other than one where you run Shorewall in your bridged Dom0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key