Xen devel - Jul 2004 - Communication between Domain0 and Domain1

Hello,

I am using ''xen unstable / xenolinux 2.4.26'' and I am having
some problems
to get the domain0 and domain1 to communicate with each other. The python 
scripts xc_dom_create.py is not available on the xen unstable release. If 
I try to run the copy xc_dom_create.py that I have from xen 1.2 I get an 
error on the line "xc = Xc.new()". So this is what I did to start a
new
domain1 on xen unstable. From within domain0 I ran the following:

1.) run ''xend start''

2.) run the script xen_nat_enable that I got from xen1.2

3.) I ran the following command from within a bash script
    xm create -c vmid=1 \
		 name=domain1 \
		 kernel=/boot/vmlinuz-2.4.26-xenU \
		 memory=64 \
		 disk=phy:hda9,hda9,w \
		 ipaddr=169.254.1.1 \
		 root=/dev/hda9 ro \
		 ip=169.254.1.1 \
		 gateway=169.254.1.0 \
		 netmask=255.255.0.0 \
		 hostname=host_dom1
		 
    Domain1 is loaded and I can successfully login to domain1           
    through the console. Note: leaving ''mingetty tty1'' in the
    inittab file of domain1 is fine. I read somewhere that I should
    disable that.
    
However, I cannot ssh into domain1 from domain0.
==========================================================[root@domain0 /]# ssh
169.254.1.1
ssh: connect to host 169.254.1.1 port 22: No route to host
==========================================================
Below I have copied & paste the network configuration for domain0 and 
domain1. I am sorry if I include a lot of junk in the email.

Here is the network configuration of domain0
==================================================================[root@domain0
/]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0E:A6:6B:70:CC
          inet addr:128.100.241.161  Bcast:128.100.241.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4228 errors:0 dropped:0 overruns:0 frame:0
          TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:493895 (482.3 Kb)  TX bytes:60050 (58.6 Kb)
          Interrupt:22 Memory:feafc000-0
 
eth0:xen  Link encap:Ethernet  HWaddr 00:0E:A6:6B:70:CC
          inet addr:169.254.1.0  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:22 Memory:feafc000-0
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:19836 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19836 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1357481 (1.2 Mb)  TX bytes:1357481 (1.2 Mb)
 
vif1.0    Link encap:Ethernet  HWaddr AA:00:01:75:09:CB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
	  
[root@domain0 /]# route
Kernel IP routing table
Destination    Gateway Genmask       Flags Metric  Ref    Use Iface
128.100.241.0   *      255.255.255.0   U     0      0        0 eth0
169.254.0.0     *      255.255.0.0     U     0      0        0 eth0
169.254.0.0     *      255.255.0.0     U     0      0        0 eth0
127.0.0.0       *      255.0.0.0       U     0      0        0 lo
default        bcit-ec 0.0.0.0         UG    0      0        0 eth0
==================================================================
Here is the network configuration of domain1
==================================================================[root@domain1
/]# ifconfig
eth0      Link encap:Ethernet  HWaddr AA:00:00:75:09:CB
          inet addr:169.254.1.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
	  
[root@domain1 /]# route
Kernel IP routing table
Destination  Gateway      Genmask      Flags Metric Ref   Use Iface
169.254.0.0     *         255.255.0.0     U   0     0       0 eth0
127.0.0.0       *         255.0.0.0       U   0     0       0 lo
default      169.254.1.0  0.0.0.0         UG  0     0       0 eth0	  
===================================================================	  

Also, it seems that the way to control XEN on the xen unstable release is 
a bit different from xen1.2. The python scripts to use are a bit 
different. There a few scripts that I do not know what they do, example 
xend, netfix and xfrd. That is probably because it is my 1st experience 
with Python. Are there any documentation ?

Thanks
Richard

 



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> Hello,
> 
> I am using ''xen unstable / xenolinux 2.4.26'' and I am
having some problems
> to get the domain0 and domain1 to communicate with each other. The python 
> scripts xc_dom_create.py is not available on the xen unstable release. If 
> I try to run the copy xc_dom_create.py that I have from xen 1.2 I get an 
> error on the line "xc = Xc.new()". So this is what I did to start
a new
> domain1 on xen unstable. From within domain0 I ran the following:
Don''t mix the tools!  The ''xm'' command replaces all
the old xc_*
tools. 
 
> 1.) run ''xend start''
> 
> 2.) run the script xen_nat_enable that I got from xen1.2
I''m not sure this script is still useful. We tend to use bridging
rather than routing by default, but I believe bridge-nf still
enables you to NAT onto an outgoing interface. 

I haven''t tried this, though.
> 3.) I ran the following command from within a bash script
>     xm create -c vmid=1 \
> 		 name=domain1 \
> 		 kernel=/boot/vmlinuz-2.4.26-xenU \
> 		 memory=64 \
> 		 disk=phy:hda9,hda9,w \
> 		 ipaddr=169.254.1.1 \
> 		 root=/dev/hda9 ro \
> 		 ip=169.254.1.1 \
> 		 gateway=169.254.1.0 \
> 		 netmask=255.255.0.0 \
> 		 hostname=host_dom1
> 		 
>     Domain1 is loaded and I can successfully login to domain1           
>     through the console. Note: leaving ''mingetty tty1'' in
the
>     inittab file of domain1 is fine. I read somewhere that I should
>     disable that.
tty1 works fine now, as you''ve observed.
> Here is the network configuration of domain0
> ==================================================================>
[root@domain0 /]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:0E:A6:6B:70:CC
>           inet addr:128.100.241.161  Bcast:128.100.241.255
Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4228 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:493895 (482.3 Kb)  TX bytes:60050 (58.6 Kb)
>           Interrupt:22 Memory:feafc000-0
>  
> eth0:xen  Link encap:Ethernet  HWaddr 00:0E:A6:6B:70:CC
>           inet addr:169.254.1.0  Bcast:169.254.255.255  Mask:255.255.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Interrupt:22 Memory:feafc000-0
>  
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:19836 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:19836 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1357481 (1.2 Mb)  TX bytes:1357481 (1.2 Mb)
>  
> vif1.0    Link encap:Ethernet  HWaddr AA:00:01:75:09:CB
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
When you ran ''xend start'' a bridge device should have been
created.

Have you got the bridge utils installed (/sbin/brctl) ?
> Also, it seems that the way to control XEN on the xen unstable release is 
> a bit different from xen1.2. The python scripts to use are a bit 
> different. There a few scripts that I do not know what they do, example 
> xend, netfix and xfrd. That is probably because it is my 1st experience 
> with Python. Are there any documentation ?
''xm'' is the main user tool -- netfix and xfrd are internal
rather
than user tools.

We do desperately need to update the documentation -- sorry.

Ian


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

On Jul 16, 2004, at 8:08 PM, Richard Ta-Min wrote:
> Hello,
>
> I am using ''xen unstable / xenolinux 2.4.26'' and I am
having some
> problems
> to get the domain0 and domain1 to communicate with each other. The 
> python
Hi Richard,
In addition to what Ian mentioned, I''ve found it''s personally
best to
assign static IP to your host OSs.  It removes any question of what IP 
they may be getting assigned which removes one variable from any 
networking/connectivity debugging.

The way the networking works currently (-unstable) is just like a 
typical router/firewall type setup:

(internet) <-> [fw eth0] <-routing-> [fw eth1] <-> [host eth0]

is equivalent to how the networking is set up with Xen between the dom0 
host and the VMs:

(internet) <-> [dom0 eth0] <-routing-> [dom0 vif] <-> [VM
eth0]

If you''re comfortable with using bridging, then when you create the 
bridge interface and bind the dom0 eth0 and vif to it, you''re 
essentially telling the dom0 OS to copy any packets it recieves on the 
eth0 physical device to also go to the dom0 vif, which will pass that 
traffic to the eth0 of the virtual host.  It''s bypassing any explicit 
routing decisions on dom0 and just saying "pass all traffic directly to 
the vif as if it were plugged into the external interface."  The dom0 
host should be able to access the VM host via whatever IP address 
you''ve assigned as well since it should "see" that IP
directly just as
anything else on the network will.  (I haven''t had the best luck with 
Linux bridging though.  Occasionally the bridge just "goes away" and 
mysteriously stops passing traffic to the bridge interfaces...)

An alternative (and the way I prefer because of the bridge issues) is 
to skip the bridging and just use your dom0 host as a firewall.  Assign 
the dom0 vif an IP like 192.168.1.1, then assign the VM eth0 an IP like 
192.168.1.2 and point to 192.168.1.1 as the default route for the VM.  
Create an ethernet alias on the dom0 host for whatever external IP you 
wish to assign to the VM, and use iptables to NAT traffic to/from that 
interface.  Everyone else on the network will see the VM as the 
external IP you''ve assigned, but the dom0 host itself will use the 
192.168.1.2 address to access the VM.  This is the way I''ve set up my 
Xen dev box and it''s working great for me.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I think that''s what they mean by   |
"nickels a day can feed a child."   |       http://www.eff.org/
I thought, "How can food be so      | http://www.anti-dmca.org/
cheap over there?"  It''s not, they  |--------------------------
just eat the nickels." -- Peter Nguyen



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> An alternative (and the way I prefer because of the bridge issues) is 
> to skip the bridging and just use your dom0 host as a firewall.  Assign 
> the dom0 vif an IP like 192.168.1.1, then assign the VM eth0 an IP like 
> 192.168.1.2 and point to 192.168.1.1 as the default route for the VM.  
> Create an ethernet alias on the dom0 host for whatever external IP you 
> wish to assign to the VM, and use iptables to NAT traffic to/from that 
> interface.  Everyone else on the network will see the VM as the 
> external IP you''ve assigned, but the dom0 host itself will use the
> 192.168.1.2 address to access the VM.  This is the way I''ve set up
my
> Xen dev box and it''s working great for me.
I haven''t had any problems with bridging, but I agree that the L3
routing solution may be better under some circumstances. 

It''s a slight pain that the vifx.y interface in dom0 needs to be
given it''s own an IP address, as it won''t accept being
operated
in ''pointopoint'' mode. I suspect there''s some ioctl
we could add
to the backend driver that would enable this. Anyone know about
this?

It would be good to have a ''vif-router'' script to use as an
alternative to ''vif-bridge'' for users wanting to operate a
routed
configuration. If you''ve got something suitable we could check in
to the repo that would be great. I guess a modified ''network''
script would be required too.

Ian


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> I haven''t had any problems with bridging, but I agree that the L3
> routing solution may be better under some circumstances.
I haven''t had great luck with bridging in linux period, not just with 
Xen.  Fortunately I''ve rarely needed it.

In any case, the reason I''m personally using VMs is to strictly control
what is allowed in and out of each particular VM and to be able to 
control through firewalling anyway, and doing some VM-based solution is 
a heck of a lot cheaper than buying a dozen physical pieces of hardware 
and putting them all on a DMZ behind a dedicated firewall, especially 
if all one of those VMs may be doing is DNS.  It''s a little more load 
on the box overall to have your dom0 doing the packet filtering, but if 
your boxes were overloaded anyway, you probably wouldn''t be doing VMs.
  :)
> It would be good to have a ''vif-router'' script to use as
an
> alternative to ''vif-bridge'' for users wanting to operate
a routed
> configuration. If you''ve got something suitable we could check in
> to the repo that would be great. I guess a modified
''network''
> script would be required too.
If I can get the VMs stabilized, I''ll work on that next since right now
I''ve just got everything in script I wrote that "brute-force"
ups a
bunch of aliases and adds a bunch of NAT rules that I''m running 
manually.

I haven''t looked real close at the bridge config/script so I
don''t know
if it handles downing a VM gracefully; iptables isn''t very good at 
dynamically removing rules.  You have to know what order they went in 
to be able to remove it in the order it was created.  i.e. you can 
create a rule by saying "from source IP such and destination IP such, 
do thusly" but you can''t remove it with the same terminology, you
have
to say "remove rule number twelve."  So bringing up a VIP and
assigning
an eth0 alias and creating a NAT rule is pretty easy, but there''s no 
graceful way to handle removing the NAT rule if you want to down the 
VM/VIP.

The way we''ve been dealing with this issue where I work, using UML, is 
to have the VM "up" and "down" scripts modify a set of
iptables rules
to either include or exclude the config for a particular VM, and then 
require that the rules be reloaded after up or down a VM which will 
re/create any necessary aliases and reload all the iptables rules.  
It''s not as elegant, but it does work.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"We all enter this world in the    | Support Electronic Freedom
same way: naked; screaming; soaked |        http://www.eff.org/
in blood. But if you live your     |  http://www.anti-dmca.org/
life right, that kind of thing     |---------------------------
doesn''t have to stop there." -- Dana Gould



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> 
> On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> 
> > I haven''t had any problems with bridging, but I agree that
the L3
> > routing solution may be better under some circumstances.
> 
> I haven''t had great luck with bridging in linux period, not just
with
> Xen.  Fortunately I''ve rarely needed it.
> 
> In any case, the reason I''m personally using VMs is to strictly
control
> what is allowed in and out of each particular VM and to be able to 
> control through firewalling anyway, and doing some VM-based solution is 
> a heck of a lot cheaper than buying a dozen physical pieces of hardware 
With the bridge-nf patch that we build into dom0 by default its
possible to do all the normal iptables firewalling with a bridge setup.
> > It would be good to have a ''vif-router'' script to
use as an
> > alternative to ''vif-bridge'' for users wanting to
operate a routed
> > configuration. If you''ve got something suitable we could
check in
> > to the repo that would be great. I guess a modified
''network''
> > script would be required too.
> 
> If I can get the VMs stabilized, I''ll work on that next since
right now
> I''ve just got everything in script I wrote that
"brute-force" ups a
> bunch of aliases and adds a bunch of NAT rules that I''m running 
> manually.
> 
> I haven''t looked real close at the bridge config/script so I
don''t know
> if it handles downing a VM gracefully; iptables isn''t very good at
> dynamically removing rules.  You have to know what order they went in 
> to be able to remove it in the order it was created.  i.e. you can 
> create a rule by saying "from source IP such and destination IP such, 
> do thusly" but you can''t remove it with the same terminology,
you have
> to say "remove rule number twelve."  So bringing up a VIP and
assigning
> an eth0 alias and creating a NAT rule is pretty easy, but there''s
no
> graceful way to handle removing the NAT rule if you want to down the 
> VM/VIP.
Yep, iptables isn''t so smart. I wander if its possible to do
something by having rules for a particular domain on a single
chain, and then jsut delete the whole chain when a VM dies?

Ian


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

>>I haven''t looked real close at the bridge config/script so I
don''t know
>>if it handles downing a VM gracefully; iptables isn''t very good
at
>>dynamically removing rules.  You have to know what order they went in 
>>to be able to remove it in the order it was created.  i.e. you can 
>>create a rule by saying "from source IP such and destination IP
such,
>>do thusly" but you can''t remove it with the same
terminology, you have
>>to say "remove rule number twelve."  So bringing up a VIP and
assigning
>>an eth0 alias and creating a NAT rule is pretty easy, but
there''s no
>>graceful way to handle removing the NAT rule if you want to down the 
>>VM/VIP.
I''m not sure that''s the case. If you''ve added a rule
with -A, specifying
the syntax, you can remove it by specifying -D and the same syntax. 
It''ll remove one rule that exactly matches the syntax you specify to
-D.

I often use this to drop a LOG rule in temporarily:

# iptables -A INPUT -j LOG

... stuff happens ...

# iptables -D INPUT -j LOG

This is in addition to the -D <rule number> behaviour, which is indeed a 
real pain to use.

Cheers,
Chris.


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel