William (Andy) Smith
2005-Apr-03 22:49 UTC
[Xen-users] Recipe for 'Thin Domain 0' request
I have two identical 'Enterprise Level' machines on a bastion network.

    (The Internet)
          |
    Host 1 (firewall)--<
          |
    Host 2 (internal net)

The internal net is NAT'd, I have a full support development environment and a 2.4TB RAID. Host 1 and Host 2 are currently serving public IP.

What I would like to do is replace Host 1 and Host 2 with Xen Domain0s running on an RFC 1918 network, and have those domains be as thin as possible. I'm hoping to learn how to PXE boot the two hosts. I need as thin as possible a Xen Domain 0 image to pass to the host coming up. The Domain 0 image (a PXE read-only image) then needs to start guest domains from read-only images. Each domain then picks up on the portion it can write back to.

At this time, Host 1 and Host 2 have their own 600GB RAIDed hard drives. Once the guest domains have their read-only image, they can then mount their write-back portion for spools, guest home directories and so on. The write-back will be LVMs on the hosts' 600G RAIDs for the moment, with consideration of having portions of the 2.4 TB leased to bastions and removing the drives later.

One particularly nasty thought is to have Host 1 and Host 2 each serve 'firewall' guest domains. We have one routing IP outside of our 'public' IP network, and our provider will allow us a second routing IP. I would need to prove the theory that I can isolate the NIC device and its traffic from Domain 0 and all other domains in a firewall application.

I would like assistance with a recipe that presumes a development environment on a separate host, builds a 'minimal domain 0' host 1 and lets me steer towards the project I describe above.

--Romaq

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
William (Andy) Smith wrote:
> One particularly nasty thought is to have Host 1 and Host 2 each serve
> 'firewall' guest domains. We have one routing IP outside of our 'public' IP
> network, and our provider will allow us a second routing IP. I would need to
> prove the theory that I can isolate the NIC device and its traffic from
> Domain 0 and all other domains in a firewall application.
>

I can attest that this works quite well. I have a domU acting as a router/firewall, and aside from having to hack the bridging script to support 3 nics, it worked without a problem. The machine has 3 nics (internet, dmz, internal), and the dom0 boots up with an IP address only on the internal nic (eth1, eth2, xen-br1, and xen-br2 are all "up", but with no address assigned). The router domU is given access to all 3 nics:

    nics=3
    vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0',
            'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1',
            'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]

while all the other domUs are only given access to the dmz nic. The router domU then runs pppoe (for DSL), and standard iptables natting and routing using the shorewall package, though any iptables based routing approach should work fine.

This has been working quite stably for me for a while, starting with xen 2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.

Let me know (on or off list) if you have any questions about this setup.

-Tupshin
William (Andy) Smith
2005-Apr-04 05:52 UTC
RE: [Xen-users] Recipe for 'Thin Domain 0' request
> -----Original Message-----
> From: Tupshin Harper [mailto:tupshin@tupshin.com]
> Sent: Sunday, April 03, 2005 6:08 PM
> To: romaq@members.limitless.org
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] Recipe for 'Thin Domain 0' request
<snip>
> Let me know (on or off list) if you have any questions about this setup.

It's the issue of having a 'thinnest possible Dom0' I'm working towards at the moment. I need to get some DomNs up as quickly as possible, and I'm caught wishing I knew enough about Xen to make a bootable ISO Dom0 so I could have the entire 600GB raid available for LVM use. If only I had PXE already working, I'd skip the ISO.

If the business of a 'thin Dom0' will take some time to get worked out, should I work on having Host 1 boot LVM root + Dom0? The unfortunate side of this project comes with a number of unrelated technologies that I'm new to that all need to work in order to achieve the end goal. I don't want to cover the non Xen stuff here, of course. I just need to start and make progress in *some* direction and move services to a working DomN.

--Romaq
On Sun, 3 Apr 2005, William (Andy) Smith wrote:
> I would need to prove the theory that I can isolate the NIC device and
> its traffic from Domain 0 and all other domains in a firewall
> application.

I guess you could do the following, where I assume that eth1 contains your untrusted traffic:

    [eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
    (no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic. Yes, the packets will travel through dom0 to get to the domU firewall - but dom0 does not have any IP addresses before that firewall, so it will be much harder to attack.

-- 
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan
Rik van Riel wrote:
> On Sun, 3 Apr 2005, William (Andy) Smith wrote:
>> I would need to prove the theory that I can isolate the NIC device and
>> its traffic from Domain 0 and all other domains in a firewall
>> application.
>
> I guess you could do the following, where I assume that
> eth1 contains your untrusted traffic:
>
> [eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
> (no IP)                                    (dom0's IP)
>
> This way eth0 is firewalled from external network traffic.
> Yes, the packets will travel through dom0 to get to the
> domU firewall - but dom0 does not have any IP addresses
> before that firewall, so it will be much harder to attack.
>

This is exactly what I do, and it works great. I find it hard to imagine a successful attack against the dom0 when it doesn't have an IP address on the interface. I guess if you were really paranoid, you would do PCI delegation of that NIC to the domU, but I'm not (that paranoid).

-Tupshin
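As an added example (not code from the thread, from Xen, or from any of the posters), a small Python audit of the layout Tupshin's vif lines and Rik's diagram describe: it parses Xen 2.x-style domU configs to confirm that only the router domU is attached to the untrusted and internal bridges, and scans "ip -o -4 addr" output to confirm that dom0 holds an address on the internal bridge only. The bridge roles (xen-br0 internal, xen-br1 untrusted, xen-br2 dmz), the domU name "router" and the sample configs are assumptions.

```python
# Added example (not code from the thread or from Xen): audit the layout the
# thread describes. Assumed bridge roles, following Rik's diagram: xen-br0 =
# internal (the only bridge dom0 holds an IP on), xen-br1 = untrusted, xen-br2 =
# dmz (assumed). Only the "router" domU may use all three; others stay on dmz.
import re
ROUTER_NAME = "router"
ROUTER_BRIDGES = {"xen-br0", "xen-br1", "xen-br2"}
GUEST_BRIDGES = {"xen-br2"}
DOM0_ADDRESSED = {"xen-br0"}

def parse_config(text):
    """Extract name, nics count and per-vif bridge from a Xen 2.x domU config."""
    name = re.search(r"""name\s*=\s*["']([^"']*)["']""", text).group(1)
    nics = re.search(r"nics\s*=\s*(\d+)", text)
    body = re.search(r"vif\s*=\s*\[(.*?)\]", text, re.S)
    bridges = []
    for entry in re.findall(r"'([^']*)'", body.group(1) if body else ""):
        opts = dict(kv.strip().split("=", 1) for kv in entry.split(",") if "=" in kv)
        bridges.append(opts.get("bridge"))    # None when the entry names no bridge
    return name, (int(nics.group(1)) if nics else None), bridges

def audit_domu(text):
    """Return policy violations for one domU config; an empty list means compliant."""
    name, nics, bridges = parse_config(text)
    allowed = ROUTER_BRIDGES if name == ROUTER_NAME else GUEST_BRIDGES
    problems = [f"{name}: vif on {b!r} not permitted" for b in bridges if b not in allowed]
    if nics is not None and nics != len(bridges):
        problems.append(f"{name}: nics={nics} but {len(bridges)} vif entries")
    return problems

def audit_dom0(ip_addr_output):
    """Flag dom0 IPv4 addresses on any bridge other than the internal one.
    Input is 'ip -o -4 addr' style output: '<idx>: <dev> inet <addr/prefix> ...'."""
    bad = []
    for line in ip_addr_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet" and f[1].startswith("xen-br"):
            if f[1] not in DOM0_ADDRESSED:
                bad.append(f"dom0 has {f[3]} on {f[1]}")
    return bad

# Constructed samples: the router config mirrors the vif lines quoted in the
# thread; the mail domU is misconfigured (a dmz-only guest on the untrusted bridge).
ROUTER_CFG = '''name = "router"\nnics = 3\nvif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0',
        'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1', 'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]'''
MAIL_CFG = '''name = "mail"\nnics = 1\nvif = [ 'mac=cc:cc:cc:cc:cc:30, bridge=xen-br1' ]'''
DOM0_ADDRS = ("2: xen-br0    inet 192.168.1.1/24 brd 192.168.1.255 scope global xen-br0\n"
              "3: xen-br1    inet 203.0.113.5/24 brd 203.0.113.255 scope global xen-br1\n")
```

Run audit_domu over each domU config and audit_dom0 over the live "ip -o -4 addr" output from dom0; any non-empty result is a deviation from the layout described in the thread.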
William (Andy) Smith wrote:
> It's the issue of having a 'thinnest possible Dom0' I'm working towards at
> the moment. I need to get some DomNs up as quickly as possible, and I'm
> caught wishing I knew enough about Xen to make a bootable ISO Dom0 so I
> could have the entire 600GB raid available for LVM use. If only I had PXE
> already working, I'd skip the ISO.
>

There are a lot of ways of getting a network bootable (diskless) install, including etherboot from a floppy or booting from a usb flash drive. If you can get a minimal version of your preferred dom0 distro booted in such a way, it should be pretty easy to make that approach xen compatible.

-Tupshin