Xen users - Jan 2006 - Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0

Dear list,

I''m running Xen 3.0.0 (release, binary download) on a dualcore
Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some
64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.

The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and
should stay 32bit, in order to move them back to the server.

But I''m unable to use iptables, the modules are loaded, but the
userspace tools can not communicate with the kernel.

Does anyone know how to fix this, what to do?
-- 
Goetz Bock       (c) 2006 as     blacknet.de - Munich - Germany   /"\
IT Consultant  Creative Commons  secure mobile Linux everNETting  \ /
                                                                   X
 ASCII Ribbon Campaign against HTML email & microsoft attachments / \

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Goetz Bock wrote:
> I''m running Xen 3.0.0 (release, binary download) on a dualcore
> Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some
> 64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.
> 
> The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and
> should stay 32bit, in order to move them back to the server.
> 
> But I''m unable to use iptables, the modules are loaded, but the
> userspace tools can not communicate with the kernel.
> 
> Does anyone know how to fix this, what to do?
I think I see your problem.

As I understand it you are using a 64bit DomU kernel with
32bit userspace installed on the [DomU] root filesystem.
And you have to use the 64bit DomU kernel because that is
what the 64bit Xen hypervisor requires you to use.

I have learned (from lurking on the netfilter-devel mailing
list) that 32bit userspace iptables does not work with a
64bit kernel. The ''compatability code'' is missing from the
kernel. At least one developer is working on it, but it is not
going to appear anytime soon.

Your only hope in the mean time is to use a 64bit userspace
iptables. But that isn''t likely to work either because (64bit)
iptables will need all the 64bit libraries installed so it can
link against them. You  won''t have these installed on your 32bit
filesystem image.

I freely admit to being confused by this 32/64bit stuff.

HOWEVER...
how about this as a work around. Don''t put your firewall
rules in the DomU. Put them in the FORWARD chain on the
Dom0 machine instead.

I have done this on the Xen cluster that I run. It is not
very convenient because the DomU''s can''t change their
firewall rules. You have to manually update the firewall
rules on the Dom0 instead. But that inconvenience becomes
an advantage if you are wanting to run a locked down
system and you don''t want or trust your DomU''s to maintain
their own firewall rules.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Thanks for the post. I just ran into this myself.

I''ll see if I can build a statically compiled iptables binary in a 64
bit
system...

hhmm, that actually seems to work...  at least I get output from

   iptables -L -n

for anyone following, get the iptables tarball from netfilter.org,
read the INSTALL file to get the following to parameters to make
NO_SHARED_LIBS=1 DO_MULTI=1

and do it...

   make NO_SHARED_LIBS=1 DO_MULTI=1

the resulting iptables binary seems to run in my old (redhat 7.2) 32 bit
user space... note that the linking step produces warnings like

   warning: Using ''getaddrinfo'' in statically linked
applications requires at
   runtime the shared libraries from the glibc version used for linking

so obviously full functionality (that looks like dns type
hostname correction) isn''t present, but it looks to me like as
long as you name all the ip addresses and services, it will work
fine.

e.g. I can fix these:

   iptables v1.3.4: invalid TCP port/service `smux'' specified
   iptables v1.3.4: host/network `overload1'' not found

-Tom


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users