Goetz Bock
2006-Jan-19 13:58 UTC
[Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0
Dear list,

I'm running Xen 3.0.0 (release, binary download) on a dualcore Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some 64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.

The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and should stay 32bit, in order to move them back to the server.

But I'm unable to use iptables, the modules are loaded, but the userspace tools can not communicate with the kernel.

Does anyone know how to fix this, what to do?

--
Goetz Bock (c) 2006 as blacknet.de - Munich - Germany
IT Consultant Creative Commons secure mobile Linux everNETting
ASCII Ribbon Campaign against HTML email & microsoft attachments

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Robbie Dinn
2006-Jan-19 15:09 UTC
Re: [Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0
Goetz Bock wrote:
> I'm running Xen 3.0.0 (release, binary download) on a dualcore
> Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some
> 64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.
>
> The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and
> should stay 32bit, in order to move them back to the server.
>
> But I'm unable to use iptables, the modules are loaded, but the
> userspace tools can not communicate with the kernel.
>
> Does anyone know how to fix this, what to do?

I think I see your problem. As I understand it you are using a 64bit DomU kernel with 32bit userspace installed on the [DomU] root filesystem. And you have to use the 64bit DomU kernel because that is what the 64bit Xen hypervisor requires you to use.

I have learned (from lurking on the netfilter-devel mailing list) that 32bit userspace iptables does not work with a 64bit kernel. The 'compatibility code' is missing from the kernel. At least one developer is working on it, but it is not going to appear anytime soon.

Your only hope in the meantime is to use a 64bit userspace iptables. But that isn't likely to work either because (64bit) iptables will need all the 64bit libraries installed so it can link against them. You won't have these installed on your 32bit filesystem image.

I freely admit to being confused by this 32/64bit stuff.

HOWEVER... how about this as a workaround. Don't put your firewall rules in the DomU. Put them in the FORWARD chain on the Dom0 machine instead. I have done this on the Xen cluster that I run. It is not very convenient because the DomUs can't change their firewall rules. You have to manually update the firewall rules on the Dom0 instead. But that inconvenience becomes an advantage if you are wanting to run a locked down system and you don't want or trust your DomUs to maintain their own firewall rules.
tbrown@baremetal.com
2006-Jan-19 21:18 UTC
Re: [Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0
Thanks for the post. I just ran into this myself.

I'll see if I can build a statically compiled iptables binary in a 64 bit system... hhmm, that actually seems to work... at least I get output from iptables -L -n

for anyone following, get the iptables tarball from netfilter.org, read the INSTALL file to get the following two parameters to make

    NO_SHARED_LIBS=1 DO_MULTI=1

and do it...

    make NO_SHARED_LIBS=1 DO_MULTI=1

the resulting iptables binary seems to run in my old (redhat 7.2) 32 bit user space...

note that the linking step produces warnings like

    warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

so obviously full functionality (that looks like dns type hostname correction) isn't present, but it looks to me like as long as you name all the ip addresses and services, it will work fine. e.g. I can fix these:

    iptables v1.3.4: invalid TCP port/service `smux' specified
    iptables v1.3.4: host/network `overload1' not found

-Tom
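
Added example, not part of the thread: a small pre-flight check for a rules script that will be loaded with a statically linked iptables like the one described above, flagging every address or port given as a name (which needs a resolver lookup) instead of a number. The sample rules and the function names are constructed for illustration; only `smux` and `overload1` come from the error output quoted in the post.

```python
import ipaddress
import shlex

ADDR_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}
PORT_OPTS = {"--sport", "--source-port", "--dport", "--destination-port",
             "--sports", "--dports", "--ports"}

# Constructed sample rules. 'smux' and 'overload1' are the two names from the
# error messages quoted in the post; all addresses are documentation ranges.
SAMPLE_RULES = """\
# constructed sample rule set
iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport smux -j DROP
iptables -A INPUT -s overload1 -j ACCEPT
iptables -A INPUT -p tcp -s ! 198.51.100.7 --dport 1024:65535 -j DROP
"""

def is_numeric_addr(value):
    """True for a literal address, CIDR block or address/netmask pair."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def is_numeric_ports(value):
    """True for a port, a lo:hi range (open ends allowed) or a comma list."""
    parts = [p for item in value.split(",") for p in item.split(":")]
    return any(parts) and all(
        p == "" or (p.isdecimal() and int(p) <= 65535) for p in parts)

def find_names(rules_text):
    """Return (line_no, option, value) for each value that needs a lookup."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        for i, tok in enumerate(tokens):
            if tok not in ADDR_OPTS and tok not in PORT_OPTS:
                continue
            args = tokens[i + 1:i + 3]
            if args and args[0] == "!":      # old-style negation: -s ! addr
                args = args[1:]
            if not args:
                continue
            check = is_numeric_addr if tok in ADDR_OPTS else is_numeric_ports
            if not check(args[0]):
                findings.append((line_no, tok, args[0]))
    return findings

if __name__ == "__main__":
    for line_no, opt, value in find_names(SAMPLE_RULES):
        print(f"line {line_no}: {opt} {value!r} is a name, not a number")
```

The check covers only address and port options; shell variables in a rules script are reported as names because their values cannot be verified from the text alone.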