Carsten Aulbert
2007-Mar-27 10:31 UTC
[Xen-users] confused: How to put packetfilter into domU and isolate dom0 completely?
Hi,

after two days of harvesting the web and the mailing list archive I am completely lost and confused. The set-up I want to achieve is not that complex, but killing me right now. I'll try to make the description as short as possible:

I have set up a small Ubuntu feisty Xen installation, I can create domUs via debootstrap and they are all running fine, especially with the default xenbr0 every domU gets its IP via dhcp from the local network.

However, I want to reinstall everything "in the wild" with slightly different needs. I have got a single server with a single external IP. My dream is to set up a totally isolated dom0, where I can enter only via a remote serial console or open ssh whenever there is need. Otherwise dom0 should not do anything except managing the domUs. The remaining domUs should be dedicated to certain tasks (web, email, users, etc) and one domU (say dom1) should do the firewalling, SNAT/DNAT stuff. Let me try some crude art:

        Internet (public IP)
               |
         eth0 (physical)
               |
            brextern?
               |
            dom1/eth0
               |
            brintern
               |
        +------+------+
        |      |      |
      dom2   dom3   dom0 (from time to time)

My questions now are (if this piece of art is understandable): Shall I

(1) Use two bridges (brextern, brintern) or
(2) delegate the physical interface to dom1

If (1): right now I'm playing around with hard-coded brctl/ip/ifup codes without the fancy network-bridge script. My current problem is, eth0 is still visible from dom0 and I cannot get rid of it. Maybe I'm stopped by not understanding the peth0 and veth0 business here. Can anyone tell me roughly how to achieve a solution here?

If (2): How can I delegate the physical interface to dom1? I've looked around, but only found pages where this is mentioned, but not done. Can anyone give me the correct words to use in search engines? I've seen pciback.hide for the dom0 kernel, but how can I make certain that the filtering domU will get that card?
Thanks for any possible help, and sorry if I confuse you as well :)

Cheers

Carsten

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Angel Lopez
2007-Mar-27 12:29 UTC
Re: [Xen-users] confused: How to put packetfilter into domU and isolate dom0 completely?
Hi,

> the fancy network-bridge script. My current problem is, eth0 is still
> visible from dom0 and I cannot get rid of it. Maybe I'm stopped by not
> understanding the peth0 and veth0 business here.
> Anyone can tell me roughly how to achieve a solution here?

You have a good explanation about virtual and physical network interfaces in the wiki: http://wiki.xensource.com/xenwiki/XenNetworking

If I'm not wrong, in a network-bridge setup, the peth0 interface is the physical NIC (the original eth0) and eth0 is a virtual NIC. The vethX interfaces are Dom0 virtual interfaces directly linked to the vif0.X interfaces. The vifX.Y and pethX interfaces are assigned to bridges.

> give me the correct words to use in search engines? I've seen
> pciback.hide for the dom0 kernel, but how can I make certain that the
> filtering domU will get that card?

I have done this. First, you have to know the PCI ID of the NIC; you can get this with the lspci command. Second, you have to tell the PCI ID to the kernel; you can indicate this with the pciback.hide parameter. Third, you assign the PCI ID to the VM with the pci parameter in the VM config file.

The hidden NIC doesn't appear in Dom0, you won't see it with ifconfig, and it will be available in the DomU that the NIC was assigned to.

I only have a problem with this: if I hide eth3 from Dom0 and assign it to a DomU, I see the interface in the DomU as eth3, not as eth0... how can I rename it? With the "ip link set name" command?

Bye.
Carsten Aulbert
2007-Mar-27 13:25 UTC
Re: [Xen-users] confused: How to put packetfilter into domU and isolate dom0 completely?
Hi,

Angel Lopez wrote:
>> give me the correct words to use in search engines? I've seen
>> pciback.hide for the dom0 kernel, but how can I make certain that the
>> filtering domU will get that card?
> I have done this. First, you have to know the PCI ID of the NIC, you can
> get this with the lspci command. Second, you have to tell the PCI ID to
> the kernel, you can indicate this with the pciback.hide parameter. Third,
> you assign the PCI ID to the VM with the pci parameter in the VM config
> file.

Thanks a lot, I somehow missed that part, that pci needed to be on its own. I always tried to put it into the vif line.

> The hidden NIC doesn't appear in Dom0, you won't see it with ifconfig,
> and it will be available in the DomU that the NIC was assigned to.

Yes, I'm seeing that right now :)

> I only have a problem with this, if I hide eth3 from Dom0 and assign it to a
> DomU, I see the interface in the DomU as eth3, not as eth0... how can I
> rename it? With the "ip link set name" command?

I don't see that, however I just have a single NIC in the computer. With these settings, I get:

    vif = ['bridge=mybridge']
    pci=['00:04.0']

eth0 is attached to mybridge
eth1 is the physical nic (physical server has only a single nic)

If I set

    vif = ['','bridge=mybridge']
    pci=['00:04.0']

eth0 is unused
eth1 is attached to the bridge
eth2 is the physical nic

Thus it seems the pci device is always set behind the defined vifs.

Thanks for your help, it seems this solution is much easier to handle than multiple bridges!

Cheers

Carsten
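As an added example (not code from either poster), a POSIX shell script that walks through Angel's three steps and the config syntax in Carsten's reply: it picks the Ethernet controller out of constructed `lspci -n` output, builds the `pciback.hide` kernel parameter and the `pci = [...]` line for the domU config, and checks under a constructed sysfs tree that the slot is bound to pciback, which is the check to run against `/sys` on a real dom0 before trusting that dom0 no longer drives the NIC. The sysfs layout and the driver name `pciback` are assumptions about the dom0 kernel, not facts stated in the thread.

```shell
# Added example, not from the thread. Turn lspci output into the two settings
# Angel describes (pciback.hide on the dom0 kernel line, pci = [...] in the
# domU config) and check in sysfs that dom0 really handed the NIC to pciback.

# Constructed `lspci -n` output; class 0200 is "Ethernet controller".
SAMPLE_LSPCI='00:00.0 0600: 8086:1237 (rev 02)
00:04.0 0200: 8086:100e
00:05.0 0300: 1234:1111'

# Print the bus:slot.func of every Ethernet controller in the given lspci -n text.
ethernet_slots() {
    printf '%s\n' "$1" | awk '$2 == "0200:" { print $1 }'
}

# Kernel command-line option hiding the given slots from dom0's own drivers.
pciback_hide_param() {
    _p=""
    for _s in "$@"; do _p="${_p}(${_s})"; done
    printf 'pciback.hide=%s\n' "$_p"
}

# 'pci = [...]' line for the domU config (the syntax used in Carsten's reply).
domu_pci_line() {
    _l=""
    for _s in "$@"; do _l="${_l}${_l:+, }'${_s}'"; done
    printf "pci = [%s]\n" "$_l"
}

# True when the slot's driver symlink under the sysfs root points at pciback,
# i.e. dom0 will not touch the device. Pass /sys as the root on a real dom0.
is_hidden() {
    _drv=$(readlink "$1/bus/pci/devices/0000:$2/driver" 2>/dev/null) || return 1
    [ "$(basename "$_drv")" = "pciback" ]
}

# Constructed sysfs tree: 00:04.0 bound to pciback, 00:05.0 still on e1000.
make_fake_sysfs() {
    _r=$(mktemp -d)
    for _d in devices/0000:00:04.0 devices/0000:00:05.0 drivers/pciback drivers/e1000; do
        mkdir -p "$_r/bus/pci/$_d"
    done
    ln -s ../../drivers/pciback "$_r/bus/pci/devices/0000:00:04.0/driver"
    ln -s ../../drivers/e1000   "$_r/bus/pci/devices/0000:00:05.0/driver"
    printf '%s\n' "$_r"
}

for nic in $(ethernet_slots "$SAMPLE_LSPCI"); do
    pciback_hide_param "$nic"
    domu_pci_line "$nic"
done
```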