Rich Wales
2007-Dec-28 07:00 UTC
[Xen-users] Routed dom0 setup problem -- second time around
I'm still having problems getting a new Xen system to work properly in a "routed" configuration.

I thought I had it figured out a few days ago, but when I couldn't get the Shorewall firewall application to work properly, it became evident that my Xen configuration was seriously messed up and that I really needed to start over with the networking from scratch.

I'm running Xen 3.1 / Ubuntu 7.10 (kernel = 2.6.22-14-xen). Here's my current xend-config.sxp file:

    (xen-api-server ((unix)))
    (xend-http-server yes)
    (xend-unix-server yes)
    (xend-relocation-server no)
    (xend-port 8000)
    (xend-address '')
    (xend-relocation-hosts-allow '')
    (network-script 'network-route netdev=dmz0')
    (vif-script vif-route)
    (dom0-min-mem 196)
    (dom0-cpus 0)
    (vncpasswd '')

My plan is to have my domU's operate in a subnet (172.31.53.0/24) that is in use by a network card which I've assigned the name "dmz0" (using an entry in /etc/udev/rules.d/70-persistent-net.rules to name the NIC).

Xen comes up OK, and the dom0 appears fine (using 384M of RAM). Just to confirm that I'm not accidentally constructing a bridged/routed hodgepodge configuration, I did "brctl show", which showed that NO network interfaces were assigned to ANY bridges.

The next thing I tried to do was to launch a domU, using the following configuration file:

    kernel = '/boot/vmlinuz-2.6.22-14-xen'
    ramdisk = '/boot/initrd.img-2.6.22-14-xen'
    memory = '512'
    root = '/dev/hda1 ro'
    disk = [ 'phy:vg1/wonttell-disk,hda1,w', 'phy:vg1/wonttell-swap,hda2,w' ]
    name = 'wonttell'
    vif = [ 'mac=ee:01:72:31:53:05, ip=172.31.53.5, vifname=eth3' ]
    on_poweroff = 'destroy'
    on_reboot = 'restart'
    on_crash = 'restart'
    extra = 'xencons=tty'

However, when I do an "xm create" with the above configuration, it fails without any intelligible error message anywhere. /var/log/daemon.log has some comments about "vif-route failed; error detected", but nary a clue as to what kind of error is happening.

I'm reasonably confident that most of the above domU configuration is OK, since when I was doing a (sort of) bridged network setup (and naming a "bridge" in the "vif" line instead of a "vifname"), the domU came up and seemed to work OK (except that its networking was messed up in some way that gave Shorewall heartburn and made it impossible for me to set up my firewalling properly).

I haven't been able to find very much comprehensible documentation about Xen networking, so I realize I could easily be missing some subtle point.

Does anyone see anything obviously wrong with the above configuration? What should I try next, or what additional info should I post?

--
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Stephan Seitz
2007-Dec-28 07:58 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
Rich Wales wrote:
> I'm still having problems getting a new Xen system to work properly in
> a "routed" configuration.
>
> I thought I had it figured out a few days ago, but when I couldn't get
> the Shorewall firewall application to work properly, it became evident
> that my Xen configuration was seriously messed up and that I really
> needed to start over with the networking from scratch.
>
> I'm running Xen 3.1 / Ubuntu 7.10 (kernel = 2.6.22-14-xen). Here's my
> current xend-config.sxp file:
>
> (xen-api-server ((unix)))
> (xend-http-server yes)
> (xend-unix-server yes)
> (xend-relocation-server no)
> (xend-port 8000)
> (xend-address '')
> (xend-relocation-hosts-allow '')
> (network-script 'network-route netdev=dmz0')

Hi,

without a deeper look into it, I assume network-script is called via some kind of exec() and 'network-route netdev=dmz0' is trivially not found.

For easier use, I always use a wrapper script at this line.

e.g.

    (network-script 'my-network-route')

--- /etc/xen/scripts/my-network-route (chmod +x) ---

    #!/bin/sh
    # start bridge on dmz0

    XENDIR="/etc/xen/scripts"

    $XENDIR/network-bridge "$@" netdev=dmz0 bridge=xenbr0 vifnum=0

------

Greetings

Stephan

> (vif-script vif-route)
> (dom0-min-mem 196)
> (dom0-cpus 0)
> (vncpasswd '')
>

--
Stephan Seitz
Senior System Administrator
*netz-haut* e.K.
multimediale kommunikation
zweierweg 22
97074 würzburg
fon: +49 931 2876247
fax: +49 931 2876248
web: www.netz-haut.de <http://www.netz-haut.de/>
registriergericht: amtsgericht würzburg, hra 5054
Stephan Seitz
2007-Dec-28 08:02 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
Stephan Seitz wrote:
> Rich Wales wrote:
>> I'm still having problems getting a new Xen system to work properly in
>> a "routed" configuration.
>>
>> I thought I had it figured out a few days ago, but when I couldn't get
>> the Shorewall firewall application to work properly, it became evident
>> that my Xen configuration was seriously messed up and that I really
>> needed to start over with the networking from scratch.
>>
>> I'm running Xen 3.1 / Ubuntu 7.10 (kernel = 2.6.22-14-xen). Here's my
>> current xend-config.sxp file:
>>
>> (xen-api-server ((unix)))
>> (xend-http-server yes)
>> (xend-unix-server yes)
>> (xend-relocation-server no)
>> (xend-port 8000)
>> (xend-address '')
>> (xend-relocation-hosts-allow '')
>> (network-script 'network-route netdev=dmz0')

At a second thought, you do have an interface named dmz0? Or, do you want your bridge named dmz0?

> Hi,
>
> without a deeper look into it, I assume network-script is called via some
> kind of exec() and 'network-route netdev=dmz0' is trivially not found.
>
>
> For easier use, I always use a wrapper script at this line.
>
> e.g.
> (network-script 'my-network-route')
>
> --- /etc/xen/scripts/my-network-route (chmod +x) ---
> #!/bin/sh
> # start bridge on dmz0
>
> XENDIR="/etc/xen/scripts"
>
> $XENDIR/network-bridge "$@" netdev=dmz0 bridge=xenbr0 vifnum=0
> ------
>
> Greetings
>
> Stephan
>
>> (vif-script vif-route)
>> (dom0-min-mem 196)
>> (dom0-cpus 0)
>> (vncpasswd '')
>>
Rich Wales
2007-Dec-28 08:18 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
Stephan Seitz wrote:
> without a deeper look into it, I assume network-script is called
> via some kind of exec() and 'network-route netdev=dmz0' is trivially
> not found. For easier use, I always use a wrapper script at this line.

Thanks. It was my understanding that the syntax I was using was correct.

However, just in case, I tried making a custom copy of network-route, in which the default value of "netdev" was changed to "dmz0", and changed xend-config.sxp to invoke this custom script (without any arguments or quote marks) instead of network-route. It ran just fine -- I verified this by checking the "proxy_arp" values for dmz0 and my other network interfaces, and proxy_arp was set to 1 only for dmz0 and not for any other interface (as expected if you look at the contents of the network-route script).

However, my problem remains. I can't get my domU to start, even when using this customized network-route script.

> On second thought, you do have an interface named dmz0? Or, do you
> want your bridge named dmz0?

I have an interface named dmz0, which has an IP address in the same network range as I'm hoping to use for my domU's.

I'm trying to set up a routed configuration -- which, as I understand this right now, means I don't want to be using bridges at all. I need to use a routed (NOT bridged) configuration in order for the Shorewall firewall to work properly in my dom0.
Stephan Seitz
2007-Dec-28 10:04 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
Rich Wales wrote:
> I'm trying to set up a routed configuration -- which, as I understand
> this right now, means I don't want to be using bridges at all. I need
> to use a routed (NOT bridged) configuration in order for the Shorewall
> firewall to work properly in my dom0.

Sorry, I missed this. I've never used xen with network-route.

A similar problem has been discussed here:
http://lists.xensource.com/archives/html/xen-users/2006-03/msg00954.html

greetings
Rich Wales
2007-Dec-28 18:56 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
Stephan Seitz wrote:
> Sorry, I missed this. I've never used xen with network-route.

OK, thanks anyway for your willingness to try to help.

> A similar problem has been discussed here:
> http://lists.xensource.com/archives/html/xen-users/2006-03/msg00954.html

I do need to say that it doesn't give me extreme confidence when I see something (like the above) where someone asked -- almost two years ago -- if anyone had ever successfully set up Shorewall with network-route, and NO ONE REPLIED. (!)

Once again, if ANYONE out there has successfully set up a routed Xen configuration (routed, NOT bridged), I would be EXTREMELY grateful if you could help me out with the details. I've tried everything I've been able to find on the net so far regarding this, and so far at least, it simply DOES NOT WORK for me AT ALL.

I've seen numerous descriptions on the net claiming a routed configuration is easy, but I simply can't get it to work -- I can't even get a domU to start -- when I try, I get some cryptic comments about vif-route failing to set up a network link, and the domU drops dead. (Even when I use "xm create -c" to connect to the domU's console immediately, it's no use -- I never see any output from the domU console -- the domU apparently never starts, or else dies right away and never has a chance to do anything at all.)
Rich Wales
2007-Dec-29 01:19 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
OK, I finally managed to fix my earlier problem (routed configuration refusing to launch domU's).

The answer turned out to be that if the network interface to be used by the domU's is anything other than the default "eth0", the interface name must be explicitly passed (via a netdev= parameter) to vif-route -- NOT just to network-route.

Here is a xend-config.sxp that appears to work for me now:

    (xen-api-server ((unix)))
    (xend-http-server yes)
    (xend-unix-server yes)
    (xend-relocation-server no)
    (xend-port 8000)
    (xend-address '')
    (xend-relocation-hosts-allow '')
    (network-script 'network-route netdev=dmz0')
    (vif-script 'vif-route netdev=dmz0')
    (dom0-min-mem 196)
    (dom0-cpus 0)
    (vncpasswd '')

Note that my non-default network interface (dmz0) is given as a parameter to vif-route, as well as to network-route. This point wasn't mentioned anywhere in any of the documentation or discussions I could find online, and I had to trace through the vif-route script, a line at a time, before finally discovering that the reason it was failing was because it wasn't able to identify the network interface on its own.

I hope this info can be incorporated into some FAQ's and how-to's, so that other people won't have to suffer the way I did.
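A check for the mismatch described in the message above, as an added example that is not part of the original thread: it reads a xend-config.sxp and compares the netdev= value given to network-script with the one given to vif-script, treating a missing netdev= as eth0 (the default named in the post). The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a routed Xen setup where network-script and
# vif-script are not given the same netdev= interface.

# Print the value of PARAM passed to the script configured under KEY in FILE.
# Commented-out lines are ignored; prints nothing if KEY or PARAM is absent.
sxp_script_param() {
    file=$1 key=$2 param=$3
    sed -n "s/^[[:space:]]*($key[[:space:]][[:space:]]*\(.*\))[[:space:]]*\$/\1/p" "$file" |
        tail -n 1 | tr -d "'\"" | tr ' \t' '\n\n' |
        sed -n "s/^$param=//p" | head -n 1
}

# Return 0 if both scripts use the same interface, 1 otherwise.
# Assumption taken from the thread: a script without netdev= uses eth0.
check_routed_netdev() {
    cfg=$1
    net=$(sxp_script_param "$cfg" network-script netdev)
    vif=$(sxp_script_param "$cfg" vif-script netdev)
    net=${net:-eth0}
    vif=${vif:-eth0}
    if [ "$net" = "$vif" ]; then
        echo "OK: network-script and vif-script both use $net"
        return 0
    fi
    echo "MISMATCH: network-script uses $net, vif-script uses $vif" >&2
    return 1
}

# Constructed sample input: the failing and the working settings from the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "# (network-script network-bridge)" \
        "(network-script 'network-route netdev=dmz0')" \
        "(vif-script vif-route)" > "$d/before.sxp"
    printf '%s\n' "(network-script 'network-route netdev=dmz0')" \
        "(vif-script 'vif-route netdev=dmz0')" > "$d/after.sxp"
    check_routed_netdev "$d/before.sxp" || true   # reports the mismatch
    check_routed_netdev "$d/after.sxp"            # reports OK
    rm -rf "$d"
}
demo
```

On a real dom0 the same function can be pointed at the live file, for example `check_routed_netdev /etc/xen/xend-config.sxp`.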
jim burns
2007-Dec-29 02:49 UTC
Re: [Xen-users] Routed dom0 setup problem -- second time around
On Friday 28 December 2007 08:19:38 pm Rich Wales wrote:
> Note that my non-default network interface (dmz0) is given as a parameter
> to vif-route, as well as to network-route. This point wasn't mentioned
> anywhere in any of the documentation or discussions I could find online,

Hmm - if you read between the lines the comments in xend-config.sxp about vif-BRIDGE:

    # If you have overridden the bridge name using
    # (network-script 'network-bridge bridge=<name>') then you may wish to do the
    # same here. The bridge name can also be set when creating a domain or
    # configuring a new vif, but a value specified here would act as a default.

Apparently the same rules apply to the netdev= parm, and since the -route and -nat sections are just non-commented alternatives to the -bridge section, it should be assumed the same rules for specifying bridge= and netdev= for both the network-route/nat and vif-route/nat scripts apply.

Isn't guessing what they mean fun :-) !