Hello everybody,

I have two physical machines running at a provider. Each of them has 2 physical network cards. Eth0 is connected to the internet and eth1 connects the two machines directly. As you may divine, we would like to have a highly available setup. But because the provider does not allow moving the IPs of one machine to the other, and for security reasons, I decided to run the virtual machines with a bridged private network on eth1 and masquerade the virtual machines which need internet access or which the outside world needs to access.

The idea behind it: if the machine where the webserver resides fails, the server moves to the other machine, and there heartbeat starts an emergency nameserver as well, which provides the new official IPs. The nameservers have a short TTL, so after about 10 minutes the new IPs should be known by everyone. So far everything works fine. But I have two problems.

The first one: I can not access the service which is running on the virtual machine with its official IP on the same machine or in dom0. E.g. the virtual machine runs a webserver and has the IP 192.168.1.10. It has to be reachable by the outside world with the IP 10.0.0.10. On dom0 I do a

    -A PREROUTING -d 10.0.0.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10

to assign the official address to the virtual machine and a

    -A POSTROUTING -s 192.168.1.10/32 -d ! 192.168.1.0/24 -j SNAT --to-source 10.0.0.10

so that the virtual machine gets internet access. If I now try to access the website with lynx on the virtual machine with the IP 10.0.0.10 I get a timeout. On dom0 lynx tells me the site is not reachable. On the other side a ping or traceroute is working.

The second problem affects the mailserver, which is running on a virtual machine as well. Some clients tell me now that they are sometimes not able to send emails with an attachment. The attachment is not that big, maybe 1-4 MB. But if the client tries to send the mail, he gets a timeout after a while. Sometimes after 10%, sometimes after 99% of the upload, and sometimes the same mail gets through. I can not reproduce the problem. If I try to send an email with an attachment it gets through all the time. But it seems to have something to do with the masquerading. On another machine with XEN and the same setting of the mailserver but without masquerading the clients have no problem sending mails with huge attachments.

Maybe somebody has an idea what I'm doing wrong. Thanks in advance.

By Michael

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
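The first problem (the service is unreachable through its official address from dom0 and from the private network) is the classic "hairpin NAT" case: a DNAT rule in PREROUTING only sees packets that arrive on an interface, and a DomU that reaches 10.0.0.10 gets its DNATed packet bounced back out the same bridge, so the server answers it directly and dom0's conntrack entry never sees the reply. The script below is an added example, not code from the thread: it carries the two rules quoted above plus the OUTPUT-chain DNAT and the hairpin SNAT that close both gaps. The official IP 10.0.0.10, the DomU IP 192.168.1.10 and the private net 192.168.1.0/24 are the ones from the post; the bridge name xenbr1, dom0's private address 192.168.1.1 and the FORWARD policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 NAT rules for one DomU behind a
# bridged private network, including the hairpin rules that let dom0 and the
# DomUs themselves reach the published service through its official address.
PUB_IP=10.0.0.10          # official address on eth0 (from the thread)
VM_IP=192.168.1.10        # the web server DomU (from the thread)
PRIV_NET=192.168.1.0/24   # bridged private network on eth1 (from the thread)
DOM0_PRIV_IP=192.168.1.1  # dom0's own address on the bridge (assumption)
BR=xenbr1                 # bridge interface on eth1 (assumption)
DRY_RUN=${DRY_RUN:-0}

# run CMD...: print the command instead of executing it when DRY_RUN=1,
# so the rule set can be reviewed before it touches the firewall.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # 1. Traffic from the internet to the official address: the thread's DNAT.
    #    PREROUTING also sees packets other DomUs send to 10.0.0.10 via the bridge.
    run iptables -t nat -A PREROUTING -d "$PUB_IP/32" -p tcp --dport 80 \
        -j DNAT --to-destination "$VM_IP"
    # 2. Packets generated on dom0 itself (lynx on dom0) never pass PREROUTING;
    #    they only traverse the nat OUTPUT chain, so the DNAT is repeated there.
    run iptables -t nat -A OUTPUT -d "$PUB_IP/32" -p tcp --dport 80 \
        -j DNAT --to-destination "$VM_IP"
    # 3. Hairpin: a client on the private net (including the web server itself)
    #    reaching the service via 10.0.0.10 gets its packet DNATed and routed back
    #    out the same bridge. Rewriting the source to dom0's bridge address forces
    #    the reply back through dom0, where conntrack can undo both translations.
    run iptables -t nat -A POSTROUTING -s "$PRIV_NET" -d "$VM_IP/32" -p tcp --dport 80 \
        -j SNAT --to-source "$DOM0_PRIV_IP"
    # 4. Outbound internet access for the DomU: the thread's SNAT rule, written
    #    with the current "! -d" negation syntax.
    run iptables -t nat -A POSTROUTING -s "$VM_IP/32" ! -d "$PRIV_NET" \
        -j SNAT --to-source "$PUB_IP"
}

forward_rules() {
    # Only the published port may be forwarded in, plus established traffic back.
    # Assumes the FORWARD policy is DROP. The bridge-to-bridge rule covers the
    # routed hairpin case, where the packet enters and leaves on the same bridge.
    run iptables -A FORWARD -i eth0 -o "$BR" -d "$VM_IP/32" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o "$BR" -d "$VM_IP/32" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o eth0 -s "$VM_IP/32" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply() {
    run sysctl -w net.ipv4.ip_forward=1
    nat_rules
    forward_rules
}

# Usage: "sh nat.sh show" prints the rules; "sh nat.sh apply" installs them.
# Verify afterwards with "iptables -t nat -L -n -v" and a lynx request to
# 10.0.0.10 from dom0 and from inside the DomU.
case "${1:-}" in
    apply) apply ;;
    show)  DRY_RUN=1; apply ;;
esac
```

The hairpin SNAT hides the real client address from the web server for private-net clients only; internet clients still appear with their own addresses. Keep the FORWARD chain restrictive: the DNAT alone does not limit what the outside world can reach, the FORWARD rules do.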
Hi Michael,

[Note: I don't usually do this, but I'm leaving a full quote below because I'm not going to give answers to specific sentences]

What Dom0 kernel are you using? The old non-pvops Dom0 kernel (unless it has changed in the meantime) had some non-standard hacks to avoid unnecessary checksumming of the packets between the Dom0 and DomUs. These hacks unfortunately broke Dom0 NAT. I believe the problem was that outgoing packets (the packets leaving Dom0 on an actual network card) had the wrong checksum or something like that.

In case you are using such a kernel and still want to use this kind of NAT setup without changing the kernel, I can try to dig up the kernel patch that I made for this. It adds some Xen-specific hacks to the NAT code to fix things up.

Cheers,
Christophe

> Hello everybody,
>
> I have two physical machines running at a provider. Each of them has 2
> physical network cards. Eth0 is connected to the internet and eth1
> connects the two machines directly. As you may divine, we like to have a
> high available setup. But because the provider does not allow to take
> the IPs of one machine to the other and for security reason I decided to
> run the virtual machines with a bridged private network on eth1 and
> masquerade virtual machines which needs internet access or where the
> outside world needs access. The idea behind it. If the machine where the
> webserver resides fails, the server moves to the other machine and there
> heartbeat starts an emergency nameserver as well, which provides the new
> official IPs. The nameservers have a short TTL, so after about 10
> minutes the new IPs should be known by everyone. So far everything works
> fine. But I have two problems.
> The first one. I can not access the service which is running on the
> virtual machine with its official IP on the same machine or in dom0.
> e.g. the virtual machine runs a webserver and has the IP 192.168.1.10.
> It has to be reachable by the outside world with the IP 10.0.0.10.
> On dom0 I do a
> -A PREROUTING -d 10.0.0.10/32 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.1.10
> to assign the official address to the virtual machine and a
> -A POSTROUTING -s 192.168.1.10/32 -d ! 192.168.1.0/24 -j SNAT
> --to-source 10.0.0.10
> so that the virtual machine gets internet access.
> If I now try to access the website with lynx on the virtual machine with
> the IP 10.0.0.10 I get a timeout. On dom0 lynx tells me, the site is not
> reachable.
> On the other side a ping or traceroute is working.
> The second problem affects the mailserver which is running on a virtual
> machine as well.
> Some clients tell me now, they are sometimes not able to send emails
> with an attachment. The attachment is not that big. Maybe 1-4MB. But if
> the client tries to send the mail, he gets a timeout after a while.
> Sometimes after 10%, sometimes after 99% of the upload and sometimes the
> same mail gets through. I can not reproduce the problem. If I try to
> send an email with an attachment it gets through all the time. But it
> seems to have something to do with the masquerading. On another machine
> with XEN and the same setting of the mailserver but without masquerading
> the clients have no problem to send mails with huge attachments.
> Maybe somebody has an idea what I'm doing wrong.
> Thanks in advance.
>
> By Michael
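Before rebuilding a kernel it is worth confirming that the symptom Christophe describes, wrong TCP checksums on packets leaving Dom0's physical card, is actually present. The script below is an added example and not part of the thread or of any Xen project code: it parses "ethtool -k" output to show whether TX checksum offload is active on an interface, counts checksum complaints in "tcpdump -vv" output, and can switch TX offload off on a vif as a workaround. The interface names (eth0, vif1.0) and the sample output in the comments are assumptions; the mail-server port 25 and the addresses come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose bad TCP checksums on NATed
# traffic leaving dom0 and optionally disable TX checksum offload on a vif.

# tx_csum_from_output: read "ethtool -k" output on stdin and print the state
# of TX checksumming ("on" or "off"). Both old and current ethtool versions
# print a line of the form "tx-checksumming: on".
tx_csum_from_output() {
    awk -F': ' '/^tx-checksumming:/ { print $2; exit }'
}

# tx_csum_state IFACE: live query of one interface (requires ethtool).
tx_csum_state() {
    ethtool -k "$1" | tx_csum_from_output
}

# bad_csum_count: read "tcpdump -vv" lines on stdin and count those in which
# tcpdump flags a bad IP header checksum ("bad cksum ...") or an incorrect
# TCP checksum ("cksum 0x... (incorrect -> 0x...)").
bad_csum_count() {
    grep -c -E 'bad cksum|cksum 0x[0-9a-f]+ \(incorrect' || true
}

# capture_bad_csums IFACE PORT: sample 200 packets of one TCP port on the
# external interface and count checksum complaints. Caveat: segments that
# dom0 itself generates with TX offload enabled legitimately show as
# "incorrect" here because the NIC fills the checksum in later; forwarded
# (NATed) DomU traffic should not, so look at those lines, or capture on
# the far side of the link, before drawing a conclusion.
capture_bad_csums() {
    tcpdump -nn -vv -i "$1" -c 200 "tcp port $2" 2>/dev/null | bad_csum_count
}

# disable_tx_csum IFACE: workaround, e.g. on the DomU's backend vif in dom0
# or on eth0 inside the DomU, so the checksum is computed in software before
# the packet is NATed. Re-check with tx_csum_state afterwards.
disable_tx_csum() {
    ethtool -K "$1" tx off
}

# Usage (assumed names):
#   sh csum-check.sh state vif1.0      -> prints "on" or "off"
#   sh csum-check.sh capture eth0 25   -> number of flagged packets in the sample
#   sh csum-check.sh disable vif1.0
case "${1:-}" in
    state)   tx_csum_state "$2" ;;
    capture) capture_bad_csums "$2" "$3" ;;
    disable) disable_tx_csum "$2" ;;
esac
```

If the SMTP uploads that stall correspond to flagged segments on eth0 while the same traffic on the non-NAT host shows none, the NAT checksum fix-up is the problem and the offload workaround or the kernel patch is the mitigation; if nothing is flagged, look elsewhere (MTU on the bridge, for instance) before patching the kernel.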
Hello Christophe,

thanks for your reply. I'm using the standard xen kernel which comes with debian lenny on dom0 and domu. It's 2.6.26-2-xen-amd64 #1 SMP at the moment. I don't know if this version applies to the hacks you mentioned.

On 25.09.2010 16:15, Christophe Saout wrote:
> Hi Michael,
>
> [Note: I don't usually do this, but I'm leaving a full quote below
> because I'm not going to give answers to specific sentences]
>
> What Dom0 kernel are you using? The old non-pvops Dom0 kernel (unless
> it has changed in the meantime) had some non-standard hacks to avoid
> unnecessary checksumming of the packets between the Dom0 and DomUs.
> These hacks unfortunately broke Dom0 NAT. I believe the problem was
> that outgoing packets (the packets leaving Dom0 on an actual network
> card) had the wrong checksum or something like that.
Hey Michael,

> thanks for your reply. I'm using the standard xen kernel which comes
> with debian lenny on dom0 and domu.
> It's 2.6.26-2-xen-amd64 #1 SMP at the moment.
> I don't know if this version applies to the hacks you mentioned.

I just checked and I would assume that it does, since that kernel still uses the "proto_data_valid"/"proto_csum_blank" hack in the networking stack.

If I ported my patch to that version, would that help you? (I currently have it for 2.6.19.) I mean, you could add it to the debian source package and rebuild the packages (which you would need to repeat every time you update the kernel, unless at some point Debian switches to the new pvops Dom0 kernels).

Cheers,
Christophe
Hello Christophe,

I checked the debian backports and there is a new version of the xen kernel and xen v4 available. Maybe I should switch to that version, provided that this version has the new pvops Dom0 kernel. Can you tell me how I can check this, or maybe you can check this for me? If the new kernel still uses the old hack, it would be nice if you could provide the patch for the debian kernel.

Cheers, Michael

On 25.09.2010 20:01, Christophe Saout wrote:
> Hey Michael,
>
>> thanks for your reply. I'm using the standard xen kernel which comes
>> with debian lenny on dom0 and domu.
>> It's 2.6.26-2-xen-amd64 #1 SMP at the moment.
>> I don't know if this version applies to the hacks you mentioned.
>
> I just checked and I would assume that it does, since that kernel still
> uses the "proto_data_valid"/"proto_csum_blank" hack in the networking
> stack.
>
> If I ported my patch to that version, would that help you? (I currently
> have it for 2.6.19) I mean, you could add it to the debian source
> package and rebuild the packages (which you would need to repeat every
> time you update the kernel, unless at some point Debian switches to the
> new pvops Dom0 kernels)
>
> Cheers,
> Christophe

--
Electric Solutions GbR
Rembrandtstr. 8
99099 Erfurt
Tel. Office Erfurt: 0361 / 340 41 42
Tel. Office Röttenbach bei Erlangen: 091 95 / 921 8019
Mobile: 0170 / 968 57 44
Fax: 0361 / 340 41 49
info@electric-solutions.de
www.electric-solutions.de

Further projects:
www.avanando.de
www.partytool.de
www.webfixx.net
www.preispokal.de
www.modesuche24.de
The debian squeeze kernel (2.6.32) for xen is pvops.

Regards,
Mark

On 25 Sep 2010, at 21:07, Michael Grosseck <liox@elso.mine.nu> wrote:
> Hello Christophe,
>
> I checked the debian backports and there is a new version of the xen kernel and xen v4 available.
> Maybe I should switch to that version, provided that this version has the new pvops Dom0 kernel.
> Can you tell me how I can check this, or maybe you can check this for me?
> If the new kernel still uses the old hack, it would be nice if you could provide the patch for the debian kernel.
>
> Cheers, Michael
>
> On 25.09.2010 20:01, Christophe Saout wrote:
>> Hey Michael,
>>
>>> thanks for your reply. I'm using the standard xen kernel which comes
>>> with debian lenny on dom0 and domu.
>>> It's 2.6.26-2-xen-amd64 #1 SMP at the moment.
>>> I don't know if this version applies to the hacks you mentioned.
>>
>> I just checked and I would assume that it does, since that kernel still
>> uses the "proto_data_valid"/"proto_csum_blank" hack in the networking
>> stack.
>>
>> If I ported my patch to that version, would that help you? (I currently
>> have it for 2.6.19) I mean, you could add it to the debian source
>> package and rebuild the packages (which you would need to repeat every
>> time you update the kernel, unless at some point Debian switches to the
>> new pvops Dom0 kernels)
>>
>> Cheers,
>> Christophe