Linux – Xen mixed routing

linuxroutingxen

On a decidated root server with 1+X public IP addresses in a hosted environment, running Debian Lenny with Xen 3.2, I want to install multiple domUs. Bridged network route is not an option due to hosting company requirements. They recommend routed setup but as far as I can understand this requires spending two public IPs on the dom0 which I can't affort.

In my setup, X domUs will have a public facing IP address and should be reachable from the network. Other domUs should be in private subnets (e.g. 10.0.. / 192.168..) and not reachable from the outside. domUs in the same private subnets should be able to reach each other but not domUs in other private subnets. A plus would be if all traffic (incl. the domUs with public IP addresses) were routed through the dom0 which could act as firewall (iptables?).

Is there anybody who has a similar setup as I and is willing to share some configuration files and tips?

Best Answer

You should setup two bridges on dom0. You can use the standard entries in /etc/network/interfaces for this. Let's assume your real card is eth0 (and there's a DHCP server behind it) and you have bridge-utils installed. The file could look like this:

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_maxwait 0

auto br1
iface br1 inet static
    bridge_ports none
    bridge_maxwait 0
    address 192.168.0.1
    netmask 255.255.255.0

You configure /etc/xen/xend-config.sxp with network-brigde and vif-bridge. In each domU config file, you select whether you want it to have direct external access (via br0) or if it should get only access via br1. For this you can use vif lines like those:

vif = ['bridge=br0']
vif = ['bridge=br1']

Of course, you still have to setup the NAT/masquerading over br1 and the network configuration of the domU should match (i.e. those on br0 should used DHCP and those on br1 should have a static IP in my example above).

Related Solutions

Xen 3.2 networking: private and public hosts

You could simply create a virtual bridge, which is not connected to any physical interfaces for your domU3 and domU4. You other 2 domU's can have an interface on each bridge (physical and virtual) and you can use NAT on dom0 to allow domU3/4 to access the internet through the virtual bridge, by assigning it an IP in dom0. RedHat's libvirt does just this by creating a default "virbr0" which can be used for creating a private domU LAN.

With debian you can easily setup a bridge on startup by: a. installing "bridge-utils" (which you most likely already have if you have xen installed) b. adding something along the following to /etc/network/interfaces:

auto virbr0
iface br0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.1

and adding an interface to your domU's which is connected to virbr0 in your domU configuration

vif = [ "bridge=virbr0" ]

Eth1 doesn’t come up at boot on dom0

"The Xen Networking wiki and the Debian Xen wiki both point me toward using Xen's bridging scripts"

The problem with wikis is that any idiot can edit them -- and they usually do. The Debian Xen wiki page is wrong, so very, very wrong; I don't even have the heart to look at the Xen networking wiki. There used to be useful networky docs in the README.Debian for the xen-utils package, but they seem to have gone walkabout at some stage.

My answer in Bringing up network interface without IP configured in Debian, for XEN dom0 probably won't work for you because it's solving a very different problem. You should probably re-read the question to discover the differences.

That mailing list thread is full of gibberish (and Nabble's usual brain-meltingly stupid formatting) so I'm not going to try and work out exactly where you're seeing a need to put an IP address on both the interface and the bridge, but I can assure you that you don't need to do that -- just an IP address on the bridge will be perfectly sufficient.

The simple way to fix your network config is probably to:

Set (network-script network-dummy) and then chattr +i /etc/xen/xend-config.sxp (to discourage you from trying to fiddle with it any more)
Delete the br-* stanzas you have currently
Delete the gateway line from the eth0:1 stanza
/allow_hotplug/d
s/eth0/br0/; s/eth1/br1/
Add bridge_ports eth0 to your now-br0 config
Add bridge_ports eth1 to your now-br1 config
/etc/init.d/networking restart

Best Answer

Related Solutions

Xen 3.2 networking: private and public hosts

Eth1 doesn’t come up at boot on dom0

Related Topic