Mailing List Archive

vifs and networking
I have a "flat" network working great, dom0 and three guests (dom1-3) I
can all ping the net from each of the 4 dom's, and each dom can ping the
other dom.

Guests one and two (dom1 and dom2) have the following config file with
nics specified at 3 and 2 respectively:

The Firewall (dom1)
# Number of network interfaces. Default is 1.
nics=3

# Optionally define mac and/or bridge for the network interfaces.
# Random MACs are assigned if not given.
vif = [ 'mac=00:00:00:00:00:10, bridge=xen-br0',
'mac=00:00:00:00:00:11', 'mac=00:00:00:00:00:12' ]
***********************************************************************
THE APP SERVER (dom2)
# Number of network interfaces. Default is 1.
nics=2

# Optionally define mac and/or bridge for the network interfaces.
# Random MACs are assigned if not given.
vif = [ 'mac=cc:00:00:00:00:10, bridge=xen-br0',
'mac=cc:00:00:00:00:11' ]

dom3, the Web Server, has the following configuration with nics and
vif commented out to use the default settings:
The Webserver dom3
# Number of network interfaces. Default is 1.
# nics=2

# Optionally define mac and/or bridge for the network interfaces.
# Random MACs are assigned if not given.
# vif = [ 'mac=bb:00:00:00:00:10, bridge=xen-br0',
#         'mac=bb:00:00:00:00:11' ]

If I un-comment the vif statement in dom3 (Webserver) then I lose
connectivity to xen-br0 and eth0 to the outside world, but I do get the
7 vif's attached to xen-br0.

What I really want is vif1.0, vif2.0 and vif3.0 attached to xen-br0,
vif1.1 and vif3.1 attached to a bridge called xen-brDMZ, and vif1.2
and vif2.1 attached to a bridge called xen-brINTERNAL.

1.) does eth0 have a limit of devices that can be attached to it ?

2.) if I un-comment out the vif statement in dom 3 (WebServer) I get all
7 vif's associated with xen-br0, but I lose connectivity to xen-br0
from dom3 (WebServer)? (dom 1 and dom 2 stay connected to xen-br0)

note to self: when adding config files to /etc/xen/auto/ they will
execute in alphabetical order by domain name, regardless if you think
the DMZ should fire up before the App server or whether you assign an
numeric order to mac's.

Thanks to all/whomever

(is there a xen unselfish advisor of the year award, I nominate Ian
Pratt)




_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: vifs and networking
On Thu, 2005-06-02 at 06:04, root wrote:
> # vif = [ 'mac=bb:00:00:00:00:10, bridge=xen-br0',
> 'mac=bb:00:00:00:00:11' ]

These are multicast MAC addresses. If you choose your own MACs then make
sure the low bit of the first byte (i.e. bb in this case) is zero. I
suggest only manually assigning MACs when you need to use DHCP;
otherwise let xend do it. You can just specify
"vif = [ 'bridge=xen-br0', ... ]"

> 1.) does eth0 have a limit of devices that can be attached to it ?

The limit will be on the bridge; this is set to 256 and 1024 in current
versions of Linux 2.4 and 2.6 respectively.

> 2.) if I un-comment out the vif statement in dom 3 (WebServer) I get all
> 7 vif's associated with xen-br0, but I lose connectivity to xen-br0
> from dom3 (WebServer)? (dom 1 and dom 2 stay connected to xen-br0)

Almost certainly use of multicast addresses, see above.

> note to self: when adding config files to /etc/xen/auto/ they will
> execute in alphabetical order by domain name, regardless if you think
> the DMZ should fire up before the App server or whether you assign an
> numeric order to mac's.

This is akin to the way most Linux distributions' initscripts work (i.e.
rcX.d). If you don't want to name the config files in alphabetical
startup order then you can name the symlink in the auto directory,
perhaps prefixing with a number:

e.g.

/etc/xen/auto/10DMZ -> ../xm-my-dmz-domain
/etc/xen/auto/20app -> ../xm-my-app-domain

HTH,

James
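The multicast check James describes, as an added example that is not part of the thread or of Xen's own tools: it pulls the vif entries out of a Xen 2.x domain config file and flags any MAC whose first octet has its low (I/G) bit set. The sample configs are constructed from the three vif lines posted above.

```python
import re

# Constructed sample input: the vif lines from the thread, in Xen's
# config-file form (a Python list literal of 'key=value, ...' strings).
SAMPLE_CONFIGS = {
    "dom1": "vif = [ 'mac=00:00:00:00:00:10, bridge=xen-br0', "
            "'mac=00:00:00:00:00:11', 'mac=00:00:00:00:00:12' ]",
    "dom2": "vif = [ 'mac=cc:00:00:00:00:10, bridge=xen-br0', "
            "'mac=cc:00:00:00:00:11' ]",
    "dom3": "vif = [ 'mac=bb:00:00:00:00:10, bridge=xen-br0', "
            "'mac=bb:00:00:00:00:11' ]",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_vifs(config_text):
    """Return one dict of key/value options per quoted entry in 'vif = [...]'."""
    m = re.search(r"vif\s*=\s*\[(.*?)\]", config_text, re.DOTALL)
    if not m:
        return []
    vifs = []
    for entry in re.findall(r"'([^']*)'", m.group(1)):
        opts = {}
        for field in entry.split(","):
            if "=" in field:
                key, val = field.split("=", 1)
                opts[key.strip()] = val.strip()
        vifs.append(opts)
    return vifs


def is_multicast_mac(mac):
    """True if the low bit of the first octet (the I/G bit) is set: a group address."""
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC: %r" % mac)
    return bool(int(mac.split(":")[0], 16) & 0x01)


def check_config(config_text):
    """Return (vif index, mac) for every vif whose hand-assigned MAC is multicast."""
    bad = []
    for idx, opts in enumerate(parse_vifs(config_text)):
        mac = opts.get("mac")          # entries without 'mac=' are assigned by xend
        if mac is not None and is_multicast_mac(mac):
            bad.append((idx, mac))
    return bad


if __name__ == "__main__":
    for dom, text in SAMPLE_CONFIGS.items():
        problems = check_config(text)
        print(dom, "OK" if not problems else "multicast MAC on vif(s) %s" % problems)
```

Run against the thread's values it reports dom1 and dom2 clean and both dom3 vifs (first octet 0xbb = 10111011) as multicast, which matches the symptom James diagnosed.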



Re: vifs and networking
root wrote:
> Thanks, that helped a lot, I am back to a "flat" network all 7 vif's
> talking to xen-br0, 4 DHCP IP addresses, all 3 domU's pinging each other
> and dom0 and the outside world.
>
> I tried to connect vif1.1 and vif2.1 to the bridge xen-brDMZ and vif1.2
> and vif3.1 to the bridge xen-brINT. I got some error that iptables was
> not installed. I activated iptables 1.2.11 (Fedora Core 3 for dom0 and
> all three domU's) in both dom0 and domU. Now in dom 0 and domU I get:
>
> FATAL: Module ip_tables not found.
> iptables v1.2.11: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> When I boot to the non-xen kernel iptables is started and enter
> iptables -L it shows the rules. When I boot to xen0, or any domU,
> kernel the status of iptables is stopped. Restart and iptables -L i get
> the above error.

The default configs for our dom0 and domU kernels have CONFIG_KMOD set,
which should allow the relevant modules to be automatically loaded when
the iptables command is run.

Can you check you have the modules installed in dom0 correctly and that
/lib/modules/2.6.11.11-xen0/kernel/net/ipv4/netfilter/ (varied for your
kernel version) is full of modules including ip_tables.ko and
iptables_netfilter.ko. You could also try a 'depmod -a' and reboot.

Our default domU config doesn't include netfilter so rebuild the domU
kernel (remember to use ARCH=xen in all Linux 'make' invocations) to
include the required options. (You should also be able to use a dom0
kernel and /lib/modules tree for a domU. The former has the needed
netfilter modules.)

> Is there a step-by-step on how to get iptables running on dom0 and
> domU?

In general setting up iptables is the same on Xen domains as it is on
multiple physical boxes. The main gotchas are:

1. The interface that dom0 sees as its external interface is the name
of the bridge it attaches to (usually xen-br0).
2. The bridging in dom0 interacts with iptables. Even bridged packets
traverse some chains (this will apply to non-xen boxes using Linux
bridging too).

> Thanks again this forum is indispensable.

Even more so if you reply to the list rather than just to me :-). Please
can you post with a legitimate email address rather than
root@xen0.localdomain.

> (I could put a firewall box in front of this 4 OS box, but I think
> there has to be a way to get this DMZ to work on one box in xen. [I
> this multi zoned network working on one box in VMWare 5.0])


James

vifs and networking
1.) files in /lib/modules/2.6.10-xen0/kernel/net/ipv4/netfilter/
(James you are correct conntrack not "connecttrack")
ip_conntrack_ftp.ko
ip_conntrack.ko
ip_tables.ko

2.) which .config file?

Thanks




Mike & Deb Hoesing wrote:
> Thanks James
> My /lib/modules/2.6.10-xen0/build/include/linux/netfilter directory has
> the file ip_tables.ko but does not have the file iptables_netfilter.ko.

Oops, my Monday morning mistake (I should have actually looked at a
machine first): should be iptable_filter.ko.

> depmod -av complains that ip_connecttrack can not find
> ip_connecttrack_expect_related
> ip_connecttrack_expect_put
> ip_connecttrack_expect_allocate
> ip_connecttrack_helper_register
> ip_connecttrack_helper_unregister

(I assume they were all "conntrack"?)

Interesting, those functions are implemented by that module as far as I
know.

Did you build your own xen0 kernel? If so, can you post your .config as
an attachment and maybe also a listing of
/lib/modules/2.6.10-xen0/kernel/net/ipv4/netfilter/



Re: vifs and networking
Mike & Deb Hoesing wrote:
> 1.) files in /lib/modules/2.6.10-xen0/kernel/net/ipv4/netfilter/
> (James you are correct conntrack not "connecttrack")
> ip_conntrack_ftp.ko
> ip_conntrack.ko
> ip_tables.ko

But no iptable_filter.ko?

> 2.) which .config file?

The one you used for building linux-2.6.10-xen0. (Assuming you build the
kernel yourself. If not, did you use xen-2.0.5-install.tgz from the
Cambridge web page?)

James

vifs and networking
Mike & Deb Hoesing wrote:
> 1.) files in /lib/modules/2.6.10-xen0/kernel/net/ipv4/netfilter/
> (James you are correct conntrack not "connecttrack")
> ip_conntrack_ftp.ko
> ip_conntrack.ko
> ip_tables.ko

But no iptable_filter.ko?
****************************************************************
From the suggestion above I copied iptable_filter.ko
from /lib/modules/2.6.11-xen0/kernel/net/ipv4/netfilter
to /lib/modules/2.6.10-xen0/kernel/net/ipv4/netfilter
(I don't know why I even have a 2.6.11 build, I followed the
instructions in the Jerone Young post for a specific 2.6.10 build?)
****************************************************************


2.) which .config file?

The one you used for building linux-2.6.10-xen0. (Assuming you build the
kernel yourself. If not, did you use xen-2.0.5-install.tgz from the
Cambridge web page?)
****************************************************************
I found .config files in :
/lib/modules/2.6.11-xen0/build/
/lib/modules/2.6.11-1.14_FC3/build/
/lib/modules/2.6.11-xenU/build/
/lib/modules/2.6.9-1.667/build/
(but not in 2.6.10-xen0)
I did find /boot/config-2.6.10-xen0 and
/boot/config-2.6.10-xenU

*****************************************************************

Thanks again for the help, this is appreciated, we are seeing some
tremendous academic (no budget) applications when we get this working.

Mike








Re: vifs and networking
So:

Did the module copy from 2.6.11 to 2.6.10 (!) fix the problem?

You seem to have a bizarre mix of different xenlinux kernel versions
hanging around. I've lost track of which version(s) were causing
trouble. I'd be very tempted to clean everything up and start afresh to
avoid any confusion.

James
