Hi Marcus,
Marcus Brown wrote:
>Hi all,
>
>I've managed to set up a Xen firewall/server host.
>I used a design similar to one posted previously,
>except that my internal interfaces aren't bridged.
>It looks something like this (in my head;)):
>
>-------------------------------------------------------------------------------------------
>CURRENT SETUP
>=============
> ______________________________________
> | dom0 |
> | __________________ |
> | | Firewall | |
>Local eth0 =|========| (Shorewall) |==========|= eth1 Internet
> | |________________| |
> | vif2.0 | | vif3.0 |
> | __________|___ __|____________ |
> | | Web Server | | Mail Server | |
> | | (Apache2) | | (Courier) | |
> | |____________| |_____________| |
> |____________________________________|
>
> DETAILS:
> - Xen 2.0.7 stable
> - dom0:
> - 128MB RAM
> - Debian sid (sid has ext2resize)
> - boot and root on plain ext3 (no raid or lvm)
> - striped swap on 2 drives (64MB + 64MB)
> - all other filesystems on raid0+lvm
> - eth0 and eth1 are hidden
> - the domUs are autoloaded in order at boot time
> using numbered links in /etc/xen/auto:
> 01-Firewall --> ../Firewall
> 02-WebServer --> ../WebServer
> 03-MailServer --> ../MailServer
> - Firewall (!dom0)
> - privileged driver domain using eth0 and eth1
> - exports backend network interfaces to domUs
> - WebServer (domU)
> - 80MB RAM, 64MB swap
> - MailServer (domU)
> - 64MB RAM, 64MB swap
>
> Before you get over excited about hardware, the host is a
> P3/650 with 640MB RAM on an Asus P2B-VM with 2 x 3c905 nics,
> 2 x 4.3GB IDE, 1 x 6.4GB IDE, 1 x CD/DVD, and 1 x USB2.0 PCI.
>
> PROBLEMS:
> - As dom0 has no network access, I'm unable to update the
> system clock using ntpdate. With the clocks of the domUs
> being tied to the dom0 clock it is not possible to have
> the time automatically updated.
>
>
There was a discussion a few weeks ago about setting the time in domUs.
Quoting Ian and Franck from the thread "[Xen-users] Setting the date
not working in xen":
"echo 1 > /proc/sys/xen/independent_wallclock
ntpdate ntp0.oleane.net
independent_wallclock=1 on the kernel command line should fix this too."
As far as I understand, it is not what the Xen architects had in mind,
but it seems to work.
> - There are no hotplug events associated with the backend
> network for the driver domain, so to bring the vif interfaces
> up in the Firewall a 1 minute cron script checks vif2.0 & 3.0.
> Crude.
>
>
No idea here. Doesn't iptables allow inserting rules for interfaces that
aren't running yet?
> - The domUs can not be restarted at will as the vifs created
> in the Firewall are assigned new numbers.
>
>
Let me see if I understand you: you mean that after an xm shutdown +
xm create your vif is no longer vif2.0 but, for example, vif4.0? In this
case, try appending another option to the vif line in your domain's
config file:
vif = [ 'mac=aa:00:00:56:0e:c4, bridge=xen-br0, vifname=e.g.websv' ]
This way your domU's vif will always have the same name. There are some
more interesting options to be found in /usr/lib/python/xen/xm/create.py.
I liked your ASCII drawings ;-). Hope I could help you a little.
Regards,
Andreas
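As an added example (not code from the original post or from Xen), the following script builds `vif` entries in the syntax Andreas quotes above, checks the two things that go wrong in practice when you pin names by hand (a `vifname` longer than the kernel's 15-character limit, and a MAC that is multicast, vendor-assigned, or duplicated across domains), and offers a lookup of which expected backend names are not yet present, which is what the one-minute cron job in the original post effectively does. The domain names, MACs and bridge name are made up for illustration; `/sys/class/net` is assumed to be where the running domain lists its interfaces.

```python
"""Stable Xen vif names and a check that the backends actually exist.

Added example for this thread, not code from the original post or from
Xen. It assumes the Xen 2.x config syntax quoted in the reply
('mac=..., bridge=..., vifname=...'); the domain names, MACs and bridge
name below are made up for illustration.
"""
import os
import re

IFNAMSIZ = 16  # Linux interface-name buffer size, including the trailing NUL
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def check_mac(mac):
    """Return the MAC in lower case, or raise if it is not a usable
    unicast, locally-administered address (bit 0 clear, bit 1 set in
    the first octet); aa:00:00:... from the thread qualifies."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError("malformed MAC %r" % mac)
    first = int(mac[:2], 16)
    if first & 0x01:
        raise ValueError("%s is a multicast address" % mac)
    if not first & 0x02:
        raise ValueError("%s is not locally administered; pick one that "
                         "cannot collide with a real NIC" % mac)
    return mac


def check_vifname(name):
    """Kernel interface names are limited to IFNAMSIZ-1 characters."""
    if not _NAME_RE.match(name) or len(name) > IFNAMSIZ - 1:
        raise ValueError("bad vifname %r (max %d chars)" % (name, IFNAMSIZ - 1))
    return name


def vif_entry(mac, bridge, vifname):
    """One element of the 'vif' list in an xm domain config."""
    return "mac=%s, bridge=%s, vifname=%s" % (
        check_mac(mac), bridge, check_vifname(vifname))


def vif_config_line(entries):
    """Render the 'vif = [...]' line; refuse duplicate MACs or names,
    which would otherwise only show up as two domains fighting over
    one address once both are running."""
    macs = [e.split(",")[0] for e in entries]
    names = [e.rsplit("=", 1)[1] for e in entries]
    if len(set(macs)) != len(macs) or len(set(names)) != len(names):
        raise ValueError("duplicate mac or vifname in %r" % entries)
    return "vif = [ %s ]" % ", ".join("'%s'" % e for e in entries)


def missing_interfaces(expected, present):
    """Names from 'expected' that are not in 'present' (what a cron job or
    firewall start script would look for before applying rules)."""
    return sorted(set(expected) - set(present))


def present_interfaces(sysfs="/sys/class/net"):
    """Interface names visible to this domain; empty if sysfs is absent."""
    try:
        return os.listdir(sysfs)
    except OSError:
        return []


if __name__ == "__main__":
    # Hypothetical domains mirroring the thread's web and mail servers.
    print(vif_config_line([vif_entry("aa:00:00:56:0e:c4", "xen-br0", "websv")]))
    print(vif_config_line([vif_entry("aa:00:00:56:0e:c5", "xen-br0", "mailsv")]))
    for name in missing_interfaces(["websv", "mailsv"], present_interfaces()):
        print("backend %s is not up yet" % name)
```

With the names pinned this way, the Shorewall interface and zone definitions in the driver domain can refer to `websv` and `mailsv` directly instead of `vif2.0`/`vif3.0`, so restarting a domU no longer changes which rules apply to it.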
>-------------------------------------------------------------------------------------------
>POSSIBLE SOLUTIONS
>==================
>To get around the problems above, would I be better off with dom0
>handling some/all bridging and networks (and ntpdate)? A few posts in the
>list have suggested something like this, but I can't see how it's done.
>I can think of a few possibilities, but so far have been unable to
>implement any of them (hence this verbose and messy post;)).
>
>Option A
>========
> ________________________________________
> | ____________________ |
> | | Firewall | |
> | | (Shorewall) | |
> | |__________________| |
> | | | | |
> | ______________ | | | _______________ |
> | | Web Server | | | | | Mail Server | |
> | | (Apache2) | | | | | (Courier) | |
> | |____________| | | | |_____________| |
> | | | | | | |
> | | | | | | |
> | ___|____|_|_|____|___ |
> | | | |
>Local eth0 =|========| dom0 |=========|= eth1 Internet
> |________|___________________|_________|
>
>
> DETAILS:
> - dom0
> - eth0 and eth1 are associated with separate bridges which
> are exported to the Firewall.
> - backend network interfaces are exported to the domUs and
> associated with an internal DMZ bridge (also exported to
> the Firewall).
>
>Option B
>========
> ________________________________________
> | ____________________ |
> | | Firewall | |
> | | (Shorewall) |==========|= eth1 Internet
> | |__________________| |
> | | | |
> | ______________ | | _______________ |
> | | Web Server | | | | Mail Server | |
> | | (Apache2) | | | | (Courier) | |
> | |____________| | | |_____________| |
> | | | | | |
> | | | | | |
> | ___|____|___|____|___ |
> | | | |
>Local eth0 =|========| dom0 | |
> |________|___________________|_________|
>
> DETAILS:
> - dom0 exports a bridge with eth0 to Firewall, and
> a bridge with network backends to the domUs
>
>Option C
>========
> ________________________________________
> | ____________________ |
> | | Firewall | |
>Local eth0 =|========| (Shorewall) |==========|= eth1 Internet
> | |__________________| |
> | | |
> | ______________ | _______________ |
> | | Web Server | | | Mail Server | |
> | | (Apache2) | | | (Courier) | |
> | |____________| | |_____________| |
> | | | | |
> | | | | |
> | ___|______|______|___ |
> | | | |
> | | dom0 | |
> |________|___________________|_________|
>
>
> DETAILS:
> - dom0 exports a network backend which is bridged
> to domUs as they are brought up
>
>-------------------------------------------------------------------------------------------
>
>So far, Option C looks like a possibility ...
>however, as with this email, I got stuck :)
>
>Thanks for reading the preamble, now on to my question:
>
>QUESTION:
>I think I've explained what I want ... how do I do it?
>
>Marcus.
>
>
>_______________________________________________
>Xen-users mailing list
>Xen-users@xxxxxxxxxxxxxxxxxxx
>http://lists.xensource.com/xen-users