WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0

To: Goetz Bock <bock@xxxxxxxxxxx>
Subject: Re: [Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0
From: Robbie Dinn <robbie@xxxxxxxxxxxx>
Date: Thu, 19 Jan 2006 15:09:33 +0000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx

Goetz Bock wrote:
> I'm running Xen 3.0.0 (release, binary download) on a dualcore
> Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some
> 64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.
>
> The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and
> should stay 32bit, in order to move them back to the server.
>
> But I'm unable to use iptables, the modules are loaded, but the
> userspace tools can not communicate with the kernel.
>
> Does anyone know how to fix this, what to do?

I think I see your problem.

As I understand it you are using a 64bit DomU kernel with
32bit userspace installed on the [DomU] root filesystem.
And you have to use the 64bit DomU kernel because that is
what the 64bit Xen hypervisor requires you to use.

I have learned (from lurking on the netfilter-devel mailing
list) that 32bit userspace iptables does not work with a
64bit kernel. The 'compatibility code' is missing from the
kernel. At least one developer is working on it, but it is not
going to appear anytime soon.

Your only hope in the meantime is to use a 64bit userspace
iptables. But that isn't likely to work either because (64bit)
iptables will need all the 64bit libraries installed so it can
link against them. You won't have these installed on your 32bit
filesystem image.

I freely admit to being confused by this 32/64bit stuff.

HOWEVER...
how about this as a workaround. Don't put your firewall
rules in the DomU. Put them in the FORWARD chain on the
Dom0 machine instead.

I have done this on the Xen cluster that I run. It is not
very convenient because the DomUs can't change their
firewall rules. You have to manually update the firewall
rules on the Dom0 instead. But that inconvenience becomes
an advantage if you are wanting to run a locked down
system and you don't want or trust your DomUs to maintain
their own firewall rules.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
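
Added example (not part of the original message or from its author): a sketch of the Dom0 FORWARD-chain workaround suggested above, generating per-DomU rules from one policy list kept on Dom0. The DomU names, the 192.0.2.x addresses, the port lists and the policy itself (outbound allowed, inbound by listed TCP port, everything else dropped) are constructed assumptions; it also assumes DomU traffic actually traverses Dom0's FORWARD chain (routed networking, or bridged with bridge netfilter enabled).

```shell
#!/bin/sh
# Constructed policy, one DomU per line: name  ip  inbound-tcp-ports ("-" = none)
POLICY='web 192.0.2.10 80,443
mail 192.0.2.11 25
build 192.0.2.12 -'

# Print the iptables commands for Dom0's FORWARD chain.
# Nothing is applied here: review the output, then run it as root on Dom0.
gen_forward_rules() {
    # DomUs cannot override this default from inside the guest.
    echo 'iptables -P FORWARD DROP'
    # Replies belonging to connections that were already permitted.
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$1" | while read -r name ip ports; do
        [ -n "$name" ] || continue
        # Reject anything that is not digits and dots before it reaches a rule.
        case "$ip" in
            *[!0-9.]*|'') echo "skipping $name: bad address '$ip'" >&2; continue ;;
        esac
        # Outbound: new connections started by the DomU are allowed.
        echo "iptables -A FORWARD -s $ip -m conntrack --ctstate NEW -j ACCEPT"
        # Inbound: only the listed TCP ports.
        if [ "$ports" != "-" ]; then
            case "$ports" in
                *[!0-9,]*|'') echo "skipping ports for $name: '$ports'" >&2; continue ;;
            esac
            echo "iptables -A FORWARD -d $ip -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
}

gen_forward_rules "$POLICY"
```

Because the rules live only on Dom0, a compromised or misconfigured DomU cannot loosen them, which is the locked-down property described in the message.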
