xen-users
Re: [Xen-users] Dummy ethernet device setup
Hello Philipp,

Philipp Jäggi wrote:
> So, my question is about how to setup cleanly the bridges, the veth2. I
> don't want to create a shell script that makes all the necessary steps as
> I perform it in the shell. So where do I specify the bridge configuration,

You can setup a bridge in /etc/network/interfaces (or wherever your
interfaces are described in your distro) like any other interface.
I have used that on my home firewall, e.g.:

auto xen-br0
iface xen-br0 inet static
    address 192.168.137.254
    # hwaddress ether 00:00:00:78:bd:01
    netmask 255.255.255.0
    network 192.168.137.0
    broadcast 192.168.137.255
    pre-up brctl addbr xen-br0
    post-down brctl delbr xen-br0

Only assigning the MAC address to the bridge seems not to work,
everything else does. Of course you have to disable the
bridge-setup-script xen uses when starting. I did not bother to find out
if xen can be forced not to start a networking script at all, so I
simply added "exit 0" to the beginning of the bridged networking script
- that is quick and dirty and works.

> where do I store the veth2 config?

I would write that into the config file for the domX.

> My idea at the moment is to
> create a folder /etc/sysconfig/xen-nework, where I store the bridge
> information and the ifcfg-veth2. But for this I need a wrapper script
> that starts all up cleanly, something like /etc/rc.d/init.d/xen-network. But
> my problem is, to find the right point in the XEN startup process, where I
> have to start the network.

That was the reason why I set up the bridge as interface with the base
system.

> Because Xen itself also starts the network for
> eth0 and eth1. This I would like to take out of the /etc/rc.d/init.d/xend
> script and paste it into my xen-network script, so that finally everything
> that belongs to network is started in one block.
> I have to do these things, because in a productive environment with just a
> couple of people working in the IT and high security requirements,
> configuration safety is everything.

Let's say, nowadays security is everything - everywhere.
But nevertheless: you could add the domUs to the bridge connected to the
physical interface and have a firewall on every domU (I use shorewall
for that kind of setup). Or have a firewall in dom0 and NAT the traffic
to the domUs. Or push the physical interface in a domU that is a
separate firewall of its own.

> That's why the whole system will be
> administrated with the help of cfengine.

What is cfengine? What does it help concerning security? I am quite
interested in these things.

> As a result of this I have to
> separate and concernat everything in clean blocks of config files and
> startup scripts. To do this I requested a guide to clean xen network
> setup, where everything works after the boot sequence... :-)
> Hope you can still help me...

We will see. :-) At least I can try. By the way, if we keep the
discussion on the list there will be more input from experienced people
- there are quite some people out there having solved the same problems.
Dirk
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
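
Added example, not part of Dirk's message: a POSIX shell check that the network and broadcast values in the bridge stanza above agree with its address and netmask, and that the pre-up/post-down hooks create and delete the same bridge. The function names (ip2int, int2ip, check_stanza, sample_stanza) are hypothetical.

```shell
# Added example: sanity-check a static bridge stanza before ifup uses it.
# All function names here are hypothetical, not part of Xen or ifupdown.
ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Read one stanza on stdin; $1 is the bridge name. Prints each problem found
# and returns non-zero if there is any. Commented-out lines are ignored.
check_stanza() (
    br=$1 rc=0 addr= mask= net= bcast= addbr= delbr=
    while read -r key val rest; do
        case $key in
            address)   addr=$val ;;
            netmask)   mask=$val ;;
            network)   net=$val ;;
            broadcast) bcast=$val ;;
            pre-up)    if [ "$val $rest" = "brctl addbr $br" ]; then addbr=1; fi ;;
            post-down) if [ "$val $rest" = "brctl delbr $br" ]; then delbr=1; fi ;;
        esac
    done
    if [ -z "$addr" ] || [ -z "$mask" ]; then echo "missing address or netmask"; exit 1; fi
    a=$(ip2int "$addr"); m=$(ip2int "$mask")
    want_net=$(int2ip $(( a & m )))
    want_bc=$(int2ip $(( (a & m) | (~m & 0xFFFFFFFF) )))
    [ "$net" = "$want_net" ]  || { echo "network should be $want_net"; rc=1; }
    [ "$bcast" = "$want_bc" ] || { echo "broadcast should be $want_bc"; rc=1; }
    [ -n "$addbr" ] || { echo "no pre-up brctl addbr $br"; rc=1; }
    [ -n "$delbr" ] || { echo "no post-down brctl delbr $br"; rc=1; }
    exit $rc
)

# The stanza from the message above, embedded so the check runs offline.
sample_stanza() {
    cat <<'EOF'
iface xen-br0 inet static
    address 192.168.137.254
    # hwaddress ether 00:00:00:78:bd:01
    netmask 255.255.255.0
    network 192.168.137.0
    broadcast 192.168.137.255
    pre-up brctl addbr xen-br0
    post-down brctl delbr xen-br0
EOF
}
sample_stanza | check_stanza xen-br0 && echo "stanza is consistent"
```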