WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] Network issues with SuSE firewall

To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Network issues with SuSE firewall
From: "Gregory Newby" <newby@xxxxxxxx>
Date: Fri, 7 Nov 2003 16:39:17 -0900
Delivery-date: Sat, 08 Nov 2003 01:42:48 +0000
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: <E1AIHng-0003MI-00@xxxxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <20031108010722.GB1727@xxxxxxxxxxxxxxxxxxx> <E1AIHng-0003MI-00@xxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.1i
I hope folks on the xen-devel list don't mind all these
messages.  I think it's been fascinating to see answers to
all these questions, and hope you agree.  My view is that
the mailing list archive is, currently, a strong supplement
to the documentation :-)

More:

On Sat, Nov 08, 2003 at 01:22:03AM +0000, Ian Pratt wrote:
> 
> > > > $ xenctl script -f/etc/xen-mydom  (the default script)
> > > > $ xenctl domain start -n2
> > > 
> > > The /etc/xen-mydom should automatically start the domain.
> > 
> > It doesn't.  (You saw my prior "xenctl domain list" output, which said
> > it was stopped.)
> 
> This is really odd. The last line of the script contains a
> "domain start". Is there a missing LF or something?

No, the file looks OK, but the answer below about /usr probably
explains this.

> > > > As I mentioned in my other message, it would be great to be able to
> > > > see console messages, but they are either being firewalled or
> > > > otherwise redirected.
> > > 
> > > Have you been using xen_read_console?  You should be able to
> > > watch the other domain booting, and check that it comes up OK.
> > 
> > I run it (in the background) but never see anything.  Even
> > when I reboot, I don't get shutdown messages (they don't
> > appear on the physical console).
> 
> Very odd. Any chance you can get a serial line on the system?
> The other domain's boot messages should also come out on serial.

Yes, I brought in a null modem.  I'll try this.

> > > Please can you send me the output from running xenctl, and the
> > > console message from the booting domain.
> > 
> > Yep.  Maybe the output from the "xenctl script..." startup is
> > informative.  This is with the default /etc/xen-mynewdom, containing:
> 
> I take it that you're wanting to boot with the initrd copied
> off the CD, and use the CD for the new domain's /usr ?

Huh?  No, that's the first I heard about that.

I'm using the standard /usr

This could explain a lot.  How am I supposed to make
the CD's /usr available to the domains?

All I did was copy the xeno-clone/install/bin/ programs
to /usr/local/bin , and the xen_nat_enable from the CD
to /usr/local/bin


> > peabody(root) ~ [6] > telnet 169.254.1.3 22
> > Trying 169.254.1.3...
> > telnet: connect to address 169.254.1.3: Connection refused
> 
> AFAIK, Our CD doesn't run a telnetd by default. There should be
> an sshd, but I think your problem lies elsewhere...

sshd listens on port 22.  By "telnet HOSTNAME 22" I'm trying
to connect to the ssh port.  The advantage of doing it this way
is that the client & negotiation don't matter...  just the
ability to connect.

The NAT rules in iptables redirect port 22 on 169.254.1.3
(in this case) to port 2203 on 169.254.1.0.  So, theoretically,
"telnet 169.254.1.3 22" is the same as "telnet 169.254.1.0 2203".
To actually login,
        ssh root@xxxxxxxxxxx
or      ssh -p 2203 root@xxxxxxxxxxx

(right?)

> Connection refused is a slightly odd message. If the domain was
> totally dead, I'd expect the telnet to hang. 
> 
> What happens if you run tcpdump in domain0. Do you see any
> packets arriving at 169.254.1.0 ?

Yes.  Here is "grep 169" from a tcpdump log while I tried (from
domain0) "telnet 169.254.1.3 22" (yes, the arp reply matches 
eth0's MAC):

16:27:44.364911 peabody.arsc.edu.1028 > 137.229.18.15.domain:  49905+ PTR? 3.1.254.169.in-addr.arpa. (42) (DF)
16:27:44.366554 arp who-has 169.254.1.3 tell 169.254.1.0
16:27:44.366633 arp reply 169.254.1.3 is-at 0:b0:d0:df:fa:ed
16:27:44.366644 169.254.1.0.1041 > 169.254.1.3.ssh: S 2092748429:2092748429(0) win 5840 <mss 1460,sackOK,timestamp 283781 0,nop,wscale 0> (DF) [tos 0x10]
16:27:44.366727 169.254.1.3.ssh > 169.254.1.0.1041: R 0:0(0) ack 2092748430 win 0 (DF) [tos 0x10]
16:27:44.367337 peabody.arsc.edu.1028 > 137.229.18.15.domain:  28243+ PTR? 3.1.254.169.in-addr.arpa. (42) (DF)

  -- Greg


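The diagnostic point in the exchange above is that "Connection refused" and a hanging telnet mean different things: a refused connect means some TCP stack at the target address sent a RST, whereas a dead or firewalled target produces SYN retransmits and no reply at all. The following triage script is an added example, not code from the original message or from the Xen project. It parses tcpdump output in the old `src.port > dst.port: flags` format shown above, groups packets into client-to-server flows and labels each one "open", "refused" or "no-reply". The sample input is constructed: it embeds the SYN/RST pair from the message (wrapped lines joined) plus two hypothetical flows, one to 169.254.1.4 that never answers and one to 169.254.1.0:2203 that completes a handshake, so that all three verdicts appear.

```python
import re
from dataclasses import dataclass

# Constructed sample. The first two TCP lines are the SYN/RST exchange from
# the message; the ARP/DNS lines are there to show they are skipped. The
# 169.254.1.4 and :2203 flows are hypothetical, added for contrast.
SAMPLE = """\
16:27:44.364911 peabody.arsc.edu.1028 > 137.229.18.15.domain:  49905+ PTR? 3.1.254.169.in-addr.arpa. (42) (DF)
16:27:44.366554 arp who-has 169.254.1.3 tell 169.254.1.0
16:27:44.366633 arp reply 169.254.1.3 is-at 0:b0:d0:df:fa:ed
16:27:44.366644 169.254.1.0.1041 > 169.254.1.3.ssh: S 2092748429:2092748429(0) win 5840 <mss 1460,sackOK,timestamp 283781 0,nop,wscale 0> (DF) [tos 0x10]
16:27:44.366727 169.254.1.3.ssh > 169.254.1.0.1041: R 0:0(0) ack 2092748430 win 0 (DF) [tos 0x10]
16:28:01.100000 169.254.1.0.1042 > 169.254.1.4.ssh: S 1:1(0) win 5840 <mss 1460> (DF)
16:28:04.100000 169.254.1.0.1042 > 169.254.1.4.ssh: S 1:1(0) win 5840 <mss 1460> (DF)
16:28:10.000000 169.254.1.0.1043 > 169.254.1.0.2203: S 7:7(0) win 5840 <mss 1460> (DF)
16:28:10.000100 169.254.1.0.2203 > 169.254.1.0.1043: S 9:9(0) ack 8 win 5792 <mss 1460> (DF)
16:28:10.000200 169.254.1.0.1043 > 169.254.1.0.2203: . ack 1 win 5840 (DF)
"""

# Old-style tcpdump TCP line: "<ts> <host>.<port> > <host>.<port>: <flags> <rest>".
# Non-TCP lines (arp, DNS queries) fail to match and are ignored.
TCP_LINE = re.compile(
    r"^(\S+)\s+(\S+)\.(\w+)\s+>\s+(\S+)\.(\w+):\s+([SR.PF]+)(.*)$"
)
ACK_WORD = re.compile(r"\back\b")  # word-bounded, so "sackOK" does not count


@dataclass
class Flow:
    syns: int = 0          # client SYNs seen (retransmits increment this)
    rst: bool = False      # server answered with RST
    synack: bool = False   # server answered with SYN+ACK


def parse_line(line):
    """Return (src, dst, flags, has_ack) for a TCP line, else None."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    _ts, sh, sp, dh, dp, flags, rest = m.groups()
    return (sh, sp), (dh, dp), flags, bool(ACK_WORD.search(rest))


def classify(text):
    """Map 'src:port->dst:port' to 'open', 'refused' or 'no-reply'."""
    flows = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags, has_ack = parsed
        if "S" in flags and not has_ack:
            # A bare SYN opens (or retransmits into) a client->server flow.
            flows.setdefault((src, dst), Flow()).syns += 1
        elif (dst, src) in flows:
            # Packet travelling server->client for a flow we have seen.
            flow = flows[(dst, src)]
            if "R" in flags:
                flow.rst = True
            elif "S" in flags and has_ack:
                flow.synack = True

    verdicts = {}
    for (src, dst), flow in flows.items():
        key = f"{src[0]}:{src[1]}->{dst[0]}:{dst[1]}"
        if flow.synack:
            verdicts[key] = "open"       # listener present, handshake completed
        elif flow.rst:
            verdicts[key] = "refused"    # a stack answered, nothing listening there
        else:
            verdicts[key] = "no-reply"   # filtered or dead: client would hang
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(f"{verdict:9} {flow}")
```

Run it against a real capture with `tcpdump -n -l | python3 triage.py`-style piping after swapping `SAMPLE` for `sys.stdin.read()`. A "refused" verdict is the useful signal in the thread's situation: a RST can only come from a host that received the SYN, and the ARP reply in the trace shows 169.254.1.3 answering with eth0's own MAC, so the next checks are the NAT table hit counters (`iptables -t nat -L -n -v`) and whether anything is actually listening on 2203 (`netstat -ltn`).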
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel