[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Using 32bit Debian /w 64bit DomU kernel on Xen3.0.0

Goetz Bock wrote:

I'm running Xen 3.0.0 (release, binary download) on a dualcore
Athlon64-X2 with debian sarge (3.1), AMD64 on Dom0 and some
64bit/amd64 domUs (which work fine) and some 32bit/i386 domUs.

The 32bit domUs come from my old server (old P4 with Xen 2.0.7) and
should stay 32bit, in order to move them back to the server.

But I'm unable to use iptables, the modules are loaded, but the
userspace tools can not communicate with the kernel.

Does anyone know how to fix this, what to do?


I think I see your problem.

As I understand it you are using a 64bit DomU kernel with
32bit userspace installed on the [DomU] root filesystem.
And you have to use the 64bit DomU kernel because that is
what the 64bit Xen hypervisor requires you to use.

I have learned (from lurking on the netfilter-devel mailing
list) that 32bit userspace iptables does not work with a
64bit kernel. The 'compatability code' is missing from the
kernel. At least one developer is working on it, but it is not
going to appear anytime soon.

Your only hope in the mean time is to use a 64bit userspace
iptables. But that isn't likely to work either because (64bit)
iptables will need all the 64bit libraries installed so it can
link against them. You  won't have these installed on your 32bit
filesystem image.

I freely admit to being confused by this 32/64bit stuff.

HOWEVER...
how about this as a work around. Don't put your firewall
rules in the DomU. Put them in the FORWARD chain on the
Dom0 machine instead.

I have done this on the Xen cluster that I run. It is not
very convenient because the DomU's can't change their
firewall rules. You have to manually update the firewall
rules on the Dom0 instead. But that inconvenience becomes
an advantage if you are wanting to run a locked down
system and you don't want or trust your DomU's to maintain
their own firewall rules.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.