[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] iptables and ipvsadm in domU



On Tue, 2007-05-01 at 16:33 -0700, Fong Vang wrote:
> The documentation for Xen mentions that iptables in dom0 may affect
> domUs.  If iptables and ipvsadm is heavily used in a domU, how does
> this impact dom0?
> 
> In my particular case, I want both dom0 and ONE domU (FW_domu) to be
> visible to the external network (eth1).  There will be several other
> domU's that will be behind FW_domU).   
> 
> as far as the domUs are concerned, this is the layout.
> 
>        FW_domU
>           |
>        LB_domU
>           |
>     +-----+--+--------+
>     |        |        | 
>     domU1    domU2   domU3

I would combine the FW and LB. If this is just http/https load balancing
try pound first, http://apsis.ch/pound/ . You will end up with far less
moving parts that can break. Since this is all on one physical server,
anyway, there isn't much sense in breaking them up. 

I'm not saying what you sketched won't work though. With only 3 nodes
you shouldn't run into too much spaghetti. Odd breakage happens more
when you have more nodes, and more NATing around the LB directly to the
guests.

Were you going to use a popular FW helper like Shorewall, or put
something together yourself? Did you figure on using two bridges?

> what's the best way to set this up.  LB_domU runs LVS (ipvsadm).  Is
> this configuration even supported in Xen.

Sure, as long as there is modular support for everything you want to do
(and corresponding modules to load) on the dom-u for iptables, its no
different than anything else for most purposes.

Good luck :)
--Tim


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.