Xen project Mailing List

On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx> wrote:

My actual question (of how to do the same under CentOS 5.8 + GITCO_Xen_4.1.2) will be a followup to this posting.

A few issues have arisen, attempting to duplicate this technique under more recent versions of Xen & their corresponding tools.

Installation process is:

Base CentOS 5.7 install.

# cd /etc/yum.repos.d

# wget http://www.gitco.de/repo/GITCO-XEN4.1.2_x86_64.repo

# yum update

# yum groupinstall Xen

# vi /etc/grub.conf

--> default = 0

# rm /etc/libvirt/qemu/network/autostart/default.xml

# chkconfig --list NetworkManager

# chkconfig --list network

# cd /etc/sysconfig/network-scripts

# cp ifcfg-eth0 ifcfg-xenbr0

# vi ifcfg-eth0

--> DEVICE=eth0

--> HWADDR= (preserve setting)

--> >

--> BRIDGE=xenbr0

--> NM_CONTROLLED=no

--> remove all other lines

# vi ifcfg-xenbr0

--> remove HWADDR line

--> preserve all other lines

--> DEVICE=xenbr0

--> TYPE=Bridge

--> DELAY=0

--> NM_CONTROLLED=no

The preceding installation notes install a base operating system, removes the virtual bridge & private (NAT) network default for libvirt, and duplicates the xenbr0 needed for a "physically bridged ethernet" setting used in virt-manager for installation. Using these steps, NetworkManager is not activated, as confirmed by the chkconfig --list commands.

Both "xm" and "xl" tool sets appear to be available.

Using CentOS 5.7 and the "Virtualization" groupinstall (or CentOS 5.8 and the "Xen" groupinstall), I have successfully achieved implementing firewalls at the host dom0 for each guest domU, using iptables and the default vif-bridge scripts, and a named vif= configuration in the xm .cfg file.

Using virt-manager to create virtual machines, it does not appears to create the /etc/xen/XYZZY.cfg file which allow changing of the vif= parameter setting, nor the addition of drives after the fact while using a configuration file. What is the right way to accomplish this? I realize I can work around the named-vif technique using the (new) "xm domid XYZZY" command.

I also have used the .CFG file to "clone" a virtual machine, with suitable changes in uuid, mac address, drive block-storage specifications and name. What is the right way to accomplish this?

The output from "iptables -L -n -v" is subtly different, related to physdev matching.

Under CentOS xen 3.1,

Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)

pkts bytes target prot opt in out source destination

1952M 290G XYZZY all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in peth0 --physdev-out XYZZY

2306M 13T ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in XYZZY

Under CentOS xen 4.1.2,

[root@xm00 ~]# iptables -L -n -v

Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged

What changes are necessary for the FORWARD chain to run the XYZZY firewall matching rules BEFORE passing on the packets in the ACCEPT rules?

Additional information:

[root@xm00 ~]# xm list

Name ID Mem VCPUs State Time(s)

Domain-0 0 768 1 r----- 259.8

W2008BASE 1 2048 1 r----- 1.1

[root@xm00 ~]# brctl show

bridge name bridge id STP enabled interfaces

xenbr0 8000.00a0cc62a23f no vif1.0

tap1.0

eth0

[root@xm00 ~]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:A0:CC:62:A2:3F

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:51748 errors:1 dropped:0 overruns:0 frame:0

TX packets:1480 errors:3 dropped:0 overruns:0 carrier:3

collisions:0 txqueuelen:1000

RX bytes:10843019 (10.3 MiB) TX bytes:214447 (209.4 KiB)

Interrupt:20 Base address:0xe000

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:8 errors:0 dropped:0 overruns:0 frame:0

TX packets:8 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

tap1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:11 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:500

RX bytes:0 (0.0 b) TX bytes:1278 (1.2 KiB)

vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF

UP BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:500

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

xenbr0 Link encap:Ethernet HWaddr 00:A0:CC:62:A2:3F

inet addr:10.110.210.50 Bcast:10.110.210.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:51745 errors:0 dropped:0 overruns:0 frame:0

TX packets:1515 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:10085885 (9.6 MiB) TX bytes:219145 (214.0 KiB)

[root@xm00 ~]# xm info

host : xm00.h.heroengine.net

release : 2.6.18-308.4.1.el5xen

version : #1 SMP Tue Apr 17 17:49:15 EDT 2012

machine : x86_64

nr_cpus : 4

nr_nodes : 1

cores_per_socket : 4

threads_per_core : 1

cpu_mhz : 2400

hw_caps : bfebfbff:20100800:00000000:00000940:0000e3bd:00000000:00000001:00000000

virt_caps : hvm

total_memory : 3327

free_memory : 2518

free_cpus : 0

xen_major : 4

xen_minor : 1

xen_extra : .2

xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64

xen_scheduler : credit

xen_pagesize : 4096

platform_params : virt_start=0xffff800000000000

xen_changeset : unavailable

xen_commandline : dom0_mem=786432 dom0_max_vcpus=1

cc_compiler : gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)

cc_compile_by : root

cc_compile_domain : gitco.tld

cc_compile_date : Wed Nov 9 22:31:30 CET 2011

xend_config_format : 4

[root@xm00 ~]# rpm -q -a | egrep "xen|libvirt|iptables|kernel"

xen-libs-3.0.3-135.el5_8.2

xen-libs-4.1.2-1.el5

libvirt-client-0.9.4-1

libvirt-0.9.4-1

xen-4.1.2-1.el5

libvirt-0.8.2-25.el5

kernel-2.6.18-274.el5

iptables-1.3.5-9.1.el5

iptables-ipv6-1.3.5-9.1.el5

kernel-2.6.18-308.4.1.el5

libvirt-python-0.9.4-1

kernel-xen-2.6.18-308.4.1.el5

plugh# xm info
host : plugh

release : 2.6.18-274.17.1.el5xen
version : #1 SMP Tue Jan 10 18:06:37 EST 2012

machine : x86_64
nr_cpus : 16
nr_nodes : 1

sockets_per_node : 2
cores_per_socket : 4
threads_per_core : 2

cpu_mhz : 2400
hw_caps : bfebfbff:2c100800:00000000:00000940:029ee3ff:00000000:00000001

total_memory : 32755
free_memory : 0
node_to_cpu : node0:0-15

xen_major : 3
xen_minor : 1
xen_extra : .2-274.17.1.el5

xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_pagesize : 4096

platform_params : virt_start=0xffff800000000000
xen_changeset : unavailable
cc_compiler : gcc version 4.1.2 20080704 (Red Hat 4.1.2-51)
cc_compile_by : mockbuild

cc_compile_domain : centos.org
cc_compile_date : Tue Jan 10 17:17:20 EST 2012

xend_config_format : 2

plugh# rpm -q -a | egrep "xen|libvirt|iptables|kernel"

kernel-2.6.18-274.el5
libvirt-0.8.2-22.el5
xen-libs-3.0.3-132.el5_7.2

iptables-ipv6-1.3.5-5.3.el5_4.1
libvirt-python-0.8.2-22.el5
kernel-xen-2.6.18-274.17.1.el5

libvirt-0.8.2-22.el5
kernel-headers-2.6.18-274.18.1.el5
iptables-1.3.5-5.3.el5_4.1

kernel-2.6.18-274.17.1.el5
xen-libs-3.0.3-132.el5_7.2
xen-3.0.3-132.el5_7.2

plugh# brctl show
bridge name bridge id STP enabled interfaces

xenbr0 8000.feffffffffff no XYZZY
vif0.0

peth0

plugh# xm list

Name ID Mem(MiB) VCPUs State Time(s)
XYZZY 1 31744 16 r----- 1211120.0

Domain-0 0 369 16 r----- 241894.7

plugh# ifconfig

XYZZY Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1

RX packets:2305072735 errors:0 dropped:0 overruns:0 frame:0
TX packets:1951016493 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:500
RX bytes:12515299595253 (11.3 TiB) TX bytes:317211039272 (295.4 GiB)

eth0 Link encap:Ethernet HWaddr 78:2B:CB:6D:59:9A
inet addr:127.128.129.130 Bcast:127.128.129.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2781233 errors:0 dropped:0 overruns:0 frame:0

TX packets:2965482 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

RX bytes:277225631 (264.3 MiB) TX bytes:664291498 (633.5 MiB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:91216 errors:0 dropped:0 overruns:0 frame:0
TX packets:91216 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0
RX bytes:21207426 (20.2 MiB) TX bytes:21207426 (20.2 MiB)

peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1

RX packets:1953731878 errors:0 dropped:0 overruns:0 frame:0
TX packets:9393179558 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000
RX bytes:327141737804 (304.6 GiB) TX bytes:13053452783524 (11.8 TiB)

Interrupt:23 Memory:da000000-da012800

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet addr:172.16.128.254 P-t-P:172.16.128.253 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1

RX packets:2965480 errors:0 dropped:0 overruns:0 frame:0
TX packets:2781233 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0
RX bytes:664291294 (633.5 MiB) TX bytes:277225631 (264.3 MiB)

xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1

RX packets:78311 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0
RX bytes:3597130 (3.4 MiB) TX bytes:0 (0.0 b)

Re: [Xen-users] Implementing firewall functionality in dom0 host on behalf of domU guests