[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Dummy ethernet device setup

Hello Philipp,

Philipp Jäggi schrieb:

So, my question is about how to setup cleanly the bridges, the veth2. I don't want to create a shell script that makes all the necessary steps as I perform it in the shell. So where do I specify the bridge configuration,
You can setup a bridge in /etc/network/interfaces (or wherever your interfaces are described in your distro) like any other interface.

I have used that on my home firewall, e.g.:

auto xen-br0
iface xen-br0 inet static
#       hwaddress ether 00:00:00:78:bd:01
        pre-up brctl addbr xen-br0
        post-down brctl delbr xen-br0

Only assigning the MAC address to the bridge seems not to work, everything else does. Of course you have to disable the bridge-setup-script xen uses when starting. I did not bother to find out if xen can be forced not to start a networking script at all, so I simply added "exit 0" to the beginning of the bridged networking script - that is quick and dirty and works.

where do I store the veth2 config?
I would write that into the config file for the domX.

My idea about is at the moment, to create a folder /etc/sysconfig/xen-nework, where I store the bridge information and the ifcfg-veth2. But for this I need a wrapper scripts that start all up cleanly, something like /etc/rc.d/init.d/xen-network. By my problem is, to find the right point in the XEN startup process, where I have to start the network.
That was the reason why I set up the bridge as interface with the base system.

Because Xen itself start also the network for eth0 and eth1. This I would like to take out of the /etc/rc.d/init.d/xend script and paste it into my xen-network script, so that finally everything that belongs to network is started in one block.

I have to do this issues, because in a productive environment with just a couple of people working in the IT and high security requirements, configuration safety is everything.
Let's say, nowadays security is everything - everywhere.
But nevertheless: you could add the domUs to the bridge connected to the physical interface and have a firewall on every domU (I use shorewall for that kind of setup). Or have a firewall in dom0 and NAT the traffic to the domUs. Or push the physical interface in a domU that is a separate firewall of its own.

That why the whole system will be administrated with the help of cfengine.

What is cfengine? What does it help concerning security? I am quite interested in these things.

As a result of this I have to separate and concernat everything in clean blocks of config files and startup scripts. To do this I requested a guide to clean xen network setup, where everything works after the bootsquence... :-)

Hope you can still help me...
We will see. :-) At least I can try. By the way, if we keep the discussion on the list there will be more input from experienced people - there are quite some people out there having solved the same problems.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.