[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Dummy ethernet device setup

Hello Philipp,

Philipp Jäggi schrieb:
So, my question is about how to setup cleanly the bridges, the veth2. I don't want to create a shell script that makes all the necessary steps as I perform it in the shell. So where do I specify the bridge configuration,
You can setup a bridge in /etc/network/interfaces (or wherever your interfaces are described in your distro) like any other interface. 

I have used that on my home firewall, e.g.:


auto xen-br0
iface xen-br0 inet static
        address 192.168.137.254
#       hwaddress ether 00:00:00:78:bd:01
        netmask 255.255.255.0
        network 192.168.137.0
        broadcast 192.168.137.255
        pre-up brctl addbr xen-br0
        post-down brctl delbr xen-br0
Only assigning the MAC address to the bridge seems not to work, everything else does. Of course you have to disable the bridge-setup-script xen uses when starting. I did not bother to find out if xen can be forced not to start a networking script at all, so I simply added "exit 0" to the beginning of the bridged networking script - that is quick and dirty and works.
where do I store the veth2 config? 
I would write that into the config file for the domX.
My idea about is at the moment, to create a folder /etc/sysconfig/xen-nework, where I store the bridge information and the ifcfg-veth2. But for this I need a wrapper scripts that start all up cleanly, something like /etc/rc.d/init.d/xen-network. By my problem is, to find the right point in the XEN startup process, where I have to start the network.
That was the reason why I set up the bridge as interface with the base system.
Because Xen itself start also the network for eth0 and eth1. This I would like to take out of the /etc/rc.d/init.d/xend script and paste it into my xen-network script, so that finally everything that belongs to network is started in one block.
I have to do this issues, because in a productive environment with just a couple of people working in the IT and high security requirements, configuration safety is everything. 
Let's say, nowadays security is everything - everywhere.
But nevertheless: you could add the domUs to the bridge connected to the physical interface and have a firewall on every domU (I use shorewall for that kind of setup). Or have a firewall in dom0 and NAT the traffic to the domUs. Or push the physical interface in a domU that is a separate firewall of its own.
That why the whole system will be administrated with the help of cfengine.
What is cfengine? What does it help concerning security? I am quite interested in these things.
As a result of this I have to separate and concernat everything in clean blocks of config files and startup scripts. To do this I requested a guide to clean xen network setup, where everything works after the bootsquence... :-) 


Hope you can still help me...
We will see. :-) At least I can try. By the way, if we keep the discussion on the list there will be more input from experienced people - there are quite some people out there having solved the same problems. 

Dirk




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.