
[Xen-users] PV DomU kernel 2.4(.34) for IPCop


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Paul Schulze <avlex@xxxxxxx>
  • Date: Fri, 20 Jun 2008 15:05:54 +0200
  • Delivery-date: Fri, 20 Jun 2008 06:06:41 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi everyone,

I am currently in the process of setting up a firewall/access point DomU and I would like to know if there is any way to run a Linux kernel 2.4(.34)-based system as a DomU. The primary reason for this is that I want to run IPCop on such a kernel, but also that I consider kernel 2.4-based systems to be more suitable for some applications, especially for use as a firewall.

The main problem is that I can't run it in an HVM, since the setup I plan to use involves passing all the necessary PCI NICs to the DomU and my current CPU (AMD X2 e series on an AMD 780G chipset) does not support VT-d, making PCI passthrough to an HVM impossible (according to my research at least). Using network bridges is also out of the question, since I do not want the Dom0 to be aware of those devices (or at least nothing but pciback in Dom0), and the network traffic to and from the other DomUs should be handled by dummy interfaces only (whereby I still have to figure out how to isolate Dom0 from those access-wise but still let them have access to the DomUs). A future expansion of the system also includes a PCI Wifi NIC that has to be passed to the DomU to be able to configure HostAP with the firewall's web interface and isolate it from Dom0. The Dom0 itself does not need an internet connection and should only be accessible using a special dedicated DomU via network (that does not use any of the other services) or via physical access.

I also looked into the possibilities of using another firewall distribution, but the best one I could come up with is the Endian Firewall. It is based on kernel 2.6 and seems to work with Xen, but the community release is lacking some of the features I do not want to miss, like RADIUS integration (for use with an LDAP server DomU mainly, though that one is not running just yet) and Captive Portal (for easy access for neighbors and friends).

So my question now is: Does anyone know a way to make IPCop use kernel 2.6 or preferably how to run a kernel 2.4 paravirtualized system on Xen 3.2? Has anyone tried something like this before and can maybe share his experiences?

Thanks,

Paul.

P.S.: I know this setup sounds kind of paranoid, isolating Dom0 that much, and I might hit a wall somewhere because certain things are not possible yet (that's actually one of the points of this experiment, to see what Xen can do). I also realize it is pointless unless I use a system with IOMMU in a PCI passthrough setup (ultimately enabling PCI passthrough to HVM), but for me it is more like a proof of concept than a security concern for the machine in question, and I prefer to run Linux on Xen paravirtualized anyway. If anyone has some thoughts on this that he or she would like to share, I am always thankful for advice or another point of view.

--
Paul Schulze
avlex@xxxxxxx
Public Key: http://solaris-net.dyndns.org/keys/key_avlex.asc

"Making mistakes is human,
but to really fuck things up you need Computers"



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
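The post relies on pciback holding the firewall's PCI NICs in Dom0 so that only the DomU ever drives them. The following shell script is an added example, not part of Paul's message and not Xen project code: it checks the sysfs driver binding of each device before the guest is started, refuses to proceed if any NIC is still owned by a native Dom0 driver, and prints the `pci = [...]` line for a Xen 3.x DomU configuration file. It assumes the standard `/sys/bus/pci/devices/<BDF>/driver` symlink layout; the sysfs root is a parameter so the demo runs against a constructed tree (device addresses and the `native_wifi_drv` name are made up) instead of the real `/sys`.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the PCI devices meant
# for the firewall DomU are bound to pciback in Dom0, then emit the matching
# "pci = [...]" line for the DomU config. Assumes the standard sysfs layout
# /sys/bus/pci/devices/<BDF>/driver -> /sys/bus/pci/drivers/<name>.

# Print the driver bound to a PCI device under the given sysfs root, or "none".
pci_driver_of() {
    sysfs_root=$1
    bdf=$2
    link="$sysfs_root/bus/pci/devices/$bdf/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo none
    fi
}

# Return 0 only if every listed device is held by pciback (hidden from Dom0).
# One line per device is printed so a mis-bound NIC is easy to spot.
check_passthrough_ready() {
    sysfs_root=$1
    shift
    rc=0
    for dev in "$@"; do
        drv=$(pci_driver_of "$sysfs_root" "$dev")
        if [ "$drv" = "pciback" ]; then
            echo "$dev: pciback (ok)"
        else
            echo "$dev: bound to '$drv', still visible to Dom0"
            rc=1
        fi
    done
    return $rc
}

# Build the pci = [...] line for the DomU configuration from the device list.
domu_pci_line() {
    out=""
    for dev in "$@"; do
        if [ -z "$out" ]; then out="'$dev'"; else out="$out, '$dev'"; fi
    done
    echo "pci = [ $out ]"
}

# Constructed sysfs tree for offline demonstration: two NICs hidden by pciback,
# one Wifi card (assumed address 0000:03:00.0) still held by a native driver.
make_demo_sysfs() {
    root=$1
    for dev in 0000:01:00.0 0000:02:00.0 0000:03:00.0; do
        mkdir -p "$root/bus/pci/devices/$dev"
    done
    mkdir -p "$root/bus/pci/drivers/pciback" "$root/bus/pci/drivers/native_wifi_drv"
    ln -s "$root/bus/pci/drivers/pciback" "$root/bus/pci/devices/0000:01:00.0/driver"
    ln -s "$root/bus/pci/drivers/pciback" "$root/bus/pci/devices/0000:02:00.0/driver"
    ln -s "$root/bus/pci/drivers/native_wifi_drv" "$root/bus/pci/devices/0000:03:00.0/driver"
}

# Demo run against the constructed tree; on a real Dom0 pass /sys as the root.
demo() {
    root=$(mktemp -d)
    make_demo_sysfs "$root"
    check_passthrough_ready "$root" 0000:01:00.0 0000:02:00.0 0000:03:00.0 || \
        echo "refusing to start DomU: at least one device is not hidden from Dom0"
    domu_pci_line 01:00.0 02:00.0
    rm -rf "$root"
}

demo
```

On a real Dom0 the root argument is `/sys`; a device that reports a native driver here would still be usable by Dom0 and would have to be moved to pciback (via the `pciback.hide` boot parameter or the driver's `new_slot`/`bind` sysfs files) before the DomU is created.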