[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Jean Baptiste FAVRE <xen-users@xxxxxxxxxxx>
Date: Tue, 21 Dec 2010 09:24:37 +0100
Delivery-date: Tue, 21 Dec 2010 00:25:47 -0800
List-id: Xen user discussion <xen-users.lists.xensource.com>

Le 20/12/2010 23:00, Peter Viskup a écrit :
> On 12/20/2010 10:46 PM, Jean Baptiste FAVRE wrote:
>> Le 20/12/2010 21:02, Simon Hobson a écrit :
>>   
>>> Jean Baptiste FAVRE wrote:
>>>
>>>     
>>>> I don't care about dom0 network as it's just near me (test machine) :)
>>>> But I do care about domU network and I'm not sure I understand your
>>>> "vif
>>>> bridged on lo-device".
>>>>        
>>> I'd suggest you try manually creating a bridge with no network
>>> interfaces attached to it*. You can add an IP address directly to the
>>> bridge interface, and then the Dom0 and any DomUs you attach to it can
>>> communicate between themselves. But with no external interface attached
>>> to the bridge, nothing will have access to an outside network other than
>>> through the firewall DomU.
>>>
>>> Apart from the lack of external NIC, this is how I run my home network.
>>> I do PCI passthrough to hide a NIC (connected to an ADSL modem) from
>>> Dom0, and all outside traffic passes though the virtual firewall in
>>> order to reach the outside world.
>>>
>>> * IRC something like this ought to do it :
>>>
>>> brctl addbr br0
>>> ip addr add w.x.y.z/n dev br0
>>> and then specify br0 when configuring VIFs in your guests.
>>>      
>> Thanks for explanations, I'll try it.
>> Regards,
>> JB
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
>>
>>    
> 
> Hello Jean,
> I am using this configuration with bridging of 'internal virtual'
> network for domU interconnection. Let me know in case you will be
> interested in and I can send you my domU config + dom0's
> /etc/network/interfaces.
> I have two servers interconnected with two Ethernet ports in bonding +
> bridge on both sides and all domU's on both servers can reach each other
> via this bridged network.
> Works pretty well.

Hello Peter,
Of course I'm interested :)

For now, I've 2 old servers for tests, both connected via 2 ethernet
ports in bonding + bridge for wan. "Lan" part is used for DRBD
replication as well as live migration.

I have documented the initial setup here:
http://publications.jbfavre.org/virtualisation/cluster-xen-corosync-pacemaker-drbd-ocfs2.en

Now I've removed heartbeat/pacemaker and am trying to harden dom0
security and domU isolation.
That's why I would like to remove network stuff from dom0, but I think I
will still have the bridge in it.

Thanks anyway,
JB

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- [Xen-users] Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE
- [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Mike Fröhner
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE
- [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Mike Fröhner
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Simon Hobson
- Re: [Xen-users] Re: Network isolation - PCI passthrough question
  - From: Jean Baptiste FAVRE

Prev by Date: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Next by Date: Re: [Xen-users] VGA Passthrough
Previous by thread: Re: [Xen-users] Re: Network isolation - PCI passthrough question
Next by thread: Re: [Xen-users] Network isolation - PCI passthrough question
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.