Saturday, December 1, 2007

Xen Network bridging with hiding interfaces from Dom0

I don't usually allow all network interfaces in Dom0 to be up and running with an IP address on them. I use those interfaces to bridge network traffic to the guests. The default Xen scripts bring up those interfaces in Dom0 and add them to the specified bridges. To prevent this I use the configuration below. Having multiple interfaces on Dom0 also disturbs my routing.

- Copy /etc/xen/scripts/network-bridge to /etc/xen/scripts/network-bridge-noifup. Edit /etc/xen/scripts/network-bridge-noifup and comment out the "do_ifup ${bridge}" lines (lines 201 and 228).

- Edit /etc/xen/xend-config.sxp and change

(network-script network-bridge)

To

(network-script network-bridge-custom)

- Create /etc/xen/scripts/network-bridge-custom with the contents below. This is taken from my system, which has four interfaces.

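#!/bin/sh
# xend passes the action (start/stop/status) as $1.
# eth0 uses the stock script, so it stays configured in Dom0.
/etc/xen/scripts/network-bridge "$1" netdev=eth0 bridge=xenbr0 vifnum=0
# eth1-eth3 use the copy with do_ifup commented out: bridged, but not brought up in Dom0.
/etc/xen/scripts/network-bridge-noifup "$1" netdev=eth1 bridge=xenbr1 vifnum=1
/etc/xen/scripts/network-bridge-noifup "$1" netdev=eth2 bridge=xenbr2 vifnum=2
/etc/xen/scripts/network-bridge-noifup "$1" netdev=eth3 bridge=xenbr3 vifnum=3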

I usually reboot the system after making this sort of change.

After this I export these devices to guests through the vif = parameter in the guest configuration file, e.g.:

vif = [ "mac=00:16:3e:7b:0e:a4,bridge=xenbr0", "mac=xx:xx:xx:xx:xx:xx, bridge=xenbr1" ]

This has worked very nicely for me.
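
A check for the result of the steps above, as an added example that is not part of the original post: it reads `ip -o addr show` output and lists any address still bound in Dom0 to the interfaces meant to be hidden. The interface list follows the post's four-NIC layout; the function names, the script name and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm that guest-facing interfaces hold no address in Dom0.

# Assumption: the post's four-NIC layout, where only eth0/xenbr0 is meant to
# be reachable in Dom0. Both NIC and bridge names are listed because the
# device that would carry the address may depend on the Xen script version.
HIDDEN_IFACES="eth1 eth2 eth3 xenbr1 xenbr2 xenbr3"

# Reads `ip -o addr show` output on stdin and prints "<iface> <address>" for
# every address bound to a hidden interface. IPv6 link-local addresses are
# reported too, since they also make Dom0 reachable on that segment.
addressed_hidden_ifaces() {
    awk -v hidden="$HIDDEN_IFACES" '
        BEGIN { n = split(hidden, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        $3 == "inet" || $3 == "inet6" {
            ifname = $2
            sub(/@.*/, "", ifname)        # drop any "@peer" suffix
            if (ifname in want) print ifname, $4
        }'
}

# Constructed sample of `ip -o addr show` output (not captured from a real host):
# xenbr2 was brought up with an IPv4 address, eth3 picked up a link-local one.
sample_ip_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::216:3eff:fe00:1/64 scope link
5: xenbr2    inet 10.0.2.5/24 brd 10.0.2.255 scope global xenbr2
6: eth3    inet6 fe80::216:3eff:fe00:3/64 scope link
EOF
}

# Check the running Dom0 only when asked to: sh check-hidden.sh --live
if [ "${1:-}" = "--live" ]; then
    found=$(ip -o addr show | addressed_hidden_ifaces)
    if [ -n "$found" ]; then
        echo "Addresses found on interfaces meant to be hidden from Dom0:"
        echo "$found"
        exit 1
    fi
    echo "OK: no addresses on $HIDDEN_IFACES"
fi
```

Run it with `--live` after the reboot; a non-zero exit means one of the bridged interfaces still has an address in Dom0.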

13 comments:

Sam said...

Found this very useful, can I forward this to my blog?

Sadique Puthen said...

Sure, u can.

why said...

can u do an example for hvm? I can't seem to get the network running.

Sadique Puthen said...

The example given in the post is applicable to both paravirt and hvm. If u can explain ur problems, I can help u further.

why said...

Ok I have this setup

Xen 3.3.1
Dom0 - Debian lenny AMD64 64bit
DomU - Pfsense Bsd 32bit

I have 3 nics 1 onboard and 2 PCI-E all 1 Gbps

PCI-E are eth0 and eth1
onboard eth2

I want the eth0 and eth1 to be used by pfsense with a dummy0 for internal domus.
So basically eth0 = wan
eth1 = lan
dummy0 = dmz

the eth2 to be used as management to dom0

why said...

hehe sorry forgot to tell u my problem after I did it with your script.
Everything went well with the domU recognizing the vif parameters and having 2 nics as le0 and le1, and I can assign an ip to it. But the problem was that I cannot access the web page on there and cannot ping out, cause if I use only 1 nic with a dummy there is no problem.

why said...

another thing is that the state is -b----

Sadique Puthen said...

Does the networking work properly if you configure it by following the usual way, i.e., without hiding interfaces from Dom0?

why said...

i will try that. I am really banging my head on this.

why said...

ok I reinstalled the whole server from the beginning. b4 I installed xen I made sure the network cards were functioning. All of them are on dhcp and getting ips from the router and I can ssh into the server from each ip. Then I installed xen 3.3.1 with kernel 2.6.26-2-xen-amd64 and then checked the nics b4 doing any settings and no problems. I installed xen from source except the kernel. Then I followed ur instructions and then I could not ssh into the server. So I logged in from the server itself. Checking the nics, they have ips but they are not showing on the router. Even with the ip I could not ssh in. Pinging internally with the domUs and dom0 it's pingable, but not outside, not even the router. Then using the script, when they come up one of the bridges gets an ip but not the other one. As I left eth0 out of the config I can ssh without problems. If I change the config back to not hiding, it's the other bridge that gets the ip. And after each change I reboot. I have not set up any domU yet.

why said...

I want to kill myself

why said...

WEET! I think I might have it now! I am testing it out and will let you know soon.

why said...

For Debian Lenny I needed to just add the lines in network-bridge-custom like this exactly :) :-

#!/bin/sh
dir=$(dirname "$0")
"$dir/network-bridge" "$@" netdev=eth0
"$dir/network-bridge" "$@" netdev=eth1
"$dir/network-bridge" "$@" netdev=eth2

Now all my routes are good. In the vm.cfg just use ethX and not xenbr0 :) and the dom0 is accessible from all interfaces, so your ifup script is helpful to isolate only one interface.