Xen and vlans

During a big lab move at work a few months ago, we decided that our utility virt server needed VLAN support. The dhcp vm needed interfaces on three different networks and it seemed rather silly to add extra physical interfaces for the minimal traffic generated.

The first issue we encountered was the rather interesting bridging script installed by default. It does wonders for being able to bridge the primary interface and can be used to bridge multiple interfaces, but it fails entirely for VLAN interfaces. Best bet is just to disable any network scripts in /etc/xen/xend-config.sxp and let the os handle it. We’re using RHEL5, so we created the VLAN interface along with the bridge using the normal configs in /etc/sysconfig/network-scripts. Our naming scheme for the devices was ${DEVICE_TYPE}${VLAN_NUMBER}.conf.

Example vlan123.conf:

DEVICE=vlan123
VLAN=yes
VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
PHYSDEV=eth1
BOOTPROTO=static
ONBOOT=yes
BRIDGE=xenbr123

As you can see, eth1 is the physical interface connected to the switch port tagged with the vlans. We added the ‘VLAN_PLUS_VID_NO_PAD’ param to use the vlan${NUMBER} scheme. We aren’t bringing the interface up with an ip as it’s gonna be part of a bridge.

xenbr123.conf:

DEVICE=xenbr123
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes

This brings up our bridge without an ip address. The dom0 doesn’t need an ip on this VLAN, so no point in enabling it. To use the bridge in your domu’s, just specify the interface in the config file (or at creation time).

Example domu def file with multiple interfaces:

name = "example"
uuid = "62e4f71f-a46c-25f7-e947-f161aaad6f00"
maxmem = 512
memory = 512
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "phy:/dev/vm/example,xvda,w" ]
vif = [ "mac=00:16:3e:4b:a5:46,bridge=xenbr123", "mac=00:16:3e:4b:a5:4a,bridge=xenbr456", "mac=00:16:3e:4b:a5:47,bridge=xenbr789" ]
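As an added example (not from the original post), here is a small POSIX shell script that generates the paired ifcfg-vlan&lt;ID&gt;/ifcfg-xenbr&lt;ID&gt; files in the form shown above, together with the matching vif entries for the domU config, so the bridges and the guest's interface list both come from one list of VLAN ids instead of being typed by hand. It writes ifcfg-&lt;device&gt; files, which is the name the RHEL initscripts look for, into a scratch directory for review rather than into /etc/sysconfig/network-scripts. The function names (make_vlan_bridge, vif_entry, vif_line), the MAC@VID pair syntax and the OUTDIR variable are this example's own; the VLAN ids and MAC addresses are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ifcfg-vlan<ID> and
# ifcfg-xenbr<ID> pair for each tagged VLAN, plus the domU vif= line.
# Files go to $OUTDIR (default: a fresh scratch directory), never to /etc.
# Function names and the MAC@VID syntax are this example's own.

OUTDIR="${OUTDIR:-$(mktemp -d)}"

# An 802.1Q VLAN id is an integer in 1..4094; reject anything else.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then
        return 0
    fi
    return 1
}

# make_vlan_bridge PHYSDEV VID
# ifcfg-vlan$VID: tagged sub-interface of PHYSDEV, no IP, enslaved to the bridge.
# ifcfg-xenbr$VID: the bridge itself, also without an IP (dom0 need not live
# on the VLAN; only the domUs do).
make_vlan_bridge() {
    physdev="$1"; vid="$2"
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    cat > "$OUTDIR/ifcfg-vlan$vid" <<EOF
DEVICE=vlan$vid
VLAN=yes
VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
PHYSDEV=$physdev
BOOTPROTO=static
ONBOOT=yes
BRIDGE=xenbr$vid
EOF
    cat > "$OUTDIR/ifcfg-xenbr$vid" <<EOF
DEVICE=xenbr$vid
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
EOF
}

# vif_entry MAC VID -> one element of the domU vif list.
vif_entry() {
    printf '"mac=%s,bridge=xenbr%s"' "$1" "$2"
}

# vif_line "MAC@VID MAC@VID ..." -> the complete vif = [ ... ] line.
# '@' separates the pair because MAC addresses already contain colons.
vif_line() {
    line='vif = ['
    sep=' '
    for pair in $1; do
        line="$line$sep$(vif_entry "${pair%@*}" "${pair#*@}")"
        sep=', '
    done
    echo "$line ]"
}

# Demo with the post's values: three tagged VLANs on eth1 and the guest's vif line.
for vid in 123 456 789; do
    make_vlan_bridge eth1 "$vid"
done
vif_line '00:16:3e:4b:a5:46@123 00:16:3e:4b:a5:4a@456 00:16:3e:4b:a5:47@789'
echo "ifcfg files written to $OUTDIR"
```

Review the generated files, copy them into /etc/sysconfig/network-scripts, and bring them up with ifup vlan123 (the bridge is created as a side effect of BRIDGE=); the printed vif line drops straight into the domU config.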

The above was pretty straightforward, but after putting it in place we ran into a very odd issue. The vm’s couldn’t actually communicate via the vlan’d interfaces. After a bit of tcpdumping we discovered the default firewall was allowing outbound traffic on the bridge, but incoming was getting rejected. Easy fix was to add the following lines to /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -i xenbr+ -j ACCEPT
-A RH-Firewall-1-INPUT -o xenbr+ -j ACCEPT

Note that this allows all traffic to pass on all xenbr devices. Since the dom0 doesn’t have an ip bound it’s not an issue in our configuration since the only traffic on the bridges are for the domu’s. If you do use the devices in your dom0, you’ll need to adjust the firewall accordingly or you’ll end up with a gaping hole in your security scheme.

virt-install

My favorite RHEL5 feature by far is the new ‘virt-install’ utility. Being able to do a VM install by running:

virt-install -p --location=nfs:SOMESERVER:/PATH/TO/INSTALL/TREE --noautoconsole --file=/dev/LVM/VOLUME --name=FOO --ram=512 --vnc -x "ks=http://KSSERVER/KICKSTART.ks ip=IP netmask=NETMASK dns=DNS gateway=GW"

absolutely rocks.

RHEL5 XEN nat’ing

Been playing with the new virt layer in RHEL5 and having a blast. I did have to make some changes to get NAT to work with guest domains. Nothing huge, just created a dummy network device and bridged to that instead of the normal eth0 as such -

/etc/sysconfig/network-scripts/ifcfg-dummy0:
# Dummy interface for Xen
DEVICE=dummy0
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=x.x.x.x
ARP=yes

/etc/xen/xend-config.sxp – changed (network-script network-bridge) to (network-script 'network-bridge netdev=dummy0')

I then enabled NAT for the interfaces -

/etc/sysctl.conf – changed net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 and ran sysctl -p to make the change live

Last step was doing the needful iptables setup. Running iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE will set up the basics. You may also have to add a rule to allow the traffic on the dummy interface: iptables -I INPUT -i dummy+ -j ACCEPT. The ‘-I’ is important with the default RHEL firewall: it inserts the rule at the top of the chain so it is evaluated before the default rules rather than after them.
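One way to tie the two firewall pieces on this page (the xenbr+ accept from the VLAN post above and the MASQUERADE/dummy+ rules here) into something reviewable, as an added example that is not from the original posts: the functions below emit the rules as iptables-restore fragments and only load them when APPLY=1 is set, so the default run just prints what would change. The chain name RH-Firewall-1-INPUT and the xenbr+/dummy+ wildcards are from the posts; the function names and the APPLY and WAN variables are this example's own. For the bridged case it departs from the post in one respect, marked in the comments: it puts the xenbr+ accept in FORWARD only, rather than in RH-Firewall-1-INPUT, which on the stock RHEL5 ruleset I assume here is reached from both INPUT and FORWARD, so guest traffic still flows but dom0's own INPUT stays closed (the hole the VLAN post warns about). For the NAT case it adds a FORWARD accept for dummy+ on the assumption that the same stock ruleset would otherwise reject the guests' forwarded packets.

```shell
#!/bin/sh
# Added example, not from the original posts: emit the firewall pieces for
# the two Xen setups as iptables-restore fragments and only load them when
# APPLY=1. Chain RH-Firewall-1-INPUT and the xenbr+/dummy+ wildcards are
# from the posts; function names and the APPLY/WAN variables are this
# example's own.

# Bridged VLAN case. The post adds its accept to RH-Firewall-1-INPUT, which
# the stock RHEL5 ruleset (assumed here) reaches from both INPUT and FORWARD,
# so that rule also opens dom0 itself once dom0 has an address on a bridge.
# Frames that merely cross a bridge are seen by iptables in FORWARD (with
# net.bridge.bridge-nf-call-iptables=1), with the bridge as both in and out
# interface, so one match there is enough for the guests and leaves dom0's
# INPUT exactly as the distribution shipped it.
bridge_rules() {
    cat <<'EOF'
*filter
-I FORWARD -i xenbr+ -j ACCEPT
COMMIT
EOF
}

# NAT case: guests sit behind the dummy0 bridge and leave via $1 (eth0 in
# the post). The INPUT rule is the post's; the FORWARD rule is an addition
# on the assumption that FORWARD also ends in the stock chain's REJECT.
# Replies come back through the ESTABLISHED,RELATED accept that chain has.
nat_rules() {
    wan="$1"
    cat <<EOF
*nat
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
-I INPUT -i dummy+ -j ACCEPT
-I FORWARD -i dummy+ -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the kernel is forwarding (the sysctl the post sets), else 1.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Dry run by default: print the fragment. With APPLY=1, load it on top of
# the running ruleset without flushing what the RHEL firewall installed.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables-restore --noflush
    else
        cat
    fi
}

if forwarding_enabled; then
    echo "# ip_forward is on"
else
    echo "# ip_forward is off: set net.ipv4.ip_forward = 1 and run sysctl -p before NAT will work"
fi
bridge_rules | apply_rules
nat_rules "${WAN:-eth0}" | apply_rules
```

Run it once without APPLY to read the fragments, then APPLY=1 WAN=eth0 sh nat.sh to load them; because -I is used throughout, the accepts land ahead of the stock chain's final REJECT, which is the same reason the post insists on -I rather than -A.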

New host

Finally got setup on a proper hosting service I think I’ll be able to live with for a while. My requirements never seemed all that exotic, but I couldn’t ever find anything I felt all that comfortable with. Until now.

Thanks to Xen, I now have a fully functional VPS running Dapper. I decided to try out VPSLand because they are cheap, and folks seemed to be pretty happy with em.

So far I’m quite happy with the level of service. My one support request was taken care of promptly and correctly. My server was setup just as advertised, but I am gonna move up from my current 96 MB plan to 192 MB. I figured it wasn’t gonna be enough, but I didn’t wanna commit any more cash than I had to just to try it out…

Hiatus

hmmm… Last post was back in February, lots has changed since then.

For starters, we are now living in Cary, NC. Why you ask? Well, I got a job offer I couldn’t refuse from Red Hat. I’m working as the sole sysadmin for the release engineering team, but rapidly taking over more of the general engineering boxes (like bugzilla). There’s a ton of work to be done, and it’s an unbelievably cool atmosphere. I’ve often pondered about what goes on behind the scenes at RH, and even scoffed at some of the decisions made over the years. Now all of a sudden I’m right in the thick of things under that sometimes obscuring Fedora and I’m loving every minute of it. It’s also been the reason I’ve not kept things updated here recently… ;)

We moved in quite a hurry (approx. two weeks!) but we managed to get a really nice apt, or at least a huge step up from our place in the Burg. The move was a bit hectic, but we’ve fallen in love with this area. So much to do, so many educational opportunities for the girls. Housing is a bit high in Cary proper and it is a bit suburban for my tastes, but there’s some really nice areas just a stone’s throw from here.

One unfortunate consequence of everything has been my extended hiatus from BreakMyGentoo. I really miss it and would like to think I’ll be back in it sometime soon, but the reality is I just don’t see that happening. It’s been fun, met some really great folks I still keep in touch with and learned a ton. But it’s time to move on. For now… ;)

I’ll be updating more over the short-term, have a ton of stories I need to put up before the details get cold. I’ve also got a patch someone sent me for the shoutcast stuff to keep pace with some upstream changes. I’ll get that applied and updated soon as well.

I’m also looking for a good Xen-based VPS company to move this and a few other sites to. Right now, RimuHosting is looking pretty attractive but I’m open to all suggestions.