[Translation] Xen networking

XenNetworking, from the Xen wiki
Translated by Wang Xu

[Translator's note: this is a wiki article edited by many users, so some inconsistencies are unavoidable, but the content is detailed and useful. The translation keeps the original as it was and adds only a few comments.]

Virtual Ethernet interfaces

By default, Xen creates eight pairs of "connected virtual Ethernet interfaces" for dom0 (veth0 to veth7). Think of each pair as two Ethernet ports joined by a crossover cable: veth0 is connected to vif0.0, veth1 to vif0.1, and so on up to veth7, which is connected to vif0.7. You configure the IP and MAC addresses on the veth# end; the other end, vif0.#, is the one that gets added to a bridge.

Each time a domU instance is created it is assigned a new domain ID; unfortunately the number cannot be chosen. The first domU gets ID 1, the second ID 2, and so on. IDs are not reused, even after the earlier domU has been shut down.

For each new domU, Xen creates a pair of "connected Ethernet ports": one end lives in the domU, the other in dom0. In a Linux domU the guest end is normally called eth0. The dom0 end is called vif<id>.<n>: for example, eth0 of domU 5 is connected to vif5.0. If a domU has several network interfaces (eth0, eth1, ...), dom0 sees vif<id>.0, vif<id>.1, and so on.

When a domU is shut down, its virtual Ethernet interfaces in dom0 are deleted as well.

MAC addresses

The virtual Ethernet interfaces also have Ethernet MAC addresses. By default xend assigns a random one, so different instances of the same domain get different addresses. If a domain needs a fixed MAC address (for example so that a DHCP server can recognise it), use the "mac=" option in the vif configuration, e.g. vif = ['mac=AA:00:00:00:00:11'].

When choosing a MAC address, make sure it is a unicast address: the lowest bit of the first byte must be 0. An address starting with AA is fine; one starting with AB is not (AB = 10101011, lowest bit set, which marks a multicast address). It is also recommended to use a "locally administered" address rather than one from the ranges assigned globally to hardware vendors, which means the second-lowest bit of the first byte must be 1. AA qualifies, A8 (10101000) does not.

In short, an address should have the form

XY:XX:XX:XX:XX:XX

where X is any hexadecimal digit and Y is one of 2, 6, A or E.

Alternatively, use an address under 00:16:3E:XX:XX:XX; this OUI is reserved for Xen. Its first byte is 00, so it does not follow the pattern above, but it is safe because the prefix is registered to Xen rather than to a hardware vendor whose cards might be on your network.
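As an added example (not part of the wiki page), the two rules above and the Xen OUI exception can be checked mechanically before an address goes into a domU config file. The function names, the exit-code convention and the use of /dev/urandom for generation are this example's own choices:

```shell
#!/bin/sh
# Added example: validate a candidate MAC for a vif and generate one under
# the Xen OUI. Exit codes of xen_mac_check: 0 = fine, 1 = unusable,
# 2 = usable but globally administered (works, not recommended).

xen_mac_check() {
    mac=$1
    # Exactly six colon-separated hex byte pairs.
    case "$mac" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "malformed: $mac"; return 1 ;;
    esac
    first=$((0x${mac%%:*}))        # numeric value of the first byte
    # Bit 0 of the first byte is the I/G bit: 1 means multicast, unusable as a NIC address.
    if [ $((first & 1)) -ne 0 ]; then
        echo "multicast (I/G bit set): $mac"; return 1
    fi
    # The Xen OUI is registered to Xen, so it is acceptable even though bit 1 is 0.
    case "$mac" in
        00:16:3[eE]:*) echo "ok, Xen OUI: $mac"; return 0 ;;
    esac
    # Bit 1 is the U/L bit: 0 means a vendor-assigned range that real hardware may use.
    if [ $((first & 2)) -eq 0 ]; then
        echo "globally administered, may clash with real hardware: $mac"; return 2
    fi
    echo "ok, locally administered: $mac"; return 0
}

# Three random bytes from /dev/urandom behind the Xen OUI, e.g. for a
# fixed mac= entry in a domU config file.
xen_mac_gen() {
    set -- $(od -An -N3 -tx1 /dev/urandom)
    printf '00:16:3e:%s:%s:%s\n' "$1" "$2" "$3"
}

# Build the vif= line for a domU config. Refuses malformed/multicast
# addresses (exit 1); a globally administered one (exit 2) is only a warning.
xen_vif_line() {
    xen_mac_check "$1" >/dev/null || [ $? -eq 2 ] || return 1
    printf "vif=[ 'mac=%s,bridge=%s' ]\n" "$1" "$2"
}
```

Usage: `xen_vif_line "$(xen_mac_gen)" xenbr0` prints a ready-to-paste vif line; `xen_mac_check ab:00:00:00:00:11` explains why the AB example from the text is rejected.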

Bridging

With the default Xen configuration, bridging is done in dom0 so that every domain appears on the network as if it were a separate host. If dom0 makes heavy use of iptables (for example as a firewall) this can interfere with bridging, because bridged packets traverse the PREROUTING, FORWARD and POSTROUTING iptables chains. In other words, packets bridged between a guest domain and the outside world pass through those three chains. The most common problem is a FORWARD chain that REJECTs or DROPs packets. (This is distinct from IP forwarding in the kernel.)

IP forwarding can be turned off altogether so that dom0 does not act as a router:

    echo 0 > /proc/sys/net/ipv4/ip_forward

This only stops routing; it does not stop bridged packets from traversing the FORWARD chain.

A more selective approach is to allow forwarding only between the external physical interface and the vifs. For example, on a machine with a single Ethernet card:

    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

(This needs the ipt_physdev [xt_physdev] module. With the network-bridge script described below, the physical port on the bridge is renamed to peth0, so use that name in place of eth0; newer iptables versions also want the negation written as "! --physdev-out eth0".)

The ebtables project has an interesting document about the interaction between bridging and iptables.
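The two ACCEPT rules above only have an effect if the FORWARD chain otherwise denies traffic. As an added example (not from the wiki page), here is the complete policy a practitioner would load: default DROP, the uplink-to-vif rules in both directions, and a LOG entry for whatever bridged traffic is left, which is domU-to-domU traffic crossing dom0's FORWARD chain. It assumes the physical port is peth0 (the name network-bridge gives it); the XEN_DRY_RUN switch is this example's own device so the commands can be printed and checked without touching a live firewall:

```shell
#!/bin/sh
# Added example: a FORWARD policy for dom0 that lets bridged frames cross
# only between the physical uplink and the vifs. Set XEN_DRY_RUN=1 to print
# the commands instead of executing them.

xen_bridge_firewall() {
    phys=${1:-peth0}              # assumed bridge port name (network-bridge default)
    run=${XEN_DRY_RUN:+echo}
    # Bridged frames are only presented to iptables when bridge netfilter is on.
    $run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Default deny, then rebuild the chain from scratch.
    $run iptables -P FORWARD DROP
    $run iptables -F FORWARD
    # Uplink <-> any vif, both directions ("! --physdev-out" is the modern
    # spelling of the "--physdev-out '!' eth0" form shown above).
    $run iptables -A FORWARD -m physdev --physdev-in "$phys" ! --physdev-out "$phys" -j ACCEPT
    $run iptables -A FORWARD -m physdev ! --physdev-in "$phys" --physdev-out "$phys" -j ACCEPT
    # Anything else that is bridged (vif -> vif) falls through to the DROP policy; log it first.
    $run iptables -A FORWARD -m physdev --physdev-is-bridged -j LOG --log-prefix "xen-bridge-drop: "
}

# Number of -A rules the function installs (used to check the dry run).
xen_bridge_firewall_rulecount() {
    XEN_DRY_RUN=1 xen_bridge_firewall "$1" | grep -c '^iptables -A'
}
```

Note that the DROP policy also stops dom0 from routing between its own interfaces, which is the same effect the ip_forward=0 setting above has for routed traffic; if dom0 is meant to route as well, add explicit rules for that before relying on this policy.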

Packet flow in the bridge (Ernst Bachman)

When a packet arrives at the hardware it is handled by the Ethernet driver in dom0 and shows up on peth0. peth0 is enslaved to the bridge, so the packet is handed to the bridge. This happens on the Ethernet layer (layer 2); neither peth0 nor the bridge has an IP address configured.

The bridge now distributes the packet like a switch would. Filtering at this stage can be done with ebtables and similar tools.

Next, because a set of vifX.Y interfaces are attached to the bridge, the bridge decides from the destination MAC which port the packet is delivered to.

The vif interface hands the packet to Xen, which delivers it to the other end of the vif pair (for dom0 that is vif0.0 -> (v)eth0, which also lives in dom0).

Finally, the target device in dom0 or the domU is the one that has an IP address; here you can filter with iptables.

Network-bridge script

When xend starts it runs the network-bridge script, which:

  1. Creates a bridge named xenbr0
  2. Brings the real Ethernet interface eth0 down
  3. Copies the IP and MAC addresses of eth0 to veth0
  4. Renames the real interface eth0 to peth0
  5. Renames veth0 to eth0
  6. Attaches peth0 and vif0.0 to the bridge xenbr0
  7. Brings up the bridge, peth0, eth0 and vif0.0

Separating the physical Ethernet interface from the dom0 interface is a useful design. For example, you can put a firewall on dom0's eth0 without affecting the domUs, because only dom0's own traffic passes through that interface.

VIF-bridge script

When a domU starts, xend (running in dom0) runs the vif-bridge script, which:

  1. Attaches vif<id>.0 to xenbr0
  2. Brings vif<id>.0 up
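As an added example (not the Xen scripts themselves, which live in /etc/xen/scripts), the seven network-bridge steps and the two vif-bridge steps above written out as explicit ip and brctl commands, so it is clear which interface ends up where. The MAC and address are passed in rather than read from the live interface, and XEN_DRY_RUN is this example's own switch for printing the commands instead of running them; 192.0.2.0/24 is a documentation range used as sample input:

```shell
#!/bin/sh
# Added example: the network-bridge and vif-bridge steps as explicit commands.
# XEN_DRY_RUN=1 prints the commands instead of executing them.

# xen_network_bridge_start NETDEV BRIDGE VIFNUM MAC CIDR
xen_network_bridge_start() {
    netdev=$1 bridge=$2 vifnum=$3 mac=$4 cidr=$5
    run=${XEN_DRY_RUN:+echo}
    # 1. build the bridge; no STP and no forwarding delay, there is a single uplink
    $run brctl addbr "$bridge"
    $run brctl stp "$bridge" off
    $run brctl setfd "$bridge" 0
    # 2. take the real interface down
    $run ip link set "$netdev" down
    # 3. give veth$vifnum the real interface's MAC and IP address
    $run ip link set "veth$vifnum" address "$mac"
    $run ip addr add "$cidr" dev "veth$vifnum"
    # 4./5. rename: the real NIC becomes p$netdev, the virtual one takes over the name
    $run ip link set "$netdev" name "p$netdev"
    $run ip link set "veth$vifnum" name "$netdev"
    # 6. enslave the physical port and dom0's own vif to the bridge
    $run brctl addif "$bridge" "p$netdev"
    $run brctl addif "$bridge" "vif$vifnum.0"
    # 7. bring everything up
    $run ip link set "p$netdev" up
    $run ip link set "$netdev" up
    $run ip link set "vif$vifnum.0" up
    $run ip link set "$bridge" up
}

# xen_vif_bridge_attach DOMID BRIDGE [VIFIDX]
xen_vif_bridge_attach() {
    vif="vif$1.${3:-0}"
    run=${XEN_DRY_RUN:+echo}
    # 1. attach the domU's vif to the bridge
    $run brctl addif "$2" "$vif"
    # 2. activate it
    $run ip link set "$vif" up
}
```

Running `XEN_DRY_RUN=1 xen_network_bridge_start eth0 xenbr0 0 00:11:22:33:44:55 192.0.2.10/24` lists the sequence without changing anything; the same sequence with vifnum=1, netdev eth1 and bridge xenbr1 is what the multiple-bridge wrapper further down produces.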

Additional notes
  • To change the name of the bridge xenbr0, switch to the following setting in xend-config.sxp and restart xend:

    (network-script 'network-bridge bridge=mybridge')
  • Remember to change the name of the bridge to attach to in the domU configuration file as well:
    vif=[ 'bridge=mybridge' ]

    or, with a fixed MAC address:

    vif=[ 'mac=00:16:3e:01:01:01,bridge=mybridge' ]
  • You can also create several network interfaces and attach them to different bridges:
    vif=[ 'mac=00:16:3e:70:01:01,bridge=br0', 'mac=00:16:3e:70:02:01,bridge=br1' ]
  • If you want several bridges you have to create them yourself: by hand, from a startup script, or by adapting the network-bridge script. For example:

    $ cd /etc/xen/scripts
    $ cp network-bridge network-custom
    $ cp vif-bridge vif-custom
    $ vi /etc/xen/xend-config.sxp
        (network-script network-custom)
        (vif-script vif-custom)
    $ vi network-custom
        # whatever you want
  • Before attaching a physical interface to a bridge, reset its MAC address and disable ARP on it. For example:
    # ip link set eth1 down
    # ip link set eth1 address fe:ff:ff:ff:ff:ff arp off
    # brctl addif br1 eth1
    # ip link set eth1 up
  • For Xen 3.0 the easiest way to add a bridge is a small wrapper around Xen's default script, following Xen bug #332. For example, create /etc/xen/scripts/my-network-script:

    #!/bin/sh
    dir=$(dirname "$0")
    "$dir/network-bridge" "$@" vifnum=0
    "$dir/network-bridge" "$@" vifnum=1

    (With vifnum=N, network-bridge defaults to netdev=ethN and bridge=xenbrN, so this brings up xenbr0 on eth0 and xenbr1 on eth1.)
    • (Note from steve_from_moreover: it may be obvious, but remember to make /etc/xen/scripts/my-network-script mode 755, otherwise it silently does nothing after a restart.)
    • At least on SuSE Linux, an ifcfg script under /etc/sysconfig/network must exist for each interface, otherwise network-bridge creates a bridge with no interfaces attached to it.
    • Do not forget to point the network-script setting in /etc/xen/xend-config.sxp at my-network-script.
    • The same wrapper works on a machine without a physical Ethernet card, using a dummy interface:
      "$dir/network-bridge" "$@" vifnum=2 netdev=dummy0
Related links

Some related threads on the mailing list:

  • eth0 IP in dom0 (2005/01/14)
  • Bridging vs. routing (2005/01/13)
  • Bridging vs. routing (2004/07/18)
  • An attempt to explain Xen networking (2006-02-01)
  • Firewall in domU with bridging
  • Xen and shorewall (with bridging)
  • Xen and the art of consolidation (with bridging)
  • Another way of making multiple Xen bridges
Routing

This section applies only if you select network-route and vif-route instead of network-bridge and vif-bridge.

Routing sets up a point-to-point link between dom0 and each domU, and a route to each domU is added to dom0's routing table. The domU must therefore have a fixed IP address. DHCP cannot work here, because the route cannot be created before the address is known, so the DHCP offer could never be delivered to the domU.

Network-route script

When xend starts it runs the network-route script, which:

  1. Enables IP forwarding in dom0

VIF-route script

When a domU starts, xend (in dom0) runs the vif-route script, which:

  1. Copies the IP address of eth0 to vif<id>.0
  2. Brings vif<id>.0 up
  3. Adds a host route for the domU's IP address (taken from the domU configuration file), pointing at vif<id>.0
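As an added example (not the Xen scripts themselves), the network-route and vif-route steps above as explicit commands. The dom0 address and the domU's fixed address are passed in; XEN_DRY_RUN is this example's own switch for printing instead of executing, and 192.0.2.0/24 is a documentation range used as sample input:

```shell
#!/bin/sh
# Added example: network-route and vif-route as explicit commands.
# XEN_DRY_RUN=1 prints the commands instead of executing them.

xen_network_route_start() {
    run=${XEN_DRY_RUN:+echo}
    # 1. dom0 has to forward between its eth0 and the vifs
    $run sysctl -w net.ipv4.ip_forward=1
}

# xen_vif_route_attach DOMID DOM0_IP DOMU_IP [VIFIDX]
xen_vif_route_attach() {
    vif="vif$1.${4:-0}"
    run=${XEN_DRY_RUN:+echo}
    # 1. dom0's eth0 address on the vif (a /32) turns it into a point-to-point link
    $run ip addr add "$2" dev "$vif"
    # 2. activate the vif
    $run ip link set "$vif" up
    # 3. host route for the domU's fixed address, out of its vif, sourced from dom0's address
    $run ip route add "$3" dev "$vif" src "$2"
}
```

Because the host route is keyed on the address from the domU's config file, a domU that brings up a different address simply has no route pointing at its vif; this is the reason the section above says DHCP cannot be used in routed mode.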

Virtual network

At present a virtual network is a non-standard configuration.

The virtual network configuration puts all domUs on a virtual network inside dom0. This lets the domUs use a DHCP server provided by dom0, so domU DHCP requests stay off the physical network. (As far as I know, neither vif0.0 nor dummy0 is needed for this.)

Related links
  • Sapphirecat's virtual network and DHCP setup: http://www.sapphirepaw.org/pawprints/index.php?/archives/127-xen-part-ii.html

  • Another virtual network setup: http://en.opensuse.org/Xen3_and_a_Virtual_Network

Interface names

The default Xen configuration is bridging. When xend starts it creates a bridge called xenbr0 and moves the IP address of eth0 to it (xenbr0 being the name of the interface through which dom0 attaches to the bridge). dom0's external interface is therefore xenbr0, and firewall rules and similar configuration must refer to it. (Translator's note: in newer Xen versions, including the one I use, this interface is named eth0 instead, and the physical eth0 is renamed to peth0.)

VLANs

If 802.1Q VLANs are configured in dom0, Xen can serve several tagged VLANs. dom0 needs a VLAN interface for each VLAN you want to use, although that interface need not have an IP address. Each VLAN can be given its own bridge, and guest OSes are attached to the appropriate bridge.

James Bulpin: the bridge is best treated as an interface that is not brought up automatically (for example, in Debian's /etc/network/interfaces, without the "auto" option):

iface xen-br293 inet manual
    up vconfig add eth0 293
    up /etc/xen/scripts/network start netdev=eth0.293 bridge=xen-br293 antispoof=no
    up /sbin/ifconfig eth0.293 up
    down /etc/xen/scripts/network stop netdev=eth0.293 bridge=xen-br293 antispoof=no
    down vconfig rem eth0.293

Then an init.d script can bring this interface up between xend and xendomains.
