This shows you the differences between two versions of the page.
system:xen:network [2013/08/26 00:11] admin created |
system:xen:network [2013/08/26 20:57] (current) admin |
Line 55: | Line 55: | ||
===== Usual configuration ===== | ===== Usual configuration ===== | ||
- | [[more to come... sleep time]] | + | When you tend to have multiple DomU that should be split into different |
+ | networks, the usual configuration is to have a bridge on the Dom0 for each | ||
+ | network segment, and the DomUs to join them. | ||
+ | |||
+ | If you want to also include a backend between two of your DomUs, you | ||
+ | would have to get a bridge just for the two of them, and try to avoid | ||
+ | Dom0's firewalling those packets. | ||
+ | |||
+ | <code> | ||
+ | .-----------------. | ||
+ | | Dom0 | | ||
+ | |-----------------| .-----------. | ||
+ | | .----------. | | DomU: foo | | ||
+ | | | br0 | | |-----------| | ||
+ | | | .--------. .------. | | ||
+ | | | | vifX.0 |<---------->| eth0 | | | ||
+ | | | '--------' '------' | | ||
+ | | | .--------. .------. | | ||
+ | | | | vifY.0 |<-. .->| eth1 | | | ||
+ | | | '--------' \ / '------' | | ||
+ | | '----------' | \ / '-----------' | ||
+ | | | \/ .-----------. | ||
+ | | .----------. | /\ | DomU: bar | | ||
+ | | | br1 | | / \ |-----------| | ||
+ | | | .--------. / \ .------. | | ||
+ | | | | vifX.1 |<-' `->| eth0 | | | ||
+ | | | '--------' '------' | | ||
+ | | | .--------. .------. | | ||
+ | | | | vifY.1 |<---------->| eth1 | | | ||
+ | | | '--------' '------' | | ||
+ | | '----------' | '-----------' | ||
+ | '-----------------' | ||
+ | </code> | ||
+ | |||
+ | * br1: only used for foo/bar communications. | ||
+ | * br0: used for external network connectivity | ||
+ | |||
+ | Xen configuration files: | ||
+ | <code> | ||
+ | foo.cfg: | ||
+ | |||
+ | vif = [ | ||
+ | 'mac=00:16:3E:00:00:02,bridge=br0', | ||
+ | 'mac=00:16:3E:00:01:02,bridge=br1', | ||
+ | ] | ||
+ | |||
+ | |||
+ | bar.cfg: | ||
+ | |||
+ | vif = [ | ||
+ | 'mac=00:16:3E:00:00:03,bridge=br0', | ||
+ | 'mac=00:16:3E:00:01:03,bridge=br1', | ||
+ | ] | ||
+ | </code> | ||
+ | |||
+ | |||
+ | On br1, you would have to take very extra care not to firewall anything. | ||
+ | When both DomU talks to each other through br1, Dom0 would copy the data | ||
+ | around, and send it back to the other DomU. | ||
+ | |||
+ | ===== Direct backend to an other DomU ===== | ||
+ | |||
+ | Lets say we would like foo and bar to talk directly to each other. | ||
+ | Network connections should look something like : | ||
+ | |||
+ | |||
+ | <code> | ||
+ | .-----------------. | ||
+ | | Dom0 | | ||
+ | |-----------------| .-----------. | ||
+ | | .----------. | | DomU: foo | | ||
+ | | | br0 | | |-----------| | ||
+ | | | .--------. .------. | | ||
+ | | | | vifX.0 |<---------->| eth0 | | | ||
+ | | | '--------' '------' | | ||
+ | | | .--------. .---------. | | ||
+ | | | | vifY.0 |<-. .-->| vif.bar | | | ||
+ | | | '--------' \ | '---------' | | ||
+ | | '----------' | \ | '-----------' | ||
+ | | | \ | .-----------. | ||
+ | | | \ | | DomU: bar | | ||
+ | | | \| |-----------| | ||
+ | | | \ .------. | | ||
+ | | | |`->| eth0 | | | ||
+ | | | | '------' | | ||
+ | | | | .------. | | ||
+ | | | '-->| eth1 | | | ||
+ | | | '------' | | ||
+ | | | '-----------' | ||
+ | '-----------------' | ||
+ | </code> | ||
+ | |||
+ | Well, it is possible. You just have to get the network backend in a | ||
+ | different domain (not the dom0, but an other existing domain!) | ||
+ | |||
+ | Here is an example of configuration for such: | ||
+ | <code> | ||
+ | foo.cfg: | ||
+ | |||
+ | vif = [ | ||
+ | 'mac=00:16:3E:00:00:02,bridge=br0', | ||
+ | ] | ||
+ | |||
+ | |||
+ | bar.cfg: | ||
+ | |||
+ | vif = [ | ||
+ | 'mac=00:16:3E:00:00:03,bridge=br0', | ||
+ | 'mac=00:16:3E:00:01:03,backend=bar,script=vif-bridge-manual,bridge=brbar', | ||
+ | ] | ||
+ | </code> | ||
+ | |||
+ | Lets see the different options : | ||
+ | * ip - supposed IP of the DomU. Can be used for documentation, accessible by the vif script if it require to deal stupid firewall rules (As you can see, I don't use that option) | ||
+ | * mac - mac address of the interface on the DomU | ||
+ | * backend - name of the domain that should get the backend. Default is the dom0 | ||
+ | * script - name of the script to launch on the backend domain when the interface is added. The script must be present on the specified domain | ||
+ | * bridge - option passed to the vif script, usually the name of the bridge the interface backend should be added to. | ||
+ | |||
+ | |||
+ | With all that, we can get a whole network between our DomUs, without the dom0 seeing any of those interfaces! | ||
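Review bot: in bar.cfg the second vif reads `backend=bar`, but the diagram above places that interface's backend (`vif.bar`, bridged on `brbar`) inside foo, not bar, so this looks like a typo for `backend=foo`; as written the option names the guest itself as its own backend domain. With that corrected, the text should also state that `vif-bridge-manual` and the `brbar` bridge must exist in foo (the bullet on `script` says this for the backend domain in general), and that foo, rather than Dom0, then carries bar's eth1 traffic and runs the hotplug script, which is the trust shift the closing sentence implies. Minor wording in the new text: "an other" should be "another", "Lets" should be "Let's", and "both DomU talks" should be "both DomUs talk".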