Xen Networking
Contents
1. Virtual Ethernet interfaces
2. MAC addresses
3. Bridging
   1. Packet flow in bridging
   2. network-bridge
   3. vif-bridge
   4. Additional Notes
   5. Links
4. Routing
   1. network-route
   2. vif-route
   3. Reference
5. Virtual Network
   1. Links
6. Interface names
7. VLANs
   1. 1st method of having VMs using vlan interfaces with XEN.
   2. 2nd method for XEN with vlans: modify network-bridge script
8. Yet Another ASCII Graphics Description of Xen Networking
   1. Xen 3.1- Networking
   2. Xen 3.2+ Networking
   3. Alternative Xen Networking Architecture
   4. Xen Networking with vlan
   5. Xen Networking with bonding
   6. Xen Networking with vlan on bonding
9. Collection of Examples
10. Reference
Virtual Ethernet interfaces
Xen creates, by default, seven pairs of "connected virtual ethernet interfaces" for use by dom0. Think of them as two ethernet interfaces connected by an internal crossover ethernet cable. veth0 is connected to vif0.0, veth1 is connected to vif0.1, etc, up to veth7 -> vif0.7. You can use them by configuring IP and MAC addresses on the veth# end, then attaching the vif0.# end to a bridge.
Diagram of Physical and Logical network cards:
Every time you create a running domU instance, it is assigned a new domain id number. You don't get to pick the number, sorry. The first domU will be id #1. The second one started will be #2, even if #1 isn't running anymore.
For each new domU, Xen creates a new pair of "connected virtual ethernet interfaces", with one end in domU and the other in dom0. For linux domU's, the device name it sees is named eth0. The other end of that virtual ethernet interface pair exists within dom0 as interface vif
Logical network cards connected between dom0 and dom1:
When a domU is shut down, the virtual ethernet interfaces for it are deleted.
MAC addresses
Virtualised network interfaces in domains are given Ethernet MAC addresses. By default xend will select a random address, this will differ between instantiations of the domain. If it is required to have a fixed MAC address for a domain (e.g. for using with DHCP) then this can be configured using the mac= option to the vif configuration directive (e.g. vif = ['mac=aa:00:00:00:00:11']).
When choosing MAC addresses to use, ensure you choose a unicast address. That is, one with the low bit of the first octet set to zero. For example, an address starting aa: is OK but ab: is not. It is best to keep to the range of addresses declared to be "locally assigned" (rather than allocated globally to hardware vendors). These have the second lowest bit set to one in the first octet. For example, aa: is OK, a8: isn't.
In summary, an address of the following form should be OK:
XY:XX:XX:XX:XX:XX
where X is any hexadecimal digit, and Y is one of 2, 6, A or E.
It's recommended to use a MAC address inside the range 00:16:3e:xx:xx:xx. This address range is reserved for use by Xen.
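The MAC rules above, as an added Python example (not part of the original page or of Xen's tools): it checks a candidate address against the unicast and "locally assigned" bit rules, accepts the 00:16:3e range, and builds a vif line for a domU config file. The function names and the sample addresses are constructed for illustration.

```python
import re
import secrets

XEN_OUI = (0x00, 0x16, 0x3E)   # 00:16:3e, the range the page says is reserved for Xen
_MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")

def parse_mac(text):
    """Return the six octets of a colon-separated MAC, or raise ValueError."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return tuple(int(part, 16) for part in text.split(":"))

def mac_problems(text):
    """Apply the page's rules; an empty list means the address is usable."""
    octets = parse_mac(text)
    if octets[:3] == XEN_OUI:
        return []                          # Xen's own range: unicast, recommended
    problems = []
    if octets[0] & 0x01:                   # low bit of first octet set
        problems.append("multicast (low bit of first octet is 1)")
    if not octets[0] & 0x02:               # second-lowest bit clear
        problems.append("not locally assigned (second-lowest bit is 0)")
    return problems

def random_xen_mac():
    """Random address inside 00:16:3e:xx:xx:xx, for use as a fixed mac= value."""
    return ":".join(f"{b:02x}" for b in XEN_OUI + tuple(secrets.token_bytes(3)))

def vif_line(mac, bridge=None):
    """Build a domU config 'vif' line, refusing addresses that break the rules."""
    problems = mac_problems(mac)
    if problems:
        raise ValueError(f"{mac}: " + "; ".join(problems))
    spec = f"mac={mac}" + (f",bridge={bridge}" if bridge else "")
    return f"vif = ['{spec}']"

if __name__ == "__main__":
    # Constructed sample addresses built from the prefixes discussed above.
    for sample in ("aa:00:00:00:00:11", "ab:00:00:00:00:11",
                   "a8:00:00:00:00:11", "00:16:3e:01:01:01"):
        print(sample, mac_problems(sample) or "OK")
    print(vif_line(random_xen_mac(), bridge="xenbr0"))
```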
Bridging
Illustration on network-bridge and vif-bridge:
The default Xen configuration uses bridging within domain 0 to allow all domains to appear on the network as individual hosts. If extensive use of iptables is made in domain 0 (e.g. a firewall) then this can affect bridging because bridged packets pass through the PREROUTING, FORWARD and POSTROUTING iptables chains. This means that packets being bridged between guest domains and the external network will need to be permitted to pass those chains. The most likely problem is the FORWARD chain being configured to DROP or REJECT packets (this is different from IP forwarding in the kernel).
Forwarding can be disabled for all packets, to prevent the dom0 from acting as an IP router:
    echo 0 > /proc/sys/net/ipv4/ip_forward
A slightly more secure method is to allow packet forwarding (at the iptables level) between the external physical interface and the vifs for the guests. For a machine with a single ethernet card this would be:
    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT
(needs the ipt_physdev [aka xt_physdev] module to be available).
The ebtables project has an interesting document on the interaction of bridging and iptables.
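A check for the FORWARD-chain problem described above, as an added Python example (not part of the original page or of Xen's scripts): it reads `iptables -S FORWARD` output and reports which bridged direction through the physical interface has no physdev ACCEPT rule ahead of a catch-all DROP/REJECT. The function names and the sample ruleset are constructed; rules with other matches and user-defined chains are not modelled, so treat the result as a heuristic.

```python
import re

# Matches both negation styles: `! --physdev-out eth0` and `--physdev-out ! eth0`.
PHYS = re.compile(r"(?:(!)\s+)?--physdev-(in|out)\s+(?:(!)\s+)?(\S+)")

def parse_rule(line):
    """Extract physdev matches and the target from one '-A FORWARD ...' line."""
    body, _, tail = line.replace("'", "").partition(" -j ")
    rule = {"in": None, "out": None, "target": tail.split()[0] if tail else None}
    for pre, direction, post, iface in PHYS.findall(body):
        rule[direction] = (bool(pre or post), iface)   # (negated?, interface)
    leftover = PHYS.sub("", body).split()[2:]          # drop "-A FORWARD"
    rule["other"] = any(t not in ("-m", "physdev") for t in leftover)
    return rule

def blocked_directions(rules_text, phys_if="eth0"):
    """List bridged directions that reach a deny without a physdev ACCEPT first."""
    policy, missing = "ACCEPT", {"external->guests", "guests->external"}
    for line in rules_text.strip().splitlines():
        head = line.split()[:2]
        if head == ["-P", "FORWARD"]:
            policy = line.split()[2]
        elif head == ["-A", "FORWARD"]:
            r = parse_rule(line)
            plain = not (r["in"] or r["out"] or r["other"])
            if plain and r["target"] == "ACCEPT":
                return []                     # unconditional accept
            if plain and r["target"] in ("DROP", "REJECT"):
                return sorted(missing)        # unconditional deny ends the walk
            if r["target"] == "ACCEPT" and not r["other"]:
                if r["in"] == (False, phys_if) and r["out"] == (True, phys_if):
                    missing.discard("external->guests")
                if r["out"] == (False, phys_if) and r["in"] == (True, phys_if):
                    missing.discard("guests->external")
    return [] if policy == "ACCEPT" else sorted(missing)

# Constructed `iptables -S FORWARD` output (not captured from a real host):
# only the external->guest rule is present ahead of the catch-all REJECT.
SAMPLE = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 ! --physdev-out eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    print(blocked_directions(SAMPLE))
```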
Packet flow in bridging
(By Ernst Bachman)
Packet arrives at hardware, is handled by dom0 Ethernet driver and appears on peth0. peth0 is bound to the bridge, so it's passed to the bridge from there. This step is run on Ethernet level, no IP addresses are set on peth0 or bridge.
Now the bridge distributes the packet, just like a switch would. Filtering at this stage would be possible with ebtables.
Now there's a number of vifX.Y connected to the bridge, it decides where to put the packet based on the receiver's MAC.
The vif interface puts the packet into Xen, which then puts the packet back to the domain the vif leads to (it's also done that way for dom0, hence the vif0.0 -> (v)eth0 pair).
The target device in the dom0/domU finally has an IP address, you can apply iptables filtering here.
network-bridge
When xend starts up, it runs the network-bridge script, which:
1. creates a new bridge named xenbr0
2. "real" ethernet interface eth0 is brought down
3. the IP and MAC addresses of eth0 are copied to virtual network interface veth0
4. real interface eth0 is renamed peth0
5. virtual interface veth0 is renamed eth0
6. peth0 and vif0.0 are attached to bridge xenbr0. Please notice that in xen 3.3, the default bridge name is the same as the interface it is attached to. Eg: bridge name eth0, eth1 or ethX.VlanID
7. the bridge, peth0, eth0 and vif0.0 are brought up
It is good to have the physical interface and the dom0 interface separated; thus you can e.g. set up a firewall on dom0 that does not affect the traffic to the domUs (just for protecting dom0 alone).
vif-bridge
When a domU starts up, xend (running in dom0) runs the vif-bridge script, which:
1. attaches vif
2. vif
Additional Notes
∙ you can change the bridge name from xenbr0 using:
    (network-script 'network-bridge bridge=mybridge')
  in xend-config.sxp and rebooting or restarting xend
∙ remember to configure the bridge to attach to in the domU's config file using:
    vif = ['bridge=mybridge']
  or perhaps something like:
    vif = ['mac=00:16:3e:01:01:01,bridge=mybridge']
∙ you can create multiple network interfaces, and attach them to different bridges using:
    vif = ['mac=00:16:3e:70:01:01,bridge=br0', 'mac=00:16:3e:70:02:01,bridge=br1']
∙ if you want to use multiple bridges, you must create them yourself, either manually, or via your own startup script, or via a custom script to replace network-bridge. For example:
    $ cd /etc/xen/scripts
    $ cp network-bridge network-custom
    $ cp vif-bridge vif-custom
    $ vi /etc/xen/xend-config.sxp
    (network-script network-custom)
    (vif-script vif-custom)
    $ vi network-custom
    # whatever you want
∙ before you connect a physical interface to a bridge, remember to reset its MAC and turn arp off. For example:
    # ip link set eth1 down
    # ip link set eth1 address fe:ff:ff:ff:ff:ff arp off
    # brctl addif br1 eth1
    # ip link set eth1 up
∙ With Xen 3.0 the best method for additional bridges is to use the default Xen scripts with a slight modification, following Xen Bug #332. For example, in a two-bridge network with eth0 and eth1, create /etc/xen/scripts/my-network-script with
    #!/bin/sh
    dir=$(dirname "$0")
    "$dir/network-bridge" "$@" vifnum=0
    "$dir/network-bridge" "$@" vifnum=1
∙ With Xen 3.2.1 (tested on Debian Etch 4.0r3), here is a script example that creates two virtual interfaces corresponding to the 2 physical network interfaces
    # xemacs /etc/xen/scripts/network-bridge-wrapper
    #!/bin/sh
    /etc/xen/scripts/network-bridge "$@" netdev=eth0
    /etc/xen/scripts/network-bridge "$@" netdev=eth1
  The "$@" passes on the argument supplied by xend (from the /etc/xen/xend-config.sxp configuration file). If there is a default physical network interface, the standard network-bridge script of Xen will create a vif for this interface only, not for the other ones.
∙ (Additional note by steve_from_moreover - Maybe stating the obvious but remember to do - chmod 755 /etc/xen/scripts/my-network-script or when you reboot it will silently not be able to run this script).
∙ On SuSE Linux (at least), each interface requires an ifcfg script in /etc/sysconfig/network, e.g. /etc/sysconfig/network/ifcfg-eth1. Otherwise, network-bridge will create the bridge with no interfaces attached.
∙ Then change /etc/xen/xend-config.sxp with the following:
    (network-script my-network-script)
∙ The same principle can apply to networks without a physical ethernet device. Use a dummy interface with
    "$dir/network-bridge" "$@" vifnum=2 netdev=dummy0
Links
Some relevant topics from the mailing list:
∙ eth0 IP in dom0 2005/01/14
∙ Bridging vs. Routing 2005/01/13
∙ Bridging vs. Routing 2004/07/18
∙ An attempt to explain Xen networking 2006-02-01
∙ Firewall in domU with bridging
∙ Xen and Shorewall (with bridging)
∙ Xen and the Art of Consolidation (with bridging)
∙ Another way for making multiple Xen bridges
∙ Advanced bridging (2007/05)
You can also have a look to:
Routing
This section applies only if you choose to use network-route and vif-route instead of network-bridge and vif-bridge.
Illustration on network-route and vif-route:
Routing creates a point-to-point link between dom0 and each domU. Routes to each domU are added to dom0's routing table, so domU must have a known (static) IP. DHCP doesn't work, because the