Mailing List Archive: Xen: Users

Recipe for 'Thin Domain 0' request



romaq at members

Apr 3, 2005, 3:49 PM

Post #1 of 6 (559 views)
Recipe for 'Thin Domain 0' request

I have two identical 'Enterprise Level' machines on a bastion network.

(The Internet)
      |            Host 1
 (firewall)--<
      |            Host 2
(internal net)

The Internal net is NAT'd, I have a full support development environment and
a 2.4TB raid. Host 1 and Host 2 are currently serving public IP.

What I would like to do is replace Host 1 and Host 2 with Xen Domain0s
running on an RFC 1918 network, and have those domains be as thin as
possible. I'm hoping to learn how to PXE boot the two hosts. I need as thin
as possible a Xen Domain 0 image to pass to the host coming up. The Domain 0
image (A PXE readonly image) then needs to start guest domains from readonly
images. Each domain then picks up on the portion it can write back to.

At this time, Host 1 and Host 2 have their own 600GB raided hard drives.
Once the guest domains have their readonly image, they can then mount their
write-back portion for spools, guest home directories and so on. The
write-back will be LVMs on the hosts 600G raids for the moment, with
consideration of having portions of the 2.4 TB leased to bastions and
removing the drives later.

One particularly nasty thought is to have Host 1 and Host 2 each serve
'firewall' guest domains. We have one routing IP outside of our 'public' IP
network, and our provider will allow us a second routing IP. I would need to
prove the theory that I can isolate the NIC device and its traffic from
Domain 0 and all other domains in a firewall application.

I would like assistance with a recipe that presumes a development
environment on a separate host, builds a 'minimal domain 0' host 1 and lets
me steer towards the project I describe above.

--Romaq




_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xensource.com/xen-users


tupshin at tupshin

Apr 3, 2005, 6:07 PM

Post #2 of 6 (489 views)
Re: Recipe for 'Thin Domain 0' request [In reply to]

William (Andy) Smith wrote:

>One particularly nasty thought is to have Host 1 and Host 2 each serve
>'firewall' guest domains. We have one routing IP outside of our 'public' IP
>network, and our provider will allow us a second routing IP. I would need to
>prove the theory that I can isolate the NIC device and its traffic from
>Domain 0 and all other domains in a firewall application.
>
I can attest that this works quite well. I have a domU acting as a
router/firewall, and aside from having to hack the bridging script to
support 3 nics, it worked without a problem.

The machine has 3 nics (internet, dmz, internal), and the dom0 boots up
with an IP address only on the internal nic (eth1, eth2, xen-br1, and
xen-br2 are all "up", but with no address assigned). The router domU is
given access to all 3 nics:

nics=3
vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0',
        'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1',
        'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]

while all the other domUs are only given access to the dmz nic. The
router domU then runs pppoe (for DSL), and standard iptables natting and
routing using the shorewall package, though any iptables based routing
approach should work fine.

This has been working quite stably for me for a while, starting with xen
2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.

Let me know (on or off list) if you have any questions about this setup.

-Tupshin



romaq at members

Apr 3, 2005, 10:52 PM

Post #3 of 6 (492 views)
RE: Recipe for 'Thin Domain 0' request [In reply to]

> -----Original Message-----
> From: Tupshin Harper [mailto:tupshin [at] tupshin]
> Sent: Sunday, April 03, 2005 6:08 PM
> To: romaq [at] members
> Cc: xen-users [at] lists
> Subject: Re: [Xen-users] Recipe for 'Thin Domain 0' request

<snip>

> Let me know (on or off list) if you have any questions about this setup.

It's the issue of having a 'thinnest possible Dom0' I'm working towards at
the moment. I need to get some DomNs up as quickly as possible, and I'm
caught wishing I knew enough about Xen to make a bootable ISO Dom0 so I
could have the entire 600GB raid available for LVM use. If only I had PXE
already working, I'd skip the ISO.

If the business of a 'thin Dom0' will take some time to get worked out,
should I work on having Host 1 boot LVM root + Dom0? The unfortunate side of
this project comes with a number of unrelated technologies that I'm new to
that all need to work in order to achieve the end goal.

I don't want to cover the non Xen stuff here, of course. I just need to
start and make progress in *some* direction and move services to a working
DomN.

--Romaq






riel at redhat

Apr 4, 2005, 10:27 AM

Post #4 of 6 (490 views)
Re: Recipe for 'Thin Domain 0' request [In reply to]

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

> I would need to prove the theory that I can isolate the NIC device and
> its traffic from Domain 0 and all other domains in a firewall
> application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                                  (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan



tupshin at tupshin

Apr 4, 2005, 2:34 PM

Post #5 of 6 (490 views)
Re: Recipe for 'Thin Domain 0' request [In reply to]

Rik van Riel wrote:

>On Sun, 3 Apr 2005, William (Andy) Smith wrote:
>
>>I would need to prove the theory that I can isolate the NIC device and
>>its traffic from Domain 0 and all other domains in a firewall
>>application.
>
>I guess you could do the following, where I assume that
>eth1 contains your untrusted traffic:
>
>[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
>(no IP)                                                  (dom0's IP)
>
>This way eth0 is firewalled from external network traffic.
>Yes, the packets will travel through dom0 to get to the
>domU firewall - but dom0 does not have any IP addresses
>before that firewall, so it will be much harder to attack.
>
This is exactly what I do, and it works great. I find it hard to imagine
a successful attack against the dom0 when it doesn't have an IP address on
the interface. I guess if you were really paranoid, you would do PCI
delegation of that NIC to the domU, but I'm not (that paranoid).

-Tupshin

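The property Rik's diagram and Tupshin's setup rely on (dom0 holds no address on the untrusted NIC or its bridge, and only the firewall domU's vif shares that bridge with the NIC) can be checked from dom0 rather than assumed. This is an added example, not code from either poster; it parses `ip -o addr show` and `brctl show` output (constructed samples below, not captured from anyone's machine) and assumes the firewall domU's vif name on the untrusted bridge is known (`vif1.1` here).

```python
import re
# Constructed sample of dom0's `ip -o addr show` output: only eth0 and its
# bridge xen-br0 carry an address; eth1 and xen-br1 (untrusted side) have none.
SAMPLE_IP_ADDR = """\
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
5: xen-br0    inet6 fe80::1/64 scope link
"""
# Constructed `brctl show` output: xen-br1 holds the untrusted NIC and the firewall vif only.
SAMPLE_BRCTL = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
xen-br0\t\t8000.000000000001\tno\t\teth0
\t\t\t\t\t\t\tvif1.0
xen-br1\t\t8000.000000000002\tno\t\teth1
\t\t\t\t\t\t\tvif1.1
"""

def addressed_interfaces(ip_output):
    """Map interface name -> list of inet/inet6 addresses seen in `ip -o addr` lines."""
    result = {}
    for line in ip_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        if m:
            result.setdefault(m.group(1), []).append(m.group(3))
    return result

def bridge_members(brctl_output):
    """Map bridge name -> list of enslaved ports from `brctl show` output."""
    members, current = {}, None
    for line in filter(str.strip, brctl_output.splitlines()[1:]):  # skip header row
        parts = line.split()
        if line[0] not in " \t":  # bridge row: name, id, stp, [first port]
            current = parts[0]
            members[current] = parts[3:]
        elif current:  # indented continuation row carries one more port
            members[current].extend(parts)
    return members

def check_isolation(ip_output, brctl_output, untrusted_nic, untrusted_bridge, firewall_vifs):
    """Return violations: dom0 addressed on the untrusted side, NIC not bridged, or a foreign vif."""
    addrs, members = addressed_interfaces(ip_output), bridge_members(brctl_output)
    problems = []
    for iface in (untrusted_nic, untrusted_bridge):
        if addrs.get(iface):
            problems.append(f"dom0 has address {addrs[iface]} on {iface}")
    ports = set(members.get(untrusted_bridge, []))
    if untrusted_nic not in ports:
        problems.append(f"{untrusted_nic} is not enslaved to {untrusted_bridge}")
    for port in sorted(ports - {untrusted_nic} - set(firewall_vifs)):
        problems.append(f"{port} on {untrusted_bridge} is not the firewall domU's vif")
    return problems
```

Run it against live output (`ip -o addr show` and `brctl show` piped in) after each bridge-script change; an empty list means the untrusted side is still unreachable from dom0's IP stack.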


tupshin at tupshin

Apr 4, 2005, 2:48 PM

Post #6 of 6 (488 views)
Re: Recipe for 'Thin Domain 0' request [In reply to]

William (Andy) Smith wrote:

>It's the issue of having a 'thinnest possible Dom0' I'm working towards at
>the moment. I need to get some DomNs up as quickly as possible, and I'm
>caught wishing I knew enough about Xen to make a bootable ISO Dom0 so I
>could have the entire 600GB raid available for LVM use. If only I had PXE
>already working, I'd skip the ISO.
>
There are a lot of ways of getting a network bootable (diskless)
install, including etherboot from a floppy or booting from a usb flash
drive. If you can get a minimal version of your preferred dom0 distro
booted in such a way, it should be pretty easy to make that approach xen
compatible.

-Tupshin
