Showing posts with label xen. Show all posts

Saturday, February 2, 2008

Xen VM's & NAT Bridging

I have a dedicated box at an ISP that provides me with a base IP for the box and a /29 range. I'm using Xen to create VM's on this box and I wanted to maximize the use of IP's for my hosts.

The default configuration one would use would result in 2 IP's being assigned to the Xen host.

Let's say I have a default IP of 1.2.3.4 on the main box, and the ISP has issued me 5.6.7.24/29, leaving me with 5.6.7.25-29 as usable IP's. One of the /29 range has to be applied to the base box to serve as a gateway, meaning that one IP is wasted (or you could say even 2 are wasted if you include the 1.2.3.4 address).

I didn't want to lose these 2 valuable IP's, so I used iptables with SNAT/DNAT to make use of all the assigned IP's.

The first steps were simple when I found this page: http://grml.org/xen/, so the bulk of the following code is copied from there.

Using a Debian system, I entered the following extra config into my /etc/network/interfaces to make the Xen host listen to my public IP's and perform DNAT/SNAT to private IP addresses.

auto xenintbr
iface xenintbr inet static
    pre-up brctl addbr xenintbr
    post-down brctl delbr xenintbr
    address 10.1.1.1
    netmask 255.255.255.0
    bridge_fd 0
    bridge_hello 0
    bridge_stp off

auto eth0:25
iface eth0:25 inet static
    address 5.6.7.25
    netmask 255.255.255.248
    post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.25 -j SNAT --to 5.6.7.25
    post-up iptables -t nat -A PREROUTING -d 5.6.7.25 -j DNAT --to-destination 10.1.1.25


Next, make xend set up the bridge correctly in /etc/xen/xend-config.sxp. This tells xend to set up the bridge between the guest and the bridge set up above, but instead of using the default network-bridge, we simply do routing, and let the iptables rules above perform the routing to the outside world.

(network-script network-route)
(vif-bridge xenintbr)
(vif-script vif-bridge)


And in the guest machine, configure the network on the private subnet.

auto eth0
iface eth0 inet static
    address 10.1.1.25
    netmask 255.255.255.0
    gateway 10.1.1.1


You can check the status of the iptables rules with:

iptables -L -vn
iptables -t nat -L -vn
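
As an added example (not part of the original post), the shell function below reads the nat table in iptables-save format and flags any public address whose DNAT rule lacks the mirror-image SNAT rule, or the reverse; a missing DNAT matters most, because traffic to that alias address is then delivered to the Xen host itself. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that every DNAT (public -> private) rule in the nat
# table has the mirror-image SNAT (private -> public) rule, and vice versa.
# Input: rules in `iptables-save -t nat` format on stdin.
check_nat_pairs() {
    awk '
    function strip(a) { sub(/\/32$/, "", a); return a }
    $1 == "-A" {
        src = dst = to = tgt = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = strip($(i + 1))
            else if ($i == "-d") dst = strip($(i + 1))
            else if ($i == "-j") tgt = $(i + 1)
            else if ($i ~ /^--to(-source|-destination)?$/) to = $(i + 1)
        }
        if ($2 == "POSTROUTING" && tgt == "SNAT") snat[src] = to
        if ($2 == "PREROUTING" && tgt == "DNAT") dnat[dst] = to
    }
    END {
        bad = 0
        for (pub in dnat) {
            priv = dnat[pub]
            if (!(priv in snat) || snat[priv] != pub) {
                printf "DNAT %s -> %s has no matching SNAT\n", pub, priv
                bad = 1
            }
        }
        for (priv in snat) {
            pub = snat[priv]
            if (!(pub in dnat) || dnat[pub] != priv) {
                printf "SNAT %s -> %s has no matching DNAT\n", priv, pub
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample: .25 is mapped both ways, .26 is missing its SNAT rule.
sample_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -d 5.6.7.25/32 -j DNAT --to-destination 10.1.1.25
-A POSTROUTING -s 10.1.1.25/32 -o eth0 -j SNAT --to-source 5.6.7.25
-A PREROUTING -d 5.6.7.26/32 -j DNAT --to-destination 10.1.1.26
COMMIT
EOF
}

sample_rules | check_nat_pairs || echo "asymmetric NAT mappings found"
```

On the Xen host, run it against the live table with `iptables-save -t nat | check_nat_pairs`; a zero exit status means every mapping is symmetric.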

Sunday, September 23, 2007

Debian Sarge from VMWare to Xen DomU

Now I have a good Gentoo Xen instance, I want to migrate my VMWare environments to Xen DomU's.

My mobo is the Via Epia EN12000 with a Via C7 Esther CPU, and only has the cmov CPU flag, so no chance of getting HVM working. I had to build the standard Gentoo Xen Linux Sources at version 2.6.20. That's better than the stock Xen Kernel which is currently 2.6.18, but it still doesn't have specific support for the Via C7. Not a problem though.

I have an old Debian Sarge that hasn't been updated in a while. To get it working I had to add the sarge-backports source to /etc/apt/sources.list. Once that was done it was still a bit of a problem getting a Xen kernel installed. In the end I figured out the dependencies to work.

Aptitude didn't give very helpful details so I had to get the info I needed by using "dpkg -i" on packages. Eventually the following commands got me where I wanted to get:

aptitude install klibc-utils
aptitude -V -f install udev=0.105-4~bpo.1
aptitude -V -f install initramfs-tools
aptitude -V -f install linux-image-2.6-xen-686


The key to this seems to have been the packages removed and installed by klibc-utils. After that you could probably skip to installing linux-image-2.6-xen-686.

For reference, the main error from aptitude that was killing me was:

The following packages have unmet dependencies:
initramfs-tools: Depends: udev (>= 0.086-1) but it is not installable


even though udev-0.105-4~bpo.1 was installed.

Once the kernels were installed I tried to boot the domain in Xen and faced another problem. The linux-image-2.6.18-4-xen-686 in Sarge Backports now supports PAE, so I had to rebuild my dom0 kernel and app-emulation/xen with PAE support.