Author: trickygnome (n00b) | Joined: 17 May 2017 | Posts: 12
Posted: Sat Mar 10, 2018 6:30 am | Post subject: Xen Network Driver Domain (rtorrent, vnc)
The goal is to detach the network device from all domains.
Have one domain with the Ethernet controller: the network driver domain.
Route internet connections from all DomU (and Dom0) through the network driver domain.
domain - Dom0, DomU
driver domain - DomU with pci-attach
network driver domain - DomU with the Ethernet controller or any network device attached.
physical xen connections: Dom0.br0 <- DomN.eth1, (enp0s0), br2 <- DomU.eth0
logical: Dom0 -> DomN <- DomU
We create the network driver domain.
1) Create the DomU disk
Code:
dd if=/dev/zero of=~/tdisk.img bs=1 seek=8G count=1
mkfs.ext4 ~/tdisk.img
2) Install the base system
Code:
mount -o loop ~/tdisk.img /mnt/img
cd /mnt/img
(! download gentoo tarball here !)
(! see gentoo handbook - installing base system !)
Code:
mount -t proc /proc proc
mount --rbind /sys sys
mount --rbind /dev dev
chroot /mnt/img /bin/bash
source /etc/profile
export PS1="(chrooted) $PS1"
(! install system !)
3) Copy a properly compiled kernel with all supported Xen entries (see https://wiki.gentoo.org/wiki/Xen )
Code:
cp /usr/src/linux/vmlinux /mnt/img/boot/vmlinux
4) Install xen-tools (configure /etc/portage/package.use/xen yourself)
Code:
emerge --ask app-emulation/xen-tools
5) /etc/init.d/xendriverdomain is not working, but it has a working xl devd.
We create /etc/local.d/xen.start with
Code:
xl devd -F >> /var/log/xldevd &
And add it to startup:
Code:
rc-update add local
6) Startup script domnet.cfg for our network driver domain
Code:
# Guest name
name = "domnet"
# Kernel image to boot
kernel = "/boot/vmlinux"
# Ramdisk (optional)
#ramdisk = "/boot/initrd.gz"
# Kernel command line options
extra = "root=/dev/xvda1"
# Initial memory allocation (MB)
memory = 128
# Number of VCPUS
vcpus = 1
# Network devices
# A list of 'vifspec' entries as described in
# docs/misc/xl-network-configuration.markdown
# br0 - bridge at Dom0 that this domain is connected through
vif = [ 'mac=00:21:cc:bb:5d:50, bridge=br0, model=e1000, vifname=vifd1' ]
# Disk Devices
# A list of `diskspec' entries as described in
# docs/misc/xl-disk-configuration.txt
#disk = [ '/dev/sda5,raw,hda,rw', 'format=raw, vdev=hdc, access=ro, devtype=cdrom, target=/home/user/image.iso' ]
disk = [ '/root/myxen/ext4domnet.img,raw,xvda1,rw' ]
# paravirtualization options
bootloader = "pygrub"
#root = "/dev/xvda1"
# pci - the Ethernet controller passed through to this domain
pci = [ '00:19.0' ]
7) Configure the network at this network driver domain
Code:
# because of the PCI attachment, eth1 is created instead of eth0
config_eth1="192.168.0.12/24 brd 192.168.0.255"
# i am using pppoe
config_ppp0="ppp"
link_ppp0="enp0s0"
plugins_ppp0="pppoe"
username_ppp0='username_password_not_here'
pppd_ppp0="
noauth
defaultroute
usepeerdns
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
persist
debug
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
#rc_net_ppp0_need="net.enp0s0"
# bridge for inbound traffic from the other DomU; its network must differ from eth1!
bridge_br2=""
config_br2="192.168.1.2 netmask 255.255.255.0"
bridge_stp_state_br2="0"
bridge_forward_delay_br2="0"
bridge_hello_time_br2="1000"
We create net.eth1 and net.br2
Code:
cd /etc/init.d/
ln -s net.lo net.eth1
ln -s net.lo net.br2
rc-update add net.eth1
rc-update add net.br2
8) iptables for routing and firewall
Here we block any direct access to hosts.
Open two ports, 6881 and 6890, for rtorrent.
I am not good with iptables; this may be improved.
Code:
#!/bin/bash
export WAN=ppp0
export LAN2=br2
export LAN0=eth1
#export WAN=enp0s0
# clear current ruleset
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t filter -F
ip6tables -F
ip6tables -X
ip6tables -Z
# set the default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# comment it
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#
iptables -P FORWARD DROP
#iptables -P FORWARD ACCEPT
#iptables -A INPUT -i eth0 -j ACCEPT
#iptables -A OUTPUT -o eth0 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# loopback for VNC
#iptables -A INPUT -i lo -j ACCEPT
# forwarding for eth1 (LAN0) and br2 (LAN2)
iptables -A FORWARD -i ${LAN0} -s 192.168.0.0/24 -o ${WAN} -j ACCEPT
iptables -A FORWARD -o ${LAN0} -d 192.168.0.0/24 -i ${WAN} -j ACCEPT
iptables -A FORWARD -i ${LAN2} -s 192.168.1.0/24 -o ${WAN} -j ACCEPT
iptables -A FORWARD -o ${LAN2} -d 192.168.1.0/24 -i ${WAN} -j ACCEPT
# masquerade
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ${WAN} -j MASQUERADE
# no incoming: only replies to established flows are forwarded back to the guests
iptables -A FORWARD -i ${WAN} -o ${LAN2} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${WAN} -o ${LAN0} -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNAT: rtorrent ports to the torrent DomU
iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 6881 -j DNAT --to-destination 192.168.1.44
iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 6890 -j DNAT --to-destination 192.168.1.44
# uncomment it
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
#
iptables -A FORWARD -j DROP
iptables -Z
Code:
rc-service iptables save
rc-update add iptables
9) /etc/sysctl.conf
Code:
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_all = 1
Configure Dom0 for eth1
1) Install xen, xen-tools.
br0 to connect with the network driver domain
Code:
cd /etc/init.d
ln -s net.lo net.br0
2) Start script for the network driver domain
Code:
rc-service net.br0 start
xl pci-assignable-add 00:19.0
xl create /root/myxen/domnet.cfg
Configure DomU for br2
Just Gentoo with our /boot/vmlinux.
VNC access and rtorrent
1) xen script
Code:
# PV guest; the xl builder for PV is named "generic"
builder = "generic"
# Guest name
name = "dom2"
# Kernel image to boot
kernel = "/boot/vmlinux"
# Kernel command line options
#extra = "root=/dev/xvda1 xenfb.video=32,1280,1024"
extra = "root=/dev/xvda1 xen-fbfront.video=32,1600,900"
# Initial memory allocation (MB)
memory = 1224
# Number of VCPUS
vcpus = 2
# Network devices
# A list of 'vifspec' entries as described in
# docs/misc/xl-network-configuration.markdown
# backend=domnet: the vif is served by the network driver domain, not Dom0
vif = [ 'bridge=br2, mac=00:16:2E:0d:13:21, model=e1000, vifname=viftr1, backend=domnet' ]
# Disk Devices
# A list of `diskspec' entries as described in
# docs/misc/xl-disk-configuration.txt
#disk = [ '/dev/sda5,raw,hda,rw', 'format=raw, vdev=hdc, access=ro, devtype=cdrom, target=/home/user/image.iso' ]
disk = [ '/mnt/sda5/toruser.img,raw,xvda1,rw', '/mnt/sda5/tdisk.img,raw,xvda2,rw' ]
#disk = [ '/mnt/sda5/toruser.img,raw,xvda1,rw' ]
# paravirtualization options
bootloader = "pygrub"
root = "/dev/xvda1"
# vnc
vfb = [ 'type=vnc' ]
# should fix the mouse mismatch, but usb is disabled ^:(
#usbdevice='tablet'
#usb=1
2) vnc access from Dom0
Code:
alias vnc="vncviewer -AutoSelect=0 -FullScreen -NoJpeg -CompressLevel=2 -PreferredEncoding=raw 127.0.0.1"
3) rtorrent configuration file (offtopic)
Code:
# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
# Maximum and minimum number of peers to connect to per torrent.
#min_peers = 40
#max_peers = 100
# Same as above but for seeding completed torrents (-1 = same as downloading)
#min_peers_seed = 10
#max_peers_seed = 50
# Maximum number of simultaneous uploads per torrent.
#max_uploads = 15
# Global upload and download rate in KiB. "0" for unlimited.
#download_rate = 0
#upload_rate = 0
# Default directory to save the downloaded torrents.
directory = /mnt/xvda2/torrents
# Default session directory. Make sure you don't run multiple instances
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /mnt/xvda2/session
# Watch a directory for new torrents, and stop those that have been
# deleted.
#schedule = watch_directory,5,5,load_start=./watch/*.torrent
#schedule = untied_directory,5,5,stop_untied=
# Close torrents when diskspace is low.
#schedule = low_diskspace,5,60,close_low_diskspace=100M
# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no
# The ip address the listening socket and outgoing connections are
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no
# Port range to use for listening.
#port_range = 6890-6999
port_range = 6890-6890
# Start opening ports at a random position within the port range.
port_random = no
# Check hash for finished torrents. Might be useful until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no
# Set whether the client should try to connect to UDP trackers.
#use_udp_trackers = yes
# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa
# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
# encryption = allow_incoming,enable_retry,prefer_plaintext
encryption = allow_incoming,try_outgoing,enable_retry
# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = auto
# UDP port to use for DHT.
#
dht_port = 6881
# Enable peer exchange (for torrents not marked private)
#
peer_exchange = yes
#http_proxy = px1.blockme.site:3128
# polipo for tracker connections only, not peering!
http_proxy = 127.0.0.1:8123
4) rtorrent connected to polipo connected to tor (off topic)
Code:
emerge --ask net-proxy/polipo
/etc/polipo/config
Code:
daemonise=false
#diskCacheRoot=/var/cache/polipo/
proxyAddress=127.0.0.1
proxyName=localhost
serverSlots=4
serverMaxSlots=8
#cacheIsShared=true
allowedClients=127.0.0.1
diskCacheRoot=
cacheIsShared=false
# running Tor Browser
socksParentProxy=localhost:9150
socksProxyType=socks5
disableLocalInterface=true
allowedPorts = 1-65535
tunnelAllowedPorts = 1-65535
----------------
Xen Network Driver Domain
google verify this page please.
[Moderator edit: Moved poster's self-response into main post, then deleted that self-response to return the thread to the unanswered list. (Although, in this case, the self response makes no sense.)
OP: Generally, if post length permits, you should edit extra information into your first post instead of replying to it. Some users run a canned search for threads with zero replies as a way of finding posts to answer. When you replied to yourself, you removed your thread from that list, even though you were not replying to announce that the thread was solved. Thus, they would no longer see your thread on the list of unanswered threads.
-Hu]
_________________
if posts > 50 then; eat(shit); fi
Shitty laptop with two cores 2.3GHz. Updating took one night per week.
I work with powersave CPU governor!
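As an added example (not the poster's script, and not part of the original post), the ruleset from step 8 rewritten so it can be reviewed before it touches the driver domain. It assumes the post's layout: ppp0 as the WAN, eth1 and br2 as the guest-facing interfaces with 192.168.0.0/24 and 192.168.1.0/24 behind them, and 192.168.1.44 as the rtorrent DomU. Two things differ from the post's script: the driver domain itself gets loopback and stateful INPUT rules (with both policies at DROP and no such rule, the domain's own DNS lookups get no replies), and each port forward gets a FORWARD rule scoped to that protocol, port and host instead of a blanket accept for the whole guest subnet from the WAN. The `conntrack` match is used in place of the older `state` match. DRY_RUN=1 (the default) prints every rule; `DRY_RUN= sh driverdomain-fw.sh` applies them.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the network driver
# domain's iptables ruleset; in dry-run mode it only prints the rules.
DRY_RUN=${DRY_RUN-1}
WAN=${WAN:-ppp0}
LAN0=${LAN0:-eth1}
LAN2=${LAN2:-br2}
NET0=192.168.0.0/24
NET2=192.168.1.0/24
TORRENT_HOST=192.168.1.44   # assumed DomU address, taken from the post's DNAT rules

# Print the rule in dry-run mode, otherwise hand it to iptables.
rule() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Flush filter and nat tables and default to DROP everywhere.
flush_all() {
    for t in filter nat; do
        rule -t "$t" -F
        rule -t "$t" -X
    done
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
}

# The driver domain's own traffic: loopback, anything it initiates towards
# the WAN, and only the replies to those flows coming back in.
local_rules() {
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -o "$WAN" -j ACCEPT
}

# Guest networks: out to the WAN with masquerading; back in only for flows
# conntrack already knows, so no unsolicited WAN packet reaches a guest.
forward_rules() {
    for pair in "$LAN0:$NET0" "$LAN2:$NET2"; do
        dev=${pair%%:*}
        net=${pair#*:}
        rule -A FORWARD -i "$dev" -s "$net" -o "$WAN" -j ACCEPT
        rule -A FORWARD -i "$WAN" -o "$dev" -d "$net" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        rule -t nat -A POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
    done
}

# One port forward: DNAT in PREROUTING plus a FORWARD rule that admits only
# that protocol/port to that host on that bridge, not the whole guest subnet.
port_forward() {
    proto=$1; port=$2; host=$3; dev=$4
    rule -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" -j DNAT --to-destination "$host:$port"
    rule -A FORWARD -i "$WAN" -o "$dev" -p "$proto" -d "$host" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {
    flush_all
    local_rules
    forward_rules
    port_forward udp 6881 "$TORRENT_HOST" "$LAN2"
    port_forward tcp 6890 "$TORRENT_HOST" "$LAN2"
}

# Number of rules emitted; meaningful in dry-run mode as a sanity check
# before applying the ruleset for real.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

build_ruleset
```

Run it once in dry-run mode and read the output top to bottom: the only `-i ppp0` rules that accept NEW connections are the two port-forward lines, which is the property the post's "block any direct access to hosts" goal depends on. After applying, `rc-service iptables save` as in step 8 persists the result.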