Network Configuration Examples (Xen 4.1+)


Overview

When using the xl toolstack the host networking configuration is not set up by the toolstack; administrators are required to set up an appropriate network configuration using the tools provided by their host distribution.

There are three main styles of network setup for a Xen host: bridged, routed and NAT. The default and most common is bridged. From Xen 4.3 onwards, openvswitch is also supported. See Xen Networking for a general discussion of what each of these options means.

From Xen 4.1 onwards the xend toolstack's network-bridge script will only reconfigure the host network stack if the network stack does not appear to have been configured already (e.g. no bridges currently exist). This change allows administrators who wish to configure the network stack themselves to do so by default, while preserving the existing behaviour for those who do not. Other network-* scripts will still unconditionally reconfigure networking when called by xend. To force xend to never try to reconfigure networking, edit /etc/xen/xend-config.sxp and remove any (network-script ...) options.

Other toolstacks' requirements may differ; e.g. XCP contains its own mechanisms for configuring networking, which should be used instead.

When using bridging it is recommended to use the xenbrN naming convention for maximum compatibility.

Distribution Network Configuration Examples

The following sections contain examples of common network configurations for various Linux distributions.

Bridging

A host with correctly configured bridged networking should have a bridge device (or "shared physical device" in libvirt terms), to which guests can be attached and have full LAN access. This can be seen in the output of the brctl show command.

 bridge name     bridge id               STP enabled     interfaces
 xenbr0          8000.000e0cb30550       yes             eth0

Note: your system may have several bridges configured; e.g. libvirt will create a bridge called virbr0.

Disable Netfilter on Bridges (All Distributions)

In addition to the per-distribution examples below, it is highly recommended, for performance and security reasons, that netfilter be disabled on all bridges by adding the following to /etc/sysctl.conf. See Fedora Bug #512206 for more details.

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Then run, as root:

# sysctl -p /etc/sysctl.conf

Alternatively you can configure iptables to allow all traffic to be forwarded across the bridge by adding the following rule:

-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

How this rule is added persistently is distribution specific.
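The two sysctl steps above are easy to get subtly wrong: a later line in sysctl.conf silently overrides an earlier one, and a key that is simply absent falls back to the kernel default (filtering enabled). The following shell script is an added example, not part of the Xen wiki page; it checks a sysctl.conf-style file for the three bridge-nf keys using the same "last assignment wins" rule that sysctl applies, and appends any that are missing or not 0. The sample file it creates is constructed for the demo; on a real host you would point it at /etc/sysctl.conf and then run sysctl -p as described above.

```shell
#!/bin/sh
# Added example (not from the Xen wiki): verify and repair the bridge-netfilter
# settings in a sysctl.conf-style file.

BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-arptables"

# Print the effective value of KEY in FILE (last assignment wins, as sysctl
# does), or nothing if the key is never set. Comments and spaces around '='
# are tolerated.
sysctl_conf_get() {
    key=$1; file=$2
    sed -e 's/[#;].*$//' "$file" |
        awk -v k="$key" -F'=' '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1)
              if ($1 == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v } }
            END { if (last != "") print last }'
}

# Return 0 if all three keys are explicitly 0; otherwise print each offending
# key with its effective value and return 1.
check_bridge_nf_conf() {
    file=$1; rc=0
    for k in $BRIDGE_NF_KEYS; do
        v=$(sysctl_conf_get "$k" "$file")
        if [ "$v" != "0" ]; then
            echo "$k=${v:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Append "KEY = 0" for every key that is missing or not 0. Because the last
# assignment wins, an appended line overrides an earlier "= 1". Idempotent:
# a second run changes nothing.
ensure_bridge_nf_conf() {
    file=$1
    for k in $BRIDGE_NF_KEYS; do
        if [ "$(sysctl_conf_get "$k" "$file")" != "0" ]; then
            printf '%s = 0\n' "$k" >> "$file"
        fi
    done
}

# --- constructed demo input (not a real host file) ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1   # bridged traffic still hits iptables
EOF
if check_bridge_nf_conf "$demo"; then
    echo "bridge-nf already disabled"
else
    echo "repairing $demo"
    ensure_bridge_nf_conf "$demo"
fi
check_bridge_nf_conf "$demo" && echo "ok after repair"
rm -f "$demo"
```

Running it against the constructed file reports the iptables key as 1 and the other two as unset, appends three lines, and the second check passes.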

Example Debian-style bridge configuration (e.g. Debian, Ubuntu)

Under Debian (and its derivative distributions) the basic network configuration is managed by the ifupdown tool and configured via the /etc/network/interfaces configuration file which is described in the interfaces(5) man page. The Linux bridge configuration tools are supplied in the bridge-utils package which integrates support into /etc/network/interfaces as described in the bridge-utils-interfaces(5) man page.

The following examples show /etc/network/interfaces stanzas which set up common network configurations. Substitute xenbr0 and eth0 as necessary. In most cases you will also want to include an auto xenbr0 line to cause the bridge to be brought up on boot.

IMPORTANT NOTE: The IP configuration of the bridge device should replace the IP configuration of the underlying interface, i.e. remove the IP settings from eth0 and move them to the bridge interface. eth0 will function purely as the physical uplink from the bridge, so it can't have any IP (L3) settings on it!

Example 1: A single bridged network using eth0 configured with a local IP address via DHCP

iface eth0 inet manual

iface xenbr0 inet dhcp
	bridge_ports eth0


Example 2: A single bridged network using eth0 configured with a static local IP address

iface eth0 inet manual

iface xenbr0 inet static
        bridge_ports eth0
        address 192.168.1.2
        broadcast 192.168.1.255
        netmask 255.255.255.0
        gateway 192.168.1.1


Example 3: A single bridged network using eth0 with no local IP address

iface eth0 inet manual

iface xenbr0 inet manual
	bridge_ports eth0


Example 4: An internal bridge with no external connectivity. Note that $IFACE here can be entered literally, it is substituted automatically by ifupdown

iface xenbr0 inet manual
	pre-up brctl addbr $IFACE
	up ip link set $IFACE up
	post-down brctl delbr $IFACE
	down ip link set $IFACE down

Example 5: A bridge on VLAN #2 of device eth0:

iface xenbr0.2 inet dhcp
	bridge_ports eth0.2

The syntax for supporting VLANs in this way is described in the vlan-interfaces(5) man page. VLAN support requires that the vconfig tool from the vlan package be installed.

Some other useful options to use in any stanza in a virtualised environment are:

	bridge_stp off		# disable Spanning Tree Protocol
	bridge_waitport 0	# no delay before a port becomes available
	bridge_fd 0		# no forwarding delay

For some environments, when using openvswitch, you may need to add the following line:

allow-hotplug xenbr0

Further information about configuring bridging on Debian-like systems is available in the Debian Wiki.
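The mistake the IMPORTANT NOTE above warns about (leaving an address or a dhcp/static method on the uplink that is also listed in bridge_ports) is easy to miss in a long interfaces file. The awk-based check below is an added example and not part of the Xen wiki page or of ifupdown: it parses the iface stanzas, collects each bridge's bridge_ports, and fails if any port that has its own stanza is not "inet manual" or carries address/netmask/gateway lines. Ports with no stanza at all (such as eth0.2 in the VLAN example) are ignored, and the "none" keyword for an internal bridge is skipped. The two files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Xen wiki): check that every bridge port in an
# /etc/network/interfaces file is a pure L2 uplink ("inet manual", no IP).

# Usage: check_bridge_uplinks FILE ; returns 0 if clean, 1 with a report if not.
check_bridge_uplinks() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        NF == 0 { next }                         # and blank lines
        $1 == "iface" { cur = $2; method[cur] = $4; seen[cur] = 1; next }
        $1 == "auto" || $1 == "allow-hotplug" || $1 == "mapping" || $1 == "source" { cur = ""; next }
        cur == "" { next }                       # option lines outside a stanza
        $1 == "bridge_ports" {
            for (i = 2; i <= NF; i++) if ($i != "none") ports[cur, $i] = 1
        }
        $1 == "address" || $1 == "netmask" || $1 == "gateway" { l3[cur] = 1 }
        END {
            bad = 0
            for (key in ports) {
                split(key, p, SUBSEP); br = p[1]; port = p[2]
                if (!(port in seen)) continue    # no stanza: ifupdown leaves it alone
                if (method[port] != "manual" || (port in l3)) {
                    printf "%s: port %s of bridge %s must be \"inet manual\" with no IP settings (method=%s%s)\n",
                        FILENAME, port, br, method[port], (port in l3) ? ", has L3 config" : ""
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# --- constructed demo files (not real host configuration) ---
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
auto xenbr0
iface eth0 inet manual

iface xenbr0 inet static
        bridge_ports eth0
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1
EOF
cat > "$bad" <<'EOF'
# the IP settings were left on the uplink instead of being moved to the bridge
iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0

iface xenbr0 inet manual
        bridge_ports eth0
EOF
check_bridge_uplinks "$good" && echo "good file: ok"
check_bridge_uplinks "$bad" || echo "bad file: rejected"
rm -f "$good" "$bad"
```

The check reads only the file you name, so it can be run against a candidate configuration before it is copied into place.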

Red Hat-style bridge configuration (e.g. RHEL, Fedora, CentOS)

As of the time of writing (Fedora 12), NetworkManager still does not support bridging, so it is necessary to use "classic" network initscripts for the bridge, and to explicitly mark them as independent from NetworkManager (the "NM_CONTROLLED=no" lines in the scripts below).

If desired you can completely disable the NetworkManager by running the following commands:

Example 1: Disabling NetworkManager

# chkconfig NetworkManager off
# chkconfig network on
# service NetworkManager stop
# service network start

In order to create a bridged network configuration on a Red Hat-style system it is necessary to create two ifcfg configuration files under /etc/sysconfig/network-scripts/. The first configures the physical network device to be placed on a specific bridge. The second (see Example 2 onwards) configures the bridge itself and includes any necessary IP address configuration.

All ifcfg files are case sensitive. In particular Bridge must be written exactly as shown.

Example 1: A physical network device on a bridge: /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=xenbr0
NM_CONTROLLED=no

Change the HWADDR to match your actual NIC's address. This configuration is the counterpart used by all of the following xenbr0 examples.

Example 2: A single bridged network configured with a local IP address via DHCP: /etc/sysconfig/network-scripts/ifcfg-xenbr0

DEVICE=xenbr0
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no

Example 3: A single bridged network configured with a static local IP address: /etc/sysconfig/network-scripts/ifcfg-xenbr0

DEVICE=xenbr0
TYPE=Bridge
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.2
NETMASK=255.255.255.0
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no

Example 4: A single bridged network with no local IP address: /etc/sysconfig/network-scripts/ifcfg-xenbr0

DEVICE=xenbr0
TYPE=Bridge
BOOTPROTO=none
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no

Example 5: An internal bridge with no external connectivity: /etc/sysconfig/network-scripts/ifcfg-xenbr0

An internal bridge can be created as per Example 4, but omitting the eth0 configuration shown in Example 1.

Some other useful options to use in any stanza are:

MTU=9000                        # Configure Jumbo frames

After changing this restart networking by running:

# service network restart

As discussed above, it is recommended to disable netfilter for bridges. Alternatively, you can configure iptables to allow all traffic to be forwarded across the bridge as follows:

echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
service libvirtd reload

Further information is available in the libvirt wiki.
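Two pitfalls in the ifcfg files above are silent: TYPE=Bridge is case sensitive, and a BRIDGE= line on the physical device only works if an ifcfg file for that bridge actually exists. The script below is an added example, not part of the Xen wiki page or of the Red Hat initscripts; it walks a network-scripts directory, follows every BRIDGE= reference to its ifcfg file, checks the exact TYPE=Bridge spelling, and flags a port that still carries IPADDR or BOOTPROTO=dhcp (which belongs on the bridge, as in Examples 2 and 3). The directory and files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Xen wiki): cross-check ifcfg-* bridge/port files.

# Print the value of KEY in an ifcfg FILE (last assignment wins, quotes
# stripped), or nothing if it is not set.
ifcfg_get() {
    grep "^[[:space:]]*$1=" "$2" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Usage: check_ifcfg_bridges DIR ; returns 0 if consistent, 1 with a report if not.
check_ifcfg_bridges() {
    dir=$1; rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        br=$(ifcfg_get BRIDGE "$f")
        [ -n "$br" ] || continue                 # not a bridge port
        dev=$(ifcfg_get DEVICE "$f")
        brfile="$dir/ifcfg-$br"
        if [ ! -f "$brfile" ]; then
            echo "$f: BRIDGE=$br but $brfile does not exist"; rc=1; continue
        fi
        t=$(ifcfg_get TYPE "$brfile")
        if [ "$t" != "Bridge" ]; then
            echo "$brfile: TYPE must be exactly 'Bridge' (found '${t:-<unset>}')"; rc=1
        fi
        if [ -n "$(ifcfg_get IPADDR "$f")" ] || [ "$(ifcfg_get BOOTPROTO "$f")" = "dhcp" ]; then
            echo "$f: port $dev carries IP configuration; move it to $brfile"; rc=1
        fi
    done
    return $rc
}

# --- constructed demo directory (not a real /etc/sysconfig/network-scripts) ---
d=$(mktemp -d)
cat > "$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=xenbr0
NM_CONTROLLED=no
EOF
cat > "$d/ifcfg-xenbr0" <<'EOF'
DEVICE=xenbr0
TYPE=bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no
EOF
check_ifcfg_bridges "$d" || echo "rejected: TYPE=bridge is not TYPE=Bridge"
sed -i 's/^TYPE=bridge$/TYPE=Bridge/' "$d/ifcfg-xenbr0"
check_ifcfg_bridges "$d" && echo "ok after fixing TYPE"
rm -rf "$d"
```

Because the initscripts treat an unknown TYPE as an ordinary interface, the lowercase spelling does not produce an error at boot; it just produces a host with no working bridge, which is why a pre-flight check like this one is worth running before service network restart.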

Openvswitch

The configuration for openvswitch is persistent across reboots. Supposing that you want to create a bridge called 'xenbr0' and attach it to the physical NIC 'eth0', after installation you can use the following commands:

ovs-vsctl add-br xenbr0
ovs-vsctl add-port xenbr0 eth0

xenbr0 will still need to be set up to acquire an IP address just as Linux bridging does; see above for examples on how to set this up for the various distributions.

Routing

In order to configure routed networking on a host it is necessary to enable IP forwarding on the host.

In addition, unless you control the routing tables of the upstream gateway, it will also be necessary to enable proxy ARP for the physical devices which will be handling traffic. This causes the domain 0 kernel to reply to ARP requests on behalf of the guests, so that traffic for those guests is sent to domain 0, which then forwards it to the guest domain.

In these examples we assume that eth0 is the physical interface used to route traffic.

Enabling Routing (All Distributions)

These options are controlled via the sysctl interface and are documented in networking/ip-sysctl.txt in the Linux kernel source.

To enable these options edit the file /etc/sysctl.conf and add or uncomment the following lines:

net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1

To make this change take effect immediately run, as root:

# sysctl -p /etc/sysctl.conf

Network Address Translation (NAT)

Enabling NAT is similar to enabling routing in that you must enable IP forwarding. You also need to configure masquerading in the host firewall using iptables.

In addition you may optionally wish to configure a DHCP server to provide IP addresses to the guests on the private network. This is not required and you can also just use static IP addresses configured in the guests themselves.

Enabling NAT (All Distributions)

The IP forwarding option is controlled via the sysctl interface (documented in networking/ip-sysctl.txt in the Linux kernel source).

To enable it, edit the file /etc/sysctl.conf and add or uncomment the following line:

net.ipv4.ip_forward = 1

To make this change take effect immediately run, as root:

# sysctl -p /etc/sysctl.conf

To enable masquerading via the device eth0 add the following rule to iptables:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Making this change permanent is distro specific (TBD: HOW?)
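The routing and NAT procedures above share the ip_forward step and differ only in whether proxy ARP (routed) or a MASQUERADE rule (NAT) is added for the uplink. The script below is an added example and not part of the Xen wiki page; it applies the runtime settings for either model for a given interface, validates the interface name before splicing it into a sysctl key or iptables argument, and uses iptables -C to test for the MASQUERADE rule before appending it, so that re-running the script does not stack duplicate rules. It prints the commands by default (DRY_RUN=1) and executes them only with DRY_RUN=0 as root. It does not persist anything: the sysctl lines go into /etc/sysctl.conf as described above, and persisting the iptables rule is distribution specific.

```shell
#!/bin/sh
# Added example (not from the Xen wiki): idempotent routed/NAT setup for one
# uplink interface. DRY_RUN=1 (the default) only prints the commands.

: "${DRY_RUN:=1}"

# Interface names end up in sysctl keys and iptables arguments, so accept only
# the kernel's charset and length limit (IFNAMSIZ-1 = 15) before using one.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|.|..) return 1 ;;
        *) [ ${#1} -le 15 ] ;;
    esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: enable_routing IFACE routed|nat
enable_routing() {
    iface=$1; mode=$2
    valid_iface "$iface" || { echo "invalid interface name: $iface" >&2; return 2; }
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$mode" = "routed" ]; then
        run sysctl -w "net.ipv4.conf.$iface.proxy_arp=1"
    elif [ "$mode" = "nat" ]; then
        # -C returns 0 if the rule is already present; append only when absent.
        if [ "$DRY_RUN" = "1" ] || ! iptables -t nat -C POSTROUTING -o "$iface" -j MASQUERADE 2>/dev/null; then
            run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
        fi
    else
        echo "mode must be routed or nat" >&2
        return 2
    fi
}

# Demo (dry run): show what would be applied for eth0 in each model.
echo "# routed model:"
enable_routing eth0 routed
echo "# NAT model:"
enable_routing eth0 nat
# To apply for real:  DRY_RUN=0 ./this-script   (as root, on the Xen host)
```

The dry-run output for the NAT model is exactly the two commands given in this section; the -C guard only comes into play when the script actually executes against a live nat table.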

TBD: Setting up a DHCP controller.

Distribution Specific Resources

In general most host level networking configuration is done using the tools provided by the domain 0 Operating System and is not in any way specific to Xen. This section links to various resources provided by distributions.

Debian & Ubuntu

Fedora

Gentoo