If I can log in to the guest through the console, I can of course find out what IP DHCP has assigned it. If I configure a static IP I can of course connect to the system there (if it runs services, the firewall allows it, all the usual caveats).
Does there happen to be any way to determine from dom0 what IPs are participating in the network and which guests they belong to? (I'm configuring everything as bridged; basically I want to use virtualization to pretend I have a bunch of independent systems visible to the outside.)
(I suppose just what the IPs are is enough; the number is small enough I could probe them until I found the system I wanted. Obviously this is for use when I'm having trouble getting in through the console but have some reason to think the rest of the system is alive.)
On Thu, Jul 15, 2010 at 9:03 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
If I can log in to the guest through the console, I can of course find out what IP DHCP has assigned it. If I configure a static IP I can of course connect to the system there (if it runs services, the firewall allows it, all the usual caveats).
Does there happen to be any way to determine from dom0 what IPs are participating in the network and which guests they belong to? (I'm configuring everything as bridged; basically I want to use virtualization to pretend I have a bunch of independent systems visible to the outside.)
(I suppose just what the IPs are is enough; the number is small enough I could probe them until I found the system I wanted. Obviously this is for use when I'm having trouble getting in through the console but have some reason to think the rest of the system is alive.) -- David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/ Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/ Photos: http://dd-b.net/photography/gallery/ Dragaera: http://dragaera.info
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
grep DHCP /var/log/messages
or
grep DHCPACK /var/log/messages
On Thu, July 15, 2010 14:08, Rudi Ahlers wrote:
On Thu, Jul 15, 2010 at 9:03 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
If I can log in to the guest through the console, I can of course find out what IP DHCP has assigned it. If I configure a static IP I can of course connect to the system there (if it runs services, the firewall allows it, all the usual caveats).
Does there happen to be any way to determine from dom0 what IPs are participating in the network and which guests they belong to? (I'm configuring everything as bridged; basically I want to use virtualization to pretend I have a bunch of independent systems visible to the outside.)
(I suppose just what the IPs are is enough; the number is small enough I could probe them until I found the system I wanted. Obviously this is for use when I'm having trouble getting in through the console but have some reason to think the rest of the system is alive.)
grep DHCP /var/log/messages
or
grep DHCPACK /var/log/messages
My dom0 /var/log/messages doesn't have anything on assignments to guests. bs004 (ID 9), for example, currently has 192.168.1.143, but there's nothing about that IP in dom0 /var/log/messages.
Are you maybe running a dhcp server locally for local networking, rather than bridging your guest systems out to the general dhcp server?
On Thu, Jul 15, 2010 at 10:06 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
My dom0 /var/log/messages doesn't have anything on assignments to guests. bs004 (ID 9), for example, currently has 192.168.1.143, but there's nothing about that IP in dom0 /var/log/messages.
Are you maybe running a dhcp server locally for local networking, rather than bridging your guest systems out to the general dhcp server?
I don't run DHCP on dom0 (are you using XEN?) for this very reason. I don't want DHCP broadcasts all over the network, and don't want the domUs to accept DHCP requests from other hosts.
DHCP *normally* logs to /var/log/messages, unless you configured it otherwise.
try "grep dhcp /var/log/messages"
OR "tail -f /var/log/messages" and then "service network restart" on a domU to see if it shows anything on dom0. Can the domUs get their IP from another server? Try and eliminate this altogether.
On Fri, July 16, 2010 01:56, Rudi Ahlers wrote:
On Thu, Jul 15, 2010 at 10:06 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
My dom0 /var/log/messages doesn't have anything on assignments to guests. bs004 (ID 9), for example, currently has 192.168.1.143, but there's nothing about that IP in dom0 /var/log/messages.
Are you maybe running a dhcp server locally for local networking, rather than bridging your guest systems out to the general dhcp server?
I don't run DHCP on dom0 (are you using XEN?) for this very reason. I don't want DHCP broadcasts all over the network, and don't want the domUs to accept DHCP requests from other hosts.
Yes, Xen. I'm not so far as I know running DHCP, but it might be configured by default.
DHCP *normally* logs to /var/log/messages, unless you configured it otherwise.
Haven't touched anything of that nature (and the install is only hours old, I still remember what I did :-) ).
try "grep dhcp /var/log/messages"
OR "tail -f /var/log/messages" and then "service network restart" on a domU to see if it shows anything on dom0. Can the domUs get their IP from another server? Try and eliminate this altogether.
The domU got its IP from the corporate DHCP server, which is what I intended (that's why I'm running bridged, I'm using virtual servers to separate functions while conserving physical boxes, so I want them to present as separate systems to users on the network).
Can't retest right now, as I'm back to just a newly installed Dom0 for what I hope will be the actual production install.
On 07/17/2010 12:39 AM, David Dyer-Bennet wrote:
The domU got its IP from the corporate DHCP server, which is what I intended (that's why I'm running bridged, I'm using virtual servers to separate functions while conserving physical boxes, so I want them to present as separate systems to users on the network).
An alternative, if you have some control over the DHCP server, might be to enforce a mapping of MAC addresses to IPs. You can pretty much set your guest MAC addresses to whatever you want so long as they don't conflict with anything else. In libvirt land you do that with something like
<interface type='bridge'>
  <mac address='00:16:36:1e:dd:f3'/>
  <source bridge='br0'/>
</interface>
Kal
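Editor's added example, not code from Kal or from libvirt: if you are going to pin guest MAC addresses, derive them from the guest name so a rebuilt config reproduces the same address, and check two things before writing the XML: that the address is a unicast one (group bit clear in the first octet) and that it does not collide with anything already on the bridge. The 00:16:3e prefix is the Xen Project OUI, the range Xen tooling normally generates from; using it here is an assumption about the environment, and the guest names and in-use addresses are made up.

```python
import hashlib
import re
from typing import Dict, Iterable, Set

# Assumption: guests are Xen domUs, so use the Xen Project OUI. Change this
# if your tooling uses another prefix (QEMU/KVM guests usually get 52:54:00).
GUEST_OUI = "00:16:3e"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def valid_unicast_mac(mac: str) -> bool:
    """True if mac is well formed and usable as a NIC's own address."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    first_octet = int(mac[:2], 16)
    # Bit 0 of the first octet set means group/multicast; a guest NIC
    # cannot use such an address as its source address.
    return (first_octet & 0x01) == 0


def guest_mac(name: str, oui: str = GUEST_OUI) -> str:
    """Stable MAC for a guest: fixed OUI plus the first three bytes of
    SHA-256(name). Deterministic, so the same guest always gets the same
    address and the DHCP server's MAC-to-IP mapping keeps working."""
    nic = hashlib.sha256(name.encode("utf-8")).digest()[:3]
    return oui.lower() + ":" + ":".join(f"{b:02x}" for b in nic)


def interface_xml(mac: str, bridge: str = "br0") -> str:
    """The libvirt <interface> fragment for a bridged guest NIC."""
    if not valid_unicast_mac(mac):
        raise ValueError(f"refusing to emit invalid or multicast MAC {mac}")
    return (
        "<interface type='bridge'>\n"
        f"  <mac address='{mac.lower()}'/>\n"
        f"  <source bridge='{bridge}'/>\n"
        "</interface>"
    )


def assign_macs(guests: Iterable[str], in_use: Set[str]) -> Dict[str, str]:
    """Map each guest name to a MAC, refusing any that collides with an
    address already in use (other guests or physical hosts on the bridge)."""
    taken = {m.lower() for m in in_use}
    result: Dict[str, str] = {}
    for name in guests:
        mac = guest_mac(name)
        if mac in taken:
            raise ValueError(f"MAC {mac} for guest {name} collides with an address already in use")
        taken.add(mac)
        result[name] = mac
    return result


if __name__ == "__main__":
    # Constructed data: two guests, one address already present on the segment.
    for name, mac in assign_macs(["bs004", "bs005"], {"00:16:36:1e:dd:f3"}).items():
        print(f"# {name}")
        print(interface_xml(mac))
```

Feed assign_macs() the addresses already on your segment (from arp -an, or the DHCP server's lease table) as the in_use set. A collision is a hard error on purpose: two NICs with one MAC on a bridge means the bridge's forwarding table flaps between ports and both guests intermittently lose traffic, which is much harder to diagnose than a refused config.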
I had the same issue on my local network (DHCP server could not update DNS) so I cobbled up a shell script that runs periodically to update DNS manually. It does a ping-sweep using "nmap -sP 192.168.1.0/24" and parses the output. The output (obfuscated and abbreviated) looks like this:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-07-16 20:53 CDT
Host 192.168.1.1 appears to be up.
MAC Address: **:**:**:**:**:** (Unknown)
Host 192.168.1.2 appears to be up.
MAC Address: **:**:**:**:**:** (Compaq Computer)
Host workstation.local (192.168.1.5) appears to be up.
MAC Address: **:**:**:**:**:** (Hewlett Packard)
Host printer.local (192.168.1.9) appears to be up.
In my case, I added the MAC address/DNS name pairs in /etc/ethers and use that to drive the process. I've even got a few VMware hosts with bridged interfaces, they work the same as the physical machines.
Admittedly, it's a heck of a kludge.
On Fri, 2010-07-16 at 20:59 -0500, Jay Leafey wrote:
I had the same issue on my local network (DHCP server could not update DNS) so I cobbled up a shell script that runs periodically to update DNS manually. It does a ping-sweep using "nmap -sP 192.168.1.0/24" and parses the output. The output (obfuscated and abbreviated) looks like this:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-07-16 20:53 CDT
Host 192.168.1.1 appears to be up.
MAC Address: **:**:**:**:**:** (Unknown)
Host 192.168.1.2 appears to be up.
MAC Address: **:**:**:**:**:** (Compaq Computer)
Host workstation.local (192.168.1.5) appears to be up.
MAC Address: **:**:**:**:**:** (Hewlett Packard)
Host printer.local (192.168.1.9) appears to be up.
In my case, I added the MAC address/DNS name pairs in /etc/ethers and use that to drive the process. I've even got a few VMware hosts with bridged interfaces, they work the same as the physical machines.
Admittedly, it's a heck of a kludge.
--- Awesome but a Day Late and a Dollar Short && Care to share that shell script please. && Why do you scrub the MACs?
John
JohnS wrote:
Awesome but a Day Late and a Dollar Short && Care to share that shell script please.
OK, but I warned you, it's a kludge.
#!/bin/bash
#
# Get a list of the hosts on the local network via nmap -sP and check
# them against the ethers file to retrieve the host name, if any.
# Check DNS to see if the DNS entries match it in the local domain and,
# if not, make the necessary changes.
#
# $Id$
# Jay Leafey - 10/29/2009
#

# Any argument puts the script in test mode: print the nsupdate batch
# instead of sending it.
TEST=0
test $# -gt 0 && TEST=1

NSUPDATES=$( mktemp -t dynamic_dns.XXXXXXXXXX )
ME=$( hostname -f )

echo "server localhost" > ${NSUPDATES}

# nmap prints "Host <ip> appears to be up." (or "Host <name> (<ip>) appears
# to be up.") followed by a "MAC Address: <mac> (<vendor>)" line for every
# host except the scanning host itself, which is skipped below.
nmap -sP 192.168.1.0/24 | \
while read f1 f2 f3 f4 f5
do
    if [ "${f1}" == "Host" ]
    then
        if [ "${f2}" == "${ME}" ]
        then
            continue
        fi
        read m1 m2 m3 m4 m5
        MYIP=""
        if [ "${f2%.*}" == "192.168.1" ]
        then
            MYIP=${f2}
        else
            MYIP=$( echo "${f3}" | sed 's/[()]//g' )
        fi
        MYMAC=${m3}
        # Single quotes around the awk program: inside double quotes the
        # shell expands $2 itself (to the script's second argument, normally
        # empty) and awk ends up printing the whole ethers line.
        MYHOST=$( grep -i "^${MYMAC}" /etc/ethers | awk '{ print $2 }' | tr A-Z a-z )
        #~ echo "${MYMAC} ${MYIP} ${MYHOST}"

        if [ "${MYHOST}" ]
        then
            #~ Set the "forward" DNS entry
            DNSIP=$( host ${MYHOST} 2>/dev/null | awk '/ has address / { print $NF }' )
            if [ -z "${DNSIP}" ]
            then
                echo -e "update add ${MYHOST}.local 2400 IN A ${MYIP}\n" >> ${NSUPDATES}
            elif [ "${MYIP}" != "${DNSIP}" ]
            then
                echo "update delete ${MYHOST}.local IN A ${DNSIP}" >> ${NSUPDATES}
                echo -e "update add ${MYHOST}.local 240 IN A ${MYIP}\n" >> ${NSUPDATES}
            fi
            #~ Set the "reverse" DNS entry
            DNSRR=$( host ${MYIP} | awk '/ domain name pointer / { print $1 }' )
            DNSPTR=$( host ${MYIP} | awk '/ domain name pointer / { print $NF }' )
            if [ -z "${DNSPTR}" ]
            then
                echo -e "update add ${MYIP##*.}.1.168.192.in-addr.arpa 2400 IN PTR ${MYHOST}.local.\n" >> ${NSUPDATES}
            elif [ "${DNSPTR}" != "${MYHOST}.local." ]
            then
                echo "update delete ${DNSRR} IN PTR" >> ${NSUPDATES}
                echo -e "update add ${DNSRR} 2400 IN PTR ${MYHOST}.local.\n" >> ${NSUPDATES}
            fi
        fi
    fi
done

if [ ${TEST} -gt 0 ]
then
    cat ${NSUPDATES}
    rm -f ${NSUPDATES}
    exit
fi

# The "server localhost" line is always there, so more than one line means
# there is something to send. Read from stdin so wc prints only the count
# and not the file name, which would break the numeric test.
if [ $( wc -l < ${NSUPDATES} ) -gt 1 ]
then
    # cat ${NSUPDATES}
    nsupdate ${NSUPDATES}
    if [ $? -ne 0 ]
    then
        echo "nsupdate failed:"
        cat ${NSUPDATES}
    fi
fi

rm -f ${NSUPDATES}

exit
The code makes a LOT of assumptions that may only be valid in my home network, but perhaps the ideas will be useful. I have considered rewriting this in Perl, but it works and I really need the time for other projects.
&& Why do you scrub the MACs?
Sheer paranoia and long-standing habit.
Enjoy!
On Sat, 2010-07-17 at 00:21 -0500, Jay Leafey wrote:
JohnS wrote:
Awesome but a Day Late and a Dollar Short && Care to share that shell script please.
OK, but I warned you, it's a kludge.
Well, it's a lil better than nothing at all, right?
The code makes a LOT of assumptions that may only be valid in my home network, but perhaps the ideas will be useful. I have considered rewriting this in Perl, but it works and I really need the time for other projects.
It's the ideas that I like to see and the methodology behind it. I have to admit I liked the idea of the /etc/ethers file for MAC to Hostname translation.
&& Why do you scrub the MACs?
Sheer paranoia and long-standing habit.
Elaborate, you're that paranoid? Over paranoid gets you faster than scrubbing MACs. I would worry about, does my router have holes in it? Plus let your MAC fly on the wireless network. I let my neighbor connect to mine, they can't afford the internet. One caveat, all they have is net access.
John
JohnS wrote:
&& Why do you scrub the MACs?
Sheer paranoia and long-standing habit.
Elaborate, you're that paranoid? Over paranoid gets you faster than scrubbing MACs. I would worry about, does my router have holes in it? Plus let your MAC fly on the wireless network. I let my neighbor connect to mine, they can't afford the internet. One caveat, all they have is net access.
Back in the mists of time, when I was working with VAXen and DECnet Phase IV, the general practice in our shop was to be careful about making MAC addresses generally known. Seems a quaint habit considering the network today, but old habits are sometimes hard to break... and they are not always a bad thing!
As far as the security of my home network goes, I get a giggle every time I scan for wireless networks at home. Mine is the ONLY network that I can reach that is encrypted.
As far as paranoia goes, one of my mentors once told me that a mild degree was a useful attribute for a system administrator. It tends to make one spend more time thinking about what CAN go wrong, which is great if you actually put the results into practice.
Jay Leafey wrote:
JohnS wrote:
&& Why do you scrub the MACs?
Sheer paranoia and long-standing habit.
Elaborate, you're that paranoid? Over paranoid gets you faster than scrubbing MACs. I would worry about, does my router have holes in it? Plus let your MAC fly on the wireless network. I let my neighbor connect to mine, they can't afford the internet. One caveat, all they have is net access.
Back in the mists of time, when I was working with VAXen and DECnet Phase IV, the general practice in our shop was to be careful about making MAC addresses generally known. Seems a quaint habit considering the network today, but old habits are sometimes hard to break... and they are not always a bad thing!
Yep.
As far as the security of my home network goes, I get a giggle every time I scan for wireless networks at home. Mine is the ONLY network that I can reach that is encrypted.
Please - I've enabled WPA, whatever I can, on my ladyfriend's FIOS, and my own DSL, and push everyone else. It boggles my mind when I look for wireless networks in a residential neighborhood, and see so many that are just *open*.
As far as paranoia goes, one of my mentors once told me that a mild degree was a useful attribute for a system administrator. It tends to make one spend more time thinking about what CAN go wrong, which is great if you actually put the results into practice.
A buddy of mine, who was the sr. systems and network admin I worked with 10 years ago, used to say he was professionally paid to be paranoid.
mark
On 07/19/2010 07:09 AM, m.roth@5-cent.us wrote:
Jay Leafey wrote:
As far as paranoia goes, one of my mentors once told me that a mild degree was a useful attribute for a system administrator. It tends to make one spend more time thinking about what CAN go wrong, which is great if you actually put the results into practice.
A buddy of mine, who was the sr. systems and network admin I worked with 10 years ago, used to say he was professionally paid to be paranoid.
mark
'The question is not "Am I paranoid?", it is "Am I paranoid *enough*?"'
It's an old sysadmin adage.
On Mon, Jul 19, 2010 at 10:09:37AM -0400, m.roth@5-cent.us wrote:
Jay Leafey wrote:
As far as paranoia goes, one of my mentors once told me that a mild degree was a useful attribute for a system administrator. It tends to make one spend more time thinking about what CAN go wrong, which is great if you actually put the results into practice.
A buddy of mine, who was the sr. systems and network admin I worked with 10 years ago, used to say he was professionally paid to be paranoid.
Reasonable paranoia is good; excessive paranoia is prohibitive and results in the computer being locked in a steel box, covered in cement and dropped into the middle of the ocean.
The security professional balances paranoia with practicality and usability.
On Mon, July 19, 2010 09:09, m.roth@5-cent.us wrote:
Jay Leafey wrote:
As far as the security of my home network goes, I get a giggle every time I scan for wireless networks at home. Mine is the ONLY network that I can reach that is encrypted.
Please - I've enabled WPA, whatever I can, on my ladyfriend's FIOS, and my own DSL, and push everyone else. It boggles my mind when I look for wireless networks in a residential neighborhood, and see so many that are just *open*.
On the other hand, Bruce Schneier does not really agree with you http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html.
There are two issues I see with wireless network security.
One is that people could use it to compromise your data. I think this is an inappropriate worry. What you should do is configure your systems so that they don't depend on the security of the network they're attached to. This is especially important for laptops -- if you ever take them away from home and connect to other networks, you *must* secure the *system*, not the network. (Bruce spends huge amounts of time away from home, so this is perhaps more obvious to him than to most people.)
The other is somebody using it to do something that draws unwanted attention (and possibly is criminal), but not *directly* harmful to you. This could indeed cause you annoyance; on the other hand, it's not very likely. And they could do the same by hacking into a supposedly secured system (probably) or otherwise compromising one of your computers. One of the biggest risks is probably an RIAA suit; how many people have they sued (it was 26,000 in 2008 when Bruce's article was written)? But that's 26,000 out of, it is widely believed, hundreds of millions of downloaders; not very high odds of being hit. AND you could still deploy the "some other dude done it" defense.
It's certainly very handy to have access to wireless when I visit friends, go to parties, and so forth. I have an unsecured network of my own at home that I turn on for parties (fairly small bandwidth).
David Dyer-Bennet wrote:
On Mon, July 19, 2010 09:09, m.roth@5-cent.us wrote:
Jay Leafey wrote:
As far as the security of my home network goes, I get a giggle every time I scan for wireless networks at home. Mine is the ONLY network that I can reach that is encrypted.
Please - I've enabled WPA, whatever I can, on my ladyfriend's FIOS, and my own DSL, and push everyone else. It boggles my mind when I look for wireless networks in a residential neighborhood, and see so many that are just *open*.
On the other hand, Bruce Schneier does not really agree with you http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html.
Yeah, well, I'll talk to Bruce, next time he shows up at a con I'm at. I've *had* my IP blocked, and that was by, what, DNSORBS, or what was his name's thing, and what got blocked was the range of my ISP's range for the city. I also *do* worry about someone I know sending out crap having forged my email address, so, yeah, there's a lot of small-time nastiness out there, and so I *do* secure it as best I can.
I ought to email him, and see if he still feels that way.
There are two issues I see with wireless network security.
<snip>
It's certainly very handy to have access to wireless when I visit friends, go to parties, and so forth. I have an unsecured network of my own at home that I turn on for parties (fairly small bandwidth).
Right. If I trust someone to come over who wants to use a laptop/netbook, I trust 'em enough to hand them the WPA key. I *don't* trust a wardriver at all.
mark
On Mon, July 19, 2010 13:39, m.roth@5-cent.us wrote:
David Dyer-Bennet wrote:
On Mon, July 19, 2010 09:09, m.roth@5-cent.us wrote:
Jay Leafey wrote:
As far as the security of my home network goes, I get a giggle every time I scan for wireless networks at home. Mine is the ONLY network that I can reach that is encrypted.
Please - I've enabled WPA, whatever I can, on my ladyfriend's FIOS, and my own DSL, and push everyone else. It boggles my mind when I look for wireless networks in a residential neighborhood, and see so many that are just *open*.
On the other hand, Bruce Schneier does not really agree with you http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html.
Yeah, well, I'll talk to Bruce, next time he shows up at a con I'm at. I've *had* my IP blocked, and that was by, what, DNSORBS, or what was his name's thing, and what got blocked was the range of my ISP's range for the city. I also *do* worry about someone I know sending out crap having forged my email address, so, yeah, there's a lot of small-time nastiness out there, and so I *do* secure it as best I can.
I ought to email him, and see if he still feels that way.
He still did last time we talked about it, which wasn't too many months ago. Although some of the potential legal nastiness, particularly if it's done deliberately as a frame rather than just exploiting the open bandwidth, does seem to be starting to worry him just a little. (Also he's in the position of being a more likely potential target for such things than most of us.)
There are two issues I see with wireless network security.
<snip>
It's certainly very handy to have access to wireless when I visit friends, go to parties, and so forth. I have an unsecured network of my own at home that I turn on for parties (fairly small bandwidth).
Right. If I trust someone to come over who wants to use a laptop/netbook, I trust 'em enough to hand them the WPA key. I *don't* trust a wardriver at all.
Trouble is, a good key is enough trouble to type in that lots of people don't get it right, so there's *support* work too. So my party network is open.
Maybe I should load it onto a thumb drive to pass around; though that wouldn't help people like me that might want it on a smartphone or tablet (mini-tablet, Nokia N800 in my case) that doesn't read USB drives. But it at least covers the laptop people.
On 16-Jul-10 19:17, Kahlil Hodgson wrote:
On 07/17/2010 12:39 AM, David Dyer-Bennet wrote:
The domU got its IP from the corporate DHCP server, which is what I intended (that's why I'm running bridged, I'm using virtual servers to separate functions while conserving physical boxes, so I want them to present as separate systems to users on the network).
An alternative, if you have some control over the DHCP server, might be to enforce a mapping of MAC addresses to IPs. You can pretty much set your guest MAC addresses to whatever you want so long as they don't conflict with anything else.
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
On 18/07/10 12:04, David Dyer-Bennet wrote:
An alternative, if you have some control over the DHCP server, might be to enforce a mapping of MAC addresses to IPs. You can pretty much set your guest MAC addresses to whatever you want so long as they don't conflict with anything else.
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
As a quick hack, while you experiment, you could just get the guest to send you an email on boot with its current IP. Say, by putting the following at the end of your /etc/rc.local
/sbin/ip ad | /bin/mailx -s "IP details for `hostname`" <emailaddr>
Kal
On Sun, July 18, 2010 20:54, Kahlil Hodgson wrote:
On 18/07/10 12:04, David Dyer-Bennet wrote:
An alternative, if you have some control over the DHCP server, might be to enforce a mapping of MAC addresses to IPs. You can pretty much set your guest MAC addresses to whatever you want so long as they don't conflict with anything else.
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
As a quick hack, while you experiment, you could just get the guest to send you an email on boot with its current IP. Say, by putting the following at the end of your /etc/rc.local
/sbin/ip ad | /bin/mailx -s "IP details for `hostname`" <emailaddr>
Good hack, should have thought of that! Thanks.
David Dyer-Bennet wrote:
On 16-Jul-10 19:17, Kahlil Hodgson wrote:
On 07/17/2010 12:39 AM, David Dyer-Bennet wrote:
The domU got its IP from the corporate DHCP server, which is what I intended (that's why I'm running bridged, I'm using virtual servers to separate functions while conserving physical boxes, so I want them to present as separate systems to users on the network).
An alternative, if you have some control over the DHCP server, might be to enforce a mapping of MAC addresses to IPs. You can pretty much set your guest MAC addresses to whatever you want so long as they don't conflict with anything else.
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
Haven't really been following this thread, but why not set the guest VMs up with 192.168 IPs, and let the host serve DHCP with masquerading to them?
mark
On 7/19/2010 9:22 AM, m.roth@5-cent.us wrote:
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
Haven't really been following this thread, but why not set the guest VMs up with 192.168 IPs, and let the host serve DHCP with masquerading to them?
Has anyone suggested arpwatch yet? I think it can send you email when a new mac/ip appears on the network and would be useful even outside the context of virtual machines.
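Editor's added example, not from the thread and not arpwatch's own code: the logic arpwatch applies, run here over constructed `ip -4 neigh show` output instead of sniffed ARP frames. It keeps a MAC-per-IP table and reports the three events arpwatch mails about: a new station, an IP that now answers from a different MAC, and a flip flop back to a MAC seen before. The second of those is also what an ARP spoofing attempt looks like from the host, so the same watcher that tells you where a new guest landed tells you when something else claims a neighbour's address. The neighbour-table lines, addresses and device name are made up.

```python
import re
import subprocess
from typing import Dict, List, Set, Tuple

# One entry per line, in the shape ip(8) prints them:
#   192.168.1.143 dev br0 lladdr 00:16:3e:12:34:56 REACHABLE
#   192.168.1.50 dev br0  FAILED            (no lladdr: nothing usable)
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r"(?:\s+\S+)*?\s+(?P<state>[A-Z]+)\s*$"
)

Event = Tuple[str, str, str]   # (kind, ip, mac)


def parse_neigh(output: str) -> Dict[str, str]:
    """ip -> mac for every entry that carries a resolved hardware address."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        if m.group("state") in ("FAILED", "INCOMPLETE"):
            continue
        table[m.group("ip")] = m.group("mac").lower()
    return table


def read_kernel_neigh() -> Dict[str, str]:
    """Live poll of dom0's own neighbour cache (not used by the demo)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"], check=True,
                         capture_output=True, text=True).stdout
    return parse_neigh(out)


class ArpWatcher:
    """Remembers the last MAC seen per IP and every MAC ever seen for it,
    and reports the same three things arpwatch does."""

    def __init__(self) -> None:
        self.current: Dict[str, str] = {}
        self.history: Dict[str, Set[str]] = {}

    def observe(self, table: Dict[str, str]) -> List[Event]:
        events: List[Event] = []
        for ip, mac in sorted(table.items()):
            seen = self.history.setdefault(ip, set())
            if ip not in self.current:
                events.append(("new station", ip, mac))
            elif self.current[ip] != mac:
                # The IP answers from a different MAC: a rebuilt guest, a
                # re-used lease, or another host claiming the address.
                kind = "flip flop" if mac in seen else "changed ethernet address"
                events.append((kind, ip, mac))
            seen.add(mac)
            self.current[ip] = mac
        return events


# Constructed polls: gateway plus one guest; the guest's address moves to a
# second MAC while another guest appears; then the first MAC is back.
SNAPSHOTS = [
    "192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE\n"
    "192.168.1.143 dev br0 lladdr 00:16:3e:12:34:56 STALE\n"
    "192.168.1.50 dev br0  FAILED\n",
    "192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE\n"
    "192.168.1.143 dev br0 lladdr 00:16:3e:ab:cd:ef REACHABLE\n"
    "192.168.1.144 dev br0 lladdr 00:16:3e:00:00:09 REACHABLE\n",
    "192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE\n"
    "192.168.1.143 dev br0 lladdr 00:16:3e:12:34:56 REACHABLE\n"
    "192.168.1.144 dev br0 lladdr 00:16:3e:00:00:09 STALE\n",
]


def run_demo(snapshots: List[str] = SNAPSHOTS) -> List[List[Event]]:
    """Events raised by each successive poll, in order."""
    watcher = ArpWatcher()
    return [watcher.observe(parse_neigh(s)) for s in snapshots]


if __name__ == "__main__":
    for n, events in enumerate(run_demo(), 1):
        for kind, ip, mac in events:
            print(f"poll {n}: {kind:24s} {ip:16s} {mac}")
```

Polling the kernel's neighbour cache only shows hosts dom0 has actually exchanged traffic with, which is why arpwatch sniffs ARP on the wire instead; if you poll, pair it with a ping sweep like the nmap -sP one earlier in the thread so every live host has an entry. read_kernel_neigh() does the live poll through ip(8).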
On Mon, July 19, 2010 12:29, Les Mikesell wrote:
On 7/19/2010 9:22 AM, m.roth@5-cent.us wrote:
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network). It's at this early experimental stage that it'd be handy to find out externally what they ended up being.
Haven't really been following this thread, but why not set the guest VMs up with 192.168 IPs, and let the host serve DHCP with masquerading to them?
Has anyone suggested arpwatch yet? I think it can send you email when a new mac/ip appears on the network and would be useful even outside the context of virtual machines.
Nobody has previously, that I've noticed anyway. Thanks, that sounds like it does just what I'm looking for.
Les Mikesell wrote:
On 7/19/2010 9:22 AM, m.roth@5-cent.us wrote:
In the long run, they'll be static; but at the moment the permanent IPs haven't been assigned, and I'm just letting them pick something up via corporate DHCP (to avoid conflicting with anything else on the network).
<snip>
Haven't really been following this thread, but why not set the guest VMs up with 192.168 IPs, and let the host serve DHCP with masquerading to them?
Has anyone suggested arpwatch yet? I think it can send you email when a new mac/ip appears on the network and would be useful even outside the context of virtual machines.
<kicks self> Good suggestion, Mike (he says, having just gotten an arpwatch email....)
mark
Rudi Ahlers wrote, On 07/16/2010 02:56 AM:
On Thu, Jul 15, 2010 at 10:06 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
My dom0 /var/log/messages doesn't have anything on assignments to guests. bs004 (ID 9), for example, currently has 192.168.1.143, but there's nothing about that IP in dom0 /var/log/messages.
is the dom0 a static IP or a static DNS name? If dom0 is static in some way, how about having the syslogs on all the domUs setup to all send their logs to the dom0? You might have to use logger(1) on boot (rc.local?) to add a message that will help you distinguish between the different hosts.
On Mon, July 19, 2010 09:00, Todd Denniston wrote:
Rudi Ahlers wrote, On 07/16/2010 02:56 AM:
On Thu, Jul 15, 2010 at 10:06 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
My dom0 /var/log/messages doesn't have anything on assignments to guests. bs004 (ID 9), for example, currently has 192.168.1.143, but there's nothing about that IP in dom0 /var/log/messages.
is the dom0 a static IP or a static DNS name? If dom0 is static in some way, how about having the syslogs on all the domUs setup to all send their logs to the dom0? You might have to use logger(1) on boot (rc.local?) to add a message that will help you distinguish between the different hosts.
Ah, another good idea. I had a static IP on the dom0 well before I got them for the guests, so that would have been useful there, yes.
Thanks!
On Thu, Jul 15, 2010 at 12:03 PM, David Dyer-Bennet dd-b@dd-b.net wrote:
If I can log in to the guest through the console, I can of course find out what IP DHCP has assigned it. If I configure a static IP I can of course connect to the system there (if it runs services, the firewall allows it, all the usual caveats).
Does there happen to be any way to determine from dom0 what IPs are participating in the network and which guests they belong to? (I'm configuring everything as bridged; basically I want to use virtualization to pretend I have a bunch of independent systems visible to the outside.)
Soon after I started using kvm and created guests with bridged network, I asked the same question as yours. I have not been able to find a clear answer to date. If I'm not mistaken, there is no easy solution as you suspected. The host has no knowledge of the guests' IPs because an outside DHCP server (in my case at home, it is a router/cable modem) provides the IP addresses. So, I've been using the "console" method.
Akemi
On 7/16/2010 10:11 AM, Akemi Yagi wrote:
On Thu, Jul 15, 2010 at 12:03 PM, David Dyer-Bennetdd-b@dd-b.net wrote:
If I can log in to the guest through the console, I can of course find out what IP DHCP has assigned it. If I configure a static IP I can of course connect to the system there (if it runs services, the firewall allows it, all the usual caveats).
Does there happen to be any way to determine from dom0 what IPs are participating in the network and which guests they belong to? (I'm configuring everything as bridged; basically I want to use virtualization to pretend I have a bunch of independent systems visible to the outside.)
Soon after I started using kvm and created guests with bridged network, I asked the same question as yours. I have not been able to find a clear answer to date. If I'm not mistaken, there is no easy solution as you suspected. The host has no knowledge of the guests' IPs because an outside DHCP server (in my case at home, it is a router/cable modem) provides the IP addresses. So, I've been using the "console" method.
Your router/cablemodem most likely has a web interface where you can find a log and a mapping of MAC addresses to the IP addresses it has given out. You might even be able to configure it to syslog to your centos box. You should also be able to see the DHCP traffic activity by running tcpdump or wireshark on the bridged host physical interface as the guest starts.
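Editor's added example, not code from the thread: what you are reading when you watch that DHCP exchange on the host. tcpdump -v already decodes BOOTP/DHCP options, so in practice `tcpdump -ni eth0 -v 'udp port 67 or udp port 68'` on the bridge's physical interface is enough to see the answer; the decoder below makes the mapping explicit. It pulls the client hardware address (chaddr) and the assigned address (yiaddr) out of the DHCPACK, the message that confirms what the guest will actually use, rather than out of the OFFER or REQUEST, and refuses truncated or non-DHCP payloads instead of guessing. The packets are constructed in the block so it runs offline; the guest MAC, addresses and transaction id are made up.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # cookie that separates BOOTP vendor area from DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE_TIME = 53, 54, 51


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the option list of one UDP payload.
    Raises ValueError for anything that is not a well-formed DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("payload too short or missing DHCP magic cookie")
    op, htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet client addresses are handled here")
    ciaddr, yiaddr, siaddr, giaddr = (
        socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])

    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # END
            break
        if code == 0:                        # PAD
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of payload" % code)
        options[code] = value
        i += 2 + length
    else:
        raise ValueError("option list not terminated by END")

    msg_type = options.get(OPT_MSG_TYPE, b"")
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr, "chaddr": chaddr,
            "message_type": MSG_TYPES.get(msg_type[0]) if msg_type else None,
            "options": options}


def lease_from_ack(payload: bytes) -> Optional[Tuple[str, str, str, Optional[int]]]:
    """(client MAC, assigned IP, server, lease seconds) for a DHCPACK,
    None for any other message type."""
    msg = parse_dhcp(payload)
    if msg["message_type"] != "ACK":
        return None
    opts = msg["options"]
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else msg["siaddr"]
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    return msg["chaddr"], msg["yiaddr"], server, lease


def leases_from_payloads(payloads: List[bytes]) -> Dict[str, str]:
    """MAC -> IP for every ACK seen; non-DHCP or malformed payloads are skipped."""
    leases: Dict[str, str] = {}
    for p in payloads:
        try:
            lease = lease_from_ack(p)
        except ValueError:
            continue
        if lease:
            leases[lease[0]] = lease[1]
    return leases


def build_dhcp_message(msg_type: int, xid: int, mac: bytes, yiaddr: str,
                       server: str, lease_seconds: int) -> bytes:
    """Constructed sample packets for the demo, not captured traffic."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2       # BOOTREQUEST vs BOOTREPLY
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    fixed += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
    fixed += socket.inet_aton(server if op == 2 else "0.0.0.0") + socket.inet_aton("0.0.0.0")
    fixed += mac + b"\x00" * 10 + b"\x00" * 64 + b"\x00" * 128   # chaddr pad, sname, file
    opts = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
    if op == 2:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server)
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
        opts += bytes([1, 4]) + socket.inet_aton("255.255.255.0")   # subnet mask
    return fixed + opts + b"\xff"


GUEST_MAC = bytes.fromhex("00163e123456")   # made-up guest MAC
SAMPLE_PAYLOADS = [
    build_dhcp_message(1, 0x3903F326, GUEST_MAC, "0.0.0.0", "0.0.0.0", 0),                 # DISCOVER
    build_dhcp_message(5, 0x3903F326, GUEST_MAC, "192.168.1.143", "192.168.1.1", 86400),   # ACK
    b"not dhcp at all",
]

if __name__ == "__main__":
    for mac, ip in leases_from_payloads(SAMPLE_PAYLOADS).items():
        print(f"{mac} -> {ip}")
```

Keying the table on the ACK is what makes it trustworthy: OFFERs can come from more than one server and a REQUEST only says what the client asked for. When you feed this real captures, remember that a rogue DHCP server on the segment shows up here as ACKs from an unexpected server address, which is worth alerting on in its own right.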
On Fri, Jul 16, 2010 at 8:40 AM, Les Mikesell lesmikesell@gmail.com wrote:
On 7/16/2010 10:11 AM, Akemi Yagi wrote:
Soon after I started using kvm and created guests with bridged network, I asked the same question as yours. I have not been able to find a clear answer to date. If I'm not mistaken, there is no easy solution as you suspected. The host has no knowledge of the guests' IPs because an outside DHCP server (in my case at home, it is a router/cable modem) provides the IP addresses. So, I've been using the "console" method.
Your router/cablemodem most likely has a web interface where you can find a log and a mapping of MAC addresses to the IP addresses it has given out. You might even be able to configure it to syslog to your centos box. You should also be able to see the DHCP traffic activity by running tcpdump or wireshark on the bridged host physical interface as the guest starts.
Sure, I can retrieve the info from my cable modem. I also tried wireshark. I then decided looking at the console was much "quicker" for me. But if I'm in a situation where the guests are constantly created and there is a need for semi-automatic retrieval of guest's IPs, I would spend some time for that.
Akemi
On 07/16/2010 04:57 PM, Akemi Yagi wrote:
Sure, I can retrieve the info from my cable modem. I also tried wireshark. I then decided looking at the console was much "quicker" for me. But if I'm in a situation where the guests are constantly created and there is a need for semi-automatic retrieval of guest's IPs, I would spend some time for that.
This isn't hard at all, just set up your DHCP server to update DNS and parse the BIND dbdumps whenever you care to find out what's live at this time.
- KB