On Sun, Jun 1, 2014 at 8:45 PM, lee <lee at yun.yagibdah.de> wrote: > Hi, > > what is the proposed way to create domU guests on centos 6.5? At first > I tried to follow the documentation on the xen project website which > recommends using xl. I created a config file and ended up with getting > a message that the kernel is not bootable when trying to create a guest. > I also had to stop some daemon (xend?) because it said that xl isn`t > compatible with it and the daemon must be stopped first. > > Then I followed redhat documentation which suggests to use virt-manager > --- which doesn`t work because servers don`t have GUIs. So I finally > managed to create a guest with virt-install. I can start and stop the > guest (which is also running centos), though I don`t think this is the > right way to create one. > > So how exactly are you supposed to create guests? Servers *can* have GUI's. Even if you don't want to install the full Gnome/KDE/display manager toolkits, it's possible to set up enough to run X based applications form another host. And virt-manager can be run from a client, with authenticated access to the libvirt server, though I've generally not done that. If you don't want to bother with that, you'll need to learn 'virsh', which is the actual tool that libvirt uses to do almost everything. > Now I can`t get the networking to work. I`ve been reading lots of > documentation and still don`t understand how that is supposed to work. > As far as I understand, you get three different network interfaces: > > > dom0: a bridge (virbr0) > dom0: a virtual network interface (vifN.X) > domU: a virtual network interface which doesn`t appear to be virtual to > domU [Xen specific network questions skipped, I've not been using Xen lately] > Do I have to set up shorewall (or the like) on dom0 to be able to handle > network access for guests? Would I need to create a bridge for every > guest to be able to handle them separately for firewalling purposes > because otherwise packets circumvent firewall rules by directly going > over the bridge? If so, why are bridges needed? You need to pick. One approach is to set up a bridged connection with one VM, with a second localized VLAN connection, and run shorewall or other firewalls on that VM to manage connections to the rest of the VM's. This leaves your bandwidth trapped at the capacity of that firewall VM, but it's not an uncommon soluiton, especially when running complex firewalls and/or proxies in small environments. Whether you need bridges then depends on where your firewall is. If it lives on another host on your network, yes, your guests need bridges. If it's on a VM with two connections, as I described above, it's potentially much easier to set up on a single firewall VM. But migrating the firewall among multiple VM servers means establishing, and maintaining, a multiple VM server internal network, and if doing that, *THOSE* might mandate bridges. > I would understand doing things like adding those guests that are > visible to the LAN only to the same bridge to have them all reachable > likewise. When doing that, it would seem to make sense to use a > different subnet for guests in the DMZ. It Depends(tm). > All the documentation tells you many different things, none of them work > and it`s totally confusing. Is there any /good/ documentation > somewhere? I suggest what you need to accomplish first. Do you have, or want to build, firewalls? Are you isolating DMZ hosts or public facing webservers that need heightened isolation and security?