[Openais] Two questions; Intro to AIS? and TOTEM errors in fence loop

Darren Thompson darrent at akurit.com.au
Mon Nov 2 22:20:48 PST 2009 

Madison et al (sorry I did not realise Kelly was
 your surname ;-) 

To provide increased protection for you Dom0s, what you can do is
configure the last bridge (br2) (e.g. the one that your VM will be
attaching to), as a "bind bridge".

By that I mean remove the IP address from the ethernet port and the
Bridge. The bridge is a layer 2 device so does not need an IP address to
function and it adds one more layer of isolation between the Internet
and your Dom0 servers.

I currently use this style for some Internet facing servers myself and
so far (touch wood) no one has yet managed to comprise any of my Dom0
servers, and I'm sure that brighter minds than mine have tried... :-)

The down side of that is that the VM's will not be able to communicate
with the Dom0 servers (except through an external router/firewall). You
can still access the VMs consoles through 'virt-manager' as it sets up
some sort of VNC proxy port.

Again

I hope this helps

Darren

On Mon, 2009-11-02 at 20:47 -0500, Madison Kelly wrote:
> Steven Dake wrote:
> > On Tue, 2009-11-03 at 08:46 +1030, Darren Thompson wrote:
> >> Kelly et al
> >>
> >> My experience is from SLES (SUSE Enterprise) so you may need to
> >> "localise" this for your distribution.
> >>
> >> First of all, get rid of that crappy "network bridge fudge script" that
> >> XEN uses to monkey around with your comms when XEND starts. Find the
> >> file Xendconfig.sxp (or the equivalent xend config file).
> >> Find the network section where it explains the various bridging methods
> >> and look for the line "network-bridge". REM this line out completely.
> >>
> >> Now using the appropriate network tools create a network bridge for each
> >> real NIC that you have (in this case br0, br1, br2).
> >> Within the bridge script, connect each of your real Ethernet ports to
> >> the bridge, remove any IP configuration from the Ethernet port, add the
> >> network configuration to the bridge. Do the same for both nodes.
> >> Note; you can also bond the NICs first, then connect the bond to the
> >> bridge and this also works, now with NIC redundancy,
> >>
> >> This way the bridging is intrinsically set up from network
> >> initialisation and is not change part of the way through the boot
> >> process (the ugly Xen network script caused me all sorts of hassles with
> >> clusters which is why I now do it this way).
> >>
> >> I hope this helps.
> >>
> >> Regards
> >> Darren
> >>
> >>
> > 
> > Darren
> > 
> > Thanks for the detailed explination.
> > 
> > There are numerous issues with xend and openais operating together
> > because xen does wierd networking stuff after openais is started.
> > 
> > I hope the above helps.
> > 
> > Regards
> > -steve
> 
> Thanks to both of you! I was starting to think I was on my own. :)
> 
> Steve is right, it turned out to be a startup order issue. Basically, 
> Xen would come up after the cluster was online and kick it's legs out 
> from under it.
> 
> Now I've got it working stably with the Xen networking in place. This I 
> needed because a VM will be my firewall and I wanted dom0 out of the 
> equation.
> 
> I really appreciate both of you replying to me, thanks again!
> 
> Madi
>

More information about the Openais mailing list