Steve's Blog

Xen Dom0 kernel update & new -devel packages

Rebuilt against kernel version 2.6.32.55. The changelog is as follows:

* Tue Feb 07 2012 Steven Haigh <netwiz@crc.id.au>
- Re-enable all but the digitv USB DVB modules.
  Sadly, digitv still fails to build.
- Minor tweak of the kernel-xen-devel package.

* Wed Feb 01 2012 Steven Haigh <netwiz@crc.id.au>
- Attempt to create a kernel-xen-devel package able to build modules from.

The drbd kernel module has been built successfully against this kernel-xen-devel package, so other third-party modules should hopefully build without too many issues as well.

I’ve also included a new bridge-utils package that removes the errors the stock EL6 bridge-utils produces when running brctl show.

Xen kernel testers required

Ok, so I’ve had quite a few requests to get a kernel-xen-devel package happening so people can build third-party kernel modules against my Xen Dom0 kernel.

Now I think that I’ve got this sorted out - but before I inflict it on the world I’d like to get a few testers to check if it works at all. It seems the most common request is to build the drbd module from somewhere (not quite sure where).

As such, I’m hunting for at least one or two people who can install my kernel RPMs plus the kernel-xen-devel package, see whether they succeed in building third-party modules, and then let me know if it works or not.

Email me if you’re able to help!

Network antispoof with Xen 4.x

I’ve recently set up a new Xen Dom0 for use by a lot of people - many of whom I may not know very well. This being the case, I want to make sure that people behave and don’t take more than they are allocated. The big thing that I needed to solve was people just taking IP addresses out of the /24 assigned to the server.

Xen 3.4.1 had a working solution; however, it seems to be completely broken in 4.x.

So, to solve this, I found that you can do some magic in iptables to achieve the same result.

1) Enable iptables filtering of bridged traffic in /etc/sysctl.conf

net.bridge.bridge-nf-call-iptables = 1

Then reload the file using sysctl -p. Note that the net.bridge.* keys only exist once the bridge module is loaded, so do this on a host that already has its bridge up, otherwise sysctl -p will complain that the key is unknown.

2) Write the rules in /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [26:2197]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:63703]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 11:22:33:44:55:67 -j ACCEPT
-A FORWARD -j DROP
COMMIT

3) When you set up the DomU config file in /etc/xen, alter your vif line to specify the MAC address:

vif             = [ 'mac=11:22:33:44:55:66,bridge=br0' ]

Now for the explanation. A packet sent TO a DomU matches the -d 192.168.1.0/24 rule and flows through to the DomU. When the DomU sends a packet out of the subnet, it only passes if the source IP is one of the listed /32 addresses AND the frame's source MAC is the one given in --mac-source for that address; the vif line in step 3 is what pins the DomU to that MAC. Anything that matches neither falls through to the final DROP.

The added benefit is that, because we DROP everything else, a DomU that changes its IP, or grabs an IP that has no MAC entry, simply has its packets dropped.

Two limits are worth knowing. Because the -d 192.168.1.0/24 rule is evaluated first, it accepts traffic between two DomUs on the same /24 regardless of source, so the MAC check only applies to traffic leaving the subnet. And, sadly, there's nothing here to stop people from using other entries you put on the list (a guest can set its own MAC to one you have listed); however, it does stop random resource grabs for IPs.
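The three steps above are easy to get out of sync once there are more than a couple of guests: the IP/MAC pairs live in /etc/sysconfig/iptables and the MACs live again in each /etc/xen config. As an added example (not code from the original post), the POSIX sh script below generates the FORWARD chain and the matching vif= line from a single "ip mac" allow list, validates each entry, and refuses duplicates so a typo cannot quietly widen the list. The allow-list format, the `strict` mode and the assumption that guest vifs on Dom0 are named vif* are mine, not the post's; `strict` adds a physdev rule (needs the xt_physdev match) that drops anything else entering from a guest vif before the destination ACCEPT, which closes the guest-to-guest spoofing gap noted above.

```shell
#!/bin/sh
# Added example, not from the original post: generate the FORWARD chain (and the
# matching DomU vif= line) from one "ip mac" allow list, so the iptables rules and
# the /etc/xen configs come from the same table instead of being typed twice.
# Assumptions (mine, not the post's): the allow list is plain "ip mac" lines, one
# guest per line, and guest vifs on Dom0 are named vif* (the usual Xen naming).

SUBNET="192.168.1.0/24"   # the /24 allocated to the server, as in the post
BRIDGE="br0"              # bridge the guests attach to, as in the post

# Constructed allow list: the two guests from the post's rule set.
ALLOW_LIST='192.168.1.10 11:22:33:44:55:66
192.168.1.11 11:22:33:44:55:67'

# validate_mac MAC: six colon-separated hex octets, either case.
validate_mac() {
    case "$1" in
        ??:??:??:??:??:??)
            # drop every legal character; anything left over is not hex
            [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F:')" ] ;;
        *) return 1 ;;
    esac
}

# validate_ipv4 ADDR: dotted quad with every octet in 0..255.
validate_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_forward_rules SUBNET [strict] < allow-list
# Prints the FORWARD rules in iptables-restore syntax. Returns 1 on a malformed
# line, a duplicate IP or a duplicate MAC, so a typo cannot silently widen the
# list. Default order is the post's. With "strict" (my addition) the per-guest
# ACCEPTs come first and anything else entering from a guest vif is dropped
# before the destination ACCEPT, so a guest cannot spoof a source address even
# towards another guest in the same /24. Needs the xt_physdev match.
gen_forward_rules() {
    subnet=$1
    strict=${2:-}
    seen_ip=" "; seen_mac=" "; guest_rules=""
    while read -r ip mac extra; do
        case "$ip" in ''|\#*) continue ;; esac        # blank line or comment
        if [ -n "$extra" ] || ! validate_ipv4 "$ip" || ! validate_mac "$mac"; then
            echo "gen_forward_rules: bad line: '$ip $mac $extra'" >&2; return 1
        fi
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # iptables shows MACs in lower case
        case "$seen_ip"  in *" $ip "*)  echo "duplicate IP $ip" >&2; return 1 ;; esac
        case "$seen_mac" in *" $mac "*) echo "duplicate MAC $mac" >&2; return 1 ;; esac
        seen_ip="$seen_ip$ip "; seen_mac="$seen_mac$mac "
        guest_rules="$guest_rules-A FORWARD -s $ip/32 -m mac --mac-source $mac -j ACCEPT
"
    done
    [ -n "$guest_rules" ] || { echo "gen_forward_rules: empty allow list" >&2; return 1; }
    if [ "$strict" = strict ]; then
        printf '%s' "$guest_rules"
        printf '%s\n' "-A FORWARD -m physdev --physdev-in vif+ -j DROP"
        printf '%s\n' "-A FORWARD -d $subnet -j ACCEPT"
    else
        printf '%s\n' "-A FORWARD -d $subnet -j ACCEPT"
        printf '%s' "$guest_rules"
    fi
    printf '%s\n' "-A FORWARD -j DROP"
}

# vif_line MAC [BRIDGE]: the /etc/xen vif= entry for one guest, so the MAC in
# the DomU config is the exact string the FORWARD rule matches.
vif_line() {
    printf "vif             = [ 'mac=%s,bridge=%s' ]\n" "$1" "${2:-$BRIDGE}"
}

# Stand-alone demonstration: the FORWARD chain for the allow list above, then
# the vif= line for the first guest.
printf '%s\n' "$ALLOW_LIST" | gen_forward_rules "$SUBNET"
vif_line 11:22:33:44:55:66
```

The generated chain goes in place of the FORWARD lines in /etc/sysconfig/iptables (the INPUT rules and the *filter/COMMIT wrapper stay as in step 2), and the vif_line output goes into the guest's /etc/xen config. Without `strict` the output is exactly the post's rule set; with it, legitimate inbound traffic from eth0 still hits the -d ACCEPT because --physdev-in does not match that port, while a guest frame that fails its IP/MAC pair is dropped whatever its destination.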

What's happened to the last few months?

Ok, so I’ve neglected to put much that's new up here lately…

1) kernel-xen packages have been updated to 2.6.32.50.

2) Started up a new photography site to try and get some great images to people. I really enjoy taking photos, but DAMN the equipment is expensive. I’m hoping to invest anything made on that site back into equipment to take more photos etc.

3) Damn, Christmas AND New Years has passed. It was the first real Christmas dinner with family and friends that I’d been a part of in my own home for waaay too long. Emma really pulled it all together and I couldn’t have done any of it without her.

Xen and Kernel updates.

Just a quick note to say I’ve updated Xen to 4.1.2 and my Dom0 Linux kernel to 2.6.32.50. They should be picked up automatically via yum. Remember to edit your grub.conf correctly after updating the kernel.