Installing a Linux virtual machine with Xen 3.0.3 on CentOS 5.5

The Chinese material online is not detailed enough and for a long time I could not get this working; after dozens of failures it now installs successfully.
With bridging and port forwarding, both the host and the virtual machine can serve the outside world.

I. Installing Xen
1. System information
Dell R410
5506 x2 (CPU), 4G x4 (RAM), 146G SAS x2 (disk)

cat /etc/issue
CentOS release 5.5 (Final)

uname -a
Linux beetel 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

Hostname: server_dom0
Public IP: 61.xxx.xx.xx
VM IP: 192.168.122.11

Check for hardware virtualization support
grep -E '(vmx|svm)' /proc/cpuinfo

flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni vmx est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm

2. Set up the NetEase (163) mirror and update the components
Xen can be installed via yum, from a binary package, or by compiling from source;
I chose yum, which is the most convenient.
cd /etc/yum.repos.d
wget http://mirrors.163.com/.help/CentOS-Base-163.repo
yum makecache
yum groupinstall "Development Libraries"
yum groupinstall "Development Tools"
yum install transfig wget texi2html libaio-devel dev86 glibc-devel e2fsprogs-devel gitk mkinitrd iasl xz-devel bzip2-devel pciutils-libs pciutils-devel SDL-devel libX11-devel gtk2-devel bridge-utils PyXML qemu-common qemu-img mercurial

2. Install the Xen 3.0.3-105.el5_5.5 that ships with CentOS 5.5
This is the 2007 release; the latest is Xen 3.4.3.
yum groupinstall Virtualization

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
gnome-applet-vm x86_64 0.1.2-1.el5 base 76 k
kernel-xen x86_64 2.6.18-194.32.1.el5 updates 20 M
libvirt i386 0.6.3-33.el5_5.3 updates 2.0 M
libvirt x86_64 0.6.3-33.el5_5.3 updates 2.0 M
virt-manager x86_64 0.6.1-12.el5 base 1.5 M
virt-viewer x86_64 0.0.2-3.el5 base 25 k
xen x86_64 3.0.3-105.el5_5.5 updates 1.9 M
Installing for dependencies:
libvirt-python x86_64 0.6.3-33.el5_5.3 updates 137 k
python-virtinst noarch 0.400.3-9.el5_5.1 updates 380 k

Transaction Summary
================================================================================
Install 9 Package(s)
Upgrade 0 Package(s)

Total download size: 28 M
Is this ok [y/N]: y

3. Change default=1 to default=0 in grub.conf so the Xen kernel boots
vi /etc/grub.conf

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.32.1.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-194.32.1.el5
module /vmlinuz-2.6.18-194.32.1.el5xen ro root=/dev/VolGroup00/LogVol02
module /initrd-2.6.18-194.32.1.el5xen.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol02
initrd /initrd-2.6.18-194.el5.img

4. Reboot the machine
reboot

5. After the reboot, log in and check that Xen is working

5.1 Kernel version
uname -a
Linux beetel 2.6.18-194.32.1.el5xen #1 SMP Wed Jan 5 18:44:24 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

5.2 Xen information
xm info

host : server_dom0
release : 2.6.18-194.32.1.el5xen
version : #1 SMP Wed Jan 5 18:44:24 EST 2011
machine : x86_64
nr_cpus : 8
nr_nodes : 1
sockets_per_node : 2
cores_per_socket : 4
threads_per_core : 1
cpu_mhz : 2128
hw_caps : bfebfbff:28100800:00000000:00000140:009ce3bd:00000000:00000001
total_memory : 16371
free_memory : 383
node_to_cpu : node0:0-7
xen_major : 3
xen_minor : 1
xen_extra : .2-194.32.1.el5
xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p
xen_pagesize : 4096
platform_params : virt_start=0xffff800000000000
xen_changeset : unavailable
cc_compiler : gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)
cc_compile_by : mockbuild
cc_compile_domain : centos.org
cc_compile_date : Wed Jan 5 17:43:03 EST 2011
xend_config_format : 2

5.3 Check the Xen logs
ls -lh /var/log/xen

5.4 Check the network interfaces
ifconfig

eth0 Link encap:Ethernet HWaddr 7x:2x:Cx:0x:5x:Cx
inet addr:61.xxx.xx.xx Bcast:61.xxx.xx.xx Mask:255.255.255.128
inet6 addr: fe80::xxxxxxxxxxxxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22251 errors:0 dropped:0 overruns:0 frame:0
TX packets:10210 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20696752 (19.7 MiB) TX bytes:796183 (777.5 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:23591 errors:0 dropped:0 overruns:0 frame:0
TX packets:10233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21590086 (20.5 MiB) TX bytes:876169 (855.6 KiB)
Interrupt:25 Memory:da000000-da012800

vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:10212 errors:0 dropped:0 overruns:0 frame:0
TX packets:22251 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:796563 (777.8 KiB) TX bytes:20696752 (19.7 MiB)

virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)

xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:5505 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:273968 (267.5 KiB) TX bytes:0 (0.0 b)

peth0, vif0.0, virbr0 and xenbr0 have been added:
peth0 is the physical NIC
eth0 is the host's (dom0) virtual network device
vifX.Y is NIC number Y of VM (domU) number X; vif0.0 is therefore dom0's interface
virbr0 and xenbr0 are software bridge interfaces

brctl show

bridge name     bridge id               STP enabled     interfaces
virbr0          8000.000000000000       yes
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0

5.5 Check the host's iptables
cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Mar 31 01:08:25 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011
*nat
:PREROUTING ACCEPT [166:7018]
:POSTROUTING ACCEPT [1:80]
:OUTPUT ACCEPT [1:80]
COMMIT
# Completed on Thu Mar 31 01:08:25 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011
*mangle
:PREROUTING ACCEPT [224:12218]
:INPUT ACCEPT [58:5200]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:6304]
:POSTROUTING ACCEPT [47:6304]
COMMIT
# Completed on Thu Mar 31 01:08:25 2011

II. Installing the Linux guest on Xen

Prepare the install source
1. Download the CentOS 5.5 torrent from the NetEase mirror
http://mirrors.163.com/centos/5.5/isos/x86_64/CentOS-5.5-x86_64-bin-DVD.torrent

2. Burn the disc

3. Copy the source from the CD-ROM to the hard disk
mkdir /mnt/cdrom
mkdir /opt/iso
dd if=/dev/cdrom of=/opt/iso/centos.iso
ll -h /opt/iso/centos.iso
mount -o loop -t iso9660 /opt/iso/centos.iso /mnt/cdrom
ll /mnt/cdrom

4. Create the image file
A Xen guest can be installed on and run from a real physical partition, an LVM volume, an image file, or a network filesystem such as NFS.

An image file has lower security and I/O performance, but it is very convenient.
mkdir /opt/vm1
cd /opt/vm1
dd if=/dev/zero of=vm1.img bs=1M seek=15000 count=1

1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.002058 seconds, 510 MB/s

# this creates a 15G file (seek makes it sparse, so space is allocated only as it is written)

5. Ways to obtain the install source

http, ftp, nfs and others are possible.

Using the online source directly:
http://mirrors.163.com/centos/5.5/os/x86_64/
it stopped responding right after the IP was configured.
python -m SimpleHTTPServer
failed during the setuptool stage of the installer.

Using NFS
vi /etc/exports
/mnt/cdrom *(sync,ro)

yum install nfs-utils portmap
NFS uses random ports, so stop iptables first
/etc/init.d/portmap start
/etc/init.d/nfs start
exportfs -rv

6. Check iptables
iptables-save

# Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Mar 31 01:15:31 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011
*nat
:PREROUTING ACCEPT [602:26675]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 31 01:15:31 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011
*mangle
:PREROUTING ACCEPT [717:40264]
:INPUT ACCEPT [147:16162]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:19329]
:POSTROUTING ACCEPT [129:19329]
COMMIT
# Completed on Thu Mar 31 01:15:31 2011

After a reboot Xen regenerates these rules, which would duplicate them, so don't save them; just stop the firewall.
/etc/init.d/iptables stop

7. Install the VM

virt-install -n vm1 -r 2048 --vcpus=2 --file=/opt/vm1/vm1.img --nographics -p --location=nfs:192.168.122.1:/mnt/cdrom --bridge=virbr0

This creates a VM named "vm1" with 2G of memory and 2 CPUs, using the "/opt/vm1/vm1.img" image file, paravirtualized, installing from the NFS source, attached to the virbr0 bridge.
192.168.122.1 is the IP of the host's virbr0.
I tried N times and kept getting stuck at fetching the hostname; adding the --bridge=virbr0 parameter gets past it.

8. During the installation
■ Language: english
■ Configure IPv4 manually; IP: 192.168.122.11/255.255.255.0, Gateway: 192.168.122.1, Name Server: 192.168.122.1
If the network configuration passed to virt-install is wrong, it hangs here forever
■ Next choose between "Use text mode" and "Start VNC"; use text mode
■ Partitioning

/dev/xvda
  xvda1      1     13    101M  ext3  /boot
  xvda2     14    144   1027M  swap
  xvda3    145   1912  13868M  ext3  /

■ Use GRUB Boot Loader, then OK four times
■ Configure the NIC IP

IP Address        Prefix (Netmask)
192.168.122.11  / 255.255.255.0

■ Gateway and DNS

Gateway:        192.168.122.1
Primary DNS:    192.168.122.1
Secondary DNS:  8.8.8.8

■ Hostname: vm1
■ Time zone: do not use UTC, Asia/Shanghai
■ root password:
■ Package selection: clear the * at the top and customize
Select Administration Tools, Base, Development Tools, Editors, Text-based Internet
■ After the dependency check press "OK"; the system formats the filesystems and copies the files
■ Reboot

III. Configuring the host and the VM
1. Entering the VM
After the reboot it pauses for a while at sendmail and sm-client.
Then a garbled authconfig-tui screen appears, flickering constantly, and the keyboard does not respond; leave it alone and it closes by itself after about a minute of flickering.

CentOS release 5.5 (Final)
Kernel 2.6.18-194.el5xen on an x86_64

vm1 login: root

After entering root and the password there is no cursor.

Exit, open a new console and enter again;
on the host:
xm console vm1

2. VM network interface configuration
eth0 Link encap:Ethernet HWaddr 00:16:36:47:A2:89
inet addr:192.168.122.11 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fe47:a289/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:354 errors:0 dropped:0 overruns:0 frame:0
TX packets:59 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18489 (18.0 KiB) TX bytes:7066 (6.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

3. VM settings

3.1 Run firstboot to fix the garbled authconfig-tui screen

3.2 Stop services to make testing easier
chkconfig sendmail off
chkconfig iptables off

4. Test the VM network
ping 192.168.122.1   reachable
ping 61.xxx.xx.xx    reachable
ping 8.8.8.8         unreachable

It is unreachable because the host's iptables was stopped during the installation, so the MASQUERADE rules that give the VM outside access are gone.

5. Host settings

5.1 Reboot the server
Reboot first; Xen regenerates the iptables rules automatically

5.2 Start the VM
xm create vm1 -c

6. Install an HTTP service on the VM
6.1 Test the external network
ping 8.8.8.8 reachable

6.2 Install Apache
cd /etc/yum.repos.d
wget http://mirrors.163.com/.help/CentOS-Base-163.repo
yum makecache
yum -y install httpd

6.3 Generate a test home page
echo 'vm1' > /var/www/html/index.html
service httpd start
chkconfig httpd on

6.4 Test locally on the VM
wget 192.168.122.11

--2011-03-31 11:54:23--  http://192.168.122.11/
Connecting to 192.168.122.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4 [text/html]
Saving to: `index.html.1'

100%[======================================>] 4           --.-K/s   in 0s

2011-03-31 11:54:23 (217 KB/s) - `index.html.1' saved [4/4]

cat index.html.1
vm1

7. Host tests
7.1 2G of memory has been allocated to the VM
cat /proc/meminfo

MemTotal: 14319616 kB
MemFree: 13720696 kB

7.2 A new network interface has been added

vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:158 errors:0 dropped:0 overruns:0 frame:0
TX packets:1958 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:9679 (9.4 KiB) TX bytes:114685 (111.9 KiB)

7.3 VM configuration file
cat /etc/xen/vm1

name = "vm1"
uuid = "85386e79-9f79-e243-9b62-3c9da736ae9f"
maxmem = 2048
memory = 2048
vcpus = 2
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
disk = [ "tap:aio:/opt/vm1/vm1.img,xvda,w" ]
vif = [ "mac=00:16:36:47:a2:89,bridge=virbr0,script=vif-bridge" ]

7.4 xend configuration file
cat /etc/xen/xend-config.sxp | grep -v "^#" | grep -v "^$"

(xend-unix-server yes)
(xend-unix-path /var/lib/xend/xend-socket)
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 256)
(dom0-cpus 0)

(vncpasswd '')
(keymap 'en-us')

7.5 VM list
xm list

Name          ID  Mem(MiB)  VCPUs  State   Time(s)
Domain-0       0     13984      8  r-----     40.1
vm1            1      2047      2  -b----      5.5

7.6 Test the HTTP service on port 80 from the host
wget 192.168.122.11

2011-03-31 11:55:17 (178 KB/s) - `index.html' saved [4/4]

No problems here either.

8. Client test
Enter 61.xxx.xx.xx in the browser on the local PC
Unable to connect

9. Host settings
9.1 Enable IP forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

9.2 Forward public port 80 to port 80 on the VM
Public IP: 61.xxx.xx.xx
eth0 is the public NIC
VM IP: 192.168.122.11

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.122.11:80
The following rule is optional (with it, the VM's web logs show the host's address rather than the client's, because the source is rewritten):
iptables -A POSTROUTING -t nat -d 192.168.122.11 -p tcp -m tcp --dport 80 -j SNAT --to 61.xxx.xx.xx

9.3 Add a FORWARD allow rule
iptables -nL

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif2.0

The two reject-with icmp-port-unreachable rules are what block the access.
Solution 1:
run the commands below to delete those rules (not recommended)

iptables -D FORWARD 4
iptables -D FORWARD 4

Solution 2:
add a new allow rule, inserted (-I) ahead of the REJECT rules

iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT

or, more broadly (this allows all forwarded traffic into virbr0):

iptables -I FORWARD -o virbr0 -j ACCEPT
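To see why the allow rule must be inserted with -I rather than appended with -A, here is a small first-match simulator over the FORWARD chain shown above. This is an added example, not part of the original post or of Xen/libvirt; the client address 203.0.113.5 is constructed.

```python
import shlex
from ipaddress import ip_address, ip_network
# Sample input constructed from the FORWARD rules in the iptables-save output above.
LIBVIRT_FORWARD = [
    "-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT",
    "-A FORWARD -i virbr0 -o virbr0 -j ACCEPT",
    "-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT",
]
FIX = "-A FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT"  # the rule from solution 2

# Only the match options used by this post's rules are modelled; anything else is ignored.
OPTS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
        "-p": "proto", "--state": "state", "--physdev-in": "physdev_in"}
def parse_rule(line):
    """Return (conditions, target) for one iptables-save style rule line."""
    toks = shlex.split(line)
    conds, target = {}, None
    for i, tok in enumerate(toks):
        if tok == "-j":
            target = toks[i + 1]
        elif tok in OPTS:
            conds[OPTS[tok]] = toks[i + 1]
    return conds, target

def rule_matches(conds, pkt):
    """Every condition on the rule must hold for the packet."""
    for key, want in conds.items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            if ip_address(have) not in ip_network(want, strict=False):
                return False
        elif key == "state":
            if have not in want.split(","):
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top-down: the first matching rule decides, else the policy."""
    for line in chain:
        conds, target = parse_rule(line)
        if rule_matches(conds, pkt):
            return target
    return policy

# A DNATed request from an outside client (constructed address) to the VM's web port,
# and the VM's reply travelling back as part of the now-established flow.
INBOUND = {"in_if": "eth0", "out_if": "virbr0", "src": "203.0.113.5",
           "dst": "192.168.122.11", "proto": "tcp", "state": "NEW"}
REPLY = {"in_if": "virbr0", "out_if": "eth0", "src": "192.168.122.11",
         "dst": "203.0.113.5", "proto": "tcp", "state": "ESTABLISHED"}
if __name__ == "__main__":
    print("default chain   :", verdict(LIBVIRT_FORWARD, INBOUND))          # REJECT
    print("fix appended -A :", verdict(LIBVIRT_FORWARD + [FIX], INBOUND))  # REJECT
    print("fix inserted -I :", verdict([FIX] + LIBVIRT_FORWARD, INBOUND))  # ACCEPT
    print("VM reply        :", verdict([FIX] + LIBVIRT_FORWARD, REPLY))    # ACCEPT
```

The appended rule never fires because the -o virbr0 REJECT rule matches first; the reply direction is already covered by libvirt's -s 192.168.122.0/24 -i virbr0 rule.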

The host's final iptables

# Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011
*filter
:INPUT DROP [72:2903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2973]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Mar 31 15:33:44 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011
*nat
:PREROUTING ACCEPT [15745:680363]
:POSTROUTING ACCEPT [195:14508]
:OUTPUT ACCEPT [191:14292]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.11:80
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 31 15:33:44 2011
# Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011
*mangle
:PREROUTING ACCEPT [51572:51647208]
:INPUT ACCEPT [35843:50960353]
:FORWARD ACCEPT [214:22186]
:OUTPUT ACCEPT [31200:2591886]
:POSTROUTING ACCEPT [31414:2614072]
COMMIT
# Completed on Thu Mar 31 15:33:44 2011

Testing from the client now succeeds.

9.4 Adding the iptables rules after boot
Xen's iptables rules are added to the existing iptables after boot, and one of them flushes the FORWARD chain, so the rules have to be added once more:
echo 'iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.122.11:80' >> /etc/rc.local
echo 'iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT' >> /etc/rc.local

vi /opt/shell/vm_iptables.sh

#!/bin/bash
# Add the VM forwarding rules only when booted into the Xen (dom0) kernel.
IPTABLES=/sbin/iptables

KERNEL=`/bin/uname -r`

# ${KERNEL: -3} is a bash substring expansion (last three characters), hence bash above
if [ "${KERNEL: -3}" = "xen" ]
then
    # vm1 web: public port 80 -> VM port 80
    $IPTABLES -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.122.11:80

    # vm1 ssh: public port 7022 -> VM port 22
    $IPTABLES -A INPUT -p tcp -m tcp --dport 7022 -j ACCEPT
    $IPTABLES -A PREROUTING -t nat -p tcp -i eth0 --dport 7022 -j DNAT --to 192.168.122.11:22
    # insert (-I) ahead of libvirt's REJECT rules so the DNATed packets are accepted
    $IPTABLES -I FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT
else
    # not the Xen kernel: nothing to do
    exit 0
fi

chmod 750 /opt/shell/vm_iptables.sh
echo '/opt/shell/vm_iptables.sh' >> /etc/rc.local

9.5 Start the VM automatically with the host
cd /etc/xen/auto
ln -s ../vm1 ./vm1

9.6 Reboot the host and test

IV. Installation notes
Notes
1. For the install source, use a local http or nfs service and open the corresponding ports
2. Pass --bridge=virbr0 to virt-install
3. The default gateway is 192.168.122.1 and the VM's IP must be in the same subnet;
the configuration is in /usr/share/libvirt/networks/default.xml
4. The VM's first reboot shows a garbled screen; wait a while and it closes by itself
5. After enabling the HTTP service on the VM, remember to open the corresponding iptables port
6. Add the iptables rules on the host and put them in rc.local

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.122.11:80
iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT

Tips
1. Start a VM and attach to its console
xm create vm1 -c
2. Terminate a VM immediately
xm destroy vm1
3. Attach to a VM's console
xm console vm1
4. Detach from the VM console
ctrl+]
5. Renumber the VM IDs
/etc/init.d/xend restart
6. Completely delete a VM
I haven't found a way to do this
7. Remove Xen
yum groupremove Virtualization

