以映像文件方式保存的虚拟机复制非常方便. 只要拷贝xen vm的img镜像文件和配置文件，并修改相应配置文就可以了

1.关闭虚拟机 xm shutdown vm1

2.复制虚拟机映像文件和配置文件 \cp /opt/vm1/vm1.img /opt/vm1/vm2.img \cp /etc/xen/vm1 /etc/xen/vm2

3.修改虚拟机配置文件 vi /etc/xen/vm2

name = “vm1” uuid = “85386e79-9f79-e243-9b62-3c9da736ae9f” maxmem = 2048 memory = 2048 vcpus = 2 bootloader = “/usr/bin/pygrub” on_poweroff = “destroy” on_reboot = “restart” on_crash = “restart” disk = [ “tap:aio:/opt/vm1/vm1.img,xvda,w” ] vif = [ “mac=00:16:36:47:a2:89,bridge=virbr0,script=vif-bridge” ]

修改name,uuid,mac保持唯一,通常将最后一位加1,修改disk路径. 修改后的配置

name = “vm2” uuid = “85386e79-9f79-e243-9b62-3c9da736ae0f” maxmem = 2048 memory = 2048 vcpus = 2 bootloader = “/usr/bin/pygrub” on_poweroff = “destroy” on_reboot = “restart” on_crash = “restart” disk = [ “tap:aio:/opt/vm1/vm2.img,xvda,w” ] vif = [ “mac=00:16:36:47:a2:80,bridge=virbr0,script=vif-bridge” ]

4.启动并进入虚拟机 vm create vm2 -c

5.修改主机名 5.1 hostname vm2

5.2 vi /etc/sysconfig/network

5.3 vi /etc/hosts

6.修改网卡ip和mac,和xen配置对应 vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0 BOOTPROTO=static BROADCAST=192.168.122.255 HWADDR=00:16:36:47:A2:80 IPADDR=192.168.122.12 NETMASK=255.255.255.0 NETWORK=192.168.122.0 ONBOOT=yes

7.重启网络,完成修改 /etc/init.d/network restart

8.测试 8.1 ctrl+]退出虚拟机 8.2启动”vm1″虚拟机 8.3测试vm1网络 ping 192.168.122.11 8.4测试vm2网络 ping 192.168.122.12 8.5测试虚拟机之间的网络 vm console vm2 ping 192.168.122.11

ps:随宿主启动及服务相关iptables不要忘记

网上一些中文资料不够详细,一直没装成功,经历数十次的失败现成功安装 通过桥接和端口转发,宿主机和虚拟机都可对外服务.

一.安装xen 1.系统信息 dell r410 55062,4G4,SAS146G*2

cat /etc/issue CentOS release 5.5 (Final)

uname -a Linux beetel 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

机器名:server_dom0 公网ip:61.xxx.xx.xx 虚拟机ip:192.168.122.11

查看虚似化支持 grep -E ‘(vmx|svm)’ /proc/cpuinfo

flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni vmx est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm

2.设置网易源更新组件 xen安装方式有yum,二进制,编译 我选择yum方式最方便 cd /etc/yum.repos.d wget http://mirrors.163.com/.help/CentOS-Base-163.repo yum makecache yum groupinstall “Development Libraries” yum groupinstall “Development Tools” yum install transfig wget texi2html libaio-devel dev86 glibc-devel e2fsprogs-devel gitk mkinitrd iasl xz-devel bzip2-devel pciutils-libs pciutils-devel SDL-devel libX11-devel gtk2-devel bridge-utils PyXML qemu-common qemu-img mercurial

2.安装centos5.5自带的xen 3.0.3-105.el5_5.5 这个是07年版的,最新为xen3.4.3 yum groupinstall Virtualization

================================================================================ Package Arch Version Repository Size ================================================================================ Installing: gnome-applet-vm x86_64 0.1.2-1.el5 base 76 k kernel-xen x86_64 2.6.18-194.32.1.el5 updates 20 M libvirt i386 0.6.3-33.el5_5.3 updates 2.0 M libvirt x86_64 0.6.3-33.el5_5.3 updates 2.0 M virt-manager x86_64 0.6.1-12.el5 base 1.5 M virt-viewer x86_64 0.0.2-3.el5 base 25 k xen x86_64 3.0.3-105.el5_5.5 updates 1.9 M Installing for dependencies: libvirt-python x86_64 0.6.3-33.el5_5.3 updates 137 k python-virtinst noarch 0.400.3-9.el5_5.1 updates 380 k Transaction Summary ================================================================================ Install 9 Package(s) Upgrade 0 Package(s) Total download size: 28 M Is this ok [y/N]: y

3.修改其中的default=1为default=0，启用xen内核 vi /etc/grub.conf

default=0 timeout=5 splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.18-194.32.1.el5xen) root (hd0,0) kernel /xen.gz-2.6.18-194.32.1.el5 module /vmlinuz-2.6.18-194.32.1.el5xen ro root=/dev/VolGroup00/LogVol02 module /initrd-2.6.18-194.32.1.el5xen.img title CentOS (2.6.18-194.el5) root (hd0,0) kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol02 initrd /initrd-2.6.18-194.el5.img

4.重新启动计算机 reboot

5.重启后登录系统，检查XEN是否正常

5.1 内核版本 uname -a Linux beetel 2.6.18-194.32.1.el5xen #1 SMP Wed Jan 5 18:44:24 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

5.2 xen信息 xm info

host : server_dom0 release : 2.6.18-194.32.1.el5xen version : #1 SMP Wed Jan 5 18:44:24 EST 2011 machine : x86_64 nr_cpus : 8 nr_nodes : 1 sockets_per_node : 2 cores_per_socket : 4 threads_per_core : 1 cpu_mhz : 2128 hw_caps : bfebfbff:28100800:00000000:00000140:009ce3bd:00000000:00000001 total_memory : 16371 free_memory : 383 node_to_cpu : node0:0-7 xen_major : 3 xen_minor : 1 xen_extra : .2-194.32.1.el5 xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p xen_pagesize : 4096 platform_params : virt_start=0xffff800000000000 xen_changeset : unavailable cc_compiler : gcc version 4.1.2 20080704 (Red Hat 4.1.2-48) cc_compile_by : mockbuild cc_compile_domain : centos.org cc_compile_date : Wed Jan 5 17:43:03 EST 2011 xend_config_format : 2

5.3查看xen日志 ls -lh /var/log/xen

5.4查看网卡 ifconfig

eth0 Link encap:Ethernet HWaddr 7x:2x:Cx:0x:5x:Cx inet addr:61.xxx.xx.xx Bcast:61.xxx.xx.xx Mask:255.255.255.128 inet6 addr: fe80::xxxxxxxxxxxxxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:22251 errors:0 dropped:0 overruns:0 frame:0 TX packets:10210 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:20696752 (19.7 MiB) TX bytes:796183 (777.5 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link UP BROADCAST RUNNING NOARP MTU:1500 Metric:1 RX packets:23591 errors:0 dropped:0 overruns:0 frame:0 TX packets:10233 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:21590086 (20.5 MiB) TX bytes:876169 (855.6 KiB) Interrupt:25 Memory:da000000-da012800 vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link UP BROADCAST RUNNING NOARP MTU:1500 Metric:1 RX packets:10212 errors:0 dropped:0 overruns:0 frame:0 TX packets:22251 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:796563 (777.8 KiB) TX bytes:20696752 (19.7 MiB) virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:468 (468.0 b) xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF UP BROADCAST RUNNING NOARP MTU:1500 Metric:1 RX packets:5505 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:273968 (267.5 KiB) TX bytes:0 (0.0 b)

新增了peth0,vif0.0,virbr0,xenbr0 peth0为物理网卡 eth0为宿主机(dom0)虚拟网络设备 vif0.0第x个虚拟机(domu)中的第x块网卡,这里为dom0的接口 virbr0和xenbr0为软桥接接口

brctl show

bridge name bridge id STP enabled interfaces virbr0 8000.000000000000 yes xenbr0 8000.feffffffffff no peth0 vif0.0

5.5查看宿主iptables cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011 *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT -A INPUT -p tcp -m tcp –dport 3306 -j ACCEPT -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT -A INPUT -p udp -m udp –dport 123 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT COMMIT # Completed on Thu Mar 31 01:08:25 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011 *nat :PREROUTING ACCEPT [166:7018] :POSTROUTING ACCEPT [1:80] :OUTPUT ACCEPT [1:80] COMMIT # Completed on Thu Mar 31 01:08:25 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 01:08:25 2011 *mangle :PREROUTING ACCEPT [224:12218] :INPUT ACCEPT [58:5200] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [47:6304] :POSTROUTING ACCEPT [47:6304] COMMIT # Completed on Thu Mar 31 01:08:25 2011

二、安装XEN的Linux客户机系统

准备好安装源 1.从网易下载centos5.5的bt http://mirrors.163.com/centos/5.5/isos/x86_64/CentOS-5.5-x86_64-bin-DVD.torrent

2.刻盘

3.从cdrom 复制源到硬盘 mkdir /mnt/cdrom mkdir /opt/iso dd if=/dev/cdrom of=/opt/iso/centos.iso ll -h /opt/iso/centos.iso mount -o loop -t iso9660 /opt/iso/centos.iso /mnt/cdrom ll /mnt/cdrom

4.制作映像文件 xen能安装和运行在实际的物理分区上，lvm分区上，一个映像文件中，或NFS等网络文件系统中

映像文件安全性和io性能比较低,但是很方便. mkdir /opt/vm1 cd /opt/vm1 dd if=/dev/zero of=vm1.img bs=1M seek=15000 count=1

1+0 records in 1+0 records out 1048576 bytes (1.0 MB) copied, 0.002058 seconds, 510 MB/s

#这里创建15G大小

5.安装源获取方式

有http,ftp,nfs等方试

直接使用在线源
http://mirrors.163.com/centos/5.5/os/x86_64/
在设置完IP后就没有反应了

python -m SimpleHTTPServer
在setuptool安装时失败

使用nfs方式 vi /etc/exports /mnt/cdrom *(sync,ro)

yum install nfs-utils portmap nfs会使用随机端口,先把iptables关了 /etc/init.d/portmap start /etc/init.d/nfs start exportfs -rv

6.查看iptables iptables-save

# Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011 *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i virbr0 -p udp -m udp –dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp –dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp –dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp –dport 67 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT -A INPUT -p tcp -m tcp –dport 3306 -j ACCEPT -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT -A INPUT -p udp -m udp –dport 123 -j ACCEPT -A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT –reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT –reject-with icmp-port-unreachable -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT COMMIT # Completed on Thu Mar 31 01:15:31 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011 *nat :PREROUTING ACCEPT [602:26675] :POSTROUTING ACCEPT [1:73] :OUTPUT ACCEPT [1:73] -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE –to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE –to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE COMMIT # Completed on Thu Mar 31 01:15:31 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 01:15:31 2011 *mangle :PREROUTING ACCEPT [717:40264] :INPUT ACCEPT [147:16162] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [129:19329] :POSTROUTING ACCEPT [129:19329] COMMIT # Completed on Thu Mar 31 01:15:31 2011

系统重启后xen会再生成一次,会有重复,不作保存直接关了. /etc/init.d/iptables stop

7.安装虚拟机

virt-install -n vm1 -r 2048 –vcpus=2 –file=/opt/vm1/vm1.img –nographics -p –location=nfs:192.168.122.1:/mnt/cdrom –bridge=virbr0

创建名为”vm1″的虚拟机,分配2G内存,2个cpu,使用”/opt/vm1/vm1.img”映像文件,半虚似化,使用nfs源,使用virbr0网桥 192.168.122.1为宿主virbr0的ip 我装了好N次卡在获取hostname那里,带上–bridge=virbr0参数就可以顺利通过

8.安装中 ■语言选择english ■手动配置ipv4;ip:192.168.122.11/255.255.255.0,Gateway:192.168.122.1,Name Server: 192.168.122.1 如果virt-install的网络配置错误,会一直卡在这里 ■下一步是选择”Use text mode”还是”Start VNC”,使用文本模式 ■分区

/dev/xvda ^ | | xvda1 1 13 101M ext3 /boot : | | xvda2 14 144 1027M swap : | | xvda3 145 1912 13868M ext3 / : |

■Use GRUB Boot Loader,4个ok ■配置网卡ip

IP Address Prefix (Netmask) | | 192.168.122.11__ / 255.255.255.0___

■网关和dns

| Gateway: 192.168.122.1____________________________ | | Primary DNS: 192.168.122.1____________________________ | | Secondary DNS: 8.8.8.8__________________________________ |

■机器名设置:vm1 ■时区设置:不使用utc,Asia/Shanghai ■root密码: ■安装包选择:去掉上面的*,使用自定义 选择Administration Tools,Base,Development Tools ,Editors,Text-based Internet ■依赖关系检查后按”OK”,系统开始格式化文件系统并复制文件 ■重启

三、配置宿主机及虚拟机 1.进入虚拟机 重启后在sendmail和sm-client会卡一会 出来authconfig-tui的乱码配置界面,不停的闪啊闪,键盘也不听控制,不用操作,等它闪个一分钟就会自动关了

CentOS release 5.5 (Final) Kernel 2.6.18-194.el5xen on an x86_64 vm1 login: root

输入root和密码进去后没有光标

退出并新开一个控制台然后重新进入 在宿主机 xm console vm1

2.虚拟机网卡配置 eth0 Link encap:Ethernet HWaddr 00:16:36:47:A2:89
inet addr:192.168.122.11 Bcast:192.168.122.255 Mask:255.255.255.0 inet6 addr: fe80::216:36ff:fe47:a289/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:354 errors:0 dropped:0 overruns:0 frame:0 TX packets:59 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:18489 (18.0 KiB) TX bytes:7066 (6.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

3.虚拟机设置

3.1执行firstboot解决authconfig-tui乱码问题

3.2关闭服务方便测试 chkconfig sendmail off chkconfig iptables off

4.测试虚拟机网络 ping 61.192.168.122.1 通 ping 61.xxx.xx.xx 通 ping 8.8.8.8 不通

因为宿主机刚才安装时关了iptables,所以不通

5.宿主机设置

5.1重启服务器 先reboot,xen会自动生成iptables

5.2启动虚拟机 xm create vm1 -c

6.虚传机安装http服务 6.1测试外网 ping 8.8.8.8 通

6.2安装apache cd /etc/yum.repos.d wget http://mirrors.163.com/.help/CentOS-Base-163.repo yum makecache yum -y install httpd

6.3生成个测试首页 echo ‘vm1’>/var/www/html/index.html service httpd start chkconfig httpd on

6.4测试本机 wget 192.168.122.11

–2011-03-31 11:54:23– http://192.168.122.11/ Connecting to 192.168.122.11:80… connected. HTTP request sent, awaiting response… 200 OK Length: 4 [text/html] Saving to: `index.html.1′ 100%[======================================>] 4 –.-K/s in 0s 2011-03-31 11:54:23 (217 KB/s) – `index.html.1′ saved [4/4]

cat index.html.1 vm1

7.宿主机测试 7.1内存分配了2G给虚传机 cat /proc/meminfo

MemTotal: 14319616 kB MemFree: 13720696 kB

7.2新增了个网卡

vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link UP BROADCAST RUNNING NOARP MTU:1500 Metric:1 RX packets:158 errors:0 dropped:0 overruns:0 frame:0 TX packets:1958 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:32 RX bytes:9679 (9.4 KiB) TX bytes:114685 (111.9 KiB)

7.3虚拟机配置文件 cat /etc/xen/vm1

name = “vm1” uuid = “85386e79-9f79-e243-9b62-3c9da736ae9f” maxmem = 2048 memory = 2048 vcpus = 2 bootloader = “/usr/bin/pygrub” on_poweroff = “destroy” on_reboot = “restart” on_crash = “restart” disk = [ “tap:aio:/opt/vm1/vm1.img,xvda,w” ] vif = [ “mac=00:16:36:47:a2:89,bridge=virbr0,script=vif-bridge” ]

7.4xend配置文件 cat /etc/xen/xend-config.sxp |grep -v “^#”|grep -v ^$

(xend-unix-server yes) (xend-unix-path /var/lib/xend/xend-socket) (xend-relocation-hosts-allow ‘^localhost$ ^localhost\\.localdomain$’) (network-script network-bridge) (vif-script vif-bridge) (dom0-min-mem 256) (dom0-cpus 0) (vncpasswd ”) (keymap ‘en-us’)

7.5虚传机列表 xm list

Name ID Mem(MiB) VCPUs State Time(s) Domain-0 0 13984 8 r—– 40.1 vm1 1 2047 2 -b—- 5.5

7.6 测试80端口http服务 wget 192.168.122.11

2011-03-31 11:55:17 (178 KB/s) – `index.html’ saved [4/4]

也没有问题

8.客户端测试 在本地电脑浏览器中输入61.xxx.xx.xx 无法连接

9.宿主机设置 9.1打开ip转发 echo ‘1’ > /proc/sys/net/ipv4/ip_forward vi /etc/sysctl.conf

# Controls IP packet forwarding net.ipv4.ip_forward = 1

9.2转发公网80端口至虚传机80端口 公网ip:61.xxx.xx.xx eht0为公网网卡 虚传机ip:192.168.122.11

iptables -A PREROUTING -t nat -p tcp -i eth0 –dport 80 -j DNAT –to 192.168.122.11:80 下面可加可不加 iptables -A POSTROUTING -t nat -d 192.168.122.11 -p tcp -m tcp –dport 80 -j SNAT –to 61.xxx.xx.xx

9.3增加forward充许 iptables -nL

Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all — 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all — 192.168.122.0/24 0.0.0.0/0 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable ACCEPT all — 0.0.0.0/0 0.0.0.0/0 PHYSDEV match –physdev-in vif1.0 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 PHYSDEV match –physdev-in vif2.0

reject-with icmp-port-unreachable这两条规则禁止了方问 解决方式一: 执行下面命令删除规则(不推荐)

iptables -D FORWARD 4 iptables -D FORWARD 4

解决方式二: 增加新的充许规则

iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT

或

iptables -I FORWARD -o virbr0 -j ACCEPT

宿主最后的iptables

# Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011 *filter :INPUT DROP [72:2903] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [24:2973] -A INPUT -i virbr0 -p udp -m udp –dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp –dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp –dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp –dport 67 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT -A INPUT -p tcp -m tcp –dport 3306 -j ACCEPT -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT -A INPUT -p udp -m udp –dport 123 -j ACCEPT -A FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT -A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT –reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT –reject-with icmp-port-unreachable -A FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT -A FORWARD -m physdev –physdev-in vif1.0 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT COMMIT # Completed on Thu Mar 31 15:33:44 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011 *nat :PREROUTING ACCEPT [15745:680363] :POSTROUTING ACCEPT [195:14508] :OUTPUT ACCEPT [191:14292] -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.122.11:80 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE –to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE –to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE COMMIT # Completed on Thu Mar 31 15:33:44 2011 # Generated by iptables-save v1.3.5 on Thu Mar 31 15:33:44 2011 *mangle :PREROUTING ACCEPT [51572:51647208] :INPUT ACCEPT [35843:50960353] :FORWARD ACCEPT [214:22186] :OUTPUT ACCEPT [31200:2591886] :POSTROUTING ACCEPT [31414:2614072] COMMIT # Completed on Thu Mar 31 15:33:44 2011

客户端再次测试成功访问

9.4开机后添加iptables xen的iptables规则是在开机后添加到现有的iptables中,其中有一条是清空FORWARD链,所以要重新再加一次 echo ‘iptables -A PREROUTING -t nat -p tcp -i eth0 –dport 80 -j DNAT –to 192.168.122.11:80’ >> /etc/rc.local echo ‘iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT’ >> /etc/rc.local

vi /opt/shell/vm_iptables.sh

#!/bin/sh IPTABLES=/sbin/iptables KERNEL=`/bin/uname -r` if [ ${KERNEL: -3} = “xen” ] then #vm1 web $IPTABLES -A PREROUTING -t nat -p tcp -i eth0 –dport 80 -j DNAT –to 192.168.122.11:80 #vm1 ssh $IPTABLES -A INPUT -p tcp -m tcp –dport 7022 -j ACCEPT $IPTABLES -A PREROUTING -t nat -p tcp -i eth0 –dport 7022 -j DNAT –to 192.168.122.11:22 $IPTABLES -I FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT else #nothing exit fi

chmod 750 /opt/shell/vm_iptables.sh echo ‘/opt/shell/vm_iptables.sh’ >> /etc/rc.local

9.5让虚传机随宿主启动 cd /etc/xen/auto ln -s ../vm1 ./vm1

9.6重启宿主并测试

四、安装提示 注意 1.安装源建议使用本地的http或nfs服务,并打开相应端口 2.virt-install后面带上–bridge=virbr0 3.默认网关为192.168.122.1,虚拟机ip要在一个网段 配置在/usr/share/libvirt/networks/default.xml 4.虚拟机首次重启乱码,稍等一会后会自动关闭 5.虚拟机开启http服务后注意打相应iptables端口 6.宿主机增加iptables并放在rc.local中

iptables -A PREROUTING -t nat -p tcp -i eth0 –dport 80 -j DNAT –to 192.168.122.11:80 iptables -I FORWARD -i eth0 -o virbr0 -p tcp -m state –state NEW -j ACCEPT

提示 1.开启虚拟机并进入 xm create vm1 -c 2.立即终止一个虚传机 xm destroy vm1 3.进入虚拟机 xm console vm1 4.跳出虚拟机 ctrl+] 5.重排虚拟机id /etc/init.d/xend restart 6.完整删除虚拟机 这个没有找到 7.移除xen yum groupremove Virtualization

参考: http://caishu.name/content/%E4%BD%BF%E7%94%A8xm%E5%9C%A8centos%E4%B8%8A%E5%AE%89%E8%A3%85xen%E7%9A%84%E8%99%9A%E6%8B%9F%E6%9C%BA http://wiki.kartbuilding.net/index.php/Xen_Networking http://cooker.techsnail.com/index.php/XEN,_KVM,_Libvirt_and_IPTables#The_default_iptables_rules_on_a_XEN_physical_host