Xen on Via C3 (Eden/Samuel 2) - Success Story


Rupert Schlick
This is a long outstanding report on Adam Sulmicki's 4kB patches on a
Via C3 CPU.

Some CPUs from the VIA C3 series only support 4kB pages. Adam
Sulmicki provided a patch for Xen to support this group of CPUs
(http://lists.xensource.com/archives/html/xen-devel/2004-12/msg00083.html).

This patch has been running happily on my Lex Light with the Xen 2.0 release since
January 2005 with no troubles (at least no troubles related to Xen or
the patch).

The networking setup is far from efficient, but gives full abstraction
of the firewall policy from "real"/physical network setup and a nice Xen
show case.

The machine serves as my local routing firewall, vpn-endpoint,
dns-server and apt-proxy (and more to come). All of these functions are
separated in different unprivileged domains, providing:
- the possibility to separate them easily into different machines later
- a stronger separation of the services than possible on one machine
without virtualisation (at the cost of more resources and some more
complexity), giving more security and reducing the risk of one service
monopolizing the CPU.

The firewall domain is now controlling 16 virtual interfaces, with
each domain and physical server in its own DMZ:
- 1 internet connection (SDSL)
- 4 local other domains (including dom0)
- 6 xen domains on a second machine (including dom0)
- 2 domains running on demand (local or remote)
- 3 more physical machines

The interface of dom0 can be shut down when no maintenance work has to be
done.

- all five NICs of the machine (3 onboard, 2 USB) are connected to the
firewall domain via bridging (its own bridge and vif for each NIC).
- all local domains are bridged to separate firewall vifs
- the domains from the second Xen server are bridged via VLANs and also
routed by the firewall domain with no direct connection to their dom0 or
between them.

One of the next steps is to add a file integrity assessment (host based
IDS) running from dom0 or on the daily backup data and therefore fully
invisible from guest domains.

Thanks to the Xen team for great software and to Adam Sulmicki for his
patch allowing me to do all of the above with a fanless booksize PC.

Rupert
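The host-based integrity check the post plans to run from dom0 over the daily backup data can be done with a small baseline-and-compare script. The following is an added example, not code from the post or from the Xen project. It assumes each guest's backup is an ordinary directory tree on a dom0-controlled filesystem and that the baseline file is stored outside that tree (so a compromised guest cannot rewrite the reference it is checked against); the sample files and the "tampering" in `demo()` are constructed for illustration.

```python
"""File-integrity check of a guest's backup tree, run from dom0.

Added example (not part of the original post). Assumptions: the guest's
daily backup is a plain directory tree readable by dom0, and the baseline
JSON lives on a path the guest has no access to.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file (path relative to root) to digest, size and mode."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are hashed
            st = p.stat()
            result[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed content/size/mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def check(root: Path, baseline_path: Path) -> dict:
    """Diff the current backup tree against the stored baseline."""
    return compare(load_baseline(baseline_path), snapshot(root))


def demo() -> dict:
    """Constructed sample: build a tiny backup tree, baseline it, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        sample = {  # constructed file contents, not real system files
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "bin/ls": b"\x7fELF-original",
        }
        for rel, data in sample.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline_path = Path(tmp) / "baseline.json"  # outside the guest's tree
        save_baseline(snapshot(root), baseline_path)
        # Simulated changes inside the guest that the next backup carries over.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-modified")
        (root / "etc" / "hosts").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_bytes(b"unexpected file")
        return check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `demo()` to see the three report classes; for real use, call `save_baseline(snapshot(root), path)` once after a trusted backup and `check(root, path)` after each later one. Because both the hashing and the baseline live in dom0, the guest cannot influence what is compared or the reference it is compared to, which is the point of running the IDS "fully invisible from guest domains".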


_______________________________________________
Xen-users mailing list
http://lists.xensource.com/xen-users