
Re: Opinion on firewall virtualization with Xen



On 11/22/06, Rene Mayrhofer <rene.mayrhofer@gibraltar.at> wrote:
I'm in the process of doing exactly this right now. One domU for each
service, e.g. DNS, mail, web, etc. Works well so far (but the HA aspect is
still missing). How would you approach this? One drbd device per domU or 2
drbds with disk images on it?
Since we only need to keep iptables rules replicated in paired domUs, I'm
not really sure how to accomplish this.

Answering your question, I think one drbd device per domU pair is
preferable. The best option would be to have this device on a network storage
device (i.e. a SAN). When I use Xen I use LVM rather than disk images
for the domUs, and that's why I would choose to use one drbd device per
domU. I don't like the idea of having a filesystem inside a filesystem
because of the probability of data corruption.

I think a solution would be importing a drbd device from a shared
storage device to dom0 and presenting this drbd device to the domUs as
a partition. If you don't have a network storage device you can use
partitions in dom0's local disk.

One argument against using drbd is that the drbd device cannot be
mounted simultaneously on both domU nodes. We'll have to wait
for version 0.8. Maybe using a shared storage filesystem is too much
for our purposes.

In any case another problem is having the same ruleset replicated
amongst the domU pairs. Not sure how to apply changes made in the
master domU to the backup domU, although I have some ideas.
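The ruleset replication problem raised above (keeping the backup domU's iptables rules identical to the master's) can be handled without shared storage by treating the master's `iptables-save` output as the single source of truth. The script below is an added example written for this page, not code from either poster. It assumes the master and backup domUs are reachable over ssh as root (the hostname `fw-backup` is a placeholder), and it compares rulesets only after stripping the parts of an `iptables-save` dump that change on every run, so a no-op sync is detected instead of blindly reloading the backup.

```shell
# Strip the volatile parts of an iptables-save dump read from stdin: the
# timestamped "# Generated by" / "# Completed on" comments and the per-chain
# [packets:bytes] counters. Two dumps of the same ruleset then compare equal
# no matter when, or on which host, they were taken.
normalize_ruleset() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//'
}

# Checksum of a normalised dump read from stdin. cksum is used because it is
# POSIX and available on a minimal domU; this detects drift between two hosts
# you control, it is not a defence against a tampered dump.
ruleset_digest() {
    normalize_ruleset | cksum | cut -d ' ' -f 1
}

# Return 0 when the two dump files describe the same ruleset, 1 otherwise.
rulesets_match() {
    a=$(ruleset_digest < "$1")
    b=$(ruleset_digest < "$2")
    [ "$a" = "$b" ]
}

# Push the ruleset in dump file $1 to the backup host $2 only when it differs,
# then re-read the backup and confirm the result before reporting success.
# iptables-restore replaces each table in one step, so the backup never runs
# a half-applied ruleset. Hostnames and root ssh access are assumptions.
sync_ruleset() {
    dump=$1
    backup=$2
    remote=$(mktemp)
    ssh "root@$backup" iptables-save > "$remote"
    if rulesets_match "$dump" "$remote"; then
        echo "$backup: ruleset already in sync"
        rm -f "$remote"
        return 0
    fi
    ssh "root@$backup" iptables-restore < "$dump"
    ssh "root@$backup" iptables-save > "$remote"
    if rulesets_match "$dump" "$remote"; then
        echo "$backup: ruleset updated"
        rm -f "$remote"
        return 0
    fi
    echo "$backup: ruleset still differs after restore, check by hand" >&2
    rm -f "$remote"
    return 1
}

# Typical use on the master domU, from cron or a hook run after editing rules:
#   iptables-save > /var/tmp/ruleset.dump
#   sync_ruleset /var/tmp/ruleset.dump fw-backup
```

Because the comparison ignores counters and timestamps, the cron job is idempotent: it only touches the backup when a rule actually changed, and the post-restore check turns a silent partial failure (for example an `iptables-restore` that rejected a rule because a kernel module is missing on the backup) into a non-zero exit you can alert on.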


