vnet without epair

Teske, Devin Devin.Teske at
Sun Feb 10 14:34:44 UTC 2013

On Sun, 10 Feb 2013, Nikos Vassiliadis wrote:

> On 2/10/2013 3:56 PM, Teske, Devin wrote:
> >
> > Excellent! This is precisely what I was after when I wrote the vimage package and its contents. I'm familiar with IMUNES and netgraph fits the bill well (especially with "ngctl dot" being useful in providing visual confirmation when you've achieved the desired network layout -- when "ngctl dot | dot -Tsvg -o netgraph.svg" starts to look like your IMUNES graph, then you know you're making progress toward having the right configuration).
> You'll be soon hearing from me then!

Here are some examples of "ngctl dot | dot -Tsvg -o<file>" run on various servers running my vimage package:

A server with two network interfaces (igb0 and igb1). igb0 is bridged to 5 vimages (named "kps0a_dev", "kps64a_dev", "kws411a_dev", "kws411b_dev", and "kws82a_dev"). Each vimage has a single bridge to the same igb0 interface and is talking on a single subnet (see next example for more complex layout). Meanwhile, igb1 is used exclusively for the host machine (netgraph displays this in a "disconnected" cluster because it's not in use by the netgraph system). The "ngctl99755" element off to the right is the "ngctl" program's connection to the netgraph system to dump the dot(1) output for the creation of the SVG image itself.

A server with 5 network interfaces (em0, em1, em2, igb0, igb1). igb0 is bridged between the host machine, a vimage named "stats" and a vimage named "beefcake". igb1 is bridged between the host machine, a vimage named "bafug1", and 6 other vimages. Of the 6 other vimages, the special one is "cfg0_vlbxrich" which has 2 bridges to the same interface (the host machine's rc.conf has vimage_cfg0_vlbxrich_bridges="igb0 igb0") but is speaking different subnets on each of the bridged interfaces within the jail (saying ifconfig in that vimage produces two interfaces -- besides lo0 -- named ng0_cfg0_vlbxri and ng1_cfg0_vlbxri; these are configured to 2 different subnets in the jail's /etc/rc.conf). There are more vimages that can't be seen as netgraph does not show vimages that are using whole interfaces (a single PHY on a quad-port NIC for example; or a tap/tun pair); however you can see the interfaces em0, em1, and em2. What's cute is that those vimages are often purposed as "high security" vimages and as such we view it as a value-add that they don't appear in the netgraph layout. (But to be honest, this is an older output and I can't remember what those interfaces were used for -- our vimage servers have grown and changed since then.)

A high security server (that was decommissioned last Friday) where each vimage gets an entire PHY (read: netgraph is not used, whole interfaces are moved into the vimages -- see /etc/rc.conf.d/vimage specifically vimage_example_vnets). So naturally, this graph appears to be rather boring (all the interfaces are in the "disconnect" cluster) because netgraph isn't using the interfaces.


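The layouts described above (a physical NIC bridged via netgraph into several vnet jails, each getting an ng_eiface instead of an epair) can be built by hand with ngctl. The script below is an added example, not code from Devin Teske's vimage package; it assumes the ng_ether, ng_bridge and ng_eiface modules are loaded, that the jail already runs with its own vnet, and that bridge name and link numbers are free to choose. It only shows the netgraph plumbing that "ngctl dot" would then draw; a DRY_RUN=1 mode prints the commands instead of running them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example (assumed names, not from the vimage package): bridge a NIC
# into vnet jails with ng_bridge + ng_eiface, i.e. "vnet without epair".
set -eu

# Run a command, or only print it when DRY_RUN=1 (review before touching the host).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Hang an ng_bridge node off the NIC's ng_ether node.
# link0 carries the wire side (lower hook), link1 the host's own stack (upper hook).
bridge_iface() {
    ifn=$1; br=$2
    run ngctl mkpeer "$ifn:" bridge lower link0
    run ngctl name "$ifn:lower" "$br"
    run ngctl connect "$ifn:" "$br:" upper link1
    run ngctl msg "$ifn:" setpromisc 1   # the NIC must accept frames for the jails' MACs
    run ngctl msg "$ifn:" setautosrc 0   # do not rewrite the jails' source MACs on egress
}

# Add an ng_eiface on bridge link N, name the node after the jail, and move the
# resulting ngX interface into the jail's vnet (one bridge link per jail, as in
# the first layout above; two links to the same bridge give the "two subnets" case).
attach_vnet() {
    br=$1; link=$2; jail=$3
    run ngctl mkpeer "$br:" eiface "link$link" ether
    run ngctl name "$br:link$link" "ng_${jail}"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ifn="ngN"   # placeholder: the real name is only known once the node exists
    else
        # ng_eiface reports the interface name it was assigned (ng0, ng1, ...)
        ifn=$(ngctl msg "$br:link$link" getifname | sed -n 's/^Args:[[:space:]]*"\(.*\)"/\1/p')
    fi
    run ifconfig "$ifn" vnet "$jail"
}

# Usage (names constructed after the first layout in the mail):
#   DRY_RUN=1 sh thisfile.sh
if [ "${0##*/}" = "thisfile.sh" ]; then
    bridge_iface igb0 bridge0
    attach_vnet bridge0 2 kps0a_dev
    attach_vnet bridge0 3 kps64a_dev
fi
```

After the jail side is up, "ngctl dot | dot -Tsvg -o netgraph.svg" should show igb0, bridge0 and one eiface node per jail, while interfaces handed to a jail whole still land in the "disconnected" cluster.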

More information about the freebsd-questions mailing list