IPFire as Xen (4.1) DomU



The following procedure is inspired by this article on the IPFire Wiki, this article being a summary of the previous one as well as this article on the Panticz web site.
The directories locations that are used in this example are based on this wiki's Sample Configuration, but YMMV.
You should also read the README file, inside the ipfire/ directory that's extracted from the archive.

In case you didn't do so already, it is also recommended that you get at least the base concepts that IPFire relies on by ready through their website, you should, at the minimum, grasp the "colored" concept of the IPFire firewalling.

Also read this IPFire article to understand why it's recommended to install IPFire as a HVM.



Setting up a firewall implies having at least 2 physical NICs on the host machine.

TBC



Get the IPFire image


Getting to the IPFire download page didn't provide us the link to the latest “scon” release… Let's have a look at the IPFire torrent tracker: BINGO ! we have a torrent for ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz

Now use your favorite torrent app to download to the compressed image to your workstation, and transfer the image on your Xen Host.

> cd /directory/of/image/dowload/
> sftp root@<your_xen_host_ip>
sftp> cd /opt/xen/X-Local-ISO
sftp> put ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz

Create the IPFire Virtual Hard Disk


We intend to generally use FBD (File Based Devices) VDIs in our deployment, so we'll create an FBD:

> zcat ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz > /opt/xen/X-Local-VMS/ipfire
> fallocate -l 4G /opt/xen/X-Local-VMS/ipfire

If we were to use LVM VDIs, we'd use:

> lvcreate -L 4G -n ipfire vg0
> zcat ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz > /dev/vg0/ipfire

Create VM configuration file


By convention, Xen VMs configuration files should end in .cfg, but to help differentiate Paravirts and HVMs, we'll use the .hvm suffix. Thus we'll create /opt/xen/X-Local-VMS/ipfire.hvm

To get more details about the configuration's options, you can refer to the original article this procedure is inspired from.

> nano /opt/xen/X-Local-VMS/ipfire.hvm

kernel="hvmloader"
builder='hvm'
device_model='qemu-dm'
memory = 512 # adjust this as needed, though 512M is enough for most purposes
name = "ipfire"
vcpus=1 # adjust as needed, though a single processor is fine

# this is the heart of the matter, setting up the correct network interfaces
# the bridge should match your configuration (must be defined to Xen)
# the mac address must be unique in YOUR network
# vifname simply allows you to find the interface from the DOM0 using ifconfig
vif         = [
                  'mac=00:17:3e:be:b1:1a, bridge=xenbr0,vifname=fw_green',  ## Green
                  'mac=00:17:3e:be:b1:1b, bridge=xenbr1,vifname=fw_red',    ## Red
#                  'mac=00:17:3e:be:b1:1c, bridge=xenbr2,vifname=fw_blue',   ## Blue
#                  'mac=00:17:3e:be:b1:1d, bridge=xenbr3,vifname=fw_orange', ## Orange
               ]

# points to the storage used for this DOMU
disk = [
                'file:/opt/xen/X-Local-VMS/ipfire,hda,w',
# for LVM partitions: 'phy:/dev/vg0/ipfire,hda,w',
       ]


localtime=0  # take time from server clock
serial='pty' # allow us to connect from xl console
boot="c"
sdl=0
acpi=1
apic=1
pae=1
usbdevice='tablet'
# do not use VNC since console is redirected to DOM0
#vnc=1
#vncdisplay=1

Start the VM


Now we'd like to start the virtual machine.

Unfortunately, we're using the XAPI toolstack which doesn't provide an equivalent to the xl create <vm> -c.
Well have to modify the toolstack and reboot (had no time to search how to only reboot the toolstack itself).

> nano /etc/default/xen

TOOLSTACK=xl

> reboot

Start the virtual with

> cd /opt/xen/X-Local-VMS/
> xl create ipfire -c

It will boot, do some housekeeping and reboot. During the reboot you will lose your console, and must reconnect.

the -c tells xl to connect you to the console immediately. You can watch as the housekeeping is done (mainly, enlarging the / partition), then you will see the reboot message. When you are back at the DOM0 prompt, reconnect with

> xl console ipfire

Then configure the router. Remember, if you are connected over a terminal window on your workstation (likely via ssh), the size of the window should be as close as possible to 80 char x 24 lines. This is an ongoing issue with the scon install, and one that can not be easily fixed.

STOP

Deprecated method (click to see)


See deprecated method