[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] can I boot privilleged dom like dom0 via xm create


  • To: "Mark Williamson" <mark.williamson@xxxxxxxxxxxx>
  • From: "ruby young" <yangyang@xxxxxxxxxxxxxxx>
  • Date: Fri, 20 Jun 2008 00:49:00 +0800
  • Cc: Derek.Murray@xxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 19 Jun 2008 09:49:25 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:references:x-google-sender-auth; b=C+u/BLmxA10YhS92/LDcMrLvOSi/s7P/veIC9sZVFGM9sIVn9Ozc26hNbjsEwjLc/8 mNuIMFmE0d/eALCgHYnKegMXvcswE74qsdJvh90EHnoDvlJED1nQvBzTUlHJNgbT5Vyq 51cYEV2cyBzLI+8Y6lLxO7oL0wwZQMpLBqrPk=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Thanks, Mark
What you said helps me a lot!
 
But I have an another quesiton:
I compared the configuration of xen, xen0 and xenU(the config file are in the directory named build-linux-2.6.18-xen/xen0/xenU_x86_32). As my expected, xen0 and xenU config the necessary devices they want and xen config more things such as more network options and others. But the size of the kernels is  below:
vmlinux-syms-2.6.18-xen    4080677
vmlinux-syms-2.6.18-xen0  51225377
vmlinux-syms-2.6.18-xenU 28080922
why the kernel, vmlinux-syms-2.6.18-xen, is the smallest? I think it may be largest.
 
Eager for your answering~
Best wishes !
 
Ruby Young


On 6/19/08, Mark Williamson <mark.williamson@xxxxxxxxxxxx> wrote:
Ruby,

Further to what Derek has said, I'd like to point out that what kernel you use
never affects the privilege of the guest.

All the -xen0 kernel name means is that the kernel /can/ do dom0 stuff.  This
is as opposed to a -xenU kernel, which has had the dom0 support removed from
it.  Removing the dom0 support in a xenU kernel is done /only to make the
kernel smaller/.  It doesn't have any effect on security or privilege.

Actually, most distributions seem to now supply one -xen kernel that is used
both in dom0 and domU.

This is because, as Derek mentioned, Xen enforces the privileges of guests
itself and doesn't have to trust their kernels.  This is different to how
User Mode Linux works, since in that system the kernel itself enforces the
virtual machine boundaries.  You can securely run any kernel you want in a
domU - even one supplied by the user - because Xen will contain it.

Cheers,
Mark

> At present, there is no way to do this with xm. In the hypervisor,
> each struct domain has an is_privileged attribute (which is at present
> only set when dom0 is created at boot). You could add a domctl to
> control the setting of this bit, and then write a small C program that
> uses do_domctl from libxc to set the privilege on a domain.
>
> However, simply running two privileged domains with parallel sets of
> Xen tools is unlikely to work, for example because you will end up
> with two instances of XenStore.
>
> Regards,
>
> Derek Murray.
>
> 2008/6/13 ruby young <yangyang@xxxxxxxxxxxxxxx>:
> > Hi all,
> >     I'm using vmlinuz-2.6.18-xen0 as domU kernel and I boot it via xm
> > create. But the kernel didn't panic, it's running but all of xen tools
> > can not work. I am surprised at this.
> >     Now My question whether I can boot privilleged dom like dom0 via xm
> > create ? and how can I do it?
> >     I am looking forwards to your suggestions.
> >
> > Best wishes
> >
> >                                       Ruby Young
> >
> > -------------------------------------------------------------------------
> >--------------------------------------------------------------------------
> >------------------------------------------------ 杨漾
> > 北京航空航天大学计算机学院体系结构研究所
> > 电话:010-82338059-132
> > 邮件:9907yruby@xxxxxxxxx
> > 地址:北京市海淀区学院路37号北京航空航天大学新主楼 G座1026
> > -------------------------------------------------------------------------
> >------- Yang Yang
> > Institute of Computer Architecture and System
> > BeiHang University(BUAA)
> > Tel: (86-10)82338059-132
> > Email: 9907yruby@xxxxxxxxx
> > Addr: Room 1026,Building G,The New Main Building,37# Xueyuan Rd.,Haidian
> > District, Beijing 100083, PRC
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel



--
Push Me Pull You - Distributed SCM tool (http://www.cl.cam.ac.uk/~maw48/pmpu/)



--
Best wishes

杨漾
北京航空航天大学计算机学院体系结构研究所
电话:010-82338059-132
邮件:9907yruby@xxxxxxxxx
地址:北京市海淀区学院路37号北京航空航天大学新主楼 G座1026
--------------------------------------------------------------------------------
Yang Yang
Institute of Computer Architecture and System
BeiHang University(BUAA)
Tel: (86-10)82338059-132
Email: 9907yruby@xxxxxxxxx
Addr: Room 1026,Building G,The New Main Building,37# Xueyuan Rd.,Haidian District, Beijing 100083, PRC
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.