Re: [Xen-devel] Enabling domU to create other domUs


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "Hayawardh V" <hayawardh@xxxxxxxxx>
  • Date: Tue, 8 Jul 2008 22:45:34 -0400
  • Delivery-date: Tue, 08 Jul 2008 19:45:57 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>



On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@xxxxxxxxxxxx> wrote:
Hi Hayawardh,


If you did make your DomU privileged, this would make it privileged
over all domains, which requires you to trust each DomU with this
privilege. This is probably not acceptable from a security
point-of-view. If you had the inclination, you could probably conjure
up a Xen Security Module that enforced hierarchical privilege, but you
would probably still have to modify the tools.

This is exactly what I have in mind. Can you just give me a few additional pointers of what needs to be done with the tools, and the hypervisor?

Thanks a lot!

If you simply want to be able to create domains from a DomU, have you
considered installing xm in that domain and configuring it to use the
instance of xend that runs in Dom0?

Regards,

Derek Murray.

On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@xxxxxxxxx> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
> if (current->domain->domain_id != 0)
>     return -EPERM;
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
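
The difference between a flat privilege flag and the hierarchical privilege discussed in this thread, as an added C example that is not part of the original messages and is not Xen or XSM code. The names `toy_domain`, `flat_check`, `hier_check`, the rule that a domain's parent is its creator, and the sample domain tree are all assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH 16 /* bound the walk so a corrupted chain cannot loop forever */

/* Toy model (NOT Xen's struct domain): each domain records who created it. */
struct toy_domain {
    unsigned int id;
    const struct toy_domain *parent; /* NULL for the root, Dom0-like domain */
    bool is_privileged;              /* the single flat privilege flag */
};

/* Flat model: a privileged caller may operate on every domain. */
int flat_check(const struct toy_domain *caller, const struct toy_domain *target)
{
    (void)target; /* the target is never consulted: that is the problem */
    return caller->is_privileged ? 0 : -EPERM;
}

/* Hierarchical model: a caller may operate only on its own descendants. */
int hier_check(const struct toy_domain *caller, const struct toy_domain *target)
{
    const struct toy_domain *d = target->parent;
    for (int depth = 0; d != NULL && depth < MAX_DEPTH; d = d->parent, depth++)
        if (d == caller)
            return 0;
    return -EPERM; /* not an ancestor, or chain too deep: fail closed */
}

/* Constructed sample tree: dom0 -> {domA -> domA1, domB}. */
static const struct toy_domain dom0  = { 0, NULL,  true  };
static const struct toy_domain domA  = { 1, &dom0, true  }; /* DomU made privileged */
static const struct toy_domain domB  = { 2, &dom0, false }; /* unrelated tenant */
static const struct toy_domain domA1 = { 3, &domA, false }; /* created by domA */

int main(void)
{
    printf("flat: domA -> domB  = %d\n", flat_check(&domA, &domB));
    printf("hier: domA -> domB  = %d\n", hier_check(&domA, &domB));
    printf("hier: domA -> domA1 = %d\n", hier_check(&domA, &domA1));
    printf("hier: dom0 -> domA1 = %d\n", hier_check(&dom0, &domA1));
    return 0;
}
```

Under the flat check the privileged DomU is allowed to act on the unrelated `domB`; under the hierarchical check it is limited to `domA1`, the domain it created, while the root domain keeps control of the whole tree.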