[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Is it possible to access XenStore remotely?



Hi,

On Thu, 2009-08-20 at 10:00 -0400, weiming wrote:
> Hi VIncent,
> 
> Yes, I'm considering adding a TCP socket for xenstored. 
> 
> Since xen apis can be called remotely, there's no reason to prevent
> accessing xenstore in the same way.

We did this when working on an experiment to use Xen on a single system
image. Our implementation utilized a private back-end LAN which was not
exposed to dom-u's that faced the public, so no authentication mechanism
was needed. We needed to set up remote watches to facilitate a sort of
'cluster wide upstart for xen'. 

I would warn you, XenStore is fragile and often fickle, I've crashed it
many times within a guest while working on split drivers for various
character devices.

If you expose it via sockets, without having the API as a buffer to take
most 'brute force' abuse, be sure to code very defensively and utilize
iptables to restrict access. While xend can be re-started , xenstored
can not.

Yes, API's can be called remotely, however some diligence prevails
before the API actually talks to xenstore.

Cheers,
--Tim



> 
> thanks,
> Weiming
> 
> On Thu, Aug 20, 2009 at 5:24 AM, Vincent Hanquez
> <vincent.hanquez@xxxxxxxxxxxxx> wrote:
>         
>         weiming wrote:
>                 Hi,
>                 
>                 Is it possible to read/write the xenstore from another
>                 physical machine?
>                 
>                 I know it uses Unix socket. So it looks hard to access
>                 it remotely, isn't it?
>         Hi weiming,
>         
>         whilst it's not possible at the moment and certainly a bad
>         idea security wise, make xenstored listen on a tcp socket
>         along with the unix socket is very easy.
>         
>         cheers,
>         --
>         Vincent
>         
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
-- 
Monkey + Typewriter = Echoreply ( http://echoreply.us )


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.