[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] domU kernel

  • To: Steve Wray <steve.wray@xxxxxxxxx>
  • From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
  • Date: Mon, 15 Oct 2007 07:44:35 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Sun, 14 Oct 2007 23:38:35 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=F61MI6GmhkPuZiboUEBdd+KIJyvK2VfZTNBNNCqGl3xxZSbgIla1FAtikCl5bWiYsuFTt6fM1EG4p4j+HiqmJ7pzDe2oWbHDZikXLKmqQAttZs5fU5QK8JLFY3r0zuE6UnOwuKCzJpqolAY8xfubSLL+U6ecGrw85A3Vr+WLj6o=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Steve Wray wrote:
Christian Horn wrote:
On Fri, Oct 12, 2007 at 12:14:02AM -0400, IDAGroup - R.W.Muller wrote:
Hi, I found lots of threads where people talk about domU kernel sitting in /boot of dom0. The only kernel I can see there is the one the machine and dom0 booted from (vmlinuz-2.6.18-8.el5xen)

Two places are common:
- domU-kernel placed on dom0-filesystem directly, 'kernel' option in xen-
  config for the domU is used then. Only possible for paravirt-domU.
  pros: - kernel is directly reachable from dom0
cons: - domU depends on files outside of its disc-image, so you have to keep an eye of what domU uses what kernel-file
        - on upgrading the domU-kernel is a bit more complicated, keep
          kernel, maybe existing initrd and modules-directory in sync

- domU-kernel placed inside the domU-diskimage. Works for both HVM and
  paravirt-domU. One sees mostly this nowadays. Kernel is located/booted
  by pygrub (or a script mounting the partition, making a copy of the
  kernel inside to dom0, and starting it then)
pros: - easy updating, i.e. just 'yum update' from the domU updates the
          kernel, initrd, modules and kernel is booted on next domU-boot

You forgot the con.

cons: Security. You now have a domU in which a local exploit could result in code being executed in dom0 at the next boot of that domU. By the way, this actually happened. See CVE-2007-4993

IMHO putting the kernel in domU and using pygrub was always asking for trouble.

In my opinion it is completely crazy to expose dom0 to potential exploits from domU.

So far as I am aware this is the *only* way to so expose dom0 to domU security holes and I am deeply shocked if it is true that "One sees mostly this nowadays"

There's a big advantage to pygrub: kernel update procedures for DomU have nothing to do with Dom0's kernel. This prevents version and feature conflicts with package management sytems, and allows updates and reboots of DomU without having to write to Dom0. This was particularly troublesome with the Xensource kernels for RHEL 4 and RHEL 5, which had such different versions for kernel-xen on the server and kernel-xenU on the guest that it made RHEL whine quite hard about the Dom0 getting such an old kernel installed on it. And if you tried to use kernel-xen on the DomU, it created conflicts because the RHEL 4 kernel and RHEL 5 kernels had the same names and file names, and it could screw up which kernel you wound up with.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.