[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Very technical question about ballooning


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Moritz Duge <md@xxxxxxxxxxx>
  • Date: Thu, 12 Aug 2010 16:38:26 +0200
  • Delivery-date: Thu, 12 Aug 2010 07:39:55 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi there!
I'm having a quite difficult question about the ballooning feature of Xen.

The scenario is like this: I'm having a dom0 and some domUs. But I don't trust the operating-system inside one of the domUs. Please don't ask me why I just don't trust this operating-system! I can give you 1001 reasons for it. This domU operating-system could be managed by an evil administrator or it could just be unsecure, so someone can break into it and gain root access.

Nevertheless, I would like to use ballooning for all of the domUs, also the untrusted one. Mainly because the memory requirements of the domUs change sometimes, but I don't want to reboot them. That's why I want to use ballooning. And the added maxmem-values (not the memory values) will be more then the physical memory I have.


So the question is: Does Xen ensure, that the untrusted guest doesn't cheats the ballooning model? What will happen, if memory is set to 512 mb for example and maxmem is 768 mb. And then, the guest just unloads the ballooning stuff from it's operating-system kernel.

- Will the guest be able to "see" (by using the linux-command free in the guest for example) it's maxmem (768 mb)?

- And what will happend, if the guest tries to use it's full maxmem (768 mb), not just the 512 mb? Will the guest crash???

- What happends if the guest can use maxmem and the whole system (dom0 and the real hardware computer) runs out of memory? Will the whole real computer crash? Or just the malicious domU? Or all the domUs, but not the dom0???


Think of that: In the scenario I'm talking about, the bad domU is not really under my control. For shure, I wouldn't use more memory then I have. But in this case it's not my decision. It's the decision of somebody evil who gained the control over the domU (as I said, don't ask me why - there are enough exploids and undiscovered security holes out there).


At last:

- Are there differences concerning this, when using the paravirtualized mode (linux) and using the hvm mode with paravirtualized hvm drivers???

- Are there differences between the versions of the or the available xen-linux-kernels?

- It's not so hard to have a Xen Kernel without ballooning. For example look at Fedora 9. It brings a Xen-PV Kernel without ballooning!


At very last: Is there any detailed documentation for this?


Thanks!
Moritz Duge

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.