
Re: [Xen-users] Separate kernel on domU's



On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
> Hello,
> 
> I am still learning about Xen. I am trying to set up Xen hypervisor
> for the first time. I was reading the howto here:
> 
> http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
> 
> and I stopped here:
> 
> "(To use the default Ubuntu kernel instead of Debian's Xen kernel in
> the guest, you can also comment out the kernel and initrd lines in
> /etc/xen-tools/xen-tools.conf.)"

I don't remember a lot about xen-tools, and others have given you
some pointers on how to manually specify a DomU kernel from the Dom0.

Personally, though, I find it much easier to keep the DomU kernel in
the DomU.  With proper configuration (installation of grub-legacy
on some platforms, so the guest updates the grub1 configuration
file rather than the grub2 configuration file in the guest),
it is possible to set things up so that the guest can upgrade the
guest kernel without the dom0 doing anything.  PyGRUB, I think, is
the recommended Debian way to do this, but PyGRUB isn't very secure
if you don't trust the guest administrators.  PV-GRUB solves
those problems, and can call itself, but you'd need to compile it
from source and copy it over, as it doesn't come with Debian.  (It will
work fine with the rest of the Xen setup; Debian just doesn't package
it.)


Here is some info on PVGRUB and how I use it with my untrusted users - the
document is kind of out of date, but I think still correct in the important
ways:

http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

I create a pvgrub config file on a read-only partition and boot off that;
but that menu.lst calls pvgrub with the menu.lst on the user-writable 
partition after two seconds, so by default, the user's menu.lst is what
boots the kernel, but if for whatever reason the user screws that up,
they can boot off the read-only partition and fix it without
bugging me. 

I've got some basic info about pygrub above that in the same document.
Like I said, I think pygrub is not suitable for untrusted guests because
of security problems and because if the guest messes up the grub config,
they need dom0 administrator help to fix it.  But, on the plus side,
I think recent versions of pygrub support grub2 format config
files.


Note, pvgrub protects you from the recent exploits in the code to unzip
kernels; pygrub does not.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
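
An added example, not part of the original message: a small Python audit that classifies Xen domU config files by boot method and lists the guests still booted through pygrub, the case the message warns about for untrusted guests. The config paths, guest names and the substring heuristics are assumptions made for illustration.

```python
import re

# Matches simple `key = "value"` / `key = 'value'` assignments in an xm/xl
# domU config file; list values such as disk = [...] are ignored here.
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(["\'])(.*?)\2\s*(?:#.*)?$')

def parse_domu_cfg(text):
    """Return the string-valued settings of a domU config as a dict."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)  # commented-out lines start with '#' and do not match
        if m:
            settings[m.group(1)] = m.group(3)
    return settings

def boot_method(text):
    """Classify where the guest's boot configuration is parsed."""
    cfg = parse_domu_cfg(text)
    if "pygrub" in cfg.get("bootloader", ""):
        return "pygrub"        # dom0 reads the guest's disk and grub config
    kernel = cfg.get("kernel", "")
    if "pv-grub" in kernel or "pvgrub" in kernel:
        return "pvgrub"        # grub runs inside the guest domain
    if kernel:
        return "dom0-kernel"   # kernel file is stored in and chosen by dom0
    return "unknown"

def audit(configs):
    """Names of guests booted via pygrub, for review when guests are untrusted."""
    return sorted(n for n, t in configs.items() if boot_method(t) == "pygrub")

# Constructed sample configs; file paths and guest names are assumptions.
SAMPLES = {
    "guest-a": 'name = "guest-a"\nbootloader = "/usr/bin/pygrub"\n',
    "guest-b": 'name = "guest-b"\nkernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"\n'
               'extra = "(hd0,0)/boot/grub/menu.lst"\n',
    "guest-c": 'name = "guest-c"\nkernel = "/boot/vmlinuz-xen"\nramdisk = "/boot/initrd-xen"\n',
    "guest-d": '# bootloader = "/usr/bin/pygrub"\nkernel = "/boot/vmlinuz-xen"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, boot_method(text))
    print("review:", audit(SAMPLES))
```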