Hi,
On Thu, 2009-08-20 at 10:00 -0400, weiming wrote:
> Hi Vincent,
>
> Yes, I'm considering adding a TCP socket for xenstored.
>
> Since xen apis can be called remotely, there's no reason to prevent
> accessing xenstore in the same way.

We did this when working on an experiment to use Xen on a single system
image. Our implementation utilized a private back-end LAN which was not
exposed to dom-u's that faced the public, so no authentication mechanism
was needed. We needed to set up remote watches to facilitate a sort of
'cluster wide upstart for xen'.

I would warn you, XenStore is fragile and often fickle; I've crashed it
many times within a guest while working on split drivers for various
character devices.

If you expose it via sockets, without having the API as a buffer to take
most 'brute force' abuse, be sure to code very defensively and utilize
iptables to restrict access. While xend can be restarted, xenstored
cannot.

Yes, APIs can be called remotely; however, some diligence prevails
before the API actually talks to xenstore.

Cheers,
--Tim
>
> thanks,
> Weiming
>
> On Thu, Aug 20, 2009 at 5:24 AM, Vincent Hanquez
> <vincent.hanquez@xxxxxxxxxxxxx> wrote:
>
> > weiming wrote:
> > > Hi,
> > >
> > > Is it possible to read/write the xenstore from another
> > > physical machine?
> > >
> > > I know it uses Unix socket. So it looks hard to access
> > > it remotely, isn't it?
> >
> > Hi weiming,
> >
> > whilst it's not possible at the moment and certainly a bad
> > idea security-wise, making xenstored listen on a TCP socket
> > along with the Unix socket is very easy.
> >
> > cheers,
> > --
> > Vincent
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
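
Added example, not part of the original message and not xenstored's own code: one way to apply the "code very defensively" advice to a TCP listener is to judge every frame from its header before any allocation or copy. The `ex_` names and the type bound are hypothetical, and the sketch assumes both ends share host byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as struct xsd_sockmsg in Xen's xs_wire.h, declared
 * under example names so the block builds without the Xen headers. */
struct ex_xs_hdr { uint32_t type, req_id, tx_id, len; };
#define EX_PAYLOAD_MAX 4096u  /* value of XENSTORE_PAYLOAD_MAX */
#define EX_TYPE_LIMIT  64u    /* assumed bound on valid message types */

enum ex_verdict { EX_REJECT = -1, EX_NEED_MORE = 0, EX_OK = 1 };

/* Judge the bytes received so far from an untrusted peer. The header
 * alone decides whether to keep reading, dispatch, or drop the
 * connection, so a hostile length never sizes an allocation or copy. */
enum ex_verdict ex_check_frame(const unsigned char *buf, size_t have,
                               struct ex_xs_hdr *out, size_t *frame_len)
{
    struct ex_xs_hdr h;

    if (have < sizeof h)
        return EX_NEED_MORE;            /* header incomplete */
    memcpy(&h, buf, sizeof h);          /* no unaligned access */
    if (h.type >= EX_TYPE_LIMIT)
        return EX_REJECT;               /* unknown operation */
    if (h.len > EX_PAYLOAD_MAX)
        return EX_REJECT;               /* oversized payload claim */
    if (have - sizeof h < h.len)
        return EX_NEED_MORE;            /* payload incomplete */
    *out = h;
    *frame_len = sizeof h + h.len;
    return EX_OK;
}

int main(void)
{
    /* Constructed sample: a header claiming a 1 MiB payload. */
    struct ex_xs_hdr bad = { 2, 1, 0, 1u << 20 }, out;
    unsigned char buf[sizeof bad];
    size_t n = 0;

    memcpy(buf, &bad, sizeof bad);
    printf("verdict=%d\n", ex_check_frame(buf, sizeof buf, &out, &n));
    return 0;
}
```

A listener would close the connection on `EX_REJECT` and cap how long it waits on `EX_NEED_MORE`, since a crash of xenstored cannot be recovered by a restart.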