This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] Very technical question about ballooning

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Very technical question about ballooning
From: Moritz Duge <md@xxxxxxxxxxx>
Date: Thu, 12 Aug 2010 16:38:26 +0200
Delivery-date: Thu, 12 Aug 2010 07:39:55 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; de; rv: Gecko/20100711 Lightning/1.0b2 Thunderbird/3.0.6
Hi there!
I'm having a quite difficult question about the ballooning feature of Xen.

The scenario is like this: I'm having a dom0 and some domUs. But I don't trust the operating-system inside one of the domUs. Please don't ask me why I just don't trust this operating-system! I can give you 1001 reasons for it. This domU operating-system could be managed by an evil administrator or it could just be unsecure, so someone can break into it and gain root access.

Nevertheless, I would like to use ballooning for all of the domUs, also the untrusted one. Mainly because the memory requirements of the domUs change sometimes, but I don't want to reboot them. That's why I want to use ballooning. And the added maxmem-values (not the memory values) will be more then the physical memory I have.

So the question is: Does Xen ensure, that the untrusted guest doesn't cheats the ballooning model? What will happen, if memory is set to 512 mb for example and maxmem is 768 mb. And then, the guest just unloads the ballooning stuff from it's operating-system kernel.

- Will the guest be able to "see" (by using the linux-command free in the guest for example) it's maxmem (768 mb)?

- And what will happend, if the guest tries to use it's full maxmem (768 mb), not just the 512 mb? Will the guest crash???

- What happends if the guest can use maxmem and the whole system (dom0 and the real hardware computer) runs out of memory? Will the whole real computer crash? Or just the malicious domU? Or all the domUs, but not the dom0???

Think of that: In the scenario I'm talking about, the bad domU is not really under my control. For shure, I wouldn't use more memory then I have. But in this case it's not my decision. It's the decision of somebody evil who gained the control over the domU (as I said, don't ask me why - there are enough exploids and undiscovered security holes out there).

At last:

- Are there differences concerning this, when using the paravirtualized mode (linux) and using the hvm mode with paravirtualized hvm drivers???

- Are there differences between the versions of the or the available xen-linux-kernels?

- It's not so hard to have a Xen Kernel without ballooning. For example look at Fedora 9. It brings a Xen-PV Kernel without ballooning!

At very last: Is there any detailed documentation for this?

Moritz Duge

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>