| |
|
 |
|
 |
|
|
|
| |
|
|
xen-users
RE: [Xen-users] Very technical question about ballooning
Adding Dan Magenheimer for his thoughts..
-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Moritz Duge
Sent: Thursday, August 12, 2010 10:38 AM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Very technical question about ballooning
Hi there!
I'm having a quite difficult question about the ballooning feature of Xen.
The scenario is like this: I'm having a dom0 and some domUs. But I don't
trust the operating-system inside one of the domUs. Please don't ask me
why I just don't trust this operating-system! I can give you 1001
reasons for it. This domU operating-system could be managed by an evil
administrator or it could just be unsecure, so someone can break into it
and gain root access.
Nevertheless, I would like to use ballooning for all of the domUs, also
the untrusted one. Mainly because the memory requirements of the domUs
change sometimes, but I don't want to reboot them.
That's why I want to use ballooning. And the added maxmem-values (not
the memory values) will be more then the physical memory I have.
So the question is: Does Xen ensure, that the untrusted guest doesn't
cheats the ballooning model?
What will happen, if memory is set to 512 mb for example and maxmem is
768 mb. And then, the guest just unloads the ballooning stuff from it's
operating-system kernel.
- Will the guest be able to "see" (by using the linux-command free in
the guest for example) it's maxmem (768 mb)?
- And what will happend, if the guest tries to use it's full maxmem (768
mb), not just the 512 mb? Will the guest crash???
- What happends if the guest can use maxmem and the whole system (dom0
and the real hardware computer) runs out of memory? Will the whole real
computer crash? Or just the malicious domU? Or all the domUs, but not
the dom0???
Think of that: In the scenario I'm talking about, the bad domU is not
really under my control. For shure, I wouldn't use more memory then I
have. But in this case it's not my decision. It's the decision of
somebody evil who gained the control over the domU (as I said, don't ask
me why - there are enough exploids and undiscovered security holes out
there).
At last:
- Are there differences concerning this, when using the paravirtualized
mode (linux) and using the hvm mode with paravirtualized hvm drivers???
- Are there differences between the versions of the or the available
xen-linux-kernels?
- It's not so hard to have a Xen Kernel without ballooning. For example
look at Fedora 9. It brings a Xen-PV Kernel without ballooning!
At very last: Is there any detailed documentation for this?
Thanks!
Moritz Duge
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
| |
|
Home