
Re: [Xen-devel] Enabling domU to create other domUs


  • To: "Hayawardh V" <hayawardh@xxxxxxxxx>
  • From: "Derek Murray" <Derek.Murray@xxxxxxxxxxxx>
  • Date: Tue, 8 Jul 2008 17:25:03 +0100
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 08 Jul 2008 09:26:00 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi Hayawardh,

There are (at least) a couple of architectural reasons why xend will
not work in a DomU: it assumes that XenStore is running in the same
domain, and it assumes that the domain running it is privileged. In a
normal Xen system, only Dom0 has the privileged bit set (when it is
loaded at boot); it is not possible to create another privileged
domain using the regular tools.

If you did make your DomU privileged, this would make it privileged
over all domains, which requires you to trust each DomU with this
privilege. This is probably not acceptable from a security
point-of-view. If you had the inclination, you could probably conjure
up a Xen Security Module that enforced hierarchical privilege, but you
would probably still have to modify the tools.

If you simply want to be able to create domains from a DomU, have you
considered installing xm in that domain and configuring it to use the
instance of xend that runs in Dom0?

Regards,

Derek Murray.

On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@xxxxxxxxx> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
> if (current->domain->domain_id != 0)
>     return -EPERM;
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>
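The contrast between a single privileged bit and the hierarchical privilege suggested in the reply above, as an added toy model in C. It is not Xen code and not from either poster; the domain tree, the struct and every function name are hypothetical.

```c
/* Toy model, not Xen source: all names here are hypothetical. */
#include <stdbool.h>

#define MAX_DOMS  8
#define NO_PARENT (-1)

struct toy_domain {
    int  parent;        /* id of the domain that created this one */
    bool is_privileged; /* flat model: one global privilege bit */
};

/* Constructed sample tree: 0 -> {1, 2}, 1 -> {3}, 3 -> {4} */
static struct toy_domain doms[MAX_DOMS] = {
    [0] = { NO_PARENT, true  },
    [1] = { 0,         false },
    [2] = { 0,         false },
    [3] = { 1,         false },
    [4] = { 3,         false },
};
static const int ndoms = 5;

static bool valid(int id) { return id >= 0 && id < ndoms; }

/* Flat check: a privileged caller may operate on every domain. */
bool flat_may_control(int caller, int target)
{
    return valid(caller) && valid(target) && doms[caller].is_privileged;
}

/* Hierarchical check: a caller may operate only on its descendants. */
bool hier_may_control(int caller, int target)
{
    if (!valid(caller) || !valid(target) || caller == target)
        return false;
    /* Walk up from the target; the depth bound guards against a cycle. */
    int cur = doms[target].parent;
    for (int depth = 0; cur != NO_PARENT && depth < ndoms; depth++) {
        if (cur == caller)
            return true;
        cur = doms[cur].parent;
    }
    return false;
}
```

Setting `is_privileged` on domain 1 in the flat model grants it control of its sibling and of domain 0, while the hierarchical check confines it to domains 3 and 4.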
