On Thu, 2009-08-20 at 10:00 -0400, weiming wrote:
> Hi Vincent,
> Yes, I'm considering adding a TCP socket for xenstored.
> Since xen apis can be called remotely, there's no reason to prevent
> accessing xenstore in the same way.
We did this when working on an experiment to use Xen on a single system
image. Our implementation utilized a private back-end LAN which was not
exposed to dom-u's that faced the public, so no authentication mechanism
was needed. We needed to set up remote watches to facilitate a sort of
'cluster wide upstart for xen'.
I would warn you, XenStore is fragile and often fickle; I've crashed it
many times within a guest while working on split drivers for various
If you expose it via sockets, without having the API as a buffer to take
most 'brute force' abuse, be sure to code very defensively and utilize
iptables to restrict access. While xend can be re-started, xenstored
Yes, APIs can be called remotely; however, some diligence prevails
before the API actually talks to xenstore.
> On Thu, Aug 20, 2009 at 5:24 AM, Vincent Hanquez
> <vincent.hanquez@xxxxxxxxxxxxx> wrote:
> > weiming wrote:
> > > Is it possible to read/write the xenstore from another
> > > physical machine?
> > > I know it uses Unix socket. So it looks hard to access
> > > it remotely, isn't it?
> > Hi weiming,
> > whilst it's not possible at the moment and certainly a bad
> > idea security wise, making xenstored listen on a tcp socket
> > along with the unix socket is very easy.
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Xen-devel mailing list
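The advice above (keep the socket on a private back-end LAN, restrict who can reach it, and code defensively so a fragile daemon never sees raw abuse) can be illustrated with a small TCP front door that sits between the network and the daemon's Unix socket. The following is an added example written for this thread, not code from Xen or from anyone in the discussion. It assumes a 4-byte length-prefixed framing, a placeholder port and socket path, and a 10.0.0.0/24 back-end subnet; none of these are the real xenstore wire protocol or configuration.

```python
"""Defensive TCP front door for a fragile local daemon (constructed example).

A connection is accepted only from an allowlisted back-end subnet, each
request is bounded in size and fully read before anything is relayed, and
only then are the bytes forwarded over the daemon's Unix socket.
"""
import ipaddress
import socket
import struct
import threading

# All values below are assumptions for the example, not real xenstored settings.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]    # private back-end LAN
MAX_REQUEST = 4096                                      # hard cap per request
UNIX_SOCKET_PATH = "/var/run/example-daemon.sock"       # placeholder path
LISTEN_ADDR = ("0.0.0.0", 19999)                        # placeholder port


def is_allowed(peer_ip, allowed_nets=ALLOWED_NETS):
    """True only if the peer's source address lies inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def _recv_exact(recv, n):
    """Read exactly n bytes via recv(n); None on EOF before n bytes arrived."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_frame(recv, max_len=MAX_REQUEST):
    """Read one length-prefixed frame (assumed framing: 4-byte big-endian length).

    Returns the body, None on clean EOF, and raises ValueError for a zero,
    oversize or truncated frame so the caller drops the client instead of
    passing partial or huge input on to the daemon.
    """
    header = _recv_exact(recv, 4)
    if header is None:
        return None
    (length,) = struct.unpack("!I", header)
    if length == 0 or length > max_len:
        raise ValueError("frame length %d outside 1..%d" % (length, max_len))
    body = _recv_exact(recv, length)
    if body is None:
        raise ValueError("truncated frame")
    return body


def make_recv(data):
    """Build a recv(n) callable over an in-memory byte string (offline use)."""
    view = memoryview(data)
    pos = [0]

    def recv(n):
        chunk = view[pos[0]:pos[0] + n].tobytes()
        pos[0] += len(chunk)
        return chunk
    return recv


def relay_request(body, unix_path=UNIX_SOCKET_PATH):
    """Forward one validated request to the daemon and return its reply bytes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as backend:
        backend.connect(unix_path)
        backend.sendall(struct.pack("!I", len(body)) + body)
        return backend.recv(MAX_REQUEST)


def handle_client(conn, peer):
    """Per-connection loop: allowlist check, then bounded frames only."""
    with conn:
        if not is_allowed(peer[0]):
            return                      # silently drop anything off the back-end LAN
        try:
            while True:
                body = read_frame(conn.recv)
                if body is None:
                    return
                conn.sendall(relay_request(body))
        except (ValueError, OSError):
            return                      # malformed input or backend failure: close


def serve(listen_addr=LISTEN_ADDR):
    """Accept loop; pair this with a host firewall that only admits the back-end subnet."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen(8)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The source-address check is a second line of defence behind the iptables rules the message recommends, not a replacement for them, and the frame validation is what keeps a malformed or oversized request from ever reaching the daemon.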