Re: [Xen-devel] Enabling domU to create other domUs

To:	"Hayawardh V" <hayawardh@xxxxxxxxx>
Subject:	Re: [Xen-devel] Enabling domU to create other domUs
From:	"Derek Murray" <Derek.Murray@xxxxxxxxxxxx>
Date:	Tue, 8 Jul 2008 17:25:03 +0100
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Tue, 08 Jul 2008 09:26:00 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :sender:to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=YWXGty7pHWdc1qN9kXh5c6h6vcqEDA72uIKo4756fos=; b=YKOi7JGocMBVmu9t5iDLbtOgfvXKw0wloIXwH1yLVyFpk7dJXP2McY55cpFoGaSAVM 1faMgAjCeMF+uoYWNAmVx0b5rpQ9DXoqet5YqLH9s/tkyFNAO3NKsJwaH6CYpdkg99c9 dUMu1mvdIeInvAD2MD4Zzgsg+D3kM8QK7J+Wg=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:sender:to:subject:cc:in-reply-to :mime-version:content-type:content-transfer-encoding :content-disposition:references:x-google-sender-auth; b=xrarYF6pcGbUk+RJxhJGOD7qqM0Veq2B87DWtpV/7LCqDp+xB3TZnE0wHOegk43Crt Qy4wBnwL1V2qhmbgI6c+KXaLfGC3urAgXayDxW1gjI8FHXt3yudHjw9578T/zE1GwrYy 2CmOYn9R7Tv4P8Wq06HQoKTiLGwRFEIyf3RjI=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<68f1f87c0807071014y69c3d573y2ef0d6c487371710@xxxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<68f1f87c0807071014y69c3d573y2ef0d6c487371710@xxxxxxxxxxxxxx>
Reply-to:	Derek.Murray@xxxxxxxxxxxx
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi Hayawardh,

There are (at least) a couple of architectural reasons why xend will
not work in a DomU: it assumes that XenStore is running in the same
domain, and it assumes that the domain running it is privileged. In a
normal Xen system, only Dom0 has the privileged bit set (when it is
loaded at boot); it is not possible to create another privileged
domain using the regular tools.

If you did make your DomU privileged, this would make it privileged
over all domains, which requires you to trust each DomU with this
privilege. This is probably not acceptable from a security
point-of-view. If you had the inclination, you could probably conjure
up a Xen Security Module that enforced hierarchical privilege, but you
would probably still have to modify the tools.

If you simply want to be able to create domains from a DomU, have you
considered installing xm in that domain and configuring it to use the
instance of xend that runs in Dom0?

Regards,

Derek Murray.

On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@xxxxxxxxx> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
> if (current-> domain->domain_id != 0)
> return -EPERM
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

WARNING - OLD ARCHIVES

xen-devel

Re: [Xen-devel] Enabling domU to create other domUs