WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

RE: [Xen-devel] Enabling domU to create other domUs

To: "Hayawardh V" <hayawardh@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Enabling domU to create other domUs
From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date: Tue, 8 Jul 2008 21:10:53 -0700
Cc:
Delivery-date: Tue, 08 Jul 2008 21:11:21 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <68f1f87c0807081945m72a886abn4fd5020cb4a57f2a@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <68f1f87c0807071014y69c3d573y2ef0d6c487371710@xxxxxxxxxxxxxx><617dbaa80807080925l85f43bfje39e15bb22954b70@xxxxxxxxxxxxxx> <68f1f87c0807081945m72a886abn4fd5020cb4a57f2a@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcjhbeiwXglvweMRS6qK1aU/y8GbPQACVl7Q
Thread-topic: [Xen-devel] Enabling domU to create other domUs

There have been a few (brief) discussions about disaggregating dom0 (see Derek’s slides from the 2007 Xen Summit: http://xen.org/files/xensummit_fall07/22_DerekMurray.pdf) and they all involved de-privileging the domain builder.

 

If you’re up for doing some work, I’d recommend that approach as it will not only solve your problem but also bring the community a step closer to a de-privileged dom0.

 

joe

 

From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Hayawardh V
Sent: Tuesday, July 08, 2008 7:46 PM
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Enabling domU to create other domUs

 

 

On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@xxxxxxxxxxxx> wrote:

Hi Hayawardh,


If you did make your DomU privileged, this would make it privileged
over all domains, which requires you to trust each DomU with this
privilege. This is probably not acceptable from a security
point-of-view. If you had the inclination, you could probably conjure
up a Xen Security Module that enforced hierarchical privilege, but you
would probably still have to modify the tools.


This is exactly what I have in mind. Can you just give me a few additional pointers of what needs to be done with the tools, and the hypervisor?

Thanks a lot!


If you simply want to be able to create domains from a DomU, have you
considered installing xm in that domain and configuring it to use the
instance of xend that runs in Dom0?

Regards,

Derek Murray.


On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@xxxxxxxxx> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
> if (current-> domain->domain_id != 0)
> return -EPERM
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
>

> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>

 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel