xen-devel
RE: [Xen-devel] Enabling domU to create other domUs
There have been a few (brief) discussions about disaggregating dom0
(see Derek’s slides from the 2007 Xen Summit: http://xen.org/files/xensummit_fall07/22_DerekMurray.pdf)
and they all involved de-privileging the domain builder.
If you’re up for doing some work, I’d recommend that
approach as it will not only solve your problem but also bring the community a
step closer to a de-privileged dom0.
joe
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Hayawardh V
Sent: Tuesday, July 08, 2008 7:46 PM
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Enabling domU to create other domUs
On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@xxxxxxxxxxxx> wrote:
Hi Hayawardh,
If you did make your DomU privileged, this would make it privileged
over all domains, which requires you to trust each DomU with this
privilege. This is probably not acceptable from a security
point-of-view. If you had the inclination, you could probably conjure
up a Xen Security Module that enforced hierarchical privilege, but you
would probably still have to modify the tools.
This is exactly what I have in mind. Can you just give me a few additional
pointers of what needs to be done with the tools, and the hypervisor?
Thanks a lot!
If you simply want to be able to create domains from a DomU, have you
considered installing xm in that domain and configuring it to use the
instance of xend that runs in Dom0?
Regards,
Derek Murray.
On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@xxxxxxxxx> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
> if (current->domain->domain_id != 0)
>     return -EPERM;
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>
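The contrast Derek draws between a privileged DomU and hierarchical privilege, as an added example that is not part of the original thread and is not Xen or XSM code: a toy C model in which `struct dom`, `flat_check`, `hier_check` and `dom_create` are hypothetical names. It assumes each domain records its creator as its parent and that dom0 is the root of the tree.

```c
#include <errno.h>
#include <stdio.h>
#define MAX_DOMS 16
#define NO_PARENT (-1)

/* Toy domain table (hypothetical model, not Xen's struct domain). */
struct dom { int in_use; int parent; int is_priv; };
static struct dom doms[MAX_DOMS] = { [0] = { 1, NO_PARENT, 1 } }; /* dom0 */
static int valid(int id) { return id >= 0 && id < MAX_DOMS && doms[id].in_use; }

/* Flat model: one privilege bit grants control over every domain. */
int flat_check(int caller, int target)
{
    if (!valid(caller) || !valid(target)) return -ESRCH;
    return doms[caller].is_priv ? 0 : -EPERM;
}

/* Hierarchical model: caller must be a strict ancestor of target (bounded walk). */
int hier_check(int caller, int target)
{
    if (!valid(caller) || !valid(target)) return -ESRCH;
    for (int cur = doms[target].parent, hops = 0;
         cur != NO_PARENT && hops < MAX_DOMS; hops++) {
        if (cur == caller) return 0;
        if (!valid(cur)) break;       /* destroyed or corrupted ancestor: deny */
        cur = doms[cur].parent;
    }
    return -EPERM;
}

/* Domain creation records the creator as parent; no privilege bit is set. */
int dom_create(int creator)
{
    if (!valid(creator)) return -ESRCH;
    for (int id = 1; id < MAX_DOMS; id++)
        if (!doms[id].in_use) {
            doms[id] = (struct dom){ 1, creator, 0 };
            return id;
        }
    return -ENOSPC;
}

int main(void)
{
    int a = dom_create(0), b = dom_create(0), a1 = dom_create(a);
    doms[a].is_priv = 1;  /* the "make the DomU privileged" shortcut */
    printf("flat a->b: %d | hier a->a1: %d, a->b: %d, a1->a: %d\n",
           flat_check(a, b), hier_check(a, a1), hier_check(a, b), hier_check(a1, a));
    return 0;
}
```

In the flat model domain `a` gains control over its unrelated sibling `b`; in the hierarchical model it controls only the domain it created.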