ia64/xen-unstable

docs/man/xm.pod.1 @ 16381:d1ac500f77c1

x86, hvm: Allow stdvga acceleration to work with 32-bit x86.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Nov 16 14:40:22 2007 +0000 (2007-11-16)
parents 6df47366830c
children 5255eac35270
=head1 NAME

xm - Xen management user interface

=head1 SYNOPSIS

B<xm> I<subcommand> [I<args>]

=head1 DESCRIPTION

The B<xm> program is the main interface for managing Xen guest
domains. The program can be used to create, pause, and shutdown
domains. It can also be used to list current domains, enable or pin
VCPUs, and attach or detach virtual block devices.

The basic structure of every B<xm> command is almost always:

=over 2

B<xm> I<subcommand> I<domain-id> [I<OPTIONS>]

=back

Where I<subcommand> is one of the subcommands listed below, I<domain-id>
is the numeric domain id, or the domain name (which will be internally
translated to domain id), and I<OPTIONS> are subcommand specific
options. There are a few exceptions to this rule in the cases where
the subcommand in question acts on all domains, the entire machine,
or directly on the Xen hypervisor. Those exceptions will be clear for
each of those subcommands.

=head1 NOTES

All B<xm> operations rely upon the Xen control daemon, aka B<xend>.
For any B<xm> commands to run, xend must also be running. For this
reason you should start xend as a service when your system first boots
using Xen.

Most B<xm> commands require root privileges to run due to the
communications channels used to talk to the hypervisor. Running as
non-root will return an error.

Most B<xm> commands act asynchronously, so just because the B<xm>
command returned doesn't mean the action is complete. This is
important, as many operations on domains, like create and shutdown,
can take considerable time (30 seconds or more) to bring the machine
into a fully compliant state. If you want to know when one of these
actions has finished you must poll through B<xm list> periodically.

=head1 DOMAIN SUBCOMMANDS

The following subcommands manipulate domains directly. As stated
previously, most commands take I<domain-id> as the first parameter.

=over 4

=item B<console> I<domain-id>

Attach to domain I<domain-id>'s console. If you've set up your domains to
have a traditional login console this will look much like a normal
text login screen.

This uses the back end xenconsole service which currently only
works for para-virtual domains.

The attached console will perform much like a standard serial console,
so running curses based interfaces over the console B<is not
advised>. Vi tends to get very odd when using it over this interface.

=item B<create> [B<-c>] I<configfile> [I<name>=I<value>]...

The create subcommand requires a config file and can optionally take a
series of name value pairs that add to or override variables defined
in the config file. See L<xmdomain.cfg> for full details of that file
format, and possible options used in either the configfile or
I<name>=I<value> combinations.

I<configfile> can either be an absolute path to a file, or a relative
path to a file located in /etc/xen.

Create will return B<as soon> as the domain is started. This B<does
not> mean the guest OS in the domain has actually booted, or is
available for input.

B<OPTIONS>

=over 4

=item B<-c>

Attach console to the domain as soon as it has started. This is
useful for determining issues with crashing domains.

=back

B<EXAMPLES>

=over 4

=item I<with config file>

    xm create Fedora4

This creates a domain with the file /etc/xen/Fedora4, and returns as
soon as it is run.

=item I<without config file>

    xm create /dev/null ramdisk=initrd.img \
      kernel=/boot/vmlinuz-2.6.12.6-xenU \
      name=ramdisk nics=0 vcpus=1 \
      memory=64 root=/dev/ram0

This creates the domain without using a config file (more specifically
using /dev/null as an empty config file), kernel and ramdisk as
specified, setting the name of the domain to "ramdisk", also disabling
virtual networking. (This example comes from the xm-test test suite.)

=back

=item B<destroy> I<domain-id>

Immediately terminate the domain I<domain-id>. This doesn't give the
domain OS any chance to react, and is the equivalent of ripping the
power cord out on a physical machine. In most cases you will want to
use the B<shutdown> command instead.

=item B<domid> I<domain-name>

Converts a domain name to a domain id using xend's internal mapping.

=item B<domname> I<domain-id>

Converts a domain id to a domain name using xend's internal mapping.

=item B<help> [B<--long>]

Displays the short help message (i.e. common commands).

The B<--long> option prints out the complete set of B<xm> subcommands,
grouped by function.

=item B<list> [B<--long> | B<--label>] [I<domain-id> ...]

Prints information about one or more domains. If no domains are
specified it prints out information about all domains.

An example format for the list is as follows:

    Name                 ID  Mem(MiB)  VCPUs  State  Time(s)
    Domain-0              0        98      1  r-----  5068.6
    Fedora3             164       128      1  r-----     7.6
    Fedora4             165       128      1  ------     0.6
    Mandrake2006        166       128      1  -b----     3.6
    Mandrake10.2        167       128      1  ------     2.5
    Suse9.2             168       100      1  ------     1.8

Name is the name of the domain. ID is the numeric domain id. Mem is the
desired amount of memory to allocate to the domain (although it may
not be the currently allocated amount). VCPUs is the number of
virtual CPUs allocated to the domain. State is the run state (see
below). Time is the total run time of the domain as accounted for by
Xen.

B<STATES>

=over 4

The State field lists 6 states for a Xen domain, and which ones the
current domain is in.

=item B<r - running>

The domain is currently running on a CPU.

=item B<b - blocked>

The domain is blocked, and not running or runnable. This can happen
because the domain is waiting on IO (a traditional wait state) or has
gone to sleep because there was nothing else for it to do.

=item B<p - paused>

The domain has been paused, usually occurring through the administrator
running B<xm pause>. When in a paused state the domain will still
consume allocated resources like memory, but will not be eligible for
scheduling by the Xen hypervisor.

=item B<s - shutdown>

FIXME: Why would you ever see this state?

=item B<c - crashed>

The domain has crashed, which is always a violent ending. Usually
this state can only occur if the domain has been configured not to
restart on crash. See L<xmdomain.cfg> for more info.

=item B<d - dying>

The domain is in process of dying, but hasn't completely shutdown or
crashed.

FIXME: Is this right?

=back

B<LONG OUTPUT>

=over 4

If B<--long> is specified, the output for B<xm list> is not the table
view shown above, but instead is an S-Expression representing all
information known about all domains asked for. This is mostly only
useful for external programs to parse the data.

B<Note:> There are no stability guarantees on the format of this data.
Use at your own risk.

=back

B<LABEL OUTPUT>

=over 4

If B<--label> is specified, the security labels are added to the
output of B<xm list> and the lines are sorted by the labels (ignoring
case). The B<--long> option prints the labels by default and cannot be
combined with B<--label>. See the ACCESS CONTROL SUBCOMMAND section of
this man page for more information about labels.

=back

B<NOTES>

=over 4

The Time column is deceptive. Virtual IO (network and block devices)
used by domains requires coordination by Domain0, which means that
Domain0 is actually charged for much of the time that a DomainU is
doing IO. Use of this time value to determine relative utilizations
by domains is thus very suspect, as a high IO workload may show as
less utilized than a high CPU workload. Consider yourself warned.

=back
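The polling advice in NOTES ("poll through xm list") and the table format described under B<list>, as an added example that is not part of the xm man page or the Xen tools: a parser for the `xm list` table that decodes the six State flags, plus a helper that polls a caller-supplied lister until a domain disappears or shows a given state. Function names are my own; the sample table is the one shown above, embedded as constructed input.

```python
"""Parse the table that `xm list` prints and decode the State column.

Added example, not part of the xm man page or the Xen tools. The polling
helper takes a callable that returns `xm list` output, so on a real host
it can be driven by subprocess.check_output(["xm", "list"]) and in a test
by canned text. All function names are hypothetical.
"""
import time
from typing import Callable, Dict, Optional, Set

# Flag letter -> state name, following the six-flag layout documented
# for the State column (r, b, p, s, c, d).
STATE_FLAGS = {
    "r": "running",
    "b": "blocked",
    "p": "paused",
    "s": "shutdown",
    "c": "crashed",
    "d": "dying",
}

# Constructed sample: the table reproduced from the man page.
SAMPLE_LIST_OUTPUT = """\
Name                 ID  Mem(MiB)  VCPUs  State  Time(s)
Domain-0              0        98      1  r-----  5068.6
Fedora3             164       128      1  r-----     7.6
Fedora4             165       128      1  ------     0.6
Mandrake2006        166       128      1  -b----     3.6
Mandrake10.2        167       128      1  ------     2.5
Suse9.2             168       100      1  ------     1.8
"""


def decode_state(field: str) -> Set[str]:
    """Turn a six-character flag field such as 'r-----' into state names.

    An all-dashes field ('------') is a runnable domain that is not on a
    CPU right now, so the empty set is returned for it.
    """
    if len(field) != 6:
        raise ValueError(f"unexpected State field: {field!r}")
    states: Set[str] = set()
    for ch in field:
        if ch == "-":
            continue
        if ch not in STATE_FLAGS:
            raise ValueError(f"unknown state flag {ch!r} in {field!r}")
        states.add(STATE_FLAGS[ch])
    return states


def parse_xm_list(output: str) -> Dict[str, dict]:
    """Parse `xm list` table output into {name: record}.

    Splitting on runs of whitespace recovers the six columns (domain names
    carry no spaces in this format); the header line is skipped by its
    first word. Lines with any other column count are ignored.
    """
    domains: Dict[str, dict] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "Name":
            continue
        name, domid, mem, vcpus, state, cpu_time = parts
        domains[name] = {
            "id": int(domid),
            "mem_mib": int(mem),
            "vcpus": int(vcpus),
            "state": decode_state(state),
            "time_s": float(cpu_time),
        }
    return domains


def wait_for_domain(lister: Callable[[], str], name: str,
                    gone: bool = False, want: Optional[str] = None,
                    attempts: int = 30, interval: float = 1.0) -> bool:
    """Poll lister() until domain `name` is gone (gone=True, e.g. after
    xm shutdown) or carries the state `want` (e.g. 'paused' after xm pause).

    Returns True when the condition is met, False after `attempts` polls
    `interval` seconds apart without it being met.
    """
    for attempt in range(attempts):
        domains = parse_xm_list(lister())
        present = name in domains
        if gone and not present:
            return True
        if want is not None and present and want in domains[name]["state"]:
            return True
        if attempt + 1 < attempts:
            time.sleep(interval)
    return False


if __name__ == "__main__":
    for dom, rec in parse_xm_list(SAMPLE_LIST_OUTPUT).items():
        print(f"{dom:14s} id={rec['id']:4d} state={sorted(rec['state'])}")
```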
=item B<mem-max> I<domain-id> I<mem>

Specify the maximum amount of memory the domain is able to use. I<mem>
is specified in megabytes.

The mem-max value may not correspond to the actual memory used in the
domain, as it may balloon down its memory to give more back to the OS.

=item B<mem-set> I<domain-id> I<mem>

Set the domain's used memory using the balloon driver. Because this
operation requires cooperation from the domain operating system, there
is no guarantee that it will succeed.

B<Warning:> There is no good way to know in advance how small of a
mem-set will make a domain unstable and cause it to crash. Be very
careful when using this command on running domains.

=item B<migrate> I<domain-id> I<host> [I<OPTIONS>]

Migrate a domain to another host machine. Xend must be running on the
other host machine, it must be running the same version of Xen, it
must have the migration TCP port open and accepting connections from
the source host, and there must be sufficient resources for the domain
to run (memory, disk, etc).

Migration is pretty complicated, and has many security implications.
Please read the Xen User's Guide to ensure you understand the
ramifications and limitations on migration before attempting it in
production.

B<OPTIONS>

=over 4

=item B<-l>, B<--live>

Use live migration. This will migrate the domain between hosts
without shutting down the domain. See the Xen User's Guide for more
information.

=item B<-r>, B<--resource> I<Mbs>

Set maximum Mbs allowed for migrating the domain. This ensures that
the network link is not saturated with migration traffic while
attempting to do other useful work.

=back

=item B<pause> I<domain-id>

Pause a domain. When in a paused state the domain will still consume
allocated resources such as memory, but will not be eligible for
scheduling by the Xen hypervisor.

=item B<reboot> [I<OPTIONS>] I<domain-id>

Reboot a domain. This acts just as if the domain had the B<reboot>
command run from the console. The command returns as soon as it has
executed the reboot action, which may be significantly before the
domain actually reboots.

The behavior of what happens to a domain when it reboots is set by the
B<on_reboot> parameter of the xmdomain.cfg file when the domain was
created.

B<OPTIONS>

=over 4

=item B<-a>, B<--all>

Reboot all domains.

=item B<-w>, B<--wait>

Wait for reboot to complete before returning. This may take a while,
as all services in the domain will have to be shut down cleanly.

=back

=item B<restore> I<state-file>

Build a domain from an B<xm save> state file. See B<save> for more info.

=item B<save> I<domain-id> I<state-file>

Saves a running domain to a state file so that it can be restored
later. Once saved, the domain will no longer be running on the
system, thus the memory allocated for the domain will be free for
other domains to use. B<xm restore> restores from this state file.

This is roughly equivalent to doing a hibernate on a running computer,
with all the same limitations. Open network connections may be
severed upon restore, as TCP timeouts may have expired.

=item B<shutdown> [I<OPTIONS>] I<domain-id>

Gracefully shuts down a domain. This coordinates with the domain OS
to perform graceful shutdown, so there is no guarantee that it will
succeed, and may take a variable length of time depending on what
services must be shutdown in the domain. The command returns
immediately after signalling the domain unless the B<-w> flag is used.

The behavior of what happens to a domain when it shuts down is set by the
B<on_shutdown> parameter of the xmdomain.cfg file when the domain was
created.

B<OPTIONS>

=over 4

=item B<-a>

Shutdown B<all> domains. Often used when doing a complete shutdown of
a Xen system.

=item B<-w>

Wait for the domain to complete shutdown before returning.

=back

=item B<sysrq> I<domain-id> I<letter>

Send a I<Magic System Request> signal to the domain. For more
information on available magic sys req operations, see sysrq.txt in
your Linux Kernel sources.

=item B<unpause> I<domain-id>

Moves a domain out of the paused state. This will allow a previously
paused domain to now be eligible for scheduling by the Xen hypervisor.

=item B<vcpu-set> I<domain-id> I<vcpu-count>

Enables the I<vcpu-count> virtual CPUs for the domain in question.
Like mem-set, this command can only allocate up to the maximum virtual
CPU count configured at boot for the domain.

If the I<vcpu-count> is smaller than the current number of active
VCPUs, the highest number VCPUs will be hotplug removed. This may be
important for pinning purposes.

Attempting to set the VCPUs to a number larger than the initially
configured VCPU count is an error. Trying to set VCPUs to < 1 will be
quietly ignored.

=item B<vcpu-list> [I<domain-id>]

Lists VCPU information for a specific domain. If no domain is
specified, VCPU information for all domains will be provided.

=item B<vcpu-pin> I<domain-id> I<vcpu> I<cpus>

Pins the VCPU to only run on the specific CPUs. The keyword
B<all> can be used to apply the I<cpus> list to all VCPUs in the
domain.

Normally VCPUs can float between available CPUs whenever Xen deems a
different run state is appropriate. Pinning can be used to restrict
this, by ensuring certain VCPUs can only run on certain physical
CPUs.

=back

=head1 XEN HOST SUBCOMMANDS

=over 4

=item B<dmesg> [B<-c>]

Reads the Xen message buffer, similar to dmesg on a Linux system. The
buffer contains informational, warning, and error messages created
during Xen's boot process. If you are having problems with Xen, this
is one of the first places to look as part of problem determination.

B<OPTIONS>

=over 4

=item B<-c>, B<--clear>

Clears Xen's message buffer.

=back

=item B<info>

Print information about the Xen host in I<name : value> format. When
reporting a Xen bug, please provide this information as part of the
bug report.

Sample output looks as follows (lines wrapped manually to make the man
page more readable):

    host                   : talon
    release                : 2.6.12.6-xen0
    version                : #1 Mon Nov 14 14:26:26 EST 2005
    machine                : i686
    nr_cpus                : 2
    nr_nodes               : 1
    cores_per_socket       : 1
    threads_per_core       : 1
    cpu_mhz                : 696
    hw_caps                : 0383fbff:00000000:00000000:00000040
    total_memory           : 767
    free_memory            : 37
    xen_major              : 3
    xen_minor              : 0
    xen_extra              : -devel
    xen_caps               : xen-3.0-x86_32
    xen_scheduler          : credit
    xen_pagesize           : 4096
    platform_params        : virt_start=0xfc000000
    xen_changeset          : Mon Nov 14 18:13:38 2005 +0100
                             7793:090e44133d40
    cc_compiler            : gcc version 3.4.3 (Mandrakelinux
                             10.2 3.4.3-7mdk)
    cc_compile_by          : sdague
    cc_compile_domain      : (none)
    cc_compile_date        : Mon Nov 14 14:16:48 EST 2005
    xend_config_format     : 3

B<FIELDS>

=over 4

Not all fields will be explained here, but some of the less obvious
ones deserve explanation:

=item B<hw_caps>

A vector showing what hardware capabilities are supported by your
processor. This is equivalent to, though more cryptic than, the flags
field in /proc/cpuinfo on a normal Linux machine.

=item B<free_memory>

Available memory (in MB) not allocated to Xen, or any other domains.

=item B<xen_caps>

The Xen version and architecture. Architecture values can be one of:
x86_32, x86_32p (i.e. PAE enabled), x86_64, ia64.

=item B<xen_changeset>

The Xen mercurial changeset id. Very useful for determining exactly
what version of code your Xen system was built from.

=back

=item B<log>

Print out the xend log. This log file can be found in
/var/log/xend.log.

=item B<top>

Executes the B<xentop> command, which provides real time monitoring of
domains. Xentop is a curses interface, and reasonably self
explanatory.

=back

=head1 SCHEDULER SUBCOMMANDS

Xen ships with a number of domain schedulers, which can be set at boot
time with the B<sched=> parameter on the Xen command line. By
default B<credit> is used for scheduling.

FIXME: we really need a scheduler expert to write up this section.

=over 4

=item B<sched-credit> [ B<-d> I<domain-id> [ B<-w>[B<=>I<WEIGHT>] | B<-c>[B<=>I<CAP>] ] ]

Set credit scheduler parameters. The credit scheduler is a
proportional fair share CPU scheduler built from the ground up to be
work conserving on SMP hosts.

Each domain (including Domain0) is assigned a weight and a cap.

B<PARAMETERS>

=over 4

=item I<WEIGHT>

A domain with a weight of 512 will get twice as much CPU as a domain
with a weight of 256 on a contended host. Legal weights range from 1
to 65535 and the default is 256.

=item I<CAP>

The cap optionally fixes the maximum amount of CPU a domain will be
able to consume, even if the host system has idle CPU cycles. The cap
is expressed in percentage of one physical CPU: 100 is 1 physical CPU,
50 is half a CPU, 400 is 4 CPUs, etc. The default, 0, means there is
no upper cap.

=back
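The WEIGHT and CAP semantics just described, as an added example that is not Xen's scheduler code: a steady-state model that splits host capacity by weight under full contention and pins capped domains at their cap, redistributing what they cannot use to the others by weight (water-filling). It assumes every domain always wants CPU and ignores per-domain VCPU counts; function names are my own.

```python
"""Steady-state CPU shares implied by credit-scheduler weights and caps.

Added example, not Xen's scheduler. Simplified model of the documented
WEIGHT/CAP semantics: capacity is shared in proportion to weight (512
gets twice what 256 gets), a non-zero cap limits a domain to cap percent
of one physical CPU even when the host is idle, and cap 0 means no cap.
Assumptions: all domains are permanently runnable and per-domain VCPU
counts do not limit the share. Function names are my own.
"""
from typing import Dict, Tuple

WEIGHT_MIN, WEIGHT_MAX, WEIGHT_DEFAULT = 1, 65535, 256
CAP_UNLIMITED = 0  # the documented default: no upper cap


def validate_weight(weight: int) -> int:
    """Reject weights outside the documented legal range 1..65535."""
    if not WEIGHT_MIN <= weight <= WEIGHT_MAX:
        raise ValueError(f"weight {weight} outside {WEIGHT_MIN}..{WEIGHT_MAX}")
    return weight


def credit_shares(domains: Dict[str, Tuple[int, int]],
                  ncpus: int) -> Dict[str, float]:
    """Return each domain's allocation in percent of one physical CPU.

    `domains` maps a name to (weight, cap). Total capacity is ncpus * 100,
    the same unit the cap uses (100 == one physical CPU).
    """
    if ncpus < 1:
        raise ValueError("ncpus must be at least 1")
    capacity = ncpus * 100.0
    alloc: Dict[str, float] = {}
    # Domains still competing, by weight, for the capacity not yet fixed.
    remaining = {name: validate_weight(w) for name, (w, _cap) in domains.items()}
    while remaining:
        spare = capacity - sum(alloc.values())
        total_weight = sum(remaining.values())
        provisional = {n: spare * w / total_weight for n, w in remaining.items()}
        # A domain whose proportional share exceeds its cap is fixed at the
        # cap and leaves the competition; the loop then redistributes the
        # difference among the rest.
        capped = [n for n, share in provisional.items()
                  if domains[n][1] != CAP_UNLIMITED and share > domains[n][1]]
        if not capped:
            alloc.update(provisional)
            break
        for n in capped:
            alloc[n] = float(domains[n][1])
            del remaining[n]
    return alloc


if __name__ == "__main__":
    # Constructed: Domain-0 at the default weight, a web domain with twice
    # the weight, and a batch domain capped at half a physical CPU.
    example = {"Domain-0": (WEIGHT_DEFAULT, 0), "web": (512, 0), "batch": (256, 50)}
    for name, pct in sorted(credit_shares(example, ncpus=2).items()):
        print(f"{name:10s} {pct:6.1f}% of one CPU")
```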
551 =item B<sched-sedf> I<period> I<slice> I<latency-hint> I<extratime> I<weight>
553 Set Simple EDF (Earliest Deadline First) scheduler parameters. This
554 scheduler provides weighted CPU sharing in an intuitive way and uses
555 realtime-algorithms to ensure time guarantees. For more information
556 see docs/misc/sedf_scheduler_mini-HOWTO.txt in the Xen distribution.
558 B<PARAMETERS>
560 =over 4
562 =item I<period>
564 The normal EDF scheduling usage in nanoseconds
566 =item I<slice>
568 The normal EDF scheduling usage in nanoseconds
570 FIXME: these are lame, should explain more.
572 =item I<latency-hint>
574 Scaled period if domain is doing heavy I/O.
576 =item I<extratime>
578 Flag for allowing domain to run in extra time.
580 =item I<weight>
582 Another way of setting CPU slice.
584 =back
586 B<EXAMPLES>
588 I<normal EDF (20ms/5ms):>
590 xm sched-sedf <dom-id> 20000000 5000000 0 0 0
592 I<best-effort domains (i.e. non-realtime):>
594 xm sched-sedf <dom-id> 20000000 0 0 1 0
596 I<normal EDF (20ms/5ms) + share of extra-time:>
598 xm sched-sedf <dom-id> 20000000 5000000 0 1 0
600 I<4 domains with weights 2:3:4:2>
602 xm sched-sedf <d1> 0 0 0 0 2
603 xm sched-sedf <d2> 0 0 0 0 3
604 xm sched-sedf <d3> 0 0 0 0 4
605 xm sched-sedf <d4> 0 0 0 0 2
607 I<1 fully-specified (10ms/3ms) domain, 3 other domains share available
608 rest in 2:7:3 ratio:>
610 xm sched-sedf <d1> 10000000 3000000 0 0 0
611 xm sched-sedf <d2> 0 0 0 0 2
612 xm sched-sedf <d3> 0 0 0 0 7
613 xm sched-sedf <d4> 0 0 0 0 3
615 =back
617 =head1 VIRTUAL DEVICE COMMANDS
619 Most virtual devices can be added and removed while guests are
620 running. The effect to the guest OS is much the same as any hotplug
621 event.
623 =head2 BLOCK DEVICES
625 =over 4
627 =item B<block-attach> I<domain-id> I<be-dev> I<fe-dev> I<mode> [I<bedomain-id>]
629 Create a new virtual block device. This will trigger a hotplug event
630 for the guest.
632 B<OPTIONS>
634 =over 4
636 =item I<domain-id>
638 The domain id of the guest domain that the device will be attached to.
640 =item I<be-dev>
642 The device in the backend domain (usually domain 0) to be exported.
643 This can be specified as a physical partition (phy:sda7) or as a file
644 mounted as loopback (file://path/to/loop.iso).
646 =item I<fe-dev>
648 How the device should be presented to the guest domain. It can be
649 specified as either a symbolic name, such as /dev/hdc, for common
650 devices, or by device id, such as 0x1400 (/dev/hdc device id in hex).
652 =item I<mode>
654 The access mode for the device from the guest domain. Supported modes
655 are B<w> (read/write) or B<r> (read-only).
657 =item I<bedomain-id>
659 The back end domain hosting the device. This defaults to domain 0.
661 =back
663 B<EXAMPLES>
665 =over 4
667 =item I<Mount an ISO as a Disk>
669 xm block-attach guestdomain file://path/to/dsl-2.0RC2.iso /dev/hdc ro
671 This will mount the dsl ISO as /dev/hdc in the guestdomain as a read
672 only device. This will probably not be detected as a CD-ROM by the
673 guest, but mounting /dev/hdc manually will work.
675 =back
677 =item B<block-detach> I<domain-id> I<devid> [B<--force>]
679 Detach a domain's virtual block device. I<devid> may be the symbolic
680 name or the numeric device id given to the device by domain 0. You
681 will need to run B<xm block-list> to determine that number.
683 Detaching the device requires the cooperation of the domain. If the
684 domain fails to release the device (perhaps because the domain is hung
685 or is still using the device), the detach will fail. The B<--force>
686 parameter will forcefully detach the device, but may cause IO errors
687 in the domain.
689 =item B<block-list> [B<-l>|B<--long>] I<domain-id>
691 List virtual block devices for a domain. The returned output is
692 formatted as a list or as an S-Expression if the B<--long> option was given.
694 =head2 NETWORK DEVICES
696 =item B<network-attach> I<domain-id> [B<script=>I<scriptname>] [B<ip=>I<ipaddr>]
697 [B<mac=>I<macaddr>] [B<bridge=>I<bridge-name>] [B<backend=>I<bedomain-id>]
699 Creates a new network device in the domain specified by I<domain-id>. It
700 takes the following optional options:
702 B<OPTIONS>
704 =over 4
706 =item B<script=>I<scriptname>
708 Use the specified script name to bring up the network. Defaults to
709 the default setting in xend-config.sxp for B<vif-script>.
711 =item B<ip=>I<ipaddr>
713 Passes the specified IP Address to the adapter on creation.
715 FIXME: this currently appears to be B<broken>. I'm not sure under what
716 circumstances this should actually work.
718 =item B<mac=>I<macaddr>
720 The MAC address that the domain will see on its Ethernet device. If
721 the device is not specified it will be randomly generated with the
722 00:16:3e vendor id prefix.
724 =item B<bridge=>I<bridge-name>
726 The name of the bridge to attach the vif to, in case you have more
727 than one. This defaults to xenbr0.
729 =item B<backend=>I<bedomain-id>
731 The backend domain id. By default this is domain 0.
733 =back
735 =item B<network-detach> I<domain-id> I<devid>
737 Removes the network device from the domain specified by I<domain-id>.
738 I<devid> is the virtual interface device number within the domain
739 (i.e. the 3 in vif22.3).
741 FIXME: this is currently B<broken>. Network devices aren't completely
742 removed from domain 0.
744 =item B<network-list> [B<-l>|B<--long>]> I<domain-id>
746 List virtual network interfaces for a domain. The returned output is
747 formatted as a list or as an S-Expression if the B<--long> option was given.
749 =head2 VIRTUAL TPM DEVICES
751 =item B<vtpm-list> [B<-l>|B<--long>] I<domain-id>
753 Show the virtual TPM device for a domain. The returned output is
754 formatted as a list or as an S-Expression if the B<--long> option was given.
756 =back
758 =head1 VNET COMMANDS
760 The Virtual Network interfaces for Xen.
762 FIXME: This needs a lot more explanation, or it needs to be ripped
763 out entirely.
765 =over 4
767 =item B<vnet-list> [B<-l>|B<--long>]
769 List vnets.
771 =item B<vnet-create> I<config>
773 Create a vnet from a config file.
775 =item B<vnet-delete> I<vnetid>
777 Delete a vnet.
779 =back
781 =head1 ACCESS CONTROL SUBCOMMANDS
783 Access Control in Xen consists of two components: (i) The Access
784 Control Policy (ACP) defines security labels and access rules based on
785 these labels. (ii) The Access Control Module (ACM) makes access control
786 decisions by interpreting the policy when domains require to
787 communicate or to access resources. The Xen access control has
788 sufficient mechanisms in place to enforce the access decisions even
789 against maliciously acting user domains (mandatory access control).
791 Access rights for domains in Xen are determined by the domain security
792 label only and not based on the domain Name or ID. The ACP specifies
793 security labels that can then be assigned to domains and
794 resources. Every domain must be assigned exactly one security label,
795 otherwise access control decisions could become indeterministic. ACPs
796 are distinguished by their name, which is a parameter to most of the
797 subcommands described below. Currently, the ACP specifies two ways to
798 interpret labels:
800 (1) Simple Type Enforcement: Labels are interpreted to decide access
801 of domains to communication means and virtual or physical
802 resources. Communication between domains as well as access to
803 resources are forbidden by default and can only take place if they are
804 explicitly allowed by the security policy. The proper assignment of
805 labels to domains controls the sharing of information (directly
806 through communication or indirectly through shared resources) between
807 domains. This interpretation allows to control the overt (intended)
808 communication channels in Xen.
810 (2) Chinese Wall: Labels are interpreted to decide which domains can
811 co-exist (be run simultaneously) on the same system. This
812 interpretation allows to prevent direct covert (unintended) channels
813 and mitigates risks caused by imperfect core domain isolation
814 (trade-off between security and other system requirements). For a
815 short introduction to covert channels, please refer to
816 http://www.multicians.org/timing-chn.html.
818 The following subcommands help you to manage security policies in Xen
819 and to assign security labels to domains. To enable access control
820 security in Xen, you must compile Xen with ACM support enabled as
821 described under "Configuring Security" below. There, you will find
822 also examples of each subcommand described here.
824 =item B<setpolicy> ACM I<policy> I<[--load|--boot]>
826 Makes the given ACM policy available to xend as a I<xend-managed policy>.
827 The policy is compiled and a mapping (.map) as well as a binary (.bin)
828 version of the policy is created. If the option I<--load> is provided
829 the policy is loaded into Xen. If the option I<--boot> is provided the
830 system is configure to be loaded with the policy at boot time. If these
831 options are not provided with the B<setpolicy> subcommand, the
832 B<activatepolicy> subcommand provides this functionality.
834 =over 4
836 I<policy> is a dot-separated list of names. The last part is the file
837 name pre-fix for the policy XML file. The preceding name parts are
838 translated into the local path pointing to the policy XML file
839 relative to the global policy root directory
840 (/etc/xen/acm-security/policies). For example,
841 example.chwall_ste.client_v1 denotes the policy file
842 example/chwall_ste/client_v1-security_policy.xml relative to the
843 global policy root directory.
845 =back
847 =item B<activatepolicy> I<[--load|--boot]>
849 Activates the xend-managed policy by loading it into Xen using the
850 I<--load> option or configures the system to boot with the
851 xend-managed policy during the next reboot as a result of the
852 I<--boot> option. The latter is only supported if the system is booted
853 with the grub boot loader and the default boot title is modified.
854 It copies the binary policy representation into the /boot directory and
855 adds a module line specifying the binary policy to the /boot/grub/menu.lst
856 or /boot/grub/grub.conf file.
858 =item B<getpolicy> [--dumpxml]
860 Displays information about the current xend-managed policy, such as
861 name and type of the policy, the uuid xend has assigned to it on the
862 local system, the version of the XML representation and the status
863 of the policy, such as whether it is currently loaded into Xen or
864 whether the policy is automatically loaded during system boot. With
865 the I<--dumpxml> option, the XML representation of the policy is
866 displayed.
868 =item B<dumppolicy>
870 Prints the current security policy state information of Xen.
872 =item B<labels> [I<policy>] [B<type=dom>|B<res>|B<any>]
874 Lists all labels of a I<type> (domain, resource, or both) that are
875 defined in the I<policy>. Unless specified, the default I<policy> is
876 the currently enforced access control policy. The default for I<type>
877 is 'dom'. The labels are arranged in alphabetical order.
879 =item B<addlabel> I<label> B<dom> I<configfile> [I<policy>]
881 =item B<addlabel> I<label> B<mgt> I<domain name> [I<policy type>:I<policy>]
883 =item B<addlabel> I<label> B<res> I<resource> [I<policy>]
885 =item B<addlabel> I<label> B<vif-idx> I<domain name> [I<policy type>:I<policy>]
888 Adds the security label with name I<label> to a domain
889 I<configfile> (dom), a Xend-managed domain (mgt), to the global resource label
890 file for the given I<resource> (res), or to a managed domain's virtual network
891 interface (vif) that is specified by its index. Unless specified,
892 the default I<policy> is the currently enforced access control policy.
893 This subcommand also verifies that the I<policy> definition supports the
894 specified I<label> name.
896 The only I<policy type> that is currently supported is I<ACM>.
898 =item B<rmlabel> B<dom> I<configfile>
900 =item B<rmlabel> B<mgt> I<domain name>
902 =item B<rmlabel> B<res> I<resource>
904 =item B<rmlabel> B<vif-idx> I<domain name>
906 Works the same as the B<addlabel> command (above), except that this
907 command will remove the label from the domain I<configfile> (dom),
908 a Xend-managed domain (mgt), the global resource label file (res),
909 or a managed domain's network interface (vif).
911 =item B<getlabel> B<dom> I<configfile>
913 =item B<getlabel> B<mgt> I<domain name>
915 =item B<getlabel> B<res> I<resource>
917 =item B<getlabel> B<vif-idx> I<domain name>
919 Shows the label for a domain's configuration in the given I<configfile>,
920 a xend-managed domain (mgt), a resource, or a managed domain's network
921 interface (vif).
923 =item B<resources>
925 Lists all resources in the global resource label file. Each resource
926 is listed with its associated label and policy name.
928 =item B<dry-run> I<configfile>
930 Determines if the specified I<configfile> describes a domain with a valid
931 security configuration for type enforcement. The test shows the policy
932 decision made for each resource label against the domain label as well as
933 the overall decision.
935 B<CONFIGURING SECURITY>
937 =over 4
939 In xen_source_dir/Config.mk set the following parameter:
941 ACM_SECURITY ?= y
942 Then recompile and install xen and the security tools and then reboot:
944 cd xen_source_dir/xen; make clean; make; cp xen.gz /boot;
945 cd xen_source_dir/tools/security; make install;
946 reboot into Xen
948 =back
B<SETTING A SECURITY POLICY>

=over 4

This step makes the policy available to xend and creates the client_v1.map and
client_v1.bin files in /etc/xen/acm-security/policies/example/chwall_ste.

    xm setpolicy ACM example.client_v1

=back

B<ACTIVATING THE XEND-MANAGED SECURITY POLICY>

=over 4

This step activates the xend-managed policy as the new security policy in Xen.
You can use the dumppolicy subcommand before and afterwards to see the
change in the Xen policy state.

    xm activatepolicy --load

=back

B<CONFIGURING A BOOT SECURITY POLICY>

=over 4

This configures the boot loader to load the current xend-managed policy at
boot time. During system start, the ACM configures Xen with this policy and
Xen enforces it from then on.

    xm activatepolicy --boot

=back
B<LISTING SECURITY LABELS>

=over 4

This subcommand shows all labels that are defined and which can be
attached to domains.

    xm labels example.client_v1 type=dom

will print for our example policy:

    dom_BoincClient
    dom_Fun
    dom_HomeBanking
    dom_NetworkDomain
    dom_StorageDomain
    dom_SystemManagement

=back
B<ATTACHING A SECURITY LABEL TO A DOMAIN>

=over 4

The B<addlabel> subcommand can attach a security label to a domain
configuration file, here a HomeBanking label. The example policy
ensures that this domain does not share information with other
non-homebanking user domains (i.e., domains labeled as dom_Fun or
dom_BoincClient) and that it will not run simultaneously with domains
labeled as dom_Fun.

We assume that the specified myconfig.xm configuration file actually
instantiates a domain that runs workloads related to home banking,
probably just a browser environment for online banking.

    xm addlabel dom_HomeBanking dom myconfig.xm

The very simple configuration file might now look as printed
below. The B<addlabel> subcommand added the B<access_control> entry at
the end of the file, consisting of a label name and the policy that
defines this label name. The entry is a single line in the file, as the
configuration file is read as Python source and its strings cannot span
lines:

    kernel = "/boot/vmlinuz-2.6.16-xen"
    ramdisk = "/boot/U1_home_banking_ramdisk.img"
    memory = 164
    name = "homebanking"
    vif = [ '' ]
    dhcp = "dhcp"
    access_control = ['policy=example.chwall_ste.client_v1,label=dom_HomeBanking']

Security labels must be assigned to domain configurations because
these labels are essential for making access control decisions as
early as the configuration phase of a newly instantiated
domain. Consequently, a security-enabled Xen hypervisor will only
start domains that have a security label configured and whose security
label is consistent with the currently enforced policy. Otherwise,
starting the domain will fail with the error condition "operation not
permitted".

=back
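The two rules just described, the single-line B<access_control> entry that B<addlabel> writes and the admission check that a domain must carry a label belonging to the currently enforced policy, as an added example in Python, the language xm and its configuration files are written in. This is illustrative code, not part of xm or xend. The sample configuration text, the policy name passed as the active policy, and the decision to refuse relabeling an already labeled file are assumptions of the example.

```python
import re

# Constructed sample config, modelled on the homebanking example above
# (before `xm addlabel` has run).  Not a file shipped with Xen.
SAMPLE_CONFIG = '''\
kernel = "/boot/vmlinuz-2.6.16-xen"
memory = 164
name = "homebanking"
vif = [ '' ]
'''

# Shape of the entry addlabel writes: access_control = ['policy=<p>,label=<l>']
_AC_RE = re.compile(r"^policy=(?P<policy>[^,]+),label=(?P<label>.+)$")


def load_config(config_text):
    """Evaluate a domain config the way xm does: the file is Python source.

    Builtins are withheld so a config can only bind names; still treat config
    files as trusted input, because exec() is not a sandbox.
    """
    ns = {}
    exec(config_text, {"__builtins__": {}}, ns)
    return ns


def get_label(config_text):
    """Return (policy, label) for a labeled config, or None for an unlabeled one."""
    entries = load_config(config_text).get("access_control")
    if not entries:
        return None
    m = _AC_RE.match(entries[0])
    if m is None:
        raise ValueError("malformed access_control entry: %r" % (entries[0],))
    return m.group("policy"), m.group("label")


def add_label(config_text, label, policy):
    """Append an access_control entry as `xm addlabel <label> dom <cfg>` does.

    Assumption of this example: an already labeled config is refused rather
    than silently relabeled, so a stale label cannot hide behind a new one.
    """
    if get_label(config_text) is not None:
        raise ValueError("config already carries an access_control entry")
    if not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + "access_control = ['policy=%s,label=%s']\n" % (policy, label)


def check_label(config_text, active_policy):
    """Apply the admission rule stated above: a domain starts only if it is
    labeled and the label belongs to the currently enforced policy.

    Returns (ok, reason).
    """
    found = get_label(config_text)
    if found is None:
        return False, "no access_control entry; xm create would be refused"
    policy, label = found
    if policy != active_policy:
        return False, "label %s belongs to policy %s, but %s is enforced" % (
            label, policy, active_policy)
    return True, "label %s is valid under %s" % (label, active_policy)


if __name__ == "__main__":
    # Hypothetical active policy name, taken from the example above.
    active = "example.chwall_ste.client_v1"
    labeled = add_label(SAMPLE_CONFIG, "dom_HomeBanking", active)
    print(labeled)
    print(check_label(labeled, active))
    print(check_label(SAMPLE_CONFIG, active))
```

Run B<dry-run> on the real file for the authoritative decision; this check only tells you in advance whether the label and policy name line up, which is the failure that otherwise surfaces as "operation not permitted" at B<create> time.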
B<ATTACHING A SECURITY LABEL TO A XEND-MANAGED DOMAIN>

=over 4

The B<addlabel> subcommand also supports labeling of domains that are managed
by xend. This includes domains that are currently running, such as
Domain-0, and those that are in a dormant state.
Depending on the state of the system, the new label may be
rejected. One reason for rejecting the relabeling of a domain is that
the domain is currently allowed to access its labeled resources but
would, under the new label, be prevented from accessing one or more of them.

    xm addlabel dom_Fun mgt Domain-0

This changes the label of Domain-0 to dom_Fun on the condition that
the new label of Domain-0 does not prevent any other domain from
accessing resources that are provided through Domain-0, such as
network or block device access.

=back
B<ATTACHING A SECURITY LABEL TO A RESOURCE>

=over 4

The B<addlabel> subcommand can also be used to attach a security
label to a resource. Following the home banking example from above,
we can label a disk resource (e.g., a physical partition or a file)
to make it accessible to the home banking domain. The example policy
provides a resource label, res_LogicalDiskPartition1(hda1), that is
compatible with the HomeBanking domain label.

    xm addlabel "res_LogicalDiskPartition1(hda1)" res phy:hda6

After labeling this disk resource, it can be attached to the domain
by adding a line to the domain configuration file. The line below
attaches this disk to the domain at boot time.

    disk = [ 'phy:hda6,sda2,w' ]

Alternatively, the resource can be attached after booting the domain
by using the B<block-attach> subcommand.

    xm block-attach homebanking phy:hda6 sda2 w

Note that labeled resources cannot be used when security is turned
off. Any attempt to use a labeled resource with security turned off
fails with a corresponding error message. The
solution is to enable security or, if security is no longer desired,
to remove the resource label using the B<rmlabel> subcommand.

=back
B<STARTING AND LISTING LABELED DOMAINS>

=over 4

    xm create myconfig.xm

    xm list --label

    Name          ID ... Time(s) Label
    homebanking   23 ...     4.4 dom_HomeBanking
    Domain-0       0 ...  2658.8 dom_SystemManagement

=back
B<LISTING LABELED RESOURCES>

=over 4

    xm resources

    phy:hda6
          type: ACM
          policy: example.chwall_ste.client_v1
          label: res_LogicalDiskPartition1(hda1)
    file:/xen/disk_image/disk.img
          type: ACM
          policy: example.chwall_ste.client_v1
          label: res_LogicalDiskPartition2(hda2)

=back
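The resource listing above is the natural input for an audit of the caveat given under ATTACHING A SECURITY LABEL TO A RESOURCE: a label that was assigned under a policy other than the one now enforced, or that names a label the enforced policy does not define, cannot be honoured and should be removed with B<rmlabel> or reassigned with B<addlabel>. The following is an added example in Python, not part of xm or xend, that parses output in the shape of B<xm resources> and reports such entries. The listing text, the third resource, the active policy name and the set of resource labels are all constructed for the example.

```python
# Constructed listing in the shape of the `xm resources` output shown above,
# extended with a third resource whose label predates the active policy.
SAMPLE_RESOURCES = """\
phy:hda6
      type: ACM
      policy: example.chwall_ste.client_v1
      label: res_LogicalDiskPartition1(hda1)
file:/xen/disk_image/disk.img
      type: ACM
      policy: example.chwall_ste.client_v1
      label: res_LogicalDiskPartition2(hda2)
phy:hdb1
      type: ACM
      policy: example.chwall_ste.client_v0
      label: res_LogicalDiskPartition1(hda1)
"""

# Hypothetical name of the policy currently enforced by Xen.
ACTIVE_POLICY = "example.chwall_ste.client_v1"

# Constructed: the resource labels `xm labels <policy> type=res` would list
# for the active policy.  The names follow the example policy; the set is assumed.
ACTIVE_RES_LABELS = frozenset([
    "res_LogicalDiskPartition1(hda1)",
    "res_LogicalDiskPartition2(hda2)",
])


def parse_resources(text):
    """Parse `xm resources` output into {resource: {key: value}}.

    A resource name starts in column 0; its attributes follow as indented
    'key: value' lines.  Resource names themselves contain ':' (phy:hda6),
    so indentation, not the colon, decides which kind of line this is.
    """
    resources = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            resources[current] = {}
        elif current is not None and ":" in raw:
            key, value = raw.strip().split(":", 1)
            resources[current][key.strip()] = value.strip()
        else:
            raise ValueError("unexpected line in xm resources output: %r" % raw)
    return resources


def audit_resources(resources, active_policy, known_labels):
    """Return [(resource, problem)] for labels the enforced policy cannot honour.

    Two conditions are checked: the label was assigned under a policy other
    than the one now enforced (the policy representations have drifted apart),
    or the label name is not defined in the active policy at all.  Either
    entry is a candidate for rmlabel or for relabeling with addlabel.
    """
    findings = []
    for name in sorted(resources):
        attrs = resources[name]
        policy = attrs.get("policy")
        label = attrs.get("label")
        if policy != active_policy:
            findings.append((name, "labeled under %s, but %s is enforced"
                             % (policy, active_policy)))
        elif label not in known_labels:
            findings.append((name, "label %s is not defined in %s"
                             % (label, active_policy)))
    return findings


if __name__ == "__main__":
    # Against a live xend, replace SAMPLE_RESOURCES with
    # subprocess.check_output(["xm", "resources"]).decode().
    for name, problem in audit_resources(parse_resources(SAMPLE_RESOURCES),
                                         ACTIVE_POLICY, ACTIVE_RES_LABELS):
        print("%s: %s" % (name, problem))
```

The parser keys on indentation rather than on the colon because resource names such as phy:hda6 and file:/xen/disk_image/disk.img contain colons themselves; any line it cannot classify is rejected rather than silently skipped, so a change in the output format shows up as an error instead of an empty audit.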
B<POLICY REPRESENTATIONS>

=over 4

We distinguish three representations of the Xen access control policy:
the source XML version, its binary counterpart, and a mapping
representation that enables the tools to deterministically translate
back and forth between label names of the XML policy and label
identifiers of the binary policy. All three versions must be kept
consistent to achieve predictable security guarantees.

The XML version is the version that users are supposed to create or
change, either by manually editing the XML file or by using the Xen
policy generation tool (B<xensec_gen>). After changing the XML file,
run the B<setpolicy> subcommand to make the new policy
available to xend. Then use the B<activatepolicy> subcommand to
load the new policy into Xen (B<--load>) or to have it loaded at the
next system reboot (B<--boot>).

The binary version of the policy is derived from the XML policy by
tokenizing the specified labels and is used inside Xen only. It is
created with the B<setpolicy> subcommand. The binary
version is much more compact than the XML version and is cheaper to
evaluate during access control decisions.

The mapping version of the policy is created during the XML-to-binary
policy translation (B<setpolicy>) and is used by xend and the management
tools to translate between the label names used as input to the tools and
their binary identifiers (ssidrefs) used inside Xen.

=back
=head1 SEE ALSO

B<xmdomain.cfg>(5), B<xentop>(1)

=head1 AUTHOR

  Sean Dague <sean at dague dot net>
  Daniel Stekloff <dsteklof at us dot ibm dot com>
  Reiner Sailer <sailer at us dot ibm dot com>
  Stefan Berger <stefanb at us dot ibm dot com>

=head1 BUGS