view docs/man/xm.pod.1 @ 18947:2dffa6ceb0af

Support S3 for MSI interrupt

From: "Jiang, Yunhong" <yunhong.jiang@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Dec 19 14:56:36 2008 +0000 (2008-12-19)
parents c6f80d1227cb
children 3e1e87052029
line source
1 =head1 NAME
3 xm - Xen management user interface
5 =head1 SYNOPSIS
7 B<xm> I<subcommand> [I<args>]
11 The B<xm> program is the main interface for managing Xen guest
12 domains. The program can be used to create, pause, and shut down
13 domains. It can also be used to list current domains, enable or pin
14 VCPUs, and attach or detach virtual block devices.
16 The basic structure of every B<xm> command is almost always:
18 =over 2
20 B<xm> I<subcommand> I<domain-id> [I<OPTIONS>]
22 =back
24 Where I<subcommand> is one of the subcommands listed below, I<domain-id>
25 is the numeric domain id, or the domain name (which will be internally
26 translated to domain id), and I<OPTIONS> are subcommand specific
27 options. There are a few exceptions to this rule in the cases where
28 the subcommand in question acts on all domains, the entire machine,
29 or directly on the Xen hypervisor. Those exceptions will be clear for
30 each of those subcommands.
32 =head1 NOTES
34 All B<xm> operations rely upon the Xen control daemon, aka B<xend>.
35 For any B<xm> commands to run, xend must also be running. For this
36 reason you should start xend as a service when your system first boots
37 using Xen.
39 Most B<xm> commands require root privileges to run due to the
40 communications channels used to talk to the hypervisor. Running as
41 non-root will return an error.
43 Most B<xm> commands act asynchronously, so just because the B<xm>
44 command returned doesn't mean the action is complete. This is
45 important, as many operations on domains, like create and shutdown,
46 can take considerable time (30 seconds or more) to bring the machine
47 into a fully compliant state. If you want to know when one of these
48 actions has finished you must poll through B<xm list> periodically.
52 The following subcommands manipulate domains directly. As stated
53 previously, most commands take I<domain-id> as the first parameter.
55 =over 4
57 =item B<console> I<domain-id>
59 Attach to domain I<domain-id>'s console. If you've set up your domains to
60 have a traditional log in console this will look much like a normal
61 text log in screen.
63 This uses the back end xenconsole service which currently only
64 works for para-virtual domains.
66 The attached console will perform much like a standard serial console,
67 so running curses based interfaces over the console B<is not
68 advised>. Vi tends to get very odd when using it over this interface.
70 =item B<create> I<configfile> [I<OPTIONS>] [I<vars>]..
72 The create subcommand requires a config file and can optionally take a
73 series of I<vars> that add to or override variables defined
74 in the config file. See L<xmdomain.cfg> for full details of that file
75 format, and possible options used in either the configfile or for I<vars>.
77 I<configfile> can either be an absolute path to a file, or a relative
78 path to a file located in /etc/xen.
80 Create will return B<as soon> as the domain is started. This B<does
81 not> mean the guest OS in the domain has actually booted, or is
82 available for input.
86 =over 4
88 =item B<--help_config>
90 Print the available configuration variables I<vars>. These variables may be
91 used on the command line or in the configuration file I<configfile>.
93 =item B<-q>, B<--quiet>
95 No console output.
97 =item B<--path>
99 Search path for configuration scripts. The value of PATH is a
100 colon-separated directory list.
102 =item B<-f=FILE>, B<--defconfig=FILE>
104 Use the given Python configuration script. The configuration
105 script is loaded after arguments have been processed. Each
106 command-line option sets a configuration variable named after
107 its long option name, and these variables are placed in the
108 environment of the script before it is loaded. Variables
109 for options that may be repeated have list values. Other
110 variables can be set using name=value on the command line.
111 After the script is loaded, option values that were not set
112 on the command line are replaced by the values set in the script.
114 =item B<-F=FILE>, B<--config=FILE>
116 Use the given SXP formatted configuration script.
117 SXP is the underlying configuration format used by Xen.
118 SXP configuration scripts can be hand-written or generated
119 from Python configuration scripts, using the -n
120 (dryrun) option to print the configuration. An SXP formatted
121 configuration file may also be generated for a given I<domain-id> by
122 redirecting the output from the B<xm list --long I<domain-id>>
123 to a file.
125 =item B<-n>, B<--dryrun>
127 Dry run - prints the resulting configuration in SXP
128 but does not create the domain.
130 =item B<-x>, B<--xmldryrun>
132 XML dry run - prints the resulting configuration in
133 XML but does not create the domain.
135 =item B<-s>, B<--skipdtd>
137 Skip DTD checking - skips checks on XML before
138 creating. Experimental. Can decrease create time.
140 =item B<-p>, B<--paused>
142 Leave the domain paused after it is created.
144 =item B<-c>, B<--console_autoconnect>
146 Attach console to the domain as soon as it has started. This is
147 useful for determining issues with crashing domains.
149 =back
153 =over 4
155 =item I<with config file>
157 xm create Fedora4
159 This creates a domain with the file /etc/xen/Fedora4, and returns as
160 soon as it is run.
162 =item I<without config file>
164 xm create /dev/null ramdisk=initrd.img \
165 kernel=/boot/vmlinuz- \
166 name=ramdisk vif='' vcpus=1 \
167 memory=64 root=/dev/ram0
169 This creates the domain without using a config file (more specifically
170 using /dev/null as an empty config file), kernel and ramdisk as
171 specified, setting the name of the domain to "ramdisk", also disabling
172 virtual networking. (This example comes from the xm-test test suite.)
174 =back
176 =item B<delete>
178 Remove a domain from Xend domain management. The B<xm list> command
179 shows the domain names.
181 =item B<destroy> I<domain-id>
183 Immediately terminate the domain I<domain-id>. This doesn't give the
184 domain OS any chance to react, and is the equivalent of ripping the
185 power cord out on a physical machine. In most cases you will want to
186 use the B<shutdown> command instead.
188 =item B<domid> I<domain-name>
190 Converts a domain name to a domain id using xend's internal mapping.
192 =item B<domname> I<domain-id>
194 Converts a domain id to a domain name using xend's internal mapping.
196 =item B<dump-core> [I<OPTIONS>] I<domain-id> [I<filename>]
198 Dumps the virtual machine's memory for the specified domain to the
199 I<filename> specified. The dump file will be written to a distribution
200 specific directory for dump files, such as /var/lib/xen/dump or
201 /var/xen/dump. Defaults to dumping the core without pausing the domain
202 if no I<OPTIONS> are specified.
206 =over 4
208 =item B<-L>, B<--live>
210 Dump core without pausing the domain.
212 =item B<-C>, B<--crash>
214 Crash domain after dumping core.
216 =back
218 =item B<help> [B<--long>]
220 Displays the short help message (i.e. common commands).
222 The B<--long> option prints out the complete set of B<xm> subcommands,
223 grouped by function.
225 =item B<list> [I<OPTIONS>] [I<domain-id> ...]
227 Prints information about one or more domains. If no domains are
228 specified it prints out information about all domains.
233 =over 4
235 =item B<-l>, B<--long>
237 The output for B<xm list> is not the table view shown below, but
238 instead presents the data in SXP format.
240 =item B<--label>
242 Security labels are added to the output of xm list and the lines
243 are sorted by the labels (ignoring case).
244 See the ACCESS CONTROL SUBCOMMAND section of this man page for more
245 information about labels.
247 =item B<< --state=<state> >>
249 Output information for VMs in the specified state.
251 =back
255 An example format for the list is as follows:
257 Name ID Mem(MiB) VCPUs State Time(s)
258 Domain-0 0 98 1 r----- 5068.6
259 Fedora3 164 128 1 r----- 7.6
260 Fedora4 165 128 1 ------ 0.6
261 Mandrake2006 166 128 1 -b---- 3.6
262 Mandrake10.2 167 128 1 ------ 2.5
263 Suse9.2 168 100 1 ------ 1.8
265 Name is the name of the domain. ID the numeric domain id. Mem is the
266 desired amount of memory to allocate to the domain (although it may
267 not be the currently allocated amount). VCPUs is the number of
268 virtual CPUs allocated to the domain. State is the run state (see
269 below). Time is the total run time of the domain as accounted for by
270 Xen.
274 The State field lists 6 states for a Xen domain, and which ones the
275 current domain is in.
277 =over 4
279 =item B<r - running>
281 The domain is currently running on a CPU.
283 =item B<b - blocked>
285 The domain is blocked, and not running or runnable. This can be caused
286 because the domain is waiting on IO (a traditional wait state) or has
287 gone to sleep because there was nothing else for it to do.
289 =item B<p - paused>
291 The domain has been paused, usually occurring through the administrator
292 running B<xm pause>. When in a paused state the domain will still
293 consume allocated resources like memory, but will not be eligible for
294 scheduling by the Xen hypervisor.
296 =item B<s - shutdown>
298 FIXME: Why would you ever see this state?
300 =item B<c - crashed>
302 The domain has crashed, which is always a violent ending. Usually
303 this state can only occur if the domain has been configured not to
304 restart on crash. See L<xmdomain.cfg> for more info.
306 =item B<d - dying>
308 The domain is in the process of dying, but hasn't completely shut down or
309 crashed.
311 FIXME: Is this right?
313 =back
315 B<NOTES>
317 =over 4
319 The Time column is deceptive. Virtual IO (network and block devices)
320 used by domains requires coordination by Domain0, which means that
321 Domain0 is actually charged for much of the time that a DomainU is
322 doing IO. Use of this time value to determine relative utilizations
323 by domains is thus very suspect, as a high IO workload may show as
324 less utilized than a high CPU workload. Consider yourself warned.
326 =back
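The polling that the NOTES section asks for, combined with the State flags listed above, as an added Python example (not part of the xm sources). SAMPLE is constructed from this page's example table, C<wait_for> and its parameters are names chosen here, and treating a domain that no longer appears in the list as gone is an assumption.

```python
import subprocess
import time

# Constructed sample input, in the shape of the example table in this man page.
SAMPLE = """\
Name              ID Mem(MiB) VCPUs State  Time(s)
Domain-0           0       98     1 r-----  5068.6
Fedora3          164      128     1 r-----     7.6
Fedora4          165      128     1 ------     0.6
Mandrake2006     166      128     1 -b----     3.6
"""

# Flag letters and meanings from the State list in this man page.
STATE_NAMES = {"r": "running", "b": "blocked", "p": "paused",
               "s": "shutdown", "c": "crashed", "d": "dying"}


def decode_state(field):
    """Turn a State field such as '-b----' into a set of state names."""
    if len(field) != len(STATE_NAMES) or any(
            ch != "-" and ch not in STATE_NAMES for ch in field):
        raise ValueError("unexpected State field: %r" % (field,))
    return frozenset(STATE_NAMES[ch] for ch in field if ch != "-")


def parse_xm_list(text):
    """Parse the table printed by `xm list` into {name: row-dict}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split()[:2] != ["Name", "ID"]:
        raise ValueError("xm list header not found")
    rows = {}
    for line in lines[1:]:
        # Split from the right: the five fixed columns are the last five tokens.
        parts = line.strip().rsplit(None, 5)
        if len(parts) != 6:
            raise ValueError("malformed row: %r" % (line,))
        name, domid, mem, vcpus, state, secs = parts
        rows[name] = {"id": int(domid), "mem_mib": int(mem),
                      "vcpus": int(vcpus), "state": decode_state(state),
                      "time_s": float(secs)}
    return rows


def run_xm_list():
    """Real data source: needs root and a running xend, as NOTES says."""
    return subprocess.check_output(["xm", "list"]).decode()


def wait_for(domain, done, fetch=run_xm_list, timeout=60.0, interval=2.0,
             sleep=time.sleep, clock=time.monotonic):
    """Poll `xm list` until done(row) is true and return (row, polls).

    row is None when the domain is not listed. Raises TimeoutError rather
    than waiting forever on a domain that never reaches the wanted state.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        row = parse_xm_list(fetch()).get(domain)
        polls += 1
        if done(row):
            return row, polls
        if clock() >= deadline:
            raise TimeoutError("%s: condition not met after %d polls"
                               % (domain, polls))
        sleep(interval)


if __name__ == "__main__":
    for name, row in parse_xm_list(SAMPLE).items():
        print(name, row["id"], sorted(row["state"]) or ["(no flag set)"])
```

After C<xm shutdown Fedora4>, a caller would use C<wait_for("Fedora4", lambda row: row is None)>; after C<xm pause>, the predicate would test for C<"paused"> in C<row["state"]>.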
328 =item B<mem-max> I<domain-id> I<mem>
330 Specify the maximum amount of memory the domain is able to use. I<mem>
331 is specified in megabytes.
333 The mem-max value may not correspond to the actual memory used in the
334 domain, as it may balloon down its memory to give more back to the OS.
336 =item B<mem-set> I<domain-id> I<mem>
338 Set the domain's used memory using the balloon driver.
340 Because this operation requires cooperation from the domain operating
341 system, there is no guarantee that it will succeed. This command will
342 definitely not work unless the domain has the required paravirt
343 driver.
345 B<Warning:> There is no good way to know in advance how small of a
346 mem-set will make a domain unstable and cause it to crash. Be very
347 careful when using this command on running domains.
349 =item B<migrate> I<domain-id> I<host> [I<OPTIONS>]
351 Migrate a domain to another host machine. Xend must be running on
352 the other host machine, it must be running the same version of Xen, it
353 must have the migration TCP port open and accepting connections from
354 the source host, and there must be sufficient resources for the domain
355 to run (memory, disk, etc).
357 Migration is pretty complicated, and has many security implications.
358 Please read the Xen User's Guide to ensure you understand the
359 ramifications and limitations on migration before attempting it in
360 production.
364 =over 4
366 =item B<-l>, B<--live>
368 Use live migration. This will migrate the domain between hosts
369 without shutting down the domain. See the Xen User's Guide for more
370 information.
372 =item B<-r>, B<--resource> I<Mbs>
374 Set maximum Mbs allowed for migrating the domain. This ensures that
375 the network link is not saturated with migration traffic while
376 attempting to do other useful work.
378 =back
380 =item B<new> I<configfile> [I<OPTIONS>] [I<vars>]...
382 Adds a domain to Xend domain management.
384 The new subcommand requires a config file and can optionally
385 take a series of I<vars> that add to or override variables
386 defined in the config file. See xmdomain.cfg for full details of that
387 file format, and possible options used in either the configfile or for
388 I<vars>.
390 I<configfile> can either be an absolute path to a file, or a relative
391 path to a file located in /etc/xen.
393 The new subcommand will return without starting the domain. The
394 domain needs to be started using the B<xm start> command.
398 =over 4
400 =item B<--help_config>
402 Print the available configuration variables I<vars>. These variables may be
403 used on the command line or in the configuration file I<configfile>.
405 =item B<-q>, B<--quiet>
407 No console output.
409 =item B<--path>
411 Search path for configuration scripts. The value of PATH is a
412 colon-separated directory list.
414 =item B<-f=FILE>, B<--defconfig=FILE>
417 Use the given Python configuration script. The configuration
418 script is loaded after arguments have been processed. Each
419 command-line option sets a configuration variable named after
420 its long option name, and these variables are placed in the
421 environment of the script before it is loaded. Variables
422 for options that may be repeated have list values. Other
423 variables can be set using name=value on the command line.
424 After the script is loaded, option values that were not set
425 on the command line are replaced by the values set in the script.
427 =item B<-F=FILE>, B<--config=FILE>
429 Use the given SXP formatted configuration script.
430 SXP is the underlying configuration format used by Xen.
431 SXP configuration scripts can be hand-written or generated
432 from Python configuration scripts, using the -n
433 (dryrun) option to print the configuration. An SXP formatted
434 configuration file may also be generated for a given I<domain-id> by
435 redirecting the output from the B<xm list --long I<domain-id>>
436 to a file.
438 =item B<-n>, B<--dryrun>
440 Dry run - prints the resulting configuration in SXP
441 but does not create the domain.
443 =item B<-x>, B<--xmldryrun>
445 XML dry run - prints the resulting configuration in
446 XML but does not create the domain.
448 =item B<-s>, B<--skipdtd>
450 Skip DTD checking - skips checks on XML before
451 creating. Experimental. Can decrease create time.
453 =item B<-p>, B<--paused>
455 Leave the domain paused after it is created.
457 =item B<-c>, B<--console_autoconnect>
459 Attach console to the domain as soon as it has started. This is
460 useful for determining issues with crashing domains.
462 =back
464 =item B<pause> I<domain-id>
466 Pause a domain. When in a paused state the domain will still consume
467 allocated resources such as memory, but will not be eligible for
468 scheduling by the Xen hypervisor.
470 =item B<reboot> [I<OPTIONS>] I<domain-id>
472 Reboot a domain. This acts just as if the domain had the B<reboot>
473 command run from the console. The command returns as soon as it has
474 executed the reboot action, which may be significantly before the
475 domain actually reboots.
477 The behavior of what happens to a domain when it reboots is set by the
478 B<on_reboot> parameter of the xmdomain.cfg file when the domain was
479 created.
483 =over 4
485 =item B<-a>, B<--all>
487 Reboot all domains.
489 =item B<-w>, B<--wait>
491 Wait for reboot to complete before returning. This may take a while,
492 as all services in the domain will have to be shut down cleanly.
494 =back
496 =item B<restore> I<state-file>
498 Build a domain from an B<xm save> state file. See B<save> for more info.
500 =item B<resume> I<domain-name> [I<OPTIONS>]
502 Moves a domain out of the suspended state and back into memory.
506 =over 4
508 =item B<-p>, B<--paused>
510 Moves a domain back into memory but leaves the domain in a paused state.
511 The B<xm unpause> subcommand may then be used to bring it out of the
512 paused state.
514 =back
516 =item B<save> I<domain-id> I<state-file>
518 Saves a running domain to a state file so that it can be restored
519 later. Once saved, the domain will no longer be running on the
520 system, thus the memory allocated for the domain will be free for
521 other domains to use. B<xm restore> restores from this state file.
523 This is roughly equivalent to doing a hibernate on a running computer,
524 with all the same limitations. Open network connections may be
525 severed upon restore, as TCP timeouts may have expired.
527 =item B<shutdown> [I<OPTIONS>] I<domain-id>
529 Gracefully shuts down a domain. This coordinates with the domain OS
530 to perform graceful shutdown, so there is no guarantee that it will
531 succeed, and may take a variable length of time depending on what
532 services must be shut down in the domain. The command returns
533 immediately after signalling the domain unless the B<-w> flag is used.
535 The behavior of what happens to a domain when it reboots is set by the
536 B<on_shutdown> parameter of the xmdomain.cfg file when the domain was
537 created.
541 =over 4
543 =item B<-a>
545 Shutdown B<all> domains. Often used when doing a complete shutdown of
546 a Xen system.
548 =item B<-w>
550 Wait for the domain to complete shutdown before returning.
552 =back
554 =item B<start> I<domain-name> [I<OPTIONS>]
556 Start a Xend managed domain that was added using the B<xm new> command.
561 =over 4
563 =item B<-p>, B<--paused>
565 Do not unpause domain after starting it.
567 =item B<-c>, B<--console_autoconnect>
569 Connect to the console after the domain is created.
571 =back
573 =item B<suspend> I<domain-name>
575 Suspend a domain to a state file so that it can be later
576 resumed using the B<xm resume> subcommand. Similar to the B<xm save>
577 subcommand although the state file may not be specified.
579 =item B<sysrq> I<domain-id> I<letter>
581 Send a I<Magic System Request> signal to the domain. For more
582 information on available magic sys req operations, see sysrq.txt in
583 your Linux Kernel sources.
585 =item B<unpause> I<domain-id>
587 Moves a domain out of the paused state. This will allow a previously
588 paused domain to now be eligible for scheduling by the Xen hypervisor.
590 =item B<vcpu-set> I<domain-id> I<vcpu-count>
592 Enables the I<vcpu-count> virtual CPUs for the domain in question.
593 Like mem-set, this command can only allocate up to the maximum virtual
594 CPU count configured at boot for the domain.
596 If the I<vcpu-count> is smaller than the current number of active
597 VCPUs, the highest-numbered VCPUs will be hotplug removed. This may be
598 important for pinning purposes.
600 Attempting to set the VCPUs to a number larger than the initially
601 configured VCPU count is an error. Trying to set VCPUs to < 1 will be
602 quietly ignored.
604 Because this operation requires cooperation from the domain operating
605 system, there is no guarantee that it will succeed. This command will
606 not work with a full virt domain.
608 =item B<vcpu-list> [I<domain-id>]
610 Lists VCPU information for a specific domain. If no domain is
611 specified, VCPU information for all domains will be provided.
613 =item B<vcpu-pin> I<domain-id> I<vcpu> I<cpus>
615 Pins the VCPU to only run on the specific CPUs. The keyword
616 B<all> can be used to apply the I<cpus> list to all VCPUs in the
617 domain.
619 Normally VCPUs can float between available CPUs whenever Xen deems a
620 different run state is appropriate. Pinning can be used to restrict
621 this, by ensuring certain VCPUs can only run on certain physical
622 CPUs.
624 =back
628 =over 4
630 =item B<dmesg> [B<-c>]
632 Reads the Xen message buffer, similar to dmesg on a Linux system. The
633 buffer contains informational, warning, and error messages created
634 during Xen's boot process. If you are having problems with Xen, this
635 is one of the first places to look as part of problem determination.
639 =over 4
641 =item B<-c>, B<--clear>
643 Clears Xen's message buffer.
645 =back
647 =item B<info>
649 Print information about the Xen host in I<name : value> format. When
650 reporting a Xen bug, please provide this information as part of the
651 bug report.
653 Sample output looks as follows (lines wrapped manually to make the man
654 page more readable):
656 host : talon
657 release :
658 version : #1 Mon Nov 14 14:26:26 EST 2005
659 machine : i686
660 nr_cpus : 2
661 nr_nodes : 1
662 cores_per_socket : 1
663 threads_per_core : 1
664 cpu_mhz : 696
665 hw_caps : 0383fbff:00000000:00000000:00000040
666 total_memory : 767
667 free_memory : 37
668 xen_major : 3
669 xen_minor : 0
670 xen_extra : -devel
671 xen_caps : xen-3.0-x86_32
672 xen_scheduler : credit
673 xen_pagesize : 4096
674 platform_params : virt_start=0xfc000000
675 xen_changeset : Mon Nov 14 18:13:38 2005 +0100
676 7793:090e44133d40
677 cc_compiler : gcc version 3.4.3 (Mandrakelinux
678 10.2 3.4.3-7mdk)
679 cc_compile_by : sdague
680 cc_compile_domain : (none)
681 cc_compile_date : Mon Nov 14 14:16:48 EST 2005
682 xend_config_format : 3
686 Not all fields will be explained here, but some of the less obvious
687 ones deserve explanation:
689 =over 4
691 =item B<hw_caps>
693 A vector showing what hardware capabilities are supported by your
694 processor. This is equivalent to, though more cryptic, the flags
695 field in /proc/cpuinfo on a normal Linux machine.
697 =item B<free_memory>
699 Available memory (in MB) not allocated to Xen, or any other domains.
701 =item B<xen_caps>
703 The Xen version and architecture. Architecture values can be one of:
704 x86_32, x86_32p (i.e. PAE enabled), x86_64, ia64.
706 =item B<xen_changeset>
708 The Xen mercurial changeset id. Very useful for determining exactly
709 what version of code your Xen system was built from.
711 =back
713 =item B<log>
715 Print out the xend log. This log file can be found in
716 /var/log/xend.log.
718 =item B<top>
720 Executes the B<xentop> command, which provides real time monitoring of
721 domains. Xentop is a curses interface, and reasonably self
722 explanatory.
724 =item B<uptime>
726 Prints the current uptime of the domains running.
728 =back
732 Xen ships with a number of domain schedulers, which can be set at boot
733 time with the B<sched=> parameter on the Xen command line. By
734 default B<credit> is used for scheduling.
736 FIXME: we really need a scheduler expert to write up this section.
738 =over 4
740 =item B<sched-credit> [ B<-d> I<domain-id> [ B<-w>[B<=>I<WEIGHT>] | B<-c>[B<=>I<CAP>] ] ]
742 Set credit scheduler parameters. The credit scheduler is a
743 proportional fair share CPU scheduler built from the ground up to be
744 work conserving on SMP hosts.
746 Each domain (including Domain0) is assigned a weight and a cap.
750 =over 4
752 =item I<WEIGHT>
754 A domain with a weight of 512 will get twice as much CPU as a domain
755 with a weight of 256 on a contended host. Legal weights range from 1
756 to 65535 and the default is 256.
758 =item I<CAP>
760 The cap optionally fixes the maximum amount of CPU a domain will be
761 able to consume, even if the host system has idle CPU cycles. The cap
762 is expressed in percentage of one physical CPU: 100 is 1 physical CPU,
763 50 is half a CPU, 400 is 4 CPUs, etc. The default, 0, means there is
764 no upper cap.
766 =back
768 =item B<sched-sedf> I<period> I<slice> I<latency-hint> I<extratime> I<weight>
770 Set Simple EDF (Earliest Deadline First) scheduler parameters. This
771 scheduler provides weighted CPU sharing in an intuitive way and uses
772 realtime-algorithms to ensure time guarantees. For more information
773 see docs/misc/sedf_scheduler_mini-HOWTO.txt in the Xen distribution.
777 =over 4
779 =item I<period>
781 The normal EDF scheduling usage in nanoseconds
783 =item I<slice>
785 The normal EDF scheduling usage in nanoseconds
787 FIXME: these are lame, should explain more.
789 =item I<latency-hint>
791 Scaled period if domain is doing heavy I/O.
793 =item I<extratime>
795 Flag for allowing domain to run in extra time.
797 =item I<weight>
799 Another way of setting CPU slice.
801 =back
805 I<normal EDF (20ms/5ms):>
807 xm sched-sedf <dom-id> 20000000 5000000 0 0 0
809 I<best-effort domains (i.e. non-realtime):>
811 xm sched-sedf <dom-id> 20000000 0 0 1 0
813 I<normal EDF (20ms/5ms) + share of extra-time:>
815 xm sched-sedf <dom-id> 20000000 5000000 0 1 0
817 I<4 domains with weights 2:3:4:2>
819 xm sched-sedf <d1> 0 0 0 0 2
820 xm sched-sedf <d2> 0 0 0 0 3
821 xm sched-sedf <d3> 0 0 0 0 4
822 xm sched-sedf <d4> 0 0 0 0 2
824 I<1 fully-specified (10ms/3ms) domain, 3 other domains share available
825 rest in 2:7:3 ratio:>
827 xm sched-sedf <d1> 10000000 3000000 0 0 0
828 xm sched-sedf <d2> 0 0 0 0 2
829 xm sched-sedf <d3> 0 0 0 0 7
830 xm sched-sedf <d4> 0 0 0 0 3
832 =back
836 Most virtual devices can be added and removed while guests are
837 running. The effect to the guest OS is much the same as any hotplug
838 event.
840 =head2 BLOCK DEVICES
842 =over 4
844 =item B<block-attach> I<domain-id> I<be-dev> I<fe-dev> I<mode> [I<bedomain-id>]
846 Create a new virtual block device. This will trigger a hotplug event
847 for the guest.
851 =over 4
853 =item I<domain-id>
855 The domain id of the guest domain that the device will be attached to.
857 =item I<be-dev>
859 The device in the backend domain (usually domain 0) to be exported.
860 This can be specified as a physical partition (phy:sda7) or as a file
861 mounted as loopback (file://path/to/loop.iso).
863 =item I<fe-dev>
865 How the device should be presented to the guest domain. It can be
866 specified as either a symbolic name, such as /dev/hdc, for common
867 devices, or by device id, such as 0x1400 (/dev/hdc device id in hex).
869 =item I<mode>
871 The access mode for the device from the guest domain. Supported modes
872 are B<w> (read/write) or B<r> (read-only).
874 =item I<bedomain-id>
876 The back end domain hosting the device. This defaults to domain 0.
878 =back
882 =over 4
884 =item I<Mount an ISO as a Disk>
886 xm block-attach guestdomain file://path/to/dsl-2.0RC2.iso /dev/hdc ro
888 This will mount the dsl ISO as /dev/hdc in the guestdomain as a read
889 only device. This will probably not be detected as a CD-ROM by the
890 guest, but mounting /dev/hdc manually will work.
892 =back
894 =item B<block-detach> I<domain-id> I<devid> [B<--force>]
896 Detach a domain's virtual block device. I<devid> may be the symbolic
897 name or the numeric device id given to the device by domain 0. You
898 will need to run B<xm block-list> to determine that number.
900 Detaching the device requires the cooperation of the domain. If the
901 domain fails to release the device (perhaps because the domain is hung
902 or is still using the device), the detach will fail. The B<--force>
903 parameter will forcefully detach the device, but may cause IO errors
904 in the domain.
906 =item B<block-list> [B<-l>|B<--long>] I<domain-id>
908 List virtual block devices for a domain. The returned output is
909 formatted as a list or as an S-Expression if the B<--long> option was given.
911 =back
915 =over 4
917 =item B<network-attach> I<domain-id> [B<script=>I<scriptname>] [B<ip=>I<ipaddr>]
918 [B<mac=>I<macaddr>] [B<bridge=>I<bridge-name>] [B<backend=>I<bedomain-id>]
920 Creates a new network device in the domain specified by I<domain-id>. It
921 takes the following optional options:
923 =back
927 =over 4
929 =item B<script=>I<scriptname>
931 Use the specified script name to bring up the network. Defaults to
932 the default setting in xend-config.sxp for B<vif-script>.
934 =item B<ip=>I<ipaddr>
936 Passes the specified IP Address to the adapter on creation.
938 FIXME: this currently appears to be B<broken>. I'm not sure under what
939 circumstances this should actually work.
941 =item B<mac=>I<macaddr>
943 The MAC address that the domain will see on its Ethernet device. If
944 the device is not specified it will be randomly generated with the
945 00:16:3e vendor id prefix.
947 =item B<bridge=>I<bridge-name>
949 The name of the bridge to attach the vif to, in case you have more
950 than one. This defaults to xenbr0.
952 =item B<backend=>I<bedomain-id>
954 The backend domain id. By default this is domain 0.
956 =back
958 =over 4
960 =item B<network-detach> I<domain-id> I<devid>
962 Removes the network device from the domain specified by I<domain-id>.
963 I<devid> is the virtual interface device number within the domain
964 (i.e. the 3 in vif22.3).
966 FIXME: this is currently B<broken>. Network devices aren't completely
967 removed from domain 0.
969 =item B<network-list> [B<-l>|B<--long>] I<domain-id>
971 List virtual network interfaces for a domain. The returned output is
972 formatted as a list or as an S-Expression if the B<--long> option was given.
974 =back
978 =over 4
980 =item B<vtpm-list> [B<-l>|B<--long>] I<domain-id>
982 Show the virtual TPM device for a domain. The returned output is
983 formatted as a list or as an S-Expression if the B<--long> option was given.
985 =back
987 =head1 VNET COMMANDS
989 The Virtual Network interfaces for Xen.
991 FIXME: This needs a lot more explanation, or it needs to be ripped
992 out entirely.
994 =over 4
996 =item B<vnet-list> [B<-l>|B<--long>]
998 List vnets.
1000 =item B<vnet-create> I<config>
1002 Create a vnet from a config file.
1004 =item B<vnet-delete> I<vnetid>
1006 Delete a vnet.
1008 =back
1012 Access Control in Xen consists of two components: (i) The Access
1013 Control Policy (ACP) defines security labels and access rules based on
1014 these labels. (ii) The Access Control Module (ACM) makes access control
1015 decisions by interpreting the policy when domains need to
1016 communicate or to access resources. The Xen access control has
1017 sufficient mechanisms in place to enforce the access decisions even
1018 against maliciously acting user domains (mandatory access control).
1020 Access rights for domains in Xen are determined by the domain security
1021 label only and not based on the domain Name or ID. The ACP specifies
1022 security labels that can then be assigned to domains and
1023 resources. Every domain must be assigned exactly one security label,
1024 otherwise access control decisions could become nondeterministic. ACPs
1025 are distinguished by their name, which is a parameter to most of the
1026 subcommands described below. Currently, the ACP specifies two ways to
1027 interpret labels:
1029 (1) Simple Type Enforcement: Labels are interpreted to decide access
1030 of domains to communication means and virtual or physical
1031 resources. Communication between domains as well as access to
1032 resources are forbidden by default and can only take place if they are
1033 explicitly allowed by the security policy. The proper assignment of
1034 labels to domains controls the sharing of information (directly
1035 through communication or indirectly through shared resources) between
1036 domains. This interpretation makes it possible to control the overt (intended)
1037 communication channels in Xen.
1039 (2) Chinese Wall: Labels are interpreted to decide which domains can
1040 co-exist (be run simultaneously) on the same system. This
1041 interpretation makes it possible to prevent direct covert (unintended) channels
1042 and mitigates risks caused by imperfect core domain isolation
1043 (trade-off between security and other system requirements). For a
1044 short introduction to covert channels, please refer to
1045 http://www.multicians.org/timing-chn.html.
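A simplified model of the two label interpretations described above, added as an example and not taken from Xen's ACM code. The label names, type names, conflict set and the two rules (domains may communicate when their labels share an STE type; a domain may not start while a running domain holds a different type from the same conflict set) are assumptions made for illustration.

```python
# Hypothetical policy, constructed for this example (not a shipped Xen policy).
# Each security label carries Simple Type Enforcement and Chinese Wall types.
LABELS = {
    "SystemManagement": {"ste": {"bank_a", "bank_b"}, "chwall": {"mgmt"}},
    "BankA": {"ste": {"bank_a"}, "chwall": {"bank_a"}},
    "BankB": {"ste": {"bank_b"}, "chwall": {"bank_b"}},
}

# Types in one conflict set must not run side by side on the same system.
CONFLICT_SETS = [{"bank_a", "bank_b"}]

# Every domain gets exactly one label; decisions never look at name or ID.
# "vm9" is deliberately left unlabelled in the checks below.
DOMAIN_LABEL = {"Domain-0": "SystemManagement", "vm1": "BankA",
                "vm2": "BankB", "vm3": "BankA"}


def types_of(domain, kind):
    """Return the 'ste' or 'chwall' types of a domain, None if unlabelled."""
    label = DOMAIN_LABEL.get(domain)
    return LABELS[label][kind] if label in LABELS else None


def ste_allows(dom_a, dom_b):
    """Simple Type Enforcement: forbidden unless the labels share a type."""
    a, b = types_of(dom_a, "ste"), types_of(dom_b, "ste")
    if a is None or b is None:
        return False  # no label means no explicit allowance: default deny
    return bool(a & b)


def chwall_allows_start(domain, running):
    """Chinese Wall: may `domain` run next to the `running` domains?

    Returns (allowed, reason).
    """
    new = types_of(domain, "chwall")
    if new is None:
        return False, "%s has no security label" % domain
    for other in running:
        held = types_of(other, "chwall")
        if held is None:
            return False, "running domain %s has no security label" % other
        for cset in CONFLICT_SETS:
            mine, theirs = new & cset, held & cset
            # Same type twice is fine; two different types of one set is not.
            if mine and theirs and len(mine | theirs) > 1:
                return False, "%s conflicts with running %s" % (domain, other)
    return True, "no conflict"


if __name__ == "__main__":
    running = ["Domain-0", "vm1"]
    for dom in ("vm2", "vm3", "vm9"):
        print("start", dom, "->", chwall_allows_start(dom, running))
    for pair in (("vm1", "vm2"), ("vm1", "vm3"), ("vm1", "Domain-0")):
        print("share", pair, "->", ste_allows(*pair))
```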
1047 The following subcommands help you to manage security policies in Xen
1048 and to assign security labels to domains. To enable access control
1049 security in Xen, you must compile Xen with ACM support enabled as
1050 described under "Configuring Security" below. There, you will also find
1051 examples of each subcommand described here.
1053 =over 4
1055 =item B<setpolicy> ACM I<policy>
1057 Makes the given ACM policy available to xend as a I<xend-managed policy>.
1058 The policy is compiled and a mapping (.map) as well as a binary (.bin)
1059 version of the policy is created. The policy is loaded and the system's
1060 bootloader is prepared to boot the system with this policy the next time
1061 it is started.
1063 =back
1065 =over 4
1067 I<policy> is a dot-separated list of names. The last part is the file
1068 name prefix for the policy XML file. The preceding name parts are
1069 translated into the local path pointing to the policy XML file
1070 relative to the global policy root directory
1071 (/etc/xen/acm-security/policies). For example,
1072 example.chwall_ste.client_v1 denotes the policy file
1073 example/chwall_ste/client_v1-security_policy.xml relative to the
1074 global policy root directory.
1076 =back
1078 =over 4
1080 =item B<resetpolicy>
1082 Reset the system's policy to the default state where the DEFAULT policy
1083 is loaded and enforced. This operation may fail if, for example, guest VMs are
1084 running and one of them uses a different label than what Domain-0
1085 does. It is best to make sure that no guests are running before issuing
1086 this command.
1088 =item B<getpolicy> [--dumpxml]
1090 Displays information about the current xend-managed policy, such as
1091 name and type of the policy, the uuid xend has assigned to it on the
1092 local system, the version of the XML representation and the status
1093 of the policy, such as whether it is currently loaded into Xen or
1094 whether the policy is automatically loaded during system boot. With
1095 the I<--dumpxml> option, the XML representation of the policy is
1096 displayed.
1098 =item B<dumppolicy>
1100 Prints the current security policy state information of Xen.
1102 =item B<labels> [I<policy>] [B<type=dom>|B<res>|B<any>]
1104 Lists all labels of a I<type> (domain, resource, or both) that are
1105 defined in the I<policy>. Unless specified, the default I<policy> is
1106 the currently enforced access control policy. The default for I<type>
1107 is 'dom'. The labels are arranged in alphabetical order.
1109 =item B<addlabel> I<label> B<dom> I<configfile> [I<policy>]
1111 =item B<addlabel> I<label> B<mgt> I<domain name> [I<policy type>:I<policy>]
1113 =item B<addlabel> I<label> B<res> I<resource> [I<policy>]
1115 =item B<addlabel> I<label> B<vif-idx> I<domain name> [I<policy type>:I<policy>]
1118 Adds the security label with name I<label> to a domain
1119 I<configfile> (dom), a Xend-managed domain (mgt), to the global resource label
1120 file for the given I<resource> (res), or to a managed domain's virtual network
1121 interface (vif) that is specified by its index. Unless specified,
1122 the default I<policy> is the currently enforced access control policy.
1123 This subcommand also verifies that the I<policy> definition supports the
1124 specified I<label> name.
1126 The only I<policy type> that is currently supported is I<ACM>.
1128 =item B<rmlabel> B<dom> I<configfile>
1130 =item B<rmlabel> B<mgt> I<domain name>
1132 =item B<rmlabel> B<res> I<resource>
1134 =item B<rmlabel> B<vif-idx> I<domain name>
1136 Works the same as the B<addlabel> command (above), except that this
1137 command will remove the label from the domain I<configfile> (dom),
1138 a Xend-managed domain (mgt), the global resource label file (res),
1139 or a managed domain's network interface (vif).
1141 =item B<getlabel> B<dom> I<configfile>
1143 =item B<getlabel> B<mgt> I<domain name>
1145 =item B<getlabel> B<res> I<resource>
1147 =item B<getlabel> B<vif-idx> I<domain name>
1149 Shows the label for a domain's configuration in the given I<configfile>,
1150 a xend-managed domain (mgt), a resource, or a managed domain's network
1151 interface (vif).
1153 =item B<resources>
1155 Lists all resources in the global resource label file. Each resource
1156 is listed with its associated label and policy name.
1158 =item B<dry-run> I<configfile>
1160 Determines if the specified I<configfile> describes a domain with a valid
1161 security configuration for type enforcement. The test shows the policy
1162 decision made for each resource label against the domain label as well as
1163 the overall decision.
1167 =over 4
1169 In xen_source_dir/Config.mk set the following parameter:
1171 XSM_ENABLE ?= y
1172 ACM_SECURITY ?= y
1174 Then recompile and install xen and the security tools and then reboot:
1176 cd xen_source_dir; make clean; make install
1177 reboot into Xen
1179 =back
1183 =over 4
1185 To set the system's security policy enforcement into its default state,
1186 the following command can be issued. Make sure that no guests are running
1187 while doing this.
1189 xm resetpolicy
1191 After this command has successfully completed, the system's DEFAULT policy
1192 is enforced.
1194 =back
1198 =over 4
1200 This step sets the system's policy and automatically loads it into Xen
1201 for enforcement.
1203 xm setpolicy ACM example.client_v1
1205 =back
1209 =over 4
1211 This subcommand shows all labels that are defined and which can be
1212 attached to domains.
1214 xm labels example.client_v1 type=dom
1216 will print for our example policy:
1218 dom_BoincClient
1219 dom_Fun
1220 dom_HomeBanking
1221 dom_NetworkDomain
1222 dom_StorageDomain
1223 dom_SystemManagement
1225 =back
1229 =over 4
1231 The B<addlabel> subcommand can attach a security label to a domain
1232 configuration file, here a HomeBanking label. The example policy
1233 ensures that this domain does not share information with other
1234 non-homebanking user domains (i.e., domains labeled as dom_Fun or
1235 dom_Boinc) and that it will not run simultaneously with domains
1236 labeled as dom_Fun.
1238 We assume that the specified myconfig.xm configuration file actually
1239 instantiates a domain that runs workloads related to home-banking,
1240 probably just a browser environment for online-banking.
1242 xm addlabel dom_HomeBanking dom myconfig.xm
1244 The very simple configuration file might now look as printed
1245 below. The B<addlabel> subcommand added the B<access_control> entry at
1246 the end of the file, consisting of a label name and the policy that
1247 specifies this label name:
1249 kernel = "/boot/vmlinuz-2.6.16-xen"
1250 ramdisk="/boot/U1_home_banking_ramdisk.img"
1251 memory = 164
1252 name = "homebanking"
1253 vif = [ '' ]
1254 dhcp = "dhcp"
1255 access_control = ['policy=example.chwall_ste.client_v1,label=dom_HomeBanking']
1258 Security labels must be assigned to domain configurations because
1259 these labels are essential for making access control decisions as
1260 early as during the configuration phase of a newly instantiated
1261 domain. Consequently, a security-enabled Xen hypervisor will only
1262 start domains that have a security label configured and whose security
1263 label is consistent with the currently enforced policy. Otherwise,
1264 starting the domain will fail with the error condition "operation not
1265 permitted".
1267 =back
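An added pre-flight check (not part of xm or xend) that reads the access_control entry from a domain configuration without executing it, maps the policy name to its XML file using the naming rule given under setpolicy, and reports why a security-enabled Xen would refuse the domain. The function names and the allowed character set for name parts are assumptions.

```python
import ast
import posixpath
import re

POLICY_ROOT = "/etc/xen/acm-security/policies"  # global policy root from this page
NAME_PART = re.compile(r"[A-Za-z0-9_-]+")  # assumption: conservative name charset


def policy_xml_path(policy):
    """Translate a dot-separated policy name into the path of its XML file."""
    parts = policy.split(".")
    if not all(NAME_PART.fullmatch(p) for p in parts):
        raise ValueError("invalid policy name: %r" % policy)
    return posixpath.join(POLICY_ROOT, *parts) + "-security_policy.xml"


def access_control_of(config_text):
    """Return (policy, label) from a domain config (parsed, never executed)."""
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "access_control"
                for t in node.targets):
            entry = ast.literal_eval(node.value)[0]
            fields = dict(kv.strip().split("=", 1) for kv in entry.split(","))
            return fields["policy"], fields["label"]
    return None  # no access_control entry: the domain is unlabeled


def preflight(config_text, enforced_policy, policy_labels):
    """Approximate the start-time check: labeled, and consistent with policy."""
    ac = access_control_of(config_text)
    if ac is None:
        return "deny: no security label configured"
    policy, label = ac
    if policy != enforced_policy:
        return "deny: labeled for policy %s, which is not enforced" % policy
    if label not in policy_labels:
        return "deny: %s is not defined in %s" % (label, policy_xml_path(policy))
    return "ok"


# Constructed sample, modeled on the configuration file shown above.
SAMPLE_CONFIG = """\
name = "homebanking"
vif = [ '' ]
access_control = ['policy=example.chwall_ste.client_v1,label=dom_HomeBanking']
"""
```

The set passed as policy_labels would normally be the output of xm labels for the enforced policy.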
1271 =over 4
1273 The addlabel subcommand supports labeling of domains that are managed
1274 by xend. This includes domains that are currently running, such as
1275 Domain-0, or those that are in a dormant state.
1276 Depending on the state of the system, the new label may be
1277 rejected. For example, relabeling is rejected
1278 if the domain is currently allowed to
1279 access its labeled resources but the new label would prevent it
1280 from accessing one or more of them.
1282 xm addlabel dom_Fun mgt Domain-0
1284 This changes the label of Domain-0 to dom_Fun under the condition that
1285 this new label of Domain-0 would not prevent any other domain from
1286 accessing its resources that are provided through Domain-0, such as
1287 network or block device access.
1289 =back
1293 =over 4
1295 The B<addlabel> subcommand can also be used to attach a security
1296 label to a resource. Following the home banking example from above,
1297 we can label a disk resource (e.g., a physical partition or a file)
1298 to make it accessible to the home banking domain. The example policy
1299 provides a resource label, res_LogicalDiskPartition1(hda1), that is
1300 compatible with the HomeBanking domain label.
1302 xm addlabel "res_LogicalDiskPartition1(hda1)" res phy:hda6
1304 After labeling this disk resource, it can be attached to the domain
1305 by adding a line to the domain configuration file. The line below
1306 attaches this disk to the domain at boot time.
1308 disk = [ 'phy:hda6,sda2,w' ]
1310 Alternatively, the resource can be attached after booting the domain
1311 by using the B<block-attach> subcommand.
1313 xm block-attach homebanking phy:hda6 sda2 w
1315 Note that labeled resources cannot be used when security is turned
1316 off. Any attempt to use labeled resources with security turned off
1317 will result in a failure with a corresponding error message. The
1318 solution is to enable security or, if security is no longer desired,
1319 to remove the resource label using the B<rmlabel> subcommand.
1321 =back
1325 =over 4
1327 xm create myconfig.xm
1329 xm list --label
1331 Name ID ... Time(s) Label
1332 homebanking 23 ... 4.4 dom_HomeBanking
1333 Domain-0 0 ... 2658.8 dom_SystemManagement
1335 =back
1339 =over 4
1341 xm resources
1343 phy:hda6
1344 type: ACM
1345 policy: example.chwall_ste.client_v1
1346 label: res_LogicalDiskPartition1(hda1)
1347 file:/xen/disk_image/disk.img
1348 type: ACM
1349 policy: example.chwall_ste.client_v1
1350 label: res_LogicalDiskPartition2(hda2)
1352 =back
1356 =over 4
1358 We distinguish three representations of the Xen access control policy:
1359 the source XML version, its binary counterpart, and a mapping
1360 representation that enables the tools to deterministically translate
1361 back and forth between label names of the XML policy and label
1362 identifiers of the binary policy. All three versions must be kept
1363 consistent to achieve predictable security guarantees.
1365 The XML version is the version that users are supposed to create or
1366 change, either by manually editing the XML file or by using the Xen
1367 policy generation tool (B<xensec_gen>). After changing the XML file,
1368 run the B<setpolicy> subcommand to ensure that the new policy is
1369 available to xend. Use, for example, the subcommand
1370 B<activatepolicy> to activate the changes during the next system
1371 reboot.
1373 The binary version of the policy is derived from the XML policy by
1374 tokenizing the specified labels and is used inside Xen only. It is
1375 created with the B<setpolicy> subcommand. Essentially, the binary
1376 version is much more compact than the XML version and is easier to
1377 evaluate during access control decisions.
1379 The mapping version of the policy is created during the XML-to-binary
1380 policy translation (B<setpolicy>) and is used by xend and the management
1381 tools to translate between label names used as input to the tools and
1382 their binary identifiers (ssidrefs) used inside Xen.
1384 =back
1386 =back
1388 =head1 SEE ALSO
1390 B<xmdomain.cfg>(5), B<xentop>(1)
1392 =head1 AUTHOR
1394 Sean Dague <sean at dague dot net>
1395 Daniel Stekloff <dsteklof at us dot ibm dot com>
1396 Reiner Sailer <sailer at us dot ibm dot com>
1397 Stefan Berger <stefanb at us dot ibm dot com>
1399 =head1 BUGS