view docs/src/user.tex @ 11128:f2f584093379

[POWERPC] Update .hgignore
Signed-off-by: Hollis Blanchard <hollisb@us.ibm.com>
author kfraser@localhost.localdomain
date Tue Aug 15 10:38:59 2006 +0100 (2006-08-15)
parents 457c427c28fc
children b26bf72514aa
line source
1 \documentclass[11pt,twoside,final,openright]{report}
2 \usepackage{a4,graphicx,html,parskip,setspace,times,xspace,url}
3 \setstretch{1.15}
5 \renewcommand{\ttdefault}{pcr}
7 \def\Xend{{Xend}\xspace}
8 \def\xend{{xend}\xspace}
10 \latexhtml{\renewcommand{\path}[1]{{\small {\tt #1}}}}{\renewcommand{\path}[1]{{\tt #1}}}
13 \begin{document}
16 \pagestyle{empty}
17 \begin{center}
18 \vspace*{\fill}
19 \includegraphics{figs/xenlogo.eps}
20 \vfill
21 \vfill
22 \vfill
23 \begin{tabular}{l}
24 {\Huge \bf Users' Manual} \\[4mm]
25 {\huge Xen v3.0} \\[80mm]
26 \end{tabular}
27 \end{center}
29 {\bf DISCLAIMER: This documentation is always under active development
30 and as such there may be mistakes and omissions --- watch out for
31 these and please report any you find to the developers' mailing list,
32 xen-devel@lists.xensource.com. The latest version is always available
33 on-line. Contributions of material, suggestions and corrections are
34 welcome.}
36 \vfill
37 \clearpage
41 \pagestyle{empty}
43 \vspace*{\fill}
45 Xen is Copyright \copyright 2002-2005, University of Cambridge, UK, XenSource
46 Inc., IBM Corp., Hewlett-Packard Co., Intel Corp., AMD Inc., and others. All
47 rights reserved.
49 Xen is an open-source project. Most portions of Xen are licensed for copying
50 under the terms of the GNU General Public License, version 2. Other portions
51 are licensed under the terms of the GNU Lesser General Public License, the
52 Zope Public License 2.0, or under ``BSD-style'' licenses. Please refer to the
53 COPYING file for details.
55 Xen includes software by Christopher Clark. This software is covered by the
56 following licence:
58 \begin{quote}
59 Copyright (c) 2002, Christopher Clark. All rights reserved.
61 Redistribution and use in source and binary forms, with or without
62 modification, are permitted provided that the following conditions are met:
64 \begin{itemize}
65 \item Redistributions of source code must retain the above copyright notice,
66 this list of conditions and the following disclaimer.
68 \item Redistributions in binary form must reproduce the above copyright
69 notice, this list of conditions and the following disclaimer in the
70 documentation and/or other materials provided with the distribution.
72 \item Neither the name of the original author; nor the names of any
73 contributors may be used to endorse or promote products derived from this
74 software without specific prior written permission.
75 \end{itemize}
87 \end{quote}
89 \cleardoublepage
93 \pagestyle{plain}
94 \pagenumbering{roman}
95 { \parskip 0pt plus 1pt
96 \tableofcontents }
97 \cleardoublepage
101 \pagenumbering{arabic}
102 \raggedbottom
103 \widowpenalty=10000
104 \clubpenalty=10000
105 \parindent=0pt
106 \parskip=5pt
107 \renewcommand{\topfraction}{.8}
108 \renewcommand{\bottomfraction}{.8}
109 \renewcommand{\textfraction}{.2}
110 \renewcommand{\floatpagefraction}{.8}
111 \setstretch{1.1}
114 %% Chapter Introduction moved to introduction.tex
115 \chapter{Introduction}
118 Xen is an open-source \emph{para-virtualizing} virtual machine monitor
119 (VMM), or ``hypervisor'', for the x86 processor architecture. Xen can
120 securely execute multiple virtual machines on a single physical system
121 with close-to-native performance. Xen facilitates enterprise-grade
122 functionality, including:
124 \begin{itemize}
125 \item Virtual machines with performance close to native hardware.
126 \item Live migration of running virtual machines between physical hosts.
127 \item Up to 32 virtual CPUs per guest virtual machine, with VCPU hotplug.
128 \item x86/32, x86/32 with PAE, and x86/64 platform support.
129 \item Intel Virtualization Technology (VT-x) for unmodified guest operating systems (including Microsoft Windows).
130 \item Excellent hardware support (supports almost all Linux device
131 drivers).
132 \end{itemize}
135 \section{Usage Scenarios}
137 Usage scenarios for Xen include:
139 \begin{description}
140 \item [Server Consolidation.] Move multiple servers onto a single
141 physical host with performance and fault isolation provided at the
142 virtual machine boundaries.
143 \item [Hardware Independence.] Allow legacy applications and operating
144 systems to exploit new hardware.
145 \item [Multiple OS configurations.] Run multiple operating systems
146 simultaneously, for development or testing purposes.
147 \item [Kernel Development.] Test and debug kernel modifications in a
148 sand-boxed virtual machine --- no need for a separate test machine.
149 \item [Cluster Computing.] Management at VM granularity provides more
150 flexibility than separately managing each physical host, but better
151 control and isolation than single-system image solutions,
152 particularly by using live migration for load balancing.
153 \item [Hardware support for custom OSes.] Allow development of new
154 OSes while benefiting from the wide-ranging hardware support of
155 existing OSes such as Linux.
156 \end{description}
159 \section{Operating System Support}
161 Para-virtualization permits very high performance virtualization, even
162 on architectures like x86 that are traditionally very hard to
163 virtualize.
165 This approach requires operating systems to be \emph{ported} to run on
166 Xen. Porting an OS to run on Xen is similar to supporting a new
167 hardware platform, however the process is simplified because the
168 para-virtual machine architecture is very similar to the underlying
169 native hardware. Even though operating system kernels must explicitly
170 support Xen, a key feature is that user space applications and
171 libraries \emph{do not} require modification.
173 With hardware CPU virtualization as provided by Intel VT and AMD
174 SVM technology, the ability to run an unmodified guest OS kernel
175 is available. No porting of the OS is required, although some
176 additional driver support is necessary within Xen itself. Unlike
177 traditional full virtualization hypervisors, which suffer a tremendous
178 performance overhead, the combination of Xen and VT or Xen and
179 Pacifica technology complement one another to offer superb performance
180 for para-virtualized guest operating systems and full support for
181 unmodified guests running natively on the processor. Full support for
182 VT and Pacifica chipsets will appear in early 2006.
184 Paravirtualized Xen support is available for increasingly many
185 operating systems: currently, mature Linux support is available and
186 included in the standard distribution. Other OS ports---including
187 NetBSD, FreeBSD and Solaris x86 v10---are nearing completion.
190 \section{Hardware Support}
192 Xen currently runs on the x86 architecture, requiring a ``P6'' or
193 newer processor (e.g.\ Pentium Pro, Celeron, Pentium~II, Pentium~III,
194 Pentium~IV, Xeon, AMD~Athlon, AMD~Duron). Multiprocessor machines are
195 supported, and there is support for HyperThreading (SMT). In
196 addition, ports to IA64 and Power architectures are in progress.
198 The default 32-bit Xen supports up to 4GB of memory. However Xen 3.0
199 adds support for Intel's Physical Addressing Extensions (PAE), which
200 enable x86/32 machines to address up to 64 GB of physical memory. Xen
201 3.0 also supports x86/64 platforms such as Intel EM64T and AMD Opteron
202 which can currently address up to 1TB of physical memory.
204 Xen offloads most of the hardware support issues to the guest OS
205 running in the \emph{Domain~0} management virtual machine. Xen itself
206 contains only the code required to detect and start secondary
207 processors, set up interrupt routing, and perform PCI bus
208 enumeration. Device drivers run within a privileged guest OS rather
209 than within Xen itself. This approach provides compatibility with the
210 majority of device hardware supported by Linux. The default XenLinux
211 build contains support for most server-class network and disk
212 hardware, but you can add support for other hardware by configuring
213 your XenLinux kernel in the normal way.
216 \section{Structure of a Xen-Based System}
218 A Xen system has multiple layers, the lowest and most privileged of
219 which is Xen itself.
221 Xen may host multiple \emph{guest} operating systems, each of which is
222 executed within a secure virtual machine. In Xen terminology, a
223 \emph{domain}. Domains are scheduled by Xen to make effective use of the
224 available physical CPUs. Each guest OS manages its own applications.
225 This management includes the responsibility of scheduling each
226 application within the time allotted to the VM by Xen.
228 The first domain, \emph{domain~0}, is created automatically when the
229 system boots and has special management privileges. Domain~0 builds
230 other domains and manages their virtual devices. It also performs
231 administrative tasks such as suspending, resuming and migrating other
232 virtual machines.
234 Within domain~0, a process called \emph{xend} runs to manage the system.
235 \Xend\ is responsible for managing virtual machines and providing access
236 to their consoles. Commands are issued to \xend\ over an HTTP interface,
237 via a command-line tool.
240 \section{History}
242 Xen was originally developed by the Systems Research Group at the
243 University of Cambridge Computer Laboratory as part of the XenoServers
244 project, funded by the UK-EPSRC\@.
246 XenoServers aim to provide a ``public infrastructure for global
247 distributed computing''. Xen plays a key part in that, allowing one to
248 efficiently partition a single machine to enable multiple independent
249 clients to run their operating systems and applications in an
250 environment. This environment provides protection, resource isolation
251 and accounting. The project web page contains further information along
252 with pointers to papers and technical reports:
253 \path{http://www.cl.cam.ac.uk/xeno}
255 Xen has grown into a fully-fledged project in its own right, enabling us
256 to investigate interesting research issues regarding the best techniques
257 for virtualizing resources such as the CPU, memory, disk and network.
258 Project contributors now include XenSource, Intel, IBM, HP, AMD, Novell,
259 RedHat.
261 Xen was first described in a paper presented at SOSP in
262 2003\footnote{\tt
263 http://www.cl.cam.ac.uk/netos/papers/2003-xensosp.pdf}, and the first
264 public release (1.0) was made that October. Since then, Xen has
265 significantly matured and is now used in production scenarios on many
266 sites.
268 \section{What's New}
270 Xen 3.0.0 offers:
272 \begin{itemize}
273 \item Support for up to 32-way SMP guest operating systems
274 \item Intel (Physical Addressing Extensions) PAE to support 32-bit
275 servers with more than 4GB physical memory
276 \item x86/64 support (Intel EM64T, AMD Opteron)
277 \item Intel VT-x support to enable the running of unmodified guest
278 operating systems (Windows XP/2003, Legacy Linux)
279 \item Enhanced control tools
280 \item Improved ACPI support
281 \item AGP/DRM graphics
282 \end{itemize}
285 Xen 3.0 features greatly enhanced hardware support, configuration
286 flexibility, usability and a larger complement of supported operating
287 systems. This latest release takes Xen a step closer to being the
288 definitive open source solution for virtualization.
292 \part{Installation}
294 %% Chapter Basic Installation
295 \chapter{Basic Installation}
297 The Xen distribution includes three main components: Xen itself, ports
298 of Linux and NetBSD to run on Xen, and the userspace tools required to
299 manage a Xen-based system. This chapter describes how to install the
300 Xen~3.0 distribution from source. Alternatively, there may be pre-built
301 packages available as part of your operating system distribution.
304 \section{Prerequisites}
305 \label{sec:prerequisites}
307 The following is a full list of prerequisites. Items marked `$\dag$' are
308 required by the \xend\ control tools, and hence required if you want to
309 run more than one virtual machine; items marked `$*$' are only required
310 if you wish to build from source.
311 \begin{itemize}
312 \item A working Linux distribution using the GRUB bootloader and running
313 on a P6-class or newer CPU\@.
314 \item [$\dag$] The \path{iproute2} package.
315 \item [$\dag$] The Linux bridge-utils\footnote{Available from {\tt
316 http://bridge.sourceforge.net}} (e.g., \path{/sbin/brctl})
317 \item [$\dag$] The Linux hotplug system\footnote{Available from {\tt
318 http://linux-hotplug.sourceforge.net/}} (e.g.,
319 \path{/sbin/hotplug} and related scripts). On newer distributions,
320 this is included alongside the Linux udev system\footnote{See {\tt
321 http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html/}}.
322 \item [$*$] Build tools (gcc v3.2.x or v3.3.x, binutils, GNU make).
323 \item [$*$] Development installation of zlib (e.g.,\ zlib-dev).
324 \item [$*$] Development installation of Python v2.2 or later (e.g.,\
325 python-dev).
326 \item [$*$] \LaTeX\ and transfig are required to build the
327 documentation.
328 \end{itemize}
330 Once you have satisfied these prerequisites, you can now install either
331 a binary or source distribution of Xen.
333 \section{Installing from Binary Tarball}
335 Pre-built tarballs are available for download from the XenSource downloads
336 page:
337 \begin{quote} {\tt http://www.xensource.com/downloads/}
338 \end{quote}
340 Once you've downloaded the tarball, simply unpack and install:
341 \begin{verbatim}
342 # tar zxvf xen-3.0-install.tgz
343 # cd xen-3.0-install
344 # sh ./install.sh
345 \end{verbatim}
347 Once you've installed the binaries you need to configure your system as
348 described in Section~\ref{s:configure}.
350 \section{Installing from RPMs}
351 Pre-built RPMs are available for download from the XenSource downloads
352 page:
353 \begin{quote} {\tt http://www.xensource.com/downloads/}
354 \end{quote}
356 Once you've downloaded the RPMs, you typically install them via the
357 RPM commands:
359 \verb|# rpm -iv rpmname|
361 See the instructions and the Release Notes for each RPM set referenced at:
362 \begin{quote}
363 {\tt http://www.xensource.com/downloads/}.
364 \end{quote}
366 \section{Installing from Source}
368 This section describes how to obtain, build and install Xen from source.
370 \subsection{Obtaining the Source}
372 The Xen source tree is available as either a compressed source tarball
373 or as a clone of our master Mercurial repository.
375 \begin{description}
376 \item[Obtaining the Source Tarball]\mbox{} \\
377 Stable versions and daily snapshots of the Xen source tree are
378 available from the Xen download page:
379 \begin{quote} {\tt \tt http://www.xensource.com/downloads/}
380 \end{quote}
381 \item[Obtaining the source via Mercurial]\mbox{} \\
382 The source tree may also be obtained via the public Mercurial
383 repository at:
384 \begin{quote}{\tt http://xenbits.xensource.com}
385 \end{quote} See the instructions and the Getting Started Guide
386 referenced at:
387 \begin{quote}
388 {\tt http://www.xensource.com/downloads/}
389 \end{quote}
390 \end{description}
392 % \section{The distribution}
393 %
394 % The Xen source code repository is structured as follows:
395 %
396 % \begin{description}
397 % \item[\path{tools/}] Xen node controller daemon (Xend), command line
398 % tools, control libraries
399 % \item[\path{xen/}] The Xen VMM.
400 % \item[\path{buildconfigs/}] Build configuration files
401 % \item[\path{linux-*-xen-sparse/}] Xen support for Linux.
402 % \item[\path{patches/}] Experimental patches for Linux.
403 % \item[\path{docs/}] Various documentation files for users and
404 % developers.
405 % \item[\path{extras/}] Bonus extras.
406 % \end{description}
408 \subsection{Building from Source}
410 The top-level Xen Makefile includes a target ``world'' that will do the
411 following:
413 \begin{itemize}
414 \item Build Xen.
415 \item Build the control tools, including \xend.
416 \item Download (if necessary) and unpack the Linux 2.6 source code, and
417 patch it for use with Xen.
418 \item Build a Linux kernel to use in domain~0 and a smaller unprivileged
419 kernel, which can be used for unprivileged virtual machines.
420 \end{itemize}
422 After the build has completed you should have a top-level directory
423 called \path{dist/} in which all resulting targets will be placed. Of
424 particular interest are the two XenLinux kernel images, one with a
425 ``-xen0'' extension which contains hardware device drivers and drivers
426 for Xen's virtual devices, and one with a ``-xenU'' extension that
427 just contains the virtual ones. These are found in
428 \path{dist/install/boot/} along with the image for Xen itself and the
429 configuration files used during the build.
431 %The NetBSD port can be built using:
432 %\begin{quote}
433 %\begin{verbatim}
434 %# make netbsd20
435 %\end{verbatim}\end{quote}
436 %NetBSD port is built using a snapshot of the netbsd-2-0 cvs branch.
437 %The snapshot is downloaded as part of the build process if it is not
438 %yet present in the \path{NETBSD\_SRC\_PATH} search path. The build
439 %process also downloads a toolchain which includes all of the tools
440 %necessary to build the NetBSD kernel under Linux.
442 To customize the set of kernels built you need to edit the top-level
443 Makefile. Look for the line:
444 \begin{quote}
445 \begin{verbatim}
446 KERNELS ?= linux-2.6-xen0 linux-2.6-xenU
447 \end{verbatim}
448 \end{quote}
450 You can edit this line to include any set of operating system kernels
451 which have configurations in the top-level \path{buildconfigs/}
452 directory.
454 %% Inspect the Makefile if you want to see what goes on during a
455 %% build. Building Xen and the tools is straightforward, but XenLinux
456 %% is more complicated. The makefile needs a `pristine' Linux kernel
457 %% tree to which it will then add the Xen architecture files. You can
458 %% tell the makefile the location of the appropriate Linux compressed
459 %% tar file by
460 %% setting the LINUX\_SRC environment variable, e.g. \\
461 %% \verb!# LINUX_SRC=/tmp/linux-2.6.11.tar.bz2 make world! \\ or by
462 %% placing the tar file somewhere in the search path of {\tt
463 %% LINUX\_SRC\_PATH} which defaults to `{\tt .:..}'. If the
464 %% makefile can't find a suitable kernel tar file it attempts to
465 %% download it from kernel.org (this won't work if you're behind a
466 %% firewall).
468 %% After untaring the pristine kernel tree, the makefile uses the {\tt
469 %% mkbuildtree} script to add the Xen patches to the kernel.
471 %% \framebox{\parbox{5in}{
472 %% {\bf Distro specific:} \\
473 %% {\it Gentoo} --- if not using udev (most installations,
474 %% currently), you'll need to enable devfs and devfs mount at boot
475 %% time in the xen0 config. }}
477 \subsection{Custom Kernels}
479 % If you have an SMP machine you may wish to give the {\tt '-j4'}
480 % argument to make to get a parallel build.
482 If you wish to build a customized XenLinux kernel (e.g.\ to support
483 additional devices or enable distribution-required features), you can
484 use the standard Linux configuration mechanisms, specifying that the
485 architecture being built for is \path{xen}, e.g:
486 \begin{quote}
487 \begin{verbatim}
488 # cd linux-2.6.12-xen0
489 # make ARCH=xen xconfig
490 # cd ..
491 # make
492 \end{verbatim}
493 \end{quote}
495 You can also copy an existing Linux configuration (\path{.config}) into
496 e.g.\ \path{linux-2.6.12-xen0} and execute:
497 \begin{quote}
498 \begin{verbatim}
499 # make ARCH=xen oldconfig
500 \end{verbatim}
501 \end{quote}
503 You may be prompted with some Xen-specific options. We advise accepting
504 the defaults for these options.
506 Note that the only difference between the two types of Linux kernels
507 that are built is the configuration file used for each. The ``U''
508 suffixed (unprivileged) versions don't contain any of the physical
509 hardware device drivers, leading to a 30\% reduction in size; hence you
510 may prefer these for your non-privileged domains. The ``0'' suffixed
511 privileged versions can be used to boot the system, as well as in driver
512 domains and unprivileged domains.
514 \subsection{Installing Generated Binaries}
516 The files produced by the build process are stored under the
517 \path{dist/install/} directory. To install them in their default
518 locations, do:
519 \begin{quote}
520 \begin{verbatim}
521 # make install
522 \end{verbatim}
523 \end{quote}
525 Alternatively, users with special installation requirements may wish to
526 install them manually by copying the files to their appropriate
527 destinations.
529 %% Files in \path{install/boot/} include:
530 %% \begin{itemize}
531 %% \item \path{install/boot/xen-3.0.gz} Link to the Xen 'kernel'
532 %% \item \path{install/boot/vmlinuz-2.6-xen0} Link to domain 0
533 %% XenLinux kernel
534 %% \item \path{install/boot/vmlinuz-2.6-xenU} Link to unprivileged
535 %% XenLinux kernel
536 %% \end{itemize}
538 The \path{dist/install/boot} directory will also contain the config
539 files used for building the XenLinux kernels, and also versions of Xen
540 and XenLinux kernels that contain debug symbols such as
541 (\path{xen-syms-3.0.0} and \path{vmlinux-syms-}) which are
542 essential for interpreting crash dumps. Retain these files as the
543 developers may wish to see them if you post on the mailing list.
546 \section{Configuration}
547 \label{s:configure}
549 Once you have built and installed the Xen distribution, it is simple to
550 prepare the machine for booting and running Xen.
552 \subsection{GRUB Configuration}
554 An entry should be added to \path{grub.conf} (often found under
555 \path{/boot/} or \path{/boot/grub/}) to allow Xen / XenLinux to boot.
556 This file is sometimes called \path{menu.lst}, depending on your
557 distribution. The entry should look something like the following:
559 %% KMSelf Thu Dec 1 19:06:13 PST 2005 262144 is useful for RHEL/RH and
560 %% related Dom0s.
561 {\small
562 \begin{verbatim}
563 title Xen 3.0 / XenLinux 2.6
564 kernel /boot/xen-3.0.gz dom0_mem=262144
565 module /boot/vmlinuz-2.6-xen0 root=/dev/sda4 ro console=tty0
566 \end{verbatim}
567 }
569 The kernel line tells GRUB where to find Xen itself and what boot
570 parameters should be passed to it (in this case, setting the domain~0
571 memory allocation in kilobytes and the settings for the serial port).
572 For more details on the various Xen boot parameters see
573 Section~\ref{s:xboot}.
575 The module line of the configuration describes the location of the
576 XenLinux kernel that Xen should start and the parameters that should be
577 passed to it. These are standard Linux parameters, identifying the root
578 device and specifying it be initially mounted read only and instructing
579 that console output be sent to the screen. Some distributions such as
580 SuSE do not require the \path{ro} parameter.
582 %% \framebox{\parbox{5in}{
583 %% {\bf Distro specific:} \\
584 %% {\it SuSE} --- Omit the {\tt ro} option from the XenLinux
585 %% kernel command line, since the partition won't be remounted rw
586 %% during boot. }}
588 To use an initrd, add another \path{module} line to the configuration,
589 like: {\small
590 \begin{verbatim}
591 module /boot/my_initrd.gz
592 \end{verbatim}
593 }
595 %% KMSelf Thu Dec 1 19:05:30 PST 2005 Other configs as an appendix?
597 When installing a new kernel, it is recommended that you do not delete
598 existing menu options from \path{menu.lst}, as you may wish to boot your
599 old Linux kernel in future, particularly if you have problems.
601 \subsection{Serial Console (optional)}
603 Serial console access allows you to manage, monitor, and interact with
604 your system over a serial console. This can allow access from another
605 nearby system via a null-modem (``LapLink'') cable or remotely via a serial
606 concentrator.
608 You system's BIOS, bootloader (GRUB), Xen, Linux, and login access must
609 each be individually configured for serial console access. It is
610 \emph{not} strictly necessary to have each component fully functional,
611 but it can be quite useful.
613 For general information on serial console configuration under Linux,
614 refer to the ``Remote Serial Console HOWTO'' at The Linux Documentation
615 Project: \url{http://www.tldp.org}
617 \subsubsection{Serial Console BIOS configuration}
619 Enabling system serial console output neither enables nor disables
620 serial capabilities in GRUB, Xen, or Linux, but may make remote
621 management of your system more convenient by displaying POST and other
622 boot messages over serial port and allowing remote BIOS configuration.
624 Refer to your hardware vendor's documentation for capabilities and
625 procedures to enable BIOS serial redirection.
628 \subsubsection{Serial Console GRUB configuration}
630 Enabling GRUB serial console output neither enables nor disables Xen or
631 Linux serial capabilities, but may made remote management of your system
632 more convenient by displaying GRUB prompts, menus, and actions over
633 serial port and allowing remote GRUB management.
635 Adding the following two lines to your GRUB configuration file,
636 typically either \path{/boot/grub/menu.lst} or \path{/boot/grub/grub.conf}
637 depending on your distro, will enable GRUB serial output.
639 \begin{quote}
640 {\small \begin{verbatim}
641 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
642 terminal --timeout=10 serial console
643 \end{verbatim}}
644 \end{quote}
646 Note that when both the serial port and the local monitor and keyboard
647 are enabled, the text ``\emph{Press any key to continue}'' will appear
648 at both. Pressing a key on one device will cause GRUB to display to
649 that device. The other device will see no output. If no key is
650 pressed before the timeout period expires, the system will boot to the
651 default GRUB boot entry.
653 Please refer to the GRUB documentation for further information.
656 \subsubsection{Serial Console Xen configuration}
658 Enabling Xen serial console output neither enables nor disables Linux
659 kernel output or logging in to Linux over serial port. It does however
660 allow you to monitor and log the Xen boot process via serial console and
661 can be very useful in debugging.
663 %% kernel /boot/xen-2.0.gz dom0_mem=131072 console=com1,vga com1=115200,8n1
664 %% module /boot/vmlinuz-2.6-xen0 root=/dev/sda4 ro
666 In order to configure Xen serial console output, it is necessary to
667 add a boot option to your GRUB config; e.g.\ replace the previous
668 example kernel line with:
669 \begin{quote} {\small \begin{verbatim}
670 kernel /boot/xen.gz dom0_mem=131072 com1=115200,8n1
671 \end{verbatim}}
672 \end{quote}
674 This configures Xen to output on COM1 at 115,200 baud, 8 data bits, no
675 parity and 1 stop bit. Modify these parameters for your environment.
676 See Section~\ref{s:xboot} for an explanation of all boot parameters.
678 One can also configure XenLinux to share the serial console; to achieve
679 this append ``\path{console=ttyS0}'' to your module line.
682 \subsubsection{Serial Console Linux configuration}
684 Enabling Linux serial console output at boot neither enables nor
685 disables logging in to Linux over serial port. It does however allow
686 you to monitor and log the Linux boot process via serial console and can be
687 very useful in debugging.
689 To enable Linux output at boot time, add the parameter
690 \path{console=ttyS0} (or ttyS1, ttyS2, etc.) to your kernel GRUB line.
691 Under Xen, this might be:
692 \begin{quote}
693 {\footnotesize \begin{verbatim}
694 module /vmlinuz-2.6-xen0 ro root=/dev/VolGroup00/LogVol00 \
695 console=ttyS0, 115200
696 \end{verbatim}}
697 \end{quote}
698 to enable output over ttyS0 at 115200 baud.
702 \subsubsection{Serial Console Login configuration}
704 Logging in to Linux via serial console, under Xen or otherwise, requires
705 specifying a login prompt be started on the serial port. To permit root
706 logins over serial console, the serial port must be added to
707 \path{/etc/securetty}.
709 \newpage
710 To automatically start a login prompt over the serial port,
711 add the line: \begin{quote} {\small {\tt c:2345:respawn:/sbin/mingetty
712 ttyS0}} \end{quote} to \path{/etc/inittab}. Run \path{init q} to force
713 a reload of your inttab and start getty.
715 To enable root logins, add \path{ttyS0} to \path{/etc/securetty} if not
716 already present.
718 Your distribution may use an alternate getty; options include getty,
719 mgetty and agetty. Consult your distribution's documentation
720 for further information.
723 \subsection{TLS Libraries}
725 Users of the XenLinux 2.6 kernel should disable Thread Local Storage
726 (TLS) (e.g.\ by doing a \path{mv /lib/tls /lib/tls.disabled}) before
727 attempting to boot a XenLinux kernel\footnote{If you boot without first
728 disabling TLS, you will get a warning message during the boot process.
729 In this case, simply perform the rename after the machine is up and
730 then run \path{/sbin/ldconfig} to make it take effect.}. You can
731 always reenable TLS by restoring the directory to its original location
732 (i.e.\ \path{mv /lib/tls.disabled /lib/tls}).
734 The reason for this is that the current TLS implementation uses
735 segmentation in a way that is not permissible under Xen. If TLS is not
736 disabled, an emulation mode is used within Xen which reduces performance
737 substantially. To ensure full performance you should install a
738 `Xen-friendly' (nosegneg) version of the library.
741 \section{Booting Xen}
743 It should now be possible to restart the system and use Xen. Reboot and
744 choose the new Xen option when the Grub screen appears.
746 What follows should look much like a conventional Linux boot. The first
747 portion of the output comes from Xen itself, supplying low level
748 information about itself and the underlying hardware. The last portion
749 of the output comes from XenLinux.
751 You may see some error messages during the XenLinux boot. These are not
752 necessarily anything to worry about---they may result from kernel
753 configuration differences between your XenLinux kernel and the one you
754 usually use.
756 When the boot completes, you should be able to log into your system as
757 usual. If you are unable to log in, you should still be able to reboot
758 with your normal Linux kernel by selecting it at the GRUB prompt.
761 % Booting Xen
762 \chapter{Booting a Xen System}
764 Booting the system into Xen will bring you up into the privileged
765 management domain, Domain0. At that point you are ready to create
766 guest domains and ``boot'' them using the \texttt{xm create} command.
768 \section{Booting Domain0}
770 After installation and configuration is complete, reboot the system
771 and and choose the new Xen option when the Grub screen appears.
773 What follows should look much like a conventional Linux boot. The
774 first portion of the output comes from Xen itself, supplying low level
775 information about itself and the underlying hardware. The last
776 portion of the output comes from XenLinux.
778 %% KMSelf Wed Nov 30 18:09:37 PST 2005: We should specify what these are.
780 When the boot completes, you should be able to log into your system as
781 usual. If you are unable to log in, you should still be able to
782 reboot with your normal Linux kernel by selecting it at the GRUB prompt.
784 The first step in creating a new domain is to prepare a root
785 filesystem for it to boot. Typically, this might be stored in a normal
786 partition, an LVM or other volume manager partition, a disk file or on
787 an NFS server. A simple way to do this is simply to boot from your
788 standard OS install CD and install the distribution into another
789 partition on your hard drive.
791 To start the \xend\ control daemon, type
792 \begin{quote}
793 \verb!# xend start!
794 \end{quote}
796 If you wish the daemon to start automatically, see the instructions in
797 Section~\ref{s:xend}. Once the daemon is running, you can use the
798 \path{xm} tool to monitor and maintain the domains running on your
799 system. This chapter provides only a brief tutorial. We provide full
800 details of the \path{xm} tool in the next chapter.
802 % \section{From the web interface}
803 %
804 % Boot the Xen machine and start Xensv (see Chapter~\ref{cha:xensv}
805 % for more details) using the command: \\
806 % \verb_# xensv start_ \\
807 % This will also start Xend (see Chapter~\ref{cha:xend} for more
808 % information).
809 %
810 % The domain management interface will then be available at {\tt
811 % http://your\_machine:8080/}. This provides a user friendly wizard
812 % for starting domains and functions for managing running domains.
813 %
814 % \section{From the command line}
815 \section{Booting Guest Domains}
817 \subsection{Creating a Domain Configuration File}
819 Before you can start an additional domain, you must create a
820 configuration file. We provide two example files which you can use as
821 a starting point:
822 \begin{itemize}
823 \item \path{/etc/xen/xmexample1} is a simple template configuration
824 file for describing a single VM\@.
825 \item \path{/etc/xen/xmexample2} file is a template description that
826 is intended to be reused for multiple virtual machines. Setting the
827 value of the \path{vmid} variable on the \path{xm} command line
828 fills in parts of this template.
829 \end{itemize}
831 There are also a number of other examples which you may find useful.
832 Copy one of these files and edit it as appropriate. Typical values
833 you may wish to edit include:
835 \begin{quote}
836 \begin{description}
837 \item[kernel] Set this to the path of the kernel you compiled for use
838 with Xen (e.g.\ \path{kernel = ``/boot/vmlinuz-2.6-xenU''})
839 \item[memory] Set this to the size of the domain's memory in megabytes
840 (e.g.\ \path{memory = 64})
841 \item[disk] Set the first entry in this list to calculate the offset
842 of the domain's root partition, based on the domain ID\@. Set the
843 second to the location of \path{/usr} if you are sharing it between
844 domains (e.g.\ \path{disk = ['phy:your\_hard\_drive\%d,sda1,w' \%
845 (base\_partition\_number + vmid),
846 'phy:your\_usr\_partition,sda6,r' ]}
847 \item[dhcp] Uncomment the dhcp variable, so that the domain will
848 receive its IP address from a DHCP server (e.g.\ \path{dhcp=``dhcp''})
849 \end{description}
850 \end{quote}
852 You may also want to edit the {\bf vif} variable in order to choose
853 the MAC address of the virtual ethernet interface yourself. For
854 example:
856 \begin{quote}
857 \verb_vif = ['mac=00:16:3E:F6:BB:B3']_
858 \end{quote}
859 If you do not set this variable, \xend\ will automatically generate a
860 random MAC address from the range 00:16:3E:xx:xx:xx, assigned by IEEE to
861 XenSource as an OUI (organizationally unique identifier). XenSource
862 Inc. gives permission for anyone to use addresses randomly allocated
863 from this range for use by their Xen domains.
865 For a list of IEEE OUI assignments, see
866 \url{http://standards.ieee.org/regauth/oui/oui.txt}
869 \subsection{Booting the Guest Domain}
871 The \path{xm} tool provides a variety of commands for managing
872 domains. Use the \path{create} command to start new domains. Assuming
873 you've created a configuration file \path{myvmconf} based around
874 \path{/etc/xen/xmexample2}, to start a domain with virtual machine
875 ID~1 you should type:
877 \begin{quote}
878 \begin{verbatim}
879 # xm create -c myvmconf vmid=1
880 \end{verbatim}
881 \end{quote}
883 The \path{-c} switch causes \path{xm} to turn into the domain's
884 console after creation. The \path{vmid=1} sets the \path{vmid}
885 variable used in the \path{myvmconf} file.
887 You should see the console boot messages from the new domain appearing
888 in the terminal in which you typed the command, culminating in a login
889 prompt.
892 \section{Starting / Stopping Domains Automatically}
894 It is possible to have certain domains start automatically at boot
895 time and to have dom0 wait for all running domains to shutdown before
896 it shuts down the system.
898 To specify a domain is to start at boot-time, place its configuration
899 file (or a link to it) under \path{/etc/xen/auto/}.
901 A Sys-V style init script for Red Hat and LSB-compliant systems is
902 provided and will be automatically copied to \path{/etc/init.d/}
903 during install. You can then enable it in the appropriate way for
904 your distribution.
906 For instance, on Red Hat:
908 \begin{quote}
909 \verb_# chkconfig --add xendomains_
910 \end{quote}
912 By default, this will start the boot-time domains in runlevels 3, 4
913 and 5.
915 You can also use the \path{service} command to run this script
916 manually, e.g:
918 \begin{quote}
919 \verb_# service xendomains start_
921 Starts all the domains with config files under /etc/xen/auto/.
922 \end{quote}
924 \begin{quote}
925 \verb_# service xendomains stop_
927 Shuts down all running Xen domains.
928 \end{quote}
932 \part{Configuration and Management}
934 %% Chapter Domain Management Tools and Daemons
935 \chapter{Domain Management Tools}
937 This chapter summarizes the management software and tools available.
940 \section{\Xend\ }
941 \label{s:xend}
944 The \Xend\ node control daemon performs system management functions
945 related to virtual machines. It forms a central point of control of
946 virtualized resources, and must be running in order to start and manage
947 virtual machines. \Xend\ must be run as root because it needs access to
948 privileged system management functions.
950 An initialization script named \texttt{/etc/init.d/xend} is provided to
951 start \Xend\ at boot time. Use the tool appropriate (i.e. chkconfig) for
952 your Linux distribution to specify the runlevels at which this script
953 should be executed, or manually create symbolic links in the correct
954 runlevel directories.
956 \Xend\ can be started on the command line as well, and supports the
957 following set of parameters:
959 \begin{tabular}{ll}
960 \verb!# xend start! & start \xend, if not already running \\
961 \verb!# xend stop! & stop \xend\ if already running \\
962 \verb!# xend restart! & restart \xend\ if running, otherwise start it \\
963 % \verb!# xend trace_start! & start \xend, with very detailed debug logging \\
964 \verb!# xend status! & indicates \xend\ status by its return code
965 \end{tabular}
967 A SysV init script called {\tt xend} is provided to start \xend\ at
968 boot time. {\tt make install} installs this script in
969 \path{/etc/init.d}. To enable it, you have to make symbolic links in
970 the appropriate runlevel directories or use the {\tt chkconfig} tool,
971 where available. Once \xend\ is running, administration can be done
972 using the \texttt{xm} tool.
974 \subsection{Logging}
976 As \xend\ runs, events will be logged to \path{/var/log/xend.log} and
977 (less frequently) to \path{/var/log/xend-debug.log}. These, along with
978 the standard syslog files, are useful when troubleshooting problems.
980 \subsection{Configuring \Xend\ }
982 \Xend\ is written in Python. At startup, it reads its configuration
983 information from the file \path{/etc/xen/xend-config.sxp}. The Xen
984 installation places an example \texttt{xend-config.sxp} file in the
985 \texttt{/etc/xen} subdirectory which should work for most installations.
987 See the example configuration file \texttt{xend-debug.sxp} and the
988 section 5 man page \texttt{xend-config.sxp} for a full list of
989 parameters and more detailed information. Some of the most important
990 parameters are discussed below.
992 An HTTP interface and a Unix domain socket API are available to
993 communicate with \Xend. This allows remote users to pass commands to the
994 daemon. By default, \Xend does not start an HTTP server. It does start a
995 Unix domain socket management server, as the low level utility
996 \texttt{xm} requires it. For support of cross-machine migration, \Xend\
997 can start a relocation server. This support is not enabled by default
998 for security reasons.
1000 Note: the example \texttt{xend} configuration file modifies the defaults and
1001 starts up \Xend\ as an HTTP server as well as a relocation server.
1003 From the file:
1005 \begin{verbatim}
1006 #(xend-http-server no)
1007 (xend-http-server yes)
1008 #(xend-unix-server yes)
1009 #(xend-relocation-server no)
1010 (xend-relocation-server yes)
1011 \end{verbatim}
1013 Comment or uncomment lines in that file to disable or enable features
1014 that you require.
1016 Connections from remote hosts are disabled by default:
1018 \begin{verbatim}
1019 # Address xend should listen on for HTTP connections, if xend-http-server is
1020 # set.
1021 # Specifying 'localhost' prevents remote connections.
1022 # Specifying the empty string '' (the default) allows all connections.
1023 #(xend-address '')
1024 (xend-address localhost)
1025 \end{verbatim}
1027 It is recommended that if migration support is not needed, the
1028 \texttt{xend-relocation-server} parameter value be changed to
1029 ``\texttt{no}'' or commented out.
1031 \section{Xm}
1032 \label{s:xm}
1034 The xm tool is the primary tool for managing Xen from the console. The
1035 general format of an xm command line is:
1037 \begin{verbatim}
1038 # xm command [switches] [arguments] [variables]
1039 \end{verbatim}
1041 The available \emph{switches} and \emph{arguments} are dependent on the
1042 \emph{command} chosen. The \emph{variables} may be set using
1043 declarations of the form {\tt variable=value} and command line
1044 declarations override any of the values in the configuration file being
1045 used, including the standard variables described above and any custom
1046 variables (for instance, the \path{xmdefconfig} file uses a {\tt vmid}
1047 variable).
1049 For online help for the commands available, type:
1051 \begin{quote}
1052 \begin{verbatim}
1053 # xm help
1054 \end{verbatim}
1055 \end{quote}
1057 This will list the most commonly used commands. The full list can be obtained
1058 using \verb_xm help --long_. You can also type \path{xm help $<$command$>$}
1059 for more information on a given command.
1061 \subsection{Basic Management Commands}
1063 One useful command is \verb_# xm list_ which lists all domains running in rows
1064 of the following format:
1065 \begin{center} {\tt name domid memory vcpus state cputime}
1066 \end{center}
1068 The meaning of each field is as follows:
1069 \begin{quote}
1070 \begin{description}
1071 \item[name] The descriptive name of the virtual machine.
1072 \item[domid] The number of the domain ID this virtual machine is
1073 running in.
1074 \item[memory] Memory size in megabytes.
1075 \item[vcpus] The number of virtual CPUs this domain has.
1076 \item[state] Domain state consists of 5 fields:
1077 \begin{description}
1078 \item[r] running
1079 \item[b] blocked
1080 \item[p] paused
1081 \item[s] shutdown
1082 \item[c] crashed
1083 \end{description}
1084 \item[cputime] How much CPU time (in seconds) the domain has used so
1085 far.
1086 \end{description}
1087 \end{quote}
1089 The \path{xm list} command also supports a long output format when the
1090 \path{-l} switch is used. This outputs the full details of the
1091 running domains in \xend's SXP configuration format.
1093 If you want to know how long your domains have been running for, then
1094 you can use the \verb_# xm uptime_ command.
1097 You can get access to the console of a particular domain using
1098 the \verb_# xm console_ command (e.g.\ \verb_# xm console myVM_).
1100 \subsection{Domain Scheduling Management Commands}
1102 The credit CPU scheduler automatically load balances guest VCPUs
1103 across all available physical CPUs on an SMP host. The user need
1104 not manually pin VCPUs to load balance the system. However, she
1105 can restrict which CPUs a particular VCPU may run on using
1106 the \path{xm vcpu-pin} command.
1108 Each guest domain is assigned a \path{weight} and a \path{cap}.
1110 A domain with a weight of 512 will get twice as much CPU as a
1111 domain with a weight of 256 on a contended host. Legal weights
1112 range from 1 to 65535 and the default is 256.
1114 The cap optionally fixes the maximum amount of CPU a guest will
1115 be able to consume, even if the host system has idle CPU cycles.
1116 The cap is expressed in percentage of one physical CPU: 100 is
1117 1 physical CPU, 50 is half a CPU, 400 is 4 CPUs, etc... The
1118 default, 0, means there is no upper cap.
1120 When you are running with the credit scheduler, you can check and
1121 modify your domains' weights and caps using the \path{xm sched-credit}
1122 command:
1124 \begin{tabular}{ll}
1125 \verb!xm sched-credit -d <domain>! & lists weight and cap \\
1126 \verb!xm sched-credit -d <domain> -w <weight>! & sets the weight \\
1127 \verb!xm sched-credit -d <domain> -c <cap>! & sets the cap
1128 \end{tabular}
1132 %% Chapter Domain Configuration
1133 \chapter{Domain Configuration}
1134 \label{cha:config}
1136 The following contains the syntax of the domain configuration files
1137 and description of how to further specify networking, driver domain
1138 and general scheduling behavior.
1141 \section{Configuration Files}
1142 \label{s:cfiles}
1144 Xen configuration files contain the following standard variables.
1145 Unless otherwise stated, configuration items should be enclosed in
1146 quotes: see the configuration scripts in \path{/etc/xen/}
1147 for concrete examples.
1149 \begin{description}
1150 \item[kernel] Path to the kernel image.
1151 \item[ramdisk] Path to a ramdisk image (optional).
1152 % \item[builder] The name of the domain build function (e.g.
1153 % {\tt'linux'} or {\tt'netbsd'}.
1154 \item[memory] Memory size in megabytes.
1155 \item[vcpus] The number of virtual CPUs.
1156 \item[console] Port to export the domain console on (default 9600 +
1157 domain ID).
1158 \item[vif] Network interface configuration. This may simply contain
1159 an empty string for each desired interface, or may override various
1160 settings, e.g.\
1161 \begin{verbatim}
1162 vif = [ 'mac=00:16:3E:00:00:11, bridge=xen-br0',
1163 'bridge=xen-br1' ]
1164 \end{verbatim}
1165 to assign a MAC address and bridge to the first interface and assign
1166 a different bridge to the second interface, leaving \xend\ to choose
1167 the MAC address. The settings that may be overridden in this way are
1168 type, mac, bridge, ip, script, backend, and vifname.
1169 \item[disk] List of block devices to export to the domain e.g.
1170 \verb_disk = [ 'phy:hda1,sda1,r' ]_
1171 exports physical device \path{/dev/hda1} to the domain as
1172 \path{/dev/sda1} with read-only access. Exporting a disk read-write
1173 which is currently mounted is dangerous -- if you are \emph{certain}
1174 you wish to do this, you can specify \path{w!} as the mode.
1175 \item[dhcp] Set to {\tt `dhcp'} if you want to use DHCP to configure
1176 networking.
1177 \item[netmask] Manually configured IP netmask.
1178 \item[gateway] Manually configured IP gateway.
1179 \item[hostname] Set the hostname for the virtual machine.
1180 \item[root] Specify the root device parameter on the kernel command
1181 line.
1182 \item[nfs\_server] IP address for the NFS server (if any).
1183 \item[nfs\_root] Path of the root filesystem on the NFS server (if
1184 any).
1185 \item[extra] Extra string to append to the kernel command line (if
1186 any)
1187 \end{description}
1189 Additional fields are documented in the example configuration files
1190 (e.g. to configure virtual TPM functionality).
1192 For additional flexibility, it is also possible to include Python
1193 scripting commands in configuration files. An example of this is the
1194 \path{xmexample2} file, which uses Python code to handle the
1195 \path{vmid} variable.
1198 %\part{Advanced Topics}
1201 \section{Network Configuration}
1203 For many users, the default installation should work ``out of the
1204 box''. More complicated network setups, for instance with multiple
1205 Ethernet interfaces and/or existing bridging setups will require some
1206 special configuration.
1208 The purpose of this section is to describe the mechanisms provided by
1209 \xend\ to allow a flexible configuration for Xen's virtual networking.
1211 \subsection{Xen virtual network topology}
1213 Each domain network interface is connected to a virtual network
1214 interface in dom0 by a point to point link (effectively a ``virtual
1215 crossover cable''). These devices are named {\tt
1216 vif$<$domid$>$.$<$vifid$>$} (e.g.\ {\tt vif1.0} for the first
1217 interface in domain~1, {\tt vif3.1} for the second interface in
1218 domain~3).
1220 Traffic on these virtual interfaces is handled in domain~0 using
1221 standard Linux mechanisms for bridging, routing, rate limiting, etc.
1222 Xend calls on two shell scripts to perform initial configuration of
1223 the network and configuration of new virtual interfaces. By default,
1224 these scripts configure a single bridge for all the virtual
1225 interfaces. Arbitrary routing / bridging configurations can be
1226 configured by customizing the scripts, as described in the following
1227 section.
1229 \subsection{Xen networking scripts}
1231 Xen's virtual networking is configured by two shell scripts (by
1232 default \path{network-bridge} and \path{vif-bridge}). These are called
1233 automatically by \xend\ when certain events occur, with arguments to
1234 the scripts providing further contextual information. These scripts
1235 are found by default in \path{/etc/xen/scripts}. The names and
1236 locations of the scripts can be configured in
1237 \path{/etc/xen/xend-config.sxp}.
1239 \begin{description}
1240 \item[network-bridge:] This script is called whenever \xend\ is started or
1241 stopped to respectively initialize or tear down the Xen virtual
1242 network. In the default configuration initialization creates the
1243 bridge `xen-br0' and moves eth0 onto that bridge, modifying the
1244 routing accordingly. When \xend\ exits, it deletes the Xen bridge
1245 and removes eth0, restoring the normal IP and routing configuration.
1247 %% In configurations where the bridge already exists, this script
1248 %% could be replaced with a link to \path{/bin/true} (for instance).
1250 \item[vif-bridge:] This script is called for every domain virtual
1251 interface and can configure firewalling rules and add the vif to the
1252 appropriate bridge. By default, this adds and removes VIFs on the
1253 default Xen bridge.
1254 \end{description}
1256 Other example scripts are available (\path{network-route} and
1257 \path{vif-route}, \path{network-nat} and \path{vif-nat}).
1258 For more complex network setups (e.g.\ where routing is required or
1259 integrate with existing bridges) these scripts may be replaced with
1260 customized variants for your site's preferred configuration.
1262 \section{Driver Domain Configuration}
1263 \label{s:ddconf}
1265 \subsection{PCI}
1266 \label{ss:pcidd}
1268 Individual PCI devices can be assigned to a given domain (a PCI driver domain)
1269 to allow that domain direct access to the PCI hardware.
1271 While PCI Driver Domains can increase the stability and security of a system
1272 by addressing a number of security concerns, there are some security issues
1273 that remain that you can read about in Section~\ref{s:ddsecurity}.
1275 \subsubsection{Compile-Time Setup}
1276 To use this functionality, ensure
1277 that the PCI Backend is compiled in to a privileged domain (e.g. domain 0)
1278 and that the domains which will be assigned PCI devices have the PCI Frontend
1279 compiled in. In XenLinux, the PCI Backend is available under the Xen
1280 configuration section while the PCI Frontend is under the
1281 architecture-specific "Bus Options" section. You may compile both the backend
1282 and the frontend into the same kernel; they will not affect each other.
1284 \subsubsection{PCI Backend Configuration - Binding at Boot}
1285 The PCI devices you wish to assign to unprivileged domains must be "hidden"
1286 from your backend domain (usually domain 0) so that it does not load a driver
1287 for them. Use the \path{pciback.hide} kernel parameter which is specified on
1288 the kernel command-line and is configurable through GRUB (see
1289 Section~\ref{s:configure}). Note that devices are not really hidden from the
1290 backend domain. The PCI Backend appears to the Linux kernel as a regular PCI
1291 device driver. The PCI Backend ensures that no other device driver loads
1292 for the devices by binding itself as the device driver for those devices.
1293 PCI devices are identified by hexadecimal slot/function numbers (on Linux,
1294 use \path{lspci} to determine slot/function numbers of your devices) and
1295 can be specified with or without the PCI domain: \\
1296 \centerline{ {\tt ({\em bus}:{\em slot}.{\em func})} example {\tt (02:1d.3)}} \\
1297 \centerline{ {\tt ({\em domain}:{\em bus}:{\em slot}.{\em func})} example {\tt (0000:02:1d.3)}} \\
1299 An example kernel command-line which hides two PCI devices might be: \\
1300 \centerline{ {\tt root=/dev/sda4 ro console=tty0 pciback.hide=(02:01.f)(0000:04:1d.0) } } \\
1302 \subsubsection{PCI Backend Configuration - Late Binding}
1303 PCI devices can also be bound to the PCI Backend after boot through the manual
1304 binding/unbinding facilities provided by the Linux kernel in sysfs (allowing
1305 for a Xen user to give PCI devices to driver domains that were not specified
1306 on the kernel command-line). There are several attributes with the PCI
1307 Backend's sysfs directory (\path{/sys/bus/pci/drivers/pciback}) that can be
1308 used to bind/unbind devices:
1310 \begin{description}
1311 \item[slots] lists all of the PCI slots that the PCI Backend will try to seize
1312 (or "hide" from Domain 0). A PCI slot must appear in this list before it can
1313 be bound to the PCI Backend through the \path{bind} attribute.
1314 \item[new\_slot] write the name of a slot here (in 0000:00:00.0 format) to
1315 have the PCI Backend seize the device in this slot.
1316 \item[remove\_slot] write the name of a slot here (same format as
1317 \path{new\_slot}) to have the PCI Backend no longer try to seize devices in
1318 this slot. Note that this does not unbind the driver from a device it has
1319 already seized.
1320 \item[bind] write the name of a slot here (in 0000:00:00.0 format) to have
1321 the Linux kernel attempt to bind the device in that slot to the PCI Backend
1322 driver.
1323 \item[unbind] write the name of a skit here (same format as \path{bind}) to have
1324 the Linux kernel unbind the device from the PCI Backend. DO NOT unbind a
1325 device while it is currently given to a PCI driver domain!
1326 \end{description}
1328 Some examples:
1330 Bind a device to the PCI Backend which is not bound to any other driver.
1331 \begin{verbatim}
1332 # # Add a new slot to the PCI Backend's list
1333 # echo -n 0000:01:04.d > /sys/bus/pci/drivers/pciback/new_slot
1334 # # Now that the backend is watching for the slot, bind to it
1335 # echo -n 0000:01:04.d > /sys/bus/pci/drivers/pciback/bind
1336 \end{verbatim}
1338 Unbind a device from its driver and bind to the PCI Backend.
1339 \begin{verbatim}
1340 # # Unbind a PCI network card from its network driver
1341 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/3c905/unbind
1342 # # And now bind it to the PCI Backend
1343 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/pciback/new_slot
1344 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/pciback/bind
1345 \end{verbatim}
1347 Note that the "-n" option in the example is important as it causes echo to not
1348 output a new-line.
1350 \subsubsection{PCI Backend Configuration - User-space Quirks}
1351 Quirky devices (such as the Broadcom Tigon 3) may need write access to their
1352 configuration space registers. Xen can be instructed to allow specified PCI
1353 devices write access to specific configuration space registers. The policy may
1354 be found in:
1356 \centerline{ \path{/etc/xen/xend-pci-quirks.sxp} }
1358 The policy file is heavily commented and is intended to provide enough
1359 documentation for developers to extend it.
1361 \subsubsection{PCI Backend Configuration - Permissive Flag}
1362 If the user-space quirks approach doesn't meet your needs you may want to enable
1363 the permissive flag for that device. To do so, first get the PCI domain, bus,
1364 slot, and function information from dom0 via \path{lspci}. Then augment the
1365 user-space policy for permissive devices. The permissive policy can be found
1366 in:
1368 \centerline{ \path{/etc/xen/xend-pci-permissive.sxp} }
1370 Currently, the only way to reset the permissive flag is to unbind the device
1371 from the PCI Backend driver.
1373 \subsubsection{PCI Backend - Checking Status}
1374 There two important sysfs nodes that provide a mechanism to view specifics on
1375 quirks and permissive devices:
1376 \begin{description}
1377 \item \path{/sys/bus/drivers/pciback/permissive} \\
1378 Use \path{cat} on this file to view a list of permissive slots.
1379 \item \path{/sys/bus/drivers/pciback/quirks} \\
1380 Use \path{cat} on this file view a hierarchical view of devices bound to the
1381 PCI backend, their PCI vendor/device ID, and any quirks that are associated with
1382 that particular slot.
1383 \end{description}
1385 You may notice that every device bound to the PCI backend has 17 quirks standard
1386 "quirks" regardless of \path{xend-pci-quirks.sxp}. These default entries are
1387 necessary to support interactions between the PCI bus manager and the device bound
1388 to it. Even non-quirky devices should have these standard entries.
1390 In this case, preference was given to accuracy over aesthetics by choosing to
1391 show the standard quirks in the quirks list rather than hide them from the
1392 inquiring user
1394 \subsubsection{PCI Frontend Configuration}
1395 To configure a domU to receive a PCI device:
1397 \begin{description}
1398 \item[Command-line:]
1399 Use the {\em pci} command-line flag. For multiple devices, use the option
1400 multiple times. \\
1401 \centerline{ {\tt xm create netcard-dd pci=01:00.0 pci=02:03.0 }} \\
1403 \item[Flat Format configuration file:]
1404 Specify all of your PCI devices in a python list named {\em pci}. \\
1405 \centerline{ {\tt pci=['01:00.0','02:03.0'] }} \\
1407 \item[SXP Format configuration file:]
1408 Use a single PCI device section for all of your devices (specify the numbers
1409 in hexadecimal with the preceding '0x'). Note that {\em domain} here refers
1410 to the PCI domain, not a virtual machine within Xen.
1411 {\small
1412 \begin{verbatim}
1413 (device (pci
1414 (dev (domain 0x0)(bus 0x3)(slot 0x1a)(func 0x1)
1415 (dev (domain 0x0)(bus 0x1)(slot 0x5)(func 0x0)
1417 \end{verbatim}
1419 \end{description}
1421 %% There are two possible types of privileges: IO privileges and
1422 %% administration privileges.
1424 \section{Support for virtual Trusted Platform Module (vTPM)}
1425 \label{ss:vtpm}
1427 Paravirtualized domains can be given access to a virtualized version
1428 of a TPM. This enables applications in these domains to use the services
1429 of the TPM device for example through a TSS stack
1430 \footnote{Trousers TSS stack: http://sourceforge.net/projects/trousers}.
1431 The Xen source repository provides the necessary software components to
1432 enable virtual TPM access. Support is provided through several
1433 different pieces. First, a TPM emulator has been modified to provide TPM's
1434 functionality for the virtual TPM subsystem. Second, a virtual TPM Manager
1435 coordinates the virtual TPMs efforts, manages their creation, and provides
1436 protected key storage using the TPM. Third, a device driver pair providing
1437 a TPM front- and backend is available for XenLinux to deliver TPM commands
1438 from the domain to the virtual TPM manager, which dispatches it to a
1439 software TPM. Since the TPM Manager relies on a HW TPM for protected key
1440 storage, therefore this subsystem requires a Linux-supported hardware TPM.
1441 For development purposes, a TPM emulator is available for use on non-TPM
1442 enabled platforms.
1444 \subsubsection{Compile-Time Setup}
1445 To enable access to the virtual TPM, the virtual TPM backend driver must
1446 be compiled for a privileged domain (e.g. domain 0). Using the XenLinux
1447 configuration, the necessary driver can be selected in the Xen configuration
1448 section. Unless the driver has been compiled into the kernel, its module
1449 must be activated using the following command:
1451 \begin{verbatim}
1452 modprobe tpmbk
1453 \end{verbatim}
1455 Similarly, the TPM frontend driver must be compiled for the kernel trying
1456 to use TPM functionality. Its driver can be selected in the kernel
1457 configuration section Device Driver / Character Devices / TPM Devices.
1458 Along with that the TPM driver for the built-in TPM must be selected.
1459 If the virtual TPM driver has been compiled as module, it
1460 must be activated using the following command:
1462 \begin{verbatim}
1463 modprobe tpm_xenu
1464 \end{verbatim}
1466 Furthermore, it is necessary to build the virtual TPM manager and software
1467 TPM by making changes to entries in Xen build configuration files.
1468 The following entry in the file Config.mk in the Xen root source
1469 directory must be made:
1471 \begin{verbatim}
1472 VTPM_TOOLS ?= y
1473 \end{verbatim}
1475 After a build of the Xen tree and a reboot of the machine, the TPM backend
1476 drive must be loaded. Once loaded, the virtual TPM manager daemon
1477 must be started before TPM-enabled guest domains may be launched.
1478 To enable being the destination of a virtual TPM Migration, the virtual TPM
1479 migration daemon must also be loaded.
1481 \begin{verbatim}
1482 vtpm_managerd
1483 \end{verbatim}
1484 \begin{verbatim}
1485 vtpm_migratord
1486 \end{verbatim}
1488 Once the VTPM manager is running, the VTPM can be accessed by loading the
1489 front end driver in a guest domain.
1491 \subsubsection{Development and Testing TPM Emulator}
1492 For development and testing on non-TPM enabled platforms, a TPM emulator
1493 can be used in replacement of a platform TPM. First, the entry in the file
1494 tools/vtpm/Rules.mk must look as follows:
1496 \begin{verbatim}
1498 \end{verbatim}
1500 Second, the entry in the file tool/vtpm\_manager/Rules.mk must be uncommented
1501 as follows:
1503 \begin{verbatim}
1504 # TCS talks to fifo's rather than /dev/tpm. TPM Emulator assumed on fifos
1506 \end{verbatim}
1508 Before starting the virtual TPM Manager, start the emulator by executing
1509 the following in dom0:
1511 \begin{verbatim}
1512 tpm_emulator clear
1513 \end{verbatim}
1515 \subsubsection{vTPM Frontend Configuration}
1516 To provide TPM functionality to a user domain, a line must be added to
1517 the virtual TPM configuration file using the following format:
1519 \begin{verbatim}
1520 vtpm = ['instance=<instance number>, backend=<domain id>']
1521 \end{verbatim}
1523 The { \it instance number} reflects the preferred virtual TPM instance
1524 to associate with the domain. If the selected instance is
1525 already associated with another domain, the system will automatically
1526 select the next available instance. An instance number greater than
1527 zero must be provided. It is possible to omit the instance
1528 parameter from the configuration file.
1530 The {\it domain id} provides the ID of the domain where the
1531 virtual TPM backend driver and virtual TPM are running in. It should
1532 currently always be set to '0'.
1535 Examples for valid vtpm entries in the configuration file are
1537 \begin{verbatim}
1538 vtpm = ['instance=1, backend=0']
1539 \end{verbatim}
1540 and
1541 \begin{verbatim}
1542 vtpm = ['backend=0'].
1543 \end{verbatim}
1545 \subsubsection{Using the virtual TPM}
1547 Access to TPM functionality is provided by the virtual TPM frontend driver.
1548 Similar to existing hardware TPM drivers, this driver provides basic TPM
1549 status information through the {\it sysfs} filesystem. In a Xen user domain
1550 the sysfs entries can be found in /sys/devices/xen/vtpm-0.
1552 Commands can be sent to the virtual TPM instance using the character
1553 device /dev/tpm0 (major 10, minor 224).
1555 % Chapter Storage and FileSytem Management
1556 \chapter{Storage and File System Management}
1558 Storage can be made available to virtual machines in a number of
1559 different ways. This chapter covers some possible configurations.
1561 The most straightforward method is to export a physical block device (a
1562 hard drive or partition) from dom0 directly to the guest domain as a
1563 virtual block device (VBD).
1565 Storage may also be exported from a filesystem image or a partitioned
1566 filesystem image as a \emph{file-backed VBD}.
1568 Finally, standard network storage protocols such as NBD, iSCSI, NFS,
1569 etc., can be used to provide storage to virtual machines.
1572 \section{Exporting Physical Devices as VBDs}
1573 \label{s:exporting-physical-devices-as-vbds}
1575 One of the simplest configurations is to directly export individual
1576 partitions from domain~0 to other domains. To achieve this use the
1577 \path{phy:} specifier in your domain configuration file. For example a
1578 line like
1579 \begin{quote}
1580 \verb_disk = ['phy:hda3,sda1,w']_
1581 \end{quote}
1582 specifies that the partition \path{/dev/hda3} in domain~0 should be
1583 exported read-write to the new domain as \path{/dev/sda1}; one could
1584 equally well export it as \path{/dev/hda} or \path{/dev/sdb5} should
1585 one wish.
1587 In addition to local disks and partitions, it is possible to export
1588 any device that Linux considers to be ``a disk'' in the same manner.
1589 For example, if you have iSCSI disks or GNBD volumes imported into
1590 domain~0 you can export these to other domains using the \path{phy:}
1591 disk syntax. E.g.:
1592 \begin{quote}
1593 \verb_disk = ['phy:vg/lvm1,sda2,w']_
1594 \end{quote}
1596 \begin{center}
1597 \framebox{\bf Warning: Block device sharing}
1598 \end{center}
1599 \begin{quote}
1600 Block devices should typically only be shared between domains in a
1601 read-only fashion otherwise the Linux kernel's file systems will get
1602 very confused as the file system structure may change underneath
1603 them (having the same ext3 partition mounted \path{rw} twice is a
1604 sure fire way to cause irreparable damage)! \Xend\ will attempt to
1605 prevent you from doing this by checking that the device is not
1606 mounted read-write in domain~0, and hasn't already been exported
1607 read-write to another domain. If you want read-write sharing,
1608 export the directory to other domains via NFS from domain~0 (or use
1609 a cluster file system such as GFS or ocfs2).
1610 \end{quote}
1613 \section{Using File-backed VBDs}
1615 It is also possible to use a file in Domain~0 as the primary storage
1616 for a virtual machine. As well as being convenient, this also has the
1617 advantage that the virtual block device will be \emph{sparse} ---
1618 space will only really be allocated as parts of the file are used. So
1619 if a virtual machine uses only half of its disk space then the file
1620 really takes up half of the size allocated.
1622 For example, to create a 2GB sparse file-backed virtual block device
1623 (actually only consumes 1KB of disk):
1624 \begin{quote}
1625 \verb_# dd if=/dev/zero of=vm1disk bs=1k seek=2048k count=1_
1626 \end{quote}
1628 Make a file system in the disk file:
1629 \begin{quote}
1630 \verb_# mkfs -t ext3 vm1disk_
1631 \end{quote}
1633 (when the tool asks for confirmation, answer `y')
1635 Populate the file system e.g.\ by copying from the current root:
1636 \begin{quote}
1637 \begin{verbatim}
1638 # mount -o loop vm1disk /mnt
1639 # cp -ax /{root,dev,var,etc,usr,bin,sbin,lib} /mnt
1640 # mkdir /mnt/{proc,sys,home,tmp}
1641 \end{verbatim}
1642 \end{quote}
1644 Tailor the file system by editing \path{/etc/fstab},
1645 \path{/etc/hostname}, etc.\ Don't forget to edit the files in the
1646 mounted file system, instead of your domain~0 filesystem, e.g.\ you
1647 would edit \path{/mnt/etc/fstab} instead of \path{/etc/fstab}. For
1648 this example put \path{/dev/sda1} to root in fstab.
1650 Now unmount (this is important!):
1651 \begin{quote}
1652 \verb_# umount /mnt_
1653 \end{quote}
1655 In the configuration file set:
1656 \begin{quote}
1657 \verb_disk = ['file:/full/path/to/vm1disk,sda1,w']_
1658 \end{quote}
1660 As the virtual machine writes to its `disk', the sparse file will be
1661 filled in and consume more space up to the original 2GB.
1663 {\bf Note that file-backed VBDs may not be appropriate for backing
1664 I/O-intensive domains.} File-backed VBDs are known to experience
1665 substantial slowdowns under heavy I/O workloads, due to the I/O
1666 handling by the loopback block device used to support file-backed VBDs
1667 in dom0. Better I/O performance can be achieved by using either
1668 LVM-backed VBDs (Section~\ref{s:using-lvm-backed-vbds}) or physical
1669 devices as VBDs (Section~\ref{s:exporting-physical-devices-as-vbds}).
1671 Linux supports a maximum of eight file-backed VBDs across all domains
1672 by default. This limit can be statically increased by using the
1673 \emph{max\_loop} module parameter if CONFIG\_BLK\_DEV\_LOOP is
1674 compiled as a module in the dom0 kernel, or by using the
1675 \emph{max\_loop=n} boot option if CONFIG\_BLK\_DEV\_LOOP is compiled
1676 directly into the dom0 kernel.
1679 \section{Using LVM-backed VBDs}
1680 \label{s:using-lvm-backed-vbds}
1682 A particularly appealing solution is to use LVM volumes as backing for
1683 domain file-systems since this allows dynamic growing/shrinking of
1684 volumes as well as snapshot and other features.
1686 To initialize a partition to support LVM volumes:
1687 \begin{quote}
1688 \begin{verbatim}
1689 # pvcreate /dev/sda10
1690 \end{verbatim}
1691 \end{quote}
1693 Create a volume group named `vg' on the physical partition:
1694 \begin{quote}
1695 \begin{verbatim}
1696 # vgcreate vg /dev/sda10
1697 \end{verbatim}
1698 \end{quote}
1700 Create a logical volume of size 4GB named `myvmdisk1':
1701 \begin{quote}
1702 \begin{verbatim}
1703 # lvcreate -L4096M -n myvmdisk1 vg
1704 \end{verbatim}
1705 \end{quote}
1707 You should now see that you have a \path{/dev/vg/myvmdisk1} Make a
1708 filesystem, mount it and populate it, e.g.:
1709 \begin{quote}
1710 \begin{verbatim}
1711 # mkfs -t ext3 /dev/vg/myvmdisk1
1712 # mount /dev/vg/myvmdisk1 /mnt
1713 # cp -ax / /mnt
1714 # umount /mnt
1715 \end{verbatim}
1716 \end{quote}
1718 Now configure your VM with the following disk configuration:
1719 \begin{quote}
1720 \begin{verbatim}
1721 disk = [ 'phy:vg/myvmdisk1,sda1,w' ]
1722 \end{verbatim}
1723 \end{quote}
1725 LVM enables you to grow the size of logical volumes, but you'll need
1726 to resize the corresponding file system to make use of the new space.
1727 Some file systems (e.g.\ ext3) now support online resize. See the LVM
1728 manuals for more details.
1730 You can also use LVM for creating copy-on-write (CoW) clones of LVM
1731 volumes (known as writable persistent snapshots in LVM terminology).
1732 This facility is new in Linux 2.6.8, so isn't as stable as one might
1733 hope. In particular, using lots of CoW LVM disks consumes a lot of
1734 dom0 memory, and error conditions such as running out of disk space
1735 are not handled well. Hopefully this will improve in future.
1737 To create two copy-on-write clones of the above file system you would
1738 use the following commands:
1740 \begin{quote}
1741 \begin{verbatim}
1742 # lvcreate -s -L1024M -n myclonedisk1 /dev/vg/myvmdisk1
1743 # lvcreate -s -L1024M -n myclonedisk2 /dev/vg/myvmdisk1
1744 \end{verbatim}
1745 \end{quote}
1747 Each of these can grow to have 1GB of differences from the master
1748 volume. You can grow the amount of space for storing the differences
1749 using the lvextend command, e.g.:
1750 \begin{quote}
1751 \begin{verbatim}
1752 # lvextend +100M /dev/vg/myclonedisk1
1753 \end{verbatim}
1754 \end{quote}
1756 Don't let the `differences volume' ever fill up otherwise LVM gets
1757 rather confused. It may be possible to automate the growing process by
1758 using \path{dmsetup wait} to spot the volume getting full and then
1759 issue an \path{lvextend}.
1761 In principle, it is possible to continue writing to the volume that
1762 has been cloned (the changes will not be visible to the clones), but
1763 we wouldn't recommend this: have the cloned volume as a `pristine'
1764 file system install that isn't mounted directly by any of the virtual
1765 machines.
1768 \section{Using NFS Root}
1770 First, populate a root filesystem in a directory on the server
1771 machine. This can be on a distinct physical machine, or simply run
1772 within a virtual machine on the same node.
1774 Now configure the NFS server to export this filesystem over the
1775 network by adding a line to \path{/etc/exports}, for instance:
1777 \begin{quote}
1778 \begin{small}
1779 \begin{verbatim}
1780 /export/vm1root (rw,sync,no_root_squash)
1781 \end{verbatim}
1782 \end{small}
1783 \end{quote}
1785 Finally, configure the domain to use NFS root. In addition to the
1786 normal variables, you should make sure to set the following values in
1787 the domain's configuration file:
1789 \begin{quote}
1790 \begin{small}
1791 \begin{verbatim}
1792 root = '/dev/nfs'
1793 nfs_server = '' # substitute IP address of server
1794 nfs_root = '/path/to/root' # path to root FS on the server
1795 \end{verbatim}
1796 \end{small}
1797 \end{quote}
1799 The domain will need network access at boot time, so either statically
1800 configure an IP address using the config variables \path{ip},
1801 \path{netmask}, \path{gateway}, \path{hostname}; or enable DHCP
1802 (\path{dhcp='dhcp'}).
1804 Note that the Linux NFS root implementation is known to have stability
1805 problems under high load (this is not a Xen-specific problem), so this
1806 configuration may not be appropriate for critical servers.
1809 \chapter{CPU Management}
1811 %% KMS Something sage about CPU / processor management.
1813 Xen allows a domain's virtual CPU(s) to be associated with one or more
1814 host CPUs. This can be used to allocate real resources among one or
1815 more guests, or to make optimal use of processor resources when
1816 utilizing dual-core, hyperthreading, or other advanced CPU technologies.
1818 Xen enumerates physical CPUs in a `depth first' fashion. For a system
1819 with both hyperthreading and multiple cores, this would be all the
1820 hyperthreads on a given core, then all the cores on a given socket,
1821 and then all sockets. I.e. if you had a two socket, dual core,
1822 hyperthreaded Xeon the CPU order would be:
1825 \begin{center}
1826 \begin{tabular}{l|l|l|l|l|l|l|r}
1827 \multicolumn{4}{c|}{socket0} & \multicolumn{4}{c}{socket1} \\ \hline
1828 \multicolumn{2}{c|}{core0} & \multicolumn{2}{c|}{core1} &
1829 \multicolumn{2}{c|}{core0} & \multicolumn{2}{c}{core1} \\ \hline
1830 ht0 & ht1 & ht0 & ht1 & ht0 & ht1 & ht0 & ht1 \\
1831 \#0 & \#1 & \#2 & \#3 & \#4 & \#5 & \#6 & \#7 \\
1832 \end{tabular}
1833 \end{center}
1836 Having multiple vcpus belonging to the same domain mapped to the same
1837 physical CPU is very likely to lead to poor performance. It's better to
1838 use `vcpus-set' to hot-unplug one of the vcpus and ensure the others are
1839 pinned on different CPUs.
1841 If you are running IO intensive tasks, its typically better to dedicate
1842 either a hyperthread or whole core to running domain 0, and hence pin
1843 other domains so that they can't use CPU 0. If your workload is mostly
1844 compute intensive, you may want to pin vcpus such that all physical CPU
1845 threads are available for guest domains.
1847 \chapter{Migrating Domains}
1849 \section{Domain Save and Restore}
1851 The administrator of a Xen system may suspend a virtual machine's
1852 current state into a disk file in domain~0, allowing it to be resumed at
1853 a later time.
1855 For example you can suspend a domain called ``VM1'' to disk using the
1856 command:
1857 \begin{verbatim}
1858 # xm save VM1 VM1.chk
1859 \end{verbatim}
1861 This will stop the domain named ``VM1'' and save its current state
1862 into a file called \path{VM1.chk}.
1864 To resume execution of this domain, use the \path{xm restore} command:
1865 \begin{verbatim}
1866 # xm restore VM1.chk
1867 \end{verbatim}
1869 This will restore the state of the domain and resume its execution.
1870 The domain will carry on as before and the console may be reconnected
1871 using the \path{xm console} command, as described earlier.
1873 \section{Migration and Live Migration}
1875 Migration is used to transfer a domain between physical hosts. There
1876 are two varieties: regular and live migration. The former moves a
1877 virtual machine from one host to another by pausing it, copying its
1878 memory contents, and then resuming it on the destination. The latter
1879 performs the same logical functionality but without needing to pause
1880 the domain for the duration. In general when performing live migration
1881 the domain continues its usual activities and---from the user's
1882 perspective---the migration should be imperceptible.
1884 To perform a live migration, both hosts must be running Xen / \xend\ and
1885 the destination host must have sufficient resources (e.g.\ memory
1886 capacity) to accommodate the domain after the move. Furthermore we
1887 currently require both source and destination machines to be on the same
1888 L2 subnet.
1890 Currently, there is no support for providing automatic remote access
1891 to filesystems stored on local disk when a domain is migrated.
1892 Administrators should choose an appropriate storage solution (i.e.\
1893 SAN, NAS, etc.) to ensure that domain filesystems are also available
1894 on their destination node. GNBD is a good method for exporting a
1895 volume from one machine to another. iSCSI can do a similar job, but is
1896 more complex to set up.
1898 When a domain migrates, it's MAC and IP address move with it, thus it is
1899 only possible to migrate VMs within the same layer-2 network and IP
1900 subnet. If the destination node is on a different subnet, the
1901 administrator would need to manually configure a suitable etherip or IP
1902 tunnel in the domain~0 of the remote node.
1904 A domain may be migrated using the \path{xm migrate} command. To live
1905 migrate a domain to another machine, we would use the command:
1907 \begin{verbatim}
1908 # xm migrate --live mydomain destination.ournetwork.com
1909 \end{verbatim}
1911 Without the \path{--live} flag, \xend\ simply stops the domain and
1912 copies the memory image over to the new node and restarts it. Since
1913 domains can have large allocations this can be quite time consuming,
1914 even on a Gigabit network. With the \path{--live} flag \xend\ attempts
1915 to keep the domain running while the migration is in progress, resulting
1916 in typical down times of just 60--300ms.
1918 For now it will be necessary to reconnect to the domain's console on the
1919 new machine using the \path{xm console} command. If a migrated domain
1920 has any open network connections then they will be preserved, so SSH
1921 connections do not have this limitation.
1924 %% Chapter Securing Xen
1925 \chapter{Securing Xen}
1927 This chapter describes how to secure a Xen system. It describes a number
1928 of scenarios and provides a corresponding set of best practices. It
1929 begins with a section devoted to understanding the security implications
1930 of a Xen system.
1933 \section{Xen Security Considerations}
1935 When deploying a Xen system, one must be sure to secure the management
1936 domain (Domain-0) as much as possible. If the management domain is
1937 compromised, all other domains are also vulnerable. The following are a
1938 set of best practices for Domain-0:
1940 \begin{enumerate}
1941 \item \textbf{Run the smallest number of necessary services.} The less
1942 things that are present in a management partition, the better.
1943 Remember, a service running as root in the management domain has full
1944 access to all other domains on the system.
1945 \item \textbf{Use a firewall to restrict the traffic to the management
1946 domain.} A firewall with default-reject rules will help prevent
1947 attacks on the management domain.
1948 \item \textbf{Do not allow users to access Domain-0.} The Linux kernel
1949 has been known to have local-user root exploits. If you allow normal
1950 users to access Domain-0 (even as unprivileged users) you run the risk
1951 of a kernel exploit making all of your domains vulnerable.
1952 \end{enumerate}
1954 \section{Driver Domain Security Considerations}
1955 \label{s:ddsecurity}
1957 Driver domains address a range of security problems that exist regarding
1958 the use of device drivers and hardware. On many operating systems in common
1959 use today, device drivers run within the kernel with the same privileges as
1960 the kernel. Few or no mechanisms exist to protect the integrity of the kernel
1961 from a misbehaving (read "buggy") or malicious device driver. Driver
1962 domains exist to aid in isolating a device driver within its own virtual
1963 machine where it cannot affect the stability and integrity of other
1964 domains. If a driver crashes, the driver domain can be restarted rather than
1965 have the entire machine crash (and restart) with it. Drivers written by
1966 unknown or untrusted third-parties can be confined to an isolated space.
1967 Driver domains thus address a number of security and stability issues with
1968 device drivers.
1970 However, due to limitations in current hardware, a number of security
1971 concerns remain that need to be considered when setting up driver domains (it
1972 should be noted that the following list is not intended to be exhaustive).
1974 \begin{enumerate}
1975 \item \textbf{Without an IOMMU, a hardware device can DMA to memory regions
1976 outside of its controlling domain.} Architectures which do not have an
1977 IOMMU (e.g. most x86-based platforms) to restrict DMA usage by hardware
1978 are vulnerable. A hardware device which can perform arbitrary memory reads
1979 and writes can read/write outside of the memory of its controlling domain.
1980 A malicious or misbehaving domain could use a hardware device it controls
1981 to send data overwriting memory in another domain or to read arbitrary
1982 regions of memory in another domain.
1983 \item \textbf{Shared buses are vulnerable to sniffing.} Devices that share
1984 a data bus can sniff (and possible spoof) each others' data. Device A that
1985 is assigned to Domain A could eavesdrop on data being transmitted by
1986 Domain B to Device B and then relay that data back to Domain A.
1987 \item \textbf{Devices which share interrupt lines can either prevent the
1988 reception of that interrupt by the driver domain or can trigger the
1989 interrupt service routine of that guest needlessly.} A devices which shares
1990 a level-triggered interrupt (e.g. PCI devices) with another device can
1991 raise an interrupt and never clear it. This effectively blocks other devices
1992 which share that interrupt line from notifying their controlling driver
1993 domains that they need to be serviced. A device which shares an
1994 any type of interrupt line can trigger its interrupt continually which
1995 forces execution time to be spent (in multiple guests) in the interrupt
1996 service routine (potentially denying time to other processes within that
1997 guest). System architectures which allow each device to have its own
1998 interrupt line (e.g. PCI's Message Signaled Interrupts) are less
1999 vulnerable to this denial-of-service problem.
2000 \item \textbf{Devices may share the use of I/O memory address space.} Xen can
2001 only restrict access to a device's physical I/O resources at a certain
2002 granularity. For interrupt lines and I/O port address space, that
2003 granularity is very fine (per interrupt line and per I/O port). However,
2004 Xen can only restrict access to I/O memory address space on a page size
2005 basis. If more than one device shares use of a page in I/O memory address
2006 space, the domains to which those devices are assigned will be able to
2007 access the I/O memory address space of each other's devices.
2008 \end{enumerate}
2011 \section{Security Scenarios}
2014 \subsection{The Isolated Management Network}
2016 In this scenario, each node has two network cards in the cluster. One
2017 network card is connected to the outside world and one network card is a
2018 physically isolated management network specifically for Xen instances to
2019 use.
2021 As long as all of the management partitions are trusted equally, this is
2022 the most secure scenario. No additional configuration is needed other
2023 than forcing Xend to bind to the management interface for relocation.
2026 \subsection{A Subnet Behind a Firewall}
2028 In this scenario, each node has only one network card but the entire
2029 cluster sits behind a firewall. This firewall should do at least the
2030 following:
2032 \begin{enumerate}
2033 \item Prevent IP spoofing from outside of the subnet.
2034 \item Prevent access to the relocation port of any of the nodes in the
2035 cluster except from within the cluster.
2036 \end{enumerate}
2038 The following iptables rules can be used on each node to prevent
2039 migrations to that node from outside the subnet assuming the main
2040 firewall does not do this for you:
2042 \begin{verbatim}
2043 # this command disables all access to the Xen relocation
2044 # port:
2045 iptables -A INPUT -p tcp --destination-port 8002 -j REJECT
2047 # this command enables Xen relocations only from the specific
2048 # subnet:
2049 iptables -I INPUT -p tcp -{}-source \
2050 --destination-port 8002 -j ACCEPT
2051 \end{verbatim}
2053 \subsection{Nodes on an Untrusted Subnet}
2055 Migration on an untrusted subnet is not safe in current versions of Xen.
2056 It may be possible to perform migrations through a secure tunnel via an
2057 VPN or SSH. The only safe option in the absence of a secure tunnel is to
2058 disable migration completely. The easiest way to do this is with
2059 iptables:
2061 \begin{verbatim}
2062 # this command disables all access to the Xen relocation port
2063 iptables -A INPUT -p tcp -{}-destination-port 8002 -j REJECT
2064 \end{verbatim}
2066 %% Chapter Xen Mandatory Access Control Framework
2067 \chapter{sHype/Xen Access Control}
2069 The Xen mandatory access control framework is an implementation of the
2070 sHype Hypervisor Security Architecture
2071 (www.research.ibm.com/ssd\_shype). It permits or denies communication
2072 and resource access of domains based on a security policy. The
2073 mandatory access controls are enforced in addition to the Xen core
2074 controls, such as memory protection. They are designed to remain
2075 transparent during normal operation of domains (policy-conform
2076 behavior) but to intervene when domains move outside their intended
2077 sharing behavior. This chapter will describe how the sHype access
2078 controls in Xen can be configured to prevent viruses from spilling
2079 over from one into another workload type and secrets from leaking from
2080 one workload type to another. sHype/Xen depends on the correct
2081 behavior of Domain0 (cf previous chapter).
2083 Benefits of configuring sHype/ACM in Xen include:
2084 \begin{itemize}
2085 \item robust workload and resource protection effective against rogue
2086 user domains
2087 \item simple, platform- and operating system-independent security
2088 policies (ideal for heterogeneous distributed environments)
2089 \item safety net with minimal performance overhead in case operating
2090 system security is missing, does not scale, or fails
2091 \end{itemize}
2093 These benefits are very valuable because today's operating systems
2094 become increasingly complex and often have no or insufficient
2095 mandatory access controls. (Discretionary access controls, supported
2096 by of most operating systems, are not effective against viruses or
2097 misbehaving programs.) Where mandatory access control exists (e.g.,
2098 SELinux), they usually deploy complex and difficult to understand
2099 security policies. Additionally, multi-tier applications in business
2100 environments usually require different types of operating systems
2101 (e.g., AIX, Windows, Linux) which cannot be configured with compatible
2102 security policies. Related distributed transactions and workloads
2103 cannot be easily protected on the OS level. The Xen access control
2104 framework steps in to offer a coarse-grained but very robust security
2105 layer and safety net in case operating system security fails or is
2106 missing.
2108 To control sharing between domains, Xen mediates all inter-domain
2109 communication (shared memory, events) as well as the access of domains
2110 to resources such as disks. Thus, Xen can confine distributed
2111 workloads (domain payloads) by permitting sharing among domains
2112 running the same type of workload and denying sharing between pairs of
2113 domains that run different workload types. We assume that--from a Xen
2114 perspective--only one workload type is running per user domain. To
2115 enable Xen to associate domains and resources with workload types,
2116 security labels including the workload types are attached to domains
2117 and resources. These labels and the hypervisor sHype controls cannot
2118 be manipulated or bypassed and are effective even against rogue
2119 domains.
2121 \section{Overview}
2122 This section gives an overview of how workloads can be protected using
2123 the sHype mandatory access control framework in Xen.
2124 Figure~\ref{fig:acmoverview} shows the necessary steps in activating
2125 the Xen workload protection. These steps are described in detail in
2126 Section~\ref{section:acmexample}.
2128 \begin{figure}
2129 \centering
2130 \includegraphics[width=13cm]{figs/acm_overview.eps}
2131 \caption{Overview of activating sHype workload protection in Xen.
2132 Section numbers point to representative examples.}
2133 \label{fig:acmoverview}
2134 \end{figure}
2136 First, the sHype/ACM access control must be enabled in the Xen
2137 distribution and the distribution must be built and installed (cf
2138 Subsection~\ref{subsection:acmexampleconfigure}). Before we can
2139 enforce security, a Xen security policy must be created (cf
2140 Subsection~\ref{subsection:acmexamplecreate}) and deployed (cf
2141 Subsection~\ref{subsection:acmexampleinstall}). This policy defines
2142 the workload types differentiated during access control. It also
2143 defines the rules that compare workload types of domains and resources
2144 to provide access decisions. Workload types are represented by
2145 security labels that can be attached to domains and resources (cf
2146 Subsections~\ref{subsection:acmexamplelabeldomains}
2147 and~\ref{subsection:acmexamplelabelresources}). The functioning of
2148 the active sHype/Xen workload protection is demonstrated using simple
2149 resource assignment, and domain creation tests in
2150 Subsection~\ref{subsection:acmexampletest}.
2151 Section~\ref{section:acmpolicy} describes the syntax and semantics of
2152 the sHype/Xen security policy in detail and introduces briefly the
2153 tools that are available to help create valid security policies.
2155 The next section describes all the necessary steps to create, deploy,
2156 and test a simple workload protection policy. It is meant to enable
2157 anybody to quickly try out the sHype/Xen workload protection. Those
2158 readers who are interested in learning more about how the sHype access
2159 control in Xen works and how it is configured using the XML security
2160 policy should read Section~\ref{section:acmpolicy} as well.
2161 Section~\ref{section:acmlimitations} concludes this chapter with
2162 current limitations of the sHype implementation for Xen.
2164 \section{Xen Workload Protection Step-by-Step}
2165 \label{section:acmexample}
2167 What you are about to do consists of the following sequence:
2168 \begin{itemize}
2169 \item configure and install sHype/Xen
2170 \item create a simple workload protection security policy
2171 \item deploy the sHype/Xen security policy
2172 \item associate domains and resources with workload labels,
2173 \item test the workload protection
2174 \end{itemize}
2175 The essential commands to create and deploy a sHype/Xen security
2176 policy are numbered throughout the following sections. If you want a
2177 quick-guide or return at a later time to go quickly through this
2178 demonstration, simply look for the numbered commands and apply them in
2179 order.
2181 \subsection{Configuring/Building sHype Support into Xen}
2182 \label{subsection:acmexampleconfigure}
2183 First, we need to configure the access control module in Xen and
2184 install the ACM-enabled Xen hypervisor. This step installs security
2185 tools and compiles sHype/ACM controls into the Xen hypervisor.
2187 To enable sHype/ACM in Xen, please edit the Config.mk file in the top
2188 Xen directory.
2190 \begin{verbatim}
2191 (1) In Config.mk
2192 Change: ACM_SECURITY ?= n
2193 To: ACM_SECURITY ?= y
2194 \end{verbatim}
2196 Then install the security-enabled Xen environment as follows:
2198 \begin{verbatim}
2199 (2) # make world
2200 # make install
2201 \end{verbatim}
2203 \subsection{Creating A WLP Policy in 3 Simple Steps with ezPolicy}
2204 \label{subsection:acmexamplecreate}
2206 We will use the ezPolicy tool to quickly create a policy that protects
2207 workloads. You will need both the Python and wxPython packages to run
2208 this tool. To run the tool in Domain0, you can download the wxPython
2209 package from www.wxpython.org or use the command
2210 \verb|yum install wxPython| in Redhat/Fedora. To run the tool on MS
2211 Windows, you also need to download the Python package from
2212 www.python.org. After these packages are installed, start the ezPolicy
2213 tool with the following command:
2215 \begin{verbatim}
2216 (3) # xensec_ezpolicy
2217 \end{verbatim}
2219 Figure~\ref{fig:acmezpolicy} shows a screen-shot of the tool. The
2220 following steps show you how to create the policy shown in
2221 Figure~\ref{fig:acmezpolicy}. You can use \verb|<CTRL>-h| to pop up a
2222 help window at any time. The indicators (a), (b), and (c) in
2223 Figure~\ref{fig:acmezpolicy} show the buttons that are used during the
2224 3 steps of creating a policy:
2225 \begin{enumerate}
2226 \item defining workloads
2227 \item defining run-time conflicts
2228 \item translating the workload definition into a sHype/Xen access
2229 control policy
2230 \end{enumerate}
2232 \paragraph{Defining workloads.} Workloads are defined for each
2233 organization and department that you enter in the left panel. Please
2234 use the ``New Org'' button (a) to create the organizations ``Avis'',
2235 ``Hertz'', ``CocaCola'', and ``PepsiCo''.
2237 You can refine an organization to differentiate between multiple
2238 department workloads by right-clicking the organization and selecting
2239 \verb|Add Department| (or selecting an organization and pressing
2240 \verb|<CRTL>-a|). Create department workloads ``Intranet'',
2241 ``Extranet'', ``HumanResources'', and ``Payroll'' for the ``CocaCola''
2242 organization and department workloads ``Intranet'' and ``Extranet''
2243 for the ``PepsiCo'' organization. The resulting layout of the tool
2244 should be similar to the left panel shown in
2245 Figure~\ref{fig:acmezpolicy}.
2247 \paragraph{Defining run-time conflicts.} Workloads that shall be
2248 prohibited from running concurrently on the same hypervisor platform
2249 are grouped into ``Run-time Exclusion rules'' on the right panel of
2250 the window.
2252 To prevent PepsiCo and CocaCola workloads (including their
2253 departmental workloads) from running simultaneously on the same
2254 hypervisor system, select the organization ``PepsiCo'' and, while
2255 pressing the \verb|<CTRL>|-key, select the organization ``CocaCola''.
2256 Now press the button (b) named ``Create run-time exclusion rule from
2257 selection''. A popup window will ask for the name for this run-time
2258 exclusion rule (enter a name or just hit \verb|<ENTER>|). A rule will
2259 appear on the right panel. The name is used as reference only and does
2260 not affect the hypervisor policy.
2262 Repeat the process to create a run-time exclusion rule just for the
2263 department workloads CocaCola.Extranet and CocaCola.Payroll.
2265 \begin{figure}[htb]
2266 \centering
2267 \includegraphics[width=13cm]{figs/acm_ezpolicy.eps}
2268 \caption{Final layout including workload definition and Run-time Exclusion rules.}
2269 \label{fig:acmezpolicy}
2270 \end{figure}
2272 The resulting layout of your window should be similar to
2273 Figure~\ref{fig:acmezpolicy}. Save this workload definition by
2274 selecting ``Save Workload Definition as ...'' in the ``File'' menu
2275 (c). This workload definition can be later refined if required.
2277 \paragraph{Translating the workload definition into a sHype/Xen access
2278 control policy.} To translate the workload definition into a access
2279 control policy understood by Xen, please select the ``Save as Xen ACM
2280 Security Policy'' in the ``File'' menu (c). Enter the following policy
2281 name in the popup window: \verb|example.chwall_ste.test-wld|. If you
2282 are running ezPolicy in Domain0, the resulting policy file
2283 test-wld\_security-policy.xml will automatically be placed into the
2284 right directory (/etc/xen/acm-security/ policies/example/chwall\_ste).
2285 If you run the tool on another system, then you need to copy the
2286 resulting policy file into Domain0 before continuing. See
2287 Section~\ref{subsection:acmnaming} for naming conventions of security
2288 policies.
2290 \subsection{Deploying a WLP Policy}
2291 \label{subsection:acmexampleinstall}
2292 To deploy the workload protection policy we created in
2293 Section~\ref{subsection:acmexamplecreate}, we create a policy
2294 representation (test-wld.bin) that can be loaded into the Xen
2295 hypervisor and we configure Xen to actually load this policy at
2296 startup time.
2298 The following command translates the source policy representation
2299 into a format that can be loaded into Xen with sHype/ACM support.
2300 Refer to the \verb|xm| man page for further details:
2302 \begin{verbatim}
2303 (4) # xm makepolicy example.chwall_ste.test-wld
2304 \end{verbatim}
2306 The easiest way to install a security policy for Xen is to include the
2307 policy in the boot sequence. The following command does just this:
2309 \begin{verbatim}
2310 (5) # xm cfgbootpolicy example.chwall_ste.test-wld
2311 \end{verbatim}
2313 \textit{Alternatively, if this command fails} (e.g., because it cannot
2314 identify the Xen boot entry), you can manually install the policy in 2
2315 steps. First, manually copy the policy binary file into the boot
2316 directory:
2318 \begin{scriptsize}
2319 \begin{verbatim}
2320 # cp /etc/xen/acm-security/policies/example/chwall_ste/test-wld.bin \
2321 /boot/example.chwall_ste.test-wld.bin
2322 \end{verbatim}
2323 \end{scriptsize}
2325 Second, manually add a module line to your Xen boot entry so that grub
2326 loads this policy file during startup:
2328 \begin{scriptsize}
2329 \begin{verbatim}
2330 title Xen (
2331 root (hd0,0)
2332 kernel /xen.gz dom0_mem=2000000 console=vga
2333 module /vmlinuz- ro root=/dev/hda3
2334 module /initrd-
2335 module /example.chwall_ste.test-wld.bin
2336 \end{verbatim}
2337 \end{scriptsize}
2339 Now reboot into this Xen boot entry to activate the policy and the
2340 security-enabled Xen hypervisor.
2342 \begin{verbatim}
2343 (6) # reboot
2344 \end{verbatim}
2346 After reboot, check if security is enabled:
2348 \begin{scriptsize}
2349 \begin{verbatim}
2350 # xm list --label
2351 Name ID Mem(MiB) VCPUs State Time(s) Label
2352 Domain-0 0 1949 4 r----- 163.9 SystemManagement
2353 \end{verbatim}
2354 \end{scriptsize}
2356 If the security label at the end of the line says ``INACTIV'' then the
2357 security is not enabled. Verify the previous steps. Note: Domain0 is
2358 assigned a default label (see \verb|bootstrap| policy attribute
2359 explained in Section~\ref{section:acmpolicy}). All other domains must
2360 be labeled in order to start on this sHype/ACM-enabled Xen hypervisor
2361 (see following sections for labeling domains and resources).
2363 \subsection{Labeling Domains}
2364 \label{subsection:acmexamplelabeldomains}
2365 You should have a Xen domain configuration file that looks like the
2366 following (Note: www.jailtime.org or www.xen-get.org might be good
2367 places to look for example domU images). The following configuration
2368 file defines \verb|domain1|:
2370 \begin{scriptsize}
2371 \begin{verbatim}
2372 # cat domain1.xm
2373 kernel = "/boot/vmlinuz-"
2374 memory = 128
2375 name = "domain1"
2376 vif = [ '' ]
2377 dhcp = "dhcp"
2378 disk = ['file:/home/xen/dom_fc5/fedora.fc5.img,sda1,w', \
2379 'file:/home/xen/dom_fc5/fedora.swap,sda2,w']
2380 root = "/dev/sda1 ro"
2381 \end{verbatim}
2382 \end{scriptsize}
2384 If you try to start domain1, you will get the following error:
2386 \begin{scriptsize}
2387 \begin{verbatim}
2388 # xm create domain1.xm
2389 Using config file "domain1.xm".
2390 domain1: DENIED
2391 --> Domain not labeled
2392 Checking resources: (skipped)
2393 Security configuration prevents domain from starting
2394 \end{verbatim}
2395 \end{scriptsize}
2397 Every domain must be associated with a security label before it can
2398 start on sHype/Xen. Otherwise, sHype/Xen would not be able to enforce
2399 the policy consistently. The following command prints all domain
2400 labels available in the active policy:
2402 \begin{scriptsize}
2403 \begin{verbatim}
2404 # xm labels type=dom
2405 Avis
2406 CocaCola
2407 CocaCola.Extranet
2408 CocaCola.HumanResources
2409 CocaCola.Intranet
2410 CocaCola.Payroll
2411 Hertz
2412 PepsiCo
2413 PepsiCo.Extranet
2414 PepsiCo.Intranet
2415 SystemManagement
2416 \end{verbatim}
2417 \end{scriptsize}
2419 Now label domain1 with the CocaCola label and another domain2 with the
2420 PepsiCo.Extranet label. Please refer to the xm man page for further
2421 information.
2423 \begin{verbatim}
2424 (7) # xm addlabel CocaCola dom domain1.xm
2425 # xm addlabel PepsiCo.Extranet dom domain2.xm
2426 \end{verbatim}
2428 Let us try to start the domain again:
2430 \begin{scriptsize}
2431 \begin{verbatim}
2432 # xm create domain1.xm
2433 Using config file "domain1.xm".
2434 file:/home/xen/dom_fc5/fedora.fc5.img: DENIED
2435 --> res:__NULL_LABEL__ (NULL)
2436 --> dom:CocaCola (example.chwall_ste.test-wld)
2437 file:/home/xen/dom_fc5/fedora.swap: DENIED
2438 --> res:__NULL_LABEL__ (NULL)
2439 --> dom:CocaCola (example.chwall_ste.test-wld)
2440 Security configuration prevents domain from starting
2441 \end{verbatim}
2442 \end{scriptsize}
2444 This error indicates that domain1, if started, would not be able to
2445 access its image and swap files because they are not labeled. This
2446 makes sense because to confine workloads, access of domains to
2447 resources must be controlled. Otherwise, domains that are not allowed
2448 to communicate or run simultaneously could share data through storage
2449 resources.
2451 \subsection{Labeling Resources}
2452 \label{subsection:acmexamplelabelresources}
2453 You can use the \verb|xm labels type=res| command to list available
2454 resource labels. Let us assign the CocaCola resource label to the domain1
2455 image file representing \verb|/dev/sda1| and to its swap file:
2457 \begin{verbatim}
2458 (8) # xm addlabel CocaCola res \
2459 file:/home/xen/dom_fc5/fedora.fc5.img
2460 Resource file not found, creating new file at:
2461 /etc/xen/acm-security/policies/resource_labels
2462 # xm addlabel CocaCola res \
2463 file:/home/xen/dom_fc5/fedora.swap
2464 \end{verbatim}
2466 Starting \verb|domain1| now will succeed:
2468 \begin{scriptsize}
2469 \begin{verbatim}
2470 # xm create domain1.xm
2471 # xm list --label
2472 Name ID Mem(MiB) VCPUs State Time(s) Label
2473 domain1 1 128 1 r----- 2.8 CocaCola
2474 Domain-0 0 1949 4 r----- 387.7 SystemManagement
2475 \end{verbatim}
2476 \end{scriptsize}
2478 The following command lists all labeled resources on the
2479 system, e.g., to lookup or verify the labeling:
2481 \begin{scriptsize}
2482 \begin{verbatim}
2483 # xm resources
2484 file:/home/xen/dom_fc5/fedora.swap
2485 policy: example.chwall_ste.test-wld
2486 label: CocaCola
2487 file:/home/xen/dom_fc5/fedora.fc5.img
2488 policy: example.chwall_ste.test-wld
2489 label: CocaCola
2490 \end{verbatim}
2491 \end{scriptsize}
2493 Currently, if a labeled resource is moved to another location, the
2494 label must first be manually removed, and after the move re-attached
2495 using the xm commands \verb|xm rmlabel| and \verb|xm addlabel|
2496 respectively. Please see Section~\ref{section:acmlimitations} for
2497 further details.
2499 \begin{verbatim}
2500 (9) Label the resources of domain2 as PepsiCo.Extranet
2501 Do not try to start this domain yet
2502 \end{verbatim}
2504 \subsection{Testing The Xen Workload Protection}
2505 \label{subsection:acmexampletest}
2506 We are about to demonstrate how the workload protection works by
2507 verifying:
2508 \begin{itemize}
2509 \item that domains with conflicting workloads cannot run
2510 simultaneously
2511 \item that domains cannot access resources of other workloads
2512 \item that domains cannot exchange network packets if they are not
2513 associated with the same workload type
2514 \end{itemize}
2516 \paragraph{Test 1: Run-time exclusion rules.} We assume that domain1
2517 with the CocaCola label is still running. While domain1 is running,
2518 the run-time exclusion set of our policy says that domain2 cannot
2519 start because the label of domain1 includes the CHWALL type CocaCola
2520 and the label of domain2 includes the CHWALL type PepsiCo. The
2521 run-time exclusion rule of our policy enforces that PepsiCo and
2522 CocaCola cannot run at the same time on the same hypervisor platform.
2523 Once domain1 is stopped or saved, domain2 can start but domain1 can no
2524 longer start or be resumed. The ezPolicy tool, when creating the
2525 Chinese Wall types for the workload labels, ensures that department
2526 workloads inherit the organization type (and with it any organization
2527 exclusions).
2529 \begin{scriptsize}
2530 \begin{verbatim}
2531 # xm list --label
2532 Name ID Mem(MiB) VCPUs State Time(s) Label
2533 domain1 2 128 1 -b---- 6.9 CocaCola
2534 Domain-0 0 1949 4 r----- 273.1 SystemManagement
2536 # xm create domain2.xm
2537 Using config file "domain2.xm".
2538 Error: (1, 'Operation not permitted')
2540 # xm destroy domain1
2541 # xm create domain2.xm
2542 Using config file "domain2.xm".
2543 Started domain domain2
2545 # xm list --label
2546 Name ID Mem(MiB) VCPUs State Time(s) Label
2547 domain2 4 164 1 r----- 4.3 PepsiCo.Extranet
2548 Domain-0 0 1949 4 r----- 298.4 SystemManagement
2550 # xm create domain1.xm
2551 Using config file "domain1.xm".
2552 Error: (1, 'Operation not permitted')
2554 # xm destroy domain2
2555 # xm list
2556 Name ID Mem(MiB) VCPUs State Time(s)
2557 Domain-0 0 1949 4 r----- 391.2
2558 \end{verbatim}
2559 \end{scriptsize}
2561 You can verify that domains with Avis label can run together with
2562 domains labeled CocaCola, PepsiCo, or Hertz.
2564 \paragraph{Test2: Resource access.} In this test, we will re-label the
2565 swap file for domain1 with the Avis resource label. We expect that
2566 Domain1 will no longer start because it cannot access this resource.
2567 This test checks the sharing abilities of domains, which are defined
2568 by the Simple Type Enforcement Policy component.
2570 \begin{scriptsize}
2571 \begin{verbatim}
2572 # xm rmlabel res file:/home/xen/dom_fc5/fedora.swap
2573 # xm addlabel Avis res file:/home/xen/dom_fc5/fedora.swap
2574 # xm resources
2575 file:/home/xen/dom_fc5/fedora.swap
2576 policy: example.chwall_ste.test-wld
2577 label: Avis
2578 file:/home/xen/dom_fc5/fedora.fc5.img
2579 policy: example.chwall_ste.test-wld
2580 label: CocaCola
2582 # xm create domain1.xm
2583 Using config file "domain1.xm".
2584 file:/home/xen/dom_fc4/fedora.swap: DENIED
2585 --> res:Avis (example.chwall_ste.test-wld)
2586 --> dom:CocaCola (example.chwall_ste.test-wld)
2587 Security configuration prevents domain from starting
2588 \end{verbatim}
2589 \end{scriptsize}
2591 \paragraph{Test 3: Communication.} In this test we would verify that
2592 two domains with labels Hertz and Avis cannot exchange network packets
2593 by using the 'ping' connectivity test. It is also related to the STE
2594 policy.{\bf Note:} sHype/Xen does control direct communication between
2595 domains. However, domains associated with different workloads can
2596 currently still communicate through the Domain0 virtual network. We
2597 are working on the sHype/ACM controls for local and remote network
2598 traffic through Domain0. Please monitor the xen-devel mailing list
2599 for updated information.
2601 \section{Xen Access Control Policy}
2602 \label{section:acmpolicy}
2604 This section describes the sHype/Xen access control policy in detail.
2605 It gives enough information to enable the reader to write custom
2606 access control policies and to use the available Xen policy tools. The
2607 policy language is expressive enough to specify most symmetric access
2608 relationships between domains and resources efficiently.
2610 The Xen access control policy consists of two policy components. The
2611 first component, called Chinese Wall (CHWALL) policy, controls which
2612 domains can run simultaneously on the same virtualized platform. The
2613 second component, called Simple Type Enforcement (STE) policy,
2614 controls the sharing between running domains, i.e., communication or
2615 access to shared resources. The CHWALL and STE policy components can
2616 be configured to run alone, however in our examples we will assume
2617 that both policy components are configured together since they
2618 complement each other. The XML policy file includes all information
2619 needed by Xen to enforce the policies.
2621 Figures~\ref{fig:acmxmlfilea} and \ref{fig:acmxmlfileb} show a fully
2622 functional but very simple example policy for Xen. The policy can
2623 distinguish two workload types \verb|CocaCola| and \verb|PepsiCo| and
2624 defines the labels necessary to associate domains and resources with
2625 one of these workload types. The XML Policy consists of four parts:
2626 \begin{enumerate}
2627 \item policy header including the policy name
2628 \item Simple Type Enforcement block
2629 \item Chinese Wall Policy block
2630 \item label definition block
2631 \end{enumerate}
2633 \begin{figure}
2634 \begin{scriptsize}
2635 \begin{verbatim}
2636 01 <?xml version="1.0" encoding="UTF-8"?>
2637 02 <!-- Auto-generated by ezPolicy -->
2638 03 <SecurityPolicyDefinition
2639 xmlns="http://www.ibm.com"
2640 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2641 xsi:schemaLocation=
2642 "http://www.ibm.com ../../security_policy.xsd ">
2643 04 <PolicyHeader>
2644 05 <PolicyName>example.chwall_ste.test</PolicyName>
2645 06 <Date>Wed Jul 12 17:32:59 2006</Date>
2646 07 </PolicyHeader>
2647 08
2648 09 <SimpleTypeEnforcement>
2649 10 <SimpleTypeEnforcementTypes>
2650 11 <Type>SystemManagement</Type>
2651 12 <Type>PepsiCo</Type>
2652 13 <Type>CocaCola</Type>
2653 14 </SimpleTypeEnforcementTypes>
2654 15 </SimpleTypeEnforcement>
2655 16
2656 17 <ChineseWall priority="PrimaryPolicyComponent">
2657 18 <ChineseWallTypes>
2658 19 <Type>SystemManagement</Type>
2659 20 <Type>PepsiCo</Type>
2660 21 <Type>CocaCola</Type>
2661 22 </ChineseWallTypes>
2662 23
2663 24 <ConflictSets>
2664 25 <Conflict name="RER1">
2665 26 <Type>CocaCola</Type>
2666 27 <Type>PepsiCo</Type>
2667 28 </Conflict>
2668 29 </ConflictSets>
2669 30 </ChineseWall>
2670 31
2671 \end{verbatim}
2672 \end{scriptsize}
2673 \caption{Example XML security policy file -- Part I: Types and Rules Definition.}
2674 \label{fig:acmxmlfilea}
2675 \end{figure}
2677 \subsection{Policy Header and Policy Name}
2678 \label{subsection:acmnaming}
2679 Lines 1-2 (cf Figure~\ref{fig:acmxmlfilea}) include the usual XML
2680 header. The security policy definition starts in Line 3 and refers to
2681 the policy schema. The XML-Schema definition for the Xen policy can be
2682 found in the file
2683 \textit{/etc/xen/acm-security/policies/security-policy.xsd}. Examples
2684 for security policies can be found in the example subdirectory. The
2685 acm-security directory is only installed if ACM security is configured
2686 during installation (cf Section~\ref{subsection:acmexampleconfigure}).
2688 The \verb|Policy Header| spans lines 4-7. It includes a date field and
2689 defines the policy name \verb|example.chwall_ste.test|. It can also
2690 include optional fields that are not shown and are for future use (see
2691 schema definition).
2693 The policy name serves two purposes: First, it provides a unique name
2694 for the security policy. This name is also exported by the Xen
2695 hypervisor to the Xen management tools in order to ensure that both
2696 enforce the same policy. We plan to extend the policy name with a
2697 digital fingerprint of the policy contents to better protect this
2698 correlation. Second, it implicitly points the xm tools to the
2699 location where the XML policy file is stored on the Xen system.
2700 Replacing the colons in the policy name by slashes yields the local
2701 path to the policy file starting from the global policy directory
2702 \verb|/etc/xen/acm-security/policies|. The last part of the policy
2703 name is the prefix for the XML policy file name, completed by
2704 \verb|-security_policy.xml|. Consequently, the policy with the name
2705 \verb|example.chwall_ste.test| can be found in the XML policy file
2706 named \verb|test-security_policy.xml| that is stored in the local
2707 directory \verb|example/chwall_ste| under the global policy directory.
2709 \subsection{Simple Type Enforcement Policy Component}
2711 The Simple Type Enforcement (STE) policy controls which domains can
2712 communicate or share resources. This way, Xen can enforce confinement
2713 of workload types by confining the domains running those workload
2714 types. The mandatory access control framework enforces its policy when
2715 domains access intended ways of communication or cooperation (shared
2716 memory, events, shared resources such as block devices). It builds on
2717 top of the core hypervisor isolation, which restricts the ways of
2718 inter-communication to those intended means. STE does not protect or
2719 intend to protect from covert channels in the hypervisor or hardware;
2720 this is an orthogonal problem that can be mitigated by using the
2721 Run-time Exclusion rules described above or by fixing the problem in
2722 the core hypervisor.
2724 Xen controls sharing between domains on the resource and domain level
2725 because this is the abstraction the hypervisor and its management
2726 understand naturally. While this is coarse-grained, it is also very
2727 reliable and robust and it requires minimal changes to implement
2728 mandatory access controls in the hypervisor. It enables platform- and
2729 operation system-independent policies as part of a layered security
2730 approach.
2732 Lines 9-15 (cf Figure~\ref{fig:acmxmlfilea}) define the Simple Type
2733 Enforcement policy component. Essentially, they define the workload
2734 type names \verb|SystemManagement|, \verb|PepsiCo|, and
2735 \verb|CocaCola| that are available in the STE policy component. The
2736 policy rules are implicit: Xen permits a domain to communicate with
2737 another domain if and only if the labels of the domains share an
2738 common STE type. Xen permits a domain to access a resource if and
2739 only if the labels of the domain and the resource share a common STE
2740 workload type.
2742 \subsection{Chinese Wall Policy Component}
2744 The Chinese Wall security policy interpretation of sHype enables users
2745 to prevent certain workloads from running simultaneously on the same
2746 hypervisor platform. Run-time Exclusion rules (RER), also called
2747 Conflict Sets, define a set of workload types that are not permitted
2748 to run simultaneously. Of all the workloads specified in a Run-time
2749 Exclusion rule, at most one type can run on the same hypervisor
2750 platform at a time. Run-time Exclusion Rules implement a less
2751 rigorous variant of the original Chinese Wall security component. They
2752 do not implement the *-property of the policy, which would require to
2753 restrict also types that are not part of an exclusion rule once they
2754 are running together with a type in an exclusion rule (please refer to
2755 http://www.gammassl.co.uk/topics/chinesewall.html for more information
2756 on the original Chinese Wall policy).
2758 Xen considers the \verb|ChineseWallTypes| part of the label for the
2759 enforcement of the Run-time Exclusion rules. It is illegal to define
2760 labels including conflicting Chinese Wall types.
2762 Lines 17-30 (cf Figure~\ref{fig:acmxmlfilea}) define the Chinese Wall
2763 policy component. Lines 17-22 define the known Chinese Wall types,
2764 which coincide here with the STE types defined above. This usually
2765 holds if the criteria for sharing among domains and sharing of the
2766 hardware platform are the same. Lines 24-29 define one Run-time
2767 Exclusion rule:
2769 \begin{scriptsize}
2770 \begin{verbatim}
2771 <Conflict name="RER1">
2772 <Type>CocaCola</Type>
2773 <Type>PepsiCo</Type>
2774 </Conflict>
2775 \end{verbatim}
2776 \end{scriptsize}
2778 Based on this rule, Xen enforces that only one of the types
2779 \verb|CocaCola| or \verb|PepsiCo| will run on a single hypervisor
2780 platform at a time. For example, once a domain assigned a
2781 \verb|CocaCola| workload type is started, domains with the
2782 \verb|PepsiCo| type will be denied to start. When the former domain
2783 stops and no other domains with the \verb|CocaCola| type are running,
2784 then domains with the \verb|PepsiCo| type can start.
2786 Xen maintains reference counts on each running workload type to keep
2787 track of which workload types are running. Every time a domain starts
2788 or resumes, the reference count on those Chinese Wall types that are
2789 referenced in the domain's label are incremented. Every time a domain
2790 is destroyed or saved, the reference counts of its Chinese Wall types
2791 are decremented. sHype in Xen covers migration and live-migration,
2792 which is treated the same way as saving a domain on the source
2793 platform and resuming it on the destination platform.
2795 Reasons why users would want to restrict which workloads or domains
2796 can share the system hardware include:
2798 \begin{itemize}
2799 \item Imperfect resource management or control might enable a rogue
2800 domain to starve another domain and the workload running in it.
2801 \item Redundant domains might run the same workload to increase
2802 availability; such domains should not run on the same hardware to
2803 avoid single points of failure.
2804 \item Imperfect Xen core domain isolation might enable two rogue
2805 domains running different workload types to use unintended and
2806 unknown ways (covert channels) to exchange some data. This way, they
2807 bypass the policed Xen access control mechanisms. Such
2808 imperfections cannot be completely eliminated and are a result of
2809 trade-offs between security and other design requirements. For a
2810 simple example of a covert channel see
2811 http://www.multicians.org/timing-chn.html. Such covert channels
2812 exist also between workloads running on different platforms if they
2813 are connected through networks. The Xen Chinese Wall policy provides
2814 an approximation of this imperfect ``air-gap'' between selected
2815 workload types.
2816 \end{itemize}
2818 \subsection{Security Labels}
2820 To enable Xen to associate domains with workload types running in
2821 them, each domain is assigned a security label that includes the
2822 workload types of the domain.
2824 \begin{figure}
2825 \begin{scriptsize}
2826 \begin{verbatim}
2827 32 <SecurityLabelTemplate>
2828 33 <SubjectLabels bootstrap="SystemManagement">
2829 34 <VirtualMachineLabel>
2830 35 <Name>SystemManagement</Name>
2831 36 <SimpleTypeEnforcementTypes>
2832 37 <Type>SystemManagement</Type>
2833 38 <Type>PepsiCo</Type>
2834 39 <Type>CocaCola</Type>
2835 40 </SimpleTypeEnforcementTypes>
2836 41 <ChineseWallTypes>
2837 42 <Type>SystemManagement</Type>
2838 43 </ChineseWallTypes>
2839 44 </VirtualMachineLabel>
2840 45
2841 46 <VirtualMachineLabel>
2842 47 <Name>PepsiCo</Name>
2843 48 <SimpleTypeEnforcementTypes>
2844 49 <Type>PepsiCo</Type>
2845 50 </SimpleTypeEnforcementTypes>
2846 51 <ChineseWallTypes>
2847 52 <Type>PepsiCo</Type>
2848 53 </ChineseWallTypes>
2849 54 </VirtualMachineLabel>
2850 55
2851 56 <VirtualMachineLabel>
2852 57 <Name>CocaCola</Name>
2853 58 <SimpleTypeEnforcementTypes>
2854 59 <Type>CocaCola</Type>
2855 60 </SimpleTypeEnforcementTypes>
2856 61 <ChineseWallTypes>
2857 62 <Type>CocaCola</Type>
2858 63 </ChineseWallTypes>
2859 64 </VirtualMachineLabel>
2860 65 </SubjectLabels>
2861 66
2862 67 <ObjectLabels>
2863 68 <ResourceLabel>
2864 69 <Name>SystemManagement</Name>
2865 70 <SimpleTypeEnforcementTypes>
2866 71 <Type>SystemManagement</Type>
2867 72 </SimpleTypeEnforcementTypes>
2868 73 </ResourceLabel>
2869 74
2870 75 <ResourceLabel>
2871 76 <Name>PepsiCo</Name>
2872 77 <SimpleTypeEnforcementTypes>
2873 78 <Type>PepsiCo</Type>
2874 79 </SimpleTypeEnforcementTypes>
2875 80 </ResourceLabel>
2876 81
2877 82 <ResourceLabel>
2878 83 <Name>CocaCola</Name>
2879 84 <SimpleTypeEnforcementTypes>
2880 85 <Type>CocaCola</Type>
2881 86 </SimpleTypeEnforcementTypes>
2882 87 </ResourceLabel>
2883 88 </ObjectLabels>
2884 89 </SecurityLabelTemplate>
2885 90 </SecurityPolicyDefinition>
2886 \end{verbatim}
2887 \end{scriptsize}
2888 \caption{Example XML security policy file -- Part II: Label Definition.}
2889 \label{fig:acmxmlfileb}
2890 \end{figure}
2892 Lines 32-89 (cf Figure~\ref{fig:acmxmlfileb}) define the
2893 \verb|SecurityLabelTemplate|, which includes the labels that can be
2894 attached to domains and resources when this policy is active. The
2895 domain labels include Chinese Wall types while resource labels do not
2896 include Chinese Wall types. Lines 33-65 define the
2897 \verb|SubjectLabels| that can be assigned to domains. For example, the
2898 virtual machine label \verb|CocaCola| (cf lines 56-64 in
2899 Figure~\ref{fig:acmxmlfileb}) associates the domain that carries it
2900 with the workload type \verb|CocaCola|.
2902 The \verb|bootstrap| attribute names the label
2903 \verb|SystemManagement|. Xen will assign this label to Domain0 at
2904 boot time. All other domains are assigned labels according to their
2905 domain configuration file (see
2906 Section~\ref{subsection:acmexamplelabeldomains} for examples of how to
2907 label domains). Lines 67-88 define the \verb|ObjectLabels|. Those
2908 labels can be assigned to resources when this policy is active.
2910 In general, user domains should be assigned labels that have only a
2911 single SimpleTypeEnforcement workload type. This way, workloads remain
2912 confined even if user domains become rogue. Any domain that is
2913 assigned a label with multiple STE types must be trusted to keep
2914 information belonging to the different STE types separate (confined).
2915 For example, Domain0 is assigned the bootstrap label
2916 \verb|SystemsManagement|, which includes all existing STE types.
2917 Therefore, Domain0 must take care not to enable unauthorized
2918 information flow (eg. through block devices or virtual networking)
2919 between domains or resources that are assigned different STE types.
2921 Security administrators simply use the name of a label (specified in
2922 the \verb|<Name>| field) to associate a label with a domain (cf.
2923 Section~\ref{subsection:acmexamplelabeldomains}). The types inside the
2924 label are used by the Xen access control enforcement. While the name
2925 can be arbitrarily chosen (as long as it is unique), it is advisable
2926 to choose the label name in accordance to the security types included.
2927 While the XML representation in the above label seems unnecessary
2928 flexible, labels in general can consist of multiple types as we will
2929 see in the following example.
2931 Assume that \verb|PepsiCo| and \verb|CocaCola| workloads use virtual
2932 disks that are provided by a virtual I/O domain hosting a physical
2933 storage device and carrying the following label:
2935 \begin{scriptsize}
2936 \begin{verbatim}
2937 <VirtualMachineLabel>
2938 <Name>VIO</Name>
2939 <SimpleTypeEnforcementTypes>
2940 <Type>CocaCola</Type>
2941 <Type>PepsiCo</Type>
2942 </SimpleTypeEnforcementTypes>
2943 <ChineseWallTypes>
2944 <Type>VIOServer</Type>
2945 </ChineseWallTypes>
2946 </VirtualMachineLabel>
2947 \end{verbatim}
2948 \end{scriptsize}
2950 This Virtual I/O domain (VIO) exports its virtualized disks by
2951 communicating both to domains labeled with the \verb|PepsiCo| label
2952 and domains labeled with the \verb|CocaCola| label. This requires the
2953 VIO domain to carry both the STE types \verb|CocaCola| and
2954 \verb|PepsiCo|. In this example, the confinement of \verb|CocaCola|
2955 and \verb|PepsiCo| workload depends on a VIO domain that must keep the
2956 data of those different workloads separate. The virtual disks are
2957 labeled as well (see Section~\ref{subsection:acmexamplelabelresources}
2958 for labeling resources) and enforcement functions inside the VIO
2959 domain must ensure that the labels of the domain mounting a virtual
2960 disk and the virtual disk label share a common STE type. The VIO label
2961 carrying its own VIOServer CHWALL type introduces the flexibility to
2962 permit the trusted VIO server to run together with CocaCola or PepsiCo
2963 workloads.
2965 Alternatively, a system that has two hard-drives does not need a VIO
2966 domain but can directly assign one hardware storage device to each of
2967 the workloads (if the platform offers an IO-MMU, cf
2968 Section~\ref{s:ddsecurity}. Sharing hardware through virtualization
2969 is a trade-off between the amount of trusted code (size of the trusted
2970 computing base) and the amount of acceptable over-provisioning. This
2971 holds both for peripherals and for system platforms.
2973 \subsection{Tools For Creating sHype/Xen Security Policies}
2974 To create a security policy for Xen, you can use one of the following
2975 tools:
2976 \begin{itemize}
2977 \item \verb|ezPolicy| GUI tool -- start writing policies
2978 \item \verb|xensec_gen| tool -- refine policies created with \verb|ezPolicy|
2979 \item text or XML editor
2980 \end{itemize}
2982 We use the \verb|ezPolicy| tool in
2983 Section~\ref{subsection:acmexamplecreate} to quickly create a workload
2984 protection policy. If desired, the resulting XML policy file can be
2985 loaded into the \verb|xensec_gen| tool to refine it. It can also be
2986 directly edited using an XML editor. Any XML policy file is verified
2987 against the security policy schema when it is translated (see
2988 Subsection~\ref{subsection:acmexampleinstall}).
2990 \section{Current Limitations}
2991 \label{section:acmlimitations}
2993 The sHype/ACM configuration for Xen is work in progress. There is
2994 ongoing work for protecting virtualized resources and planned and
2995 ongoing work for protecting access to remote resources and domains.
2996 The following sections describe limitations of some of the areas into
2997 which access control is being extended.
2999 \subsection{Network Traffic}
3000 Local and remote network traffic is currently not controlled.
3001 Solutions to add sHype/ACM policy enforcement to the virtual network
3002 exist but need to be discussed before they can become part of Xen.
3003 Subjecting external network traffic to the ACM security policy is work
3004 in progress. Manually setting up filters in domain 0 is required for
3005 now but does not scale well.
3007 \subsection{Resource Access and Usage Control}
3009 Enforcing the security policy across multiple hypervisor systems and
3010 on access to remote shared resources is work in progress. Extending
3011 access control to new types of resources is ongoing work (e.g. network
3012 storage).
3014 On a single Xen system, information about the association of resources
3015 and security labels is stored in
3016 \verb|/etc/xen/acm-security/policy/resource_labels|. This file relates
3017 a full resource path with a security label. This association is weak
3018 and will break if resources are moved or renamed without adapting the
3019 label file. Improving the protection of label-resource relationships
3020 is ongoing work.
3022 Controlling resource usage and enforcing resource limits in general is
3023 ongoing work in the Xen community.
3025 \subsection{Domain Migration}
3027 Labels on domains are enforced during domain migration and the
3028 destination hypervisor will ensure that the domain label is valid and
3029 the domain is permitted to run (considering the Chinese Wall policy
3030 rules) before it accepts the migration. However, the network between
3031 the source and destination hypervisor as well as both hypervisors must
3032 be trusted. Architectures and prototypes exist that both protect the
3033 network connection and ensure that the hypervisors enforce access
3034 control consistently but patches are not yet available for the main
3035 stream.
3037 \subsection{Covert Channels}
3039 The sHype access control aims at system independent security policies.
3040 It builds on top of the core hypervisor isolation. Any covert channels
3041 that exist in the core hypervisor or in the hardware (e.g., shared
3042 processor cache) will be inherited. If those covert channels are not
3043 the result of trade-offs between security and other system properties,
3044 then they are most effectively minimized or eliminated where they are
3045 caused. sHype offers however some means to mitigate their impact
3046 (cf. run-time exclusion rules).
3048 \part{Reference}
3050 %% Chapter Build and Boot Options
3051 \chapter{Build and Boot Options}
3053 This chapter describes the build- and boot-time options which may be
3054 used to tailor your Xen system.
3056 \section{Top-level Configuration Options}
3058 Top-level configuration is achieved by editing one of two
3059 files: \path{Config.mk} and \path{Makefile}.
3061 The former allows the overall build target architecture to be
3062 specified. You will typically not need to modify this unless
3063 you are cross-compiling or if you wish to build a PAE-enabled
3064 Xen system. Additional configuration options are documented
3065 in the \path{Config.mk} file.
3067 The top-level \path{Makefile} is chiefly used to customize the set of
3068 kernels built. Look for the line:
3069 \begin{quote}
3070 \begin{verbatim}
3071 KERNELS ?= linux-2.6-xen0 linux-2.6-xenU
3072 \end{verbatim}
3073 \end{quote}
3075 Allowable options here are any kernels which have a corresponding
3076 build configuration file in the \path{buildconfigs/} directory.
3080 \section{Xen Build Options}
3082 Xen provides a number of build-time options which should be set as
3083 environment variables or passed on make's command-line.
3085 \begin{description}
3086 \item[verbose=y] Enable debugging messages when Xen detects an
3087 unexpected condition. Also enables console output from all domains.
3088 \item[debug=y] Enable debug assertions. Implies {\bf verbose=y}.
3089 (Primarily useful for tracing bugs in Xen).
3090 \item[debugger=y] Enable the in-Xen debugger. This can be used to
3091 debug Xen, guest OSes, and applications.
3092 \item[perfc=y] Enable performance counters for significant events
3093 within Xen. The counts can be reset or displayed on Xen's console
3094 via console control keys.
3095 \end{description}
3098 \section{Xen Boot Options}
3099 \label{s:xboot}
3101 These options are used to configure Xen's behaviour at runtime. They
3102 should be appended to Xen's command line, either manually or by
3103 editing \path{grub.conf}.
3105 \begin{description}
3106 \item [ noreboot ] Don't reboot the machine automatically on errors.
3107 This is useful to catch debug output if you aren't catching console
3108 messages via the serial line.
3109 \item [ nosmp ] Disable SMP support. This option is implied by
3110 `ignorebiostables'.
3111 \item [ watchdog ] Enable NMI watchdog which can report certain
3112 failures.
3113 \item [ noirqbalance ] Disable software IRQ balancing and affinity.
3114 This can be used on systems such as Dell 1850/2850 that have
3115 workarounds in hardware for IRQ-routing issues.
3116 \item [ badpage=$<$page number$>$,$<$page number$>$, \ldots ] Specify
3117 a list of pages not to be allocated for use because they contain bad
3118 bytes. For example, if your memory tester says that byte 0x12345678
3119 is bad, you would place `badpage=0x12345' on Xen's command line.
3120 \item [ com1=$<$baud$>$,DPS,$<$io\_base$>$,$<$irq$>$
3121 com2=$<$baud$>$,DPS,$<$io\_base$>$,$<$irq$>$ ] \mbox{}\\
3122 Xen supports up to two 16550-compatible serial ports. For example:
3123 `com1=9600, 8n1, 0x408, 5' maps COM1 to a 9600-baud port, 8 data
3124 bits, no parity, 1 stop bit, I/O port base 0x408, IRQ 5. If some
3125 configuration options are standard (e.g., I/O base and IRQ), then
3126 only a prefix of the full configuration string need be specified. If
3127 the baud rate is pre-configured (e.g., by the bootloader) then you
3128 can specify `auto' in place of a numeric baud rate.
3129 \item [ console=$<$specifier list$>$ ] Specify the destination for Xen
3130 console I/O. This is a comma-separated list of, for example:
3131 \begin{description}
3132 \item[ vga ] Use VGA console (only until domain 0 boots, unless {\bf
3133 vga[keep] } is specified).
3134 \item[ com1 ] Use serial port com1.
3135 \item[ com2H ] Use serial port com2. Transmitted chars will have the
3136 MSB set. Received chars must have MSB set.
3137 \item[ com2L] Use serial port com2. Transmitted chars will have the
3138 MSB cleared. Received chars must have MSB cleared.
3139 \end{description}
3140 The latter two examples allow a single port to be shared by two
3141 subsystems (e.g.\ console and debugger). Sharing is controlled by
3142 MSB of each transmitted/received character. [NB. Default for this
3143 option is `com1,vga']
3144 \item [ sync\_console ] Force synchronous console output. This is
3145 useful if you system fails unexpectedly before it has sent all
3146 available output to the console. In most cases Xen will
3147 automatically enter synchronous mode when an exceptional event
3148 occurs, but this option provides a manual fallback.
3149 \item [ conswitch=$<$switch-char$><$auto-switch-char$>$ ] Specify how
3150 to switch serial-console input between Xen and DOM0. The required
3151 sequence is CTRL-$<$switch-char$>$ pressed three times. Specifying
3152 the backtick character disables switching. The
3153 $<$auto-switch-char$>$ specifies whether Xen should auto-switch
3154 input to DOM0 when it boots --- if it is `x' then auto-switching is
3155 disabled. Any other value, or omitting the character, enables
3156 auto-switching. [NB. Default switch-char is `a'.]
3157 \item [ nmi=xxx ]
3158 Specify what to do with an NMI parity or I/O error. \\
3159 `nmi=fatal': Xen prints a diagnostic and then hangs. \\
3160 `nmi=dom0': Inform DOM0 of the NMI. \\
3161 `nmi=ignore': Ignore the NMI.
3162 \item [ mem=xxx ] Set the physical RAM address limit. Any RAM
3163 appearing beyond this physical address in the memory map will be
3164 ignored. This parameter may be specified with a B, K, M or G suffix,
3165 representing bytes, kilobytes, megabytes and gigabytes respectively.
3166 The default unit, if no suffix is specified, is kilobytes.
3167 \item [ dom0\_mem=xxx ] Set the amount of memory to be allocated to
3168 domain0. In Xen 3.x the parameter may be specified with a B, K, M or
3169 G suffix, representing bytes, kilobytes, megabytes and gigabytes
3170 respectively; if no suffix is specified, the parameter defaults to
3171 kilobytes. In previous versions of Xen, suffixes were not supported
3172 and the value is always interpreted as kilobytes.
3173 \item [ tbuf\_size=xxx ] Set the size of the per-cpu trace buffers, in
3174 pages (default 0).
3175 \item [ sched=xxx ] Select the CPU scheduler Xen should use. The
3176 current possibilities are `credit' (default), `sedf', and `bvt'.
3177 \item [ apic\_verbosity=debug,verbose ] Print more detailed
3178 information about local APIC and IOAPIC configuration.
3179 \item [ lapic ] Force use of local APIC even when left disabled by
3180 uniprocessor BIOS.
3181 \item [ nolapic ] Ignore local APIC in a uniprocessor system, even if
3182 enabled by the BIOS.
3183 \item [ apic=bigsmp,default,es7000,summit ] Specify NUMA platform.
3184 This can usually be probed automatically.
3185 \end{description}
3187 In addition, the following options may be specified on the Xen command
3188 line. Since domain 0 shares responsibility for booting the platform,
3189 Xen will automatically propagate these options to its command line.
3190 These options are taken from Linux's command-line syntax with
3191 unchanged semantics.
3193 \begin{description}
3194 \item [ acpi=off,force,strict,ht,noirq,\ldots ] Modify how Xen (and
3195 domain 0) parses the BIOS ACPI tables.
3196 \item [ acpi\_skip\_timer\_override ] Instruct Xen (and domain~0) to
3197 ignore timer-interrupt override instructions specified by the BIOS
3198 ACPI tables.
3199 \item [ noapic ] Instruct Xen (and domain~0) to ignore any IOAPICs
3200 that are present in the system, and instead continue to use the
3201 legacy PIC.
3202 \end{description}
3205 \section{XenLinux Boot Options}
3207 In addition to the standard Linux kernel boot options, we support:
3208 \begin{description}
3209 \item[ xencons=xxx ] Specify the device node to which the Xen virtual
3210 console driver is attached. The following options are supported:
3211 \begin{center}
3212 \begin{tabular}{l}
3213 `xencons=off': disable virtual console \\
3214 `xencons=tty': attach console to /dev/tty1 (tty0 at boot-time) \\
3215 `xencons=ttyS': attach console to /dev/ttyS0
3216 \end{tabular}
3217 \end{center}
3218 The default is ttyS for dom0 and tty for all other domains.
3219 \end{description}
3222 %% Chapter Further Support
3223 \chapter{Further Support}
3225 If you have questions that are not answered by this manual, the
3226 sources of information listed below may be of interest to you. Note
3227 that bug reports, suggestions and contributions related to the
3228 software (or the documentation) should be sent to the Xen developers'
3229 mailing list (address below).
3232 \section{Other Documentation}
3234 For developers interested in porting operating systems to Xen, the
3235 \emph{Xen Interface Manual} is distributed in the \path{docs/}
3236 directory of the Xen source distribution.
3239 \section{Online References}
3241 The official Xen web site can be found at:
3242 \begin{quote} {\tt http://www.xensource.com}
3243 \end{quote}
3245 This contains links to the latest versions of all online
3246 documentation, including the latest version of the FAQ.
3248 Information regarding Xen is also available at the Xen Wiki at
3249 \begin{quote} {\tt http://wiki.xensource.com/xenwiki/}\end{quote}
3250 The Xen project uses Bugzilla as its bug tracking system. You'll find
3251 the Xen Bugzilla at http://bugzilla.xensource.com/bugzilla/.
3254 \section{Mailing Lists}
3256 There are several mailing lists that are used to discuss Xen related
3257 topics. The most widely relevant are listed below. An official page of
3258 mailing lists and subscription information can be found at \begin{quote}
3259 {\tt http://lists.xensource.com/} \end{quote}
3261 \begin{description}
3262 \item[xen-devel@lists.xensource.com] Used for development
3263 discussions and bug reports. Subscribe at: \\
3264 {\small {\tt http://lists.xensource.com/xen-devel}}
3265 \item[xen-users@lists.xensource.com] Used for installation and usage
3266 discussions and requests for help. Subscribe at: \\
3267 {\small {\tt http://lists.xensource.com/xen-users}}
3268 \item[xen-announce@lists.xensource.com] Used for announcements only.
3269 Subscribe at: \\
3270 {\small {\tt http://lists.xensource.com/xen-announce}}
3271 \item[xen-changelog@lists.xensource.com] Changelog feed
3272 from the unstable and 2.0 trees - developer oriented. Subscribe at: \\
3273 {\small {\tt http://lists.xensource.com/xen-changelog}}
3274 \end{description}
3278 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
3280 \appendix
3282 \chapter{Unmodified (VMX) guest domains in Xen with Intel\textregistered Virtualization Technology (VT)}
3284 Xen supports guest domains running unmodified Guest operating systems using Virtualization Technology (VT) available on recent Intel Processors. More information about the Intel Virtualization Technology implementing Virtual Machine Extensions (VMX) in the processor is available on the Intel website at \\
3285 {\small {\tt http://www.intel.com/technology/computing/vptech}}
3287 \section{Building Xen with VT support}
3289 The following packages need to be installed in order to build Xen with VT support. Some Linux distributions do not provide these packages by default.
3291 \begin{tabular}{lp{11.0cm}}
3292 {\bfseries Package} & {\bfseries Description} \\
3294 dev86 & The dev86 package provides an assembler and linker for real mode 80x86 instructions. You need to have this package installed in order to build the BIOS code which runs in (virtual) real mode.
3296 If the dev86 package is not available on the x86\_64 distribution, you can install the i386 version of it. The dev86 rpm package for various distributions can be found at {\scriptsize {\tt http://www.rpmfind.net/linux/rpm2html/search.php?query=dev86\&submit=Search}} \\
3298 LibVNCServer & The unmodified guest's VGA display, keyboard, and mouse can be virtualized by the vncserver library. You can get the sources of libvncserver from {\small {\tt http://sourceforge.net/projects/libvncserver}}. Build and install the sources on the build system to get the libvncserver library. There is a significant performance degradation in 0.8 version. The current sources in the CVS tree have fixed this degradation. So it is highly recommended to download the latest CVS sources and install them.\\
3300 SDL-devel, SDL & Simple DirectMedia Layer (SDL) is another way of virtualizing the unmodified guest console. It provides an X window for the guest console.
3302 If the SDL and SDL-devel packages are not installed by default on the build system, they can be obtained from {\scriptsize {\tt http://www.rpmfind.net/linux/rpm2html/search.php?query=SDL\&amp;submit=Search}}
3303 , {\scriptsize {\tt http://www.rpmfind.net/linux/rpm2html/search.php?query=SDL-devel\&submit=Search}} \\
3305 \end{tabular}
3307 \section{Configuration file for unmodified VMX guests}
3309 The Xen installation includes a sample configuration file, {\small {\tt /etc/xen/xmexample.vmx}}. There are comments describing all the options. In addition to the common options that are the same as those for paravirtualized guest configurations, VMX guest configurations have the following settings:
3311 \begin{tabular}{lp{11.0cm}}
3313 {\bfseries Parameter} & {\bfseries Description} \\
3315 kernel & The VMX firmware loader, {\small {\tt /usr/lib/xen/boot/vmxloader}}\\
3317 builder & The domain build function. The VMX domain uses the vmx builder.\\
3319 acpi & Enable VMX guest ACPI, default=0 (disabled)\\
3321 apic & Enable VMX guest APIC, default=0 (disabled)\\
3323 pae & Enable VMX guest PAE, default=0 (disabled)\\
3325 vif & Optionally defines MAC address and/or bridge for the network interfaces. Random MACs are assigned if not given. {\small {\tt type=ioemu}} means ioemu is used to virtualize the VMX NIC. If no type is specified, vbd is used, as with paravirtualized guests.\\
3327 disk & Defines the disk devices you want the domain to have access to, and what you want them accessible as. If using a physical device as the VMX guest's disk, each disk entry is of the form
3329 {\small {\tt phy:UNAME,ioemu:DEV,MODE,}}
3331 where UNAME is the device, DEV is the device name the domain will see, and MODE is r for read-only, w for read-write. ioemu means the disk will use ioemu to virtualize the VMX disk. If not adding ioemu, it uses vbd like paravirtualized guests.
3333 If using disk image file, its form should be like
3335 {\small {\tt file:FILEPATH,ioemu:DEV,MODE}}
3337 If using more than one disk, there should be a comma between each disk entry. For example:
3339 {\scriptsize {\tt disk = ['file:/var/images/image1.img,ioemu:hda,w', 'file:/var/images/image2.img,ioemu:hdb,w']}}\\
3341 cdrom & Disk image for CD-ROM. The default is {\small {\tt /dev/cdrom}} for Domain0. Inside the VMX domain, the CD-ROM will available as device {\small {\tt /dev/hdc}}. The entry can also point to an ISO file.\\
3343 boot & Boot from floppy (a), hard disk (c) or CD-ROM (d). For example, to boot from CD-ROM, the entry should be:
3345 boot='d'\\
3347 device\_model & The device emulation tool for VMX guests. This parameter should not be changed.\\
3349 sdl & Enable SDL library for graphics, default = 0 (disabled)\\
3351 vnc & Enable VNC library for graphics, default = 1 (enabled)\\
3353 vncviewer & Enable spawning of the vncviewer (only valid when vnc=1), default = 1 (enabled)
3355 If vnc=1 and vncviewer=0, user can use vncviewer to manually connect VMX from remote. For example:
3357 {\small {\tt vncviewer domain0\_IP\_address:VMX\_domain\_id}} \\
3359 ne2000 & Enable ne2000, default = 0 (disabled; use pcnet)\\
3361 serial & Enable redirection of VMX serial output to pty device\\
3363 \end{tabular}
3365 \begin{tabular}{lp{10cm}}
3367 usb & Enable USB support without defining a specific USB device.
3368 This option defaults to 0 (disabled) unless the option usbdevice is
3369 specified in which case this option then defaults to 1 (enabled).\\
3371 usbdevice & Enable USB support and also enable support for the given
3372 device. Devices that can be specified are {\small {\tt mouse}} (a PS/2 style
3373 mouse), {\small {\tt tablet}} (an absolute pointing device) and
3374 {\small {\tt host:id1:id2}} (a physical USB device on the host machine whose
3375 ids are {\small {\tt id1}} and {\small {\tt id2}}). The advantage
3376 of {\small {\tt tablet}} is that Windows guests will automatically recognize
3377 and support this device so specifying the config line
3379 {\small
3380 \begin{verbatim}
3381 usbdevice='tablet'
3382 \end{verbatim}
3385 will create a mouse that works transparently with Windows guests under VNC.
3386 Linux doesn't recognize the USB tablet yet so Linux guests under VNC will
3387 still need the Summagraphics emulation.
3388 Details about mouse emulation are provided in section \textbf{A.4.3}.\\
3390 localtime & Set the real time clock to local time [default=0, that is, set to UTC].\\
3392 enable-audio & Enable audio support. This is under development.\\
3394 full-screen & Start in full screen. This is under development.\\
3396 nographic & Another way to redirect serial output. If enabled, no 'sdl' or 'vnc' can work. Not recommended.\\
3398 \end{tabular}
3401 \section{Creating virtual disks from scratch}
3402 \subsection{Using physical disks}
3403 If you are using a physical disk or physical disk partition, you need to install a Linux OS on the disk first. Then the boot loader should be installed in the correct place. For example {\small {\tt dev/sda}} for booting from the whole disk, or {\small {\tt /dev/sda1}} for booting from partition 1.
3405 \subsection{Using disk image files}
3406 You need to create a large empty disk image file first; then, you need to install a Linux OS onto it. There are two methods you can choose. One is directly installing it using a VMX guest while booting from the OS installation CD-ROM. The other is copying an installed OS into it. The boot loader will also need to be installed.
3408 \subsubsection*{To create the image file:}
3409 The image size should be big enough to accommodate the entire OS. This example assumes the size is 1G (which is probably too small for most OSes).
3411 {\small {\tt \# dd if=/dev/zero of=hd.img bs=1M count=1 seek=1023}}
3413 \subsubsection*{To directly install Linux OS into an image file using a VMX guest:}
3415 Install Xen and create VMX with the original image file with booting from CD-ROM. Then it is just like a normal Linux OS installation. The VMX configuration file should have these two entries before creating:
3417 {\small {\tt cdrom='/dev/cdrom'
3418 boot='d'}}
3420 If this method does not succeed, you can choose the following method of copying an installed Linux OS into an image file.
3422 \subsubsection*{To copy a installed OS into an image file:}
3423 Directly installing is an easier way to make partitions and install an OS in a disk image file. But if you want to create a specific OS in your disk image, then you will most likely want to use this method.
3425 \begin{enumerate}
3426 \item {\bfseries Install a normal Linux OS on the host machine}\\
3427 You can choose any way to install Linux, such as using yum to install Red Hat Linux or YAST to install Novell SuSE Linux. The rest of this example assumes the Linux OS is installed in {\small {\tt /var/guestos/}}.
3429 \item {\bfseries Make the partition table}\\
3430 The image file will be treated as hard disk, so you should make the partition table in the image file. For example:
3432 {\scriptsize {\tt \# losetup /dev/loop0 hd.img\\
3433 \# fdisk -b 512 -C 4096 -H 16 -S 32 /dev/loop0\\
3434 press 'n' to add new partition\\
3435 press 'p' to choose primary partition\\
3436 press '1' to set partition number\\
3437 press "Enter" keys to choose default value of "First Cylinder" parameter.\\
3438 press "Enter" keys to choose default value of "Last Cylinder" parameter.\\
3439 press 'w' to write partition table and exit\\
3440 \# losetup -d /dev/loop0}}
3442 \item {\bfseries Make the file system and install grub}\\
3443 {\scriptsize {\tt \# ln -s /dev/loop0 /dev/loop\\
3444 \# losetup /dev/loop0 hd.img\\
3445 \# losetup -o 16384 /dev/loop1 hd.img\\
3446 \# mkfs.ext3 /dev/loop1\\
3447 \# mount /dev/loop1 /mnt\\
3448 \# mkdir -p /mnt/boot/grub\\
3449 \# cp /boot/grub/stage* /boot/grub/e2fs\_stage1\_5 /mnt/boot/grub\\
3450 \# umount /mnt\\
3451 \# grub\\
3452 grub> device (hd0) /dev/loop\\
3453 grub> root (hd0,0)\\
3454 grub> setup (hd0)\\
3455 grub> quit\\
3456 \# rm /dev/loop\\
3457 \# losetup -d /dev/loop0\\
3458 \# losetup -d /dev/loop1}}
3460 The {\small {\tt losetup}} option {\small {\tt -o 16384}} skips the partition table in the image file. It is the number of sectors times 512. We need {\small {\tt /dev/loop}} because grub is expecting a disk device \emph{name}, where \emph{name} represents the entire disk and \emph{name1} represents the first partition.
3462 \item {\bfseries Copy the OS files to the image}\\
3463 If you have Xen installed, you can easily use {\small {\tt lomount}} instead of {\small {\tt losetup}} and {\small {\tt mount}} when coping files to some partitions. {\small {\tt lomount}} just needs the partition information.
3465 {\scriptsize {\tt \# lomount -t ext3 -diskimage hd.img -partition 1 /mnt/guest\\
3466 \# cp -ax /var/guestos/\{root,dev,var,etc,usr,bin,sbin,lib\} /mnt/guest\\
3467 \# mkdir /mnt/guest/\{proc,sys,home,tmp\}}}
3469 \item {\bfseries Edit the {\small {\tt /etc/fstab}} of the guest image}\\
3470 The fstab should look like this:
3472 {\scriptsize {\tt \# vim /mnt/guest/etc/fstab\\
3473 /dev/hda1 / ext3 defaults 1 1\\
3474 none /dev/pts devpts gid=5,mode=620 0 0\\
3475 none /dev/shm tmpfs defaults 0 0\\
3476 none /proc proc defaults 0 0\\
3477 none /sys sysfs efaults 0 0}}
3479 \item {\bfseries umount the image file}\\
3480 {\small {\tt \# umount /mnt/guest}}
3481 \end{enumerate}
3483 Now, the guest OS image {\small {\tt hd.img}} is ready. You can also reference {\small {\tt http://free.oszoo.org}} for quickstart images. But make sure to install the boot loader.
3485 \subsection{Install Windows into an Image File using a VMX guest}
3486 In order to install a Windows OS, you should keep {\small {\tt acpi=0}} in your VMX configuration file.
3488 \section{VMX Guests}
3489 \subsection{Editing the Xen VMX config file}
3490 Make a copy of the example VMX configuration file {\small {\tt /etc/xen/xmeaxmple.vmx}} and edit the line that reads
3492 {\small {\tt disk = [ 'file:/var/images/\emph{guest.img},ioemu:hda,w' ]}}
3494 replacing \emph{guest.img} with the name of the guest OS image file you just made.
3496 \subsection{Creating VMX guests}
3497 Simply follow the usual method of creating the guest, using the -f parameter and providing the filename of your VMX configuration file:\\
3499 {\small {\tt \# xend start\\
3500 \# xm create /etc/xen/vmxguest.vmx}}
3502 In the default configuration, VNC is on and SDL is off. Therefore VNC windows will open when VMX guests are created. If you want to use SDL to create VMX guests, set {\small {\tt sdl=1}} in your VMX configuration file. You can also turn off VNC by setting {\small {\tt vnc=0}}.
3504 \subsection{Mouse issues, especially under VNC}
3505 Mouse handling when using VNC is a little problematic.
3506 The problem is that the VNC viewer provides a virtual pointer which is
3507 located at an absolute location in the VNC window and only absolute
3508 coordinates are provided.
3509 The VMX device model converts these absolute mouse coordinates
3510 into the relative motion deltas that are expected by the PS/2
3511 mouse driver running in the guest.
3512 Unfortunately,
3513 it is impossible to keep these generated mouse deltas
3514 accurate enough for the guest cursor to exactly match
3515 the VNC pointer.
3516 This can lead to situations where the guest's cursor
3517 is in the center of the screen and there's no way to
3518 move that cursor to the left
3519 (it can happen that the VNC pointer is at the left
3520 edge of the screen and,
3521 therefore,
3522 there are no longer any left mouse deltas that
3523 can be provided by the device model emulation code.)
3525 To deal with these mouse issues there are 4 different
3526 mouse emulations available from the VMX device model:
3528 \begin{description}
3529 \item[PS/2 mouse over the PS/2 port.]
3530 This is the default mouse
3531 that works perfectly well under SDL.
3532 Under VNC the guest cursor will get
3533 out of sync with the VNC pointer.
3534 When this happens you can re-synchronize
3535 the guest cursor to the VNC pointer by
3536 holding down the
3537 \textbf{left-ctl}
3538 and
3539 \textbf{left-alt}
3540 keys together.
3541 While these keys are down VNC pointer motions
3542 will not be reported to the guest so
3543 that the VNC pointer can be moved
3544 to a place where it is possible
3545 to move the guest cursor again.
3547 \item[Summagraphics mouse over the serial port.]
3548 The device model also provides emulation
3549 for a Summagraphics tablet,
3550 an absolute pointer device.
3551 This emulation is provided over the second
3552 serial port,
3553 \textbf{/dev/ttyS1}
3554 for Linux guests and
3555 \textbf{COM2}
3556 for Windows guests.
3557 Unfortunately,
3558 neither Linux nor Windows provides
3559 default support for the Summagraphics
3560 tablet so the guest will have to be
3561 manually configured for this mouse.
3563 \textbf{Linux configuration.}
3565 First,
3566 configure the GPM service to use the Summagraphics tablet.
3567 This can vary between distributions but,
3568 typically,
3569 all that needs to be done is modify the file
3570 \path{/etc/sysconfig/mouse} to contain the lines:
3572 {\small
3573 \begin{verbatim}
3574 MOUSETYPE="summa"
3576 DEVICE=/dev/ttyS1
3577 \end{verbatim}
3580 and then restart the GPM daemon.
3582 Next,
3583 modify the X11 config
3584 \path{/etc/X11/xorg.conf}
3585 to support the Summgraphics tablet by replacing
3586 the input device stanza with the following:
3588 {\small
3589 \begin{verbatim}
3590 Section "InputDevice"
3591 Identifier "Mouse0"
3592 Driver "summa"
3593 Option "Device" "/dev/ttyS1"
3594 Option "InputFashion" "Tablet"
3595 Option "Mode" "Absolute"
3596 Option "Name" "EasyPen"
3597 Option "Compatible" "True"
3598 Option "Protocol" "Auto"
3599 Option "SendCoreEvents" "on"
3600 Option "Vendor" "GENIUS"
3601 EndSection
3602 \end{verbatim}
3605 Restart X and the X cursor should now properly
3606 track the VNC pointer.
3609 \textbf{Windows configuration.}
3611 Get the file
3612 \path{http://www.cad-plan.de/files/download/tw2k.exe}
3613 and execute that file on the guest,
3614 answering the questions as follows:
3616 \begin{enumerate}
3617 \item When the program asks for \textbf{model},
3618 scroll down and selese \textbf{SummaSketch (MM Compatible)}.
3620 \item When the program asks for \textbf{COM Port} specify \textbf{com2}.
3622 \item When the programs asks for a \textbf{Cursor Type} specify
3623 \textbf{4 button cursor/puck}.
3625 \item The guest system will then reboot and,
3626 when it comes back up,
3627 the guest cursor will now properly track
3628 the VNC pointer.
3629 \end{enumerate}
3631 \item[PS/2 mouse over USB port.]
3632 This is just the same PS/2 emulation except it is
3633 provided over a USB port.
3634 This emulation is enabled by the configuration flag:
3635 {\small
3636 \begin{verbatim}
3637 usbdevice='mouse'
3638 \end{verbatim}
3641 \item[USB tablet over USB port.]
3642 The USB tablet is an absolute pointing device
3643 that has the advantage that it is automatically
3644 supported under Windows guests,
3645 although Linux guests still require some
3646 manual configuration.
3647 This mouse emulation is enabled by the
3648 configuration flag:
3649 {\small
3650 \begin{verbatim}
3651 usbdevice='tablet'
3652 \end{verbatim}
3655 \textbf{Linux configuration.}
3657 Unfortunately,
3658 there is no GPM support for the
3659 USB tablet at this point in time.
3660 If you intend to use a GPM pointing
3661 device under VNC you should
3662 configure the guest for Summagraphics
3663 emulation.
3665 Support for X11 is available by following
3666 the instructions at\\
3667 \verb+http://stz-softwaretechnik.com/~ke/touchscreen/evtouch.html+\\
3668 with one minor change.
3669 The
3670 \path{xorg.conf}
3671 given in those instructions
3672 uses the wrong values for the X \& Y minimums and maximums,
3673 use the following config stanza instead:
3675 {\small
3676 \begin{verbatim}
3677 Section "InputDevice"
3678 Identifier "Tablet"
3679 Driver "evtouch"
3680 Option "Device" "/dev/input/event2"
3681 Option "DeviceName" "touchscreen"
3682 Option "MinX" "0"
3683 Option "MinY" "0"
3684 Option "MaxX" "32256"
3685 Option "MaxY" "32256"
3686 Option "ReportingMode" "Raw"
3687 Option "Emulate3Buttons"
3688 Option "Emulate3Timeout" "50"
3689 Option "SendCoreEvents" "On"
3690 EndSection
3691 \end{verbatim}
3694 \textbf{Windows configuration.}
3696 Just enabling the USB tablet in the
3697 guest's configuration file is sufficient,
3698 Windows will automatically recognize and
3699 configure device drivers for this
3700 pointing device.
3702 \end{description}
3704 \subsection{USB Support}
3705 There is support for an emulated USB mouse,
3706 an emulated USB tablet
3707 and physical low speed USB devices
3708 (support for high speed USB 2.0 devices is
3709 still under development).
3711 \begin{description}
3712 \item[USB PS/2 style mouse.]
3713 Details on the USB mouse emulation are
3714 given in sections
3715 \textbf{A.2}
3716 and
3717 \textbf{A.4.3}.
3718 Enabling USB PS/2 style mouse emulation
3719 is just a matter of adding the line
3721 {\small
3722 \begin{verbatim}
3723 usbdevice='mouse'
3724 \end{verbatim}
3727 to the configuration file.
3728 \item[USB tablet.]
3729 Details on the USB tablet emulation are
3730 given in sections
3731 \textbf{A.2}
3732 and
3733 \textbf{A.4.3}.
3734 Enabling USB tablet emulation
3735 is just a matter of adding the line
3737 {\small
3738 \begin{verbatim}
3739 usbdevice='tablet'
3740 \end{verbatim}
3743 to the configuration file.
3744 \item[USB physical devices.]
3745 Access to a physical (low speed) USB device
3746 is enabled by adding a line of the form
3748 {\small
3749 \begin{verbatim}
3750 usbdevice='host:vid:pid'
3751 \end{verbatim}
3754 into the the configuration file.\footnote{
3755 There is an alternate
3756 way of specifying a USB device that
3757 uses the syntax
3758 \textbf{host:bus.addr}
3759 but this syntax suffers from
3760 a major problem that makes
3761 it effectively useless.
3762 The problem is that the
3763 \textbf{addr}
3764 portion of this address
3765 changes every time the USB device
3766 is plugged into the system.
3767 For this reason this addressing
3768 scheme is not recommended and
3769 will not be documented further.
3771 \textbf{vid}
3772 and
3773 \textbf{pid}
3774 are a
3775 product id and
3776 vendor id
3777 that uniquely identify
3778 the USB device.
3779 These ids can be identified
3780 in two ways:
3782 \begin{enumerate}
3783 \item Through the control window.
3784 As described in section
3785 \textbf{A.4.6}
3786 the control window
3787 is activated by pressing
3788 \textbf{ctl-alt-2}
3789 in the guest VGA window.
3790 As long as USB support is
3791 enabled in the guest by including
3792 the config file line
3793 {\small
3794 \begin{verbatim}
3795 usb=1
3796 \end{verbatim}
3798 then executing the command
3799 {\small
3800 \begin{verbatim}
3801 info usbhost
3802 \end{verbatim}
3804 in the control window
3805 will display a list of all
3806 usb devices and their ids.
3807 For example,
3808 this output:
3809 {\small
3810 \begin{verbatim}
3811 Device 1.3, speed 1.5 Mb/s
3812 Class 00: USB device 04b3:310b
3813 \end{verbatim}
3815 was created from a USB mouse with
3816 vendor id
3817 \textbf{04b3}
3818 and product id
3819 \textbf{310b}.
3820 This device could be made available
3821 to the VMX guest by including the
3822 config file entry
3823 {\small
3824 \begin{verbatim}
3825 usbdevice='host:04be:310b'
3826 \end{verbatim}
3829 It is also possible to
3830 enable access to a USB
3831 device dynamically through
3832 the control window.
3833 The control window command
3834 {\small
3835 \begin{verbatim}
3836 usb_add host:vid:pid
3837 \end{verbatim}
3839 will also allow access to a
3840 USB device with vendor id
3841 \textbf{vid}
3842 and product id
3843 \textbf{pid}.
3844 \item Through the
3845 \path{/proc} file system.
3846 The contents of the pseudo file
3847 \path{/proc/bus/usb/devices}
3848 can also be used to identify
3849 vendor and product ids.
3850 Looking at this file,
3851 the line starting with
3852 \textbf{P:}
3853 has a field
3854 \textbf{Vendor}
3855 giving the vendor id and
3856 another field
3857 \textbf{ProdID}
3858 giving the product id.
3859 The contents of
3860 \path{/proc/bus/usb/devices}
3861 for the example mouse is as
3862 follows:
3863 {\small
3864 \begin{verbatim}
3865 T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=1.5 MxCh= 0
3866 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
3867 P: Vendor=04b3 ProdID=310b Rev= 1.60
3868 C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=100mA
3869 I: If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=02 Driver=(none)
3870 E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=10ms
3871 \end{verbatim}
3873 Note that the
3874 \textbf{P:}
3875 line correctly identifies the
3876 vendor id and product id
3877 for this mouse as
3878 \textbf{04b3:310b}.
3879 \end{enumerate}
3880 There is one other issue to
3881 be aware of when accessing a
3882 physical USB device from the guest.
3883 The Dom0 kernel must not have
3884 a device driver loaded for
3885 the device that the guest wishes
3886 to access.
3887 This means that the Dom0
3888 kernel must not have that
3889 device driver compiled into
3890 the kernel or,
3891 if using modules,
3892 that driver module must
3893 not be loaded.
3894 Note that this is the device
3895 specific USB driver that must
3896 not be loaded,
3897 either the
3898 \textbf{UHCI}
3899 or
3900 \textbf{OHCI}
3901 USB controller driver must
3902 still be loaded.
3904 Going back to the USB mouse
3905 as an example,
3906 if \textbf{lsmod}
3907 gives the output:
3909 {\small
3910 \begin{verbatim}
3911 Module Size Used by
3912 usbmouse 4128 0
3913 usbhid 28996 0
3914 uhci_hcd 35409 0
3915 \end{verbatim}
3918 then the USB mouse is being
3919 used by the Dom0 kernel and is
3920 not available to the guest.
3921 Executing the command
3922 \textbf{rmmod usbhid}\footnote{
3923 Turns out the
3924 \textbf{usbhid}
3925 driver is the significant
3926 one for the USB mouse,
3927 the presence or absence of
3928 the module
3929 \textbf{usbmouse}
3930 has no effect on whether or
3931 not the guest can see a USB mouse.}
3932 will remove the USB mouse
3933 driver from the Dom0 kernel
3934 and the mouse will now be
3935 accessible by the VMX guest.
3937 Be aware the the Linux USB
3938 hotplug system will reload
3939 the drivers if a USB device
3940 is removed and plugged back
3941 in.
3942 This means that just unloading
3943 the driver module might not
3944 be sufficient if the USB device
3945 is removed and added back.
3946 A more reliable technique is
3947 to first
3948 \textbf{rmmod}
3949 the driver and then rename the
3950 driver file in the
3951 \path{/lib/modules}
3952 directory,
3953 just to make sure it doesn't get
3954 reloaded.
3955 \end{description}
3957 \subsection{Destroy VMX guests}
3958 VMX guests can be destroyed in the same way as can paravirtualized guests. We recommend that you type the command
3960 {\small {\tt poweroff}}
3962 in the VMX guest's console first to prevent data loss. Then execute the command
3964 {\small {\tt xm destroy \emph{vmx\_guest\_id} }}
3966 at the Domain0 console.
3968 \subsection{VMX window (X or VNC) Hot Key}
3969 If you are running in the X environment after creating a VMX guest, an X window is created. There are several hot keys for control of the VMX guest that can be used in the window.
3971 {\bfseries Ctrl+Alt+2} switches from guest VGA window to the control window. Typing {\small {\tt help }} shows the control commands help. For example, 'q' is the command to destroy the VMX guest.\\
3972 {\bfseries Ctrl+Alt+1} switches back to VMX guest's VGA.\\
3973 {\bfseries Ctrl+Alt+3} switches to serial port output. It captures serial output from the VMX guest. It works only if the VMX guest was configured to use the serial port. \\
3975 \subsection{Save/Restore and Migration}
3976 VMX guests currently cannot be saved and restored, nor migrated. These features are currently under active development.
3978 \chapter{Vnets - Domain Virtual Networking}
3980 Xen optionally supports virtual networking for domains using {\em vnets}.
3981 These emulate private LANs that domains can use. Domains on the same
3982 vnet can be hosted on the same machine or on separate machines, and the
3983 vnets remain connected if domains are migrated. Ethernet traffic
3984 on a vnet is tunneled inside IP packets on the physical network. A vnet is a virtual
3985 network and addressing within it need have no relation to addressing on
3986 the underlying physical network. Separate vnets, or vnets and the physical network,
3987 can be connected using domains with more than one network interface and
3988 enabling IP forwarding or bridging in the usual way.
3990 Vnet support is included in \texttt{xm} and \xend:
3991 \begin{verbatim}
3992 # xm vnet-create <config>
3993 \end{verbatim}
3994 creates a vnet using the configuration in the file \verb|<config>|.
3995 When a vnet is created its configuration is stored by \xend and the vnet persists until it is
3996 deleted using
3997 \begin{verbatim}
3998 # xm vnet-delete <vnetid>
3999 \end{verbatim}
4000 The vnets \xend knows about are listed by
4001 \begin{verbatim}
4002 # xm vnet-list
4003 \end{verbatim}
4004 More vnet management commands are available using the
4005 \texttt{vn} tool included in the vnet distribution.
4007 The format of a vnet configuration file is
4008 \begin{verbatim}
4009 (vnet (id <vnetid>)
4010 (bridge <bridge>)
4011 (vnetif <vnet interface>)
4012 (security <level>))
4013 \end{verbatim}
4014 White space is not significant. The parameters are:
4015 \begin{itemize}
4016 \item \verb|<vnetid>|: vnet id, the 128-bit vnet identifier. This can be given
4017 as 8 4-digit hex numbers separated by colons, or in short form as a single 4-digit hex number.
4018 The short form is the same as the long form with the first 7 fields zero.
4019 Vnet ids must be non-zero and id 1 is reserved.
4021 \item \verb|<bridge>|: the name of a bridge interface to create for the vnet. Domains
4022 are connected to the vnet by connecting their virtual interfaces to the bridge.
4023 Bridge names are limited to 14 characters by the kernel.
4025 \item \verb|<vnetif>|: the name of the virtual interface onto the vnet (optional). The
4026 interface encapsulates and decapsulates vnet traffic for the network and is attached
4027 to the vnet bridge. Interface names are limited to 14 characters by the kernel.
4029 \item \verb|<level>|: security level for the vnet (optional). The level may be one of
4030 \begin{itemize}
4031 \item \verb|none|: no security (default). Vnet traffic is in clear on the network.
4032 \item \verb|auth|: authentication. Vnet traffic is authenticated using IPSEC
4033 ESP with hmac96.
4034 \item \verb|conf|: confidentiality. Vnet traffic is authenticated and encrypted
4035 using IPSEC ESP with hmac96 and AES-128.
4036 \end{itemize}
4037 Authentication and confidentiality are experimental and use hard-wired keys at present.
4038 \end{itemize}
4039 When a vnet is created its configuration is stored by \xend and the vnet persists until it is
4040 deleted using \texttt{xm vnet-delete <vnetid>}. The interfaces and bridges used by vnets
4041 are visible in the output of \texttt{ifconfig} and \texttt{brctl show}.
4043 \section{Example}
4044 If the file \path{vnet97.sxp} contains
4045 \begin{verbatim}
4046 (vnet (id 97) (bridge vnet97) (vnetif vnif97)
4047 (security none))
4048 \end{verbatim}
4049 Then \texttt{xm vnet-create vnet97.sxp} will define a vnet with id 97 and no security.
4050 The bridge for the vnet is called vnet97 and the virtual interface for it is vnif97.
4051 To add an interface on a domain to this vnet set its bridge to vnet97
4052 in its configuration. In Python:
4053 \begin{verbatim}
4054 vif="bridge=vnet97"
4055 \end{verbatim}
4056 In sxp:
4057 \begin{verbatim}
4058 (dev (vif (mac aa:00:00:01:02:03) (bridge vnet97)))
4059 \end{verbatim}
4060 Once the domain is started you should see its interface in the output of \texttt{brctl show}
4061 under the ports for \texttt{vnet97}.
4063 To get best performance it is a good idea to reduce the MTU of a domain's interface
4064 onto a vnet to 1400. For example using \texttt{ifconfig eth0 mtu 1400} or putting
4065 \texttt{MTU=1400} in \texttt{ifcfg-eth0}.
4066 You may also have to change or remove cached config files for eth0 under
4067 \texttt{/etc/sysconfig/networking}. Vnets work anyway, but performance can be reduced
4068 by IP fragmentation caused by the vnet encapsulation exceeding the hardware MTU.
4070 \section{Installing vnet support}
4071 Vnets are implemented using a kernel module, which needs to be loaded before
4072 they can be used. You can either do this manually before starting \xend, using the
4073 command \texttt{vn insmod}, or configure \xend to use the \path{network-vnet}
4074 script in the xend configuration file \texttt{/etc/xend/xend-config.sxp}:
4075 \begin{verbatim}
4076 (network-script network-vnet)
4077 \end{verbatim}
4078 This script insmods the module and calls the \path{network-bridge} script.
4080 The vnet code is not compiled and installed by default.
4081 To compile the code and install on the current system
4082 use \texttt{make install} in the root of the vnet source tree,
4083 \path{tools/vnet}. It is also possible to install to an installation
4084 directory using \texttt{make dist}. See the \path{Makefile} in
4085 the source for details.
4087 The vnet module creates vnet interfaces \texttt{vnif0002},
4088 \texttt{vnif0003} and \texttt{vnif0004} by default. You can test that
4089 vnets are working by configuring IP addresses on these interfaces
4090 and trying to ping them across the network. For example, using machines
4091 hostA and hostB:
4092 \begin{verbatim}
4093 hostA# ifconfig vnif0004 up
4094 hostB# ifconfig vnif0004 up
4095 hostB# ping
4096 \end{verbatim}
4098 The vnet implementation uses IP multicast to discover vnet interfaces, so
4099 all machines hosting vnets must be reachable by multicast. Network switches
4100 are often configured not to forward multicast packets, so this often
4101 means that all machines using a vnet must be on the same LAN segment,
4102 unless you configure vnet forwarding.
4104 You can test multicast coverage by pinging the vnet multicast address:
4105 \begin{verbatim}
4106 # ping -b
4107 \end{verbatim}
4108 You should see replies from all machines with the vnet module running.
4109 You can see if vnet packets are being sent or received by dumping traffic
4110 on the vnet UDP port:
4111 \begin{verbatim}
4112 # tcpdump udp port 1798
4113 \end{verbatim}
4115 If multicast is not being forwaded between machines you can configure
4116 multicast forwarding using vn. Suppose we have machines hostA on
4117 and hostB on and that multicast is not forwarded between them.
4118 We use vn to configure each machine to forward to the other:
4119 \begin{verbatim}
4120 hostA# vn peer-add hostB
4121 hostB# vn peer-add hostA
4122 \end{verbatim}
4123 Multicast forwarding needs to be used carefully - you must avoid creating forwarding
4124 loops. Typically only one machine on a subnet needs to be configured to forward,
4125 as it will forward multicasts received from other machines on the subnet.
4127 %% Chapter Glossary of Terms moved to glossary.tex
4128 \chapter{Glossary of Terms}
4130 \begin{description}
4132 \item[BVT] The BVT scheduler is used to give proportional fair shares
4133 of the CPU to domains.
4135 \item[Domain] A domain is the execution context that contains a
4136 running {\bf virtual machine}. The relationship between virtual
4137 machines and domains on Xen is similar to that between programs and
4138 processes in an operating system: a virtual machine is a persistent
4139 entity that resides on disk (somewhat like a program). When it is
4140 loaded for execution, it runs in a domain. Each domain has a {\bf
4141 domain ID}.
4143 \item[Domain 0] The first domain to be started on a Xen machine.
4144 Domain 0 is responsible for managing the system.
4146 \item[Domain ID] A unique identifier for a {\bf domain}, analogous to
4147 a process ID in an operating system.
4149 \item[Full virtualization] An approach to virtualization which
4150 requires no modifications to the hosted operating system, providing
4151 the illusion of a complete system of real hardware devices.
4153 \item[Hypervisor] An alternative term for {\bf VMM}, used because it
4154 means `beyond supervisor', since it is responsible for managing
4155 multiple `supervisor' kernels.
4157 \item[Live migration] A technique for moving a running virtual machine
4158 to another physical host, without stopping it or the services
4159 running on it.
4161 \item[Paravirtualization] An approach to virtualization which requires
4162 modifications to the operating system in order to run in a virtual
4163 machine. Xen uses paravirtualization but preserves binary
4164 compatibility for user space applications.
4166 \item[Shadow pagetables] A technique for hiding the layout of machine
4167 memory from a virtual machine's operating system. Used in some {\bf
4168 VMMs} to provide the illusion of contiguous physical memory, in
4169 Xen this is used during {\bf live migration}.
4171 \item[Virtual Block Device] Persistant storage available to a virtual
4172 machine, providing the abstraction of an actual block storage device.
4173 {\bf VBD}s may be actual block devices, filesystem images, or
4174 remote/network storage.
4176 \item[Virtual Machine] The environment in which a hosted operating
4177 system runs, providing the abstraction of a dedicated machine. A
4178 virtual machine may be identical to the underlying hardware (as in
4179 {\bf full virtualization}, or it may differ, as in {\bf
4180 paravirtualization}).
4182 \item[VMM] Virtual Machine Monitor - the software that allows multiple
4183 virtual machines to be multiplexed on a single physical machine.
4185 \item[Xen] Xen is a paravirtualizing virtual machine monitor,
4186 developed primarily by the Systems Research Group at the University
4187 of Cambridge Computer Laboratory.
4189 \item[XenLinux] A name for the port of the Linux kernel that
4190 runs on Xen.
4192 \end{description}
4195 \end{document}
4198 %% Other stuff without a home
4200 %% Instructions Re Python API
4202 %% Other Control Tasks using Python
4203 %% ================================
4205 %% A Python module 'Xc' is installed as part of the tools-install
4206 %% process. This can be imported, and an 'xc object' instantiated, to
4207 %% provide access to privileged command operations:
4209 %% # import Xc
4210 %% # xc = Xc.new()
4211 %% # dir(xc)
4212 %% # help(xc.domain_create)
4214 %% In this way you can see that the class 'xc' contains useful
4215 %% documentation for you to consult.
4217 %% A further package of useful routines (xenctl) is also installed:
4219 %% # import xenctl.utils
4220 %% # help(xenctl.utils)
4222 %% You can use these modules to write your own custom scripts or you
4223 %% can customise the scripts supplied in the Xen distribution.
4227 % Explain about AGP GART
4230 %% If you're not intending to configure the new domain with an IP
4231 %% address on your LAN, then you'll probably want to use NAT. The
4232 %% 'xen_nat_enable' installs a few useful iptables rules into domain0
4233 %% to enable NAT. [NB: We plan to support RSIP in future]
4237 %% Installing the file systems from the CD
4238 %% =======================================
4240 %% If you haven't got an existing Linux installation onto which you
4241 %% can just drop down the Xen and Xenlinux images, then the file
4242 %% systems on the CD provide a quick way of doing an install. However,
4243 %% you would be better off in the long run doing a proper install of
4244 %% your preferred distro and installing Xen onto that, rather than
4245 %% just doing the hack described below:
4247 %% Choose one or two partitions, depending on whether you want a
4248 %% separate /usr or not. Make file systems on it/them e.g.:
4249 %% mkfs -t ext3 /dev/hda3
4250 %% [or mkfs -t ext2 /dev/hda3 && tune2fs -j /dev/hda3 if using an old
4251 %% version of mkfs]
4253 %% Next, mount the file system(s) e.g.:
4254 %% mkdir /mnt/root && mount /dev/hda3 /mnt/root
4255 %% [mkdir /mnt/usr && mount /dev/hda4 /mnt/usr]
4257 %% To install the root file system, simply untar /usr/XenDemoCD/root.tar.gz:
4258 %% cd /mnt/root && tar -zxpf /usr/XenDemoCD/root.tar.gz
4260 %% You'll need to edit /mnt/root/etc/fstab to reflect your file system
4261 %% configuration. Changing the password file (etc/shadow) is probably a
4262 %% good idea too.
4264 %% To install the usr file system, copy the file system from CD on
4265 %% /usr, though leaving out the "XenDemoCD" and "boot" directories:
4266 %% cd /usr && cp -a X11R6 etc java libexec root src bin dict kerberos
4267 %% local sbin tmp doc include lib man share /mnt/usr
4269 %% If you intend to boot off these file systems (i.e. use them for
4270 %% domain 0), then you probably want to copy the /usr/boot
4271 %% directory on the cd over the top of the current symlink to /boot
4272 %% on your root filesystem (after deleting the current symlink)
4273 %% i.e.:
4274 %% cd /mnt/root ; rm boot ; cp -a /usr/boot .