I've usually used the provided guest kernels at a node. What are the issues with letting XenLinux kernels travel with guest VMs?

In past Xen versions, setting a kernel to support privileged drivers or be a privileged domain (0) was a kernel config. But driver domains are not supported in Xen3 yet, as far as I understand.

In Xen2, could a guest be booted with such a configured kernel but without privileges because domain 0 did not tell the domain builder it was OK?

Someone recently told me in person that there was such a configuration, i.e., it was not only the kernel configuration but some other domain building flag, and both were required to make it happen?

Thanks,
Tim

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> In past Xen versions, setting a kernel to support privileged drivers or be a
> privileged domain (0) was a kernel config. But driver domains are not
> supported in Xen3 yet, as far as I understand.

They'll be back soonish - probably in 3.0.2, I believe.

> In Xen2, could a guest be booted with such a configured kernel but without
> privileges because domain 0 did not tell the domain builder it was OK?

Yes.

> Someone recently told me in person that there was such a configuration.
> i.e., it was not only the kernel configuration but some other domain
> building flag and both were required to make it happen?

Whether the guest knows how to access the privileged interfaces of Xen or drive real devices (these are set in the kernel config) is orthogonal to whether the guest is allowed to access those interfaces at runtime (these are part of the domain config).

The domain building setting is the important one: an unprivileged domain just *can't* see or access the real devices, no matter what its kernel contains. A domain with device access is inherently more trusted.

It's perfectly safe to use a dom0 kernel in a domU with no devices, and have Xen ensure the domU stays unprivileged.

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
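The distinction Mark draws above (kernel config says what the guest *can* drive, domain config says what Xen *lets* it drive) is something you can check mechanically before starting a domain. The script below is an added example, not code from the thread or from the Xen project: it evaluates two constructed xm-style domain configs the way xm itself did (they are Python) and reports whether each one actually grants physical hardware. The option names pci/irq/ioports/iomem are assumed from the Xen 3.x xm config format; verify them against the xm documentation for your release.

```python
# Added example: decide from an xm-style domain config whether the domain is
# being handed real hardware, independent of which kernel image it boots.
# ASSUMPTION: pci/irq/ioports/iomem are the xm options that grant physical
# device access in Xen 3.x; confirm against your version's xm docs.
HARDWARE_KEYS = ("pci", "irq", "ioports", "iomem")

# Constructed sample configs (not from the mailing list thread).
# Both boot the same dom0-capable kernel; only the second is given a device.
DOMU_WITH_DOM0_KERNEL = """
kernel = "/boot/vmlinuz-2.6-xen0"      # the very image dom0 boots
memory = 128
name   = "guest-plain"
vif    = [ '' ]                        # virtual NIC only
disk   = [ 'file:/var/xen/guest.img,sda1,w' ]  # virtual block device only
root   = "/dev/sda1 ro"
"""

DRIVER_DOMAIN = """
kernel = "/boot/vmlinuz-2.6-xen0"
memory = 128
name   = "netdrv"
pci    = [ '01:00.0' ]                 # hands a physical NIC to this domain
"""


def load_xm_config(text):
    """xm config files are Python source; evaluate into an empty namespace.

    Builtins are withheld so a config file cannot call anything; it can only
    bind names, which is all a well-formed xm config does.
    """
    ns = {}
    exec(text, {"__builtins__": {}}, ns)
    return ns


def hardware_grants(cfg):
    """Return only the options that give the domain real hardware."""
    return {k: cfg[k] for k in HARDWARE_KEYS if cfg.get(k)}


def classify(text):
    """Return (trust level, kernel path, hardware grants) for one config.

    The kernel path is reported but never consulted for the verdict: the
    verdict depends solely on what the domain config hands out.
    """
    cfg = load_xm_config(text)
    grants = hardware_grants(cfg)
    level = "device-access" if grants else "unprivileged"
    return level, cfg.get("kernel"), grants


if __name__ == "__main__":
    for label, text in (("guest-plain", DOMU_WITH_DOM0_KERNEL),
                        ("netdrv", DRIVER_DOMAIN)):
        level, kernel, grants = classify(text)
        print(f"{label}: kernel={kernel} -> {level} {grants or ''}")
```

Run stand-alone it shows the two domains booting the identical dom0 kernel but landing in different trust classes, which is exactly the point: audit the domain configs your builder accepts, not the kernel images guests carry.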
Thank you

On Mon, 20 Feb 2006 17:05:23 +0000 Mark Williamson <mark.williamson@cl.cam.ac.uk> wrote: