The first time I installed xen there were two kernels; this time, with 3.0.2, there is only one kernel, and everything works. I can boot my dom0 and my domU's using this one kernel, but if I want to build a custom kernel for my domU's, I am not sure from what I read how to go about it.

Will I end up with a new kernel other than my single kernel? Should I do the kernel config in the directory that I used to install xen?

Any help is appreciated,

Jon

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Jon,

You only have one kernel because in the Makefile of your Xen source directory, you probably have a line that reads:

KERNELS ?= linux-2.6-xen

If you change that to:

KERNELS ?= linux-2.6-xen0 linux-2.6-xenU

You'll have two kernels for a separate dom0 kernel and a domU kernel. Then simply type:

# make world

You'll get two kernel source directories, one for 2.6.x-xen0 and 2.6.x-xenU (for me x=16).

At this point, you can type the following to create a dom0 kernel:

# make linux-2.6-xen0-config CONFIGMODE=menuconfig
# make linux-2.6-xen0-build
# make linux-2.6-xen0-install

If you need a ramdisk to load special modules (such as SCSI drivers), create an initrd file by typing:

# mkinitrd /boot/initrd-2.6.16-xen0.img 2.6.16-xen0

To make the domU kernel:

# make linux-2.6-xenU-config CONFIGMODE=menuconfig
# make linux-2.6-xenU-build
# make linux-2.6-xenU-install

It seems the updated instructions on the Xensource site encourage people to create just one kernel, rather than two kernels, privileged and unprivileged, for dom0 and domU respectively.

Me, I don't want to use a privileged kernel for my guests. That's ludicrous. The potential security problems far outweigh the convenience that method may provide.

Hope this helps.

S

On Aug 31, 2006, at 10:21 AM, jonr@destar.net wrote:

> The first time I installed xen there were two kernels; this time,
> with 3.0.2, there is only one kernel, and everything works. I can
> boot my dom0 and my domU's using this one kernel, but if I want to
> build a custom kernel for my domU's, I am not sure from what I read
> how to go about it.
>
> Will I end up with a new kernel other than my single kernel? Should
> I do the kernel config in the directory that I used to install xen?
>
> Any help is appreciated,
>
> Jon

Hi

> Me, I don't want to use a privileged kernel for my guests.
> That's ludicrous. The potential security problems far
> outweigh the convenience that method may provide.

Can someone with inside knowledge of Xen comment on this? I don't believe there is a security problem. But I don't know the sources.

I think dom0 means that there are things compiled in which may be used for management, but using these functions requires access to the hypervisor, which I expect to be only granted to that domain that boots the system (hence dom0). So running a dom0-compiled kernel as domU will give a little unnecessary load, but NO security problem.

If the content of a kernel might change the privileges a domain has, that would mean that any kernel (and as such any kernel-mode module) running in a domU might take control of the system. I don't believe that...

Regards, Steffen

Quoting Stephen Yum <steveyum@exactimage.com>:

> Jon,
>
> You only have one kernel because in the Makefile of your Xen source
> directory, you probably have a line that reads:
>
> KERNELS ?= linux-2.6-xen
>
> If you change that to:
>
> KERNELS ?= linux-2.6-xen0 linux-2.6-xenU
>
> You'll have two kernels for a separate dom0 kernel and a domU kernel.
> Then simply type:
>
> # make world
>
> You'll get two kernel source directories, one for 2.6.x-xen0 and
> 2.6.x-xenU (for me x=16).
> At this point, you can type the following to create a dom0 kernel:
>
> # make linux-2.6-xen0-config CONFIGMODE=menuconfig
> # make linux-2.6-xen0-build
> # make linux-2.6-xen0-install
>
> If you need a ramdisk to load special modules (such as SCSI drivers),
> create an initrd file by typing:
>
> # mkinitrd /boot/initrd-2.6.16-xen0.img 2.6.16-xen0
>
> To make the domU kernel:
>
> # make linux-2.6-xenU-config CONFIGMODE=menuconfig
> # make linux-2.6-xenU-build
> # make linux-2.6-xenU-install
>
> It seems the updated instructions on the Xensource site encourage
> people to create just one kernel, rather than two kernels, privileged
> and unprivileged, for dom0 and domU respectively.
>
> Me, I don't want to use a privileged kernel for my guests. That's
> ludicrous. The potential security problems far outweigh the
> convenience that method may provide.
>
> Hope this helps.
>
> S

Stephen,

Yes, that helps tremendously. I was looking at the Makefile and noticed that line at the beginning. Is there a limit as to how many kernels I could build? Could I build a custom domU kernel for each domU?

This isn't a production box; I am just using it to experiment with VRRP, eth bonding, NATing, firewalls and VLANs, and for testing service setups/configs like sendmail, apache, bind, etc. So I would like to be able to build custom kernels with only the features I need to make it work before I migrate to a production box which doesn't use Xen.

Thanks again for the help,

Jon

Hi

> Yes that helps tremendously. I was looking at the Makefile
> and noticed that line at the beginning. Is there a limit as
> to how many kernels I could build, could I build a custom
> domU kernel for each domU?

No, why should it? And you don't have to build them all at the same time. Just build those you need at the time you need them.

Regards, Steffen
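
Added example, not part of the original thread: with separate xen0 and xenU kernels and possibly one custom kernel per guest, as discussed above, a short shell check can list which kernel each guest config boots and mark any config that does not point at a -xenU build. It assumes xm-style config files with a `kernel = "..."` line; the directory layout, guest names and kernel paths in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which kernel each Xen guest config boots.
# Assumes xm-style configs (Python syntax) containing a line such as:
#   kernel = "/boot/vmlinuz-2.6.16-xenU"

# Print "<config> <kernel> <verdict>" for every file in a config directory.
#   ok      -> kernel name ends in -xenU
#   review  -> any other kernel (for example a -xen0 or single -xen build)
#   missing -> no uncommented kernel line found
audit_domu_kernels() {
    dir=$1
    for cfg in "$dir"/*; do
        [ -f "$cfg" ] || continue
        # Last uncommented kernel assignment wins; strip the quotes.
        k=$(sed -n 's/^[[:space:]]*kernel[[:space:]]*=[[:space:]]*["'\'']\([^"'\'']*\)["'\''].*/\1/p' "$cfg" | tail -n 1)
        case $k in
            '')     verdict=missing ;;
            *-xenU) verdict=ok ;;
            *)      verdict=review ;;
        esac
        printf '%s %s %s\n' "$(basename "$cfg")" "${k:--}" "$verdict"
    done
}

# Constructed sample configs so the example runs without a Xen host.
make_sample_configs() {
    d=$(mktemp -d)
    printf 'name = "web"\nkernel = "/boot/vmlinuz-2.6.16-xenU"\nmemory = 128\n' > "$d/web"
    printf 'name = "fw"\n#kernel = "/boot/vmlinuz-2.6.16-xenU"\nkernel = "/boot/vmlinuz-2.6.16-xen0"\n' > "$d/fw"
    printf 'name = "dns"\nmemory = 64\n' > "$d/dns"
    echo "$d"
}

sample=$(make_sample_configs)
audit_domu_kernels "$sample"
rm -rf "$sample"
```

On a real host, pass the directory that holds the guest configs instead of the sample directory.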

Hi

> I wouldn't care very much about a few unnecessary load. A fat
> kernel, give or take a 100k doesn't mean jack.

Agreed, although 1M might make a difference...

> Maybe I'm totally off the wall here, but my dom0 has direct,
> low level access to hardware - namely the NICs and storage
> devices (SATA, SCSI, etc.) and the abstraction layers above
> that (RAID, LVM, etc).

Yes, your domain 0 has low level access to hardware - because it is loaded in a way by the hypervisor, which allows that. But that's a decision of the hypervisor, not of the way the kernel is built.

> Just imagine if the guests had access to the LVM layer. If
> one of the guests get rooted, they can wipe out the
> filesystems of other guests, and the host too.

That would be awful, BUT it will never happen. Even if the running kernel has such functions built in, it will never be allowed by the hypervisor to access these devices...

> Your Xen box may be in a different environment than mine. My
> box is being used for semi-production environment and is
> connected to a public network. Every domain (about 20 in
> all), except dom0, is visible from the outside via one port
> or another through a firewall that is done by one of the guests.

Yes, I am in a different environment. My box is fully in production; every domain has 1-2 public IPs, is fully reachable over the internet and is running software I cannot even control by customers of mine. They can even replace the kernel they use on their own. I leave that decision to them. It would be hazardous if that would give them a way to get control...

> They all work well. But if I were to use a privileged kernel
> for any of these guests, I don't think I'd be able to sleep at night.

Me too, but the privileges come from the hypervisor, not from the build-process.

Regards, Steffen