Hi,

I installed xen with Fedora devel (to be FC4) packages without problems.
Xen is great! Fantastic work guys!

I have a question:
What is the difference between a std Linux kernel and an xen0 one?
Except that we can run xenU instances in the xen0 one...

And is the xen0 instance different from the xenU instances? Or is it just another xenU instance in fact?

And if I run programs in the xen0 instance, will it degrade perf of xenU instances? Or render them less secure (in terms of isolation)?

Thanks for clarification of these points.
-jec

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
Anthony Liguori
2005-Feb-08 20:46 UTC
Re: [Xen-devel] Diff between std, xen0 and xenU kernel
Jean-Eric wrote:

> I have a question:
> What is the difference between a std Linux kernel and an xen0 one?
> Except that we can run xenU instances in the xen0 one...

A standard Linux kernel expects to manage its own memory, hardware, etc. A xen kernel knows that it's in a hypervisor so it makes hypercalls when it needs to deal with those sorts of things.

That's a pretty gross simplification but you can check out any number of the papers referenced on the Xen homepage for whatever level of detail you want.

> And is the xen0 instance different from the xenU instances? Or is it
> just another xenU instance in fact?

A little bit. It mostly has to do with the initrd setup code. However, I think there was a thread on a list where someone said you could in fact use a xen0 kernel within xenU if you had the right drivers enabled.

Really, the biggest difference is that xen0 domain has backend device drivers and the xenU kernel has the front-end version of those drivers.

> And if I run programs in the xen0 instance, will it degrade perf of
> xenU instances? Or render them less secure (in terms of isolation)?

It shouldn't decrease performance. Currently, xen0 is pretty much a single point of failure though. If you had a remote compromise in xen0 then an attack could bring down every other domain.

Regards,
Anthony Liguori
Mark Williamson
2005-Feb-08 21:23 UTC
Re: [Xen-devel] Diff between std, xen0 and xenU kernel
> > And is the xen0 instance different from the xenU instances? Or is it
> > just another xenU instance in fact?
>
> A little bit. It mostly has to do with the initrd setup code.

Is it not the same for both? What's different?

> However,
> I think there was a thread on a list where someone said you could in
> fact use a xen0 kernel within xenU if you had the right drivers enabled.

Xen0 kernels will run in an unprivileged domain so long as you have built in the frontend drivers (this happens by default in -testing and -stable, I think).

> Really, the biggest difference is that xen0 domain has backend device
> drivers and the xenU kernel has the front-end version of those drivers.

The Xen0 kernel also has drivers for "real" hardware, whereas the xenU kernel contains only "virtual" drivers. The xenU kernel is smaller as a result, which is the reason we provided. You don't strictly *need* the xenU kernel at all.

> > And if I run programs in the xen0 instance, will it degrade perf of
> > xenU instances? Or render them less secure (in terms of isolation)?

It won't matter to performance any more than running applications in the unprivileged instances would.

Regarding security you need to keep in mind that an attacker who gains root privileges in domain 0 will be able to get root privileges in every domain on the machine. Thus if you're running an internet-facing machine you should make sure that domain 0 exposes as few services to the internet as possible.

Cheers,
Mark
Anthony Liguori
2005-Feb-08 22:06 UTC
Re: [Xen-devel] Diff between std, xen0 and xenU kernel
Mark Williamson wrote:

>>> And is the xen0 instance different from the xenU instances? Or is it
>>> just another xenU instance in fact?
>>
>> A little bit. It mostly has to do with the initrd setup code.
>
> Is it not the same for both? What's different?

xen/arch/x86/x86_32/domain_build.c

Looking again though, I think that it's really that Xen behaves a little differently constructing domain-0 than when constructing another domain.

So just ignore what I said :-)

Regards,
Anthony Liguori
Jean-Eric Cuendet
2005-Feb-09 08:42 UTC
Re: [Xen-devel] Diff between std, xen0 and xenU kernel
>>> And if I run programs in the xen0 instance, will it degrade perf of
>>> xenU instances? Or render them less secure (in terms of isolation)?
>
> It won't matter to performance any more than running applications in the
> unprivileged instances would.
>
> Regarding security you need to keep in mind that an attacker who gains root
> privileges in domain 0 will be able to get root privileges in every domain on
> the machine. Thus if you're running an internet-facing machine you should
> make sure that domain 0 exposes as few services to the internet as possible.

That means that I should make the domain-0 as small as possible and run only, say, ssh to administer it, but nothing else.
And create other domains (which are secure and unprivileged) for real services.

Thanks for all the information.
-jec
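
The advice in this thread (domain 0 should expose as few services as possible, ideally only ssh) can be checked mechanically. The script below is an added example, not something posted by any participant: it reads listener lines in the format of `ss -H -tuln` (Linux iproute2) and reports every non-loopback listener that is not on an allowlist. The allowlist value, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag dom0 listeners that are reachable from the network
# and are not on an allowlist. Input format: `ss -H -tuln` output.

ALLOWED_PORTS="tcp/22"   # assumption: ssh is the only intended dom0 service

# Constructed sample of `ss -H -tuln` output, so the script runs offline.
sample_listeners() {
cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 64 [::1]:25 [::]:*
EOF
}

# Reads ss lines on stdin and prints "proto/port address" for each
# unexpected listener. Returns non-zero if any were found.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        proto = $1; la = $5
        port = la; sub(/.*:/, "", port)       # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*/, "", addr)                  # drop interface suffix such as %lo
        # Loopback-only listeners are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = proto "/" port
        if (!(key in ok)) { print key, addr; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample. On a real dom0: ss -H -tuln | audit_listeners
sample_listeners | audit_listeners || echo "unexpected listeners found"
```

Run periodically from dom0, a non-zero exit status is a signal that a service has appeared there that belongs in an unprivileged domain instead.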