Xen users - Mar 2007 - How can I create another privileged domian?

Hi,
We know that Domain0 is the privileged domain.Now as per the Xen
architecture we can make another DomainX (X>0) to be a privileged
domain.
Now here are a few Questions:
A) How can I make another Domain (apart from Domain0) as a privileged
host?
B) As per the architecture this new privileged domain can manage other
Domains.So Can it directly manage the drivers and can the DomainX view
the drivers of this newly created privileged domain?
C) Volume Groups(VG) can be created over the raw storage devices on
Domain0 and the other VM can access them through this Volume Group.Is
the same thing happens in the case of this newly created privileged
Domain too?

Thanks and regards
Ashit


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

So will there be two privileged domains (dom0 and domx) running at the same
time?


On 3/19/07, Ashit Kumar <Ashit_Kumar@symantec.com>
wrote:
>
> Hi,
> We know that Domain0 is the privileged domain.Now as per the Xen
> architecture we can make another DomainX (X>0) to be a privileged
domain.
>
> Now here are a few Questions:
> A) How can I make another Domain (apart from Domain0) as a privileged
> host?
> B) As per the architecture this new privileged domain can manage other
> Domains.So Can it directly manage the drivers and can the DomainX view the
> drivers of this newly created privileged domain?
>
> C) Volume Groups(VG) can be created over the raw storage devices on
> Domain0 and the other VM can access them through this Volume Group.Is the
> same thing happens in the case of this newly created privileged Domain too?
>
> Thanks and regards
> Ashit
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com 
> [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of 
> Prabhakar Chaganti
> Sent: 19 March 2007 16:33
> To: Ashit Kumar
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] How can I create another privileged domian?
> 
> So will there be two privileged domains (dom0 and domx) 
> running at the same time? 
In theory, you could have any number of privileged domains, just like
you can have multiple users with "root" privilege on a Linux (or admin
privs on Windows if you prefer). See below for practical limitation(s)
to this. 
>   
> 
> 
> On 3/19/07, Ashit Kumar < Ashit_Kumar@symantec.com 
> <mailto:Ashit_Kumar@symantec.com> > wrote:
> 
> 	Hi, 
> 	We know that Domain0 is the privileged domain.Now as 
> per the Xen architecture we can make another DomainX (X>0) to 
> be a privileged domain. 
> 
> 	Now here are a few Questions: 
> 	A) How can I make another Domain (apart from Domain0) 
> as a privileged host? 
At the moment, I don''t think there''s a way to set the flag to
make a
domain priviliged, aside from the Dom0 startup (which is integral to the
startup of Xen. 

There is of course no reason to expect this limitation to last forever -
if there''s a good reason to have multiple privileged domains, then
I''m
sure it can be pretty easily achieved. 
> 	B) As per the architecture this new privileged domain 
> can manage other Domains.So Can it directly manage the 
> drivers and can the DomainX view the drivers of this newly 
> created privileged domain?
Not sure what you''re referring to here. Drivers are available for both
privileged and unprivileged domains. The difference is that privileged
domains are allowed to perform certain operations (such as directly
mapping other domains memory) that unprivileged domains are not allowed
to perform. 

As long as the domain stays within it''s own memory space, it''s
essentially alllowed to do whatever it likes, including using whatever
drivers the kernel and/or owner sees fit. Of course, most domains don''t
have any REAL hardware to access, so many drivers that you would
normally find on a "real" system become meaningless in a system where
there is no real hardware for the driver to access (most drivers will
fail to install/load/initialize in this situation). 

Drivers that don''t need direct access to hardware (file-system drivers
for example) are perfectly fine in such a system. 

The guest domain also needs drivers for the virtualized devices, in a
para-virtual world, that is the virtual network and disk drivers. In a
fully-virtual domain, disk-drive is a regular IDE driver, with an IDE
interface inside the device-model that translates the "virtual" disk
device into requests in Dom0 to read/write to the actual device that is
"behind" the virtual wall. 
> 
> 	C) Volume Groups(VG) can be created over the raw 
> storage devices on Domain0 and the other VM can access them 
> through this Volume Group.Is the same thing happens in the 
> case of this newly created privileged Domain too? 
Volume groups (as in LVM) has nothing to do with Xen Domains at all. Of
course, normally, only Domain zero owns the physical disk/device that
you can (or would want to) create a volume group onto. But in theory,
you could probably create volume groups on top of a virtual disk that is
visible to the guest-domain. Also, assuming we have a para-virtual
domain, we could pass an entire SCSI controller (or other disk
controller) to the domain with the pci-hide/passthrough mechanism, and
let the domain handle it''s own disk entirely.

Please explain to me, if I''ve misunderstood the meaning of Volume
Groups
or in other ways not understood your question. 

--
Mats 
> 
> 	Thanks and regards 
> 	Ashit 
> 
> 
> 	_______________________________________________
> 	Xen-users mailing list
> 	Xen-users@lists.xensource.com 
> <mailto:Xen-users@lists.xensource.com> 
> 	http://lists.xensource.com/xen-users
> 	
> 
> 
> 


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

yes..There will be two privileged users Dom0 and Domx running...
Thanks and regards
Ashit

________________________________

From: Prabhakar Chaganti [mailto:pchaganti@gmail.com] 
Sent: Monday, March 19, 2007 10:03 PM
To: Ashit Kumar
Cc: xen-users@lists.xensource.com
Subject: Re: [Xen-users] How can I create another privileged domian?


So will there be two privileged domains (dom0 and domx) running at the
same time? 
  


On 3/19/07, Ashit Kumar < Ashit_Kumar@symantec.com
<mailto:Ashit_Kumar@symantec.com> > wrote: 

	Hi, 
	We know that Domain0 is the privileged domain.Now as per the Xen
architecture we can make another DomainX (X>0) to be a privileged
domain. 

	Now here are a few Questions: 
	A) How can I make another Domain (apart from Domain0) as a
privileged host? 
	B) As per the architecture this new privileged domain can manage
other Domains.So Can it directly manage the drivers and can the DomainX
view the drivers of this newly created privileged domain?

	C) Volume Groups(VG) can be created over the raw storage devices
on Domain0 and the other VM can access them through this Volume Group.Is
the same thing happens in the case of this newly created privileged
Domain too? 

	Thanks and regards 
	Ashit 


	_______________________________________________
	Xen-users mailing list
	Xen-users@lists.xensource.com
	http://lists.xensource.com/xen-users
	




_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Why do you want to do that?
What do you hope to gain?

regards
TMC

On 20/03/07, Ashit Kumar <Ashit_Kumar@symantec.com>
wrote:
>
>
> yes..There will be two privileged users Dom0 and Domx running...
> Thanks and regards
> Ashit
>
>  ________________________________
>  From: Prabhakar Chaganti [mailto:pchaganti@gmail.com]
> Sent: Monday, March 19, 2007 10:03 PM
> To: Ashit Kumar
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] How can I create another privileged domian?
>
>
> So will there be two privileged domains (dom0 and domx) running at the same
> time?
>
>
>
> On 3/19/07, Ashit Kumar < Ashit_Kumar@symantec.com> wrote:
> >
> >
> >
> > Hi,
> > We know that Domain0 is the privileged domain.Now as per the Xen
> architecture we can make another DomainX (X>0) to be a privileged
domain.
> >
> > Now here are a few Questions:
> > A) How can I make another Domain (apart from Domain0) as a privileged
> host?
> > B) As per the architecture this new privileged domain can manage other
> Domains.So Can it directly manage the drivers and can the DomainX view the
> drivers of this newly created privileged domain?
> >
> > C) Volume Groups(VG) can be created over the raw storage devices on
> Domain0 and the other VM can access them through this Volume Group.Is the
> same thing happens in the case of this newly created privileged Domain too?
> >
> > Thanks and regards
> > Ashit
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@lists.xensource.com
> > http://lists.xensource.com/xen-users
> >
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

-- 
GPG key fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
GPG public key availabe on pgp.mit .edu keyserver

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Hi Mats,
Thanks for the reply.

Mats wrote:
>>we could pass an entire SCSI controller (or other disk
>>controller) to the domain with the pci-hide/passthrough mechanism, and
let the domain handle it''s own disk entirely.

Suppose I have a two SCSI storage Controllers as 
 14:05.0 SCSI storage controller: LSI Logic / Symbios Logic 53c1030
PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 08)
 14:05.1 SCSI storage controller: LSI Logic / Symbios Logic 53c1030
PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 08)
And I want to pass 14.05.0 to DomainX,
Now if I change the grub.conf with the kernel command line as:
 root=/dev/sda4 ro console=tty0 pciback.hide=(14.05.0)
Then will it work?
Also how do we ensure that to which Domain we are passing this SCSI
controller because we are not mentioning anywhere the domain info,in the
above line in the grub.conf?

Please help..
Thanks and regards
Ashit


-----Original Message-----
From: Petersson, Mats [mailto:Mats.Petersson@amd.com] 
Sent: Monday, March 19, 2007 11:51 PM
To: Prabhakar Chaganti; Ashit Kumar
Cc: xen-users@lists.xensource.com
Subject: RE: [Xen-users] How can I create another privileged domian?

 
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com
> [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Prabhakar 
> Chaganti
> Sent: 19 March 2007 16:33
> To: Ashit Kumar
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] How can I create another privileged domian?
> 
> So will there be two privileged domains (dom0 and domx) running at the
> same time?
In theory, you could have any number of privileged domains, just like
you can have multiple users with "root" privilege on a Linux (or admin
privs on Windows if you prefer). See below for practical limitation(s)
to this. 
>   
> 
> 
> On 3/19/07, Ashit Kumar < Ashit_Kumar@symantec.com 
> <mailto:Ashit_Kumar@symantec.com> > wrote:
> 
> 	Hi, 
> 	We know that Domain0 is the privileged domain.Now as per the Xen
> architecture we can make another DomainX (X>0) to be a privileged 
> domain.
> 
> 	Now here are a few Questions: 
> 	A) How can I make another Domain (apart from Domain0) as a
privileged 
> host?
At the moment, I don''t think there''s a way to set the flag to
make a
domain priviliged, aside from the Dom0 startup (which is integral to the
startup of Xen. 

There is of course no reason to expect this limitation to last forever -
if there''s a good reason to have multiple privileged domains, then
I''m
sure it can be pretty easily achieved. 
> 	B) As per the architecture this new privileged domain can manage
> other Domains.So Can it directly manage the drivers and can the 
> DomainX view the drivers of this newly created privileged domain?
Not sure what you''re referring to here. Drivers are available for both
privileged and unprivileged domains. The difference is that privileged
domains are allowed to perform certain operations (such as directly
mapping other domains memory) that unprivileged domains are not allowed
to perform. 

As long as the domain stays within it''s own memory space, it''s
essentially alllowed to do whatever it likes, including using whatever
drivers the kernel and/or owner sees fit. Of course, most domains don''t
have any REAL hardware to access, so many drivers that you would
normally find on a "real" system become meaningless in a system where
there is no real hardware for the driver to access (most drivers will
fail to install/load/initialize in this situation). 

Drivers that don''t need direct access to hardware (file-system drivers
for example) are perfectly fine in such a system. 

The guest domain also needs drivers for the virtualized devices, in a
para-virtual world, that is the virtual network and disk drivers. In a
fully-virtual domain, disk-drive is a regular IDE driver, with an IDE
interface inside the device-model that translates the "virtual" disk
device into requests in Dom0 to read/write to the actual device that is
"behind" the virtual wall. 
> 
> 	C) Volume Groups(VG) can be created over the raw storage devices
on 
> Domain0 and the other VM can access them through this Volume Group.Is 
> the same thing happens in the case of this newly created privileged 
> Domain too?
Volume groups (as in LVM) has nothing to do with Xen Domains at all. Of
course, normally, only Domain zero owns the physical disk/device that
you can (or would want to) create a volume group onto. But in theory,
you could probably create volume groups on top of a virtual disk that is
visible to the guest-domain. Also, assuming we have a para-virtual
domain, we could pass an entire SCSI controller (or other disk
controller) to the domain with the pci-hide/passthrough mechanism, and
let the domain handle it''s own disk entirely.

Please explain to me, if I''ve misunderstood the meaning of Volume
Groups
or in other ways not understood your question. 

--
Mats 
> 
> 	Thanks and regards 
> 	Ashit
> 
> 
> 	_______________________________________________
> 	Xen-users mailing list
> 	Xen-users@lists.xensource.com
> <mailto:Xen-users@lists.xensource.com> 
> 	http://lists.xensource.com/xen-users
> 	
> 
> 
> 


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

> -----Original Message-----
> From: Ashit Kumar [mailto:Ashit_Kumar@symantec.com] 
> Sent: 21 March 2007 14:24
> To: Petersson, Mats; Prabhakar Chaganti
> Cc: xen-users@lists.xensource.com
> Subject: RE: [Xen-users] How can I create another privileged domian?
> 
> Hi Mats,
> Thanks for the reply.
> 
> Mats wrote:
> >>we could pass an entire SCSI controller (or other disk
> >>controller) to the domain with the pci-hide/passthrough 
> mechanism, and
> let the domain handle it''s own disk entirely.
> 
> Suppose I have a two SCSI storage Controllers as 
>  14:05.0 SCSI storage controller: LSI Logic / Symbios Logic 53c1030
> PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 08)
>  14:05.1 SCSI storage controller: LSI Logic / Symbios Logic 53c1030
> PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 08)
> And I want to pass 14.05.0 to DomainX,
> Now if I change the grub.conf with the kernel command line as:
>  root=/dev/sda4 ro console=tty0 pciback.hide=(14.05.0)
> Then will it work?
> Also how do we ensure that to which Domain we are passing this SCSI
> controller because we are not mentioning anywhere the domain 
> info,in the
> above line in the grub.conf?
You''d have to add that pass-through into the configuration file of the
DomU you decide should use that device - I''m not an expert on how this
works, so I can''t say exactly how that statement would look. 

I think (from "xm create --help_config|grep pci") that you''d
add
"pci=14.05.0" to the config file. 

Once the device has been taken by a domain, it can''t be used by any
other (at  least, it shouldn''t be allowed). 

Note that this doesn''t make this domain PRIVILEGED, it still
can''t
control other domains for example. It just allows the domain to control
that SCSI device (and any attached functionality). 

--
Mats
> 
> Please help..
> Thanks and regards
> Ashit
> 
> 
> -----Original Message-----
> From: Petersson, Mats [mailto:Mats.Petersson@amd.com] 
> Sent: Monday, March 19, 2007 11:51 PM
> To: Prabhakar Chaganti; Ashit Kumar
> Cc: xen-users@lists.xensource.com
> Subject: RE: [Xen-users] How can I create another privileged domian?
> 
>  
> 
> > -----Original Message-----
> > From: xen-users-bounces@lists.xensource.com
> > [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of 
> Prabhakar 
> > Chaganti
> > Sent: 19 March 2007 16:33
> > To: Ashit Kumar
> > Cc: xen-users@lists.xensource.com
> > Subject: Re: [Xen-users] How can I create another privileged domian?
> > 
> > So will there be two privileged domains (dom0 and domx) 
> running at the
> 
> > same time?
> 
> In theory, you could have any number of privileged domains, just like
> you can have multiple users with "root" privilege on a Linux (or
admin
> privs on Windows if you prefer). See below for practical limitation(s)
> to this. 
> 
> >   
> > 
> > 
> > On 3/19/07, Ashit Kumar < Ashit_Kumar@symantec.com 
> > <mailto:Ashit_Kumar@symantec.com> > wrote:
> > 
> > 	Hi, 
> > 	We know that Domain0 is the privileged domain.Now as per the Xen
> 
> > architecture we can make another DomainX (X>0) to be a privileged 
> > domain.
> > 
> > 	Now here are a few Questions: 
> > 	A) How can I make another Domain (apart from Domain0) as a
> privileged 
> > host?
> 
> At the moment, I don''t think there''s a way to set the
flag to make a
> domain priviliged, aside from the Dom0 startup (which is 
> integral to the
> startup of Xen. 
> 
> There is of course no reason to expect this limitation to 
> last forever -
> if there''s a good reason to have multiple privileged domains, then
I''m
> sure it can be pretty easily achieved. 
> 
> > 	B) As per the architecture this new privileged domain can manage
> 
> > other Domains.So Can it directly manage the drivers and can the 
> > DomainX view the drivers of this newly created privileged domain?
> 
> Not sure what you''re referring to here. Drivers are available for
both
> privileged and unprivileged domains. The difference is that privileged
> domains are allowed to perform certain operations (such as directly
> mapping other domains memory) that unprivileged domains are 
> not allowed
> to perform. 
> 
> As long as the domain stays within it''s own memory space,
it''s
> essentially alllowed to do whatever it likes, including using whatever
> drivers the kernel and/or owner sees fit. Of course, most 
> domains don''t
> have any REAL hardware to access, so many drivers that you would
> normally find on a "real" system become meaningless in a system
where
> there is no real hardware for the driver to access (most drivers will
> fail to install/load/initialize in this situation). 
> 
> Drivers that don''t need direct access to hardware (file-system
drivers
> for example) are perfectly fine in such a system. 
> 
> The guest domain also needs drivers for the virtualized devices, in a
> para-virtual world, that is the virtual network and disk drivers. In a
> fully-virtual domain, disk-drive is a regular IDE driver, with an IDE
> interface inside the device-model that translates the "virtual"
disk
> device into requests in Dom0 to read/write to the actual 
> device that is
> "behind" the virtual wall. 
> 
> > 
> > 	C) Volume Groups(VG) can be created over the raw storage devices
> on 
> > Domain0 and the other VM can access them through this 
> Volume Group.Is 
> > the same thing happens in the case of this newly created privileged 
> > Domain too?
> 
> Volume groups (as in LVM) has nothing to do with Xen Domains 
> at all. Of
> course, normally, only Domain zero owns the physical disk/device that
> you can (or would want to) create a volume group onto. But in theory,
> you could probably create volume groups on top of a virtual 
> disk that is
> visible to the guest-domain. Also, assuming we have a para-virtual
> domain, we could pass an entire SCSI controller (or other disk
> controller) to the domain with the pci-hide/passthrough mechanism, and
> let the domain handle it''s own disk entirely.
> 
> Please explain to me, if I''ve misunderstood the meaning of 
> Volume Groups
> or in other ways not understood your question. 
> 
> --
> Mats 
> > 
> > 	Thanks and regards 
> > 	Ashit
> > 
> > 
> > 	_______________________________________________
> > 	Xen-users mailing list
> > 	Xen-users@lists.xensource.com
> > <mailto:Xen-users@lists.xensource.com> 
> > 	http://lists.xensource.com/xen-users
> > 	
> > 
> > 
> > 
> 
> 
> 
> 
> 


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users