Xen users - Feb 2012 - Separate kernel on domU's

Hello,

I am still learning about Xen.. I am trying to setup Xen hypervisor
for the first time. I was reading the howto here:

http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64

and I stopped here:

"(To use the default Ubuntu kernel instead of Debian''s Xen kernel
in
the guest, you can also comment out the kernel and initrd lines in
/etc/xen-tools/xen-tools.conf.)"

Also, I have read about the stub domains to load a separate kernel.

At this point I am a bit lost.

I have searched information about this but it''s still not clear to me.

It seems that Xen hypervisor shares the kernel with domU''s, but this
is not recommended because it makes it can easily mess it all up..
But, with an option through xen-tools you can create a domU with a
separate kernel.. does that mean that uses a stub domain?

I''d appreciate any hint about how Xen works here.

Thanks

Eva

On Wed, Feb 22, 2012 at 6:28 PM, eva <evammg@gmail.com>
wrote:
> At this point I am a bit lost.
:D

Too much information for newbies, perhaps.
>
> I have searched information about this but it''s still not clear to
me.
>
> It seems that Xen hypervisor shares the kernel with domU''s,
No.

domU can use the same kernel as dom0, and sometimes it can share the
same initrd as well.
> but this
> is not recommended because it makes it can easily mess it all up..
"easily" is a relative term, and some might not agree with that
statement, but IMHO yes.
> But, with an option through xen-tools you can create a domU with a
> separate kernel..
Probably. I don''t use xen-tools.
>does that mean that uses a stub domain?
stub domain is another beast altogether. Better forget about that for now.
> I''d appreciate any hint about how Xen works here.
A good howto for Ubuntu domU installation is here:
http://wiki.xen.org/wiki/Ubuntu_10.04_domU

Some of it should apply to debian as well.

-- 
Fajar

On 22 February 2012 13:05, Fajar A. Nugraha <list@fajar.net>
wrote:
> On Wed, Feb 22, 2012 at 6:28 PM, eva <evammg@gmail.com> wrote:
>> At this point I am a bit lost.
>
> :D
>
> Too much information for newbies, perhaps.
>
>>
>> I have searched information about this but it''s still not
clear to me.
>>
>> It seems that Xen hypervisor shares the kernel with domU''s,
>
> No.
>
> domU can use the same kernel as dom0, and sometimes it can share the
> same initrd as well.
>
>> but this
>> is not recommended because it makes it can easily mess it all up..
>
> "easily" is a relative term, and some might not agree with that
> statement, but IMHO yes.
>
>> But, with an option through xen-tools you can create a domU with a
>> separate kernel..
>
> Probably. I don''t use xen-tools.
>
>>does that mean that uses a stub domain?
>
> stub domain is another beast altogether. Better forget about that for now.
>
>> I''d appreciate any hint about how Xen works here.
>
> A good howto for Ubuntu domU installation is here:
> http://wiki.xen.org/wiki/Ubuntu_10.04_domU
>
> Some of it should apply to debian as well.
>
> --
> Fajar
Thanks, I''ve got homework to do now.

I store my kernels in /home/xen/boot and this is my config file.
I don''t see how kernel could get messed up domu can''t write
back to dom0.
You can always copy kernel separate dir.

# dom01 Config File
kernel = "/home/xen/boot/vmlinuz-linux"
ramdisk = "/home/xen/boot/initramfs-linux.img"
extra="iommu=soft swiotlb=force"
memory = 2048
name = "archlinuxa"
vif=[''bridge=xenbr0,model=e1000,script=vif-bridge'']
vfb=[''vnc=1,vncunused=1,vnclisten=0.0.0.0,keymap=it'']
disk = [ ''phy:/dev/xensvol/archlinuxa,ioemu:xvda,w''  ]

root = "/dev/xvda1 ro"
sdl=0
serial=''pty''
acpi = 1
apic = 1
pae=1
usb=1
usbdevice=''tablet''
on_poweroff = ''destroy''
on_reboot   = ''restart''
on_crash    = ''restart''



On Wed, Feb 22, 2012 at 5:37 AM, eva <evammg@gmail.com> wrote:
>  On 22 February 2012 13:05, Fajar A. Nugraha <list@fajar.net> wrote:
> > On Wed, Feb 22, 2012 at 6:28 PM, eva <evammg@gmail.com> wrote:
> >> At this point I am a bit lost.
> >
> > :D
> >
> > Too much information for newbies, perhaps.
> >
> >>
> >> I have searched information about this but it''s still not
clear to me.
> >>
> >> It seems that Xen hypervisor shares the kernel with
domU''s,
> >
> > No.
> >
> > domU can use the same kernel as dom0, and sometimes it can share the
> > same initrd as well.
> >
> >> but this
> >> is not recommended because it makes it can easily mess it all up..
> >
> > "easily" is a relative term, and some might not agree with
that
> > statement, but IMHO yes.
> >
> >> But, with an option through xen-tools you can create a domU with a
> >> separate kernel..
> >
> > Probably. I don''t use xen-tools.
> >
> >>does that mean that uses a stub domain?
> >
> > stub domain is another beast altogether. Better forget about that for
> now.
> >
> >> I''d appreciate any hint about how Xen works here.
> >
> > A good howto for Ubuntu domU installation is here:
> > http://wiki.xen.org/wiki/Ubuntu_10.04_domU
> >
> > Some of it should apply to debian as well.
> >
> > --
> > Fajar
>
> Thanks, I''ve got homework to do now.
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xen.org
> http://lists.xen.org/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On Wed, Feb 22, 2012 at 8:28 PM, jacek burghardt
<jaceksburghardt@gmail.com> wrote:
> I store my kernels in /home/xen/boot and this is my config file.
> I don''t see how kernel could get messed up domu can''t
write back to dom0.
> You can always copy kernel separate dir.
Sure.

But the original question was about using the SAME kernel for dom0 and
domU. You''re talking about using the same kernel for all domU, but
DIFFERENT from the one used in dom0.

When using the same kernel and initd, it''s possible (for example) if
you make certain changes to dom0 kernel (e.g. put some drivers like
xen-blkfront as module) or initrd (e.g. change which modules are
included, from "most" to "dep" in ubuntu), it will cause
dom0 to still
boot fine but domU stops working (in the example it was because domU''s
disk driver was not included).

Another example is when you have iptables as module, then update dom0
kernel, but don''t copy the corresponding /lib/modules directory to
domU. In that case domU''s iptables will stop working.

-- 
Fajar

Hello,

On 22 February 2012 14:12, Qrux <qrux.qed@gmail.com>
wrote:
>
> On Feb 22, 2012, at 3:28 AM, eva wrote:
>
>> Hello,
>>
>> I am still learning about Xen.. I am trying to setup Xen hypervisor
>> for the first time. I was reading the howto here:
>>
>>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
>
> If I were you, I would use a commercial distro (e.g., openSUSE) to learn
about Xen.  It''s the most robust and mature experience, and has the
least amount of tinkering with stuff like custom kernels.
>
Maybe I should''ve said that I have been working with Debian for
years.. I prefer Debian, although this is my first time learning about
virtualization.. always handled virtualization thru a GUI, so never
learned how it really works..
>> "(To use the default Ubuntu kernel instead of Debian''s
Xen kernel in
>> the guest, you can also comment out the kernel and initrd lines in
>> /etc/xen-tools/xen-tools.conf.)"
>
> If you don''t understand what you''re reading here,
that''s another sign that it''s probably more productive to use
a commercial distro that offers Xen.  You seem new...So, the information
I''m giving you is at a more basic level than maybe some of the other
responses you''ve gotten.
>
I prefer to learn! I am not scared! :D
>> Also, I have read about the stub domains to load a separate kernel.
>>
>> At this point I am a bit lost.
>>
>> I have searched information about this but it''s still not
clear to me.
>>
>> It seems that Xen hypervisor shares the kernel with domU''s,
but this
>> is not recommended because it makes it can easily mess it all up..
>> But, with an option through xen-tools you can create a domU with a
>> separate kernel.. does that mean that uses a stub domain?
>
> Xen is a Type-1 hypervisor.  It doesn''t really "share the
kernel" with anything.
It seems I need to study a bit more about the general background of
virtualization. That''s what I''ll do.
>
> It *is* a kernel...though, from your perspective, it''s a bit more
like a super-fancy boot-loader.
>
> After Xen itself (the bare-metal hypervisor) boots, it will then load the
domU kernel.  At that point, it transfer "control over to the dom0
kernel--otherwise known as your "Host" OS.  The general process is:
>
>        1. You load Xen on the hardware (usually via a Grub entry).
>        2. Xen loads your dom0 (usually via that same Grub entry).
>        3. Then, you load domUs on your dom0 (through interacting with Xen
from dom0).
>
> You''ll use your Host OS and the Xen tools it provides (which
communicate to the Hypervisor sitting under the host), you''ll create
domUs (Guest OSes).  Those domUs can be of all different types, and which you
specifically need...Is determined by what you need it for--or, what your
boss/client needs.  A variety of different OSes can be used as Xen Guest OSes.
>
> Each DomU has it''s own separate kernel.  You can choose to use the
dom0 kernel (it''s just a file, from Xen''s perspective), but
that''s just a coincidence.  It makes sense conceptually to think of
domUs having their own kernels.  In the configuration for each Guest,
you''ll specific a file on the dom0 filesystem which will be the kernel
of the Guest.  Guests can use the same file, but each Guest will load that
kernel as a separate instance.  Don''t confuse pointing to the FILE that
is a kernel in a Guest config with "sharing a running kernel".
>
> I hope this information can help you get started.
>
>        Q
>
Ok, I need some time to study this a bit more and I''ll give you a feed
back.

Thank you guys!

On Feb 22, 2012 9:00 PM, "eva" <evammg@gmail.com>
wrote:
>
> Hello,
>
---- >8 snip
>
> Ok, I need some time to study this a bit more and I''ll give you a
feed
back.
>
> Thank you guys!
>
Here''s a graphical representation:

https://community.emc.com/servlet/JiveServlet/showImage/38-3466-30315/Xen.png

(ignore the misleading "Recommended" word on top right; if your
domU''s are
Linux, and you can specify your domUs'' kernels, paravirtualization will
give you *much* better performance)

Rgds,


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
> Hello,
> 
> I am still learning about Xen.. I am trying to setup Xen hypervisor
> for the first time. I was reading the howto here:
> 
>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
> 
> and I stopped here:
> 
> "(To use the default Ubuntu kernel instead of Debian''s Xen
kernel in
> the guest, you can also comment out the kernel and initrd lines in
> /etc/xen-tools/xen-tools.conf.)"
I don''t remember a lot about xen-tools, and others have given you
some pointers on how to manually specify a DomU kernel from the Dom0-

Personally, though, I find it much easier to keep the DomU kernel in
the DomU.  With proper configuration (installation of grub-legacy 
on some platforms, so the guest updates the grub1 configuration
file rather than the grub2 configuration file in the guest)  
It is possible to set things up so that the guest can upgrade the
guest kernel without the dom0 doing anything.  PyGRUB, I think is
the recommended debian way to do this, but PyGRUB isn''t very secure
if you don''t trust the guest administrators.   PV-GRUB solves 
those problems, and  can call itself, but you''d need to compile it
from source and copy it over, as it doesn''t come with debian.  (It will
work fine with the rest of the xen setup, debian just doesn''t package
it.)  


here is some info on PVGRUB and how I use it with my untrusted users - the
document is kind of out of date, but I think still correct in the important
ways:

http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

I create a pvgrub config file on a read-only partition and boot off that;
but that menu.lst calls pvgrub with the menu.lst on the user-writable 
partition after two seconds, so by default, the user''s menu.lst is what
boots the kernel, but if for whatever reason the user screws that up,
they can boot off the read-only partition and fix it without
bugging me. 

I''ve got some basic info about pygrub above that in the same document.
Like I said, I think pygrub is not suitable for untrusted guests because
of security problems and because if the guest messes up the grub config,
they need dom0 administrator help to fix it.   But, on the plus side,
I think there are recent versions of pygrub support grub2 format config
files.


Note, pvgrub protects you from the recent exploits in the code to unzip
kernels, pygrub does not.

On 24 February 2012 22:55, Luke S. Crawford <lsc@prgmr.com>
wrote:
> On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
>> Hello,
>>
>> I am still learning about Xen.. I am trying to setup Xen hypervisor
>> for the first time. I was reading the howto here:
>>
>>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
>>
>> and I stopped here:
>>
>> "(To use the default Ubuntu kernel instead of Debian''s
Xen kernel in
>> the guest, you can also comment out the kernel and initrd lines in
>> /etc/xen-tools/xen-tools.conf.)"
>
[...]

Thanks, your answer was very useful to me.

I thought in xen kernels work separately, as it''s shown in this
representation....

https://community.emc.com/servlet/JiveServlet/showImage/38-3466-30315/Xen.png

but now it seems that you can set it up to share a few things. At this
point I was quite surprised.

I just want to understand how xen works.. so why would you share the
kernel or parts of the kernel with another dom? Must be a good reason
to do it, I think.

Using the same initrd looks fine to me, but I using other parts of the
kernel.. it looks like that you must really know what you doing or you
will end up with a mess after an upgrade, for example.

So in what cases would you do it and why?

Fajar tried to explain it a little, but I still don''t fully understand
it ..

Thank you

On Mon, Feb 27, 2012 at 3:47 PM, eva <evammg@gmail.com>
wrote:
> Using the same initrd looks fine to me, but I using other parts of the
> kernel.. it looks like that you must really know what you doing or you
> will end up with a mess after an upgrade, for example.
>
> So in what cases would you do it and why?
Nowadays? Almost no scenario is worth the hassle. Seriously.

IIRC the main reason in that past was:
- to ensure you have a working domU (since you''ll only be using kernel
and initrd from dom0, which presumably is well-tested by the admin)
- to NOT use pygrub (there was some security hole)

Just stick with pygrub/pv-grub, and use compatible /boot on domU (or
/, if you keep it all in one). Some old pygrub/pv-grub require you  to
use ext2/3 for /boot, while newer ones should handle ext4 just fine.

-- 
Fajar

On Feb 27, 2012 3:55 PM, "eva" <evammg@gmail.com>
wrote:
>
> On 24 February 2012 22:55, Luke S. Crawford <lsc@prgmr.com> wrote:
> > On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
> >> Hello,
> >>
> >> I am still learning about Xen.. I am trying to setup Xen
hypervisor
> >> for the first time. I was reading the howto here:
> >>
> >>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
> >>
> >> and I stopped here:
> >>
> >> "(To use the default Ubuntu kernel instead of
Debian''s Xen kernel in
> >> the guest, you can also comment out the kernel and initrd lines in
> >> /etc/xen-tools/xen-tools.conf.)"
> >
>
> [...]
>
> Thanks, your answer was very useful to me.
>
> I thought in xen kernels work separately, as it''s shown in this
> representation....
>
>
https://community.emc.com/servlet/JiveServlet/showImage/38-3466-30315/Xen.png
>
> but now it seems that you can set it up to share a few things. At this
> point I was quite surprised.
>
> I just want to understand how xen works.. so why would you share the
> kernel or parts of the kernel with another dom? Must be a good reason
> to do it, I think.
>
> Using the same initrd looks fine to me, but I using other parts of the
> kernel.. it looks like that you must really know what you doing or you
> will end up with a mess after an upgrade, for example.
>
> So in what cases would you do it and why?
>
> Fajar tried to explain it a little, but I still don''t fully
understand it
..
>
> Thank you
>
Usually, domU''s use a different kernel from dom0. But multiple
domU''s might
share a single kernel image, stored in dom0.

When starting a domU configured to use a kernel stored in dom0, dom0 will
simply tell Xen to "boot using this file, and pass these parameters to the
kernel".

Benefits: Don''t have to update domU kernels one by one, domU root
can''t
overwrite the kernel in dom0, domU''s can be forced to use a specific
kernel, no need for a separate /boot partition, etc.

Drawback: a buggy kernel shared by multiple domU''s will impact many VMs
at
the same time.

But it its perfectly acceptable also for domU''s to have their own
kernels;
this allows Windows VMs, for example. In this situation, dom0 will tell
Xen: This is the virtual hard disk. Please boot it from the MBR.

Rgds,


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On Feb 27, 2012 8:51 PM, "Pandu Poluan" <pandu@poluan.info>
wrote:
>
>
> On Feb 27, 2012 3:55 PM, "eva" <evammg@gmail.com> wrote:
> >
> > On 24 February 2012 22:55, Luke S. Crawford <lsc@prgmr.com>
wrote:
> > > On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
> > >> Hello,
> > >>
> > >> I am still learning about Xen.. I am trying to setup Xen
hypervisor
> > >> for the first time. I was reading the howto here:
> > >>
> > >>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
> > >>
> > >> and I stopped here:
> > >>
> > >> "(To use the default Ubuntu kernel instead of
Debian''s Xen kernel in
> > >> the guest, you can also comment out the kernel and initrd
lines in
> > >> /etc/xen-tools/xen-tools.conf.)"
> > >
> >
> > [...]
> >
> > Thanks, your answer was very useful to me.
> >
> > I thought in xen kernels work separately, as it''s shown in
this
> > representation....
> >
> >
https://community.emc.com/servlet/JiveServlet/showImage/38-3466-30315/Xen.png
> >
> > but now it seems that you can set it up to share a few things. At this
> > point I was quite surprised.
> >
> > I just want to understand how xen works.. so why would you share the
> > kernel or parts of the kernel with another dom? Must be a good reason
> > to do it, I think.
> >
> > Using the same initrd looks fine to me, but I using other parts of the
> > kernel.. it looks like that you must really know what you doing or you
> > will end up with a mess after an upgrade, for example.
> >
> > So in what cases would you do it and why?
> >
> > Fajar tried to explain it a little, but I still don''t fully
understand
it ..
> >
> > Thank you
> >
>
> Usually, domU''s use a different kernel from dom0. But multiple
domU''s
might share a single kernel image, stored in dom0.
>
> When starting a domU configured to use a kernel stored in dom0, dom0 will
simply tell Xen to "boot using this file, and pass these parameters to the
kernel".
>
> Benefits: Don''t have to update domU kernels one by one, domU root
can''t
overwrite the kernel in dom0, domU''s can be forced to use a specific
kernel, no need for a separate /boot partition, etc.
>
> Drawback: a buggy kernel shared by multiple domU''s will impact
many VMs
at the same time.
>
> But it its perfectly acceptable also for domU''s to have their own
kernels; this allows Windows VMs, for example. In this situation, dom0 will
tell Xen: This is the virtual hard disk. Please boot it from the
MBR.
>
> Rgds,
Fajar''s reply reminds me: There''s a third way of booting using
"pygrub" or
"pv-grub" mechanism. It''s kind of a hybrid between the two
mechanisms I
explained above.

In this case, dom0 tells Xen: here''s the virtual hard disk, but you
don''t
have to start from the MBR. The kernel you must boot is listed in
grub''s
configuration file somewhere inside.

Rgds,


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On 27 February 2012 14:57, Pandu Poluan <pandu@poluan.info>
wrote:
>
> On Feb 27, 2012 8:51 PM, "Pandu Poluan" <pandu@poluan.info>
wrote:
>>
>>
>> On Feb 27, 2012 3:55 PM, "eva" <evammg@gmail.com>
wrote:
>> >
>> > On 24 February 2012 22:55, Luke S. Crawford <lsc@prgmr.com>
wrote:
>> > > On Wed, Feb 22, 2012 at 12:28:51PM +0100, eva wrote:
>> > >> Hello,
>> > >>
>> > >> I am still learning about Xen.. I am trying to setup Xen
hypervisor
>> > >> for the first time. I was reading the howto here:
>> > >>
>> > >>
>> > >>
http://www.howtoforge.com/paravirtualization-with-xen-4.0-on-debian-squeeze-amd64
>> > >>
>> > >> and I stopped here:
>> > >>
>> > >> "(To use the default Ubuntu kernel instead of
Debian''s Xen kernel in
>> > >> the guest, you can also comment out
the kernel and initrd lines in
>> > >> /etc/xen-tools/xen-tools.conf.)"
>> > >
>> >
>> > [...]
>> >
>> > Thanks, your answer was very useful to me.
>> >
[...]

Thank you guys for such a detailed explanation.