Hello,

I am still confused: does pyGrub run in dom0 as root? As it says in here:

"PyGRUB used to act as a “PV bootloader”: it runs in dom0 as root, opens the PV disk image, reads its GRUB menu.lst, presents a GRUB-like menu to let the user choose a kernel which it copies to the dom0 filesystem, it then closes the disk image and eventually tells the domain builder to use that copy. Such a dom0 root process that parses user-provided data is a potential security breach."
http://blog.xen.org/index.php/2008/08/28/xen-33-feature-pv-grub/

Or does it run in domU? As it says in here:

"PyGrub enables you to start Linux domUs with a kernel inside the DomU instead of a kernel that lies in the filesystem of the dom0."
http://wiki.xen.org/wiki/PyGrub

Aren't those definitions contradictory? Am I misunderstanding something?

Regards,
Eva
On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg@gmail.com> wrote:
> Hello,
>
> I am still confused: does pyGrub run in dom0 as root? As it says in here:

Yes

> or does it run in domU? As it says in here:

No.

> Aren't those definitions contradictory?

No.

pygrub:
- is a python script (which, IIRC, also installs several python modules)
- runs on dom0
- extracts kernel and initrd from a domU image (file, partition, LVM, etc.) and puts them on dom0 (/var/lib/xen/...)
- starts domU using the above kernel and initrd

You can test it yourself btw: run "pygrub -i /path/to/wherever/your/domU/image"

pvgrub, on the other hand, runs completely on domU. So some might say pvgrub is "safer" than pygrub.

-- 
Fajar
On 24 April 2012 12:44, Fajar A. Nugraha <list@fajar.net> wrote:
> On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg@gmail.com> wrote:
>> Hello,
>>
>> I am still confused: does pyGrub run in dom0 as root? As it says in here:
>
> Yes
>
>> or does it run in domU? As it says in here:
>
> No.
>
>> Aren't those definitions contradictory?
>
> No.
>
> pygrub:
> - is a python script (which, IIRC, also installs several python modules)
> - runs on dom0
> - extracts kernel and initrd from a domU image (file, partition, LVM,
> etc.) and puts them on dom0 (/var/lib/xen/...)
> - starts domU using the above kernel and initrd
>
> You can test it yourself btw: run "pygrub -i /path/to/wherever/your/domU/image"
>
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.
>
> --
> Fajar

Thanks for the explanation, Fajar.
On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha wrote:
>
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.

Pvgrub is pretty great if the DomUs are operated by people that don't have root on the dom0. With pvgrub, it's pretty easy to set things up so that the person that controls the DomU can never mess up the DomU to the point that they can't boot[1], something that requires a xm config file edit otherwise.

The big downside to pvgrub is that it wants an ext2/3 filesystem and a grub1 format menu.lst file.

[1] http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
On 24 April 2012 17:37, Luke S. Crawford <lsc@prgmr.com> wrote:
>
> On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha wrote:
> >
> > pvgrub, on the other hand, runs completely on domU. So some might say
> > pvgrub is "safer" than pygrub.
>
> Pvgrub is pretty great if the DomUs are operated by people that don't
> have root on the dom0. With pvgrub, it's pretty easy to set things
> up so that the person that controls the DomU can never mess up the
> DomU to the point that they can't boot[1], something that requires
> a xm config file edit otherwise.
>
> The big downside to pvgrub is that it wants an ext2/3 filesystem and
> a grub1 format menu.lst file.
>
> [1] http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>

Thanks Luke. I've been reading the link, and now I have 2 questions.

1- If pygrub needs to mount the domU, why does it say this?
http://wiki.xen.org/wiki/PyGrub
"This means that reading the guest filesystem does not require mounting the filesystem"

2- What and where is the rescue image?
"which then means that unlike my PyGRUB setup, users can never mess up their menu.lst to the point where they can't get into their rescue image."

Sorry to bother you guys, but I am trying to put it all together in my head.......
On Wed, Apr 25, 2012 at 5:59 PM, eva <evammg@gmail.com> wrote:
> 1- If pygrub needs to mount the domU, why does it say this?
> http://wiki.xen.org/wiki/PyGrub
>
> "This means that reading the guest filesystem does not require
> mounting the filesystem"

It doesn't. There are ways to read the contents of an image without mounting it. In pygrub's case, it reads the data using libfsimage.

-- 
Fajar
eva wrote:
> 1- If pygrub needs to mount the domU, why does it say this?
> http://wiki.xen.org/wiki/PyGrub
>
> "This means that reading the guest filesystem does not require
> mounting the filesystem"

Read the sentence before that: "PyGrub accesses the guest filesystem using a userspace filesystem library ..."

I.e., instead of mounting the image to copy the files, it uses a userspace library to access the filesystem. The difference is that if you just do a regular mount, then the filesystem is mounted by kernel level code in Dom0 - and there is a theoretic risk that if someone finds a vulnerability in that, they can use it to compromise Dom0 with a carefully crafted DomU filesystem. Using a userspace library means that while there's still a risk of compromising the system, they cannot "crash" it as they could be compromising kernel level code.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
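To make Simon's point concrete, here is an added example (not from the thread, and not code from libfsimage or pygrub) of the very first thing a userspace filesystem library does with a guest image: read and validate the ext2/3 superblock by hand, without any mount. The field offsets follow the ext2 on-disk superblock layout; the image is a constructed byte buffer, the `corrupt()` helper and the size caps are assumptions of this example, and the point is that every count and size taken from the image is range-checked before use, so a hostile image makes the process raise rather than read out of bounds.

```python
"""Reading an ext2/3 superblock from a guest disk image in userspace, without
mounting it. Added example for this thread, not code from libfsimage or pygrub:
it shows the shape of what a userspace filesystem library does first, and why
every field it reads from the guest's image is treated as untrusted input."""
import struct
from dataclasses import dataclass

SUPERBLOCK_OFFSET = 1024   # ext2 keeps the primary superblock 1 KiB into the fs
SUPERBLOCK_SIZE = 1024
EXT2_MAGIC = 0xEF53
MAX_LOG_BLOCK_SIZE = 6     # 1 KiB << 6 = 64 KiB, the largest ext2 block size


class ImageError(ValueError):
    """Any inconsistency in the image; the reader fails closed."""


@dataclass(frozen=True)
class SuperBlock:
    inodes_count: int
    blocks_count: int
    block_size: int
    inodes_per_group: int
    inode_size: int
    volume_name: str


def read_superblock(image: bytes, partition_offset: int = 0) -> SuperBlock:
    """Parse the primary superblock of the filesystem that starts at
    `partition_offset`. Every count and size is checked against the image
    before it is used, so a hostile image can at worst make this raise; a bug
    here would crash this userspace process, not the dom0 kernel."""
    start = partition_offset + SUPERBLOCK_OFFSET
    end = start + SUPERBLOCK_SIZE
    if partition_offset < 0 or end > len(image):
        raise ImageError("image too small to hold a superblock")
    sb = image[start:end]
    # Field offsets follow the ext2 on-disk superblock layout (little-endian).
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    log_block_size = struct.unpack_from("<I", sb, 24)[0]
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    magic = struct.unpack_from("<H", sb, 56)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    volume_name = sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace")
    if magic != EXT2_MAGIC:
        raise ImageError(f"bad magic 0x{magic:04x}")
    if log_block_size > MAX_LOG_BLOCK_SIZE:
        raise ImageError(f"implausible log_block_size {log_block_size}")
    block_size = 1024 << log_block_size
    if blocks_count == 0 or blocks_count * block_size > len(image) - partition_offset:
        raise ImageError("blocks_count does not fit in the image")
    if inodes_count == 0 or inodes_per_group == 0:
        raise ImageError("zero inode counts")
    if inode_size < 128 or inode_size > block_size or inode_size & (inode_size - 1):
        raise ImageError(f"implausible inode_size {inode_size}")
    return SuperBlock(inodes_count, blocks_count, block_size,
                      inodes_per_group, inode_size, volume_name)


def make_sample_image(blocks: int = 16, log_block_size: int = 0,
                      volume_name: bytes = b"domU-root") -> bytearray:
    """Constructed sample: a zeroed image carrying only a valid superblock."""
    image = bytearray(blocks * (1024 << log_block_size))
    sb = SUPERBLOCK_OFFSET
    struct.pack_into("<II", image, sb + 0, 128, blocks)   # inodes, blocks
    struct.pack_into("<I", image, sb + 24, log_block_size)
    struct.pack_into("<I", image, sb + 40, 128)           # inodes per group
    struct.pack_into("<H", image, sb + 56, EXT2_MAGIC)
    struct.pack_into("<I", image, sb + 76, 1)             # rev_level 1
    struct.pack_into("<H", image, sb + 88, 256)           # inode_size
    image[sb + 120:sb + 136] = volume_name.ljust(16, b"\0")[:16]
    return image


def corrupt(image: bytes, field_offset: int, fmt: str, value: int) -> bytearray:
    """Return a copy with one superblock field overwritten (a hostile image)."""
    bad = bytearray(image)
    struct.pack_into(fmt, bad, SUPERBLOCK_OFFSET + field_offset, value)
    return bad


def is_rejected(image: bytes, partition_offset: int = 0) -> bool:
    """True when read_superblock refuses the image."""
    try:
        read_superblock(image, partition_offset)
    except ImageError:
        return True
    return False


if __name__ == "__main__":
    print(read_superblock(make_sample_image()))
    for name, bad in (("oversized blocks_count", corrupt(make_sample_image(), 4, "<I", 2 ** 31)),
                      ("log_block_size 100", corrupt(make_sample_image(), 24, "<I", 100)),
                      ("wrong magic", corrupt(make_sample_image(), 56, "<H", 0x1234))):
        print(f"{name}: rejected={is_rejected(bad)}")
```

The checks are the ones a kernel filesystem driver also has to get right; the difference Simon describes is only where a missed check lands. Here it is an exception in one process that had read access to the block device; in a kernel-side mount the same class of bug runs in Dom0 ring 0.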
On 25 April 2012 20:27, Simon Hobson <linux@thehobsons.co.uk> wrote:
>
> eva wrote:
>
>> 1- If pygrub needs to mount the domU, why does it say this?
>> http://wiki.xen.org/wiki/PyGrub
>>
>> "This means that reading the guest filesystem does not require
>> mounting the filesystem"
>
> Read the sentence before that: "PyGrub accesses the guest filesystem using a userspace filesystem library ..."
>
> I.e., instead of mounting the image to copy the files, it uses a userspace library to access the filesystem. The difference is that if you just do a regular mount, then the filesystem is mounted by kernel level code in Dom0 - and there is a theoretic risk that if someone finds a vulnerability in that, they can use it to compromise Dom0 with a carefully crafted DomU filesystem. Using a userspace library means that while there's still a risk of compromising the system, they cannot "crash" it as they could be compromising kernel level code.
>

Hello Simon,

Thanks for answering. I read that part, but afterwards I read the link that Luke posted that says:

"The problem with PyGRUB is that while it’s a good simulation of a bootloader, it has to mount the domU partition"
http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

..hence my confusion.
eva wrote:
> Thanks for answering. I read that part, but afterwards I read the link
> that Luke posted that says:
>
> "The problem with PyGRUB is that while it's a good simulation of a
> bootloader, it has to mount the domU partition"
>
> http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>
> ..hence my confusion.

Hmm, yes. One or other of the Wiki entries is wrong then.

In that link I see the answer to your other query. In there, in extolling the virtues of pvgrub, the author is hinting (but explicitly stating) that he is providing a read-only volume which the end user (DomU owner) cannot modify. In that read-only partition, he has a basic (rescue) system which the DomU always boots "through" - thus the end user can never ever completely trash his DomU to the point that it won't boot anything.

My guess is that he has GRUB installed in the rescue partition, with two entries - rescue and user. Rescue boots into the rescue system, user (the default) chain loads a GRUB config from the user's normal partition. In normal operation, the DomU will load the read-only GRUB, chainload the user's GRUB, and then boot the user's OS. If the user screws it up, he can interrupt the initial GRUB, boot into the rescue system, and from there fix his own system.

-- 
Simon Hobson
I wrote:
> ... the author is hinting (but explicitly stating) that ...

Oops, that should say "but *not* explicitly stating"

-- 
Simon Hobson
On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> eva wrote:
>
> > Thanks for answering. I read that part, but afterwards I read the link
> > that Luke posted that says:
> >
> > "The problem with PyGRUB is that while it's a good simulation of a
> > bootloader, it has to mount the domU partition"
> >
> > http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> >
> > ..hence my confusion.
>
> Hmm, yes. One or other of the Wiki entries is wrong then.

Technically, mine is wrong; it uses libfsimage to pull the kernel out of the block device, it doesn't mount it. But that has many of the dangers of mounting directly. (As someone else pointed out, I think, libfsimage can be run as something other than root, as long as it has read access to the block device, and that helps some, though by default I think it does run as root. But Pvgrub runs entirely within the guest, so there is no way a problem in pvgrub can lead to a dom0 compromise.)

Note, pvgrub also protects you from, say, exploits in the code used to decompress the kernel; with pvgrub, the kernel is uncompressed within the DomU.

> In that link I see the answer to your other query. In there, in
> extolling the virtues of pvgrub, the author is hinting (but
> explicitly stating) that he is providing a read-only volume which the
> end user (DomU owner) cannot modify. In that read-only partition, he
> has a basic (rescue) system which the DomU always boots "through" -
> thus the end user can never ever completely trash his DomU to the
> point that it won't boot anything.
> My guess is that he has GRUB installed in the rescue partition, with
> two entries - rescue and user. Rescue boots into the rescue system,
> user (the default) chain loads a GRUB config from the user's normal
> partition. In normal operation, the DomU will load the read-only
> GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> user screws it up, he can interrupt the initial GRUB, boot into the
> rescue system, and from there fix his own system.

exactly.
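Two things in this thread are easier to see in code than in prose: the menu.lst handling Fajar describes (a bootloader in dom0 parsing a guest-controlled file to find a kernel and initrd) and the read-only rescue menu that chain-loads the owner's menu, as Simon guessed and Luke confirmed. The following is an added example for this thread and not code from Xen's pygrub or pvgrub. It models both: a fail-closed GRUB-legacy menu.lst parser, and a `configfile` chain from a rescue menu to the owner's menu with a depth cap. The guest filesystem is simulated by a dict of path to text (nothing opens a disk image), the menus, paths and kernel names are constructed sample data, and the caps on line length, entry count and chain depth are this example's own choices.

```python
"""Model of the GRUB-legacy menu.lst handling a PV bootloader does: parse the
menu, take the default or the user's pick, and follow a `configfile` chain from
a read-only rescue menu to the owner's menu. Added example for this thread, not
code from Xen's pygrub or pvgrub; the guest filesystem is a dict of
path -> text, so nothing opens a disk image."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_LINE_LEN = 1024   # menu.lst is guest-controlled data: refuse absurd lines
MAX_ENTRIES = 64      # cap on title entries kept in memory
MAX_CHAIN_DEPTH = 1   # rescue menu -> owner menu, and no further

class MenuError(ValueError):
    """Any menu.lst content this model refuses to interpret."""

@dataclass
class Entry:
    title: str
    kernel: Optional[str] = None
    initrd: Optional[str] = None
    configfile: Optional[str] = None   # GRUB-legacy: switch to another menu.lst

def parse_menu(text: str) -> Tuple[int, List[Entry]]:
    """Parse menu.lst text into (default index, entries), failing closed."""
    default, entries, current = 0, [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if len(raw) > MAX_LINE_LEN or any(c != "\t" and not c.isprintable() for c in raw):
            raise MenuError(f"line {lineno}: oversized or non-printable")
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue                      # blank line or comment
        cmd, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "title":
            if len(entries) >= MAX_ENTRIES:
                raise MenuError("too many entries")
            current = Entry(title=arg)
            entries.append(current)
        elif current is None:             # global section, before any title
            if cmd == "default":          # timeout, color, ... are ignored here
                if not arg.isdigit():
                    raise MenuError(f"line {lineno}: default needs a number")
                default = int(arg)
        elif cmd in ("kernel", "initrd", "configfile"):
            setattr(current, cmd, arg)    # root and other directives are ignored
    if not entries or default >= len(entries):
        raise MenuError("no entries, or default out of range")
    return default, entries

def resolve(files: Dict[str, str], path: str, choice: Optional[int] = None,
            depth: int = 0) -> Entry:
    """Entry that boots from the menu.lst at `path`. `choice` models the user
    interrupting the menu and picking an index; None takes the default. The
    configfile chain is bounded so two menus pointing at each other cannot
    recurse forever."""
    if depth > MAX_CHAIN_DEPTH:
        raise MenuError("configfile chain too deep")
    if path not in files:
        raise MenuError(f"{path}: not found")
    default, entries = parse_menu(files[path])
    index = default if choice is None else choice
    if not 0 <= index < len(entries):
        raise MenuError(f"entry {index} out of range")
    entry = entries[index]
    if entry.configfile is not None:
        return resolve(files, entry.configfile, None, depth + 1)
    if entry.kernel is None:
        raise MenuError(f"entry '{entry.title}' has no kernel")
    return entry

RESCUE_MENU = "(hd0,0)/boot/grub/menu.lst"   # read-only volume the owner cannot write
USER_MENU = "(hd0,1)/boot/grub/menu.lst"     # the owner's own volume

# Constructed sample menus. The rescue menu's default entry chains to the
# owner's menu; its entry 0 boots the rescue system directly.
SAMPLE_FILES = {
    RESCUE_MENU: "default 1\ntimeout 5\n\ntitle rescue (read-only volume)\n"
                 "root (hd0,0)\nkernel /boot/vmlinuz-rescue root=/dev/xvda1 ro\n"
                 "initrd /boot/initrd-rescue.img\n\ntitle user system\n"
                 "configfile " + USER_MENU + "\n",
    USER_MENU: "default 0\ntimeout 2\n\ntitle user kernel\nroot (hd0,1)\n"
               "kernel /boot/vmlinuz-user root=/dev/xvda2 ro\n"
               "initrd /boot/initrd-user.img\n",
}
# The owner broke their menu (default points past the only entry) ...
BROKEN_FILES = {**SAMPLE_FILES,
                USER_MENU: "default 3\ntitle user kernel\nkernel /boot/vmlinuz-user\n"}
# ... or made it chain straight back to the rescue menu.
LOOPING_FILES = {**SAMPLE_FILES, USER_MENU: "title loop\nconfigfile " + RESCUE_MENU + "\n"}

def boot_kernel(files: Dict[str, str], choice: Optional[int] = None) -> str:
    """Kernel line selected when the guest boots through the rescue menu."""
    return resolve(files, RESCUE_MENU, choice).kernel

def default_refused(files: Dict[str, str]) -> bool:
    """True when the default path through the rescue menu is rejected."""
    try:
        boot_kernel(files)
    except MenuError:
        return True
    return False

if __name__ == "__main__":
    print("normal boot:", boot_kernel(SAMPLE_FILES), "| rescue entry:", boot_kernel(SAMPLE_FILES, 0))
    print("broken menu refused:", default_refused(BROKEN_FILES),
          "| looping menu refused:", default_refused(LOOPING_FILES), "| rescue still boots")
```

Run it and the normal path resolves through the chain to the owner's kernel, while both the broken and the looping owner menus are refused on the default path but still boot from the rescue entry, because that volume was never writable to the owner. With pygrub this parsing happens in dom0; with pvgrub the same logic runs inside the guest, which is the whole of Luke's argument.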
On 28 April 2012 05:42, Luke S. Crawford <lsc@prgmr.com> wrote:
> On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> > eva wrote:
> >
> > > Thanks for answering. I read that part, but afterwards I read the link
> > > that Luke posted that says:
> > >
> > > "The problem with PyGRUB is that while it's a good simulation of a
> > > bootloader, it has to mount the domU partition"
> > >
> > > http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> > >
> > > ..hence my confusion.
> >
> > Hmm, yes. One or other of the Wiki entries is wrong then.
>
> Technically, mine is wrong; it uses libfsimage to pull the kernel out
> of the block device, it doesn't mount it. But that has many of the
> dangers of mounting directly. (As someone else pointed out, I think,
> libfsimage can be run as something other than root, as long as it has read
> access to the block device, and that helps some, though by default I think
> it does run as root. But Pvgrub runs entirely within the guest, so there
> is no way a problem in pvgrub can lead to a dom0 compromise.)
>
> Note, pvgrub also protects you from, say, exploits in the code used to
> decompress the kernel; with pvgrub, the kernel is uncompressed within
> the DomU.
>
> > In that link I see the answer to your other query. In there, in
> > extolling the virtues of pvgrub, the author is hinting (but
> > explicitly stating) that he is providing a read-only volume which the
> > end user (DomU owner) cannot modify. In that read-only partition, he
> > has a basic (rescue) system which the DomU always boots "through" -
> > thus the end user can never ever completely trash his DomU to the
> > point that it won't boot anything.
> > My guess is that he has GRUB installed in the rescue partition, with
> > two entries - rescue and user. Rescue boots into the rescue system,
> > user (the default) chain loads a GRUB config from the user's normal
> > partition. In normal operation, the DomU will load the read-only
> > GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> > user screws it up, he can interrupt the initial GRUB, boot into the
> > rescue system, and from there fix his own system.
>
> exactly.
>

Thank you guys for helping me clarify this point.

Regards,
Eva

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users