Hello all,

I've been using pygrub successfully as my bootloader but I recently ran across this and I'm wondering if anyone has any insight:

http://wiki.xensource.com/xenwiki/PvGrub

This says that pv-grub is a replacement for pygrub that loads the kernel and initrd from within the domU safely. As far as I knew, pygrub does this as well in my recent Xen 4.1 installation, however I know that pygrub has to read the kernel and initrd out of the domU for a moment to boot it.

My Xen 4.1 installation does not seem to come with any pv-grub gzip files as are shown in the documentation. Has pygrub since replaced pv-grub, or is pv-grub still in existence and if so what is the difference? Can pv-grub actually use the installed grub from within the domU without ever reading anything from within the domU outside in dom0?

Thank you,
Chris

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

At 11:48 -0400 7/5/12, Chris Dickson wrote:
> Hello all, I've been using pygrub successfully as my bootloader but
> I recently ran across this and I'm wondering if anyone has any
> insight:
>
> http://wiki.xensource.com/xenwiki/PvGrub

See the thread titled "Where does PyGrub run?" from the archives for last month.

> This says that pv-grub is a replacement for pygrub that loads the
> kernel and initrd from within the domU safely. As far as I knew,
> pygrub does this as well in my recent Xen 4.1 installation, however
> I know that pygrub has to read the kernel and initrd out of the domU
> for a moment to boot it.

Indeed, you have hit the nail on the head.
PyGrub copies the DomU kernel and initrd from the DomU filesystem image to Dom0 and then creates a new domain using that kernel. This means that PyGrub manipulates the DomU filesystem and files from within Dom0, which is a potential security issue if someone can find a flaw in the code and craft (for example) a malicious filesystem or menu.lst.

PvGrub executes within the newly created DomU environment.

If you read through the previous thread you'll see that it's possible to set up guests with a read-only recovery partition so that it's not possible for a user to make their VM unbootable with PvGrub.

> My Xen 4.1 installation does not seem to come with any pv-grub gzip
> files as are shown in the documentation. Has pygrub since replaced
> pv-grub, or is pv-grub still in existence and if so what is the
> difference?

AFAIK both are still current programs. However I vaguely recall there being some licensing issue that means PvGrub is not included in some distros (Debian being one).

Ah, now I look it up I see it's probably more a case of "not been packaged yet" for Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588839
http://xen.1045712.n5.nabble.com/pv-grub-removed-td3046506.html

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

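One way to check which guests still have dom0 parsing guest-controlled boot files, as an added example that is not part of the thread: the script classifies xm/xl-style domU configs by boot method. The sample configs, file names and paths are constructed, and the pv-grub `kernel`/`extra` lines are assumed typical settings.

```python
import re

# Constructed sample domU configs (xm/xl style); file names, disk and
# kernel paths are illustrative assumptions, not taken from the thread.
SAMPLE_CONFIGS = {
    "web01.cfg": '''
bootloader = "/usr/bin/pygrub"
disk = ["phy:/dev/vg0/web01,xvda,w"]
''',
    "db01.cfg": '''
kernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"
extra = "(hd0,0)/boot/grub/menu.lst"
''',
    "legacy.cfg": '''
# bootloader = "/usr/bin/pygrub"
kernel = "/boot/vmlinuz-xen"
ramdisk = "/boot/initrd-xen.img"
''',
}

ASSIGN = re.compile(r"""^\s*(\w+)\s*=\s*["']([^"']*)["']""")

def parse_settings(text):
    """Collect simple key = "string" assignments, skipping comments."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN.match(line.split("#", 1)[0])
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def classify_boot(text):
    """Say where the guest's boot files get parsed for this config."""
    s = parse_settings(text)
    if "pygrub" in s.get("bootloader", ""):
        return "pygrub"       # dom0 reads the guest filesystem and menu.lst
    kernel = s.get("kernel", "")
    if re.search(r"pv-?grub", kernel):
        return "pv-grub"      # GRUB runs inside the newly created domU
    if kernel:
        return "dom0-kernel"  # kernel/initrd supplied from dom0, no guest parsing
    return "unknown"

def audit(configs):
    return {name: classify_boot(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, mode in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name}: {mode}")
```

Guests reported as `pygrub` are the ones where dom0 opens the guest's disk image, which is the exposure described in the reply above.
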
Arg, thanks Simon. I'm using the debian package so that's the issue. I'm compiling everything in 4.1.2 from source now so hopefully pv-grub gets built.

On Mon, May 07, 2012 at 12:57:54PM -0400, Chris Dickson wrote:
> Arg, thanks Simon. I'm using the debian package so that's the issue. I'm
> compiling everything in 4.1.2 from source now so hopefully pv-grub gets
> built.

Note, pv-grub doesn't need to be built with the dom0 you use.
I have a bunch of CentOS5/xen Dom0s, and the RHEL5/xen doesn't come with pv-grub. I compile pv-grub separately and just copy the binary to my RHEL5 dom0 and it works fine.

Thanks all, everything is working nicely now. After getting the prereqs for xen 4.1.2 I did a 'make stubdom' and found pv-grub-x86_64.gz waiting for me in ./dist/install/usr/lib/xen/boot/.

Also, I noticed people talking about the grub 0.97 fedora patch with ext4 support, so I gave that a shot and placed it at ./stubdom/grub.patches/grub-ext4-support.patch. Here's where I got it from.

http://pkgs.fedoraproject.org/gitweb/?p=grub.git;a=blob_plain;f=grub-ext4-support.patch;hb=3bcdb10fc21d8e94efa70fd91d21224f13f01433

Booted a domU right up with pv-grub off of an ext4 volume. Nice.

Thanks,
Chris

On Mon, May 7, 2012 at 1:36 PM, Luke S. Crawford <lsc@prgmr.com> wrote:
> On Mon, May 07, 2012 at 12:57:54PM -0400, Chris Dickson wrote:
> > Arg, thanks Simon. I'm using the debian package so that's the issue. I'm
> > compiling everything in 4.1.2 from source now so hopefully pv-grub gets
> > built.
>
> Note, pv-grub doesn't need to be built with the dom0 you use.
> I have a bunch of CentOS5/xen Dom0s, and the RHEL5/xen doesn't come
> with pv-grub. I compile pv-grub separately and just copy the binary
> to my RHEL5 dom0 and it works fine.