Good evening to you all,

Apologies if this is a naive question.
I am currently working on the Mini-OS stubdomain and trying to access the Xenstore.
Mini-OS has its own implementation for accessing the Xenstore (xs_wire.h) with functions such as xs_write, xs_read etc.
However when the stubdomain is run it doesn't even have permission to access its own local area in the Xenstore, e.g. /local/domain/16
(I get an EACCES error code)

I have tried reading the wiki but it isn't clear when permissions need to be set.
Are they meant to be set before the stubdomain is launched?
Is it like this by default?

Furthermore, is Mini-OS capable of setting permissions for other guests to access a particular path in the Xenstore, using a C call?
So far I have not seen anything that does this.

I'd be grateful if you can clear up this confusion I'm having.

Regards,

Adrian

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
On Mon, 2012-07-02 at 16:45 +0100, Adrian Shaw wrote:
> Good evening to you all,
>
> Apologies if this is a naive question.
> I am currently working on the Mini-OS stubdomain and trying to access
> the Xenstore.
> Mini-OS has its own implementation for accessing the Xenstore
> (xs_wire.h) with functions such as xs_write, xs_read etc.
> However when the stubdomain is run it doesn't even have permission to
> access its own local area in the Xenstore,

access == write or read as well?

> e.g. /local/domain/16

Where are you getting this path from at runtime?

Is it just /local/domain/<domid> or subkeys under it too e.g. can you read /local/domain/<domid>/vm or /local/domain/<domid>/name?

> (I get an EACCES error code)
>
> I have tried reading the wiki but it isn't clear when permissions need
> to be set.
> Are they meant to be set before the stubdomain is launched?
> Is it like this by default?

The toolstack should do this for you, before launching the domain.

How are you loading the domain?

"xenstore-ls -fp" should give you some insight into the permissions which are being set. I wouldn't be surprised if a domain could not write to /local/domain/<domid> itself but there should be accessible keys under there.

> Furthermore, is Mini-OS capable of setting permissions for other
> guests to access a particular path in the Xenstore, using a C call?
> So far I have not seen anything that does this.

Usually only the toolstack can control permissions in this way.

This is relaxed slightly for a qemu-stubdomain which does have some additional XS privileges over the domain for which it is the device model (but only that domain).

> I'd be grateful if you can clear up this confusion I'm having.
>
> Regards,
>
> Adrian
On Mon, Jul 2, 2012 at 4:56 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:

> On Mon, 2012-07-02 at 16:45 +0100, Adrian Shaw wrote:
> > Good evening to you all,
> >
> > Apologies if this is a naive question.
> > I am currently working on the Mini-OS stubdomain and trying to access
> > the Xenstore.
> > Mini-OS has its own implementation for accessing the Xenstore
> > (xs_wire.h) with functions such as xs_write, xs_read etc.
> > However when the stubdomain is run it doesn't even have permission to
> > access its own local area in the Xenstore,
>
> access == write or read as well?

Yes, both reading and writing.

> > e.g. /local/domain/16
>
> Where are you getting this path from at runtime?

Using xs_get_domain_path

> Is it just /local/domain/<domid> or subkeys under it too e.g. can you
> read /local/domain/<domid>/vm or /local/domain/<domid>/name?

I have tried to write subkeys too, however I'm not sure whether I was doing so correctly. It yields the same error code.
There is no xs_mkdir implementation in Mini-OS, strangely.

> > (I get an EACCES error code)
> >
> > I have tried reading the wiki but it isn't clear when permissions need
> > to be set.
> >
> > Are they meant to be set before the stubdomain is launched?
> > Is it like this by default?
>
> The toolstack should do this for you, before launching the domain.
>
> How are you loading the domain?

Using xm create mystub.config -c, unless you mean something more specific?
Is there anything about permissions I should be placing in the configuration file?

> "xenstore-ls -fp" should give you some insight into the permissions
> which are being set.

I have tried that already, but couldn't find anything that explains what n0 or r0 mean?

> I wouldn't be surprised if a domain could not write
> to /local/domain/<domid> itself but there should be accessible keys
> under there.

How can I browse these available keys at runtime?

> > Furthermore, is Mini-OS capable of setting permissions for other
> > guests to access a particular path in the Xenstore, using a C call?
> > So far I have not seen anything that does this.
>
> Usually only the toolstack can control permissions in this way.

Makes sense. I'll have to assign permissions before creation then.

> This is relaxed slightly for a qemu-stubdomain which does have some
> additional XS privileges over the domain for which it is the device
> model (but only that domain).
>
> > I'd be grateful if you can clear up this confusion I'm having.
> >
> > Regards,
> >
> > Adrian

I am new to Xen so you'll have to forgive me!

Thanks,
Adrian
On Mon, 2012-07-02 at 17:12 +0100, Adrian Shaw wrote:
> > > e.g. /local/domain/16
> >
> > Where are you getting this path from at runtime?
>
> Using xs_get_domain_path

Doh, yeah ;-)

Where do you get the domid from?

> > Is it just /local/domain/<domid> or subkeys under it too e.g. can you
> > read /local/domain/<domid>/vm or /local/domain/<domid>/name?
>
> I have tried to write subkeys too, however I'm not sure whether I was
> doing so correctly. It yields the same error code.

Those ones are read-only. I know that xl creates a writable area as /l/d/<domid>/data but I don't know about xend.

> There is no xs_mkdir implementation in Mini-OS, strangely.

I expect no one ever needed it yet, should be easy to add if you want.

> > How are you loading the domain?
>
> Using xm create mystub.config -c, unless you mean something more
> specific?
> Is there anything about permissions I should be placing in the
> configuration file?

Nope, it should all Just Work in this regard.

> > "xenstore-ls -fp" should give you some insight into the permissions
> > which are being set.
>
> I have tried that already, but couldn't find anything that explains
> what n0 or r0 mean?

http://wiki.xen.org/wiki/XenBus#Permissions has a bit on the (mad) permission scheme.

It uses Python syntax though. n == no permissions, r == read only, w = write only, b == both. The number is the domain. The quirk is that the first entry in the list is the owner and the permissions for all *other* users (unless overridden further down the list)

Clear as mud I expect...

By way of an example:

/local/domain/1 = "" (n0,r1)

Means that domain 0 owns this path and can therefore read and write and nobody else has any read or write privilege (the "n0" means this), except domain 1 who can read it (the "r1"). So it seems that it is expected that a domain cannot write /local/domain/<domid>, but it ought to be able to read it.

> > I wouldn't be surprised if a domain could not write
> > to /local/domain/<domid> itself but there should be accessible keys
> > under there.
>
> How can I browse these available keys at runtime?

xenstore-ls on the cmd line or xs_directory().

Ian.
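An added example (not part of any poster's message, and not Mini-OS or Xen code): a small C parser for the permission lists that "xenstore-ls -fp" prints, applying only the owner/default/override rules described in the message above. The names xs_effective_access, xs_line_access and the XS_* constants are hypothetical; the sample line is the one from the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { XS_NONE = 0, XS_READ = 1, XS_WRITE = 2, XS_BOTH = 3 };

/* Effective access of `domid` under a list such as "(n0,r1)": the first entry
 * names the owner (read and write) and its letter is the default for all
 * other domains; later entries override it. Returns -1 if malformed. */
int xs_effective_access(const char *list, unsigned long domid) {
    const char *p = list, *letters = "nrwb", *hit;
    int owner = 0, access = -1;
    char *end;
    if (*p++ != '(')
        return -1;
    while (*p != ')') {
        if (*p == '\0' || !(hit = strchr(letters, *p)) ||
            !isdigit((unsigned char)p[1]))
            return -1;                      /* bad letter or missing domid */
        unsigned long id = strtoul(p + 1, &end, 10);
        int bits = (int)(hit - letters);    /* n=0, r=1, w=2, b=3 */
        if (access < 0) {                   /* first entry: owner + default */
            owner = (id == domid);
            access = owner ? XS_BOTH : bits;
        } else if (id == domid && !owner) {
            access = bits;                  /* per-domain override */
        }
        p = end;
        if (*p == ',' && p[1] != ')')
            p++;
        else if (*p != ')')
            return -1;
    }
    return access;                          /* stays -1 for an empty "()" */
}

/* Same check applied to a whole "path = value (perms)" output line. */
int xs_line_access(const char *line, unsigned long domid) {
    const char *open = strrchr(line, '(');
    return open ? xs_effective_access(open, domid) : -1;
}

int main(void) {
    const char *line = "/local/domain/1 = \"\"   (n0,r1)";  /* thread's example */
    for (unsigned long d = 0; d < 3; d++)
        printf("dom%lu -> %d\n", d, xs_line_access(line, d));
    return 0;
}
```

Running it over the output for /local/domain/<domid> and its subkeys shows which paths a guest can read or write before it makes any xs_read or xs_write call.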
Apologies for the late reply, I was without an internet connection.

On Mon, Jul 2, 2012 at 5:24 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:

> On Mon, 2012-07-02 at 17:12 +0100, Adrian Shaw wrote:
> > > > e.g. /local/domain/16
> > >
> > > Where are you getting this path from at runtime?
> >
> > Using xs_get_domain_path
>
> Doh, yeah ;-)
>
> Where do you get the domid from?

Sorry :-P using xenbus_get_self_id()

> > > Is it just /local/domain/<domid> or subkeys under it too e.g. can you
> > > read /local/domain/<domid>/vm or /local/domain/<domid>/name?
> >
> > I have tried to write subkeys too, however I'm not sure whether I was
> > doing so correctly. It yields the same error code.
>
> Those ones are read-only. I know that xl creates a writable area
> as /l/d/<domid>/data but I don't know about xend.
>
> > There is no xs_mkdir implementation in Mini-OS, strangely.
>
> I expect no one ever needed it yet, should be easy to add if you want.

As you may have gathered, I don't have the confidence or expertise to write it, but perhaps one day :-)

> > > How are you loading the domain?
> >
> > Using xm create mystub.config -c, unless you mean something more
> > specific?
> > Is there anything about permissions I should be placing in the
> > configuration file?
>
> Nope, it should all Just Work in this regard.
>
> > > "xenstore-ls -fp" should give you some insight into the permissions
> > > which are being set.
> >
> > I have tried that already, but couldn't find anything that explains
> > what n0 or r0 mean?
>
> http://wiki.xen.org/wiki/XenBus#Permissions has a bit on the (mad)
> permission scheme.
>
> It uses Python syntax though. n == no permissions, r == read only, w =
> write only, b == both. The number is the domain. The quirk is that the
> first entry in the list is the owner and the permissions for all *other*
> users (unless overridden further down the list)

Thanks for clearing that up, noted.

> Clear as mud I expect...
>
> By way of an example:
>
> /local/domain/1 = "" (n0,r1)
>
> Means that domain 0 owns this path and can therefore read and write and
> nobody else has any read or write privilege (the "n0" means this),
> except domain 1 who can read it (the "r1"). So it seems that it is
> expected that a domain cannot write /local/domain/<domid>, but it ought
> to be able to read it.
>
> > > I wouldn't be surprised if a domain could not write
> > > to /local/domain/<domid> itself but there should be accessible keys
> > > under there.
> >
> > How can I browse these available keys at runtime?
>
> xenstore-ls on the cmd line or xs_directory().

Many thanks Ian, I'll give that a shot. Could not figure out what that function was for.

> Ian.