Hi, I have a Debian Wheezy Linux server running Xen 4.1. I have used Xen for a couple of years now, but not on these versions, and I am having a problem launching a VM. Here is a pastie entry of xend.log http://pastie.org/pastes/7707677/text Many thanks, Jon
On Wed, 2013-04-24 at 10:22 +0100, Jonathan Gowar wrote:> Hi, > > I have a Debian Wheezy Linux server running Xen 4.1. I have used Xen > for a couple of years now, but not on these versions, and I am having a > problem launching a VM. Here is a pastie entry of xend.log > http://pastie.org/pastes/7707677/text > > Many thanks, > > Jon > > > > > > _______________________________________________ > Xen-users mailing list > Xen-users@lists.xen.org > http://lists.xen.org/xen-usersAdditionally, this is in xm dmesg (XEN) Xen does not allow DomU creation on this CPU for security reasons. Nothing else I can see pointing to the cause.
On Wed, 2013-04-24 at 11:04 +0100, Jonathan Gowar wrote:> On Wed, 2013-04-24 at 10:22 +0100, Jonathan Gowar wrote: > > Hi, > > > > I have a Debian Wheezy Linux server running Xen 4.1. I have used Xen > > for a couple of years now, but not on these versions, and I am having a > > problem launching a VM. Here is a pastie entry of xend.log > > http://pastie.org/pastes/7707677/text > > > > Many thanks, > > > > Jon > > > > > > > > > > > > _______________________________________________ > > Xen-users mailing list > > Xen-users@lists.xen.org > > http://lists.xen.org/xen-users > > Additionally, this is in xm dmesg > > (XEN) Xen does not allow DomU creation on this CPU for security reasons.This sounds like it is related to XSA-9: http://wiki.xen.org/wiki/Security_Announcements#XSA-9_PV_guest_host_Denial_of_Service_.28AMD_erratum_.23121.29 If you are confident that the attack scenarios do not apply to you then you can add "allow_unsafe" to your hypervisor command line. Ian.
On Wed, 2013-04-24 at 11:13 +0100, Ian Campbell wrote:> On Wed, 2013-04-24 at 11:04 +0100, Jonathan Gowar wrote: > > On Wed, 2013-04-24 at 10:22 +0100, Jonathan Gowar wrote: > > > Hi, > > > > > > I have a Debian Wheezy Linux server running Xen 4.1. I have used Xen > > > for a couple of years now, but not on these versions, and I am having a > > > problem launching a VM. Here is a pastie entry of xend.log > > > http://pastie.org/pastes/7707677/text > > > > > > Many thanks, > > > > > > Jon > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Xen-users mailing list > > > Xen-users@lists.xen.org > > > http://lists.xen.org/xen-users > > > > Additionally, this is in xm dmesg > > > > (XEN) Xen does not allow DomU creation on this CPU for security reasons. > > This sounds like it is related to XSA-9: > http://wiki.xen.org/wiki/Security_Announcements#XSA-9_PV_guest_host_Denial_of_Service_.28AMD_erratum_.23121.29 > > If you are confident that the attack scenarios do not apply to you then > you can add "allow_unsafe" to your hypervisor command line. > > Ian. >Vadim, thank you for your quick response. Firstly, here: # xl getenforce ERROR: A different toolstack (xm) have been selected! Is xl ''better'' than xm? Secondly, please let me know the preferred thread, and I''ll post there :) Ian, thank you too. That certain seems to be the problem, but I can''t work the solution. I added allow_unsafe to default/grub and updated: # cat /proc/cmdline placeholder root=UUID=3ecb462b-f87c-49a6-9a56-1af61990c40a ro allow_unsafe Still the same error though. Here are some parts from xm dmesg: (XEN) *** Xen will not allow creation of DomU-s on this CPU for security reasons. *** (XEN) *** Pass "allow_unsafe" if you\047re trusting all your (PV) guest kernels. *** (XEN) AMD-Vi: IOMMU not found! (XEN) I/O virtualisation disabled ... (XEN) Xen does not allow DomU creation on this CPU for security reasons. Am I implementing the allow_unsafe parameter correctly? Here is cpuinfo (for one core): # cat /proc/cpuinfo processor : 0 vendor_id : AuthenticAMD cpu family : 15 model : 37 model name : AMD Opteron(tm) Processor 246 stepping : 1 cpu MHz : 1992.143 cache size : 1024 KB fpu : yes fpu_exception : yes cpuid level : 1 wp : yes flags : fpu de tsc msr pae cx8 apic cmov pat clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt lm 3dnowext 3dnow rep_good nopl extd_apicid pni hypervisor lahf_lm bogomips : 3984.28 TLB size : 1024 4K pages clflush size : 64 cache_alignment : 64 address sizes : 40 bits physical, 48 bits virtual power management: ts fid vid ttp
On Wed, 2013-04-24 at 12:06 +0100, Jonathan Gowar wrote:> Ian, thank you too. That certain seems to be the problem, but I can''t > work the solution. I added allow_unsafe to default/grub and updated: > > # cat /proc/cmdline > placeholder root=UUID=3ecb462b-f87c-49a6-9a56-1af61990c40a ro > allow_unsafeIt needs to be added to the hypervisor command line, not the dom0 kernel command line which you have here. That''s GRUB_CMDLINE_XEN in /etc/default/grub on Debian at least.> > Still the same error though. Here are some parts from xm dmesg: > > (XEN) *** Xen will not allow creation of DomU-s on this CPU for security reasons. *** > (XEN) *** Pass "allow_unsafe" if you\047re trusting all your (PV) guest kernels. ***Ian.
On Wed, 2013-04-24 at 12:12 +0100, Ian Campbell wrote:> On Wed, 2013-04-24 at 12:06 +0100, Jonathan Gowar wrote: > > Ian, thank you too. That certain seems to be the problem, but I can''t > > work the solution. I added allow_unsafe to default/grub and updated: > > > > # cat /proc/cmdline > > placeholder root=UUID=3ecb462b-f87c-49a6-9a56-1af61990c40a ro > > allow_unsafe > > It needs to be added to the hypervisor command line, not the dom0 kernel > command line which you have here. > > That''s GRUB_CMDLINE_XEN in /etc/default/grub on Debian at least. > > > > > Still the same error though. Here are some parts from xm dmesg: > > > > (XEN) *** Xen will not allow creation of DomU-s on this CPU for security reasons. *** > > (XEN) *** Pass "allow_unsafe" if you\047re trusting all your (PV) guest kernels. *** > > Ian. > > > _______________________________________________ > Xen-users mailing list > Xen-users@lists.xen.org > http://lists.xen.org/xen-usersMany thanks, that was it. GRUB_CMDLINE_XEN="allow_unsafe=true" Regards, Jon
On Wed, 2013-04-24 at 12:59 +0100, Jonathan Gowar wrote:> On Wed, 2013-04-24 at 12:12 +0100, Ian Campbell wrote: > > On Wed, 2013-04-24 at 12:06 +0100, Jonathan Gowar wrote: > > > Ian, thank you too. That certain seems to be the problem, but I can''t > > > work the solution. I added allow_unsafe to default/grub and updated: > > > > > > # cat /proc/cmdline > > > placeholder root=UUID=3ecb462b-f87c-49a6-9a56-1af61990c40a ro > > > allow_unsafe > > > > It needs to be added to the hypervisor command line, not the dom0 kernel > > command line which you have here. > > > > That''s GRUB_CMDLINE_XEN in /etc/default/grub on Debian at least. > > > > > > > > Still the same error though. Here are some parts from xm dmesg: > > > > > > (XEN) *** Xen will not allow creation of DomU-s on this CPU for security reasons. *** > > > (XEN) *** Pass "allow_unsafe" if you\047re trusting all your (PV) guest kernels. *** > > > > Ian. > >> Many thanks, that was it. > > GRUB_CMDLINE_XEN="allow_unsafe=true"I have installed XCP 1.6 CentOS version today, and have the same issue. I want to know where to add the allow_unsafe option, but I have not been able to find were to change this in CentOS; as there is no /etc/default/grub or /boot/grub/menu.lst Assistance appreciated. Regards, Jon
Hi Jon, On 01/05/13 14:19, Jonathan Gowar wrote:> > I have installed XCP 1.6 CentOS version today, and have the same issue. > I want to know where to add the allow_unsafe option, but I have not been > able to find were to change this in CentOS; as there is > no /etc/default/grub or /boot/grub/menu.lst Assistance appreciated. > >I think that you''re trying to share a core between your Dom0 and a DomU which, if your DomUs aren''t trusted might present a risk of taking the machine down if the one sharing that Dom0 CPU falls over. I don''t know CentOS but, depending on which version of GrUB you have, it might be worth checking /boot/grub/grub.conf or searching in /etc/sysconfig. Bests, Paul.
On Wed, 2013-05-01 at 14:19 +0100, Jonathan Gowar wrote:> I have installed XCP 1.6 CentOS version today, and have the same issue. > I want to know where to add the allow_unsafe option, but I have not been > able to find were to change this in CentOS; as there is > no /etc/default/grub or /boot/grub/menu.lst Assistance appreciated.XCP discussions usually happen on the (badly named) xen-api@ list. IIRC XCP uses extlinux, so I''d expect /boot/extlinux.conf or something along those lines to exist. Ian.
On Wed, 2013-05-01 at 15:21 +0100, Paul Stimpson wrote:> Hi Jon, > > On 01/05/13 14:19, Jonathan Gowar wrote: > > > > I have installed XCP 1.6 CentOS version today, and have the same issue. > > I want to know where to add the allow_unsafe option, but I have not been > > able to find were to change this in CentOS; as there is > > no /etc/default/grub or /boot/grub/menu.lst Assistance appreciated. > > > > > > I think that you''re trying to share a core between your Dom0 and a DomU > which, if your DomUs aren''t trusted might present a risk of taking the > machine down if the one sharing that Dom0 CPU falls over. > > I don''t know CentOS but, depending on which version of GrUB you have, it > might be worth checking /boot/grub/grub.conf or searching in /etc/sysconfig.Thanks, Paul. In the end, I found it in /boot/extlinux.conf , more importantly, I can launch VMs now :) Regards, Jon