view docs/src/user.tex @ 10957:cec400df7462

Change default scheduler in user's manual (from sedf to credit).
Signed-off-by: Atsushi SAKAI <>
author ack@localhost.localdomain
date Thu Aug 03 15:05:54 2006 +0100 (2006-08-03)
parents 3fae79942240
children 457c427c28fc
line source
1 \documentclass[11pt,twoside,final,openright]{report}
2 \usepackage{a4,graphicx,html,parskip,setspace,times,xspace,url}
3 \setstretch{1.15}
5 \renewcommand{\ttdefault}{pcr}
7 \def\Xend{{Xend}\xspace}
8 \def\xend{{xend}\xspace}
10 \latexhtml{\renewcommand{\path}[1]{{\small {\tt #1}}}}{\renewcommand{\path}[1]{{\tt #1}}}
13 \begin{document}
16 \pagestyle{empty}
17 \begin{center}
18 \vspace*{\fill}
19 \includegraphics{figs/xenlogo.eps}
20 \vfill
21 \vfill
22 \vfill
23 \begin{tabular}{l}
24 {\Huge \bf Users' Manual} \\[4mm]
25 {\huge Xen v3.0} \\[80mm]
26 \end{tabular}
27 \end{center}
29 {\bf DISCLAIMER: This documentation is always under active development
30 and as such there may be mistakes and omissions --- watch out for
31 these and please report any you find to the developers' mailing list,
32 The latest version is always available
33 on-line. Contributions of material, suggestions and corrections are
34 welcome.}
36 \vfill
37 \clearpage
41 \pagestyle{empty}
43 \vspace*{\fill}
45 Xen is Copyright \copyright 2002-2005, University of Cambridge, UK, XenSource
46 Inc., IBM Corp., Hewlett-Packard Co., Intel Corp., AMD Inc., and others. All
47 rights reserved.
49 Xen is an open-source project. Most portions of Xen are licensed for copying
50 under the terms of the GNU General Public License, version 2. Other portions
51 are licensed under the terms of the GNU Lesser General Public License, the
52 Zope Public License 2.0, or under ``BSD-style'' licenses. Please refer to the
53 COPYING file for details.
55 Xen includes software by Christopher Clark. This software is covered by the
56 following licence:
58 \begin{quote}
59 Copyright (c) 2002, Christopher Clark. All rights reserved.
61 Redistribution and use in source and binary forms, with or without
62 modification, are permitted provided that the following conditions are met:
64 \begin{itemize}
65 \item Redistributions of source code must retain the above copyright notice,
66 this list of conditions and the following disclaimer.
68 \item Redistributions in binary form must reproduce the above copyright
69 notice, this list of conditions and the following disclaimer in the
70 documentation and/or other materials provided with the distribution.
72 \item Neither the name of the original author; nor the names of any
73 contributors may be used to endorse or promote products derived from this
74 software without specific prior written permission.
75 \end{itemize}
87 \end{quote}
89 \cleardoublepage
93 \pagestyle{plain}
94 \pagenumbering{roman}
95 { \parskip 0pt plus 1pt
96 \tableofcontents }
97 \cleardoublepage
101 \pagenumbering{arabic}
102 \raggedbottom
103 \widowpenalty=10000
104 \clubpenalty=10000
105 \parindent=0pt
106 \parskip=5pt
107 \renewcommand{\topfraction}{.8}
108 \renewcommand{\bottomfraction}{.8}
109 \renewcommand{\textfraction}{.2}
110 \renewcommand{\floatpagefraction}{.8}
111 \setstretch{1.1}
114 %% Chapter Introduction moved to introduction.tex
115 \chapter{Introduction}
118 Xen is an open-source \emph{para-virtualizing} virtual machine monitor
119 (VMM), or ``hypervisor'', for the x86 processor architecture. Xen can
120 securely execute multiple virtual machines on a single physical system
121 with close-to-native performance. Xen facilitates enterprise-grade
122 functionality, including:
124 \begin{itemize}
125 \item Virtual machines with performance close to native hardware.
126 \item Live migration of running virtual machines between physical hosts.
127 \item Up to 32 virtual CPUs per guest virtual machine, with VCPU hotplug.
128 \item x86/32, x86/32 with PAE, and x86/64 platform support.
129 \item Intel Virtualization Technology (VT-x) for unmodified guest operating systems (including Microsoft Windows).
130 \item Excellent hardware support (supports almost all Linux device
131 drivers).
132 \end{itemize}
135 \section{Usage Scenarios}
137 Usage scenarios for Xen include:
139 \begin{description}
140 \item [Server Consolidation.] Move multiple servers onto a single
141 physical host with performance and fault isolation provided at the
142 virtual machine boundaries.
143 \item [Hardware Independence.] Allow legacy applications and operating
144 systems to exploit new hardware.
145 \item [Multiple OS configurations.] Run multiple operating systems
146 simultaneously, for development or testing purposes.
147 \item [Kernel Development.] Test and debug kernel modifications in a
148 sand-boxed virtual machine --- no need for a separate test machine.
149 \item [Cluster Computing.] Management at VM granularity provides more
150 flexibility than separately managing each physical host, but better
151 control and isolation than single-system image solutions,
152 particularly by using live migration for load balancing.
153 \item [Hardware support for custom OSes.] Allow development of new
154 OSes while benefiting from the wide-ranging hardware support of
155 existing OSes such as Linux.
156 \end{description}
159 \section{Operating System Support}
161 Para-virtualization permits very high performance virtualization, even
162 on architectures like x86 that are traditionally very hard to
163 virtualize.
165 This approach requires operating systems to be \emph{ported} to run on
166 Xen. Porting an OS to run on Xen is similar to supporting a new
167 hardware platform, however the process is simplified because the
168 para-virtual machine architecture is very similar to the underlying
169 native hardware. Even though operating system kernels must explicitly
170 support Xen, a key feature is that user space applications and
171 libraries \emph{do not} require modification.
173 With hardware CPU virtualization as provided by Intel VT and AMD
174 SVM technology, the ability to run an unmodified guest OS kernel
175 is available. No porting of the OS is required, although some
176 additional driver support is necessary within Xen itself. Unlike
177 traditional full virtualization hypervisors, which suffer a tremendous
178 performance overhead, the combination of Xen and VT or Xen and
179 Pacifica technology complement one another to offer superb performance
180 for para-virtualized guest operating systems and full support for
181 unmodified guests running natively on the processor. Full support for
182 VT and Pacifica chipsets will appear in early 2006.
184 Paravirtualized Xen support is available for increasingly many
185 operating systems: currently, mature Linux support is available and
186 included in the standard distribution. Other OS ports---including
187 NetBSD, FreeBSD and Solaris x86 v10---are nearing completion.
190 \section{Hardware Support}
192 Xen currently runs on the x86 architecture, requiring a ``P6'' or
193 newer processor (e.g.\ Pentium Pro, Celeron, Pentium~II, Pentium~III,
194 Pentium~IV, Xeon, AMD~Athlon, AMD~Duron). Multiprocessor machines are
195 supported, and there is support for HyperThreading (SMT). In
196 addition, ports to IA64 and Power architectures are in progress.
198 The default 32-bit Xen supports up to 4GB of memory. However Xen 3.0
199 adds support for Intel's Physical Addressing Extensions (PAE), which
200 enable x86/32 machines to address up to 64 GB of physical memory. Xen
201 3.0 also supports x86/64 platforms such as Intel EM64T and AMD Opteron
202 which can currently address up to 1TB of physical memory.
204 Xen offloads most of the hardware support issues to the guest OS
205 running in the \emph{Domain~0} management virtual machine. Xen itself
206 contains only the code required to detect and start secondary
207 processors, set up interrupt routing, and perform PCI bus
208 enumeration. Device drivers run within a privileged guest OS rather
209 than within Xen itself. This approach provides compatibility with the
210 majority of device hardware supported by Linux. The default XenLinux
211 build contains support for most server-class network and disk
212 hardware, but you can add support for other hardware by configuring
213 your XenLinux kernel in the normal way.
216 \section{Structure of a Xen-Based System}
218 A Xen system has multiple layers, the lowest and most privileged of
219 which is Xen itself.
221 Xen may host multiple \emph{guest} operating systems, each of which is
222 executed within a secure virtual machine. In Xen terminology, a
223 \emph{domain}. Domains are scheduled by Xen to make effective use of the
224 available physical CPUs. Each guest OS manages its own applications.
225 This management includes the responsibility of scheduling each
226 application within the time allotted to the VM by Xen.
228 The first domain, \emph{domain~0}, is created automatically when the
229 system boots and has special management privileges. Domain~0 builds
230 other domains and manages their virtual devices. It also performs
231 administrative tasks such as suspending, resuming and migrating other
232 virtual machines.
234 Within domain~0, a process called \emph{xend} runs to manage the system.
235 \Xend\ is responsible for managing virtual machines and providing access
236 to their consoles. Commands are issued to \xend\ over an HTTP interface,
237 via a command-line tool.
240 \section{History}
242 Xen was originally developed by the Systems Research Group at the
243 University of Cambridge Computer Laboratory as part of the XenoServers
244 project, funded by the UK-EPSRC\@.
246 XenoServers aim to provide a ``public infrastructure for global
247 distributed computing''. Xen plays a key part in that, allowing one to
248 efficiently partition a single machine to enable multiple independent
249 clients to run their operating systems and applications in an
250 environment. This environment provides protection, resource isolation
251 and accounting. The project web page contains further information along
252 with pointers to papers and technical reports:
253 \path{}
255 Xen has grown into a fully-fledged project in its own right, enabling us
256 to investigate interesting research issues regarding the best techniques
257 for virtualizing resources such as the CPU, memory, disk and network.
258 Project contributors now include XenSource, Intel, IBM, HP, AMD, Novell,
259 RedHat.
261 Xen was first described in a paper presented at SOSP in
262 2003\footnote{\tt
263}, and the first
264 public release (1.0) was made that October. Since then, Xen has
265 significantly matured and is now used in production scenarios on many
266 sites.
268 \section{What's New}
270 Xen 3.0.0 offers:
272 \begin{itemize}
273 \item Support for up to 32-way SMP guest operating systems
274 \item Intel (Physical Addressing Extensions) PAE to support 32-bit
275 servers with more than 4GB physical memory
276 \item x86/64 support (Intel EM64T, AMD Opteron)
277 \item Intel VT-x support to enable the running of unmodified guest
278 operating systems (Windows XP/2003, Legacy Linux)
279 \item Enhanced control tools
280 \item Improved ACPI support
281 \item AGP/DRM graphics
282 \end{itemize}
285 Xen 3.0 features greatly enhanced hardware support, configuration
286 flexibility, usability and a larger complement of supported operating
287 systems. This latest release takes Xen a step closer to being the
288 definitive open source solution for virtualization.
292 \part{Installation}
294 %% Chapter Basic Installation
295 \chapter{Basic Installation}
297 The Xen distribution includes three main components: Xen itself, ports
298 of Linux and NetBSD to run on Xen, and the userspace tools required to
299 manage a Xen-based system. This chapter describes how to install the
300 Xen~3.0 distribution from source. Alternatively, there may be pre-built
301 packages available as part of your operating system distribution.
304 \section{Prerequisites}
305 \label{sec:prerequisites}
307 The following is a full list of prerequisites. Items marked `$\dag$' are
308 required by the \xend\ control tools, and hence required if you want to
309 run more than one virtual machine; items marked `$*$' are only required
310 if you wish to build from source.
311 \begin{itemize}
312 \item A working Linux distribution using the GRUB bootloader and running
313 on a P6-class or newer CPU\@.
314 \item [$\dag$] The \path{iproute2} package.
315 \item [$\dag$] The Linux bridge-utils\footnote{Available from {\tt
316}} (e.g., \path{/sbin/brctl})
317 \item [$\dag$] The Linux hotplug system\footnote{Available from {\tt
318}} (e.g.,
319 \path{/sbin/hotplug} and related scripts). On newer distributions,
320 this is included alongside the Linux udev system\footnote{See {\tt
322 \item [$*$] Build tools (gcc v3.2.x or v3.3.x, binutils, GNU make).
323 \item [$*$] Development installation of zlib (e.g.,\ zlib-dev).
324 \item [$*$] Development installation of Python v2.2 or later (e.g.,\
325 python-dev).
326 \item [$*$] \LaTeX\ and transfig are required to build the
327 documentation.
328 \end{itemize}
330 Once you have satisfied these prerequisites, you can now install either
331 a binary or source distribution of Xen.
333 \section{Installing from Binary Tarball}
335 Pre-built tarballs are available for download from the XenSource downloads
336 page:
337 \begin{quote} {\tt}
338 \end{quote}
340 Once you've downloaded the tarball, simply unpack and install:
341 \begin{verbatim}
342 # tar zxvf xen-3.0-install.tgz
343 # cd xen-3.0-install
344 # sh ./
345 \end{verbatim}
347 Once you've installed the binaries you need to configure your system as
348 described in Section~\ref{s:configure}.
350 \section{Installing from RPMs}
351 Pre-built RPMs are available for download from the XenSource downloads
352 page:
353 \begin{quote} {\tt}
354 \end{quote}
356 Once you've downloaded the RPMs, you typically install them via the
357 RPM commands:
359 \verb|# rpm -iv rpmname|
361 See the instructions and the Release Notes for each RPM set referenced at:
362 \begin{quote}
363 {\tt}.
364 \end{quote}
366 \section{Installing from Source}
368 This section describes how to obtain, build and install Xen from source.
370 \subsection{Obtaining the Source}
372 The Xen source tree is available as either a compressed source tarball
373 or as a clone of our master Mercurial repository.
375 \begin{description}
376 \item[Obtaining the Source Tarball]\mbox{} \\
377 Stable versions and daily snapshots of the Xen source tree are
378 available from the Xen download page:
379 \begin{quote} {\tt \tt}
380 \end{quote}
381 \item[Obtaining the source via Mercurial]\mbox{} \\
382 The source tree may also be obtained via the public Mercurial
383 repository at:
384 \begin{quote}{\tt}
385 \end{quote} See the instructions and the Getting Started Guide
386 referenced at:
387 \begin{quote}
388 {\tt}
389 \end{quote}
390 \end{description}
392 % \section{The distribution}
393 %
394 % The Xen source code repository is structured as follows:
395 %
396 % \begin{description}
397 % \item[\path{tools/}] Xen node controller daemon (Xend), command line
398 % tools, control libraries
399 % \item[\path{xen/}] The Xen VMM.
400 % \item[\path{buildconfigs/}] Build configuration files
401 % \item[\path{linux-*-xen-sparse/}] Xen support for Linux.
402 % \item[\path{patches/}] Experimental patches for Linux.
403 % \item[\path{docs/}] Various documentation files for users and
404 % developers.
405 % \item[\path{extras/}] Bonus extras.
406 % \end{description}
408 \subsection{Building from Source}
410 The top-level Xen Makefile includes a target ``world'' that will do the
411 following:
413 \begin{itemize}
414 \item Build Xen.
415 \item Build the control tools, including \xend.
416 \item Download (if necessary) and unpack the Linux 2.6 source code, and
417 patch it for use with Xen.
418 \item Build a Linux kernel to use in domain~0 and a smaller unprivileged
419 kernel, which can be used for unprivileged virtual machines.
420 \end{itemize}
422 After the build has completed you should have a top-level directory
423 called \path{dist/} in which all resulting targets will be placed. Of
424 particular interest are the two XenLinux kernel images, one with a
425 ``-xen0'' extension which contains hardware device drivers and drivers
426 for Xen's virtual devices, and one with a ``-xenU'' extension that
427 just contains the virtual ones. These are found in
428 \path{dist/install/boot/} along with the image for Xen itself and the
429 configuration files used during the build.
431 %The NetBSD port can be built using:
432 %\begin{quote}
433 %\begin{verbatim}
434 %# make netbsd20
435 %\end{verbatim}\end{quote}
436 %NetBSD port is built using a snapshot of the netbsd-2-0 cvs branch.
437 %The snapshot is downloaded as part of the build process if it is not
438 %yet present in the \path{NETBSD\_SRC\_PATH} search path. The build
439 %process also downloads a toolchain which includes all of the tools
440 %necessary to build the NetBSD kernel under Linux.
442 To customize the set of kernels built you need to edit the top-level
443 Makefile. Look for the line:
444 \begin{quote}
445 \begin{verbatim}
446 KERNELS ?= linux-2.6-xen0 linux-2.6-xenU
447 \end{verbatim}
448 \end{quote}
450 You can edit this line to include any set of operating system kernels
451 which have configurations in the top-level \path{buildconfigs/}
452 directory.
454 %% Inspect the Makefile if you want to see what goes on during a
455 %% build. Building Xen and the tools is straightforward, but XenLinux
456 %% is more complicated. The makefile needs a `pristine' Linux kernel
457 %% tree to which it will then add the Xen architecture files. You can
458 %% tell the makefile the location of the appropriate Linux compressed
459 %% tar file by
460 %% setting the LINUX\_SRC environment variable, e.g. \\
461 %% \verb!# LINUX_SRC=/tmp/linux-2.6.11.tar.bz2 make world! \\ or by
462 %% placing the tar file somewhere in the search path of {\tt
463 %% LINUX\_SRC\_PATH} which defaults to `{\tt .:..}'. If the
464 %% makefile can't find a suitable kernel tar file it attempts to
465 %% download it from (this won't work if you're behind a
466 %% firewall).
468 %% After untaring the pristine kernel tree, the makefile uses the {\tt
469 %% mkbuildtree} script to add the Xen patches to the kernel.
471 %% \framebox{\parbox{5in}{
472 %% {\bf Distro specific:} \\
473 %% {\it Gentoo} --- if not using udev (most installations,
474 %% currently), you'll need to enable devfs and devfs mount at boot
475 %% time in the xen0 config. }}
477 \subsection{Custom Kernels}
479 % If you have an SMP machine you may wish to give the {\tt '-j4'}
480 % argument to make to get a parallel build.
482 If you wish to build a customized XenLinux kernel (e.g.\ to support
483 additional devices or enable distribution-required features), you can
484 use the standard Linux configuration mechanisms, specifying that the
485 architecture being built for is \path{xen}, e.g:
486 \begin{quote}
487 \begin{verbatim}
488 # cd linux-2.6.12-xen0
489 # make ARCH=xen xconfig
490 # cd ..
491 # make
492 \end{verbatim}
493 \end{quote}
495 You can also copy an existing Linux configuration (\path{.config}) into
496 e.g.\ \path{linux-2.6.12-xen0} and execute:
497 \begin{quote}
498 \begin{verbatim}
499 # make ARCH=xen oldconfig
500 \end{verbatim}
501 \end{quote}
503 You may be prompted with some Xen-specific options. We advise accepting
504 the defaults for these options.
506 Note that the only difference between the two types of Linux kernels
507 that are built is the configuration file used for each. The ``U''
508 suffixed (unprivileged) versions don't contain any of the physical
509 hardware device drivers, leading to a 30\% reduction in size; hence you
510 may prefer these for your non-privileged domains. The ``0'' suffixed
511 privileged versions can be used to boot the system, as well as in driver
512 domains and unprivileged domains.
514 \subsection{Installing Generated Binaries}
516 The files produced by the build process are stored under the
517 \path{dist/install/} directory. To install them in their default
518 locations, do:
519 \begin{quote}
520 \begin{verbatim}
521 # make install
522 \end{verbatim}
523 \end{quote}
525 Alternatively, users with special installation requirements may wish to
526 install them manually by copying the files to their appropriate
527 destinations.
529 %% Files in \path{install/boot/} include:
530 %% \begin{itemize}
531 %% \item \path{install/boot/xen-3.0.gz} Link to the Xen 'kernel'
532 %% \item \path{install/boot/vmlinuz-2.6-xen0} Link to domain 0
533 %% XenLinux kernel
534 %% \item \path{install/boot/vmlinuz-2.6-xenU} Link to unprivileged
535 %% XenLinux kernel
536 %% \end{itemize}
538 The \path{dist/install/boot} directory will also contain the config
539 files used for building the XenLinux kernels, and also versions of Xen
540 and XenLinux kernels that contain debug symbols such as
541 (\path{xen-syms-3.0.0} and \path{vmlinux-syms-}) which are
542 essential for interpreting crash dumps. Retain these files as the
543 developers may wish to see them if you post on the mailing list.
546 \section{Configuration}
547 \label{s:configure}
549 Once you have built and installed the Xen distribution, it is simple to
550 prepare the machine for booting and running Xen.
552 \subsection{GRUB Configuration}
554 An entry should be added to \path{grub.conf} (often found under
555 \path{/boot/} or \path{/boot/grub/}) to allow Xen / XenLinux to boot.
556 This file is sometimes called \path{menu.lst}, depending on your
557 distribution. The entry should look something like the following:
559 %% KMSelf Thu Dec 1 19:06:13 PST 2005 262144 is useful for RHEL/RH and
560 %% related Dom0s.
561 {\small
562 \begin{verbatim}
563 title Xen 3.0 / XenLinux 2.6
564 kernel /boot/xen-3.0.gz dom0_mem=262144
565 module /boot/vmlinuz-2.6-xen0 root=/dev/sda4 ro console=tty0
566 \end{verbatim}
567 }
569 The kernel line tells GRUB where to find Xen itself and what boot
570 parameters should be passed to it (in this case, setting the domain~0
571 memory allocation in kilobytes and the settings for the serial port).
572 For more details on the various Xen boot parameters see
573 Section~\ref{s:xboot}.
575 The module line of the configuration describes the location of the
576 XenLinux kernel that Xen should start and the parameters that should be
577 passed to it. These are standard Linux parameters, identifying the root
578 device and specifying it be initially mounted read only and instructing
579 that console output be sent to the screen. Some distributions such as
580 SuSE do not require the \path{ro} parameter.
582 %% \framebox{\parbox{5in}{
583 %% {\bf Distro specific:} \\
584 %% {\it SuSE} --- Omit the {\tt ro} option from the XenLinux
585 %% kernel command line, since the partition won't be remounted rw
586 %% during boot. }}
588 To use an initrd, add another \path{module} line to the configuration,
589 like: {\small
590 \begin{verbatim}
591 module /boot/my_initrd.gz
592 \end{verbatim}
593 }
595 %% KMSelf Thu Dec 1 19:05:30 PST 2005 Other configs as an appendix?
597 When installing a new kernel, it is recommended that you do not delete
598 existing menu options from \path{menu.lst}, as you may wish to boot your
599 old Linux kernel in future, particularly if you have problems.
601 \subsection{Serial Console (optional)}
603 Serial console access allows you to manage, monitor, and interact with
604 your system over a serial console. This can allow access from another
605 nearby system via a null-modem (``LapLink'') cable or remotely via a serial
606 concentrator.
608 You system's BIOS, bootloader (GRUB), Xen, Linux, and login access must
609 each be individually configured for serial console access. It is
610 \emph{not} strictly necessary to have each component fully functional,
611 but it can be quite useful.
613 For general information on serial console configuration under Linux,
614 refer to the ``Remote Serial Console HOWTO'' at The Linux Documentation
615 Project: \url{}
617 \subsubsection{Serial Console BIOS configuration}
619 Enabling system serial console output neither enables nor disables
620 serial capabilities in GRUB, Xen, or Linux, but may make remote
621 management of your system more convenient by displaying POST and other
622 boot messages over serial port and allowing remote BIOS configuration.
624 Refer to your hardware vendor's documentation for capabilities and
625 procedures to enable BIOS serial redirection.
628 \subsubsection{Serial Console GRUB configuration}
630 Enabling GRUB serial console output neither enables nor disables Xen or
631 Linux serial capabilities, but may made remote management of your system
632 more convenient by displaying GRUB prompts, menus, and actions over
633 serial port and allowing remote GRUB management.
635 Adding the following two lines to your GRUB configuration file,
636 typically either \path{/boot/grub/menu.lst} or \path{/boot/grub/grub.conf}
637 depending on your distro, will enable GRUB serial output.
639 \begin{quote}
640 {\small \begin{verbatim}
641 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
642 terminal --timeout=10 serial console
643 \end{verbatim}}
644 \end{quote}
646 Note that when both the serial port and the local monitor and keyboard
647 are enabled, the text ``\emph{Press any key to continue}'' will appear
648 at both. Pressing a key on one device will cause GRUB to display to
649 that device. The other device will see no output. If no key is
650 pressed before the timeout period expires, the system will boot to the
651 default GRUB boot entry.
653 Please refer to the GRUB documentation for further information.
656 \subsubsection{Serial Console Xen configuration}
658 Enabling Xen serial console output neither enables nor disables Linux
659 kernel output or logging in to Linux over serial port. It does however
660 allow you to monitor and log the Xen boot process via serial console and
661 can be very useful in debugging.
663 %% kernel /boot/xen-2.0.gz dom0_mem=131072 console=com1,vga com1=115200,8n1
664 %% module /boot/vmlinuz-2.6-xen0 root=/dev/sda4 ro
666 In order to configure Xen serial console output, it is necessary to
667 add a boot option to your GRUB config; e.g.\ replace the previous
668 example kernel line with:
669 \begin{quote} {\small \begin{verbatim}
670 kernel /boot/xen.gz dom0_mem=131072 com1=115200,8n1
671 \end{verbatim}}
672 \end{quote}
674 This configures Xen to output on COM1 at 115,200 baud, 8 data bits, no
675 parity and 1 stop bit. Modify these parameters for your environment.
676 See Section~\ref{s:xboot} for an explanation of all boot parameters.
678 One can also configure XenLinux to share the serial console; to achieve
679 this append ``\path{console=ttyS0}'' to your module line.
682 \subsubsection{Serial Console Linux configuration}
684 Enabling Linux serial console output at boot neither enables nor
685 disables logging in to Linux over serial port. It does however allow
686 you to monitor and log the Linux boot process via serial console and can be
687 very useful in debugging.
689 To enable Linux output at boot time, add the parameter
690 \path{console=ttyS0} (or ttyS1, ttyS2, etc.) to your kernel GRUB line.
691 Under Xen, this might be:
692 \begin{quote}
693 {\footnotesize \begin{verbatim}
694 module /vmlinuz-2.6-xen0 ro root=/dev/VolGroup00/LogVol00 \
695 console=ttyS0, 115200
696 \end{verbatim}}
697 \end{quote}
698 to enable output over ttyS0 at 115200 baud.
702 \subsubsection{Serial Console Login configuration}
704 Logging in to Linux via serial console, under Xen or otherwise, requires
705 specifying a login prompt be started on the serial port. To permit root
706 logins over serial console, the serial port must be added to
707 \path{/etc/securetty}.
709 \newpage
710 To automatically start a login prompt over the serial port,
711 add the line: \begin{quote} {\small {\tt c:2345:respawn:/sbin/mingetty
712 ttyS0}} \end{quote} to \path{/etc/inittab}. Run \path{init q} to force
713 a reload of your inttab and start getty.
715 To enable root logins, add \path{ttyS0} to \path{/etc/securetty} if not
716 already present.
718 Your distribution may use an alternate getty; options include getty,
719 mgetty and agetty. Consult your distribution's documentation
720 for further information.
723 \subsection{TLS Libraries}
725 Users of the XenLinux 2.6 kernel should disable Thread Local Storage
726 (TLS) (e.g.\ by doing a \path{mv /lib/tls /lib/tls.disabled}) before
727 attempting to boot a XenLinux kernel\footnote{If you boot without first
728 disabling TLS, you will get a warning message during the boot process.
729 In this case, simply perform the rename after the machine is up and
730 then run \path{/sbin/ldconfig} to make it take effect.}. You can
731 always reenable TLS by restoring the directory to its original location
732 (i.e.\ \path{mv /lib/tls.disabled /lib/tls}).
734 The reason for this is that the current TLS implementation uses
735 segmentation in a way that is not permissible under Xen. If TLS is not
736 disabled, an emulation mode is used within Xen which reduces performance
737 substantially. To ensure full performance you should install a
738 `Xen-friendly' (nosegneg) version of the library.
741 \section{Booting Xen}
743 It should now be possible to restart the system and use Xen. Reboot and
744 choose the new Xen option when the Grub screen appears.
746 What follows should look much like a conventional Linux boot. The first
747 portion of the output comes from Xen itself, supplying low level
748 information about itself and the underlying hardware. The last portion
749 of the output comes from XenLinux.
751 You may see some error messages during the XenLinux boot. These are not
752 necessarily anything to worry about---they may result from kernel
753 configuration differences between your XenLinux kernel and the one you
754 usually use.
756 When the boot completes, you should be able to log into your system as
757 usual. If you are unable to log in, you should still be able to reboot
758 with your normal Linux kernel by selecting it at the GRUB prompt.
761 % Booting Xen
762 \chapter{Booting a Xen System}
764 Booting the system into Xen will bring you up into the privileged
765 management domain, Domain0. At that point you are ready to create
766 guest domains and ``boot'' them using the \texttt{xm create} command.
768 \section{Booting Domain0}
770 After installation and configuration is complete, reboot the system
771 and and choose the new Xen option when the Grub screen appears.
773 What follows should look much like a conventional Linux boot. The
774 first portion of the output comes from Xen itself, supplying low level
775 information about itself and the underlying hardware. The last
776 portion of the output comes from XenLinux.
778 %% KMSelf Wed Nov 30 18:09:37 PST 2005: We should specify what these are.
780 When the boot completes, you should be able to log into your system as
781 usual. If you are unable to log in, you should still be able to
782 reboot with your normal Linux kernel by selecting it at the GRUB prompt.
784 The first step in creating a new domain is to prepare a root
785 filesystem for it to boot. Typically, this might be stored in a normal
786 partition, an LVM or other volume manager partition, a disk file or on
787 an NFS server. A simple way to do this is simply to boot from your
788 standard OS install CD and install the distribution into another
789 partition on your hard drive.
791 To start the \xend\ control daemon, type
792 \begin{quote}
793 \verb!# xend start!
794 \end{quote}
796 If you wish the daemon to start automatically, see the instructions in
797 Section~\ref{s:xend}. Once the daemon is running, you can use the
798 \path{xm} tool to monitor and maintain the domains running on your
799 system. This chapter provides only a brief tutorial. We provide full
800 details of the \path{xm} tool in the next chapter.
802 % \section{From the web interface}
803 %
804 % Boot the Xen machine and start Xensv (see Chapter~\ref{cha:xensv}
805 % for more details) using the command: \\
806 % \verb_# xensv start_ \\
807 % This will also start Xend (see Chapter~\ref{cha:xend} for more
808 % information).
809 %
810 % The domain management interface will then be available at {\tt
811 % http://your\_machine:8080/}. This provides a user friendly wizard
812 % for starting domains and functions for managing running domains.
813 %
814 % \section{From the command line}
815 \section{Booting Guest Domains}
817 \subsection{Creating a Domain Configuration File}
819 Before you can start an additional domain, you must create a
820 configuration file. We provide two example files which you can use as
821 a starting point:
822 \begin{itemize}
823 \item \path{/etc/xen/xmexample1} is a simple template configuration
824 file for describing a single VM\@.
825 \item \path{/etc/xen/xmexample2} file is a template description that
826 is intended to be reused for multiple virtual machines. Setting the
827 value of the \path{vmid} variable on the \path{xm} command line
828 fills in parts of this template.
829 \end{itemize}
831 There are also a number of other examples which you may find useful.
832 Copy one of these files and edit it as appropriate. Typical values
833 you may wish to edit include:
835 \begin{quote}
836 \begin{description}
837 \item[kernel] Set this to the path of the kernel you compiled for use
838 with Xen (e.g.\ \path{kernel = ``/boot/vmlinuz-2.6-xenU''})
839 \item[memory] Set this to the size of the domain's memory in megabytes
840 (e.g.\ \path{memory = 64})
841 \item[disk] Set the first entry in this list to calculate the offset
842 of the domain's root partition, based on the domain ID\@. Set the
843 second to the location of \path{/usr} if you are sharing it between
844 domains (e.g.\ \path{disk = ['phy:your\_hard\_drive\%d,sda1,w' \%
845 (base\_partition\_number + vmid),
846 'phy:your\_usr\_partition,sda6,r' ]}
847 \item[dhcp] Uncomment the dhcp variable, so that the domain will
848 receive its IP address from a DHCP server (e.g.\ \path{dhcp=``dhcp''})
849 \end{description}
850 \end{quote}
852 You may also want to edit the {\bf vif} variable in order to choose
853 the MAC address of the virtual ethernet interface yourself. For
854 example:
856 \begin{quote}
857 \verb_vif = ['mac=00:16:3E:F6:BB:B3']_
858 \end{quote}
859 If you do not set this variable, \xend\ will automatically generate a
860 random MAC address from the range 00:16:3E:xx:xx:xx, assigned by IEEE to
861 XenSource as an OUI (organizationally unique identifier). XenSource
862 Inc. gives permission for anyone to use addresses randomly allocated
863 from this range for use by their Xen domains.
865 For a list of IEEE OUI assignments, see
866 \url{}
869 \subsection{Booting the Guest Domain}
871 The \path{xm} tool provides a variety of commands for managing
872 domains. Use the \path{create} command to start new domains. Assuming
873 you've created a configuration file \path{myvmconf} based around
874 \path{/etc/xen/xmexample2}, to start a domain with virtual machine
875 ID~1 you should type:
877 \begin{quote}
878 \begin{verbatim}
879 # xm create -c myvmconf vmid=1
880 \end{verbatim}
881 \end{quote}
883 The \path{-c} switch causes \path{xm} to turn into the domain's
884 console after creation. The \path{vmid=1} sets the \path{vmid}
885 variable used in the \path{myvmconf} file.
887 You should see the console boot messages from the new domain appearing
888 in the terminal in which you typed the command, culminating in a login
889 prompt.
892 \section{Starting / Stopping Domains Automatically}
894 It is possible to have certain domains start automatically at boot
895 time and to have dom0 wait for all running domains to shutdown before
896 it shuts down the system.
898 To specify a domain is to start at boot-time, place its configuration
899 file (or a link to it) under \path{/etc/xen/auto/}.
901 A Sys-V style init script for Red Hat and LSB-compliant systems is
902 provided and will be automatically copied to \path{/etc/init.d/}
903 during install. You can then enable it in the appropriate way for
904 your distribution.
906 For instance, on Red Hat:
908 \begin{quote}
909 \verb_# chkconfig --add xendomains_
910 \end{quote}
912 By default, this will start the boot-time domains in runlevels 3, 4
913 and 5.
915 You can also use the \path{service} command to run this script
916 manually, e.g:
918 \begin{quote}
919 \verb_# service xendomains start_
921 Starts all the domains with config files under /etc/xen/auto/.
922 \end{quote}
924 \begin{quote}
925 \verb_# service xendomains stop_
927 Shuts down all running Xen domains.
928 \end{quote}
932 \part{Configuration and Management}
934 %% Chapter Domain Management Tools and Daemons
935 \chapter{Domain Management Tools}
937 This chapter summarizes the management software and tools available.
940 \section{\Xend\ }
941 \label{s:xend}
944 The \Xend\ node control daemon performs system management functions
945 related to virtual machines. It forms a central point of control of
946 virtualized resources, and must be running in order to start and manage
947 virtual machines. \Xend\ must be run as root because it needs access to
948 privileged system management functions.
950 An initialization script named \texttt{/etc/init.d/xend} is provided to
951 start \Xend\ at boot time. Use the tool appropriate (i.e. chkconfig) for
952 your Linux distribution to specify the runlevels at which this script
953 should be executed, or manually create symbolic links in the correct
954 runlevel directories.
956 \Xend\ can be started on the command line as well, and supports the
957 following set of parameters:
959 \begin{tabular}{ll}
960 \verb!# xend start! & start \xend, if not already running \\
961 \verb!# xend stop! & stop \xend\ if already running \\
962 \verb!# xend restart! & restart \xend\ if running, otherwise start it \\
963 % \verb!# xend trace_start! & start \xend, with very detailed debug logging \\
964 \verb!# xend status! & indicates \xend\ status by its return code
965 \end{tabular}
967 A SysV init script called {\tt xend} is provided to start \xend\ at
968 boot time. {\tt make install} installs this script in
969 \path{/etc/init.d}. To enable it, you have to make symbolic links in
970 the appropriate runlevel directories or use the {\tt chkconfig} tool,
971 where available. Once \xend\ is running, administration can be done
972 using the \texttt{xm} tool.
974 \subsection{Logging}
976 As \xend\ runs, events will be logged to \path{/var/log/xend.log} and
977 (less frequently) to \path{/var/log/xend-debug.log}. These, along with
978 the standard syslog files, are useful when troubleshooting problems.
980 \subsection{Configuring \Xend\ }
982 \Xend\ is written in Python. At startup, it reads its configuration
983 information from the file \path{/etc/xen/xend-config.sxp}. The Xen
984 installation places an example \texttt{xend-config.sxp} file in the
985 \texttt{/etc/xen} subdirectory which should work for most installations.
987 See the example configuration file \texttt{xend-debug.sxp} and the
988 section 5 man page \texttt{xend-config.sxp} for a full list of
989 parameters and more detailed information. Some of the most important
990 parameters are discussed below.
992 An HTTP interface and a Unix domain socket API are available to
993 communicate with \Xend. This allows remote users to pass commands to the
994 daemon. By default, \Xend does not start an HTTP server. It does start a
995 Unix domain socket management server, as the low level utility
996 \texttt{xm} requires it. For support of cross-machine migration, \Xend\
997 can start a relocation server. This support is not enabled by default
998 for security reasons.
1000 Note: the example \texttt{xend} configuration file modifies the defaults and
1001 starts up \Xend\ as an HTTP server as well as a relocation server.
1003 From the file:
1005 \begin{verbatim}
1006 #(xend-http-server no)
1007 (xend-http-server yes)
1008 #(xend-unix-server yes)
1009 #(xend-relocation-server no)
1010 (xend-relocation-server yes)
1011 \end{verbatim}
1013 Comment or uncomment lines in that file to disable or enable features
1014 that you require.
1016 Connections from remote hosts are disabled by default:
1018 \begin{verbatim}
1019 # Address xend should listen on for HTTP connections, if xend-http-server is
1020 # set.
1021 # Specifying 'localhost' prevents remote connections.
1022 # Specifying the empty string '' (the default) allows all connections.
1023 #(xend-address '')
1024 (xend-address localhost)
1025 \end{verbatim}
1027 It is recommended that if migration support is not needed, the
1028 \texttt{xend-relocation-server} parameter value be changed to
1029 ``\texttt{no}'' or commented out.
1031 \section{Xm}
1032 \label{s:xm}
1034 The xm tool is the primary tool for managing Xen from the console. The
1035 general format of an xm command line is:
1037 \begin{verbatim}
1038 # xm command [switches] [arguments] [variables]
1039 \end{verbatim}
1041 The available \emph{switches} and \emph{arguments} are dependent on the
1042 \emph{command} chosen. The \emph{variables} may be set using
1043 declarations of the form {\tt variable=value} and command line
1044 declarations override any of the values in the configuration file being
1045 used, including the standard variables described above and any custom
1046 variables (for instance, the \path{xmdefconfig} file uses a {\tt vmid}
1047 variable).
1049 For online help for the commands available, type:
1051 \begin{quote}
1052 \begin{verbatim}
1053 # xm help
1054 \end{verbatim}
1055 \end{quote}
1057 This will list the most commonly used commands. The full list can be obtained
1058 using \verb_xm help --long_. You can also type \path{xm help $<$command$>$}
1059 for more information on a given command.
1061 \subsection{Basic Management Commands}
1063 One useful command is \verb_# xm list_ which lists all domains running in rows
1064 of the following format:
1065 \begin{center} {\tt name domid memory vcpus state cputime}
1066 \end{center}
1068 The meaning of each field is as follows:
1069 \begin{quote}
1070 \begin{description}
1071 \item[name] The descriptive name of the virtual machine.
1072 \item[domid] The number of the domain ID this virtual machine is
1073 running in.
1074 \item[memory] Memory size in megabytes.
1075 \item[vcpus] The number of virtual CPUs this domain has.
1076 \item[state] Domain state consists of 5 fields:
1077 \begin{description}
1078 \item[r] running
1079 \item[b] blocked
1080 \item[p] paused
1081 \item[s] shutdown
1082 \item[c] crashed
1083 \end{description}
1084 \item[cputime] How much CPU time (in seconds) the domain has used so
1085 far.
1086 \end{description}
1087 \end{quote}
1089 The \path{xm list} command also supports a long output format when the
1090 \path{-l} switch is used. This outputs the full details of the
1091 running domains in \xend's SXP configuration format.
1094 You can get access to the console of a particular domain using
1095 the \verb_# xm console_ command (e.g.\ \verb_# xm console myVM_).
1097 \subsection{Domain Scheduling Management Commands}
1099 The credit CPU scheduler automatically load balances guest VCPUs
1100 across all available physical CPUs on an SMP host. The user need
1101 not manually pin VCPUs to load balance the system. However, she
1102 can restrict which CPUs a particular VCPU may run on using
1103 the \path{xm vcpu-pin} command.
1105 Each guest domain is assigned a \path{weight} and a \path{cap}.
1107 A domain with a weight of 512 will get twice as much CPU as a
1108 domain with a weight of 256 on a contended host. Legal weights
1109 range from 1 to 65535 and the default is 256.
1111 The cap optionally fixes the maximum amount of CPU a guest will
1112 be able to consume, even if the host system has idle CPU cycles.
1113 The cap is expressed in percentage of one physical CPU: 100 is
1114 1 physical CPU, 50 is half a CPU, 400 is 4 CPUs, etc... The
1115 default, 0, means there is no upper cap.
1117 When you are running with the credit scheduler, you can check and
1118 modify your domains' weights and caps using the \path{xm sched-credit}
1119 command:
1121 \begin{tabular}{ll}
1122 \verb!xm sched-credit -d <domain>! & lists weight and cap \\
1123 \verb!xm sched-credit -d <domain> -w <weight>! & sets the weight \\
1124 \verb!xm sched-credit -d <domain> -c <cap>! & sets the cap
1125 \end{tabular}
1129 %% Chapter Domain Configuration
1130 \chapter{Domain Configuration}
1131 \label{cha:config}
1133 The following contains the syntax of the domain configuration files
1134 and description of how to further specify networking, driver domain
1135 and general scheduling behavior.
1138 \section{Configuration Files}
1139 \label{s:cfiles}
1141 Xen configuration files contain the following standard variables.
1142 Unless otherwise stated, configuration items should be enclosed in
1143 quotes: see the configuration scripts in \path{/etc/xen/}
1144 for concrete examples.
1146 \begin{description}
1147 \item[kernel] Path to the kernel image.
1148 \item[ramdisk] Path to a ramdisk image (optional).
1149 % \item[builder] The name of the domain build function (e.g.
1150 % {\tt'linux'} or {\tt'netbsd'}.
1151 \item[memory] Memory size in megabytes.
1152 \item[vcpus] The number of virtual CPUs.
1153 \item[console] Port to export the domain console on (default 9600 +
1154 domain ID).
1155 \item[vif] Network interface configuration. This may simply contain
1156 an empty string for each desired interface, or may override various
1157 settings, e.g.\
1158 \begin{verbatim}
1159 vif = [ 'mac=00:16:3E:00:00:11, bridge=xen-br0',
1160 'bridge=xen-br1' ]
1161 \end{verbatim}
1162 to assign a MAC address and bridge to the first interface and assign
1163 a different bridge to the second interface, leaving \xend\ to choose
1164 the MAC address. The settings that may be overridden in this way are
1165 type, mac, bridge, ip, script, backend, and vifname.
1166 \item[disk] List of block devices to export to the domain e.g.
1167 \verb_disk = [ 'phy:hda1,sda1,r' ]_
1168 exports physical device \path{/dev/hda1} to the domain as
1169 \path{/dev/sda1} with read-only access. Exporting a disk read-write
1170 which is currently mounted is dangerous -- if you are \emph{certain}
1171 you wish to do this, you can specify \path{w!} as the mode.
1172 \item[dhcp] Set to {\tt `dhcp'} if you want to use DHCP to configure
1173 networking.
1174 \item[netmask] Manually configured IP netmask.
1175 \item[gateway] Manually configured IP gateway.
1176 \item[hostname] Set the hostname for the virtual machine.
1177 \item[root] Specify the root device parameter on the kernel command
1178 line.
1179 \item[nfs\_server] IP address for the NFS server (if any).
1180 \item[nfs\_root] Path of the root filesystem on the NFS server (if
1181 any).
1182 \item[extra] Extra string to append to the kernel command line (if
1183 any)
1184 \end{description}
1186 Additional fields are documented in the example configuration files
1187 (e.g. to configure virtual TPM functionality).
1189 For additional flexibility, it is also possible to include Python
1190 scripting commands in configuration files. An example of this is the
1191 \path{xmexample2} file, which uses Python code to handle the
1192 \path{vmid} variable.
1195 %\part{Advanced Topics}
1198 \section{Network Configuration}
1200 For many users, the default installation should work ``out of the
1201 box''. More complicated network setups, for instance with multiple
1202 Ethernet interfaces and/or existing bridging setups will require some
1203 special configuration.
1205 The purpose of this section is to describe the mechanisms provided by
1206 \xend\ to allow a flexible configuration for Xen's virtual networking.
1208 \subsection{Xen virtual network topology}
1210 Each domain network interface is connected to a virtual network
1211 interface in dom0 by a point to point link (effectively a ``virtual
1212 crossover cable''). These devices are named {\tt
1213 vif$<$domid$>$.$<$vifid$>$} (e.g.\ {\tt vif1.0} for the first
1214 interface in domain~1, {\tt vif3.1} for the second interface in
1215 domain~3).
1217 Traffic on these virtual interfaces is handled in domain~0 using
1218 standard Linux mechanisms for bridging, routing, rate limiting, etc.
1219 Xend calls on two shell scripts to perform initial configuration of
1220 the network and configuration of new virtual interfaces. By default,
1221 these scripts configure a single bridge for all the virtual
1222 interfaces. Arbitrary routing / bridging configurations can be
1223 configured by customizing the scripts, as described in the following
1224 section.
1226 \subsection{Xen networking scripts}
1228 Xen's virtual networking is configured by two shell scripts (by
1229 default \path{network-bridge} and \path{vif-bridge}). These are called
1230 automatically by \xend\ when certain events occur, with arguments to
1231 the scripts providing further contextual information. These scripts
1232 are found by default in \path{/etc/xen/scripts}. The names and
1233 locations of the scripts can be configured in
1234 \path{/etc/xen/xend-config.sxp}.
1236 \begin{description}
1237 \item[network-bridge:] This script is called whenever \xend\ is started or
1238 stopped to respectively initialize or tear down the Xen virtual
1239 network. In the default configuration initialization creates the
1240 bridge `xen-br0' and moves eth0 onto that bridge, modifying the
1241 routing accordingly. When \xend\ exits, it deletes the Xen bridge
1242 and removes eth0, restoring the normal IP and routing configuration.
1244 %% In configurations where the bridge already exists, this script
1245 %% could be replaced with a link to \path{/bin/true} (for instance).
1247 \item[vif-bridge:] This script is called for every domain virtual
1248 interface and can configure firewalling rules and add the vif to the
1249 appropriate bridge. By default, this adds and removes VIFs on the
1250 default Xen bridge.
1251 \end{description}
1253 Other example scripts are available (\path{network-route} and
1254 \path{vif-route}, \path{network-nat} and \path{vif-nat}).
1255 For more complex network setups (e.g.\ where routing is required or
1256 integrate with existing bridges) these scripts may be replaced with
1257 customized variants for your site's preferred configuration.
1259 \section{Driver Domain Configuration}
1260 \label{s:ddconf}
1262 \subsection{PCI}
1263 \label{ss:pcidd}
1265 Individual PCI devices can be assigned to a given domain (a PCI driver domain)
1266 to allow that domain direct access to the PCI hardware.
1268 While PCI Driver Domains can increase the stability and security of a system
1269 by addressing a number of security concerns, there are some security issues
1270 that remain that you can read about in Section~\ref{s:ddsecurity}.
1272 \subsubsection{Compile-Time Setup}
1273 To use this functionality, ensure
1274 that the PCI Backend is compiled in to a privileged domain (e.g. domain 0)
1275 and that the domains which will be assigned PCI devices have the PCI Frontend
1276 compiled in. In XenLinux, the PCI Backend is available under the Xen
1277 configuration section while the PCI Frontend is under the
1278 architecture-specific "Bus Options" section. You may compile both the backend
1279 and the frontend into the same kernel; they will not affect each other.
1281 \subsubsection{PCI Backend Configuration - Binding at Boot}
1282 The PCI devices you wish to assign to unprivileged domains must be "hidden"
1283 from your backend domain (usually domain 0) so that it does not load a driver
1284 for them. Use the \path{pciback.hide} kernel parameter which is specified on
1285 the kernel command-line and is configurable through GRUB (see
1286 Section~\ref{s:configure}). Note that devices are not really hidden from the
1287 backend domain. The PCI Backend appears to the Linux kernel as a regular PCI
1288 device driver. The PCI Backend ensures that no other device driver loads
1289 for the devices by binding itself as the device driver for those devices.
1290 PCI devices are identified by hexadecimal slot/function numbers (on Linux,
1291 use \path{lspci} to determine slot/function numbers of your devices) and
1292 can be specified with or without the PCI domain: \\
1293 \centerline{ {\tt ({\em bus}:{\em slot}.{\em func})} example {\tt (02:1d.3)}} \\
1294 \centerline{ {\tt ({\em domain}:{\em bus}:{\em slot}.{\em func})} example {\tt (0000:02:1d.3)}} \\
1296 An example kernel command-line which hides two PCI devices might be: \\
1297 \centerline{ {\tt root=/dev/sda4 ro console=tty0 pciback.hide=(02:01.f)(0000:04:1d.0) } } \\
1299 \subsubsection{PCI Backend Configuration - Late Binding}
1300 PCI devices can also be bound to the PCI Backend after boot through the manual
1301 binding/unbinding facilities provided by the Linux kernel in sysfs (allowing
1302 for a Xen user to give PCI devices to driver domains that were not specified
1303 on the kernel command-line). There are several attributes with the PCI
1304 Backend's sysfs directory (\path{/sys/bus/pci/drivers/pciback}) that can be
1305 used to bind/unbind devices:
1307 \begin{description}
1308 \item[slots] lists all of the PCI slots that the PCI Backend will try to seize
1309 (or "hide" from Domain 0). A PCI slot must appear in this list before it can
1310 be bound to the PCI Backend through the \path{bind} attribute.
1311 \item[new\_slot] write the name of a slot here (in 0000:00:00.0 format) to
1312 have the PCI Backend seize the device in this slot.
1313 \item[remove\_slot] write the name of a slot here (same format as
1314 \path{new\_slot}) to have the PCI Backend no longer try to seize devices in
1315 this slot. Note that this does not unbind the driver from a device it has
1316 already seized.
1317 \item[bind] write the name of a slot here (in 0000:00:00.0 format) to have
1318 the Linux kernel attempt to bind the device in that slot to the PCI Backend
1319 driver.
1320 \item[unbind] write the name of a skit here (same format as \path{bind}) to have
1321 the Linux kernel unbind the device from the PCI Backend. DO NOT unbind a
1322 device while it is currently given to a PCI driver domain!
1323 \end{description}
1325 Some examples:
1327 Bind a device to the PCI Backend which is not bound to any other driver.
1328 \begin{verbatim}
1329 # # Add a new slot to the PCI Backend's list
1330 # echo -n 0000:01:04.d > /sys/bus/pci/drivers/pciback/new_slot
1331 # # Now that the backend is watching for the slot, bind to it
1332 # echo -n 0000:01:04.d > /sys/bus/pci/drivers/pciback/bind
1333 \end{verbatim}
1335 Unbind a device from its driver and bind to the PCI Backend.
1336 \begin{verbatim}
1337 # # Unbind a PCI network card from its network driver
1338 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/3c905/unbind
1339 # # And now bind it to the PCI Backend
1340 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/pciback/new_slot
1341 # echo -n 0000:05:02.0 > /sys/bus/pci/drivers/pciback/bind
1342 \end{verbatim}
1344 Note that the "-n" option in the example is important as it causes echo to not
1345 output a new-line.
1347 \subsubsection{PCI Backend Configuration - User-space Quirks}
1348 Quirky devices (such as the Broadcom Tigon 3) may need write access to their
1349 configuration space registers. Xen can be instructed to allow specified PCI
1350 devices write access to specific configuration space registers. The policy may
1351 be found in:
1353 \centerline{ \path{/etc/xen/xend-pci-quirks.sxp} }
1355 The policy file is heavily commented and is intended to provide enough
1356 documentation for developers to extend it.
1358 \subsubsection{PCI Backend Configuration - Permissive Flag}
1359 If the user-space quirks approach doesn't meet your needs you may want to enable
1360 the permissive flag for that device. To do so, first get the PCI domain, bus,
1361 slot, and function information from dom0 via \path{lspci}. Then augment the
1362 user-space policy for permissive devices. The permissive policy can be found
1363 in:
1365 \centerline{ \path{/etc/xen/xend-pci-permissive.sxp} }
1367 Currently, the only way to reset the permissive flag is to unbind the device
1368 from the PCI Backend driver.
1370 \subsubsection{PCI Backend - Checking Status}
1371 There two important sysfs nodes that provide a mechanism to view specifics on
1372 quirks and permissive devices:
1373 \begin{description}
1374 \item \path{/sys/bus/drivers/pciback/permissive} \\
1375 Use \path{cat} on this file to view a list of permissive slots.
1376 \item \path{/sys/bus/drivers/pciback/quirks} \\
1377 Use \path{cat} on this file view a hierarchical view of devices bound to the
1378 PCI backend, their PCI vendor/device ID, and any quirks that are associated with
1379 that particular slot.
1380 \end{description}
1382 You may notice that every device bound to the PCI backend has 17 quirks standard
1383 "quirks" regardless of \path{xend-pci-quirks.sxp}. These default entries are
1384 necessary to support interactions between the PCI bus manager and the device bound
1385 to it. Even non-quirky devices should have these standard entries.
1387 In this case, preference was given to accuracy over aesthetics by choosing to
1388 show the standard quirks in the quirks list rather than hide them from the
1389 inquiring user
1391 \subsubsection{PCI Frontend Configuration}
1392 To configure a domU to receive a PCI device:
1394 \begin{description}
1395 \item[Command-line:]
1396 Use the {\em pci} command-line flag. For multiple devices, use the option
1397 multiple times. \\
1398 \centerline{ {\tt xm create netcard-dd pci=01:00.0 pci=02:03.0 }} \\
1400 \item[Flat Format configuration file:]
1401 Specify all of your PCI devices in a python list named {\em pci}. \\
1402 \centerline{ {\tt pci=['01:00.0','02:03.0'] }} \\
1404 \item[SXP Format configuration file:]
1405 Use a single PCI device section for all of your devices (specify the numbers
1406 in hexadecimal with the preceding '0x'). Note that {\em domain} here refers
1407 to the PCI domain, not a virtual machine within Xen.
1408 {\small
1409 \begin{verbatim}
1410 (device (pci
1411 (dev (domain 0x0)(bus 0x3)(slot 0x1a)(func 0x1)
1412 (dev (domain 0x0)(bus 0x1)(slot 0x5)(func 0x0)
1414 \end{verbatim}
1416 \end{description}
1418 %% There are two possible types of privileges: IO privileges and
1419 %% administration privileges.
1421 \section{Support for virtual Trusted Platform Module (vTPM)}
1422 \label{ss:vtpm}
1424 Paravirtualized domains can be given access to a virtualized version
1425 of a TPM. This enables applications in these domains to use the services
1426 of the TPM device for example through a TSS stack
1427 \footnote{Trousers TSS stack:}.
1428 The Xen source repository provides the necessary software components to
1429 enable virtual TPM access. Support is provided through several
1430 different pieces. First, a TPM emulator has been modified to provide TPM's
1431 functionality for the virtual TPM subsystem. Second, a virtual TPM Manager
1432 coordinates the virtual TPMs efforts, manages their creation, and provides
1433 protected key storage using the TPM. Third, a device driver pair providing
1434 a TPM front- and backend is available for XenLinux to deliver TPM commands
1435 from the domain to the virtual TPM manager, which dispatches it to a
1436 software TPM. Since the TPM Manager relies on a HW TPM for protected key
1437 storage, therefore this subsystem requires a Linux-supported hardware TPM.
1438 For development purposes, a TPM emulator is available for use on non-TPM
1439 enabled platforms.
1441 \subsubsection{Compile-Time Setup}
1442 To enable access to the virtual TPM, the virtual TPM backend driver must
1443 be compiled for a privileged domain (e.g. domain 0). Using the XenLinux
1444 configuration, the necessary driver can be selected in the Xen configuration
1445 section. Unless the driver has been compiled into the kernel, its module
1446 must be activated using the following command:
1448 \begin{verbatim}
1449 modprobe tpmbk
1450 \end{verbatim}
1452 Similarly, the TPM frontend driver must be compiled for the kernel trying
1453 to use TPM functionality. Its driver can be selected in the kernel
1454 configuration section Device Driver / Character Devices / TPM Devices.
1455 Along with that the TPM driver for the built-in TPM must be selected.
1456 If the virtual TPM driver has been compiled as module, it
1457 must be activated using the following command:
1459 \begin{verbatim}
1460 modprobe tpm_xenu
1461 \end{verbatim}
1463 Furthermore, it is necessary to build the virtual TPM manager and software
1464 TPM by making changes to entries in Xen build configuration files.
1465 The following entry in the file in the Xen root source
1466 directory must be made:
1468 \begin{verbatim}
1469 VTPM_TOOLS ?= y
1470 \end{verbatim}
1472 After a build of the Xen tree and a reboot of the machine, the TPM backend
1473 drive must be loaded. Once loaded, the virtual TPM manager daemon
1474 must be started before TPM-enabled guest domains may be launched.
1475 To enable being the destination of a virtual TPM Migration, the virtual TPM
1476 migration daemon must also be loaded.
1478 \begin{verbatim}
1479 vtpm_managerd
1480 \end{verbatim}
1481 \begin{verbatim}
1482 vtpm_migratord
1483 \end{verbatim}
1485 Once the VTPM manager is running, the VTPM can be accessed by loading the
1486 front end driver in a guest domain.
1488 \subsubsection{Development and Testing TPM Emulator}
1489 For development and testing on non-TPM enabled platforms, a TPM emulator
1490 can be used in replacement of a platform TPM. First, the entry in the file
1491 tools/vtpm/ must look as follows:
1493 \begin{verbatim}
1495 \end{verbatim}
1497 Second, the entry in the file tool/vtpm\_manager/ must be uncommented
1498 as follows:
1500 \begin{verbatim}
1501 # TCS talks to fifo's rather than /dev/tpm. TPM Emulator assumed on fifos
1503 \end{verbatim}
1505 Before starting the virtual TPM Manager, start the emulator by executing
1506 the following in dom0:
1508 \begin{verbatim}
1509 tpm_emulator clear
1510 \end{verbatim}
1512 \subsubsection{vTPM Frontend Configuration}
1513 To provide TPM functionality to a user domain, a line must be added to
1514 the virtual TPM configuration file using the following format:
1516 \begin{verbatim}
1517 vtpm = ['instance=<instance number>, backend=<domain id>']
1518 \end{verbatim}
1520 The { \it instance number} reflects the preferred virtual TPM instance
1521 to associate with the domain. If the selected instance is
1522 already associated with another domain, the system will automatically
1523 select the next available instance. An instance number greater than
1524 zero must be provided. It is possible to omit the instance
1525 parameter from the configuration file.
1527 The {\it domain id} provides the ID of the domain where the
1528 virtual TPM backend driver and virtual TPM are running in. It should
1529 currently always be set to '0'.
1532 Examples for valid vtpm entries in the configuration file are
1534 \begin{verbatim}
1535 vtpm = ['instance=1, backend=0']
1536 \end{verbatim}
1537 and
1538 \begin{verbatim}
1539 vtpm = ['backend=0'].
1540 \end{verbatim}
1542 \subsubsection{Using the virtual TPM}
1544 Access to TPM functionality is provided by the virtual TPM frontend driver.
1545 Similar to existing hardware TPM drivers, this driver provides basic TPM
1546 status information through the {\it sysfs} filesystem. In a Xen user domain
1547 the sysfs entries can be found in /sys/devices/xen/vtpm-0.
1549 Commands can be sent to the virtual TPM instance using the character
1550 device /dev/tpm0 (major 10, minor 224).
1552 % Chapter Storage and FileSytem Management
1553 \chapter{Storage and File System Management}
1555 Storage can be made available to virtual machines in a number of
1556 different ways. This chapter covers some possible configurations.
1558 The most straightforward method is to export a physical block device (a
1559 hard drive or partition) from dom0 directly to the guest domain as a
1560 virtual block device (VBD).
1562 Storage may also be exported from a filesystem image or a partitioned
1563 filesystem image as a \emph{file-backed VBD}.
1565 Finally, standard network storage protocols such as NBD, iSCSI, NFS,
1566 etc., can be used to provide storage to virtual machines.
1569 \section{Exporting Physical Devices as VBDs}
1570 \label{s:exporting-physical-devices-as-vbds}
1572 One of the simplest configurations is to directly export individual
1573 partitions from domain~0 to other domains. To achieve this use the
1574 \path{phy:} specifier in your domain configuration file. For example a
1575 line like
1576 \begin{quote}
1577 \verb_disk = ['phy:hda3,sda1,w']_
1578 \end{quote}
1579 specifies that the partition \path{/dev/hda3} in domain~0 should be
1580 exported read-write to the new domain as \path{/dev/sda1}; one could
1581 equally well export it as \path{/dev/hda} or \path{/dev/sdb5} should
1582 one wish.
1584 In addition to local disks and partitions, it is possible to export
1585 any device that Linux considers to be ``a disk'' in the same manner.
1586 For example, if you have iSCSI disks or GNBD volumes imported into
1587 domain~0 you can export these to other domains using the \path{phy:}
1588 disk syntax. E.g.:
1589 \begin{quote}
1590 \verb_disk = ['phy:vg/lvm1,sda2,w']_
1591 \end{quote}
1593 \begin{center}
1594 \framebox{\bf Warning: Block device sharing}
1595 \end{center}
1596 \begin{quote}
1597 Block devices should typically only be shared between domains in a
1598 read-only fashion otherwise the Linux kernel's file systems will get
1599 very confused as the file system structure may change underneath
1600 them (having the same ext3 partition mounted \path{rw} twice is a
1601 sure fire way to cause irreparable damage)! \Xend\ will attempt to
1602 prevent you from doing this by checking that the device is not
1603 mounted read-write in domain~0, and hasn't already been exported
1604 read-write to another domain. If you want read-write sharing,
1605 export the directory to other domains via NFS from domain~0 (or use
1606 a cluster file system such as GFS or ocfs2).
1607 \end{quote}
1610 \section{Using File-backed VBDs}
1612 It is also possible to use a file in Domain~0 as the primary storage
1613 for a virtual machine. As well as being convenient, this also has the
1614 advantage that the virtual block device will be \emph{sparse} ---
1615 space will only really be allocated as parts of the file are used. So
1616 if a virtual machine uses only half of its disk space then the file
1617 really takes up half of the size allocated.
1619 For example, to create a 2GB sparse file-backed virtual block device
1620 (actually only consumes 1KB of disk):
1621 \begin{quote}
1622 \verb_# dd if=/dev/zero of=vm1disk bs=1k seek=2048k count=1_
1623 \end{quote}
1625 Make a file system in the disk file:
1626 \begin{quote}
1627 \verb_# mkfs -t ext3 vm1disk_
1628 \end{quote}
1630 (when the tool asks for confirmation, answer `y')
1632 Populate the file system e.g.\ by copying from the current root:
1633 \begin{quote}
1634 \begin{verbatim}
1635 # mount -o loop vm1disk /mnt
1636 # cp -ax /{root,dev,var,etc,usr,bin,sbin,lib} /mnt
1637 # mkdir /mnt/{proc,sys,home,tmp}
1638 \end{verbatim}
1639 \end{quote}
1641 Tailor the file system by editing \path{/etc/fstab},
1642 \path{/etc/hostname}, etc.\ Don't forget to edit the files in the
1643 mounted file system, instead of your domain~0 filesystem, e.g.\ you
1644 would edit \path{/mnt/etc/fstab} instead of \path{/etc/fstab}. For
1645 this example put \path{/dev/sda1} to root in fstab.
1647 Now unmount (this is important!):
1648 \begin{quote}
1649 \verb_# umount /mnt_
1650 \end{quote}
1652 In the configuration file set:
1653 \begin{quote}
1654 \verb_disk = ['file:/full/path/to/vm1disk,sda1,w']_
1655 \end{quote}
1657 As the virtual machine writes to its `disk', the sparse file will be
1658 filled in and consume more space up to the original 2GB.
1660 {\bf Note that file-backed VBDs may not be appropriate for backing
1661 I/O-intensive domains.} File-backed VBDs are known to experience
1662 substantial slowdowns under heavy I/O workloads, due to the I/O
1663 handling by the loopback block device used to support file-backed VBDs
1664 in dom0. Better I/O performance can be achieved by using either
1665 LVM-backed VBDs (Section~\ref{s:using-lvm-backed-vbds}) or physical
1666 devices as VBDs (Section~\ref{s:exporting-physical-devices-as-vbds}).
1668 Linux supports a maximum of eight file-backed VBDs across all domains
1669 by default. This limit can be statically increased by using the
1670 \emph{max\_loop} module parameter if CONFIG\_BLK\_DEV\_LOOP is
1671 compiled as a module in the dom0 kernel, or by using the
1672 \emph{max\_loop=n} boot option if CONFIG\_BLK\_DEV\_LOOP is compiled
1673 directly into the dom0 kernel.
1676 \section{Using LVM-backed VBDs}
1677 \label{s:using-lvm-backed-vbds}
1679 A particularly appealing solution is to use LVM volumes as backing for
1680 domain file-systems since this allows dynamic growing/shrinking of
1681 volumes as well as snapshot and other features.
1683 To initialize a partition to support LVM volumes:
1684 \begin{quote}
1685 \begin{verbatim}
1686 # pvcreate /dev/sda10
1687 \end{verbatim}
1688 \end{quote}
1690 Create a volume group named `vg' on the physical partition:
1691 \begin{quote}
1692 \begin{verbatim}
1693 # vgcreate vg /dev/sda10
1694 \end{verbatim}
1695 \end{quote}
1697 Create a logical volume of size 4GB named `myvmdisk1':
1698 \begin{quote}
1699 \begin{verbatim}
1700 # lvcreate -L4096M -n myvmdisk1 vg
1701 \end{verbatim}
1702 \end{quote}
1704 You should now see that you have a \path{/dev/vg/myvmdisk1} Make a
1705 filesystem, mount it and populate it, e.g.:
1706 \begin{quote}
1707 \begin{verbatim}
1708 # mkfs -t ext3 /dev/vg/myvmdisk1
1709 # mount /dev/vg/myvmdisk1 /mnt
1710 # cp -ax / /mnt
1711 # umount /mnt
1712 \end{verbatim}
1713 \end{quote}
1715 Now configure your VM with the following disk configuration:
1716 \begin{quote}
1717 \begin{verbatim}
1718 disk = [ 'phy:vg/myvmdisk1,sda1,w' ]
1719 \end{verbatim}
1720 \end{quote}
1722 LVM enables you to grow the size of logical volumes, but you'll need
1723 to resize the corresponding file system to make use of the new space.
1724 Some file systems (e.g.\ ext3) now support online resize. See the LVM
1725 manuals for more details.
1727 You can also use LVM for creating copy-on-write (CoW) clones of LVM
1728 volumes (known as writable persistent snapshots in LVM terminology).
1729 This facility is new in Linux 2.6.8, so isn't as stable as one might
1730 hope. In particular, using lots of CoW LVM disks consumes a lot of
1731 dom0 memory, and error conditions such as running out of disk space
1732 are not handled well. Hopefully this will improve in future.
1734 To create two copy-on-write clones of the above file system you would
1735 use the following commands:
1737 \begin{quote}
1738 \begin{verbatim}
1739 # lvcreate -s -L1024M -n myclonedisk1 /dev/vg/myvmdisk1
1740 # lvcreate -s -L1024M -n myclonedisk2 /dev/vg/myvmdisk1
1741 \end{verbatim}
1742 \end{quote}
1744 Each of these can grow to have 1GB of differences from the master
1745 volume. You can grow the amount of space for storing the differences
1746 using the lvextend command, e.g.:
1747 \begin{quote}
1748 \begin{verbatim}
1749 # lvextend +100M /dev/vg/myclonedisk1
1750 \end{verbatim}
1751 \end{quote}
1753 Don't let the `differences volume' ever fill up otherwise LVM gets
1754 rather confused. It may be possible to automate the growing process by
1755 using \path{dmsetup wait} to spot the volume getting full and then
1756 issue an \path{lvextend}.
1758 In principle, it is possible to continue writing to the volume that
1759 has been cloned (the changes will not be visible to the clones), but
1760 we wouldn't recommend this: have the cloned volume as a `pristine'
1761 file system install that isn't mounted directly by any of the virtual
1762 machines.
1765 \section{Using NFS Root}
1767 First, populate a root filesystem in a directory on the server
1768 machine. This can be on a distinct physical machine, or simply run
1769 within a virtual machine on the same node.
1771 Now configure the NFS server to export this filesystem over the
1772 network by adding a line to \path{/etc/exports}, for instance:
1774 \begin{quote}
1775 \begin{small}
1776 \begin{verbatim}
1777 /export/vm1root (rw,sync,no_root_squash)
1778 \end{verbatim}
1779 \end{small}
1780 \end{quote}
1782 Finally, configure the domain to use NFS root. In addition to the
1783 normal variables, you should make sure to set the following values in
1784 the domain's configuration file:
1786 \begin{quote}
1787 \begin{small}
1788 \begin{verbatim}
1789 root = '/dev/nfs'
1790 nfs_server = '' # substitute IP address of server
1791 nfs_root = '/path/to/root' # path to root FS on the server
1792 \end{verbatim}
1793 \end{small}
1794 \end{quote}
1796 The domain will need network access at boot time, so either statically
1797 configure an IP address using the config variables \path{ip},
1798 \path{netmask}, \path{gateway}, \path{hostname}; or enable DHCP
1799 (\path{dhcp='dhcp'}).
1801 Note that the Linux NFS root implementation is known to have stability
1802 problems under high load (this is not a Xen-specific problem), so this
1803 configuration may not be appropriate for critical servers.
1806 \chapter{CPU Management}
1808 %% KMS Something sage about CPU / processor management.
1810 Xen allows a domain's virtual CPU(s) to be associated with one or more
1811 host CPUs. This can be used to allocate real resources among one or
1812 more guests, or to make optimal use of processor resources when
1813 utilizing dual-core, hyperthreading, or other advanced CPU technologies.
1815 Xen enumerates physical CPUs in a `depth first' fashion. For a system
1816 with both hyperthreading and multiple cores, this would be all the
1817 hyperthreads on a given core, then all the cores on a given socket,
1818 and then all sockets. I.e. if you had a two socket, dual core,
1819 hyperthreaded Xeon the CPU order would be:
1822 \begin{center}
1823 \begin{tabular}{l|l|l|l|l|l|l|r}
1824 \multicolumn{4}{c|}{socket0} & \multicolumn{4}{c}{socket1} \\ \hline
1825 \multicolumn{2}{c|}{core0} & \multicolumn{2}{c|}{core1} &
1826 \multicolumn{2}{c|}{core0} & \multicolumn{2}{c}{core1} \\ \hline
1827 ht0 & ht1 & ht0 & ht1 & ht0 & ht1 & ht0 & ht1 \\
1828 \#0 & \#1 & \#2 & \#3 & \#4 & \#5 & \#6 & \#7 \\
1829 \end{tabular}
1830 \end{center}
1833 Having multiple vcpus belonging to the same domain mapped to the same
1834 physical CPU is very likely to lead to poor performance. It's better to
1835 use `vcpus-set' to hot-unplug one of the vcpus and ensure the others are
1836 pinned on different CPUs.
1838 If you are running IO intensive tasks, its typically better to dedicate
1839 either a hyperthread or whole core to running domain 0, and hence pin
1840 other domains so that they can't use CPU 0. If your workload is mostly
1841 compute intensive, you may want to pin vcpus such that all physical CPU
1842 threads are available for guest domains.
1844 \chapter{Migrating Domains}
1846 \section{Domain Save and Restore}
1848 The administrator of a Xen system may suspend a virtual machine's
1849 current state into a disk file in domain~0, allowing it to be resumed at
1850 a later time.
1852 For example you can suspend a domain called ``VM1'' to disk using the
1853 command:
1854 \begin{verbatim}
1855 # xm save VM1 VM1.chk
1856 \end{verbatim}
1858 This will stop the domain named ``VM1'' and save its current state
1859 into a file called \path{VM1.chk}.
1861 To resume execution of this domain, use the \path{xm restore} command:
1862 \begin{verbatim}
1863 # xm restore VM1.chk
1864 \end{verbatim}
1866 This will restore the state of the domain and resume its execution.
1867 The domain will carry on as before and the console may be reconnected
1868 using the \path{xm console} command, as described earlier.
1870 \section{Migration and Live Migration}
1872 Migration is used to transfer a domain between physical hosts. There
1873 are two varieties: regular and live migration. The former moves a
1874 virtual machine from one host to another by pausing it, copying its
1875 memory contents, and then resuming it on the destination. The latter
1876 performs the same logical functionality but without needing to pause
1877 the domain for the duration. In general when performing live migration
1878 the domain continues its usual activities and---from the user's
1879 perspective---the migration should be imperceptible.
1881 To perform a live migration, both hosts must be running Xen / \xend\ and
1882 the destination host must have sufficient resources (e.g.\ memory
1883 capacity) to accommodate the domain after the move. Furthermore we
1884 currently require both source and destination machines to be on the same
1885 L2 subnet.
1887 Currently, there is no support for providing automatic remote access
1888 to filesystems stored on local disk when a domain is migrated.
1889 Administrators should choose an appropriate storage solution (i.e.\
1890 SAN, NAS, etc.) to ensure that domain filesystems are also available
1891 on their destination node. GNBD is a good method for exporting a
1892 volume from one machine to another. iSCSI can do a similar job, but is
1893 more complex to set up.
1895 When a domain migrates, it's MAC and IP address move with it, thus it is
1896 only possible to migrate VMs within the same layer-2 network and IP
1897 subnet. If the destination node is on a different subnet, the
1898 administrator would need to manually configure a suitable etherip or IP
1899 tunnel in the domain~0 of the remote node.
1901 A domain may be migrated using the \path{xm migrate} command. To live
1902 migrate a domain to another machine, we would use the command:
1904 \begin{verbatim}
1905 # xm migrate --live mydomain
1906 \end{verbatim}
1908 Without the \path{--live} flag, \xend\ simply stops the domain and
1909 copies the memory image over to the new node and restarts it. Since
1910 domains can have large allocations this can be quite time consuming,
1911 even on a Gigabit network. With the \path{--live} flag \xend\ attempts
1912 to keep the domain running while the migration is in progress, resulting
1913 in typical down times of just 60--300ms.
1915 For now it will be necessary to reconnect to the domain's console on the
1916 new machine using the \path{xm console} command. If a migrated domain
1917 has any open network connections then they will be preserved, so SSH
1918 connections do not have this limitation.
1921 %% Chapter Securing Xen
1922 \chapter{Securing Xen}
1924 This chapter describes how to secure a Xen system. It describes a number
1925 of scenarios and provides a corresponding set of best practices. It
1926 begins with a section devoted to understanding the security implications
1927 of a Xen system.
1930 \section{Xen Security Considerations}
1932 When deploying a Xen system, one must be sure to secure the management
1933 domain (Domain-0) as much as possible. If the management domain is
1934 compromised, all other domains are also vulnerable. The following are a
1935 set of best practices for Domain-0:
1937 \begin{enumerate}
1938 \item \textbf{Run the smallest number of necessary services.} The less
1939 things that are present in a management partition, the better.
1940 Remember, a service running as root in the management domain has full
1941 access to all other domains on the system.
1942 \item \textbf{Use a firewall to restrict the traffic to the management
1943 domain.} A firewall with default-reject rules will help prevent
1944 attacks on the management domain.
1945 \item \textbf{Do not allow users to access Domain-0.} The Linux kernel
1946 has been known to have local-user root exploits. If you allow normal
1947 users to access Domain-0 (even as unprivileged users) you run the risk
1948 of a kernel exploit making all of your domains vulnerable.
1949 \end{enumerate}
1951 \section{Driver Domain Security Considerations}
1952 \label{s:ddsecurity}
1954 Driver domains address a range of security problems that exist regarding
1955 the use of device drivers and hardware. On many operating systems in common
1956 use today, device drivers run within the kernel with the same privileges as
1957 the kernel. Few or no mechanisms exist to protect the integrity of the kernel
1958 from a misbehaving (read "buggy") or malicious device driver. Driver
1959 domains exist to aid in isolating a device driver within its own virtual
1960 machine where it cannot affect the stability and integrity of other
1961 domains. If a driver crashes, the driver domain can be restarted rather than
1962 have the entire machine crash (and restart) with it. Drivers written by
1963 unknown or untrusted third-parties can be confined to an isolated space.
1964 Driver domains thus address a number of security and stability issues with
1965 device drivers.
1967 However, due to limitations in current hardware, a number of security
1968 concerns remain that need to be considered when setting up driver domains (it
1969 should be noted that the following list is not intended to be exhaustive).
1971 \begin{enumerate}
1972 \item \textbf{Without an IOMMU, a hardware device can DMA to memory regions
1973 outside of its controlling domain.} Architectures which do not have an
1974 IOMMU (e.g. most x86-based platforms) to restrict DMA usage by hardware
1975 are vulnerable. A hardware device which can perform arbitrary memory reads
1976 and writes can read/write outside of the memory of its controlling domain.
1977 A malicious or misbehaving domain could use a hardware device it controls
1978 to send data overwriting memory in another domain or to read arbitrary
1979 regions of memory in another domain.
1980 \item \textbf{Shared buses are vulnerable to sniffing.} Devices that share
1981 a data bus can sniff (and possible spoof) each others' data. Device A that
1982 is assigned to Domain A could eavesdrop on data being transmitted by
1983 Domain B to Device B and then relay that data back to Domain A.
1984 \item \textbf{Devices which share interrupt lines can either prevent the
1985 reception of that interrupt by the driver domain or can trigger the
1986 interrupt service routine of that guest needlessly.} A devices which shares
1987 a level-triggered interrupt (e.g. PCI devices) with another device can
1988 raise an interrupt and never clear it. This effectively blocks other devices
1989 which share that interrupt line from notifying their controlling driver
1990 domains that they need to be serviced. A device which shares an
1991 any type of interrupt line can trigger its interrupt continually which
1992 forces execution time to be spent (in multiple guests) in the interrupt
1993 service routine (potentially denying time to other processes within that
1994 guest). System architectures which allow each device to have its own
1995 interrupt line (e.g. PCI's Message Signaled Interrupts) are less
1996 vulnerable to this denial-of-service problem.
1997 \item \textbf{Devices may share the use of I/O memory address space.} Xen can
1998 only restrict access to a device's physical I/O resources at a certain
1999 granularity. For interrupt lines and I/O port address space, that
2000 granularity is very fine (per interrupt line and per I/O port). However,
2001 Xen can only restrict access to I/O memory address space on a page size
2002 basis. If more than one device shares use of a page in I/O memory address
2003 space, the domains to which those devices are assigned will be able to
2004 access the I/O memory address space of each other's devices.
2005 \end{enumerate}
2008 \section{Security Scenarios}
2011 \subsection{The Isolated Management Network}
2013 In this scenario, each node has two network cards in the cluster. One
2014 network card is connected to the outside world and one network card is a
2015 physically isolated management network specifically for Xen instances to
2016 use.
2018 As long as all of the management partitions are trusted equally, this is
2019 the most secure scenario. No additional configuration is needed other
2020 than forcing Xend to bind to the management interface for relocation.
2023 \subsection{A Subnet Behind a Firewall}
2025 In this scenario, each node has only one network card but the entire
2026 cluster sits behind a firewall. This firewall should do at least the
2027 following:
2029 \begin{enumerate}
2030 \item Prevent IP spoofing from outside of the subnet.
2031 \item Prevent access to the relocation port of any of the nodes in the
2032 cluster except from within the cluster.
2033 \end{enumerate}
2035 The following iptables rules can be used on each node to prevent
2036 migrations to that node from outside the subnet assuming the main
2037 firewall does not do this for you:
2039 \begin{verbatim}
2040 # this command disables all access to the Xen relocation
2041 # port:
2042 iptables -A INPUT -p tcp --destination-port 8002 -j REJECT
2044 # this command enables Xen relocations only from the specific
2045 # subnet:
2046 iptables -I INPUT -p tcp -{}-source \
2047 --destination-port 8002 -j ACCEPT
2048 \end{verbatim}
2050 \subsection{Nodes on an Untrusted Subnet}
2052 Migration on an untrusted subnet is not safe in current versions of Xen.
2053 It may be possible to perform migrations through a secure tunnel via an
2054 VPN or SSH. The only safe option in the absence of a secure tunnel is to
2055 disable migration completely. The easiest way to do this is with
2056 iptables:
2058 \begin{verbatim}
2059 # this command disables all access to the Xen relocation port
2060 iptables -A INPUT -p tcp -{}-destination-port 8002 -j REJECT
2061 \end{verbatim}
2063 %% Chapter Xen Mandatory Access Control Framework
2064 \chapter{sHype/Xen Access Control}
2066 The Xen mandatory access control framework is an implementation of the
2067 sHype Hypervisor Security Architecture
2068 (\_shype). It permits or denies communication
2069 and resource access of domains based on a security policy. The
2070 mandatory access controls are enforced in addition to the Xen core
2071 controls, such as memory protection. They are designed to remain
2072 transparent during normal operation of domains (policy-conform
2073 behavior) but to intervene when domains move outside their intended
2074 sharing behavior. This chapter will describe how the sHype access
2075 controls in Xen can be configured to prevent viruses from spilling
2076 over from one into another workload type and secrets from leaking from
2077 one workload type to another. sHype/Xen depends on the correct
2078 behavior of Domain0 (cf previous chapter).
2080 Benefits of configuring sHype/ACM in Xen include:
2081 \begin{itemize}
2082 \item robust workload and resource protection effective against rogue
2083 user domains
2084 \item simple, platform- and operating system-independent security
2085 policies (ideal for heterogeneous distributed environments)
2086 \item safety net with minimal performance overhead in case operating
2087 system security is missing, does not scale, or fails
2088 \end{itemize}
2090 These benefits are very valuable because today's operating systems
2091 become increasingly complex and often have no or insufficient
2092 mandatory access controls. (Discretionary access controls, supported
2093 by of most operating systems, are not effective against viruses or
2094 misbehaving programs.) Where mandatory access control exists (e.g.,
2095 SELinux), they usually deploy complex and difficult to understand
2096 security policies. Additionally, multi-tier applications in business
2097 environments usually require different types of operating systems
2098 (e.g., AIX, Windows, Linux) which cannot be configured with compatible
2099 security policies. Related distributed transactions and workloads
2100 cannot be easily protected on the OS level. The Xen access control
2101 framework steps in to offer a coarse-grained but very robust security
2102 layer and safety net in case operating system security fails or is
2103 missing.
2105 To control sharing between domains, Xen mediates all inter-domain
2106 communication (shared memory, events) as well as the access of domains
2107 to resources such as disks. Thus, Xen can confine distributed
2108 workloads (domain payloads) by permitting sharing among domains
2109 running the same type of workload and denying sharing between pairs of
2110 domains that run different workload types. We assume that--from a Xen
2111 perspective--only one workload type is running per user domain. To
2112 enable Xen to associate domains and resources with workload types,
2113 security labels including the workload types are attached to domains
2114 and resources. These labels and the hypervisor sHype controls cannot
2115 be manipulated or bypassed and are effective even against rogue
2116 domains.
2118 \section{Overview}
2119 This section gives an overview of how workloads can be protected using
2120 the sHype mandatory access control framework in Xen.
2121 Figure~\ref{fig:acmoverview} shows the necessary steps in activating
2122 the Xen workload protection. These steps are described in detail in
2123 Section~\ref{section:acmexample}.
2125 \begin{figure}
2126 \centering
2127 \includegraphics[width=13cm]{figs/acm_overview.eps}
2128 \caption{Overview of activating sHype workload protection in Xen.
2129 Section numbers point to representative examples.}
2130 \label{fig:acmoverview}
2131 \end{figure}
2133 First, the sHype/ACM access control must be enabled in the Xen
2134 distribution and the distribution must be built and installed (cf
2135 Subsection~\ref{subsection:acmexampleconfigure}). Before we can
2136 enforce security, a Xen security policy must be created (cf
2137 Subsection~\ref{subsection:acmexamplecreate}) and deployed (cf
2138 Subsection~\ref{subsection:acmexampleinstall}). This policy defines
2139 the workload types differentiated during access control. It also
2140 defines the rules that compare workload types of domains and resources
2141 to provide access decisions. Workload types are represented by
2142 security labels that can be attached to domains and resources (cf
2143 Subsections~\ref{subsection:acmexamplelabeldomains}
2144 and~\ref{subsection:acmexamplelabelresources}). The functioning of
2145 the active sHype/Xen workload protection is demonstrated using simple
2146 resource assignment, and domain creation tests in
2147 Subsection~\ref{subsection:acmexampletest}.
2148 Section~\ref{section:acmpolicy} describes the syntax and semantics of
2149 the sHype/Xen security policy in detail and introduces briefly the
2150 tools that are available to help create valid security policies.
2152 The next section describes all the necessary steps to create, deploy,
2153 and test a simple workload protection policy. It is meant to enable
2154 anybody to quickly try out the sHype/Xen workload protection. Those
2155 readers who are interested in learning more about how the sHype access
2156 control in Xen works and how it is configured using the XML security
2157 policy should read Section~\ref{section:acmpolicy} as well.
2158 Section~\ref{section:acmlimitations} concludes this chapter with
2159 current limitations of the sHype implementation for Xen.
2161 \section{Xen Workload Protection Step-by-Step}
2162 \label{section:acmexample}
2164 What you are about to do consists of the following sequence:
2165 \begin{itemize}
2166 \item configure and install sHype/Xen
2167 \item create a simple workload protection security policy
2168 \item deploy the sHype/Xen security policy
2169 \item associate domains and resources with workload labels,
2170 \item test the workload protection
2171 \end{itemize}
2172 The essential commands to create and deploy a sHype/Xen security
2173 policy are numbered throughout the following sections. If you want a
2174 quick-guide or return at a later time to go quickly through this
2175 demonstration, simply look for the numbered commands and apply them in
2176 order.
2178 \subsection{Configuring/Building sHype Support into Xen}
2179 \label{subsection:acmexampleconfigure}
2180 First, we need to configure the access control module in Xen and
2181 install the ACM-enabled Xen hypervisor. This step installs security
2182 tools and compiles sHype/ACM controls into the Xen hypervisor.
2184 To enable sHype/ACM in Xen, please edit the file in the top
2185 Xen directory.
2187 \begin{verbatim}
2188 (1) In
2189 Change: ACM_SECURITY ?= n
2190 To: ACM_SECURITY ?= y
2191 \end{verbatim}
2193 Then install the security-enabled Xen environment as follows:
2195 \begin{verbatim}
2196 (2) # make world
2197 # make install
2198 \end{verbatim}
2200 \subsection{Creating A WLP Policy in 3 Simple Steps with ezPolicy}
2201 \label{subsection:acmexamplecreate}
2203 We will use the ezPolicy tool to quickly create a policy that protects
2204 workloads. You will need both the Python and wxPython packages to run
2205 this tool. To run the tool in Domain0, you can download the wxPython
2206 package from or use the command
2207 \verb|yum install wxPython| in Redhat/Fedora. To run the tool on MS
2208 Windows, you also need to download the Python package from
2209 After these packages are installed, start the ezPolicy
2210 tool with the following command:
2212 \begin{verbatim}
2213 (3) # xensec_ezpolicy
2214 \end{verbatim}
2216 Figure~\ref{fig:acmezpolicy} shows a screen-shot of the tool. The
2217 following steps show you how to create the policy shown in
2218 Figure~\ref{fig:acmezpolicy}. You can use \verb|<CTRL>-h| to pop up a
2219 help window at any time. The indicators (a), (b), and (c) in
2220 Figure~\ref{fig:acmezpolicy} show the buttons that are used during the
2221 3 steps of creating a policy:
2222 \begin{enumerate}
2223 \item defining workloads
2224 \item defining run-time conflicts
2225 \item translating the workload definition into a sHype/Xen access
2226 control policy
2227 \end{enumerate}
2229 \paragraph{Defining workloads.} Workloads are defined for each
2230 organization and department that you enter in the left panel. Please
2231 use the ``New Org'' button (a) to create the organizations ``Avis'',
2232 ``Hertz'', ``CocaCola'', and ``PepsiCo''.
2234 You can refine an organization to differentiate between multiple
2235 department workloads by right-clicking the organization and selecting
2236 \verb|Add Department| (or selecting an organization and pressing
2237 \verb|<CRTL>-a|). Create department workloads ``Intranet'',
2238 ``Extranet'', ``HumanResources'', and ``Payroll'' for the ``CocaCola''
2239 organization and department workloads ``Intranet'' and ``Extranet''
2240 for the ``PepsiCo'' organization. The resulting layout of the tool
2241 should be similar to the left panel shown in
2242 Figure~\ref{fig:acmezpolicy}.
2244 \paragraph{Defining run-time conflicts.} Workloads that shall be
2245 prohibited from running concurrently on the same hypervisor platform
2246 are grouped into ``Run-time Exclusion rules'' on the right panel of
2247 the window.
2249 To prevent PepsiCo and CocaCola workloads (including their
2250 departmental workloads) from running simultaneously on the same
2251 hypervisor system, select the organization ``PepsiCo'' and, while
2252 pressing the \verb|<CTRL>|-key, select the organization ``CocaCola''.
2253 Now press the button (b) named ``Create run-time exclusion rule from
2254 selection''. A popup window will ask for the name for this run-time
2255 exclusion rule (enter a name or just hit \verb|<ENTER>|). A rule will
2256 appear on the right panel. The name is used as reference only and does
2257 not affect the hypervisor policy.
2259 Repeat the process to create a run-time exclusion rule just for the
2260 department workloads CocaCola.Extranet and CocaCola.Payroll.
2262 \begin{figure}[htb]
2263 \centering
2264 \includegraphics[width=13cm]{figs/acm_ezpolicy.eps}
2265 \caption{Final layout including workload definition and Run-time Exclusion rules.}
2266 \label{fig:acmezpolicy}
2267 \end{figure}
2269 The resulting layout of your window should be similar to
2270 Figure~\ref{fig:acmezpolicy}. Save this workload definition by
2271 selecting ``Save Workload Definition as ...'' in the ``File'' menu
2272 (c). This workload definition can be later refined if required.
2274 \paragraph{Translating the workload definition into a sHype/Xen access
2275 control policy.} To translate the workload definition into a access
2276 control policy understood by Xen, please select the ``Save as Xen ACM
2277 Security Policy'' in the ``File'' menu (c). Enter the following policy
2278 name in the popup window: \verb|example.chwall_ste.test-wld|. If you
2279 are running ezPolicy in Domain0, the resulting policy file
2280 test-wld\_security-policy.xml will automatically be placed into the
2281 right directory (/etc/xen/acm-security/ policies/example/chwall\_ste).
2282 If you run the tool on another system, then you need to copy the
2283 resulting policy file into Domain0 before continuing. See
2284 Section~\ref{subsection:acmnaming} for naming conventions of security
2285 policies.
2287 \subsection{Deploying a WLP Policy}
2288 \label{subsection:acmexampleinstall}
2289 To deploy the workload protection policy we created in
2290 Section~\ref{subsection:acmexamplecreate}, we create a policy
2291 representation (test-wld.bin) that can be loaded into the Xen
2292 hypervisor and we configure Xen to actually load this policy at
2293 startup time.
2295 The following command translates the source policy representation
2296 into a format that can be loaded into Xen with sHype/ACM support.
2297 Refer to the \verb|xm| man page for further details:
2299 \begin{verbatim}
2300 (4) # xm makepolicy example.chwall_ste.test-wld
2301 \end{verbatim}
2303 The easiest way to install a security policy for Xen is to include the
2304 policy in the boot sequence. The following command does just this:
2306 \begin{verbatim}
2307 (5) # xm cfgbootpolicy example.chwall_ste.test-wld
2308 \end{verbatim}
2310 \textit{Alternatively, if this command fails} (e.g., because it cannot
2311 identify the Xen boot entry), you can manually install the policy in 2
2312 steps. First, manually copy the policy binary file into the boot
2313 directory:
2315 \begin{scriptsize}
2316 \begin{verbatim}
2317 # cp /etc/xen/acm-security/policies/example/chwall_ste/test-wld.bin \
2318 /boot/example.chwall_ste.test-wld.bin
2319 \end{verbatim}
2320 \end{scriptsize}
2322 Second, manually add a module line to your Xen boot entry so that grub
2323 loads this policy file during startup:
2325 \begin{scriptsize}
2326 \begin{verbatim}
2327 title Xen (
2328 root (hd0,0)
2329 kernel /xen.gz dom0_mem=2000000 console=vga
2330 module /vmlinuz- ro root=/dev/hda3
2331 module /initrd-
2332 module /example.chwall_ste.test-wld.bin
2333 \end{verbatim}
2334 \end{scriptsize}
2336 Now reboot into this Xen boot entry to activate the policy and the
2337 security-enabled Xen hypervisor.
2339 \begin{verbatim}
2340 (6) # reboot
2341 \end{verbatim}
2343 After reboot, check if security is enabled:
2345 \begin{scriptsize}
2346 \begin{verbatim}
2347 # xm list --label
2348 Name ID Mem(MiB) VCPUs State Time(s) Label
2349 Domain-0 0 1949 4 r----- 163.9 SystemManagement
2350 \end{verbatim}
2351 \end{scriptsize}
2353 If the security label at the end of the line says ``INACTIV'' then the
2354 security is not enabled. Verify the previous steps. Note: Domain0 is
2355 assigned a default label (see \verb|bootstrap| policy attribute
2356 explained in Section~\ref{section:acmpolicy}). All other domains must
2357 be labeled in order to start on this sHype/ACM-enabled Xen hypervisor
2358 (see following sections for labeling domains and resources).
2360 \subsection{Labeling Domains}
2361 \label{subsection:acmexamplelabeldomains}
2362 You should have a Xen domain configuration file that looks like the
2363 following (Note: or might be good
2364 places to look for example domU images). The following configuration
2365 file defines \verb|domain1|:
2367 \begin{scriptsize}
2368 \begin{verbatim}
2369 # cat domain1.xm
2370 kernel = "/boot/vmlinuz-"
2371 memory = 128
2372 name = "domain1"
2373 vif = [ '' ]
2374 dhcp = "dhcp"
2375 disk = ['file:/home/xen/dom_fc5/fedora.fc5.img,sda1,w', \
2376 'file:/home/xen/dom_fc5/fedora.swap,sda2,w']
2377 root = "/dev/sda1 ro"
2378 \end{verbatim}
2379 \end{scriptsize}
2381 If you try to start domain1, you will get the following error:
2383 \begin{scriptsize}
2384 \begin{verbatim}
2385 # xm create domain1.xm
2386 Using config file "domain1.xm".
2387 domain1: DENIED
2388 --> Domain not labeled
2389 Checking resources: (skipped)
2390 Security configuration prevents domain from starting
2391 \end{verbatim}
2392 \end{scriptsize}
2394 Every domain must be associated with a security label before it can
2395 start on sHype/Xen. Otherwise, sHype/Xen would not be able to enforce
2396 the policy consistently. The following command prints all domain
2397 labels available in the active policy:
2399 \begin{scriptsize}
2400 \begin{verbatim}
2401 # xm labels type=dom
2402 Avis
2403 CocaCola
2404 CocaCola.Extranet
2405 CocaCola.HumanResources
2406 CocaCola.Intranet
2407 CocaCola.Payroll
2408 Hertz
2409 PepsiCo
2410 PepsiCo.Extranet
2411 PepsiCo.Intranet
2412 SystemManagement
2413 \end{verbatim}
2414 \end{scriptsize}
2416 Now label domain1 with the CocaCola label and another domain2 with the
2417 PepsiCo.Extranet label. Please refer to the xm man page for further
2418 information.
2420 \begin{verbatim}
2421 (7) # xm addlabel CocaCola dom domain1.xm
2422 # xm addlabel PepsiCo.Extranet dom domain2.xm
2423 \end{verbatim}
2425 Let us try to start the domain again:
2427 \begin{scriptsize}
2428 \begin{verbatim}
2429 # xm create domain1.xm
2430 Using config file "domain1.xm".
2431 file:/home/xen/dom_fc5/fedora.fc5.img: DENIED
2432 --> res:__NULL_LABEL__ (NULL)
2433 --> dom:CocaCola (example.chwall_ste.test-wld)
2434 file:/home/xen/dom_fc5/fedora.swap: DENIED
2435 --> res:__NULL_LABEL__ (NULL)
2436 --> dom:CocaCola (example.chwall_ste.test-wld)
2437 Security configuration prevents domain from starting
2438 \end{verbatim}
2439 \end{scriptsize}
2441 This error indicates that domain1, if started, would not be able to
2442 access its image and swap files because they are not labeled. This
2443 makes sense because to confine workloads, access of domains to
2444 resources must be controlled. Otherwise, domains that are not allowed
2445 to communicate or run simultaneously could share data through storage
2446 resources.
2448 \subsection{Labeling Resources}
2449 \label{subsection:acmexamplelabelresources}
2450 You can use the \verb|xm labels type=res| command to list available
2451 resource labels. Let us assign the CocaCola resource label to the domain1
2452 image file representing \verb|/dev/sda1| and to its swap file:
2454 \begin{verbatim}
2455 (8) # xm addlabel CocaCola res \
2456 file:/home/xen/dom_fc5/fedora.fc5.img
2457 Resource file not found, creating new file at:
2458 /etc/xen/acm-security/policies/resource_labels
2459 # xm addlabel CocaCola res \
2460 file:/home/xen/dom_fc5/fedora.swap
2461 \end{verbatim}
2463 Starting \verb|domain1| now will succeed:
2465 \begin{scriptsize}
2466 \begin{verbatim}
2467 # xm create domain1.xm
2468 # xm list --label
2469 Name ID Mem(MiB) VCPUs State Time(s) Label
2470 domain1 1 128 1 r----- 2.8 CocaCola
2471 Domain-0 0 1949 4 r----- 387.7 SystemManagement
2472 \end{verbatim}
2473 \end{scriptsize}
2475 The following command lists all labeled resources on the
2476 system, e.g., to lookup or verify the labeling:
2478 \begin{scriptsize}
2479 \begin{verbatim}
2480 # xm resources
2481 file:/home/xen/dom_fc5/fedora.swap
2482 policy: example.chwall_ste.test-wld
2483 label: CocaCola
2484 file:/home/xen/dom_fc5/fedora.fc5.img
2485 policy: example.chwall_ste.test-wld
2486 label: CocaCola
2487 \end{verbatim}
2488 \end{scriptsize}
2490 Currently, if a labeled resource is moved to another location, the
2491 label must first be manually removed, and after the move re-attached
2492 using the xm commands \verb|xm rmlabel| and \verb|xm addlabel|
2493 respectively. Please see Section~\ref{section:acmlimitations} for
2494 further details.
2496 \begin{verbatim}
2497 (9) Label the resources of domain2 as PepsiCo.Extranet
2498 Do not try to start this domain yet
2499 \end{verbatim}
2501 \subsection{Testing The Xen Workload Protection}
2502 \label{subsection:acmexampletest}
2503 We are about to demonstrate how the workload protection works by
2504 verifying:
2505 \begin{itemize}
2506 \item that domains with conflicting workloads cannot run
2507 simultaneously
2508 \item that domains cannot access resources of other workloads
2509 \item that domains cannot exchange network packets if they are not
2510 associated with the same workload type
2511 \end{itemize}
2513 \paragraph{Test 1: Run-time exclusion rules.} We assume that domain1
2514 with the CocaCola label is still running. While domain1 is running,
2515 the run-time exclusion set of our policy says that domain2 cannot
2516 start because the label of domain1 includes the CHWALL type CocaCola
2517 and the label of domain2 includes the CHWALL type PepsiCo. The
2518 run-time exclusion rule of our policy enforces that PepsiCo and
2519 CocaCola cannot run at the same time on the same hypervisor platform.
2520 Once domain1 is stopped or saved, domain2 can start but domain1 can no
2521 longer start or be resumed. The ezPolicy tool, when creating the
2522 Chinese Wall types for the workload labels, ensures that department
2523 workloads inherit the organization type (and with it any organization
2524 exclusions).
2526 \begin{scriptsize}
2527 \begin{verbatim}
2528 # xm list --label
2529 Name ID Mem(MiB) VCPUs State Time(s) Label
2530 domain1 2 128 1 -b---- 6.9 CocaCola
2531 Domain-0 0 1949 4 r----- 273.1 SystemManagement
2533 # xm create domain2.xm
2534 Using config file "domain2.xm".
2535 Error: (1, 'Operation not permitted')
2537 # xm destroy domain1
2538 # xm create domain2.xm
2539 Using config file "domain2.xm".
2540 Started domain domain2
2542 # xm list --label
2543 Name ID Mem(MiB) VCPUs State Time(s) Label
2544 domain2 4 164 1 r----- 4.3 PepsiCo.Extranet
2545 Domain-0 0 1949 4 r----- 298.4 SystemManagement
2547 # xm create domain1.xm
2548 Using config file "domain1.xm".
2549 Error: (1, 'Operation not permitted')
2551 # xm destroy domain2
2552 # xm list
2553 Name ID Mem(MiB) VCPUs State Time(s)
2554 Domain-0 0 1949 4 r----- 391.2
2555 \end{verbatim}
2556 \end{scriptsize}
2558 You can verify that domains with Avis label can run together with
2559 domains labeled CocaCola, PepsiCo, or Hertz.
2561 \paragraph{Test2: Resource access.} In this test, we will re-label the
2562 swap file for domain1 with the Avis resource label. We expect that
2563 Domain1 will no longer start because it cannot access this resource.
2564 This test checks the sharing abilities of domains, which are defined
2565 by the Simple Type Enforcement Policy component.
2567 \begin{scriptsize}
2568 \begin{verbatim}
2569 # xm rmlabel res file:/home/xen/dom_fc5/fedora.swap
2570 # xm addlabel Avis res file:/home/xen/dom_fc5/fedora.swap
2571 # xm resources
2572 file:/home/xen/dom_fc5/fedora.swap
2573 policy: example.chwall_ste.test-wld
2574 label: Avis
2575 file:/home/xen/dom_fc5/fedora.fc5.img
2576 policy: example.chwall_ste.test-wld
2577 label: CocaCola
2579 # xm create domain1.xm
2580 Using config file "domain1.xm".
2581 file:/home/xen/dom_fc4/fedora.swap: DENIED
2582 --> res:Avis (example.chwall_ste.test-wld)
2583 --> dom:CocaCola (example.chwall_ste.test-wld)
2584 Security configuration prevents domain from starting
2585 \end{verbatim}
2586 \end{scriptsize}
2588 \paragraph{Test 3: Communication.} In this test we would verify that
2589 two domains with labels Hertz and Avis cannot exchange network packets
2590 by using the 'ping' connectivity test. It is also related to the STE
2591 policy.{\bf Note:} sHype/Xen does control direct communication between
2592 domains. However, domains associated with different workloads can
2593 currently still communicate through the Domain0 virtual network. We
2594 are working on the sHype/ACM controls for local and remote network
2595 traffic through Domain0. Please monitor the xen-devel mailing list
2596 for updated information.
2598 \section{Xen Access Control Policy}
2599 \label{section:acmpolicy}
2601 This section describes the sHype/Xen access control policy in detail.
2602 It gives enough information to enable the reader to write custom
2603 access control policies and to use the available Xen policy tools. The
2604 policy language is expressive enough to specify most symmetric access
2605 relationships between domains and resources efficiently.
2607 The Xen access control policy consists of two policy components. The
2608 first component, called Chinese Wall (CHWALL) policy, controls which
2609 domains can run simultaneously on the same virtualized platform. The
2610 second component, called Simple Type Enforcement (STE) policy,
2611 controls the sharing between running domains, i.e., communication or
2612 access to shared resources. The CHWALL and STE policy components can
2613 be configured to run alone, however in our examples we will assume
2614 that both policy components are configured together since they
2615 complement each other. The XML policy file includes all information
2616 needed by Xen to enforce the policies.
2618 Figures~\ref{fig:acmxmlfilea} and \ref{fig:acmxmlfileb} show a fully
2619 functional but very simple example policy for Xen. The policy can
2620 distinguish two workload types \verb|CocaCola| and \verb|PepsiCo| and
2621 defines the labels necessary to associate domains and resources with
2622 one of these workload types. The XML Policy consists of four parts:
2623 \begin{enumerate}
2624 \item policy header including the policy name
2625 \item Simple Type Enforcement block
2626 \item Chinese Wall Policy block
2627 \item label definition block
2628 \end{enumerate}
2630 \begin{figure}
2631 \begin{scriptsize}
2632 \begin{verbatim}
2633 01 <?xml version="1.0" encoding="UTF-8"?>
2634 02 <!-- Auto-generated by ezPolicy -->
2635 03 <SecurityPolicyDefinition
2636 xmlns=""
2637 xmlns:xsi=""
2638 xsi:schemaLocation=
2639 " ../../security_policy.xsd ">
2640 04 <PolicyHeader>
2641 05 <PolicyName>example.chwall_ste.test</PolicyName>
2642 06 <Date>Wed Jul 12 17:32:59 2006</Date>
2643 07 </PolicyHeader>
2644 08
2645 09 <SimpleTypeEnforcement>
2646 10 <SimpleTypeEnforcementTypes>
2647 11 <Type>SystemManagement</Type>
2648 12 <Type>PepsiCo</Type>
2649 13 <Type>CocaCola</Type>
2650 14 </SimpleTypeEnforcementTypes>
2651 15 </SimpleTypeEnforcement>
2652 16
2653 17 <ChineseWall priority="PrimaryPolicyComponent">
2654 18 <ChineseWallTypes>
2655 19 <Type>SystemManagement</Type>
2656 20 <Type>PepsiCo</Type>
2657 21 <Type>CocaCola</Type>
2658 22 </ChineseWallTypes>
2659 23
2660 24 <ConflictSets>
2661 25 <Conflict name="RER1">
2662 26 <Type>CocaCola</Type>
2663 27 <Type>PepsiCo</Type>
2664 28 </Conflict>
2665 29 </ConflictSets>
2666 30 </ChineseWall>
2667 31
2668 \end{verbatim}
2669 \end{scriptsize}
2670 \caption{Example XML security policy file -- Part I: Types and Rules Definition.}
2671 \label{fig:acmxmlfilea}
2672 \end{figure}
2674 \subsection{Policy Header and Policy Name}
2675 \label{subsection:acmnaming}
2676 Lines 1-2 (cf Figure~\ref{fig:acmxmlfilea}) include the usual XML
2677 header. The security policy definition starts in Line 3 and refers to
2678 the policy schema. The XML-Schema definition for the Xen policy can be
2679 found in the file
2680 \textit{/etc/xen/acm-security/policies/security-policy.xsd}. Examples
2681 for security policies can be found in the example subdirectory. The
2682 acm-security directory is only installed if ACM security is configured
2683 during installation (cf Section~\ref{subsection:acmexampleconfigure}).
2685 The \verb|Policy Header| spans lines 4-7. It includes a date field and
2686 defines the policy name \verb|example.chwall_ste.test|. It can also
2687 include optional fields that are not shown and are for future use (see
2688 schema definition).
2690 The policy name serves two purposes: First, it provides a unique name
2691 for the security policy. This name is also exported by the Xen
2692 hypervisor to the Xen management tools in order to ensure that both
2693 enforce the same policy. We plan to extend the policy name with a
2694 digital fingerprint of the policy contents to better protect this
2695 correlation. Second, it implicitly points the xm tools to the
2696 location where the XML policy file is stored on the Xen system.
2697 Replacing the colons in the policy name by slashes yields the local
2698 path to the policy file starting from the global policy directory
2699 \verb|/etc/xen/acm-security/policies|. The last part of the policy
2700 name is the prefix for the XML policy file name, completed by
2701 \verb|-security_policy.xml|. Consequently, the policy with the name
2702 \verb|example.chwall_ste.test| can be found in the XML policy file
2703 named \verb|test-security_policy.xml| that is stored in the local
2704 directory \verb|example/chwall_ste| under the global policy directory.
2706 \subsection{Simple Type Enforcement Policy Component}
2708 The Simple Type Enforcement (STE) policy controls which domains can
2709 communicate or share resources. This way, Xen can enforce confinement
2710 of workload types by confining the domains running those workload
2711 types. The mandatory access control framework enforces its policy when
2712 domains access intended ways of communication or cooperation (shared
2713 memory, events, shared resources such as block devices). It builds on
2714 top of the core hypervisor isolation, which restricts the ways of
2715 inter-communication to those intended means. STE does not protect or
2716 intend to protect from covert channels in the hypervisor or hardware;
2717 this is an orthogonal problem that can be mitigated by using the
2718 Run-time Exclusion rules described above or by fixing the problem in
2719 the core hypervisor.
2721 Xen controls sharing between domains on the resource and domain level
2722 because this is the abstraction the hypervisor and its management
2723 understand naturally. While this is coarse-grained, it is also very
2724 reliable and robust and it requires minimal changes to implement
2725 mandatory access controls in the hypervisor. It enables platform- and
2726 operation system-independent policies as part of a layered security
2727 approach.
2729 Lines 9-15 (cf Figure~\ref{fig:acmxmlfilea}) define the Simple Type
2730 Enforcement policy component. Essentially, they define the workload
2731 type names \verb|SystemManagement|, \verb|PepsiCo|, and
2732 \verb|CocaCola| that are available in the STE policy component. The
2733 policy rules are implicit: Xen permits a domain to communicate with
2734 another domain if and only if the labels of the domains share an
2735 common STE type. Xen permits a domain to access a resource if and
2736 only if the labels of the domain and the resource share a common STE
2737 workload type.
2739 \subsection{Chinese Wall Policy Component}
2741 The Chinese Wall security policy interpretation of sHype enables users
2742 to prevent certain workloads from running simultaneously on the same
2743 hypervisor platform. Run-time Exclusion rules (RER), also called
2744 Conflict Sets, define a set of workload types that are not permitted
2745 to run simultaneously. Of all the workloads specified in a Run-time
2746 Exclusion rule, at most one type can run on the same hypervisor
2747 platform at a time. Run-time Exclusion Rules implement a less
2748 rigorous variant of the original Chinese Wall security component. They
2749 do not implement the *-property of the policy, which would require to
2750 restrict also types that are not part of an exclusion rule once they
2751 are running together with a type in an exclusion rule (please refer to
2752 for more information
2753 on the original Chinese Wall policy).
2755 Xen considers the \verb|ChineseWallTypes| part of the label for the
2756 enforcement of the Run-time Exclusion rules. It is illegal to define
2757 labels including conflicting Chinese Wall types.
2759 Lines 17-30 (cf Figure~\ref{fig:acmxmlfilea}) define the Chinese Wall
2760 policy component. Lines 17-22 define the known Chinese Wall types,
2761 which coincide here with the STE types defined above. This usually
2762 holds if the criteria for sharing among domains and sharing of the
2763 hardware platform are the same. Lines 24-29 define one Run-time
2764 Exclusion rule:
2766 \begin{scriptsize}
2767 \begin{verbatim}
2768 <Conflict name="RER1">
2769 <Type>CocaCola</Type>
2770 <Type>PepsiCo</Type>
2771 </Conflict>
2772 \end{verbatim}
2773 \end{scriptsize}
2775 Based on this rule, Xen enforces that only one of the types
2776 \verb|CocaCola| or \verb|PepsiCo| will run on a single hypervisor
2777 platform at a time. For example, once a domain assigned a
2778 \verb|CocaCola| workload type is started, domains with the
2779 \verb|PepsiCo| type will be denied to start. When the former domain
2780 stops and no other domains with the \verb|CocaCola| type are running,
2781 then domains with the \verb|PepsiCo| type can start.
2783 Xen maintains reference counts on each running workload type to keep
2784 track of which workload types are running. Every time a domain starts
2785 or resumes, the reference count on those Chinese Wall types that are
2786 referenced in the domain's label are incremented. Every time a domain
2787 is destroyed or saved, the reference counts of its Chinese Wall types
2788 are decremented. sHype in Xen covers migration and live-migration,
2789 which is treated the same way as saving a domain on the source
2790 platform and resuming it on the destination platform.
2792 Reasons why users would want to restrict which workloads or domains
2793 can share the system hardware include:
2795 \begin{itemize}
2796 \item Imperfect resource management or control might enable a rogue
2797 domain to starve another domain and the workload running in it.
2798 \item Redundant domains might run the same workload to increase
2799 availability; such domains should not run on the same hardware to
2800 avoid single points of failure.
2801 \item Imperfect Xen core domain isolation might enable two rogue
2802 domains running different workload types to use unintended and
2803 unknown ways (covert channels) to exchange some data. This way, they
2804 bypass the policed Xen access control mechanisms. Such
2805 imperfections cannot be completely eliminated and are a result of
2806 trade-offs between security and other design requirements. For a
2807 simple example of a covert channel see
2808 Such covert channels
2809 exist also between workloads running on different platforms if they
2810 are connected through networks. The Xen Chinese Wall policy provides
2811 an approximation of this imperfect ``air-gap'' between selected
2812 workload types.
2813 \end{itemize}
2815 \subsection{Security Labels}
2817 To enable Xen to associate domains with workload types running in
2818 them, each domain is assigned a security label that includes the
2819 workload types of the domain.
2821 \begin{figure}
2822 \begin{scriptsize}
2823 \begin{verbatim}
2824 32 <SecurityLabelTemplate>
2825 33 <SubjectLabels bootstrap="SystemManagement">
2826 34 <VirtualMachineLabel>
2827 35 <Name>SystemManagement</Name>
2828 36 <SimpleTypeEnforcementTypes>
2829 37 <Type>SystemManagement</Type>
2830 38 <Type>PepsiCo</Type>
2831 39 <Type>CocaCola</Type>
2832 40 </SimpleTypeEnforcementTypes>
2833 41 <ChineseWallTypes>
2834 42 <Type>SystemManagement</Type>
2835 43 </ChineseWallTypes>
2836 44 </VirtualMachineLabel>
2837 45
2838 46 <VirtualMachineLabel>
2839 47 <Name>PepsiCo</Name>
2840 48 <SimpleTypeEnforcementTypes>
2841 49 <Type>PepsiCo</Type>
2842 50 </SimpleTypeEnforcementTypes>
2843 51 <ChineseWallTypes>
2844 52 <Type>PepsiCo</Type>
2845 53 </ChineseWallTypes>
2846 54 </VirtualMachineLabel>
2847 55
2848 56 <VirtualMachineLabel>
2849 57 <Name>CocaCola</Name>
2850 58 <SimpleTypeEnforcementTypes>
2851 59 <Type>CocaCola</Type>
2852 60 </SimpleTypeEnforcementTypes>
2853 61 <ChineseWallTypes>
2854 62 <Type>CocaCola</Type>
2855 63 </ChineseWallTypes>
2856 64 </VirtualMachineLabel>
2857 65 </SubjectLabels>
2858 66
2859 67 <ObjectLabels>
2860 68 <ResourceLabel>
2861 69 <Name>SystemManagement</Name>
2862 70 <SimpleTypeEnforcementTypes>
2863 71 <Type>SystemManagement</Type>
2864 72 </SimpleTypeEnforcementTypes>
2865 73 </ResourceLabel>
2866 74
2867 75 <ResourceLabel>
2868 76 <Name>PepsiCo</Name>
2869 77 <SimpleTypeEnforcementTypes>
2870 78 <Type>PepsiCo</Type>
2871 79 </SimpleTypeEnforcementTypes>
2872 80 </ResourceLabel>
2873 81
2874 82 <ResourceLabel>
2875 83 <Name>CocaCola</Name>
2876 84 <SimpleTypeEnforcementTypes>
2877 85 <Type>CocaCola</Type>
2878 86 </SimpleTypeEnforcementTypes>
2879 87 </ResourceLabel>
2880 88 </ObjectLabels>
2881 89 </SecurityLabelTemplate>
2882 90 </SecurityPolicyDefinition>
2883 \end{verbatim}
2884 \end{scriptsize}
2885 \caption{Example XML security policy file -- Part II: Label Definition.}
2886 \label{fig:acmxmlfileb}
2887 \end{figure}
2889 Lines 32-89 (cf Figure~\ref{fig:acmxmlfileb}) define the
2890 \verb|SecurityLabelTemplate|, which includes the labels that can be
2891 attached to domains and resources when this policy is active. The
2892 domain labels include Chinese Wall types while resource labels do not
2893 include Chinese Wall types. Lines 33-65 define the
2894 \verb|SubjectLabels| that can be assigned to domains. For example, the
2895 virtual machine label \verb|CocaCola| (cf lines 56-64 in
2896 Figure~\ref{fig:acmxmlfileb}) associates the domain that carries it
2897 with the workload type \verb|CocaCola|.
2899 The \verb|bootstrap| attribute names the label
2900 \verb|SystemManagement|. Xen will assign this label to Domain0 at
2901 boot time. All other domains are assigned labels according to their
2902 domain configuration file (see
2903 Section~\ref{subsection:acmexamplelabeldomains} for examples of how to
2904 label domains). Lines 67-88 define the \verb|ObjectLabels|. Those
2905 labels can be assigned to resources when this policy is active.
2907 In general, user domains should be assigned labels that have only a
2908 single SimpleTypeEnforcement workload type. This way, workloads remain
2909 confined even if user domains become rogue. Any domain that is
2910 assigned a label with multiple STE types must be trusted to keep
2911 information belonging to the different STE types separate (confined).
2912 For example, Domain0 is assigned the bootstrap label
2913 \verb|SystemsManagement|, which includes all existing STE types.
2914 Therefore, Domain0 must take care not to enable unauthorized
2915 information flow (eg. through block devices or virtual networking)
2916 between domains or resources that are assigned different STE types.
2918 Security administrators simply use the name of a label (specified in
2919 the \verb|<Name>| field) to associate a label with a domain (cf.
2920 Section~\ref{subsection:acmexamplelabeldomains}). The types inside the
2921 label are used by the Xen access control enforcement. While the name
2922 can be arbitrarily chosen (as long as it is unique), it is advisable
2923 to choose the label name in accordance to the security types included.
2924 While the XML representation in the above label seems unnecessary
2925 flexible, labels in general can consist of multiple types as we will
2926 see in the following example.
2928 Assume that \verb|PepsiCo| and \verb|CocaCola| workloads use virtual
2929 disks that are provided by a virtual I/O domain hosting a physical
2930 storage device and carrying the following label:
2932 \begin{scriptsize}
2933 \begin{verbatim}
2934 <VirtualMachineLabel>
2935 <Name>VIO</Name>
2936 <SimpleTypeEnforcementTypes>
2937 <Type>CocaCola</Type>
2938 <Type>PepsiCo</Type>
2939 </SimpleTypeEnforcementTypes>
2940 <ChineseWallTypes>
2941 <Type>VIOServer</Type>
2942 </ChineseWallTypes>
2943 </VirtualMachineLabel>
2944 \end{verbatim}
2945 \end{scriptsize}
2947 This Virtual I/O domain (VIO) exports its virtualized disks by
2948 communicating both to domains labeled with the \verb|PepsiCo| label
2949 and domains labeled with the \verb|CocaCola| label. This requires the
2950 VIO domain to carry both the STE types \verb|CocaCola| and
2951 \verb|PepsiCo|. In this example, the confinement of \verb|CocaCola|
2952 and \verb|PepsiCo| workload depends on a VIO domain that must keep the
2953 data of those different workloads separate. The virtual disks are
2954 labeled as well (see Section~\ref{subsection:acmexamplelabelresources}
2955 for labeling resources) and enforcement functions inside the VIO
2956 domain must ensure that the labels of the domain mounting a virtual
2957 disk and the virtual disk label share a common STE type. The VIO label
2958 carrying its own VIOServer CHWALL type introduces the flexibility to
2959 permit the trusted VIO server to run together with CocaCola or PepsiCo
2960 workloads.
2962 Alternatively, a system that has two hard-drives does not need a VIO
2963 domain but can directly assign one hardware storage device to each of
2964 the workloads (if the platform offers an IO-MMU, cf
2965 Section~\ref{s:ddsecurity}. Sharing hardware through virtualization
2966 is a trade-off between the amount of trusted code (size of the trusted
2967 computing base) and the amount of acceptable over-provisioning. This
2968 holds both for peripherals and for system platforms.
2970 \subsection{Tools For Creating sHype/Xen Security Policies}
2971 To create a security policy for Xen, you can use one of the following
2972 tools:
2973 \begin{itemize}
2974 \item \verb|ezPolicy| GUI tool -- start writing policies
2975 \item \verb|xensec_gen| tool -- refine policies created with \verb|ezPolicy|
2976 \item text or XML editor
2977 \end{itemize}
2979 We use the \verb|ezPolicy| tool in
2980 Section~\ref{subsection:acmexamplecreate} to quickly create a workload
2981 protection policy. If desired, the resulting XML policy file can be
2982 loaded into the \verb|xensec_gen| tool to refine it. It can also be
2983 directly edited using an XML editor. Any XML policy file is verified
2984 against the security policy schema when it is translated (see
2985 Subsection~\ref{subsection:acmexampleinstall}).
2987 \section{Current Limitations}
2988 \label{section:acmlimitations}
2990 The sHype/ACM configuration for Xen is work in progress. There is
2991 ongoing work for protecting virtualized resources and planned and
2992 ongoing work for protecting access to remote resources and domains.
2993 The following sections describe limitations of some of the areas into
2994 which access control is being extended.
2996 \subsection{Network Traffic}
2997 Local and remote network traffic is currently not controlled.
2998 Solutions to add sHype/ACM policy enforcement to the virtual network
2999 exist but need to be discussed before they can become part of Xen.
3000 Subjecting external network traffic to the ACM security policy is work
3001 in progress. Manually setting up filters in domain 0 is required for
3002 now but does not scale well.
3004 \subsection{Resource Access and Usage Control}
3006 Enforcing the security policy across multiple hypervisor systems and
3007 on access to remote shared resources is work in progress. Extending
3008 access control to new types of resources is ongoing work (e.g. network
3009 storage).
3011 On a single Xen system, information about the association of resources
3012 and security labels is stored in
3013 \verb|/etc/xen/acm-security/policy/resource_labels|. This file relates
3014 a full resource path with a security label. This association is weak
3015 and will break if resources are moved or renamed without adapting the
3016 label file. Improving the protection of label-resource relationships
3017 is ongoing work.
3019 Controlling resource usage and enforcing resource limits in general is
3020 ongoing work in the Xen community.
3022 \subsection{Domain Migration}
3024 Labels on domains are enforced during domain migration and the
3025 destination hypervisor will ensure that the domain label is valid and
3026 the domain is permitted to run (considering the Chinese Wall policy
3027 rules) before it accepts the migration. However, the network between
3028 the source and destination hypervisor as well as both hypervisors must
3029 be trusted. Architectures and prototypes exist that both protect the
3030 network connection and ensure that the hypervisors enforce access
3031 control consistently but patches are not yet available for the main
3032 stream.
3034 \subsection{Covert Channels}
3036 The sHype access control aims at system independent security policies.
3037 It builds on top of the core hypervisor isolation. Any covert channels
3038 that exist in the core hypervisor or in the hardware (e.g., shared
3039 processor cache) will be inherited. If those covert channels are not
3040 the result of trade-offs between security and other system properties,
3041 then they are most effectively minimized or eliminated where they are
3042 caused. sHype offers however some means to mitigate their impact
3043 (cf. run-time exclusion rules).
3045 \part{Reference}
3047 %% Chapter Build and Boot Options
3048 \chapter{Build and Boot Options}
3050 This chapter describes the build- and boot-time options which may be
3051 used to tailor your Xen system.
3053 \section{Top-level Configuration Options}
3055 Top-level configuration is achieved by editing one of two
3056 files: \path{} and \path{Makefile}.
3058 The former allows the overall build target architecture to be
3059 specified. You will typically not need to modify this unless
3060 you are cross-compiling or if you wish to build a PAE-enabled
3061 Xen system. Additional configuration options are documented
3062 in the \path{} file.
3064 The top-level \path{Makefile} is chiefly used to customize the set of
3065 kernels built. Look for the line:
3066 \begin{quote}
3067 \begin{verbatim}
3068 KERNELS ?= linux-2.6-xen0 linux-2.6-xenU
3069 \end{verbatim}
3070 \end{quote}
3072 Allowable options here are any kernels which have a corresponding
3073 build configuration file in the \path{buildconfigs/} directory.
3077 \section{Xen Build Options}
3079 Xen provides a number of build-time options which should be set as
3080 environment variables or passed on make's command-line.
3082 \begin{description}
3083 \item[verbose=y] Enable debugging messages when Xen detects an
3084 unexpected condition. Also enables console output from all domains.
3085 \item[debug=y] Enable debug assertions. Implies {\bf verbose=y}.
3086 (Primarily useful for tracing bugs in Xen).
3087 \item[debugger=y] Enable the in-Xen debugger. This can be used to
3088 debug Xen, guest OSes, and applications.
3089 \item[perfc=y] Enable performance counters for significant events
3090 within Xen. The counts can be reset or displayed on Xen's console
3091 via console control keys.
3092 \end{description}
3095 \section{Xen Boot Options}
3096 \label{s:xboot}
3098 These options are used to configure Xen's behaviour at runtime. They
3099 should be appended to Xen's command line, either manually or by
3100 editing \path{grub.conf}.
3102 \begin{description}
3103 \item [ noreboot ] Don't reboot the machine automatically on errors.
3104 This is useful to catch debug output if you aren't catching console
3105 messages via the serial line.
3106 \item [ nosmp ] Disable SMP support. This option is implied by
3107 `ignorebiostables'.
3108 \item [ watchdog ] Enable NMI watchdog which can report certain
3109 failures.
3110 \item [ noirqbalance ] Disable software IRQ balancing and affinity.
3111 This can be used on systems such as Dell 1850/2850 that have
3112 workarounds in hardware for IRQ-routing issues.
3113 \item [ badpage=$<$page number$>$,$<$page number$>$, \ldots ] Specify
3114 a list of pages not to be allocated for use because they contain bad
3115 bytes. For example, if your memory tester says that byte 0x12345678
3116 is bad, you would place `badpage=0x12345' on Xen's command line.
3117 \item [ com1=$<$baud$>$,DPS,$<$io\_base$>$,$<$irq$>$
3118 com2=$<$baud$>$,DPS,$<$io\_base$>$,$<$irq$>$ ] \mbox{}\\
3119 Xen supports up to two 16550-compatible serial ports. For example:
3120 `com1=9600, 8n1, 0x408, 5' maps COM1 to a 9600-baud port, 8 data
3121 bits, no parity, 1 stop bit, I/O port base 0x408, IRQ 5. If some
3122 configuration options are standard (e.g., I/O base and IRQ), then
3123 only a prefix of the full configuration string need be specified. If
3124 the baud rate is pre-configured (e.g., by the bootloader) then you
3125 can specify `auto' in place of a numeric baud rate.
3126 \item [ console=$<$specifier list$>$ ] Specify the destination for Xen
3127 console I/O. This is a comma-separated list of, for example:
3128 \begin{description}
3129 \item[ vga ] Use VGA console (only until domain 0 boots, unless {\bf
3130 vga[keep] } is specified).
3131 \item[ com1 ] Use serial port com1.
3132 \item[ com2H ] Use serial port com2. Transmitted chars will have the
3133 MSB set. Received chars must have MSB set.
3134 \item[ com2L] Use serial port com2. Transmitted chars will have the
3135 MSB cleared. Received chars must have MSB cleared.
3136 \end{description}
3137 The latter two examples allow a single port to be shared by two
3138 subsystems (e.g.\ console and debugger). Sharing is controlled by
3139 MSB of each transmitted/received character. [NB. Default for this
3140 option is `com1,vga']
3141 \item [ sync\_console ] Force synchronous console output. This is
3142 useful if you system fails unexpectedly before it has sent all
3143 available output to the console. In most cases Xen will
3144 automatically enter synchronous mode when an exceptional event
3145 occurs, but this option provides a manual fallback.
3146 \item [ conswitch=$<$switch-char$><$auto-switch-char$>$ ] Specify how
3147 to switch serial-console input between Xen and DOM0. The required
3148 sequence is CTRL-$<$switch-char$>$ pressed three times. Specifying
3149 the backtick character disables switching. The
3150 $<$auto-switch-char$>$ specifies whether Xen should auto-switch
3151 input to DOM0 when it boots --- if it is `x' then auto-switching is
3152 disabled. Any other value, or omitting the character, enables
3153 auto-switching. [NB. Default switch-char is `a'.]
3154 \item [ nmi=xxx ]
3155 Specify what to do with an NMI parity or I/O error. \\
3156 `nmi=fatal': Xen prints a diagnostic and then hangs. \\
3157 `nmi=dom0': Inform DOM0 of the NMI. \\
3158 `nmi=ignore': Ignore the NMI.
3159 \item [ mem=xxx ] Set the physical RAM address limit. Any RAM
3160 appearing beyond this physical address in the memory map will be
3161 ignored. This parameter may be specified with a B, K, M or G suffix,
3162 representing bytes, kilobytes, megabytes and gigabytes respectively.
3163 The default unit, if no suffix is specified, is kilobytes.
3164 \item [ dom0\_mem=xxx ] Set the amount of memory to be allocated to
3165 domain0. In Xen 3.x the parameter may be specified with a B, K, M or
3166 G suffix, representing bytes, kilobytes, megabytes and gigabytes
3167 respectively; if no suffix is specified, the parameter defaults to
3168 kilobytes. In previous versions of Xen, suffixes were not supported
3169 and the value is always interpreted as kilobytes.
3170 \item [ tbuf\_size=xxx ] Set the size of the per-cpu trace buffers, in
3171 pages (default 0).
3172 \item [ sched=xxx ] Select the CPU scheduler Xen should use. The
3173 current possibilities are `credit' (default), `sedf', and `bvt'.
3174 \item [ apic\_verbosity=debug,verbose ] Print more detailed
3175 information about local APIC and IOAPIC configuration.
3176 \item [ lapic ] Force use of local APIC even when left disabled by
3177 uniprocessor BIOS.
3178 \item [ nolapic ] Ignore local APIC in a uniprocessor system, even if
3179 enabled by the BIOS.
3180 \item [ apic=bigsmp,default,es7000,summit ] Specify NUMA platform.
3181 This can usually be probed automatically.
3182 \end{description}
3184 In addition, the following options may be specified on the Xen command
3185 line. Since domain 0 shares responsibility for booting the platform,
3186 Xen will automatically propagate these options to its command line.
3187 These options are taken from Linux's command-line syntax with
3188 unchanged semantics.
3190 \begin{description}
3191 \item [ acpi=off,force,strict,ht,noirq,\ldots ] Modify how Xen (and
3192 domain 0) parses the BIOS ACPI tables.
3193 \item [ acpi\_skip\_timer\_override ] Instruct Xen (and domain~0) to
3194 ignore timer-interrupt override instructions specified by the BIOS
3195 ACPI tables.
3196 \item [ noapic ] Instruct Xen (and domain~0) to ignore any IOAPICs
3197 that are present in the system, and instead continue to use the
3198 legacy PIC.
3199 \end{description}
3202 \section{XenLinux Boot Options}
3204 In addition to the standard Linux kernel boot options, we support:
3205 \begin{description}
3206 \item[ xencons=xxx ] Specify the device node to which the Xen virtual
3207 console driver is attached. The following options are supported:
3208 \begin{center}
3209 \begin{tabular}{l}
3210 `xencons=off': disable virtual console \\
3211 `xencons=tty': attach console to /dev/tty1 (tty0 at boot-time) \\
3212 `xencons=ttyS': attach console to /dev/ttyS0
3213 \end{tabular}
3214 \end{center}
3215 The default is ttyS for dom0 and tty for all other domains.
3216 \end{description}
3219 %% Chapter Further Support
3220 \chapter{Further Support}
3222 If you have questions that are not answered by this manual, the
3223 sources of information listed below may be of interest to you. Note
3224 that bug reports, suggestions and contributions related to the
3225 software (or the documentation) should be sent to the Xen developers'
3226 mailing list (address below).
3229 \section{Other Documentation}
3231 For developers interested in porting operating systems to Xen, the
3232 \emph{Xen Interface Manual} is distributed in the \path{docs/}
3233 directory of the Xen source distribution.
3236 \section{Online References}
3238 The official Xen web site can be found at:
3239 \begin{quote} {\tt}
3240 \end{quote}
3242 This contains links to the latest versions of all online
3243 documentation, including the latest version of the FAQ.
3245 Information regarding Xen is also available at the Xen Wiki at
3246 \begin{quote} {\tt}\end{quote}
3247 The Xen project uses Bugzilla as its bug tracking system. You'll find
3248 the Xen Bugzilla at
3251 \section{Mailing Lists}
3253 There are several mailing lists that are used to discuss Xen related
3254 topics. The most widely relevant are listed below. An official page of
3255 mailing lists and subscription information can be found at \begin{quote}
3256 {\tt} \end{quote}
3258 \begin{description}
3259 \item[] Used for development
3260 discussions and bug reports. Subscribe at: \\
3261 {\small {\tt}}
3262 \item[] Used for installation and usage
3263 discussions and requests for help. Subscribe at: \\
3264 {\small {\tt}}
3265 \item[] Used for announcements only.
3266 Subscribe at: \\
3267 {\small {\tt}}
3268 \item[] Changelog feed
3269 from the unstable and 2.0 trees - developer oriented. Subscribe at: \\
3270 {\small {\tt}}
3271 \end{description}
3275 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
3277 \appendix
3279 \chapter{Unmodified (VMX) guest domains in Xen with Intel\textregistered Virtualization Technology (VT)}
3281 Xen supports guest domains running unmodified Guest operating systems using Virtualization Technology (VT) available on recent Intel Processors. More information about the Intel Virtualization Technology implementing Virtual Machine Extensions (VMX) in the processor is available on the Intel website at \\
3282 {\small {\tt}}
3284 \section{Building Xen with VT support}
3286 The following packages need to be installed in order to build Xen with VT support. Some Linux distributions do not provide these packages by default.
3288 \begin{tabular}{lp{11.0cm}}
3289 {\bfseries Package} & {\bfseries Description} \\
3291 dev86 & The dev86 package provides an assembler and linker for real mode 80x86 instructions. You need to have this package installed in order to build the BIOS code which runs in (virtual) real mode.
3293 If the dev86 package is not available on the x86\_64 distribution, you can install the i386 version of it. The dev86 rpm package for various distributions can be found at {\scriptsize {\tt\&submit=Search}} \\
3295 LibVNCServer & The unmodified guest's VGA display, keyboard, and mouse can be virtualized by the vncserver library. You can get the sources of libvncserver from {\small {\tt}}. Build and install the sources on the build system to get the libvncserver library. There is a significant performance degradation in 0.8 version. The current sources in the CVS tree have fixed this degradation. So it is highly recommended to download the latest CVS sources and install them.\\
3297 SDL-devel, SDL & Simple DirectMedia Layer (SDL) is another way of virtualizing the unmodified guest console. It provides an X window for the guest console.
3299 If the SDL and SDL-devel packages are not installed by default on the build system, they can be obtained from {\scriptsize {\tt\&amp;submit=Search}}
3300 , {\scriptsize {\tt\&submit=Search}} \\
3302 \end{tabular}
3304 \section{Configuration file for unmodified VMX guests}
3306 The Xen installation includes a sample configuration file, {\small {\tt /etc/xen/xmexample.vmx}}. There are comments describing all the options. In addition to the common options that are the same as those for paravirtualized guest configurations, VMX guest configurations have the following settings:
3308 \begin{tabular}{lp{11.0cm}}
3310 {\bfseries Parameter} & {\bfseries Description} \\
3312 kernel & The VMX firmware loader, {\small {\tt /usr/lib/xen/boot/vmxloader}}\\
3314 builder & The domain build function. The VMX domain uses the vmx builder.\\
3316 acpi & Enable VMX guest ACPI, default=0 (disabled)\\
3318 apic & Enable VMX guest APIC, default=0 (disabled)\\
3320 pae & Enable VMX guest PAE, default=0 (disabled)\\
3322 vif & Optionally defines MAC address and/or bridge for the network interfaces. Random MACs are assigned if not given. {\small {\tt type=ioemu}} means ioemu is used to virtualize the VMX NIC. If no type is specified, vbd is used, as with paravirtualized guests.\\
3324 disk & Defines the disk devices you want the domain to have access to, and what you want them accessible as. If using a physical device as the VMX guest's disk, each disk entry is of the form
3326 {\small {\tt phy:UNAME,ioemu:DEV,MODE,}}
3328 where UNAME is the device, DEV is the device name the domain will see, and MODE is r for read-only, w for read-write. ioemu means the disk will use ioemu to virtualize the VMX disk. If not adding ioemu, it uses vbd like paravirtualized guests.
3330 If using disk image file, its form should be like
3332 {\small {\tt file:FILEPATH,ioemu:DEV,MODE}}
3334 If using more than one disk, there should be a comma between each disk entry. For example:
3336 {\scriptsize {\tt disk = ['file:/var/images/image1.img,ioemu:hda,w', 'file:/var/images/image2.img,ioemu:hdb,w']}}\\
3338 cdrom & Disk image for CD-ROM. The default is {\small {\tt /dev/cdrom}} for Domain0. Inside the VMX domain, the CD-ROM will available as device {\small {\tt /dev/hdc}}. The entry can also point to an ISO file.\\
3340 boot & Boot from floppy (a), hard disk (c) or CD-ROM (d). For example, to boot from CD-ROM, the entry should be:
3342 boot='d'\\
3344 device\_model & The device emulation tool for VMX guests. This parameter should not be changed.\\
3346 sdl & Enable SDL library for graphics, default = 0 (disabled)\\
3348 vnc & Enable VNC library for graphics, default = 1 (enabled)\\
3350 vncviewer & Enable spawning of the vncviewer (only valid when vnc=1), default = 1 (enabled)
3352 If vnc=1 and vncviewer=0, user can use vncviewer to manually connect VMX from remote. For example:
3354 {\small {\tt vncviewer domain0\_IP\_address:VMX\_domain\_id}} \\
3356 ne2000 & Enable ne2000, default = 0 (disabled; use pcnet)\\
3358 serial & Enable redirection of VMX serial output to pty device\\
3360 \end{tabular}
3362 \begin{tabular}{lp{10cm}}
3364 usb & Enable USB support without defining a specific USB device.
3365 This option defaults to 0 (disabled) unless the option usbdevice is
3366 specified in which case this option then defaults to 1 (enabled).\\
3368 usbdevice & Enable USB support and also enable support for the given
3369 device. Devices that can be specified are {\small {\tt mouse}} (a PS/2 style
3370 mouse), {\small {\tt tablet}} (an absolute pointing device) and
3371 {\small {\tt host:id1:id2}} (a physical USB device on the host machine whose
3372 ids are {\small {\tt id1}} and {\small {\tt id2}}). The advantage
3373 of {\small {\tt tablet}} is that Windows guests will automatically recognize
3374 and support this device so specifying the config line
3376 {\small
3377 \begin{verbatim}
3378 usbdevice='tablet'
3379 \end{verbatim}
3382 will create a mouse that works transparently with Windows guests under VNC.
3383 Linux doesn't recognize the USB tablet yet so Linux guests under VNC will
3384 still need the Summagraphics emulation.
3385 Details about mouse emulation are provided in section \textbf{A.4.3}.\\
3387 localtime & Set the real time clock to local time [default=0, that is, set to UTC].\\
3389 enable-audio & Enable audio support. This is under development.\\
3391 full-screen & Start in full screen. This is under development.\\
3393 nographic & Another way to redirect serial output. If enabled, no 'sdl' or 'vnc' can work. Not recommended.\\
3395 \end{tabular}
3398 \section{Creating virtual disks from scratch}
3399 \subsection{Using physical disks}
3400 If you are using a physical disk or physical disk partition, you need to install a Linux OS on the disk first. Then the boot loader should be installed in the correct place. For example {\small {\tt dev/sda}} for booting from the whole disk, or {\small {\tt /dev/sda1}} for booting from partition 1.
3402 \subsection{Using disk image files}
3403 You need to create a large empty disk image file first; then, you need to install a Linux OS onto it. There are two methods you can choose. One is directly installing it using a VMX guest while booting from the OS installation CD-ROM. The other is copying an installed OS into it. The boot loader will also need to be installed.
3405 \subsubsection*{To create the image file:}
3406 The image size should be big enough to accommodate the entire OS. This example assumes the size is 1G (which is probably too small for most OSes).
3408 {\small {\tt \# dd if=/dev/zero of=hd.img bs=1M count=1 seek=1023}}
3410 \subsubsection*{To directly install Linux OS into an image file using a VMX guest:}
3412 Install Xen and create VMX with the original image file with booting from CD-ROM. Then it is just like a normal Linux OS installation. The VMX configuration file should have these two entries before creating:
3414 {\small {\tt cdrom='/dev/cdrom'
3415 boot='d'}}
3417 If this method does not succeed, you can choose the following method of copying an installed Linux OS into an image file.
3419 \subsubsection*{To copy a installed OS into an image file:}
3420 Directly installing is an easier way to make partitions and install an OS in a disk image file. But if you want to create a specific OS in your disk image, then you will most likely want to use this method.
3422 \begin{enumerate}
3423 \item {\bfseries Install a normal Linux OS on the host machine}\\
3424 You can choose any way to install Linux, such as using yum to install Red Hat Linux or YAST to install Novell SuSE Linux. The rest of this example assumes the Linux OS is installed in {\small {\tt /var/guestos/}}.
3426 \item {\bfseries Make the partition table}\\
3427 The image file will be treated as hard disk, so you should make the partition table in the image file. For example:
3429 {\scriptsize {\tt \# losetup /dev/loop0 hd.img\\
3430 \# fdisk -b 512 -C 4096 -H 16 -S 32 /dev/loop0\\
3431 press 'n' to add new partition\\
3432 press 'p' to choose primary partition\\
3433 press '1' to set partition number\\
3434 press "Enter" keys to choose default value of "First Cylinder" parameter.\\
3435 press "Enter" keys to choose default value of "Last Cylinder" parameter.\\
3436 press 'w' to write partition table and exit\\
3437 \# losetup -d /dev/loop0}}
3439 \item {\bfseries Make the file system and install grub}\\
3440 {\scriptsize {\tt \# ln -s /dev/loop0 /dev/loop\\
3441 \# losetup /dev/loop0 hd.img\\
3442 \# losetup -o 16384 /dev/loop1 hd.img\\
3443 \# mkfs.ext3 /dev/loop1\\
3444 \# mount /dev/loop1 /mnt\\
3445 \# mkdir -p /mnt/boot/grub\\
3446 \# cp /boot/grub/stage* /boot/grub/e2fs\_stage1\_5 /mnt/boot/grub\\
3447 \# umount /mnt\\
3448 \# grub\\
3449 grub> device (hd0) /dev/loop\\
3450 grub> root (hd0,0)\\
3451 grub> setup (hd0)\\
3452 grub> quit\\
3453 \# rm /dev/loop\\
3454 \# losetup -d /dev/loop0\\
3455 \# losetup -d /dev/loop1}}
3457 The {\small {\tt losetup}} option {\small {\tt -o 16384}} skips the partition table in the image file. It is the number of sectors times 512. We need {\small {\tt /dev/loop}} because grub is expecting a disk device \emph{name}, where \emph{name} represents the entire disk and \emph{name1} represents the first partition.
3459 \item {\bfseries Copy the OS files to the image}\\
3460 If you have Xen installed, you can easily use {\small {\tt lomount}} instead of {\small {\tt losetup}} and {\small {\tt mount}} when coping files to some partitions. {\small {\tt lomount}} just needs the partition information.
3462 {\scriptsize {\tt \# lomount -t ext3 -diskimage hd.img -partition 1 /mnt/guest\\
3463 \# cp -ax /var/guestos/\{root,dev,var,etc,usr,bin,sbin,lib\} /mnt/guest\\
3464 \# mkdir /mnt/guest/\{proc,sys,home,tmp\}}}
3466 \item {\bfseries Edit the {\small {\tt /etc/fstab}} of the guest image}\\
3467 The fstab should look like this:
3469 {\scriptsize {\tt \# vim /mnt/guest/etc/fstab\\
3470 /dev/hda1 / ext3 defaults 1 1\\
3471 none /dev/pts devpts gid=5,mode=620 0 0\\
3472 none /dev/shm tmpfs defaults 0 0\\
3473 none /proc proc defaults 0 0\\
3474 none /sys sysfs efaults 0 0}}
3476 \item {\bfseries umount the image file}\\
3477 {\small {\tt \# umount /mnt/guest}}
3478 \end{enumerate}
3480 Now, the guest OS image {\small {\tt hd.img}} is ready. You can also reference {\small {\tt}} for quickstart images. But make sure to install the boot loader.
3482 \subsection{Install Windows into an Image File using a VMX guest}
3483 In order to install a Windows OS, you should keep {\small {\tt acpi=0}} in your VMX configuration file.
3485 \section{VMX Guests}
3486 \subsection{Editing the Xen VMX config file}
3487 Make a copy of the example VMX configuration file {\small {\tt /etc/xen/xmeaxmple.vmx}} and edit the line that reads
3489 {\small {\tt disk = [ 'file:/var/images/\emph{guest.img},ioemu:hda,w' ]}}
3491 replacing \emph{guest.img} with the name of the guest OS image file you just made.
3493 \subsection{Creating VMX guests}
3494 Simply follow the usual method of creating the guest, using the -f parameter and providing the filename of your VMX configuration file:\\
3496 {\small {\tt \# xend start\\
3497 \# xm create /etc/xen/vmxguest.vmx}}
3499 In the default configuration, VNC is on and SDL is off. Therefore VNC windows will open when VMX guests are created. If you want to use SDL to create VMX guests, set {\small {\tt sdl=1}} in your VMX configuration file. You can also turn off VNC by setting {\small {\tt vnc=0}}.
3501 \subsection{Mouse issues, especially under VNC}
3502 Mouse handling when using VNC is a little problematic.
3503 The problem is that the VNC viewer provides a virtual pointer which is
3504 located at an absolute location in the VNC window and only absolute
3505 coordinates are provided.
3506 The VMX device model converts these absolute mouse coordinates
3507 into the relative motion deltas that are expected by the PS/2
3508 mouse driver running in the guest.
3509 Unfortunately,
3510 it is impossible to keep these generated mouse deltas
3511 accurate enough for the guest cursor to exactly match
3512 the VNC pointer.
3513 This can lead to situations where the guest's cursor
3514 is in the center of the screen and there's no way to
3515 move that cursor to the left
3516 (it can happen that the VNC pointer is at the left
3517 edge of the screen and,
3518 therefore,
3519 there are no longer any left mouse deltas that
3520 can be provided by the device model emulation code.)
3522 To deal with these mouse issues there are 4 different
3523 mouse emulations available from the VMX device model:
3525 \begin{description}
3526 \item[PS/2 mouse over the PS/2 port.]
3527 This is the default mouse
3528 that works perfectly well under SDL.
3529 Under VNC the guest cursor will get
3530 out of sync with the VNC pointer.
3531 When this happens you can re-synchronize
3532 the guest cursor to the VNC pointer by
3533 holding down the
3534 \textbf{left-ctl}
3535 and
3536 \textbf{left-alt}
3537 keys together.
3538 While these keys are down VNC pointer motions
3539 will not be reported to the guest so
3540 that the VNC pointer can be moved
3541 to a place where it is possible
3542 to move the guest cursor again.
3544 \item[Summagraphics mouse over the serial port.]
3545 The device model also provides emulation
3546 for a Summagraphics tablet,
3547 an absolute pointer device.
3548 This emulation is provided over the second
3549 serial port,
3550 \textbf{/dev/ttyS1}
3551 for Linux guests and
3552 \textbf{COM2}
3553 for Windows guests.
3554 Unfortunately,
3555 neither Linux nor Windows provides
3556 default support for the Summagraphics
3557 tablet so the guest will have to be
3558 manually configured for this mouse.
3560 \textbf{Linux configuration.}
3562 First,
3563 configure the GPM service to use the Summagraphics tablet.
3564 This can vary between distributions but,
3565 typically,
3566 all that needs to be done is modify the file
3567 \path{/etc/sysconfig/mouse} to contain the lines:
3569 {\small
3570 \begin{verbatim}
3571 MOUSETYPE="summa"
3573 DEVICE=/dev/ttyS1
3574 \end{verbatim}
3577 and then restart the GPM daemon.
3579 Next,
3580 modify the X11 config
3581 \path{/etc/X11/xorg.conf}
3582 to support the Summgraphics tablet by replacing
3583 the input device stanza with the following:
3585 {\small
3586 \begin{verbatim}
3587 Section "InputDevice"
3588 Identifier "Mouse0"
3589 Driver "summa"
3590 Option "Device" "/dev/ttyS1"
3591 Option "InputFashion" "Tablet"
3592 Option "Mode" "Absolute"
3593 Option "Name" "EasyPen"
3594 Option "Compatible" "True"
3595 Option "Protocol" "Auto"
3596 Option "SendCoreEvents" "on"
3597 Option "Vendor" "GENIUS"
3598 EndSection
3599 \end{verbatim}
3602 Restart X and the X cursor should now properly
3603 track the VNC pointer.
3606 \textbf{Windows configuration.}
3608 Get the file
3609 \path{}
3610 and execute that file on the guest,
3611 answering the questions as follows:
3613 \begin{enumerate}
3614 \item When the program asks for \textbf{model},
3615 scroll down and selese \textbf{SummaSketch (MM Compatible)}.
3617 \item When the program asks for \textbf{COM Port} specify \textbf{com2}.
3619 \item When the programs asks for a \textbf{Cursor Type} specify
3620 \textbf{4 button cursor/puck}.
3622 \item The guest system will then reboot and,
3623 when it comes back up,
3624 the guest cursor will now properly track
3625 the VNC pointer.
3626 \end{enumerate}
3628 \item[PS/2 mouse over USB port.]
3629 This is just the same PS/2 emulation except it is
3630 provided over a USB port.
3631 This emulation is enabled by the configuration flag:
3632 {\small
3633 \begin{verbatim}
3634 usbdevice='mouse'
3635 \end{verbatim}
3638 \item[USB tablet over USB port.]
3639 The USB tablet is an absolute pointing device
3640 that has the advantage that it is automatically
3641 supported under Windows guests,
3642 although Linux guests still require some
3643 manual configuration.
3644 This mouse emulation is enabled by the
3645 configuration flag:
3646 {\small
3647 \begin{verbatim}
3648 usbdevice='tablet'
3649 \end{verbatim}
3652 \textbf{Linux configuration.}
3654 Unfortunately,
3655 there is no GPM support for the
3656 USB tablet at this point in time.
3657 If you intend to use a GPM pointing
3658 device under VNC you should
3659 configure the guest for Summagraphics
3660 emulation.
3662 Support for X11 is available by following
3663 the instructions at\\
3664 \verb+\\
3665 with one minor change.
3666 The
3667 \path{xorg.conf}
3668 given in those instructions
3669 uses the wrong values for the X \& Y minimums and maximums,
3670 use the following config stanza instead:
3672 {\small
3673 \begin{verbatim}
3674 Section "InputDevice"
3675 Identifier "Tablet"
3676 Driver "evtouch"
3677 Option "Device" "/dev/input/event2"
3678 Option "DeviceName" "touchscreen"
3679 Option "MinX" "0"
3680 Option "MinY" "0"
3681 Option "MaxX" "32256"
3682 Option "MaxY" "32256"
3683 Option "ReportingMode" "Raw"
3684 Option "Emulate3Buttons"
3685 Option "Emulate3Timeout" "50"
3686 Option "SendCoreEvents" "On"
3687 EndSection
3688 \end{verbatim}
3691 \textbf{Windows configuration.}
3693 Just enabling the USB tablet in the
3694 guest's configuration file is sufficient,
3695 Windows will automatically recognize and
3696 configure device drivers for this
3697 pointing device.
3699 \end{description}
3701 \subsection{USB Support}
3702 There is support for an emulated USB mouse,
3703 an emulated USB tablet
3704 and physical low speed USB devices
3705 (support for high speed USB 2.0 devices is
3706 still under development).
3708 \begin{description}
3709 \item[USB PS/2 style mouse.]
3710 Details on the USB mouse emulation are
3711 given in sections
3712 \textbf{A.2}
3713 and
3714 \textbf{A.4.3}.
3715 Enabling USB PS/2 style mouse emulation
3716 is just a matter of adding the line
3718 {\small
3719 \begin{verbatim}
3720 usbdevice='mouse'
3721 \end{verbatim}
3724 to the configuration file.
3725 \item[USB tablet.]
3726 Details on the USB tablet emulation are
3727 given in sections
3728 \textbf{A.2}
3729 and
3730 \textbf{A.4.3}.
3731 Enabling USB tablet emulation
3732 is just a matter of adding the line
3734 {\small
3735 \begin{verbatim}
3736 usbdevice='tablet'
3737 \end{verbatim}
3740 to the configuration file.
3741 \item[USB physical devices.]
3742 Access to a physical (low speed) USB device
3743 is enabled by adding a line of the form
3745 {\small
3746 \begin{verbatim}
3747 usbdevice='host:vid:pid'
3748 \end{verbatim}
3751 into the the configuration file.\footnote{
3752 There is an alternate
3753 way of specifying a USB device that
3754 uses the syntax
3755 \textbf{host:bus.addr}
3756 but this syntax suffers from
3757 a major problem that makes
3758 it effectively useless.
3759 The problem is that the
3760 \textbf{addr}
3761 portion of this address
3762 changes every time the USB device
3763 is plugged into the system.
3764 For this reason this addressing
3765 scheme is not recommended and
3766 will not be documented further.
3768 \textbf{vid}
3769 and
3770 \textbf{pid}
3771 are a
3772 product id and
3773 vendor id
3774 that uniquely identify
3775 the USB device.
3776 These ids can be identified
3777 in two ways:
3779 \begin{enumerate}
3780 \item Through the control window.
3781 As described in section
3782 \textbf{A.4.6}
3783 the control window
3784 is activated by pressing
3785 \textbf{ctl-alt-2}
3786 in the guest VGA window.
3787 As long as USB support is
3788 enabled in the guest by including
3789 the config file line
3790 {\small
3791 \begin{verbatim}
3792 usb=1
3793 \end{verbatim}
3795 then executing the command
3796 {\small
3797 \begin{verbatim}
3798 info usbhost
3799 \end{verbatim}
3801 in the control window
3802 will display a list of all
3803 usb devices and their ids.
3804 For example,
3805 this output:
3806 {\small
3807 \begin{verbatim}
3808 Device 1.3, speed 1.5 Mb/s
3809 Class 00: USB device 04b3:310b
3810 \end{verbatim}
3812 was created from a USB mouse with
3813 vendor id
3814 \textbf{04b3}
3815 and product id
3816 \textbf{310b}.
3817 This device could be made available
3818 to the VMX guest by including the
3819 config file entry
3820 {\small
3821 \begin{verbatim}
3822 usbdevice='host:04be:310b'
3823 \end{verbatim}
3826 It is also possible to
3827 enable access to a USB
3828 device dynamically through
3829 the control window.
3830 The control window command
3831 {\small
3832 \begin{verbatim}
3833 usb_add host:vid:pid
3834 \end{verbatim}
3836 will also allow access to a
3837 USB device with vendor id
3838 \textbf{vid}
3839 and product id
3840 \textbf{pid}.
3841 \item Through the
3842 \path{/proc} file system.
3843 The contents of the pseudo file
3844 \path{/proc/bus/usb/devices}
3845 can also be used to identify
3846 vendor and product ids.
3847 Looking at this file,
3848 the line starting with
3849 \textbf{P:}
3850 has a field
3851 \textbf{Vendor}
3852 giving the vendor id and
3853 another field
3854 \textbf{ProdID}
3855 giving the product id.
3856 The contents of
3857 \path{/proc/bus/usb/devices}
3858 for the example mouse is as
3859 follows:
3860 {\small
3861 \begin{verbatim}
3862 T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=1.5 MxCh= 0
3863 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
3864 P: Vendor=04b3 ProdID=310b Rev= 1.60
3865 C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=100mA
3866 I: If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=02 Driver=(none)
3867 E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=10ms
3868 \end{verbatim}
3870 Note that the
3871 \textbf{P:}
3872 line correctly identifies the
3873 vendor id and product id
3874 for this mouse as
3875 \textbf{04b3:310b}.
3876 \end{enumerate}
3877 There is one other issue to
3878 be aware of when accessing a
3879 physical USB device from the guest.
3880 The Dom0 kernel must not have
3881 a device driver loaded for
3882 the device that the guest wishes
3883 to access.
3884 This means that the Dom0
3885 kernel must not have that
3886 device driver compiled into
3887 the kernel or,
3888 if using modules,
3889 that driver module must
3890 not be loaded.
3891 Note that this is the device
3892 specific USB driver that must
3893 not be loaded,
3894 either the
3895 \textbf{UHCI}
3896 or
3897 \textbf{OHCI}
3898 USB controller driver must
3899 still be loaded.
3901 Going back to the USB mouse
3902 as an example,
3903 if \textbf{lsmod}
3904 gives the output:
3906 {\small
3907 \begin{verbatim}
3908 Module Size Used by
3909 usbmouse 4128 0
3910 usbhid 28996 0
3911 uhci_hcd 35409 0
3912 \end{verbatim}
3915 then the USB mouse is being
3916 used by the Dom0 kernel and is
3917 not available to the guest.
3918 Executing the command
3919 \textbf{rmmod usbhid}\footnote{
3920 Turns out the
3921 \textbf{usbhid}
3922 driver is the significant
3923 one for the USB mouse,
3924 the presence or absence of
3925 the module
3926 \textbf{usbmouse}
3927 has no effect on whether or
3928 not the guest can see a USB mouse.}
3929 will remove the USB mouse
3930 driver from the Dom0 kernel
3931 and the mouse will now be
3932 accessible by the VMX guest.
3934 Be aware the the Linux USB
3935 hotplug system will reload
3936 the drivers if a USB device
3937 is removed and plugged back
3938 in.
3939 This means that just unloading
3940 the driver module might not
3941 be sufficient if the USB device
3942 is removed and added back.
3943 A more reliable technique is
3944 to first
3945 \textbf{rmmod}
3946 the driver and then rename the
3947 driver file in the
3948 \path{/lib/modules}
3949 directory,
3950 just to make sure it doesn't get
3951 reloaded.
3952 \end{description}
3954 \subsection{Destroy VMX guests}
3955 VMX guests can be destroyed in the same way as can paravirtualized guests. We recommend that you type the command
3957 {\small {\tt poweroff}}
3959 in the VMX guest's console first to prevent data loss. Then execute the command
3961 {\small {\tt xm destroy \emph{vmx\_guest\_id} }}
3963 at the Domain0 console.
3965 \subsection{VMX window (X or VNC) Hot Key}
3966 If you are running in the X environment after creating a VMX guest, an X window is created. There are several hot keys for control of the VMX guest that can be used in the window.
3968 {\bfseries Ctrl+Alt+2} switches from guest VGA window to the control window. Typing {\small {\tt help }} shows the control commands help. For example, 'q' is the command to destroy the VMX guest.\\
3969 {\bfseries Ctrl+Alt+1} switches back to VMX guest's VGA.\\
3970 {\bfseries Ctrl+Alt+3} switches to serial port output. It captures serial output from the VMX guest. It works only if the VMX guest was configured to use the serial port. \\
3972 \subsection{Save/Restore and Migration}
3973 VMX guests currently cannot be saved and restored, nor migrated. These features are currently under active development.
3975 \chapter{Vnets - Domain Virtual Networking}
3977 Xen optionally supports virtual networking for domains using {\em vnets}.
3978 These emulate private LANs that domains can use. Domains on the same
3979 vnet can be hosted on the same machine or on separate machines, and the
3980 vnets remain connected if domains are migrated. Ethernet traffic
3981 on a vnet is tunneled inside IP packets on the physical network. A vnet is a virtual
3982 network and addressing within it need have no relation to addressing on
3983 the underlying physical network. Separate vnets, or vnets and the physical network,
3984 can be connected using domains with more than one network interface and
3985 enabling IP forwarding or bridging in the usual way.
3987 Vnet support is included in \texttt{xm} and \xend:
3988 \begin{verbatim}
3989 # xm vnet-create <config>
3990 \end{verbatim}
3991 creates a vnet using the configuration in the file \verb|<config>|.
3992 When a vnet is created its configuration is stored by \xend and the vnet persists until it is
3993 deleted using
3994 \begin{verbatim}
3995 # xm vnet-delete <vnetid>
3996 \end{verbatim}
3997 The vnets \xend knows about are listed by
3998 \begin{verbatim}
3999 # xm vnet-list
4000 \end{verbatim}
4001 More vnet management commands are available using the
4002 \texttt{vn} tool included in the vnet distribution.
4004 The format of a vnet configuration file is
4005 \begin{verbatim}
4006 (vnet (id <vnetid>)
4007 (bridge <bridge>)
4008 (vnetif <vnet interface>)
4009 (security <level>))
4010 \end{verbatim}
4011 White space is not significant. The parameters are:
4012 \begin{itemize}
4013 \item \verb|<vnetid>|: vnet id, the 128-bit vnet identifier. This can be given
4014 as 8 4-digit hex numbers separated by colons, or in short form as a single 4-digit hex number.
4015 The short form is the same as the long form with the first 7 fields zero.
4016 Vnet ids must be non-zero and id 1 is reserved.
4018 \item \verb|<bridge>|: the name of a bridge interface to create for the vnet. Domains
4019 are connected to the vnet by connecting their virtual interfaces to the bridge.
4020 Bridge names are limited to 14 characters by the kernel.
4022 \item \verb|<vnetif>|: the name of the virtual interface onto the vnet (optional). The
4023 interface encapsulates and decapsulates vnet traffic for the network and is attached
4024 to the vnet bridge. Interface names are limited to 14 characters by the kernel.
4026 \item \verb|<level>|: security level for the vnet (optional). The level may be one of
4027 \begin{itemize}
4028 \item \verb|none|: no security (default). Vnet traffic is in clear on the network.
4029 \item \verb|auth|: authentication. Vnet traffic is authenticated using IPSEC
4030 ESP with hmac96.
4031 \item \verb|conf|: confidentiality. Vnet traffic is authenticated and encrypted
4032 using IPSEC ESP with hmac96 and AES-128.
4033 \end{itemize}
4034 Authentication and confidentiality are experimental and use hard-wired keys at present.
4035 \end{itemize}
4036 When a vnet is created its configuration is stored by \xend and the vnet persists until it is
4037 deleted using \texttt{xm vnet-delete <vnetid>}. The interfaces and bridges used by vnets
4038 are visible in the output of \texttt{ifconfig} and \texttt{brctl show}.
4040 \section{Example}
4041 If the file \path{vnet97.sxp} contains
4042 \begin{verbatim}
4043 (vnet (id 97) (bridge vnet97) (vnetif vnif97)
4044 (security none))
4045 \end{verbatim}
4046 Then \texttt{xm vnet-create vnet97.sxp} will define a vnet with id 97 and no security.
4047 The bridge for the vnet is called vnet97 and the virtual interface for it is vnif97.
4048 To add an interface on a domain to this vnet set its bridge to vnet97
4049 in its configuration. In Python:
4050 \begin{verbatim}
4051 vif="bridge=vnet97"
4052 \end{verbatim}
4053 In sxp:
4054 \begin{verbatim}
4055 (dev (vif (mac aa:00:00:01:02:03) (bridge vnet97)))
4056 \end{verbatim}
4057 Once the domain is started you should see its interface in the output of \texttt{brctl show}
4058 under the ports for \texttt{vnet97}.
4060 To get best performance it is a good idea to reduce the MTU of a domain's interface
4061 onto a vnet to 1400. For example using \texttt{ifconfig eth0 mtu 1400} or putting
4062 \texttt{MTU=1400} in \texttt{ifcfg-eth0}.
4063 You may also have to change or remove cached config files for eth0 under
4064 \texttt{/etc/sysconfig/networking}. Vnets work anyway, but performance can be reduced
4065 by IP fragmentation caused by the vnet encapsulation exceeding the hardware MTU.
4067 \section{Installing vnet support}
4068 Vnets are implemented using a kernel module, which needs to be loaded before
4069 they can be used. You can either do this manually before starting \xend, using the
4070 command \texttt{vn insmod}, or configure \xend to use the \path{network-vnet}
4071 script in the xend configuration file \texttt{/etc/xend/xend-config.sxp}:
4072 \begin{verbatim}
4073 (network-script network-vnet)
4074 \end{verbatim}
4075 This script insmods the module and calls the \path{network-bridge} script.
4077 The vnet code is not compiled and installed by default.
4078 To compile the code and install on the current system
4079 use \texttt{make install} in the root of the vnet source tree,
4080 \path{tools/vnet}. It is also possible to install to an installation
4081 directory using \texttt{make dist}. See the \path{Makefile} in
4082 the source for details.
4084 The vnet module creates vnet interfaces \texttt{vnif0002},
4085 \texttt{vnif0003} and \texttt{vnif0004} by default. You can test that
4086 vnets are working by configuring IP addresses on these interfaces
4087 and trying to ping them across the network. For example, using machines
4088 hostA and hostB:
4089 \begin{verbatim}
4090 hostA# ifconfig vnif0004 up
4091 hostB# ifconfig vnif0004 up
4092 hostB# ping
4093 \end{verbatim}
4095 The vnet implementation uses IP multicast to discover vnet interfaces, so
4096 all machines hosting vnets must be reachable by multicast. Network switches
4097 are often configured not to forward multicast packets, so this often
4098 means that all machines using a vnet must be on the same LAN segment,
4099 unless you configure vnet forwarding.
4101 You can test multicast coverage by pinging the vnet multicast address:
4102 \begin{verbatim}
4103 # ping -b
4104 \end{verbatim}
4105 You should see replies from all machines with the vnet module running.
4106 You can see if vnet packets are being sent or received by dumping traffic
4107 on the vnet UDP port:
4108 \begin{verbatim}
4109 # tcpdump udp port 1798
4110 \end{verbatim}
4112 If multicast is not being forwaded between machines you can configure
4113 multicast forwarding using vn. Suppose we have machines hostA on
4114 and hostB on and that multicast is not forwarded between them.
4115 We use vn to configure each machine to forward to the other:
4116 \begin{verbatim}
4117 hostA# vn peer-add hostB
4118 hostB# vn peer-add hostA
4119 \end{verbatim}
4120 Multicast forwarding needs to be used carefully - you must avoid creating forwarding
4121 loops. Typically only one machine on a subnet needs to be configured to forward,
4122 as it will forward multicasts received from other machines on the subnet.
4124 %% Chapter Glossary of Terms moved to glossary.tex
4125 \chapter{Glossary of Terms}
4127 \begin{description}
4129 \item[BVT] The BVT scheduler is used to give proportional fair shares
4130 of the CPU to domains.
4132 \item[Domain] A domain is the execution context that contains a
4133 running {\bf virtual machine}. The relationship between virtual
4134 machines and domains on Xen is similar to that between programs and
4135 processes in an operating system: a virtual machine is a persistent
4136 entity that resides on disk (somewhat like a program). When it is
4137 loaded for execution, it runs in a domain. Each domain has a {\bf
4138 domain ID}.
4140 \item[Domain 0] The first domain to be started on a Xen machine.
4141 Domain 0 is responsible for managing the system.
4143 \item[Domain ID] A unique identifier for a {\bf domain}, analogous to
4144 a process ID in an operating system.
4146 \item[Full virtualization] An approach to virtualization which
4147 requires no modifications to the hosted operating system, providing
4148 the illusion of a complete system of real hardware devices.
4150 \item[Hypervisor] An alternative term for {\bf VMM}, used because it
4151 means `beyond supervisor', since it is responsible for managing
4152 multiple `supervisor' kernels.
4154 \item[Live migration] A technique for moving a running virtual machine
4155 to another physical host, without stopping it or the services
4156 running on it.
4158 \item[Paravirtualization] An approach to virtualization which requires
4159 modifications to the operating system in order to run in a virtual
4160 machine. Xen uses paravirtualization but preserves binary
4161 compatibility for user space applications.
4163 \item[Shadow pagetables] A technique for hiding the layout of machine
4164 memory from a virtual machine's operating system. Used in some {\bf
4165 VMMs} to provide the illusion of contiguous physical memory, in
4166 Xen this is used during {\bf live migration}.
4168 \item[Virtual Block Device] Persistant storage available to a virtual
4169 machine, providing the abstraction of an actual block storage device.
4170 {\bf VBD}s may be actual block devices, filesystem images, or
4171 remote/network storage.
4173 \item[Virtual Machine] The environment in which a hosted operating
4174 system runs, providing the abstraction of a dedicated machine. A
4175 virtual machine may be identical to the underlying hardware (as in
4176 {\bf full virtualization}, or it may differ, as in {\bf
4177 paravirtualization}).
4179 \item[VMM] Virtual Machine Monitor - the software that allows multiple
4180 virtual machines to be multiplexed on a single physical machine.
4182 \item[Xen] Xen is a paravirtualizing virtual machine monitor,
4183 developed primarily by the Systems Research Group at the University
4184 of Cambridge Computer Laboratory.
4186 \item[XenLinux] A name for the port of the Linux kernel that
4187 runs on Xen.
4189 \end{description}
4192 \end{document}
4195 %% Other stuff without a home
4197 %% Instructions Re Python API
4199 %% Other Control Tasks using Python
4200 %% ================================
4202 %% A Python module 'Xc' is installed as part of the tools-install
4203 %% process. This can be imported, and an 'xc object' instantiated, to
4204 %% provide access to privileged command operations:
4206 %% # import Xc
4207 %% # xc =
4208 %% # dir(xc)
4209 %% # help(xc.domain_create)
4211 %% In this way you can see that the class 'xc' contains useful
4212 %% documentation for you to consult.
4214 %% A further package of useful routines (xenctl) is also installed:
4216 %% # import xenctl.utils
4217 %% # help(xenctl.utils)
4219 %% You can use these modules to write your own custom scripts or you
4220 %% can customise the scripts supplied in the Xen distribution.
4224 % Explain about AGP GART
4227 %% If you're not intending to configure the new domain with an IP
4228 %% address on your LAN, then you'll probably want to use NAT. The
4229 %% 'xen_nat_enable' installs a few useful iptables rules into domain0
4230 %% to enable NAT. [NB: We plan to support RSIP in future]
4234 %% Installing the file systems from the CD
4235 %% =======================================
4237 %% If you haven't got an existing Linux installation onto which you
4238 %% can just drop down the Xen and Xenlinux images, then the file
4239 %% systems on the CD provide a quick way of doing an install. However,
4240 %% you would be better off in the long run doing a proper install of
4241 %% your preferred distro and installing Xen onto that, rather than
4242 %% just doing the hack described below:
4244 %% Choose one or two partitions, depending on whether you want a
4245 %% separate /usr or not. Make file systems on it/them e.g.:
4246 %% mkfs -t ext3 /dev/hda3
4247 %% [or mkfs -t ext2 /dev/hda3 && tune2fs -j /dev/hda3 if using an old
4248 %% version of mkfs]
4250 %% Next, mount the file system(s) e.g.:
4251 %% mkdir /mnt/root && mount /dev/hda3 /mnt/root
4252 %% [mkdir /mnt/usr && mount /dev/hda4 /mnt/usr]
4254 %% To install the root file system, simply untar /usr/XenDemoCD/root.tar.gz:
4255 %% cd /mnt/root && tar -zxpf /usr/XenDemoCD/root.tar.gz
4257 %% You'll need to edit /mnt/root/etc/fstab to reflect your file system
4258 %% configuration. Changing the password file (etc/shadow) is probably a
4259 %% good idea too.
4261 %% To install the usr file system, copy the file system from CD on
4262 %% /usr, though leaving out the "XenDemoCD" and "boot" directories:
4263 %% cd /usr && cp -a X11R6 etc java libexec root src bin dict kerberos
4264 %% local sbin tmp doc include lib man share /mnt/usr
4266 %% If you intend to boot off these file systems (i.e. use them for
4267 %% domain 0), then you probably want to copy the /usr/boot
4268 %% directory on the cd over the top of the current symlink to /boot
4269 %% on your root filesystem (after deleting the current symlink)
4270 %% i.e.:
4271 %% cd /mnt/root ; rm boot ; cp -a /usr/boot .