WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Xen
Home Products Support Community News

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
<prev [Thread] next>

Re: [Xen-users] domU kernel

from [Steve Wray] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] domU kernel
From: Steve Wray <steve.wray@xxxxxxxxx>
Date: 2007年10月15日 13:17:06 +1300
Delivery-date: 2007年10月14日 17:17:49 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20071012045437.GA25878@xxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <470EF48A.5070601@xxxxxxxxxxx> <20071012045437.GA25878@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (Macintosh/20070728) 
Christian Horn wrote:

On Fri, Oct 12, 2007 at 12:14:02AM -0400, IDAGroup - R.W.Muller wrote:
Hi, I found lots of threads where people talk about domU kernel sitting in /boot of dom0. The only kernel I can see there is the one the machine and dom0 booted from (vmlinuz-2.6.18-8.el5xen) 
Two places are common:
- domU-kernel placed on dom0-filesystem directly, 'kernel' option in xen-
 config for the domU is used then. Only possible for paravirt-domU.
 pros: - kernel is directly reachable from dom0
cons: - domU depends on files outside of its disc-image, so you have to keep an eye of what domU uses what kernel-file 
 - on upgrading the domU-kernel is a bit more complicated, keep
 kernel, maybe existing initrd and modules-directory in sync
- domU-kernel placed inside the domU-diskimage. Works for both HVM and
 paravirt-domU. One sees mostly this nowadays. Kernel is located/booted
 by pygrub (or a script mounting the partition, making a copy of the
 kernel inside to dom0, and starting it then)
 pros: - easy updating, i.e. just 'yum update' from the domU updates the
 kernel, initrd, modules and kernel is booted on next domU-boot

You forgot the con.
cons: Security. You now have a domU in which a local exploit could result in code being executed in dom0 at the next boot of that domU. By the way, this actually happened. See CVE-2007-4993 IMHO putting the kernel in domU and using pygrub was always asking for trouble. In my opinion it is completely crazy to expose dom0 to potential exploits from domU. So far as I am aware this is the *only* way to so expose dom0 to domU security holes and I am deeply shocked if it is true that "One sees mostly this nowadays" 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date: [Xen-users] USB Support for DomU - pciback.hide Problem , Alexandros Manakos
Next by Date: Re: [Xen-users] domU kernel , IDAGroup - R.W.Muller
Previous by Thread: Re: [Xen-users] domU kernel , Christian Horn
Next by Thread: Re: [Xen-users] domU kernel , IDAGroup - R.W.Muller
Indexes: [Date] [Thread] [Top] [All Lists]

Copyright ©, Citrix Systems Inc. All rights reserved. Legal and Privacy
Citrix This site is hosted by Citrix

AltStyle によって変換されたページ (->オリジナル) /