NAME
xm - Xen management user interface
SYNOPSIS
xm subcommand [args]
DESCRIPTION
The xm program is the main interface for managing Xen guest domains.
The program can be used to create, pause, and shutdown domains. It can
also be used to list current domains, enable or pin VCPUs, and attach
or detach virtual block devices.
The basic structure of every xm command is almost always:
xm subcommand domain-id [OPTIONS]
Where subcommand is one of the subcommands listed below, domain-id is
the numeric domain id, or the domain name (which will be internally
translated to domain id), and OPTIONS are subcommand specific options.
There are a few exceptions to this rule in the cases where the
subcommand in question acts on all domains, the entire machine, or
directly on the Xen hypervisor. Those exceptions will be clear for
each of those subcommands.
NOTES
All xm operations rely upon the Xen control daemon, aka xend. For any
xm commands to run, xend must also be running. For this reason you
should start xend as a service when your system first boots using Xen.
Most xm commands require root privileges to run due to the
communications channels used to talk to the hypervisor. Running as non
root will return an error.
Most xm commands act asynchronously, so just because the xm command
returned doesn’t mean the action is complete. This is important, as
many operations on domains, like create and shutdown, can take
considerable time (30 seconds or more) to bring the machine into a
fully compliant state. If you want to know when one of these actions
has finished you must poll through xm list periodically.
DOMAIN SUBCOMMANDS
The following subcommands manipulate domains directly. As stated
previously, most commands take domain-id as the first parameter.
console domain-id
Attach to domain domain-id’s console. If you’ve set up your
domains to have a traditional log in console this will look much
like a normal text log in screen.
This uses the back end xenconsole service which currently only
works for para-virtual domains.
The attached console will perform much like a standard serial
console, so running curses based interfaces over the console is not
advised. Vi tends to get very odd when using it over this
interface.
create [-c] configfile [name=value]..
The create sub command requires a config file and can optionally
take a series of name value pairs that add to or override variables
defined in the config file. See xmdomain.cfg for full details of
that file format, and possible options used in either the
configfile or name=value combinations.
configfile can either be an absolute path to a file, or a relative
path to a file located in /etc/xen.
Create will return as soon as the domain is started. This does not
mean the guest OS in the domain has actually booted, or is
available for input.
OPTIONS
-c Attache console to the domain as soon as it has started. This
is useful for determining issues with crashing domains.
EXAMPLES
with config file
xm create Fedora4
This creates a domain with the file /etc/xen/Fedora4, and
returns as soon as it is run.
without config file
xm create /dev/null ramdisk=initrd.img \
kernel=/boot/vmlinuz-2.6.12.6-xenU \
name=ramdisk vif='' vcpus=1 \
memory=64 root=/dev/ram0
This creates the domain without using a config file (more
specifically using /dev/null as an empty config file), kernel
and ramdisk as specified, setting the name of the domain to
"ramdisk", also disabling virtual networking. (This example
comes from the xm-test test suite.)
destroy domain-id
Immediately terminate the domain domain-id. This doesn’t give the
domain OS any chance to react, and is the equivalent of ripping the
power cord out on a physical machine. In most cases you will want
to use the shutdown command instead.
domid domain-name
Converts a domain name to a domain id using xend’s internal
mapping.
domname domain-id
Converts a domain id to a domain name using xend’s internal
mapping.
help [--long]
Displays the short help message (i.e. common commands).
The --long option prints out the complete set of xm subcommands,
grouped by function.
list [--long | --label] [domain-id ...]
Prints information about one or more domains. If no domains are
specified it prints out information about all domains.
An example format for the list is as follows:
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 98 1 r----- 5068.6
Fedora3 164 128 1 r----- 7.6
Fedora4 165 128 1 ------ 0.6
Mandrake2006 166 128 1 -b---- 3.6
Mandrake10.2 167 128 1 ------ 2.5
Suse9.2 168 100 1 ------ 1.8
Name is the name of the domain. ID the numeric domain id. Mem is
the desired amount of memory to allocate to the domain (although it
may not be the currently allocated amount). VCPUs is the number of
virtual CPUs allocated to the domain. State is the run state (see
below). Time is the total run time of the domain as accounted for
by Xen.
STATES
The State field lists 6 states for a Xen domain, and which ones
the current domain is in.
r - running
The domain is currently running on a CPU.
b - blocked
The domain is blocked, and not running or runnable. This can
be caused because the domain is waiting on IO (a traditional
wait state) or has gone to sleep because there was nothing else
for it to do.
p - paused
The domain has been paused, usually occurring through the
administrator running xm pause. When in a paused state the
domain will still consume allocated resources like memory, but
will not be eligible for scheduling by the Xen hypervisor.
s - shutdown
FIXME: Why would you ever see this state?
c - crashed
The domain has crashed, which is always a violent ending.
Usually this state can only occur if the domain has been
configured not to restart on crash. See xmdomain.cfg for more
info.
d - dying
The domain is in process of dying, but hasn’t completely
shutdown or crashed.
FIXME: Is this right?
LONG OUTPUT
If --long is specified, the output for xm list is not the table
view shown above, but instead is an S-Expression representing
all information known about all domains asked for. This is
mostly only useful for external programs to parse the data.
Note: There is no stable guarantees on the format of this data.
Use at your own risk.
LABEL OUTPUT
If --label is specified, the security labels are added to the
output of xm list and the lines are sorted by the labels
(ignoring case). The --long option prints the labels by default
and cannot be combined with --label. See the ACCESS CONTROL
SUBCOMMAND section of this man page for more information about
labels.
==back
NOTES
The Time column is deceptive. Virtual IO (network and
block devices) used by domains requires coordination by
Domain0, which means that Domain0 is actually charged for
much of the time that a DomainU is doing IO. Use of this
time value to determine relative utilizations by domains is
thus very suspect, as a high IO workload may show as less
utilized than a high CPU workload. Consider yourself
warned.
mem-max domain-id mem
Specify the maximum amount of memory the domain is able to use.
mem is specified in megabytes.
The mem-max value may not correspond to the actual memory used
in the domain, as it may balloon down its memory to give more
back to the OS.
mem-set domain-id mem
Set the domain’s used memory using the balloon driver.
Because this operation requires cooperation from the domain
operating system, there is no guarantee that it will succeed.
This command will definitely not work unless the domain has the
required paravirt driver.
Warning: There is no good way to know in advance how small of a
mem-set will make a domain unstable and cause it to crash. Be
very careful when using this command on running domains.
migrate domain-id host [OPTIONS]
Migrate a domain to another host machine. Xend must be running
on other host machine, it must be running the same version of
Xen, it must have the migration TCP port open and accepting
connections from the source host, and there must be sufficient
resources for the domain to run (memory, disk, etc).
Migration is pretty complicated, and has many security
implications. Please read the Xen User’s Guide to ensure you
understand the ramifications and limitations on migration
before attempting it in production.
OPTIONS
-l, --live
Use live migration. This will migrate the domain between
hosts without shutting down the domain. See the Xen User’s
Guide for more information.
-r, --resource Mbs
Set maximum Mbs allowed for migrating the domain. This
ensures that the network link is not saturated with
migration traffic while attempting to do other useful work.
pause domain-id
Pause a domain. When in a paused state the domain will still
consume allocated resources such as memory, but will not be
eligible for scheduling by the Xen hypervisor.
reboot [OPTIONS] domain-id
Reboot a domain. This acts just as if the domain had the
reboot command run from the console. The command returns as
soon as it has executed the reboot action, which may be
significantly before the domain actually reboots.
The behavior of what happens to a domain when it reboots is set
by the on_reboot parameter of the xmdomain.cfg file when the
domain was created.
OPTIONS
-a, --all
Reboot all domains.
-w, --wait
Wait for reboot to complete before returning. This may
take a while, as all services in the domain will have to be
shut down cleanly.
restore state-file
Build a domain from an xm save state file. See save for more
info.
save domain-id state-file
Saves a running domain to a state file so that it can be
restored later. Once saved, the domain will no longer be
running on the system, thus the memory allocated for the domain
will be free for other domains to use. xm restore restores
from this state file.
This is roughly equivalent to doing a hibernate on a running
computer, with all the same limitations. Open network
connections may be severed upon restore, as TCP timeouts may
have expired.
shutdown [OPTIONS] domain-id
Gracefully shuts down a domain. This coordinates with the
domain OS to perform graceful shutdown, so there is no
guarantee that it will succeed, and may take a variable length
of time depending on what services must be shutdown in the
domain. The command returns immediately after signally the
domain unless that -w flag is used.
The behavior of what happens to a domain when it reboots is set
by the on_shutdown parameter of the xmdomain.cfg file when the
domain was created.
OPTIONS
-a Shutdown all domains. Often used when doing a complete
shutdown of a Xen system.
-w Wait for the domain to complete shutdown before returning.
sysrq domain-id letter
Send a Magic System Request signal to the domain. For more
information on available magic sys req operations, see
sysrq.txt in your Linux Kernel sources.
unpause domain-id
Moves a domain out of the paused state. This will allow a
previously paused domain to now be eligible for scheduling by
the Xen hypervisor.
vcpu-set domain-id vcpu-count
Enables the vcpu-count virtual CPUs for the domain in question.
Like mem-set, this command can only allocate up to the maximum
virtual CPU count configured at boot for the domain.
If the vcpu-count is smaller than the current number of active
VCPUs, the highest number VCPUs will be hotplug removed. This
may be important for pinning purposes.
Attempting to set the VCPUs to a number larger than the
initially configured VCPU count is an error. Trying to set
VCPUs to < 1 will be quietly ignored.
Because this operation requires cooperation from the domain
operating system, there is no guarantee that it will succeed.
This command will not work with a full virt domain.
vcpu-list [domain-id]
Lists VCPU information for a specific domain. If no domain is
specified, VCPU information for all domains will be provided.
vcpu-pin domain-id vcpu cpus
Pins the the VCPU to only run on the specific CPUs. The
keyword all can be used to apply the cpus list to all VCPUs in
the domain.
Normally VCPUs can float between available CPUs whenever Xen
deems a different run state is appropriate. Pinning can be
used to restrict this, by ensuring certain VCPUs can only run
on certain physical CPUs.
XEN HOST SUBCOMMANDS
dmesg [-c]
Reads the Xen message buffer, similar to dmesg on a Linux system.
The buffer contains informational, warning, and error messages
created during Xen’s boot process. If you are having problems with
Xen, this is one of the first places to look as part of problem
determination.
OPTIONS
-c, --clear
Clears Xen’s message buffer.
info
Print information about the Xen host in name : value format. When
reporting a Xen bug, please provide this information as part of the
bug report.
Sample output looks as follows (lines wrapped manually to make the
man page more readable):
host : talon
release : 2.6.12.6-xen0
version : #1 Mon Nov 14 14:26:26 EST 2005
machine : i686
nr_cpus : 2
nr_nodes : 1
cores_per_socket : 1
threads_per_core : 1
cpu_mhz : 696
hw_caps : 0383fbff:00000000:00000000:00000040
total_memory : 767
free_memory : 37
xen_major : 3
xen_minor : 0
xen_extra : -devel
xen_caps : xen-3.0-x86_32
xen_scheduler : credit
xen_pagesize : 4096
platform_params : virt_start=0xfc000000
xen_changeset : Mon Nov 14 18:13:38 2005 +0100
7793:090e44133d40
cc_compiler : gcc version 3.4.3 (Mandrakelinux
10.2 3.4.3-7mdk)
cc_compile_by : sdague
cc_compile_domain : (none)
cc_compile_date : Mon Nov 14 14:16:48 EST 2005
xend_config_format : 3
FIELDS
Not all fields will be explained here, but some of the less
obvious ones deserve explanation:
hw_caps
A vector showing what hardware capabilities are supported by
your processor. This is equivalent to, though more cryptic,
the flags field in /proc/cpuinfo on a normal Linux machine.
free_memory
Available memory (in MB) not allocated to Xen, or any other
domains.
xen_caps
The Xen version and architecture. Architecture values can be
one of: x86_32, x86_32p (i.e. PAE enabled), x86_64, ia64.
xen_changeset
The Xen mercurial changeset id. Very useful for determining
exactly what version of code your Xen system was built from.
log Print out the xend log. This log file can be found in
/var/log/xend.log.
top Executes the xentop command, which provides real time monitoring of
domains. Xentop is a curses interface, and reasonably self
explanatory.
SCHEDULER SUBCOMMANDS
Xen ships with a number of domain schedulers, which can be set at boot
time with the sched= parameter on the Xen command line. By default
credit is used for scheduling.
FIXME: we really need a scheduler expert to write up this section.
sched-credit [ -d domain-id [ -w[=WEIGHT] | -c[=CAP] ] ]
Set credit scheduler parameters. The credit scheduler is a
proportional fair share CPU scheduler built from the ground up to
be work conserving on SMP hosts.
Each domain (including Domain0) is assigned a weight and a cap.
PARAMETERS
WEIGHT
A domain with a weight of 512 will get twice as much CPU as a
domain with a weight of 256 on a contended host. Legal weights
range from 1 to 65535 and the default is 256.
CAP The cap optionally fixes the maximum amount of CPU a domain
will be able to consume, even if the host system has idle CPU
cycles. The cap is expressed in percentage of one physical CPU:
100 is 1 physical CPU, 50 is half a CPU, 400 is 4 CPUs, etc.
The default, 0, means there is no upper cap.
sched-sedf period slice latency-hint extratime weight
Set Simple EDF (Earliest Deadline First) scheduler parameters.
This scheduler provides weighted CPU sharing in an intuitive way
and uses realtime-algorithms to ensure time guarantees. For more
information see docs/misc/sedf_scheduler_mini-HOWTO.txt in the Xen
distribution.
PARAMETERS
period
The normal EDF scheduling usage in nanoseconds
slice
The normal EDF scheduling usage in nanoseconds
FIXME: these are lame, should explain more.
latency-hint
Scaled period if domain is doing heavy I/O.
extratime
Flag for allowing domain to run in extra time.
weight
Another way of setting CPU slice.
EXAMPLES
normal EDF (20ms/5ms):
xm sched-sedf <dom-id> 20000000 5000000 0 0 0
best-effort domains (i.e. non-realtime):
xm sched-sedf <dom-id> 20000000 0 0 1 0
normal EDF (20ms/5ms) + share of extra-time:
xm sched-sedf <dom-id> 20000000 5000000 0 1 0
4 domains with weights 2:3:4:2
xm sched-sedf <d1> 0 0 0 0 2
xm sched-sedf <d2> 0 0 0 0 3
xm sched-sedf <d3> 0 0 0 0 4
xm sched-sedf <d4> 0 0 0 0 2
1 fully-specified (10ms/3ms) domain, 3 other domains share
available rest in 2:7:3 ratio:
xm sched-sedf <d1> 10000000 3000000 0 0 0
xm sched-sedf <d2> 0 0 0 0 2
xm sched-sedf <d3> 0 0 0 0 7
xm sched-sedf <d4> 0 0 0 0 3
VIRTUAL DEVICE COMMANDS
Most virtual devices can be added and removed while guests are running.
The effect to the guest OS is much the same as any hotplug event.
BLOCK DEVICES
block-attach domain-id be-dev fe-dev mode [bedomain-id]
Create a new virtual block device. This will trigger a hotplug
event for the guest.
OPTIONS
domain-id
The domain id of the guest domain that the device will be
attached to.
be-dev
The device in the backend domain (usually domain 0) to be
exported. This can be specified as a physical partition
(phy:sda7) or as a file mounted as loopback
(file://path/to/loop.iso).
fe-dev
How the device should be presented to the guest domain. It can
be specified as either a symbolic name, such as /dev/hdc, for
common devices, or by device id, such as 0x1400 (/dev/hdc
device id in hex).
mode
The access mode for the device from the guest domain.
Supported modes are w (read/write) or r (read-only).
bedomain-id
The back end domain hosting the device. This defaults to
domain 0.
EXAMPLES
Mount an ISO as a Disk
xm block-attach guestdomain file://path/to/dsl-2.0RC2.iso
/dev/hdc ro
This will mount the dsl ISO as /dev/hdc in the guestdomain as a
read only device. This will probably not be detected as a CD-
ROM by the guest, but mounting /dev/hdc manually will work.
block-detach domain-id devid [--force]
Detach a domain’s virtual block device. devid may be the symbolic
name or the numeric device id given to the device by domain 0. You
will need to run xm block-list to determine that number.
Detaching the device requires the cooperation of the domain. If
the domain fails to release the device (perhaps because the domain
is hung or is still using the device), the detach will fail. The
--force parameter will forcefully detach the device, but may cause
IO errors in the domain.
block-list [-l|--long] domain-id
List virtual block devices for a domain. The returned output is
formatted as a list or as an S-Expression if the --long option was
given.
NETWORK DEVICES
network-attach domain-id [script=scriptname] [ip=ipaddr] [mac=macaddr]
[bridge=bridge-name] [backend=bedomain-id]
Creates a new network device in the domain specified by domain-id.
It takes the following optional options:
OPTIONS
script=scriptname
Use the specified script name to bring up the network.
Defaults to the default setting in xend-config.sxp for vif-
script.
ip=ipaddr
Passes the specified IP Address to the adapter on creation.
FIXME: this currently appears to be broken. I’m not sure under
what circumstances this should actually work.
mac=macaddr
The MAC address that the domain will see on its Ethernet
device. If the device is not specified it will be randomly
generated with the 00:16:3e vendor id prefix.
bridge=bridge-name
The name of the bridge to attach the vif to, in case you have
more than one. This defaults to xenbr0.
backend=bedomain-id
The backend domain id. By default this is domain 0.
network-detach domain-id devid
Removes the network device from the domain specified by domain-id.
devid is the virtual interface device number within the domain
(i.e. the 3 in vif22.3).
FIXME: this is currently broken. Network devices aren’t completely
removed from domain 0.
network-list [-l|--long]> domain-id
List virtual network interfaces for a domain. The returned output
is formatted as a list or as an S-Expression if the --long option
was given.
VIRTUAL TPM DEVICES
vtpm-list [-l|--long] domain-id
Show the virtual TPM device for a domain. The returned output is
formatted as a list or as an S-Expression if the --long option was
given.
VNET COMMANDS
The Virtual Network interfaces for Xen.
FIXME: This needs a lot more explanation, or it needs to be ripped out
entirely.
vnet-list [-l|--long]
List vnets.
vnet-create config
Create a vnet from a config file.
vnet-delete vnetid
Delete a vnet.
ACCESS CONTROL SUBCOMMANDS
Access Control in Xen consists of two components: (i) The Access
Control Policy (ACP) defines security labels and access rules based on
these labels. (ii) The Access Control Module (ACM) makes access control
decisions by interpreting the policy when domains require to
communicate or to access resources. The Xen access control has
sufficient mechanisms in place to enforce the access decisions even
against maliciously acting user domains (mandatory access control).
Access rights for domains in Xen are determined by the domain security
label only and not based on the domain Name or ID. The ACP specifies
security labels that can then be assigned to domains and resources.
Every domain must be assigned exactly one security label, otherwise
access control decisions could become indeterministic. ACPs are
distinguished by their name, which is a parameter to most of the
subcommands described below. Currently, the ACP specifies two ways to
interpret labels:
(1) Simple Type Enforcement: Labels are interpreted to decide access of
domains to communication means and virtual or physical resources.
Communication between domains as well as access to resources are
forbidden by default and can only take place if they are explicitly
allowed by the security policy. The proper assignment of labels to
domains controls the sharing of information (directly through
communication or indirectly through shared resources) between domains.
This interpretation allows to control the overt (intended)
communication channels in Xen.
(2) Chinese Wall: Labels are interpreted to decide which domains can
co-exist (be run simultaneously) on the same system. This
interpretation allows to prevent direct covert (unintended) channels
and mitigates risks caused by imperfect core domain isolation (trade-
off between security and other system requirements). For a short
introduction to covert channels, please refer to
http://www.multicians.org/timing-chn.html.
The following subcommands help you to manage security policies in Xen
and to assign security labels to domains. To enable access control
security in Xen, you must compile Xen with ACM support enabled as
described under "Configuring Security" below. There, you will find also
examples of each subcommand described here.
setpolicy ACM policy
Makes the given ACM policy available to xend as a xend-managed
policy. The policy is compiled and a mapping (.map) as well as a
binary (.bin) version of the policy is created. The policy is
loaded and the system’s bootloader is prepared to boot the system
with this policy the next time it is started.
policy is a dot-separated list of names. The last part is the
file name pre-fix for the policy XML file. The preceding name
parts are translated into the local path pointing to the policy
XML file relative to the global policy root directory
(/etc/xen/acm-security/policies). For example,
example.chwall_ste.client_v1 denotes the policy file
example/chwall_ste/client_v1-security_policy.xml relative to
the global policy root directory.
resetpolicy
Reset the system’s policy to the default state where the DEFAULT
policy is loaded and enforced. This operation may fail if for
example guest VMs are running and and one of them uses a different
label than what Domain-0 does. It is best to make sure that no
guests are running before issuing this command.
getpolicy [--dumpxml]
Displays information about the current xend-managed policy, such as
name and type of the policy, the uuid xend has assigned to it on
the local system, the version of the XML representation and the
status of the policy, such as whether it is currently loaded into
Xen or whether the policy is automatically loaded during system
boot. With the --dumpxml option, the XML representation of the
policy is displayed.
dumppolicy
Prints the current security policy state information of Xen.
labels [policy] [type=dom|res|any]
Lists all labels of a type (domain, resource, or both) that are
defined in the policy. Unless specified, the default policy is the
currently enforced access control policy. The default for type is
’dom’. The labels are arranged in alphabetical order.
addlabel label dom configfile [policy]
addlabel label mgt domain name [policy type:policy]
addlabel label res resource [policy]
addlabel label vif-idx domain name [policy type:policy]
Adds the security label with name label to a domain configfile
(dom), a Xend-managed domain (mgt), to the global resource label
file for the given resource (res), or to a managed domain’s virtual
network interface (vif) that is specified by its index. Unless
specified, the default policy is the currently enforced access
control policy. This subcommand also verifies that the policy
definition supports the specified label name.
The only policy type that is currently supported is ACM.
rmlabel dom configfile
rmlabel mgt domain name
rmlabel res resource
rmlabel vif-idx domain name
Works the same as the addlabel command (above), except that this
command will remove the label from the domain configfile (dom), a
Xend-managed domain (mgt), the global resource label file (res), or
a managed domain’s network interface (vif).
getlabel dom configfile
getlabel mgt domain name
getlabel res resource
getlabel vif-idx domain name
Shows the label for a domain’s configuration in the given
configfile, a xend-managed domain (mgt), a resource, or a managed
domain’s network interface (vif).
resources
Lists all resources in the global resource label file. Each
resource is listed with its associated label and policy name.
dry-run configfile
Determines if the specified configfile describes a domain with a
valid security configuration for type enforcement. The test shows
the policy decision made for each resource label against the domain
label as well as the overall decision.
CONFIGURING SECURITY
In xen_source_dir/Config.mk set the following parameter:
XSM_ENABLE ?= y
ACM_SECURITY ?= y
Then recompile and install xen and the security tools and then
reboot:
cd xen_source_dir; make clean; make install
reboot into Xen
RESETTING THE SYSTEM’S SECURITY
To set the system’s security policy enforcement into its
default state, the follow command can be issued. Make sure that
no guests are running while doing this.
xm resetpolicy
After this command has successfully completed, the system’s
DEFAULT policy is enforced.
SETTING A SECURITY POLICY
This step sets the system’s policy and automatically loads it
into Xen for enforcement.
xm setpolicy ACM example.client_v1
LISTING SECURITY LABELS
This subcommand shows all labels that are defined and which can
be attached to domains.
xm labels example.client_v1 type=dom
will print for our example policy:
dom_BoincClient
dom_Fun
dom_HomeBanking
dom_NetworkDomain
dom_StorageDomain
dom_SystemManagement
ATTACHING A SECURITY LABEL TO A DOMAIN
The addlabel subcommand can attach a security label to a domain
configuration file, here a HomeBanking label. The example
policy ensures that this domain does not share information with
other non-homebanking user domains (i.e., domains labeled as
dom_Fun or dom_Boinc) and that it will not run simultaneously
with domains labeled as dom_Fun.
We assume that the specified myconfig.xm configuration file
actually instantiates a domain that runs workloads related to
home-banking, probably just a browser environment for online-
banking.
xm addlabel dom_HomeBanking dom myconfig.xm
The very simple configuration file might now look as printed
below. The addlabel subcommand added the access_control entry
at the end of the file, consisting of a label name and the
policy that specifies this label name:
kernel = "/boot/vmlinuz-2.6.16-xen"
ramdisk="/boot/U1_home_banking_ramdisk.img"
memory = 164
name = "homebanking"
vif = [ '' ]
dhcp = "dhcp"
access_control = ['policy=example.chwall_ste.client_v1,
label=dom_HomeBanking']
Security labels must be assigned to domain configurations
because these labels are essential for making access control
decisions as early as during the configuration phase of a newly
instantiated domain. Consequently, a security-enabled Xen
hypervisor will only start domains that have a security label
configured and whose security label is consistent with the
currently enforced policy. Otherwise, starting the domain will
fail with the error condition "operation not permitted".
ATTACHING A SECURITY LABEL TO A XEND-MANAGED DOMAIN
The addlabel subcommand supports labeling of domains that are
managed by xend. This includes domains that are currently
running, such as for example Domain-0, or those that are in a
dormant state. Depending on the state of the system, it is
possible that the new label is rejected. An example for a
reason for the rejection of the relabeling of a domain would be
if a domain is currently allowed to access its labeled
resources but due to the new label would be prevented from
accessing one or more of them.
xm addlabel dom_Fun mgt Domain-0
This changes the label of Domain-0 to dom_Fun under the
condition that this new label of Domain-0 would not prevent any
other domain from accessing its resources that are provided
through Domain-0, such as for example network or block device
access.
ATTACHING A SECURITY LABEL TO A RESOURCE
The addlabel subcommand can also be used to attach a security
label to a resource. Following the home banking example from
above, we can label a disk resource (e.g., a physical partition
or a file) to make it accessible to the home banking domain.
The example policy provides a resource label,
res_LogicalDiskPartition1(hda1), that is compatible with the
HomeBanking domain label.
xm addlabel "res_LogicalDiskPartition1(hda1)" res phy:hda6
After labeling this disk resource, it can be attached to the
domain by adding a line to the domain configuration file. The
line below attaches this disk to the domain at boot time.
disk = [ 'phy:hda6,sda2,w' ]
Alternatively, the resource can be attached after booting the
domain by using the block-attach subcommand.
xm block-attach homebanking phy:hda6 sda2 w
Note that labeled resources cannot be used when security is
turned off. Any attempt to use labeled resources with security
turned off will result in a failure with a corresponding error
message. The solution is to enable security or, if security is
no longer desired, to remove the resource label using the
rmlabel subcommand.
STARTING AND LISTING LABELED DOMAINS
xm create myconfig.xm
xm list --label
Name ID ... Time(s) Label
homebanking 23 ... 4.4 dom_HomeBanking
Domain-0 0 ... 2658.8 dom_SystemManagement
LISTING LABELED RESOURCES
xm resources
phy:hda6
type: ACM
policy: example.chwall_ste.client_v1
label: res_LogicalDiskPartition1(hda1)
file:/xen/disk_image/disk.img
type: ACM
policy: example.chwall_ste.client_v1
label: res_LogicalDiskPartition2(hda2)
POLICY REPRESENTATIONS
We distinguish three representations of the Xen access control
policy: the source XML version, its binary counterpart, and a
mapping representation that enables the tools to
deterministically translate back and forth between label names
of the XML policy and label identifiers of the binary policy.
All three versions must be kept consistent to achieve
predictable security guarantees.
The XML version is the version that users are supposed to
create or change, either by manually editing the XML file or by
using the Xen policy generation tool (xensec_gen). After
changing the XML file, run the setpolicy subcommand to ensure
that the new policy is available to xend. Use, for example, the
subcommand activatepolicy to activate the changes during the
next system reboot.
The binary version of the policy is derived from the XML policy
by tokenizing the specified labels and is used inside Xen only.
It is created with the setpolicy subcommand. Essentially, the
binary version is much more compact than the XML version and is
easier to evaluate during access control decisions.
The mapping version of the policy is created during the XML-to-
binary policy translation (setpolicy) and is used by xend and
the management tools to translate between label names used as
input to the tools and their binary identifiers (ssidrefs) used
inside Xen.
SEE ALSO
xmdomain.cfg(5), xentop(1)
AUTHOR
Sean Dague <sean at dague dot net>
Daniel Stekloff <dsteklof at us dot ibm dot com>
Reiner Sailer <sailer at us dot ibm dot com>
Stefan Berger <stefanb at us dot ibm dot com>
BUGS
POD ERRORS
Hey! The above document had some coding errors, which are explained
below:
Around line 167:
You can’t have =items (as at line 172) unless the first thing after
the =over is an =item
Around line 224:
You can’t have =items (as at line 247) unless the first thing after
the =over is an =item
Around line 420:
You forgot a ’=back’ before ’=head1’
Around line 480:
You can’t have =items (as at line 485) unless the first thing after
the =over is an =item
Around line 701:
You forgot a ’=back’ before ’=head2’
Around line 703:
’=item’ outside of any ’=over’
Around line 756:
You forgot a ’=back’ before ’=head2’
Around line 758:
’=item’ outside of any ’=over’
Around line 831:
’=item’ outside of any ’=over’
Around line 1158:
You forgot a ’=back’ before ’=head1’