Mailing List Archive: Xen: Devel

Guest knowledge of own domid [was: docs: initial documentation for xenstore paths]

Index | Next | Previous | View Threaded

dgdegra at tycho

Aug 9, 2012, 2:02 PM

Post #1 of 7 (99 views)
Permalink

Guest knowledge of own domid [was: docs: initial documentation for xenstore paths]

On 07/30/2012 10:03 AM, Ian Campbell wrote:
> This is based upon my inspection of a system with a single PV domain running
> and is therefore very incomplete.
>
> There are several things I'm not sure of here, mostly marked with XXX in the
> text.
>
> In particular:
>
> - We seem to expose various things to the guest which really it has no need to
> know (at least not via xenstore). e.g. its own domid, its device model pid,
> the size of the video ram, store port and gref.

If the domid key is unneeded/removed, is there a recommended method for
a guest to query its own domid? I don't see a hypercall that returns it
directly, although there is one to return the guest's UUID - which seems
much less useful for a guest to know about itself.

While hypercalls are fairly consistent about accepting DOMID_SELF, a
domain does occasionally need to know its own ID: xenstore permission
changes do not accept DOMID_SELF, and if two domains are attempting to
set up communication such as V4V or vchan, they need to be able to tell
their peer what domain ID to use.

It is possible for a domain to query its own domain ID indirectly, so it
would be difficult to argue that a domain should not be able to obtain
its own ID. One method for a domain to query its own ID is to create an
unbound event channel with remote_domid = DOMID_SELF, and then execute
evtchn_status on the event channel in order to see the resolved domain
id. Querying Xenstore permissions on a newly-created key will show the
local domain as the first entry. Less reliably, the backend paths for
all xenbus devices contain the local and remote domain IDs.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

jean.guyader at gmail

Aug 9, 2012, 2:26 PM

Post #2 of 7 (89 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On 9 August 2012 22:02, Daniel De Graaf <dgdegra [at] tycho> wrote:
> On 07/30/2012 10:03 AM, Ian Campbell wrote:
>> This is based upon my inspection of a system with a single PV domain running
>> and is therefore very incomplete.
>>
>> There are several things I'm not sure of here, mostly marked with XXX in the
>> text.
>>
>> In particular:
>>
>> - We seem to expose various things to the guest which really it has no need to
>> know (at least not via xenstore). e.g. its own domid, its device model pid,
>> the size of the video ram, store port and gref.
>
> If the domid key is unneeded/removed, is there a recommended method for
> a guest to query its own domid? I don't see a hypercall that returns it
> directly, although there is one to return the guest's UUID - which seems
> much less useful for a guest to know about itself.
>
> While hypercalls are fairly consistent about accepting DOMID_SELF, a
> domain does occasionally need to know its own ID: xenstore permission
> changes do not accept DOMID_SELF, and if two domains are attempting to
> set up communication such as V4V or vchan, they need to be able to tell
> their peer what domain ID to use.
>

That is one way for doing it another way would be to use a name
resolution system
a bit like a DNS. A system like that would need to live where the VM
are created and destroyed
(probably dom0 or a domain builder VM).
The server could be using vchan, v4v or even a shared XenStore node,
but I think we
need something like that.

In the long run it's much better to rely on a name instead of a domid
because domids can
change throughout the VM life cycle (reboot, hibernate, save/restore,
migration, ...).

Jean

> It is possible for a domain to query its own domain ID indirectly, so it
> would be difficult to argue that a domain should not be able to obtain
> its own ID. One method for a domain to query its own ID is to create an
> unbound event channel with remote_domid = DOMID_SELF, and then execute
> evtchn_status on the event channel in order to see the resolved domain
> id. Querying Xenstore permissions on a newly-created key will show the
> local domain as the first entry. Less reliably, the backend paths for
> all xenbus devices contain the local and remote domain IDs.
>

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

Ian.Campbell at citrix

Aug 16, 2012, 4:28 AM

Post #3 of 7 (83 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On Thu, 2012-08-09 at 22:26 +0100, Jean Guyader wrote:
> On 9 August 2012 22:02, Daniel De Graaf <dgdegra [at] tycho> wrote:
> > On 07/30/2012 10:03 AM, Ian Campbell wrote:
> >> This is based upon my inspection of a system with a single PV domain running
> >> and is therefore very incomplete.
> >>
> >> There are several things I'm not sure of here, mostly marked with XXX in the
> >> text.
> >>
> >> In particular:
> >>
> >> - We seem to expose various things to the guest which really it has no need to
> >> know (at least not via xenstore). e.g. its own domid, its device model pid,
> >> the size of the video ram, store port and gref.
> >
> > If the domid key is unneeded/removed, is there a recommended method for
> > a guest to query its own domid? I don't see a hypercall that returns it
> > directly, although there is one to return the guest's UUID - which seems
> > much less useful for a guest to know about itself.
> >
> > While hypercalls are fairly consistent about accepting DOMID_SELF, a
> > domain does occasionally need to know its own ID: xenstore permission
> > changes do not accept DOMID_SELF,

I wonder if that would be a worthwhile protocol extension.

> and if two domains are attempting to
> > set up communication such as V4V or vchan, they need to be able to tell
> > their peer what domain ID to use.

That's trickier.

I suppose they could rendezvous via /vm/$UUID? Although there has been
talk of removing that path in the future.

> >
>
> That is one way for doing it another way would be to use a name
> resolution system
> a bit like a DNS. A system like that would need to live where the VM
> are created and destroyed
> (probably dom0 or a domain builder VM).
> The server could be using vchan, v4v or even a shared XenStore node,
> but I think we
> need something like that.
>
> In the long run it's much better to rely on a name instead of a domid
> because domids can
> change throughout the VM life cycle (reboot, hibernate, save/restore,
> migration, ...).

Right, this is the main reason to avoid building a reliance on domid
into a protocol.

>
> Jean
>
> > It is possible for a domain to query its own domain ID indirectly, so it
> > would be difficult to argue that a domain should not be able to obtain
> > its own ID. One method for a domain to query its own ID is to create an
> > unbound event channel with remote_domid = DOMID_SELF, and then execute
> > evtchn_status on the event channel in order to see the resolved domain
> > id. Querying Xenstore permissions on a newly-created key will show the
> > local domain as the first entry. Less reliably, the backend paths for
> > all xenbus devices contain the local and remote domain IDs.
> >

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

dgdegra at tycho

Aug 16, 2012, 7:33 AM

Post #4 of 7 (84 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On 08/16/2012 07:28 AM, Ian Campbell wrote:
> On Thu, 2012-08-09 at 22:26 +0100, Jean Guyader wrote:
>> On 9 August 2012 22:02, Daniel De Graaf <dgdegra [at] tycho> wrote:
>>> On 07/30/2012 10:03 AM, Ian Campbell wrote:
>>>> This is based upon my inspection of a system with a single PV domain running
>>>> and is therefore very incomplete.
>>>>
>>>> There are several things I'm not sure of here, mostly marked with XXX in the
>>>> text.
>>>>
>>>> In particular:
>>>>
>>>> - We seem to expose various things to the guest which really it has no need to
>>>> know (at least not via xenstore). e.g. its own domid, its device model pid,
>>>> the size of the video ram, store port and gref.
>>>
>>> If the domid key is unneeded/removed, is there a recommended method for
>>> a guest to query its own domid? I don't see a hypercall that returns it
>>> directly, although there is one to return the guest's UUID - which seems
>>> much less useful for a guest to know about itself.
>>>
>>> While hypercalls are fairly consistent about accepting DOMID_SELF, a
>>> domain does occasionally need to know its own ID: xenstore permission
>>> changes do not accept DOMID_SELF,
>
> I wonder if that would be a worthwhile protocol extension.

It might be, although it's never required. After checking where this would
be useful, it looks like the caller could just call a get-permissions on
the node before set-permissions, and just avoid modification to the owner.
Since non-privileged xenstore clients cannot modify the owner of a xenstore
key, and cannot change permissions on keys they do not own, this change
would just end up saving one call to xenstore. Privileged domains already
take advantage of their override capabilities and usually do not add domain
0 to the node permissions list, so it's not useful there.

>> and if two domains are attempting to
>>> set up communication such as V4V or vchan, they need to be able to tell
>>> their peer what domain ID to use.
>
> That's trickier.
>
> I suppose they could rendezvous via /vm/$UUID? Although there has been
> talk of removing that path in the future.

The /vm/$UUID path isn't currently useful for this, since it doesn't maintain
domain IDs (just names) and doesn't contain writable sub-keys for a domain
to use. I also don't think such a sub-key should be added; it makes more
sense to keep all of a domain's modifiable keys under its home path.

Perhaps this could be changed to another identifier-to-domid mapping, like
the proposed addition of a location to map name to domid?

The toolstack would maintain something like:
/local/by-name/$name == domid
/local/by-uuid/$uuid == domid
/local/domain/$domid/name - same as existing
/local/domain/$domid/uuid - ? maybe unneeded, as it's available from Xen.

>>>
>>
>> That is one way for doing it another way would be to use a name
>> resolution system
>> a bit like a DNS. A system like that would need to live where the VM
>> are created and destroyed
>> (probably dom0 or a domain builder VM).
>> The server could be using vchan, v4v or even a shared XenStore node,
>> but I think we
>> need something like that.
>>
>> In the long run it's much better to rely on a name instead of a domid
>> because domids can
>> change throughout the VM life cycle (reboot, hibernate, save/restore,
>> migration, ...).
>
> Right, this is the main reason to avoid building a reliance on domid
> into a protocol.
>

Both ends of any xen-based communication need to handle each of these events
in order to re-establish grants/events or v4v rings/ports. The domid does
need to be treated as a short-term identifier of a domain in a protocol that
expects to continue to work across such events.

>>
>> Jean
>>
>>> It is possible for a domain to query its own domain ID indirectly, so it
>>> would be difficult to argue that a domain should not be able to obtain
>>> its own ID. One method for a domain to query its own ID is to create an
>>> unbound event channel with remote_domid = DOMID_SELF, and then execute
>>> evtchn_status on the event channel in order to see the resolved domain
>>> id. Querying Xenstore permissions on a newly-created key will show the
>>> local domain as the first entry. Less reliably, the backend paths for
>>> all xenbus devices contain the local and remote domain IDs.
>>>

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

Ian.Campbell at citrix

Aug 16, 2012, 7:36 AM

Post #5 of 7 (84 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On Thu, 2012-08-16 at 15:33 +0100, Daniel De Graaf wrote:

> >> and if two domains are attempting to
> >>> set up communication such as V4V or vchan, they need to be able to tell
> >>> their peer what domain ID to use.
> >
> > That's trickier.
> >
> > I suppose they could rendezvous via /vm/$UUID? Although there has been
> > talk of removing that path in the future.
>
> The /vm/$UUID path isn't currently useful for this, since it doesn't maintain
> domain IDs (just names) and doesn't contain writable sub-keys for a domain
> to use. I also don't think such a sub-key should be added; it makes more
> sense to keep all of a domain's modifiable keys under its home path.
>
> Perhaps this could be changed to another identifier-to-domid mapping, like
> the proposed addition of a location to map name to domid?
>
> The toolstack would maintain something like:
> /local/by-name/$name == domid
> /local/by-uuid/$uuid == domid

This second one is a bit like the existing /vm/$uuid/domid.

I think I would go with:

/local/by-name/$name == /local/domain/$domid
/local/by-uuid/$uuid == /local/domain/$domid

though, So that you can just read it and use it without interpreting it.

> /local/domain/$domid/name - same as existing
> /local/domain/$domid/uuid - ? maybe unneeded, as it's available from Xen.

Is it available for other domains via xen, or just yourself?

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

dgdegra at tycho

Aug 16, 2012, 7:52 AM

Post #6 of 7 (85 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On 08/16/2012 10:36 AM, Ian Campbell wrote:
> On Thu, 2012-08-16 at 15:33 +0100, Daniel De Graaf wrote:
>
>>>> and if two domains are attempting to
>>>>> set up communication such as V4V or vchan, they need to be able to tell
>>>>> their peer what domain ID to use.
>>>
>>> That's trickier.
>>>
>>> I suppose they could rendezvous via /vm/$UUID? Although there has been
>>> talk of removing that path in the future.
>>
>> The /vm/$UUID path isn't currently useful for this, since it doesn't maintain
>> domain IDs (just names) and doesn't contain writable sub-keys for a domain
>> to use. I also don't think such a sub-key should be added; it makes more
>> sense to keep all of a domain's modifiable keys under its home path.
>>
>> Perhaps this could be changed to another identifier-to-domid mapping, like
>> the proposed addition of a location to map name to domid?
>>
>> The toolstack would maintain something like:
>> /local/by-name/$name == domid
>> /local/by-uuid/$uuid == domid
>
> This second one is a bit like the existing /vm/$uuid/domid.

That key isn't being populated by xl on my system, so I didn't know it existed.

>
> I think I would go with:
>
> /local/by-name/$name == /local/domain/$domid
> /local/by-uuid/$uuid == /local/domain/$domid
>
> though, So that you can just read it and use it without interpreting it.

In that case, you would need to parse the domid out of the string in order
to use it in hypercalls (grant, event, v4v). The frontend/backend paths use
a distinct frontend-id/backend-id key for the domain ID, but we are trying
to avoid this since populating this key would mean the domain populating it
needs to know its own domain ID.

>> /local/domain/$domid/name - same as existing
>> /local/domain/$domid/uuid - ? maybe unneeded, as it's available from Xen.
>
> Is it available for other domains via xen, or just yourself?
>

Yourself and anyone who can call getdomaininfo (which is usually just dom0).
This is actually the same as the xenstore permissions on keys such as
/local/domain/$id/name. Changing these may need consideration, because on
public hosting servers, you might not want to allow domains to be enumerated
by name.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

Ian.Campbell at citrix

Aug 17, 2012, 1:05 AM

Post #7 of 7 (78 views)
Permalink

Re: Guest knowledge of own domid [was: docs: initial documentation for xenstore paths] [In reply to]

On Thu, 2012-08-16 at 15:52 +0100, Daniel De Graaf wrote:
> On 08/16/2012 10:36 AM, Ian Campbell wrote:
> > On Thu, 2012-08-16 at 15:33 +0100, Daniel De Graaf wrote:
> >
> >>>> and if two domains are attempting to
> >>>>> set up communication such as V4V or vchan, they need to be able to tell
> >>>>> their peer what domain ID to use.
> >>>
> >>> That's trickier.
> >>>
> >>> I suppose they could rendezvous via /vm/$UUID? Although there has been
> >>> talk of removing that path in the future.
> >>
> >> The /vm/$UUID path isn't currently useful for this, since it doesn't maintain
> >> domain IDs (just names) and doesn't contain writable sub-keys for a domain
> >> to use. I also don't think such a sub-key should be added; it makes more
> >> sense to keep all of a domain's modifiable keys under its home path.
> >>
> >> Perhaps this could be changed to another identifier-to-domid mapping, like
> >> the proposed addition of a location to map name to domid?
> >>
> >> The toolstack would maintain something like:
> >> /local/by-name/$name == domid
> >> /local/by-uuid/$uuid == domid
> >
> > This second one is a bit like the existing /vm/$uuid/domid.
>
> That key isn't being populated by xl on my system, so I didn't know it existed.

I could have sworn I'd seen it recently, but don't now. Maybe I had
started xend at some point.

> > I think I would go with:
> >
> > /local/by-name/$name == /local/domain/$domid
> > /local/by-uuid/$uuid == /local/domain/$domid
> >
> > though, So that you can just read it and use it without interpreting it.
>
> In that case, you would need to parse the domid out of the string in order
> to use it in hypercalls (grant, event, v4v). The frontend/backend paths use
> a distinct frontend-id/backend-id key for the domain ID, but we are trying
> to avoid this since populating this key would mean the domain populating it
> needs to know its own domain ID.

Right, dang ;-)

> >> /local/domain/$domid/name - same as existing
> >> /local/domain/$domid/uuid - ? maybe unneeded, as it's available from Xen.
> >
> > Is it available for other domains via xen, or just yourself?
> >
>
> Yourself and anyone who can call getdomaininfo (which is usually just dom0).
> This is actually the same as the xenstore permissions on keys such as
> /local/domain/$id/name. Changing these may need consideration, because on
> public hosting servers, you might not want to allow domains to be enumerated
> by name.

Sure.

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xen.org/xen-devel

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads