Xen project Mailing List

Re: Detecting whether dom0 is in a VM

To: George Dunlap <george.dunlap@xxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>

From: Jan Beulich <jbeulich@xxxxxxxx>

Date: Mon, 22 Apr 2024 09:12:10 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: zithro <slack@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monne <roger.pau@xxxxxxxxx>

Delivery-date: Mon, 22 Apr 2024 07:12:13 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19.04.2024 17:29, George Dunlap wrote: > On Fri, Jul 7, 2023 at 3:56 PM George Dunlap <george.dunlap@xxxxxxxxx> wrote: >>>>>> Xen's public interface offers access to the featuresets known / found / >>>>>> used by the hypervisor. See XEN_SYSCTL_get_cpu_featureset, accessible >>>>>> via xc_get_cpu_featureset(). >>>>>> >>>>> >>>>> Are any of these exposed in dom0 via sysctl, or hypfs? >>>> >>>> sysctl - yes (as the quoted name also says). hypfs no, afaict. >>>> >>>>> SYSCTLs are >>>>> unfortunately not stable interfaces, correct? So it wouldn't be practical >>>>> for systemd to use them. >>>> >>>> Indeed, neither sysctl-s nor the libxc interfaces are stable. >>> >>> Thinking of it, xen-cpuid is a wrapper tool around those. They may want >>> to look at its output (and, if they want to use it, advise distros to >>> also package it), which I think we try to keep reasonably stable, >>> albeit without providing any guarantees. >> >> >> We haven't had any clear guidance yet on what the systemd team want in the >> <xen in a VM, systemd in a dom0> question; I just sort of assumed they >> wanted the L-1 virtualization *if possible*. It sounds like `vm-other` >> would be acceptable, particularly as a fall-back output if there's no way to >> get Xen's picture of the cpuid. >> >> It looks like xen-cpuid is available on Fedora, Debian, Ubuntu, and the old >> Virt SIG CentOS packages; so I'd expect most packages to follow suit. >> That's a place to start. >> >> Just to take the discussion all the way to its conclusion: >> >> - Supposing xen-cpuid isn't available, is there any other way to tell if Xen >> is running in a VM from dom0? >> >> - Would it make sense to expose that information somewhere, either in sysfs >> or in hypfs (or both?), so that eventually even systems which may not get >> the memo about packaging xen-cpuid will get support (or if the systemd guys >> would rather avoid executing another process if possible)? > > Resurrecting this thread. > > To recap: > > Currently, `systemd-detect-virt` has the following input / output table: > > 1. Xen on real hardware, domU: xen > 2. Xen on real hardware, dom0: vm-other > 3. Xen in a VM, domU: xen > 4. Xen in aVM, dom0: vm-other > > It's the dom0 lines (2 and 4) which are problematic; we'd ideally like > those to be `none` and `vm-other` (or the actual value, like `xen` or > `kvm`). > > It looks like ATM, /proc/xen/capabilities will contain `control_d` if > it's a dom0. Simply unilaterally returning `none` if > /proc/xen/capabilities contains `control_d` would correct the vast > majority of instances (since the number of instances of Xen on real > hardware is presumably higher than the number running virtualized). > > Is /proc/xen/capabilities expected to stay around? I don't see > anything equivalent in /dev/xen. I believe it's intended to stay around, but a definitive answer can only come from Linux folks. Jürgen, Stefano? Jan > Other than adding a new interface to Xen, is there any way to tell if > Xen is running in a VM? If we do need to expose an interface, what > would be the best way to do that? > > -George

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.