[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Very technical question about ballooning



Adding Dan Magenheimer for his thoughts..

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Moritz Duge
Sent: Thursday, August 12, 2010 10:38 AM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Very technical question about ballooning

Hi there!
I'm having a quite difficult question about the ballooning feature of Xen.

The scenario is like this: I'm having a dom0 and some domUs. But I don't 
trust the operating-system inside one of the domUs. Please don't ask me 
why I just don't trust this operating-system! I can give you 1001 
reasons for it. This domU operating-system could be managed by an evil 
administrator or it could just be unsecure, so someone can break into it 
and gain root access.

Nevertheless, I would like to use ballooning for all of the domUs, also 
the untrusted one. Mainly because the memory requirements of the domUs 
change sometimes, but I don't want to reboot them.
That's why I want to use ballooning. And the added maxmem-values (not 
the memory values) will be more then the physical memory I have.


So the question is: Does Xen ensure, that the untrusted guest doesn't 
cheats the ballooning model?
What will happen, if memory is set to 512 mb for example and maxmem is 
768 mb. And then, the guest just unloads the ballooning stuff from it's 
operating-system kernel.

- Will the guest be able to "see" (by using the linux-command free in 
the guest for example) it's maxmem (768 mb)?

- And what will happend, if the guest tries to use it's full maxmem (768 
mb), not just the 512 mb? Will the guest crash???

- What happends if the guest can use maxmem and the whole system (dom0 
and the real hardware computer) runs out of memory? Will the whole real 
computer crash? Or just the malicious domU? Or all the domUs, but not 
the dom0???


Think of that: In the scenario I'm talking about, the bad domU is not 
really under my control. For shure, I wouldn't use more memory then I 
have. But in this case it's not my decision. It's the decision of 
somebody evil who gained the control over the domU (as I said, don't ask 
me why - there are enough exploids and undiscovered security holes out 
there).


At last:

- Are there differences concerning this, when using the paravirtualized 
mode (linux) and using the hvm mode with paravirtualized hvm drivers???

- Are there differences between the versions of the or the available 
xen-linux-kernels?

- It's not so hard to have a Xen Kernel without ballooning. For example 
look at Fedora 9. It brings a Xen-PV Kernel without ballooning!


At very last: Is there any detailed documentation for this?


Thanks!
Moritz Duge

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.