Re: [Xen-users] help please - running a guest from an iSCSI disk ? getting more diagnostics than "cannot make domain: -3" ? how to make domain0 "privileged" ?
Aha! Finally I discovered 'xl dmesg' and saw
'Xen does not allow DomU creation on this CPU for security reasons.'

o why not give an option to make Xen write to the standard kernel log, so I could have found this message with 'dmesg'? It is far from obvious from the documentation that this is the only way of seeing Xen log messages.

It appears the dom0 CPU has AMD Errata 121 - see:
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html

But since both my dom0 kernel (3.7.9-1-ARCH) and my domU kernel (2.6.39-300.26.1.el6uek) apparently have the fix for this errata, I added 'allow_unsafe' to the Xen dom0 boot command line, and I'm now able to progress beyond the EPERM issue.

It would have been nice if Xen or xl could have emitted some log message other than 'cannot make domain: -3', particularly when it was Xen itself that was refusing to allow the domain creation to proceed.

It would also have been nice if Xen could have recognized that it was running kernels with the fix for this issue, and NOT silently disabled domain creation.

Regards,
Jason

On Thu, Feb 21, 2013 at 5:29 PM, Jason Vas Dias <jason.vas.dias@xxxxxxxxx> wrote:
> Good day -
>
> This is my first post to this list, and I'm new to Xen - any help on
> this issue would be much appreciated.
>
> I downloaded, built and installed xen-4.2.1 (hypervisor and tools) on
> an x86_64 ArchLinux box updated to latest software as of today.
>
> I am trying to bring up a Linux guest from a remote iSCSI disk.
>
> The iSCSI-initiator (open-iscsi) logs in to the remote target OK and
> makes it available as /dev/sde, on which is a bootable linux
> distribution, containing /boot/vmlinuz* etc.
> I can mount this iSCSI disk rw OK on the domain_0 host - so presumably
> I should be able to boot up a guest domain from it?
>
> I modified the domain_0 host's boot arguments to boot Xen OK:
>
> multiboot /boot/xen.gz dom0_mem=1024M loglvl=all guest_loglvl=all
> module /boot/vmlinuz-linux root=/dev/sda2 ro debug
> module /boot/initramfs-linux.img
>
> and made an /etc/xen/${domain}.cfg file:
> #
> # xl.cfg(1) file for booting the iSCSI share:
> #
> name="$domain"
> #vcpus=1
> #uuid="ceb083a2-feaa-45b0-afe2-3bd44eb4d8c3"
> memory=1024
> on_poweroff="destroy"
> on_reboot="destroy"
> disk=["/dev/sde,raw,hda,rw"]
> vif=["mac=00:09:3d:13:0d:57,model=tg3,bridge=xenbr0"]
> kernel="/boot/vmlinuz-2.6.39-300.26.1.el6uek.x86_64"
> ramdisk="/boot/initramfs-2.6.39-300.26.1.el6uek.x86_64.img"
>
> Is the disk line OK? Anything else wrong with this file?
>
> But attempting to create the domain, as root, fails:
> # xl -vvv create -c /etc/xen/${domain}.cfg
> Parsing config from ${domain}.cfg
> libxl: debug: libxl_create.c:1174:do_domain_create: ao 0x119c890: create: how=(nil) callback=(nil) poller=0x119c920
> libxl: error: libxl_create.c:420:libxl__domain_make: domain creation fail
> libxl: error: libxl_create.c:646:initiate_domain_create: cannot make domain: -3
> libxl: error: libxl.c:1394:libxl__destroy_domid: non-existant domain -1
> libxl: error: libxl.c:1358:domain_destroy_callback: unable to destroy guest with domid 4294967295
> libxl: error: libxl_create.c:1153:domcreate_destruction_cb: unable to destroy domain 4294967295 following failed creation
> libxl: debug: libxl_event.c:1499:libxl__ao_complete: ao 0x119c890: complete, rc=-3
> libxl: debug: libxl_create.c:1187:do_domain_create: ao 0x119c890: inprogress: poller=0x119c920, flags=ic
> libxl: debug: libxl_event.c:1471:libxl__ao__destroy: ao 0x119c890: destroy
> xc: debug: hypercall buffer: total allocations:5 total releases:5
> xc: debug: hypercall buffer: current allocations:0 maximum allocations:2
> xc: debug: hypercall buffer: cache current size:2
> xc: debug: hypercall buffer: cache hits:3 misses:2 toobig:0
>
> Even though I've enabled all possible log messages in Xen with
> 'loglvl=all guest_loglvl=all' (or have I?)
> I don't see any log messages about this failed attempt to create a
> domain at all, in dmesg output or in the system log.
>
> Tracing this command in gdb shows the hypervisor command is returning
> -1, with errno set to 1 (EPERM):
>
> libxl: debug: libxl_create.c:1174:do_domain_create: ao 0x622890: create: how=(nil) callback=(nil) poller=0x622920
>
> Breakpoint 2, xc_domain_create (xch=0x622240, ssidref=0, handle=handle@entry=0x7fffffffe1b0 "\316\260\203\242\376\252E\260\257\342;\324N\264\330\303\031", flags=flags@entry=0, pdomid=pdomid@entry=0x7fffffffe28c) at xc_domain.c:33
> 33 {
> (gdb) n
> 37 domctl.cmd = XEN_DOMCTL_createdomain;
> (gdb)
> 38 domctl.domain = (domid_t)*pdomid;
> (gdb)
> 39 domctl.u.createdomain.ssidref = ssidref;
> (gdb)
> 40 domctl.u.createdomain.flags = flags;
> (gdb)
> 41 memcpy(domctl.u.createdomain.handle, handle, sizeof(xen_domain_handle_t));
> (gdb)
> 42 if ( (err = do_domctl(xch, &domctl)) != 0 )
> (gdb) s
> do_domctl (domctl=0x7fffffffe0a0, xch=0x622240) at xc_private.h:239
> 239 DECLARE_HYPERCALL_BOUNCE(domctl, sizeof(*domctl), XC_HYPERCALL_BUFFER_BOUNCE_BOTH);
> (gdb) n
> 241 domctl->interface_version = XEN_DOMCTL_INTERFACE_VERSION;
> (gdb)
> 243 if ( xc_hypercall_bounce_pre(xch, domctl) )
> (gdb)
> 249 hypercall.op = __HYPERVISOR_domctl;
> (gdb)
> 250 hypercall.arg[0] = HYPERCALL_BUFFER_AS_ARG(domctl);
> (gdb)
> 252 if ( (ret = do_xen_hypercall(xch, &hypercall)) < 0 )
> (gdb) s
> do_xen_hypercall (xch=xch@entry=0x622240, hypercall=hypercall@entry=0x7fffffffe070) at xc_private.c:246
> 246 return xch->ops->u.privcmd.hypercall(xch, xch->ops_handle, hypercall);
> (gdb) s
> linux_privcmd_hypercall (xch=<optimized out>, h=9, hypercall=0x7fffffffe070) at xc_linux_osdep.c:116
> 116 return ioctl(fd, IOCTL_PRIVCMD_HYPERCALL, hypercall);
> (gdb) fin
> Run till exit from #0 linux_privcmd_hypercall (xch=<optimized out>, h=9, hypercall=0x7fffffffe070) at xc_linux_osdep.c:116
> do_xen_hypercall (xch=xch@entry=0x622240, hypercall=hypercall@entry=0x7fffffffe070) at xc_private.c:247
> 247 }
> Value returned is $3 = -1
> (gdb) fin
> Run till exit from #0 do_xen_hypercall (xch=xch@entry=0x622240, hypercall=hypercall@entry=0x7fffffffe070) at xc_private.c:247
> 0x00007ffff775b340 in do_domctl (domctl=0x7fffffffe0a0, xch=0x622240) at xc_private.h:252
> 252 if ( (ret = do_xen_hypercall(xch, &hypercall)) < 0 )
> Value returned is $4 = -1
> (gdb) p errno
> $5 = 1
>
> Any ideas how to get this working, or on where I could get better
> diagnostics?
>
> I'm guessing this is caused by this code in arch/x86/platform_hypercall.c:
>
> ret_t do_platform_op(XEN_GUEST_HANDLE(xen_platform_op_t) u_xenpf_op)
> {
>     ret_t ret = 0;
>     struct xen_platform_op curop, *op = &curop;
>
>     if ( !IS_PRIV(current->domain) )
>         return -EPERM;
>
> So how do I make the IS_PRIV macro return non-zero for my domain_0,
> ie. set d->is_privileged / make my domain0 into a "privileged" domain?
> What is meant by "privileged" in this context?
>
> There seems to be no documentation on this issue in any manual page
> installed by xen's 'make install', or anywhere else I could find.
>
> Thanks in advance for any replies,
> Regards, Jason

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
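
Added example, not part of the original post or of Xen's own tooling: a triage script for the bare 'cannot make domain: -3' failure discussed in this message. It checks the hypervisor log for the refusal text quoted above and flags a host that was booted with 'allow_unsafe'. The function names, verdict strings and sample inputs are constructed for illustration, and the script assumes 'xl info' reports the hypervisor command line in its xen_commandline field.

```sh
#!/bin/sh
# Added example (not from the original post): triage for "cannot make domain: -3".
# The refusal text and the allow_unsafe option are quoted from the post; the
# function names, verdict strings and sample inputs are constructed here.

REFUSAL='Xen does not allow DomU creation on this CPU for security reasons'

# cmdline_token CMDLINE NAME: print the first token that is NAME or NAME=value.
cmdline_token() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -E "^$2(=.*)?\$" | head -n 1
}

# classify LOG CMDLINE: print one verdict for the host.
classify() {
    override=$(cmdline_token "$2" allow_unsafe || true)
    if [ -n "$override" ]; then
        # The safety check was overridden at boot; worth flagging in an audit.
        echo "override:$override"
    elif printf '%s\n' "$1" | grep -qF "$REFUSAL"; then
        # The hypervisor refused domU creation; xl only shows the bare error code.
        echo "refused"
    else
        echo "clean"
    fi
}

# Constructed samples: a hypervisor log as 'xl dmesg' would print it, and a
# command line as 'xl info' reports it in its xen_commandline field.
SAMPLE_LOG='(XEN) Xen version 4.2.1
(XEN) Xen does not allow DomU creation on this CPU for security reasons.'
SAMPLE_CMDLINE='dom0_mem=1024M loglvl=all guest_loglvl=all'

# On a real dom0, run as root with --live to read the actual values.
if [ "${1:-}" = "--live" ]; then
    classify "$(xl dmesg)" "$(xl info | sed -n 's/^xen_commandline *: *//p')"
else
    classify "$SAMPLE_LOG" "$SAMPLE_CMDLINE"
fi
```

A verdict of "override:..." means the hypervisor's safety check is disabled on that host, so it should appear in any configuration audit even though domain creation now succeeds.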