Versions Compared

Old Version 15

changes.mady.by.user Ross Philipson

Saved on

compared with

New Version Current

changes.mady.by.user Tim Konick

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
iconNone

Copyright 2013 by Citrix Systems, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

Info
iconNone

Image Removed

Copyright 2015 by Assured Information Security, Inc. Contributions by Martin Osterloh <osterlohm@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.


Table of Contents

Introduction

...

Code Block
languagebash
# nothing can be done by default
deny all

# allow stubdoms to talk to surfman,xenmgr,dbus
allow stubdom true destination destination com.citrix.xenclient.surfman
allow stubdom true destination com.citrix.xenclient.xenmgr
allow stubdom true destination org.freedesktop.DBus interface org.freedesktop.DBus

# allow guests to call 'gather' on diagnostics interface (required by xc-diag)
allow destination destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.diag member gather

# allow anybody to do some vm queries required for switcher bar
allow destination destination com.citrix.xenclient.xenmgr interface org.freedesktop.DBus.Properties member Get
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member list_vms
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member get_db_key
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member read_icon
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member switch
allow destination com.citrix.xenclient.input interface com.citrix.xenclient.input member get_focus_domid
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member find_vm_by_domid

# allow guest to do some requests allow destination 
com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.guestreq member request_attention

# allow conditional domstore (private db space) access 
allow destination destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read_binary if-boolean domstore-read-access true
trueallowallow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member list if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member exists if-boolean domstore-read-access true

#
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member write if-boolean domstore-write-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member rm if-boolean domstore-write-access true

...

It's sometimes handy to turn off the automatic overwrite of service VM templates each xenmgr start, so that the service VM can be reconfigured via manual xec-vm invocations. This can be achieved via

$ db-write /xenmgr/overwrite-<vmtype>-settings false

for example for NDVM: db-write /xenmgr/overwrite-ndvm-settings false

...

This configures how the toolstack handles requests to put a VM to S3. Note that this doesn't affect requests made from within guest, but just requests originating from the UI / closing the laptopt laptop lid etc. It can be one of the following:

...

  • XenMgr/Connect/* - wrappers to access other daemons in the system
  • XenMgr/Expose/* - entry points for all xenmgr's dbus server rpcs
  • XenMgr/CdLock.hs - relatively new code for handling the AFRL request cd drive lock model
  • XenMgr/Config.hs - global xenmgr config storage/query
  • XenMgr/Diagnostics.hs - gathering status reports from vms + other diagnostics
  • XenMgr/Diskmgr.hs - vhd creation
  • XenMgr/Errors.hs - definition of numbered errors reported to the UI
  • XenMgr/Host.hs - lots of host level query functions (eth0 mac adreesesadresses, bios versions, xc versions, update state etc)
  • XenMgr/HostOps.hs - host shutdown/sleesleep/hibernate/reboot entry points
  • XenMgr/PowerManagement.hs - actual implementation of host shutdown/sleep/hibernate/reboot etc plus code to handle lid state changes
  • XenMgr/Notify.hs - wrappers for easier generation of various dbus signals
  • XenMgr/Rpc.hs - definition of Rpc monad used in xenmgr for dbus access
  • XenMgr/XM.hs - definition of XM monad based on reader monad containing context forall vms. Useful for doing some cross vm interactions which require locking / synchronization

...

you can put the following parameters in your config file:

(common options)

key nametypedescription
hvmscommand line given to the kernel
startupsspecify what to do with the domain at startup possibles value: started, paused, shutdown or restore
debugblogs all operations to /tmp/xenvm-debug-%uuid
uuidsspecify the domain uuid (default to autogeneration)
on_crashsspecify the action to be taken after notifying a
on_haltscrash/halt/reboot. possible values:
on_rebootspreserve, reboot, destroy
kernelsspecify where to find the kernel to boot (can be empty for hvm. default to hvmloader)
memoryispecify the memory given to the guest in megabytes
vcpusinumber of vcpus available to the guest
disksadd a virtual disk.
  


format: physpath:phystype:virtpath:mode:devty[:k=v...]
  


- physpath: path to the disk image, raw device, ..
  


- phystype: phy
  


- virtpath: hd(a-d)
  


- mode: r
  


- devtype = cdrom
  


- extra k=v arguments (cipher, key-size, key-file)
nicsadd a virtual nic.
  


format: key=value,key=value,... (can be empty)
 
 


supported key: bridge, mac, id
 
 


examples:
  


"nic = bridge=xen-br0,mac=ab:ef:fe:dc:ba:ab"
  


"nic = mac=ab:ef:fe:dc:ba:ab"
 
 


"nic = "
pcisadd a pci device.
 
 


format: devid,bind,domain:bus device.function
serialsredirect serial to device or network tcp:ip:port
  


ex: "pty" or "tcp:1.2.3.4:1234"
displaysdetails the type of display available for the guest
  


format: :key[=value],key[=value],...
  


possible values:
  


- none
  


- vnc (keys allowed: use-port-unused, keymap, port)
  


- sdl
  


- intel

(the following are just useful for pv)

key nametypedescription
cmdlinescommand line given to the kernel
initrdsspecify the initrd use, leave empty for none

(the following are just useful for hvm)

key nametypedescription
paebspecify that the guest is using PAE
acpibspecify that the guest is using ACPI
apicbspecify that the guest is using APIC
nxbspecify that the guest is using NX
smbios-ptbspecify that the guest is using smbios pass-through
smbios-oem-type-ptitables number to passthrough
acpi-ptbspecify that the guest is using ACPI pass-through
diskinfo-ptbspecify the guest is using SCSI diskinfo pass-through
bootsspecify the qemu boot string
extra-hvmk=vspecify extra arguments passthrough to qemu as -k v
power-managementispecify the power management passthrough mode
  


- 1 : pass-through mode (limited scope)
  


- 2 : non pass-through mode (in doubt use this)
oem-featuresispecify whether or not to pass through oem features.
 
 


Note: At the moment any integer value can be passed
 
 


but this is likely to change in future especially if
  


we decide to pass through a subset of oem features
 
 


and let user configure that subset.
timer-modeispecify the timer mode used.
timeoffsetsspecify the time offset (i.e. timezone) used.
pci-msitranslateispecify whether to use MSI-INTx translation for guest.
pci-power-managementispecify whether or not to enable Dx power management
  


for passthrough devices.
inject-sciispecify whether or not to inject SCIs like lid close,
  


power button press to guest. (Default: no injection)

Sending command to the monitor

...