...


Copyright 2013 by Citrix Systems, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.


Copyright 2015 by Assured Information Security, Inc. Contributions by Martin Osterloh <osterlohm@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.


Table of Contents

Introduction

...

Code Block
languagebash
# nothing can be done by default
deny all

# allow stubdoms to talk to surfman, xenmgr, dbus
allow stubdom true destination com.citrix.xenclient.surfman
allow stubdom true destination com.citrix.xenclient.xenmgr
allow stubdom true destination org.freedesktop.DBus interface org.freedesktop.DBus

# allow guests to call 'gather' on diagnostics interface (required by xc-diag)
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.diag member gather

# allow anybody to do some vm queries required for switcher bar
allow destination com.citrix.xenclient.xenmgr interface org.freedesktop.DBus.Properties member Get
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member list_vms
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member get_db_key
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member read_icon
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member switch
allow destination com.citrix.xenclient.input interface com.citrix.xenclient.input member get_focus_domid
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member find_vm_by_domid

# allow guest to do some requests
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.guestreq member request_attention

# allow conditional domstore (private db space) access
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read_binary if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member list if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member exists if-boolean domstore-read-access true

# allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member write if-boolean domstore-write-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member rm if-boolean domstore-write-access true
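
The rules above are only useful if you can predict what they permit for a given caller. The following is an added example (my code, not part of the original page or of OpenXT's rpc-proxy): a small evaluator for the rule language shown, fed with a subset of the rules above as constructed input. It assumes that rules are checked top to bottom and that the last matching rule wins, so with "deny all" first any later matching allow permits the call; the per-VM booleans consulted by if-boolean are passed in as a plain dict rather than read from the VM database.

```python
# Added example, not part of OpenXT: evaluate rpc-proxy style rules.
# Assumption: rules apply top to bottom, last match wins, default deny.

RULES_TEXT = """\
# nothing can be done by default
deny all
# allow stubdoms to talk to surfman, xenmgr, dbus
allow stubdom true destination com.citrix.xenclient.surfman
allow stubdom true destination com.citrix.xenclient.xenmgr
allow stubdom true destination org.freedesktop.DBus interface org.freedesktop.DBus
# allow anybody to do some vm queries required for switcher bar
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member list_vms
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member switch
# allow conditional domstore (private db space) access
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member rm if-boolean domstore-write-access true
"""

MATCH_KEYS = ("stubdom", "destination", "interface", "member")


def parse_rules(text):
    """Parse rules into (verb, match, cond) triples.

    match maps a message field to the value it must carry; an empty match
    ("deny all") matches every message. cond is None or a
    (property-name, required-bool) pair taken from an if-boolean clause.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        verb, rest = toks[0], toks[1:]
        if verb not in ("allow", "deny"):
            raise ValueError("line %d: unknown verb %r" % (lineno, verb))
        if rest == ["all"]:
            rules.append((verb, {}, None))
            continue
        match, cond, i = {}, None, 0
        while i < len(rest):
            key = rest[i]
            if key == "if-boolean" and len(rest) >= i + 3:
                cond = (rest[i + 1], rest[i + 2] == "true")
                i += 3
            elif key in MATCH_KEYS and len(rest) >= i + 2:
                val = rest[i + 1]
                match[key] = (val == "true") if key == "stubdom" else val
                i += 2
            else:
                raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        rules.append((verb, match, cond))
    return rules


def evaluate(rules, msg, vm_props):
    """True if msg is allowed. msg carries the MATCH_KEYS fields; vm_props
    holds the calling VM's boolean properties (constructed for the example;
    in OpenXT they would come from the VM's database record)."""
    verdict = "deny"  # fail closed if no rule matches at all
    for verb, match, cond in rules:
        if any(msg.get(k) != v for k, v in match.items()):
            continue
        if cond is not None and bool(vm_props.get(cond[0], False)) != cond[1]:
            continue
        verdict = verb
    return verdict == "allow"


def allowed(stubdom, destination, interface, member, **vm_props):
    """Convenience wrapper: would rpc-proxy let this call through?"""
    msg = {"stubdom": stubdom, "destination": destination,
           "interface": interface, "member": member}
    return evaluate(parse_rules(RULES_TEXT), msg, vm_props)


if __name__ == "__main__":
    # a stubdom may call anything on surfman; an ordinary guest may not
    print(allowed(True, "com.citrix.xenclient.surfman", "x", "y"))
    print(allowed(False, "com.citrix.xenclient.surfman", "x", "y"))
```

Note what the stubdom rules give away: a rule with only "stubdom true destination X" and no interface or member permits every method on X, so a compromised stubdom has the full surfman and xenmgr surface, while a plain guest only gets the listed members. The domstore rules fail closed when the property is unset.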

...

It is sometimes handy to turn off the automatic overwriting of service VM templates on each xenmgr start, so that the service VM can be reconfigured by hand with xec-vm. This is done with:

$ db-write /xenmgr/overwrite-<vmtype>-settings false

for example, for the NDVM: db-write /xenmgr/overwrite-ndvm-settings false

...

This configures how the toolstack handles requests to put a VM into S3. Note that this does not affect requests made from within the guest, only requests originating from the UI, closing the laptop lid, etc. It can be one of the following:

...

  • XenMgr/Connect/* - wrappers to access other daemons in the system
  • XenMgr/Expose/* - entry points for all xenmgr's dbus server rpcs
  • XenMgr/CdLock.hs - relatively new code for handling the AFRL request cd drive lock model
  • XenMgr/Config.hs - global xenmgr config storage/query
  • XenMgr/Diagnostics.hs - gathering status reports from vms + other diagnostics
  • XenMgr/Diskmgr.hs - vhd creation
  • XenMgr/Errors.hs - definition of numbered errors reported to the UI
  • XenMgr/Host.hs - lots of host level query functions (eth0 mac addresses, bios versions, xc versions, update state etc)
  • XenMgr/HostOps.hs - host shutdown/sleep/hibernate/reboot entry points
  • XenMgr/PowerManagement.hs - actual implementation of host shutdown/sleep/hibernate/reboot etc plus code to handle lid state changes
  • XenMgr/Notify.hs - wrappers for easier generation of various dbus signals
  • XenMgr/Rpc.hs - definition of Rpc monad used in xenmgr for dbus access
  • XenMgr/XM.hs - definition of the XM monad, based on a reader monad containing context for all vms. Useful for cross-vm interactions which require locking / synchronization

...

you can put the following parameters in your config file (type column: s = string, b = boolean, i = integer, k=v = key/value pair):

(common options)

key name            type  description
hvm                 b     specify that the guest is HVM (see "hvm = true" in the sample config below)
startup             s     specify what to do with the domain at startup; possible values: started, paused, shutdown or restore
debug               b     logs all operations to /tmp/xenvm-debug-%uuid
uuid                s     specify the domain uuid (defaults to autogeneration)
on_crash            s     specify the action to be taken after notifying a crash/halt/reboot;
on_halt             s     possible values: preserve, reboot, destroy
on_reboot           s
kernel              s     specify where to find the kernel to boot (can be empty for hvm, defaults to hvmloader)
memory              i     specify the memory given to the guest in megabytes
vcpus               i     number of vcpus available to the guest
disk                s     add a virtual disk.
                          format: physpath:phystype:virtpath:mode:devtype[:k=v...]
                          - physpath: path to the disk image, raw device, ...
                          - phystype: phy (the sample config below also uses file)
                          - virtpath: hd(a-d)
                          - mode: r (the sample config below also uses w)
                          - devtype: cdrom (the sample config below also uses disk)
                          - extra k=v arguments (cipher, key-size, key-file)
nic                 s     add a virtual nic.
                          format: key=value,key=value,... (can be empty)
                          supported keys: bridge, mac, id
                          examples:
                            "nic = bridge=xen-br0,mac=ab:ef:fe:dc:ba:ab"
                            "nic = mac=ab:ef:fe:dc:ba:ab"
                            "nic = "
pci                 s     add a pci device.
                          format: devid,bind,domain:bus:device.function
serial              s     redirect serial to a device or to the network (tcp:ip:port)
                          ex: "pty" or "tcp:1.2.3.4:1234"
display             s     details the type of display available for the guest
                          format: :key[=value],key[=value],...
                          possible values:
                          - none
                          - vnc (keys allowed: use-port-unused, keymap, port)
                          - sdl
                          - intel

(the following are only useful for pv)

key name            type  description
cmdline             s     command line given to the kernel
initrd              s     specify the initrd to use, leave empty for none

(the following are only useful for hvm)

key name            type  description
pae                 b     specify that the guest is using PAE
acpi                b     specify that the guest is using ACPI
apic                b     specify that the guest is using APIC
nx                  b     specify that the guest is using NX
smbios-pt           b     specify that the guest is using smbios pass-through
smbios-oem-type-pt  i     table numbers to pass through
acpi-pt             b     specify that the guest is using ACPI pass-through
diskinfo-pt         b     specify that the guest is using SCSI diskinfo pass-through
boot                s     specify the qemu boot string
extra-hvm           k=v   specify extra arguments passed through to qemu as -k v
power-management    i     specify the power management passthrough mode
                          - 1 : pass-through mode (limited scope)
                          - 2 : non pass-through mode (if in doubt use this)
oem-features        i     specify whether or not to pass through oem features.
                          Note: at the moment any integer value can be passed, but this is
                          likely to change in future, especially if we decide to pass through
                          a subset of oem features and let the user configure that subset.
timer-mode          i     specify the timer mode used.
timeoffset          s     specify the time offset (i.e. timezone) used.
pci-msitranslate    i     specify whether to use MSI-INTx translation for the guest.
pci-power-management i    specify whether or not to enable Dx power management for passthrough devices.
inject-sci          i     specify whether or not to inject SCIs like lid close or power button press
                          into the guest. (Default: no injection)

Sending command to the monitor

...

Code Block
languagetext
uuid = 00000000-0000-0000-0000-000000000002
hvm = true
memory = 256
disk = /dev/vg/testhvm:phy:hda:w:disk
disk = /var/opt/xen/iso_import/w2k3eesp2.iso:file:hdd:r:cdrom
boot = dc
pae = true
acpi = true
apic = true
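
The key table and the sample config above describe a format but give no way to check a file against it before handing it to the toolstack. The following is an added example (my code, not part of the original page or of xenvm): a parser that validates a xenvm config against that table and rejects anything the table does not describe, so a typo or an unexpected disk mode fails loudly instead of reaching xenvm. It assumes "key = value" lines with "#" starting a comment, takes the value sets listed in the table (plus the phystype/mode/devtype values that appear in the sample config) as exhaustive, and embeds the sample config above as its test input.

```python
# Added example, not part of xenvm: validate a xenvm config against the
# key table above. Assumptions: "key = value" lines, "#" comments, and the
# value sets in the table are exhaustive.
import re

# key -> type from the table: s string, b boolean, i integer, kv "k=v",
# disk/nic the structured formats described under the table
SCHEMA = {
    "hvm": "b", "startup": "s", "debug": "b", "uuid": "s", "on_crash": "s",
    "on_halt": "s", "on_reboot": "s", "kernel": "s", "memory": "i", "vcpus": "i",
    "disk": "disk", "nic": "nic", "pci": "s", "serial": "s", "display": "s",
    "cmdline": "s", "initrd": "s", "pae": "b", "acpi": "b", "apic": "b", "nx": "b",
    "smbios-pt": "b", "smbios-oem-type-pt": "i", "acpi-pt": "b", "diskinfo-pt": "b",
    "boot": "s", "extra-hvm": "kv", "power-management": "i", "oem-features": "i",
    "timer-mode": "i", "timeoffset": "s", "pci-msitranslate": "i",
    "pci-power-management": "i", "inject-sci": "i",
}
REPEATABLE = {"disk", "nic", "pci", "extra-hvm"}   # may appear more than once
ACTIONS = {"preserve", "reboot", "destroy"}
ENUMS = {"startup": {"started", "paused", "shutdown", "restore"}, "on_crash": ACTIONS,
         "on_halt": ACTIONS, "on_reboot": ACTIONS, "power-management": {1, 2}}
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)


def parse_disk(spec):
    """physpath:phystype:virtpath:mode:devtype[:k=v...]"""
    parts = spec.split(":")
    if len(parts) < 5:
        raise ValueError("disk needs 5 colon-separated fields: %r" % spec)
    physpath, phystype, virtpath, mode, devtype = parts[:5]
    extra = {}
    for kv in parts[5:]:
        k, eq, v = kv.partition("=")
        if not eq or k not in ("cipher", "key-size", "key-file"):
            raise ValueError("bad disk option %r in %r" % (kv, spec))
        extra[k] = v
    ok = (phystype in ("phy", "file") and re.fullmatch(r"hd[a-d]", virtpath)
          and mode in ("r", "w") and devtype in ("disk", "cdrom"))
    if not ok:
        raise ValueError("bad phystype/virtpath/mode/devtype in %r" % spec)
    return {"physpath": physpath, "phystype": phystype, "virtpath": virtpath,
            "mode": mode, "devtype": devtype, "extra": extra}


def parse_nic(spec):
    """key=value,key=value,... (may be empty); keys bridge, mac, id"""
    nic = {}
    for item in filter(None, spec.split(",")):
        k, _, v = item.partition("=")
        if k not in ("bridge", "mac", "id"):
            raise ValueError("unknown nic key %r" % k)
        nic[k] = v
    if "mac" in nic and not MAC_RE.fullmatch(nic["mac"]):
        raise ValueError("bad mac %r" % nic["mac"])
    return nic


def convert(key, val):
    """Turn the raw string into a typed value, or raise ValueError."""
    kind = SCHEMA[key]
    if kind == "disk":
        return parse_disk(val)
    if kind == "nic":
        return parse_nic(val)
    if kind == "kv":
        k, eq, v = val.partition("=")
        if not eq or not k:
            raise ValueError("%s must be k=v, got %r" % (key, val))
        return (k, v)
    if kind == "b":
        if val not in ("true", "false"):
            raise ValueError("%s must be true or false, got %r" % (key, val))
        return val == "true"
    if kind == "i":
        if not re.fullmatch(r"-?\d+", val):
            raise ValueError("%s must be an integer, got %r" % (key, val))
        val = int(val)
    if key in ENUMS and val not in ENUMS[key]:
        raise ValueError("%s: %r not one of %s" % (key, val, sorted(ENUMS[key])))
    return val


def parse_config(text):
    """Parse a whole config; repeatable keys become lists."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, eq, val = (p.strip() for p in line.partition("="))
        if not eq or key not in SCHEMA:
            raise ValueError("line %d: unknown or malformed entry %r" % (lineno, raw))
        value = convert(key, val)
        if key in REPEATABLE:
            cfg.setdefault(key, []).append(value)
        elif key in cfg:
            raise ValueError("line %d: %s given twice" % (lineno, key))
        else:
            cfg[key] = value
    return cfg


def rejects(fn, arg):
    """True if fn(arg) raises ValueError (used to exercise the checks)."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False


# the sample config shown above, embedded as constructed test input
SAMPLE = """\
uuid = 00000000-0000-0000-0000-000000000002
hvm = true
memory = 256
disk = /dev/vg/testhvm:phy:hda:w:disk
disk = /var/opt/xen/iso_import/w2k3eesp2.iso:file:hdd:r:cdrom
boot = dc
pae = true
acpi = true
apic = true
"""
```

The strictness is deliberate: an unknown key, a duplicated single-valued key or a disk option outside cipher/key-size/key-file is an error rather than something silently ignored, which is the behaviour you want in front of a toolstack that will otherwise act on whatever it happens to understand.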

LibXL / XL Installation Instructions

This section highlights how to install the current LibXL (plus associated XL binary) in OpenXT and how to use it. 

Installation of LibXL and XL

Firstly, we will make sure that LibXL and its associated binary will be compiled as part of the xen-tools package. In order to do so, we edit the file build/repos/xenclient-oe/recipes-extended/xen/xen-tools.bb  to contain:

oe_runmake -C tools subdir-all-libaio
oe_runmake -C tools subdir-all-blktap2
oe_runmake -C tools subdir-all-libxl

within the function do_compile() and 

oe_runmake -C tools subdir-install-blktap2
oe_runmake -C tools subdir-install-libxl

within the function do_install(). This will compile and install the necessary libraries and binaries to use LibXL. The next step is to ensure that the previously used blktap library is no longer in use. There are four recipes that reference the blktap library. They are:

Removing the occurrences of blktap (and making sure that xen-tools is listed) will guarantee that Xen's blktap library is being used from now on.

The interface of the new blktap library has changed slightly, so we need to make a few changes to the install scripts to accommodate the changes.

In the xenclient-installer directory, edit the file:

part2/stages/Functions/install-main 

and replace tap-ctl destroy calls with:

tap-ctl destroy -p $UIVM_GCONF_DEV_PID -m $UIVM_GCONF_DEV_TRUNC >&2

The complete source can be found on my github page.

Once the installer is edited, we can make a new build via 

./do_build.sh -s dom0,installer,installer2,ship

You will notice that uivm will not come up. That is because our blktap binary still works with the old blktap library interface. We can work around that particular problem by moving /usr/sbin/tap-ctl to /usr/sbin/tap-ctl.bak and pasting the following wrapper in its place as /usr/sbin/tap-ctl:

#!/bin/ash
# Wrapper that lets callers written for the old tap-ctl talk to the new one:
# drop the -R flag from "create" calls and turn "destroy <minor>" into
# "destroy -p <pid> -m <minor>". Everything else passes straight through.
REAL=/usr/sbin/tap-ctl.bak

case " $* " in
*" create "*)
    # the new tap-ctl no longer accepts -R
    set -- $(echo "$@" | sed 's/-R//')
    exec "$REAL" "$@"
    ;;
*" destroy "*)
    # the minor is the last argument (the original wrapper took only its
    # last character, which breaks for minors of 10 and above)
    for MINOR in "$@"; do :; done
    # "tap-ctl list -m <minor>" prints "pid=NNNN ..." for the owning tapdisk
    PID=$("$REAL" list -m "$MINOR" | sed -n 's/^[[:space:]]*pid=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$PID" ] || { echo "tap-ctl wrapper: no tapdisk for minor $MINOR" >&2; exit 1; }
    exec "$REAL" destroy -p "$PID" -m "$MINOR"
    ;;
*)
    exec "$REAL" "$@"
    ;;
esac

At this point, we need to make modifications to the running OpenXT system to allow XL to operate. In particular, we need to disable flask in /boot/system/grub/grub.cfg. Note that this turns off XSM/FLASK policy enforcement for the whole host, so only do it on a development box. After a reboot, we can proceed to paste the following into /usr/lib/xen/bin/qemu-system-i386:

#!/bin/bash
# Bring-up hack: hand each qemu invocation the next domid from a counter in
# /tmp/domid, then exec the real qemu with fixed arguments (tapdev0 as the
# guest's IDE disk, display via surfman). exec keeps the device model's pid
# the one libxl started, instead of this shell's.
DOMID=$(cat /tmp/domid)
echo $((DOMID + 1)) > /tmp/domid
exec /usr/bin/qemu-system-i386 -xen-domid "$DOMID" -nodefaults -name qemu-3.0 \
    -machine xenfv,max-ram-below-4g=0xf0000000 -m 1024 -vga std -display surfman \
    -drive file=/dev/xen/blktap-2/tapdev0,if=ide,index=0,media=disk,format=raw,readonly=off

Make sure that /tmp/domid exists and initially contains "1". A sample config file for a Win7 HVM guest can be:

builder = "hvm"
name = "Win7x64"
uuid = "8d85049a-9bdd-11e2-9e91-18037322eba8"
memory = 1024
vcpus = 1
disk = [ '/dev/xen/blktap-2/tapdev0,raw,xvda,rw' ]
vnc = 1
videoram = 16

Note that the disk has to be a tap device since our QEMU does not understand VHDs. XL should now be able to create a domain and at least start the guest.

 

...