Getting started with Xen virtualization
The powerful and popular Xen virtualization system offers an easy solution for running Windows on Linux.
The popular Xen virtualization system lets you install different operating systems on the same hardware to leverage computational power efficiently.
In this article, we describe how to get started with Xen in Debian Etch, and you will learn about starting the guest and host systems and even how to set up a Windows guest on a Linux host. Some of the details might differ for other distros, but the steps are similar.
Etch with Xen 3.0.3
In the community, one software solution has practically become the virtualization standard. Xen, by the University of Cambridge, has a number of points in its favor. Because it emulates a complete computer in a style similar to VMware, users have an almost unrestricted choice of guest operating systems. Many management tools are available and the simple configuration procedure takes just a few steps. Debian has recognized these benefits, and Etch now has full support for Xen.
Although Debian 4.0 includes Xen, version 3.0.3 is not exactly state of the art. The tips and advice in this article can't be applied one-to-one to later versions of Xen in many cases because the configuration file layout, and other things, have changed.
Monitored by a Hypervisor
Xen inserts a hypervisor beneath the kernel, running directly on the hardware (see Figure 1); the hypervisor uses the Xen Virtual Machine Monitor to access the hardware. The Xen hypervisor allocates resources to the individual virtual machines. A guest operating system communicates only with the hypervisor and is completely independent of the other guests.
The hypervisor binds the individual virtual machines to the network and supports communications with the outside world. In the world of Xen, the host system with the hypervisor is referred to as Dom 0 (or Domain 0), and a guest system is known as Dom U (Domain U).
The only task that Dom 0 has is to contain each active Dom U. When you are planning a Debian Xen system, a fresh Debian install is a perfect starting point. Although, theoretically, there is nothing to stop you from using Dom 0 for normal purposes, such as hosting a web server, the potential damage that an attacker could cause by hijacking Dom 0 is a very good reason to avoid running production services in Dom 0.
Any user with full access to Dom 0 also has complete control over every active Dom U. For this reason, it is important to move any services to a separate Dom U when using Xen and to start off with a fresh host system that does not run any services (with the exception of SSH).
Just a couple of steps are needed to make a Debian installation Xen-capable. Working as root, start by installing Xen and the bridge control programs that Xen needs to set up the network configuration. The package names are bridge-utils, xen-linux-system-2.6.18-3-xen-686, xen-tools, and libc6-xen. Xen replaces the legacy C library with a specially modified version.
After completing this step, disable the C library's TLS (thread-local storage) functionality; the easiest way of doing this is to move the library by typing mv /lib/tls /lib/tls.disabled. Because the following steps require Internet access, a network card must be set up in /etc/network/interfaces.
After installing a specially prepared Xen kernel, type lsmod and check the /etc/modules file to see whether the system provides a netloop module. To make sure that everything will work after you reboot, you should see an entry for netloop nloopbacks=255. Reboot the machine and, at the boot prompt, select the Debian Xen kernel before logging on in the normal way. Some dmesg output with various hypervisor messages concerning available processors or memory capacity should appear.
This takes care of the prerequisites for running a Dom U. Working as root, type xm list to see whether the hypervisor is working.
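The host-side checks from the steps above, together with the "no services except SSH" rule for Dom 0, as an added example in Python (not code from the article). The function names and the netstat sample are constructed for illustration; the root argument is an assumption that lets the file checks run against a test directory.

```python
import os

# Constructed sample of `netstat -tln` output from a Dom 0 (not from the article).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

def unexpected_listeners(netstat_text, allowed_ports=(22,)):
    """Return sorted (address, port) pairs for TCP listeners other than SSH."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            if int(port) not in allowed_ports:
                found.add((addr, int(port)))
    return sorted(found)

def check_prereqs(root="/"):
    """Check the two host changes described above, under filesystem root `root`."""
    problems = []
    if os.path.isdir(os.path.join(root, "lib/tls")):
        problems.append("/lib/tls still present (TLS library not disabled)")
    try:
        with open(os.path.join(root, "etc/modules")) as fh:
            entries = [line.split("#", 1)[0].split() for line in fh]
    except OSError:
        entries = []
    if ["netloop", "nloopbacks=255"] not in entries:
        problems.append("/etc/modules lacks 'netloop nloopbacks=255'")
    return problems
```

Loopback-only listeners are reported with their address so that you can decide whether they belong on the host or should move to a Dom U.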
The next step is to configure a guest machine, the first Dom U, which will be running Debian GNU/Linux Etch like the host machine in our example. First, you need to create a configuration file for Xen, then you need to install the guest operating system on your disk.
Files for Dom U
In Xen 3.0, the configuration files have their own special format. The files are stored in /etc/xen and have a file extension of .cfg. The Xen configuration file schema is fairly simple (Listing 1). name refers to a name that Xen uses to reference the Dom U; hostname refers to the virtual machine's hostname. kernel and ramdisk contain the full paths to the boot kernel and its ramdisk; root tells the kernel which of its partitions contains the root directory.
Listing 1: Xen Configuration for a Debian Dom U
    name="debian1"
    hostname="debian1"
    kernel = "/boot/vmlinuz-2.6.18-3-xen-686"
    ramdisk = "/boot/initrd.img-2.6.18-3-xen-686"
    memory = 512
    vcpus = 1
    vif = [ 'mac=aa:00:00:12:23:34, bridge=bridge0' ]
    disk = [ 'phy:/dev/hda3,hda1,w', 'phy:/dev/hda5,hda2,w' ]
    cdrom = "/dev/cdrom"
    root = "/dev/hda1"
The memory setting defines how much RAM the Xen hypervisor should reserve for this Dom U, and the disk entry specifies which disk or image files the Xen guest will detect. Because the guest machine also expects paths to the virtual filesystem, the administrator has to decide at this stage where the filesystems that will be created in the next step should be stored.
As you can see in Listing 1, a Dom U can also access a physical CD drive, specified as cdrom. The vcpus value specifies the number of processors that the Dom U is allowed to access. For example, if Dom 0 has a dual-core processor, you can use vcpus to specify whether the guest will be able to access one core or two.
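Because xm reads these files as Python code, a review script should parse them rather than execute them. The following added example (not from the article) loads Listing 1's disk and root lines with the ast module and reports any backing device that two guests open read-write; the second guest, "debian2", and all function names are hypothetical.

```python
import ast
from collections import defaultdict

# Name, disk and root lines from Listing 1, plus a constructed second guest
# ("debian2" is hypothetical) that reuses /dev/hda3 read-write.
DEBIAN1 = """
name = "debian1"
disk = [ 'phy:/dev/hda3,hda1,w', 'phy:/dev/hda5,hda2,w' ]
root = "/dev/hda1"
"""
DEBIAN2 = """
name = "debian2"
disk = [ 'phy:/dev/hda3,hda1,w' ]
root = "/dev/hda1"
"""

def load_cfg(text):
    """Read NAME = literal assignments without executing the file."""
    cfg = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError("line %d: not a plain assignment" % node.lineno)
        cfg[node.targets[0].id] = ast.literal_eval(node.value)
    return cfg

def parse_disk(entry):
    """Split 'phy:/dev/hda3,hda1,w' into (backend, guest device, mode)."""
    backend, guest_dev, mode = (part.strip() for part in entry.split(","))
    return backend, guest_dev, mode

def shared_writable(cfgs):
    """Map each backend opened read-write by more than one Dom U to its users."""
    users = defaultdict(list)
    for cfg in cfgs:
        for entry in cfg.get("disk", []):
            backend, _, mode = parse_disk(entry)
            if mode.startswith("w"):
                users[backend].append(cfg["name"])
    return {b: names for b, names in users.items() if len(names) > 1}

def root_is_exported(cfg):
    """True if the root= device is one of the guest devices listed in disk=."""
    guest_devs = {"/dev/" + parse_disk(e)[1] for e in cfg.get("disk", [])}
    root = cfg.get("root", "").split()
    return bool(root) and root[0] in guest_devs
```

load_cfg raises ValueError on imports, function calls, or anything else that is not a plain literal assignment, which is a useful signal when configuration files come from someone other than the Dom 0 administrator.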