From: Markus Armbruster <armbru@redhat.com>
To: Ewan Mellor <ewan@xensource.com>
Cc: xen-devel@lists.xensource.com,
"Andrew D. Ball" <aball@us.ibm.com>,
Christian Limpach <Christian.Limpach@cl.cam.ac.uk>
Subject: Re: Q: How to find own domid or uuid from domU?
Date: Tue, 23 May 2006 13:02:42 +0200
Message-ID: <87hd3hc8bx.fsf@pike.pond.sub.org>
In-Reply-To: <20060523100255.GA16064@leeni.uk.xensource.com> (Ewan Mellor's message of "Tue, 23 May 2006 11:02:55 +0100")

Ewan Mellor <ewan@xensource.com> writes:

> On Tue, May 23, 2006 at 09:31:21AM +0100, Christian Limpach wrote:
>
>> On Tue, May 23, 2006 at 09:52:00AM +0200, Markus Armbruster wrote:
>> > "Christian Limpach" <christian.limpach@gmail.com> writes:
>> >
>> > > There's a uuid node under the vm path. I.e. you'd do:
>> > > vmpath=$(xenstore-read vm)
>> > > uuid=$(xenstore-read $vmpath/uuid)
>> >
>> > Fails in domU:
>> >
>> > # xenstore-read vm
>> > /vm/947df77a-58b5-4e3d-9b6c-aa0178d8e133
>> > # xenstore-read /vm/947df77a-58b5-4e3d-9b6c-aa0178d8e133/uuid
>> > xenstore-read: couldn't read path /vm/947df77a-58b5-4e3d-9b6c-aa0178d8e133/uuid
>>
>> Indeed, it's either broken because we've set the permissions not to
>> allow domains to have access to the /vm tree or because we don't allow
>> domains to read outside of their "home" directory.
>
> Permissions for doing this are set in Xend. At the moment, for security, we
> only allow a domain to look at /local/domain/<domid>, and
> /local/domain/0/backend/<device type>/<domid>, IIRC. If it is reasonable to
> allow a guest to determine its UUID, then we could trivially add that to Xend,
> by allowing it to read that particular value from the vm directory.
>
> Ewan.

To me it feels like there's a rough consensus that there are
legitimate uses for the UUID in domU.

It was pointed out that xenstore isn't really designed to be used in
anger from domU, and that unprivileged access could create real
problems.

Keir indicated that he's willing to merge a patch to put the UUID into
sysfs. Makes sense to me, because the UUID is to be used by
unprivileged processes.

I understand that xen_sysfs may not be accepted upstream, or only with
changes. Fine with me, I'm not looking for a stable API at this time,
I'm looking for something that works to get us going. If it goes away
later, tough, welcome to the bleeding edge, go look for something else
that works.

I also understand that this is no precedent for stuffing all kinds of
xenstore data into xen_sysfs.

I was looking into Christian's suggestion to read a proper UUID key
rather than extracting it from the vm value. Well, it doesn't work.
I'll be happy to revise my patch when it does.

In light of the above and all the other contributions to this thread:
what about merging my patch?
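
Added example, not part of the original message or of any patch in this thread: a guest-side shell sketch of the fallback the thread describes, taking the UUID from the value of the readable `vm` key because `/vm/<uuid>/uuid` is denied to the domU. The function names `uuid_from_vm_path` and `domu_uuid` are hypothetical, and `xenstore-read` is assumed to be installed in the guest.

```shell
#!/bin/sh
# Added example: parse the UUID out of the "vm" value and validate it
# strictly before anything else in the guest relies on it.

# uuid_from_vm_path PATH
# Prints the UUID when PATH is exactly /vm/<8-4-4-4-12 hex>; returns 1 otherwise.
uuid_from_vm_path() {
    path=$1
    case $path in
        /vm/*) candidate=${path#/vm/} ;;
        *) return 1 ;;                          # not under /vm at all
    esac
    case $candidate in
        *[!0-9a-fA-F-]*) return 1 ;;            # "/", ".", whitespace, newline, ...
        ????????-????-????-????-????????????) ;; # 36 chars, hyphens where expected
        *) return 1 ;;
    esac
    # The layout pattern lets "?" match "-", so confirm that exactly
    # 32 hex digits remain once the hyphens are removed.
    hex=$(printf '%s' "$candidate" | tr -d '-')
    [ "${#hex}" -eq 32 ] || return 1
    printf '%s\n' "$candidate"
}

# domu_uuid: read the relative "vm" key, as in the quoted transcript,
# and hand the result to the parser. Fails cleanly outside a Xen guest.
domu_uuid() {
    vmpath=$(xenstore-read vm 2>/dev/null) || return 1
    uuid_from_vm_path "$vmpath"
}

# Demonstration on the value shown in the quoted transcript.
uuid_from_vm_path "/vm/947df77a-58b5-4e3d-9b6c-aa0178d8e133"
```
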