.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "xm 1"
.TH xm 1 "2013-01-22" "xen-unstable" "Xen"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
xm \- Xen management user interface
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBxm\fR \fIsubcommand\fR [\fIargs\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBxm\fR program is the main interface for managing Xen guest
domains. The program can be used to create, pause, and shutdown
domains. It can also be used to list current domains, enable or pin
VCPUs, and attach or detach virtual block devices.
.PP
The basic structure of every \fBxm\fR command is almost always:
.Sp
.RS 2
\&\fBxm\fR \fIsubcommand\fR \fIdomain-id\fR [\fI\s-1OPTIONS\s0\fR]
.RE
.PP
Where \fIsubcommand\fR is one of the subcommands listed below, \fIdomain-id\fR
is the numeric domain id, or the domain name (which will be internally
translated to domain id), and \fI\s-1OPTIONS\s0\fR are subcommand specific
options. There are a few exceptions to this rule in the cases where
the subcommand in question acts on all domains, the entire machine,
or directly on the Xen hypervisor. Those exceptions will be clear for
each of those subcommands.
.SH "NOTES"
.IX Header "NOTES"
All \fBxm\fR operations rely upon the Xen control daemon, aka \fBxend\fR.
For any \fBxm\fR commands to run, xend must also be running. For this
reason you should start xend as a service when your system first boots
using Xen.
.PP
Most \fBxm\fR commands require root privileges to run due to the
communications channels used to talk to the hypervisor. Running as
a non-root user will return an error.
.PP
Most \fBxm\fR commands act synchronously, except maybe create, shutdown,
mem-set and vcpu-set. The fact that the \fBxm\fR command returned does not
necessarily mean that the action is complete; you must poll
\&\fBxm list\fR periodically to detect that the operation completed.
.SH "DOMAIN SUBCOMMANDS"
.IX Header "DOMAIN SUBCOMMANDS"
The following subcommands manipulate domains directly. As stated
previously, most commands take \fIdomain-id\fR as the first parameter.
.IP "\fBconsole\fR \fIdomain-id\fR" 4
.IX Item "console domain-id"
Attach to domain \fIdomain-id\fR's console. If you've set up your domains to
have a traditional login console this will look much like a normal
text login screen.
.Sp
This uses the back end xenconsole service which currently only
works for para-virtual domains.
.Sp
The attached console will perform much like a standard serial console,
so running curses based interfaces over the console \fBis not
advised\fR.
Vi tends to get very odd when using it over this interface.
.Sp
Use the key combination Ctrl+] to detach the domain console.
.IP "\fBcreate\fR \fIconfigfile\fR [\fI\s-1OPTIONS\s0\fR] [\fIvars\fR].." 4
.IX Item "create configfile [OPTIONS] [vars].."
The create subcommand requires a config file and can optionally take a
series of \fIvars\fR that add to or override variables defined
in the config file. See xmdomain.cfg for full details of that file
format, and possible options used in either the configfile or for \fIvars\fR.
.Sp
\&\fIconfigfile\fR can either be an absolute path to a file, or a relative
path to a file located in /etc/xen.
.Sp
Create will return \fBas soon\fR as the domain is started. This \fBdoes
not\fR mean the guest \s-1OS\s0 in the domain has actually booted, or is
available for input.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-\-help_config\fR" 4
.IX Item "--help_config"
Print the available configuration variables \fIvars\fR. These variables may be
used on the command line or in the configuration file \fIconfigfile\fR.
.IP "\fB\-q\fR, \fB\-\-quiet\fR" 4
.IX Item "-q, --quiet"
No console output.
.IP "\fB\-\-path\fR" 4
.IX Item "--path"
Search path for configuration scripts. The value of \s-1PATH\s0 is a
colon-separated directory list.
.IP "\fB\-f=FILE\fR, \fB\-\-defconfig=FILE\fR" 4
.IX Item "-f=FILE, --defconfig=FILE"
Use the given Python configuration script. The configuration
script is loaded after arguments have been processed. Each
command-line option sets a configuration variable named after
its long option name, and these variables are placed in the
environment of the script before it is loaded. Variables
for options that may be repeated have list values. Other
variables can be set using name=value on the command line.
After the script is loaded, option values that were not set
on the command line are replaced by the values set in the script.
.IP "\fB\-F=FILE\fR, \fB\-\-config=FILE\fR" 4
.IX Item "-F=FILE, --config=FILE"
Use the given \s-1SXP\s0 formatted configuration script.
\&\s-1SXP\s0 is the underlying configuration format used by Xen.
\&\s-1SXP\s0 configuration scripts can be hand-written or generated
from Python configuration scripts, using the \-n
(dryrun) option to print the configuration. An \s-1SXP\s0 formatted
configuration file may also be generated for a given
\&\fIdomain-id\fR by redirecting the output of
\&\fBxm list \-\-long \f(BIdomain-id\fB\fR to a file.
.IP "\fB\-n\fR, \fB\-\-dryrun\fR" 4
.IX Item "-n, --dryrun"
Dry run \- prints the resulting configuration in \s-1SXP\s0
but does not create the domain.
.IP "\fB\-x\fR, \fB\-\-xmldryrun\fR" 4
.IX Item "-x, --xmldryrun"
\&\s-1XML\s0 dry run \- prints the resulting configuration in
\&\s-1XML\s0 but does not create the domain.
.IP "\fB\-s\fR, \fB\-\-skipdtd\fR" 4
.IX Item "-s, --skipdtd"
Skip \s-1DTD\s0 checking \- skips checks on \s-1XML\s0 before
creating. Experimental. Can decrease create time.
.IP "\fB\-p\fR, \fB\-\-paused\fR" 4
.IX Item "-p, --paused"
Leave the domain paused after it is created.
.IP "\fB\-c\fR, \fB\-\-console_autoconnect\fR" 4
.IX Item "-c, --console_autoconnect"
Attach console to the domain as soon as it has started. This is
useful for determining issues with crashing domains.
.RE
.RS 4
.Sp
\&\fB\s-1EXAMPLES\s0\fR
.IP "\fIwith config file\fR" 4
.IX Item "with config file"
.Vb 1
\&  xm create Fedora4
.Ve
.Sp
This creates a domain with the file /etc/xen/Fedora4, and returns as
soon as it is run.
.IP "\fIwithout config file\fR" 4
.IX Item "without config file"
.Vb 4
\&  xm create /dev/null ramdisk=initrd.img \e
\&            kernel=/boot/vmlinuz\-2.6.12.6\-xenU \e
\&            name=ramdisk vif=\*(Aq\*(Aq vcpus=1 \e
\&            memory=64 root=/dev/ram0
.Ve
.Sp
This creates the domain without using a config file (more specifically
using /dev/null as an empty config file), kernel and ramdisk as
specified, setting the name of the domain to \*(L"ramdisk\*(R", also disabling
virtual networking. (This example comes from the xm-test test suite.)
.RE
.RS 4
.RE
.IP "\fBdelete\fR" 4
.IX Item "delete"
Remove a domain from Xend domain management. The \fBxm list\fR command
shows the domain names.
.IP "\fBdestroy\fR \fIdomain-id\fR" 4
.IX Item "destroy domain-id"
Immediately terminate the domain \fIdomain-id\fR. This doesn't give the
domain \s-1OS\s0 any chance to react, and is the equivalent of ripping the
power cord out on a physical machine. In most cases you will want to
use the \fBshutdown\fR command instead.
.IP "\fBdomid\fR \fIdomain-name\fR" 4
.IX Item "domid domain-name"
Converts a domain name to a domain id using xend's internal mapping.
.IP "\fBdomname\fR \fIdomain-id\fR" 4
.IX Item "domname domain-id"
Converts a domain id to a domain name using xend's internal mapping.
.IP "\fBdump-core\fR [\fI\s-1OPTIONS\s0\fR] \fIdomain-id\fR [\fIfilename\fR]" 4
.IX Item "dump-core [OPTIONS] domain-id [filename]"
Dumps the virtual machine's memory for the specified domain to the
\&\fIfilename\fR specified. The dump file will be written to a distribution
specific directory for dump files, such as /var/lib/xen/dump or
/var/xen/dump. Defaults to dumping the core without pausing the domain
if no \fI\s-1OPTIONS\s0\fR are specified.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-L\fR, \fB\-\-live\fR" 4
.IX Item "-L, --live"
Dump core without pausing the domain.
.IP "\fB\-C\fR, \fB\-\-crash\fR" 4
.IX Item "-C, --crash"
Crash domain after dumping core.
.RE
.RS 4
.RE
.IP "\fBhelp\fR [\fB\-\-long\fR]" 4
.IX Item "help [--long]"
Displays the short help message (i.e. common commands).
.Sp
The \fB\-\-long\fR option prints out the complete set of \fBxm\fR subcommands,
grouped by function.
.IP "\fBlist\fR [\fI\s-1OPTIONS\s0\fR] [\fIdomain-id\fR ...]" 4
.IX Item "list [OPTIONS] [domain-id ...]"
Prints information about one or more domains. If no domains are
specified it prints out information about all domains.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-l\fR, \fB\-\-long\fR" 4
.IX Item "-l, --long"
The output for \fBxm list\fR is not the table view shown below, but
instead presents the data in \s-1SXP\s0 format.
.IP "\fB\-\-label\fR" 4
.IX Item "--label"
Security labels are added to the output of xm list and the lines
are sorted by the labels (ignoring case).
See the \s-1ACCESS\s0 \s-1CONTROL\s0 \s-1SUBCOMMAND\s0 section of this man page for more
information about labels.
.IP "\fB\-\-state=" 4
.IX Item "--state="
Output information for VMs in the specified state.
.RE
.RS 4
.Sp
\&\fB\s-1EXAMPLE\s0\fR
.Sp
An example format for the list is as follows:
.Sp
.Vb 7
\&    Name                ID Mem(MiB) VCPUs State   Time(s)
\&    Domain\-0             0       98     1 r\-\-\-\-\-   5068.6
\&    Fedora3            164      128     1 r\-\-\-\-\-      7.6
\&    Fedora4            165      128     1 \-\-\-\-\-\-      0.6
\&    Mandrake2006       166      128     1 \-b\-\-\-\-      3.6
\&    Mandrake10.2       167      128     1 \-\-\-\-\-\-      2.5
\&    Suse9.2            168      100     1 \-\-\-\-\-\-      1.8
.Ve
.Sp
Name is the name of the domain. \s-1ID\s0 is the numeric domain id. Mem is the
desired amount of memory to allocate to the domain (although it may
not be the currently allocated amount). VCPUs is the number of
virtual CPUs allocated to the domain. State is the run state (see
below). Time is the total run time of the domain as accounted for by
Xen.
.Sp
\&\fB\s-1STATES\s0\fR
.Sp
The State field lists 6 states for a Xen domain, and which ones the
current domain is in.
.IP "\fBr \- running\fR" 4
.IX Item "r - running"
The domain is currently running on a \s-1CPU\s0.
.IP "\fBb \- blocked\fR" 4
.IX Item "b - blocked"
The domain is blocked, and not running or runnable. This can be caused
because the domain is waiting on \s-1IO\s0 (a traditional wait state) or has
gone to sleep because there was nothing else for it to do.
.IP "\fBp \- paused\fR" 4
.IX Item "p - paused"
The domain has been paused, usually occurring through the administrator
running \fBxm pause\fR. When in a paused state the domain will still
consume allocated resources like memory, but will not be eligible for
scheduling by the Xen hypervisor.
.IP "\fBs \- shutdown\fR" 4
.IX Item "s - shutdown"
\&\s-1FIXME:\s0 Why would you ever see this state?
.IP "\fBc \- crashed\fR" 4
.IX Item "c - crashed"
The domain has crashed, which is always a violent ending. Usually
this state can only occur if the domain has been configured not to
restart on crash. See xmdomain.cfg for more info.
.IP "\fBd \- dying\fR" 4
.IX Item "d - dying"
The domain is in the process of dying, but hasn't completely shut down
or crashed.
.Sp
\&\s-1FIXME:\s0 Is this right?
.RE
.RS 4
.Sp
\&\fB\s-1NOTES\s0\fR
.Sp
.RS 4
The Time column is deceptive. Virtual \s-1IO\s0 (network and block devices)
used by domains requires coordination by Domain0, which means that
Domain0 is actually charged for much of the time that a DomainU is
doing \s-1IO\s0. Use of this time value to determine relative utilizations
by domains is thus very suspect, as a high \s-1IO\s0 workload may show as
less utilized than a high \s-1CPU\s0 workload. Consider yourself warned.
.RE
.RE
.RS 4
.RE
.IP "\fBmem-max\fR \fIdomain-id\fR \fImem\fR" 4
.IX Item "mem-max domain-id mem"
Specify the maximum amount of memory the domain is able to use. \fImem\fR
is specified in megabytes.
.Sp
The mem-max value may not correspond to the actual memory used in the
domain, as it may balloon down its memory to give more back to the \s-1OS\s0.
.IP "\fBmem-set\fR \fIdomain-id\fR \fImem\fR" 4
.IX Item "mem-set domain-id mem"
Set the domain's used memory using the balloon driver.
.Sp
Because this operation requires cooperation from the domain operating
system, there is no guarantee that it will succeed. This command will
definitely not work unless the domain has the required paravirt
driver.
.Sp
\&\fBWarning:\fR There is no good way to know in advance how small of a
mem-set will make a domain unstable and cause it to crash. Be very
careful when using this command on running domains.
.IP "\fBmigrate\fR \fIdomain-id\fR \fIhost\fR [\fI\s-1OPTIONS\s0\fR]" 4
.IX Item "migrate domain-id host [OPTIONS]"
Migrate a domain to another host machine. Xend must be running on
the other host machine, which must be running the same version of Xen,
must have the migration \s-1TCP\s0 port open and accepting connections from
the source host, and must have sufficient resources for the domain to
run (memory, disk, etc).
.Sp
Migration is pretty complicated, and has many security implications.
Please read the Xen User's Guide to ensure you understand the
ramifications and limitations on migration before attempting it in
production.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-l\fR, \fB\-\-live\fR" 4
.IX Item "-l, --live"
Use live migration. This will migrate the domain between hosts
without shutting down the domain. See the Xen User's Guide for more
information.
.IP "\fB\-r\fR, \fB\-\-resource\fR \fIMbs\fR" 4
.IX Item "-r, --resource Mbs"
Set maximum Mbs allowed for migrating the domain. This ensures that
the network link is not saturated with migration traffic while
attempting to do other useful work.
.RE
.RS 4
.RE
.IP "\fBnew\fR \fIconfigfile\fR [\fI\s-1OPTIONS\s0\fR] [\fIvars\fR]..." 4
.IX Item "new configfile [OPTIONS] [vars]..."
Adds a domain to Xend domain management.
.Sp
The new subcommand requires a config file and can optionally
take a series of \fIvars\fR that add to or override variables
defined in the config file.
See xmdomain.cfg for full details of that file format, and
possible options used in either the configfile or for
\&\fIvars\fR.
.Sp
\&\fIconfigfile\fR can either be an absolute path to a file, or a relative
path to a file located in /etc/xen.
.Sp
The new subcommand will return without starting the domain. The
domain needs to be started using the \fBxm start\fR command.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-\-help_config\fR" 4
.IX Item "--help_config"
Print the available configuration variables \fIvars\fR. These variables may be
used on the command line or in the configuration file \fIconfigfile\fR.
.IP "\fB\-q\fR, \fB\-\-quiet\fR" 4
.IX Item "-q, --quiet"
No console output.
.IP "\fB\-\-path\fR" 4
.IX Item "--path"
Search path for configuration scripts. The value of \s-1PATH\s0 is a
colon-separated directory list.
.IP "\fB\-f=FILE\fR, \fB\-\-defconfig=FILE\fR" 4
.IX Item "-f=FILE, --defconfig=FILE"
Use the given Python configuration script. The configuration
script is loaded after arguments have been processed. Each
command-line option sets a configuration variable named after
its long option name, and these variables are placed in the
environment of the script before it is loaded. Variables
for options that may be repeated have list values. Other
variables can be set using name=value on the command line.
After the script is loaded, option values that were not set
on the command line are replaced by the values set in the script.
.IP "\fB\-F=FILE\fR, \fB\-\-config=FILE\fR" 4
.IX Item "-F=FILE, --config=FILE"
Use the given \s-1SXP\s0 formatted configuration script.
\&\s-1SXP\s0 is the underlying configuration format used by Xen.
\&\s-1SXP\s0 configuration scripts can be hand-written or generated
from Python configuration scripts, using the \-n
(dryrun) option to print the configuration.
An \s-1SXP\s0 formatted configuration file may also be generated for a given
\&\fIdomain-id\fR by redirecting the output of
\&\fBxm list \-\-long \f(BIdomain-id\fB\fR to a file.
.IP "\fB\-n\fR, \fB\-\-dryrun\fR" 4
.IX Item "-n, --dryrun"
Dry run \- prints the resulting configuration in \s-1SXP\s0
but does not create the domain.
.IP "\fB\-x\fR, \fB\-\-xmldryrun\fR" 4
.IX Item "-x, --xmldryrun"
\&\s-1XML\s0 dry run \- prints the resulting configuration in
\&\s-1XML\s0 but does not create the domain.
.IP "\fB\-s\fR, \fB\-\-skipdtd\fR" 4
.IX Item "-s, --skipdtd"
Skip \s-1DTD\s0 checking \- skips checks on \s-1XML\s0 before
creating. Experimental. Can decrease create time.
.IP "\fB\-p\fR, \fB\-\-paused\fR" 4
.IX Item "-p, --paused"
Leave the domain paused after it is created.
.IP "\fB\-c\fR, \fB\-\-console_autoconnect\fR" 4
.IX Item "-c, --console_autoconnect"
Attach console to the domain as soon as it has started. This is
useful for determining issues with crashing domains.
.RE
.RS 4
.RE
.IP "\fBpause\fR \fIdomain-id\fR" 4
.IX Item "pause domain-id"
Pause a domain. When in a paused state the domain will still consume
allocated resources such as memory, but will not be eligible for
scheduling by the Xen hypervisor.
.IP "\fBreboot\fR [\fI\s-1OPTIONS\s0\fR] \fIdomain-id\fR" 4
.IX Item "reboot [OPTIONS] domain-id"
Reboot a domain. This acts just as if the domain had the \fBreboot\fR
command run from the console. The command returns as soon as it has
executed the reboot action, which may be significantly before the
domain actually reboots.
.Sp
The behavior of what happens to a domain when it reboots is set by the
\&\fBon_reboot\fR parameter of the xmdomain.cfg file when the domain was
created.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-a\fR, \fB\-\-all\fR" 4
.IX Item "-a, --all"
Reboot all domains.
.IP "\fB\-w\fR, \fB\-\-wait\fR" 4
.IX Item "-w, --wait"
Wait for reboot to complete before returning.
This may take a while, as all services in the domain will have to be
shut down cleanly.
.RE
.RS 4
.RE
.IP "\fBrestore\fR \fIstate-file\fR" 4
.IX Item "restore state-file"
Build a domain from an \fBxm save\fR state file. See \fBsave\fR for more info.
.IP "\fBresume\fR \fIdomain-name\fR [\fI\s-1OPTIONS\s0\fR]" 4
.IX Item "resume domain-name [OPTIONS]"
Moves a domain out of the suspended state and back into memory.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-p\fR, \fB\-\-paused\fR" 4
.IX Item "-p, --paused"
Moves a domain back into memory but leaves the domain in a paused state.
The \fBxm unpause\fR subcommand may then be used to bring it out of the
paused state.
.RE
.RS 4
.RE
.IP "\fBsave\fR \fIdomain-id\fR \fIstate-file\fR" 4
.IX Item "save domain-id state-file"
Saves a running domain to a state file so that it can be restored
later. Once saved, the domain will no longer be running on the
system, thus the memory allocated for the domain will be free for
other domains to use. \fBxm restore\fR restores from this state file.
.Sp
This is roughly equivalent to doing a hibernate on a running
computer, with all the same limitations. Open network connections may
be severed upon restore, as \s-1TCP\s0 timeouts may have expired.
.IP "\fBshutdown\fR [\fI\s-1OPTIONS\s0\fR] \fIdomain-id\fR" 4
.IX Item "shutdown [OPTIONS] domain-id"
Gracefully shuts down a domain. This coordinates with the domain \s-1OS\s0 to
perform graceful shutdown, so there is no guarantee that it will
succeed, and it may take a variable length of time depending on what
services must be shut down in the domain. The command returns
immediately after signaling the domain unless the \fB\-w\fR flag is used.
.Sp
The behavior of what happens to a domain when it shuts down is set by the
\&\fBon_shutdown\fR parameter of the xmdomain.cfg file when the domain was
created.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-a\fR" 4
.IX Item "-a"
Shutdown \fBall\fR domains. Often used when doing a complete shutdown of
a Xen system.
.IP "\fB\-w\fR" 4
.IX Item "-w"
Wait for the domain to complete shutdown before returning.
.RE
.RS 4
.RE
.IP "\fBstart\fR \fIdomain-name\fR [\fI\s-1OPTIONS\s0\fR]" 4
.IX Item "start domain-name [OPTIONS]"
Start a Xend managed domain that was added using the \fBxm new\fR command.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-p\fR, \fB\-\-paused\fR" 4
.IX Item "-p, --paused"
Do not unpause domain after starting it.
.IP "\fB\-c\fR, \fB\-\-console_autoconnect\fR" 4
.IX Item "-c, --console_autoconnect"
Connect to the console after the domain is created.
.RE
.RS 4
.RE
.IP "\fBsuspend\fR \fIdomain-name\fR" 4
.IX Item "suspend domain-name"
Suspend a domain to a state file so that it can be later
resumed using the \fBxm resume\fR subcommand. Similar to the \fBxm save\fR
subcommand although the state file may not be specified.
.IP "\fBsysrq\fR \fIdomain-id\fR \fIletter\fR" 4
.IX Item "sysrq domain-id letter"
Send a \fIMagic System Request\fR signal to the domain. For more
information on available magic sys req operations, see sysrq.txt in
your Linux Kernel sources.
.IP "\fBunpause\fR \fIdomain-id\fR" 4
.IX Item "unpause domain-id"
Moves a domain out of the paused state. This will allow a previously
paused domain to now be eligible for scheduling by the Xen hypervisor.
.IP "\fBvcpu-set\fR \fIdomain-id\fR \fIvcpu-count\fR" 4
.IX Item "vcpu-set domain-id vcpu-count"
Enables the \fIvcpu-count\fR virtual CPUs for the domain in question.
Like mem-set, this command can only allocate up to the maximum virtual
\&\s-1CPU\s0 count configured at boot for the domain.
.Sp
If the \fIvcpu-count\fR is smaller than the current number of active
VCPUs, the highest number VCPUs will be hotplug removed. This may be
important for pinning purposes.
.Sp
Attempting to set the VCPUs to a number larger than the initially
configured \s-1VCPU\s0 count is an error. Trying to set VCPUs to < 1 will be
quietly ignored.
.Sp
Because this operation requires cooperation from the domain operating
system, there is no guarantee that it will succeed. This command will
not work with a full virt domain.
.IP "\fBvcpu-list\fR [\fIdomain-id\fR]" 4
.IX Item "vcpu-list [domain-id]"
Lists \s-1VCPU\s0 information for a specific domain. If no domain is
specified, \s-1VCPU\s0 information for all domains will be provided.
.IP "\fBvcpu-pin\fR \fIdomain-id\fR \fIvcpu\fR \fIcpus\fR" 4
.IX Item "vcpu-pin domain-id vcpu cpus"
Pins the \s-1VCPU\s0 to only run on the specific CPUs. The keyword
\&\fBall\fR can be used to apply the \fIcpus\fR list to all VCPUs in the
domain.
.Sp
Normally VCPUs can float between available CPUs whenever Xen deems a
different run state is appropriate. Pinning can be used to restrict
this, by ensuring certain VCPUs can only run on certain physical
CPUs.
.SH "XEN HOST SUBCOMMANDS"
.IX Header "XEN HOST SUBCOMMANDS"
.IP "\fBdmesg\fR [\fB\-c\fR]" 4
.IX Item "dmesg [-c]"
Reads the Xen message buffer, similar to dmesg on a Linux system. The
buffer contains informational, warning, and error messages created
during Xen's boot process. If you are having problems with Xen, this
is one of the first places to look as part of problem determination.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fB\-c\fR, \fB\-\-clear\fR" 4
.IX Item "-c, --clear"
Clears Xen's message buffer.
.RE
.RS 4
.RE
.IP "\fBinfo\fR" 4
.IX Item "info"
Print information about the Xen host in \fIname : value\fR format. When
reporting a Xen bug, please provide this information as part of the
bug report.
.Sp
Sample output looks as follows (lines wrapped manually to make the man
page more readable):
.Sp
.Vb 10
\& host                   : talon
\& release                : 2.6.12.6\-xen0
\& version                : #1 Mon Nov 14 14:26:26 EST 2005
\& machine                : i686
\& nr_cpus                : 2
\& nr_nodes               : 1
\& cores_per_socket       : 1
\& threads_per_core       : 1
\& cpu_mhz                : 696
\& hw_caps                : 0383fbff:00000000:00000000:00000040
\& total_memory           : 767
\& free_memory            : 37
\& xen_major              : 3
\& xen_minor              : 0
\& xen_extra              : \-devel
\& xen_caps               : xen\-3.0\-x86_32
\& xen_scheduler          : credit
\& xen_pagesize           : 4096
\& platform_params        : virt_start=0xfc000000
\& xen_changeset          : Mon Nov 14 18:13:38 2005 +0100
\&                          7793:090e44133d40
\& cc_compiler            : gcc version 3.4.3 (Mandrakelinux
\&                          10.2 3.4.3\-7mdk)
\& cc_compile_by          : sdague
\& cc_compile_domain      : (none)
\& cc_compile_date        : Mon Nov 14 14:16:48 EST 2005
\& xend_config_format     : 3
.Ve
.Sp
\&\fB\s-1FIELDS\s0\fR
.Sp
Not all fields will be explained here, but some of the less obvious
ones deserve explanation:
.RS 4
.IP "\fBhw_caps\fR" 4
.IX Item "hw_caps"
A vector showing what hardware capabilities are supported by your
processor. This is equivalent to, though more cryptic than, the flags
field in /proc/cpuinfo on a normal Linux machine.
.IP "\fBfree_memory\fR" 4
.IX Item "free_memory"
Available memory (in \s-1MB\s0) not allocated to Xen, or any other domains.
.IP "\fBxen_caps\fR" 4
.IX Item "xen_caps"
The Xen version and architecture. Architecture values can be one of:
x86_32, x86_32p (i.e. \s-1PAE\s0 enabled), x86_64, ia64.
.IP "\fBxen_changeset\fR" 4
.IX Item "xen_changeset"
The Xen mercurial changeset id. Very useful for determining exactly
what version of code your Xen system was built from.
.RE
.RS 4
.RE
.IP "\fBlog\fR" 4
.IX Item "log"
Print out the xend log. This log file can be found in
/var/log/xend.log.
.IP "\fBtop\fR" 4
.IX Item "top"
Executes the \fBxentop\fR command, which provides real time monitoring of
domains. Xentop is a curses interface, and reasonably self
explanatory.
.IP "\fBuptime\fR" 4
.IX Item "uptime"
Prints the current uptime of the domains running.
.SH "SCHEDULER SUBCOMMANDS"
.IX Header "SCHEDULER SUBCOMMANDS"
Xen ships with a number of domain schedulers, which can be set at boot
time with the \fBsched=\fR parameter on the Xen command line. By default
\&\fBcredit\fR is used for scheduling.
.PP
\&\s-1FIXME:\s0 we really need a scheduler expert to write up this section.
.IP "\fBsched-credit\fR [ \fB\-d\fR \fIdomain-id\fR [ \fB\-w\fR[\fB=\fR\fI\s-1WEIGHT\s0\fR] | \fB\-c\fR[\fB=\fR\fI\s-1CAP\s0\fR] ] ]" 4
.IX Item "sched-credit [ -d domain-id [ -w[=WEIGHT] | -c[=CAP] ] ]"
Set credit scheduler parameters. The credit scheduler is a
proportional fair share \s-1CPU\s0 scheduler built from the ground up to be
work conserving on \s-1SMP\s0 hosts.
.Sp
Each domain (including Domain0) is assigned a weight and a cap.
.Sp
\&\fB\s-1PARAMETERS\s0\fR
.RS 4
.IP "\fI\s-1WEIGHT\s0\fR" 4
.IX Item "WEIGHT"
A domain with a weight of 512 will get twice as much \s-1CPU\s0 as a domain
with a weight of 256 on a contended host. Legal weights range from 1
to 65535 and the default is 256.
.IP "\fI\s-1CAP\s0\fR" 4
.IX Item "CAP"
The cap optionally fixes the maximum amount of \s-1CPU\s0 a domain will be
able to consume, even if the host system has idle \s-1CPU\s0 cycles. The cap
is expressed in percentage of one physical \s-1CPU:\s0 100 is 1 physical \s-1CPU\s0,
50 is half a \s-1CPU\s0, 400 is 4 CPUs, etc. The default, 0, means there is
no upper cap.
.RE
.RS 4
.RE
.IP "\fBsched-sedf\fR \fIperiod\fR \fIslice\fR \fIlatency-hint\fR \fIextratime\fR \fIweight\fR" 4
.IX Item "sched-sedf period slice latency-hint extratime weight"
Set Simple \s-1EDF\s0 (Earliest Deadline First) scheduler parameters. This
scheduler provides weighted \s-1CPU\s0 sharing in an intuitive way and uses
realtime-algorithms to ensure time guarantees. For more information
see docs/misc/sedf_scheduler_mini\-HOWTO.txt in the Xen distribution.
.Sp
\&\fB\s-1PARAMETERS\s0\fR
.RS 4
.IP "\fIperiod\fR" 4
.IX Item "period"
The normal \s-1EDF\s0 scheduling usage in nanoseconds
.IP "\fIslice\fR" 4
.IX Item "slice"
The normal \s-1EDF\s0 scheduling usage in nanoseconds
.Sp
\&\s-1FIXME:\s0 these are lame, should explain more.
.IP "\fIlatency-hint\fR" 4
.IX Item "latency-hint"
Scaled period if domain is doing heavy I/O.
.IP "\fIextratime\fR" 4
.IX Item "extratime"
Flag for allowing domain to run in extra time.
.IP "\fIweight\fR" 4
.IX Item "weight"
Another way of setting \s-1CPU\s0 slice.
.RE
.RS 4
.Sp
\&\fB\s-1EXAMPLES\s0\fR
.Sp
\&\fInormal \s-1EDF\s0 (20ms/5ms):\fR
.Sp
.Vb 1
\&    xm sched\-sedf 20000000 5000000 0 0 0
.Ve
.Sp
\&\fIbest-effort domains (i.e. non-realtime):\fR
.Sp
.Vb 1
\&    xm sched\-sedf 20000000 0 0 1 0
.Ve
.Sp
\&\fInormal \s-1EDF\s0 (20ms/5ms) + share of extra-time:\fR
.Sp
.Vb 1
\&    xm sched\-sedf 20000000 5000000 0 1 0
.Ve
.Sp
\&\fI4 domains with weights 2:3:4:2\fR
.Sp
.Vb 4
\&    xm sched\-sedf 0 0 0 0 2
\&    xm sched\-sedf 0 0 0 0 3
\&    xm sched\-sedf 0 0 0 0 4
\&    xm sched\-sedf 0 0 0 0 2
.Ve
.Sp
\&\fI1 fully-specified (10ms/3ms) domain, 3 other domains share available
rest in 2:7:3 ratio:\fR
.Sp
.Vb 4
\&    xm sched\-sedf 10000000 3000000 0 0 0
\&    xm sched\-sedf 0 0 0 0 2
\&    xm sched\-sedf 0 0 0 0 7
\&    xm sched\-sedf 0 0 0 0 3
.Ve
.RE
.SH "VIRTUAL DEVICE COMMANDS"
.IX Header "VIRTUAL DEVICE COMMANDS"
Most virtual devices can be added and removed while guests are
running. The effect to the guest \s-1OS\s0 is much the same as any hotplug
event.
.SS "\s-1BLOCK\s0 \s-1DEVICES\s0"
.IX Subsection "BLOCK DEVICES"
.IP "\fBblock-attach\fR \fIdomain-id\fR \fIbe-dev\fR \fIfe-dev\fR \fImode\fR [\fIbedomain-id\fR]" 4
.IX Item "block-attach domain-id be-dev fe-dev mode [bedomain-id]"
Create a new virtual block device. This will trigger a hotplug event
for the guest.
.Sp
\&\fB\s-1OPTIONS\s0\fR
.RS 4
.IP "\fIdomain-id\fR" 4
.IX Item "domain-id"
The domain id of the guest domain that the device will be attached to.
.IP "\fIbe-dev\fR" 4 .IX Item "be-dev" The device in the backend domain (usually domain 0) to be exported. This can be specified as a physical partition (phy:sda7) or as a file mounted as loopback (file://path/to/loop.iso). .IP "\fIfe-dev\fR" 4 .IX Item "fe-dev" How the device should be presented to the guest domain. It can be specified as either a symbolic name, such as /dev/hdc, for common devices, or by device id, such as 0x1400 (/dev/hdc device id in hex). .IP "\fImode\fR" 4 .IX Item "mode" The access mode for the device from the guest domain. Supported modes are \fBw\fR (read/write) or \fBr\fR (read-only). .IP "\fIbedomain-id\fR" 4 .IX Item "bedomain-id" The back end domain hosting the device. This defaults to domain 0. .RE .RS 4 .Sp \&\fB\s-1EXAMPLES\s0\fR .IP "\fIMount an \s-1ISO\s0 as a Disk\fR" 4 .IX Item "Mount an ISO as a Disk" xm block-attach guestdomain file://path/to/dsl\-2.0RC2.iso /dev/hdc ro .Sp This will mount the dsl \s-1ISO\s0 as /dev/hdc in the guestdomain as a read only device. This will probably not be detected as a CD-ROM by the guest, but mounting /dev/hdc manually will work. .RE .RS 4 .RE .IP "\fBblock-detach\fR \fIdomain-id\fR \fIdevid\fR [\fB\-\-force\fR]" 4 .IX Item "block-detach domain-id devid [--force]" Detach a domain's virtual block device. \fIdevid\fR may be the symbolic name or the numeric device id given to the device by domain 0. You will need to run \fBxm block-list\fR to determine that number. .Sp Detaching the device requires the cooperation of the domain. If the domain fails to release the device (perhaps because the domain is hung or is still using the device), the detach will fail. The \fB\-\-force\fR parameter will forcefully detach the device, but may cause \s-1IO\s0 errors in the domain. .IP "\fBblock-list\fR [\fB\-l\fR|\fB\-\-long\fR] \fIdomain-id\fR" 4 .IX Item "block-list [-l|--long] domain-id" List virtual block devices for a domain. 
The returned output is formatted as a list or as an S\-Expression if the \fB\-\-long\fR option was given. .SS "\s-1NETWORK\s0 \s-1DEVICES\s0" .IX Subsection "NETWORK DEVICES" .IP "\fBnetwork-attach\fR \fIdomain-id\fR [\fBscript=\fR\fIscriptname\fR] [\fBip=\fR\fIipaddr\fR] [\fBmac=\fR\fImacaddr\fR] [\fBbridge=\fR\fIbridge-name\fR] [\fBbackend=\fR\fIbedomain-id\fR]" 4 .IX Item "network-attach domain-id [script=scriptname] [ip=ipaddr] [mac=macaddr] [bridge=bridge-name] [backend=bedomain-id]" Creates a new network device in the domain specified by \fIdomain-id\fR. It takes the following options, all of which are optional: .PP \&\fB\s-1OPTIONS\s0\fR .IP "\fBscript=\fR\fIscriptname\fR" 4 .IX Item "script=scriptname" Use the specified script name to bring up the network. Defaults to the \fBvif-script\fR setting in xend\-config.sxp. .IP "\fBip=\fR\fIipaddr\fR" 4 .IX Item "ip=ipaddr" Passes the specified \s-1IP\s0 Address to the adapter on creation. .Sp \&\s-1FIXME:\s0 this currently appears to be \fBbroken\fR. I'm not sure under what circumstances this should actually work. .IP "\fBmac=\fR\fImacaddr\fR" 4 .IX Item "mac=macaddr" The \s-1MAC\s0 address that the domain will see on its Ethernet device. If the \s-1MAC\s0 address is not specified it will be randomly generated with the 00:16:3e vendor id prefix. .IP "\fBbridge=\fR\fIbridge-name\fR" 4 .IX Item "bridge=bridge-name" The name of the bridge to attach the vif to, in case you have more than one. This defaults to xenbr0. .IP "\fBbackend=\fR\fIbedomain-id\fR" 4 .IX Item "backend=bedomain-id" The backend domain id. By default this is domain 0. .IP "\fBnetwork-detach\fR \fIdomain-id\fR \fIdevid\fR" 4 .IX Item "network-detach domain-id devid" Removes the network device from the domain specified by \fIdomain-id\fR. \&\fIdevid\fR is the virtual interface device number within the domain (i.e. the 3 in vif22.3). .Sp \&\s-1FIXME:\s0 this is currently \fBbroken\fR. Network devices aren't completely removed from domain 0.
.IP "\fBnetwork-list\fR [\fB\-l\fR|\fB\-\-long\fR] \fIdomain-id\fR" 4 .IX Item "network-list [-l|--long] domain-id" List virtual network interfaces for a domain. The returned output is formatted as a list or as an S\-Expression if the \fB\-\-long\fR option was given. .SS "\s-1VIRTUAL\s0 \s-1TPM\s0 \s-1DEVICES\s0" .IX Subsection "VIRTUAL TPM DEVICES" .IP "\fBvtpm-list\fR [\fB\-l\fR|\fB\-\-long\fR] \fIdomain-id\fR" 4 .IX Item "vtpm-list [-l|--long] domain-id" Show the virtual \s-1TPM\s0 device for a domain. The returned output is formatted as a list or as an S\-Expression if the \fB\-\-long\fR option was given. .SH "VNET COMMANDS" .IX Header "VNET COMMANDS" The Virtual Network interfaces for Xen. .PP \&\s-1FIXME:\s0 This needs a lot more explanation, or it needs to be ripped out entirely. .IP "\fBvnet-list\fR [\fB\-l\fR|\fB\-\-long\fR]" 4 .IX Item "vnet-list [-l|--long]" List vnets. .IP "\fBvnet-create\fR \fIconfig\fR" 4 .IX Item "vnet-create config" Create a vnet from a config file. .IP "\fBvnet-delete\fR \fIvnetid\fR" 4 .IX Item "vnet-delete vnetid" Delete a vnet. .SH "ACCESS CONTROL SUBCOMMANDS" .IX Header "ACCESS CONTROL SUBCOMMANDS" Access Control in Xen consists of two components: (i) The Access Control Policy (\s-1ACP\s0) defines security labels and access rules based on these labels. (ii) The Access Control Module (\s-1ACM\s0) makes access control decisions by interpreting the policy when domains need to communicate or to access resources. The Xen access control has sufficient mechanisms in place to enforce the access decisions even against maliciously acting user domains (mandatory access control). .PP Access rights for domains in Xen are determined by the domain security label only and not based on the domain name or \s-1ID\s0. The \s-1ACP\s0 specifies security labels that can then be assigned to domains and resources. Every domain must be assigned exactly one security label, otherwise access control decisions could become nondeterministic.
ACPs are distinguished by their name, which is a parameter to most of the subcommands described below. Currently, the \s-1ACP\s0 specifies two ways to interpret labels: .PP (1) Simple Type Enforcement: Labels are interpreted to decide access of domains to communication means and virtual or physical resources. Communication between domains as well as access to resources are forbidden by default and can only take place if they are explicitly allowed by the security policy. The proper assignment of labels to domains controls the sharing of information (directly through communication or indirectly through shared resources) between domains. This interpretation makes it possible to control the overt (intended) communication channels in Xen. .PP (2) Chinese Wall: Labels are interpreted to decide which domains can co-exist (be run simultaneously) on the same system. This interpretation makes it possible to prevent direct covert (unintended) channels and mitigates risks caused by imperfect core domain isolation (trade-off between security and other system requirements). For a short introduction to covert channels, please refer to http://www.multicians.org/timing\-chn.html. .PP The following subcommands help you to manage security policies in Xen and to assign security labels to domains. To enable access control security in Xen, you must compile Xen with \s-1ACM\s0 support enabled as described under \*(L"Configuring Security\*(R" below. There you will also find examples of each subcommand described here. .IP "\fBsetpolicy\fR \s-1ACM\s0 \fIpolicy\fR" 4 .IX Item "setpolicy ACM policy" Makes the given \s-1ACM\s0 policy available to xend as a \fIxend-managed policy\fR. The policy is compiled and a mapping (.map) as well as a binary (.bin) version of the policy is created. The policy is loaded and the system's bootloader is prepared to boot the system with this policy the next time it is started. .Sp .RS 4 \&\fIpolicy\fR is a dot-separated list of names.
The last part is the file name prefix for the policy \s-1XML\s0 file. The preceding name parts are translated into the local path pointing to the policy \s-1XML\s0 file relative to the global policy root directory (/etc/xen/acm\-security/policies). For example, example.chwall_ste.client_v1 denotes the policy file example/chwall_ste/client_v1\-security_policy.xml relative to the global policy root directory. .RE .IP "\fBresetpolicy\fR" 4 .IX Item "resetpolicy" Reset the system's policy to the default state where the \s-1DEFAULT\s0 policy is loaded and enforced. This operation may fail if, for example, guest VMs are running and one of them uses a different label than what Domain\-0 does. It is best to make sure that no guests are running before issuing this command. .IP "\fBgetpolicy\fR [\-\-dumpxml]" 4 .IX Item "getpolicy [--dumpxml]" Displays information about the current xend-managed policy, such as name and type of the policy, the uuid xend has assigned to it on the local system, the version of the \s-1XML\s0 representation and the status of the policy, such as whether it is currently loaded into Xen or whether the policy is automatically loaded during system boot. With the \fI\-\-dumpxml\fR option, the \s-1XML\s0 representation of the policy is displayed. .IP "\fBdumppolicy\fR" 4 .IX Item "dumppolicy" Prints the current security policy state information of Xen. .IP "\fBlabels\fR [\fIpolicy\fR] [\fBtype=dom\fR|\fBres\fR|\fBany\fR]" 4 .IX Item "labels [policy] [type=dom|res|any]" Lists all labels of a \fItype\fR (domain, resource, or both) that are defined in the \fIpolicy\fR. Unless specified, the default \fIpolicy\fR is the currently enforced access control policy. The default for \fItype\fR is 'dom'. The labels are arranged in alphabetical order.
.IP "\fBaddlabel\fR \fIlabel\fR \fBdom\fR \fIconfigfile\fR [\fIpolicy\fR]" 4 .IX Item "addlabel label dom configfile [policy]" .PD 0 .IP "\fBaddlabel\fR \fIlabel\fR \fBmgt\fR \fIdomain name\fR [\fIpolicy type\fR:\fIpolicy\fR]" 4 .IX Item "addlabel label mgt domain name [policy type:policy]" .IP "\fBaddlabel\fR \fIlabel\fR \fBres\fR \fIresource\fR [\fIpolicy\fR]" 4 .IX Item "addlabel label res resource [policy]" .IP "\fBaddlabel\fR \fIlabel\fR \fBvif-idx\fR \fIdomain name\fR [\fIpolicy type\fR:\fIpolicy\fR]" 4 .IX Item "addlabel label vif-idx domain name [policy type:policy]" .PD Adds the security label with name \fIlabel\fR to a domain \&\fIconfigfile\fR (dom), a Xend-managed domain (mgt), to the global resource label file for the given \fIresource\fR (res), or to a managed domain's virtual network interface (vif) that is specified by its index. Unless specified, the default \fIpolicy\fR is the currently enforced access control policy. This subcommand also verifies that the \fIpolicy\fR definition supports the specified \fIlabel\fR name. .Sp The only \fIpolicy type\fR that is currently supported is \fI\s-1ACM\s0\fR. .IP "\fBrmlabel\fR \fBdom\fR \fIconfigfile\fR" 4 .IX Item "rmlabel dom configfile" .PD 0 .IP "\fBrmlabel\fR \fBmgt\fR \fIdomain name\fR" 4 .IX Item "rmlabel mgt domain name" .IP "\fBrmlabel\fR \fBres\fR \fIresource\fR" 4 .IX Item "rmlabel res resource" .IP "\fBrmlabel\fR \fBvif-idx\fR \fIdomain name\fR" 4 .IX Item "rmlabel vif-idx domain name" .PD Works the same as the \fBaddlabel\fR command (above), except that this command will remove the label from the domain \fIconfigfile\fR (dom), a Xend-managed domain (mgt), the global resource label file (res), or a managed domain's network interface (vif). 
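The following Python sketch is an added example, not part of the xm tools or of the original manual page. It applies the policy naming rule from the setpolicy description and checks a domain configuration file's access_control entry against the enforced policy and its domain labels, which is the kind of consistency addlabel verifies. The character set accepted for name parts, the function names and the sample input are assumptions made for the example.

```python
import ast
import posixpath
import re

# Global policy root directory named in the setpolicy description.
POLICY_ROOT = "/etc/xen/acm-security/policies"
# Assumption: each dot-separated name part uses only these characters.
_PART = re.compile(r"^[A-Za-z0-9_-]+$")


def policy_xml_path(policy, root=POLICY_ROOT):
    """Map a dot-separated policy name to its XML file under the policy root."""
    parts = policy.split(".")
    # Empty parts ("a..b") and parts containing "/" are refused, so the
    # resulting path can never climb out of the policy root.
    if not all(_PART.match(p) for p in parts):
        raise ValueError("invalid policy name: %r" % policy)
    return posixpath.join(root, *parts[:-1], parts[-1] + "-security_policy.xml")


def read_access_control(config_text):
    """Return (policy, label) from the access_control entry, or None if absent.

    xm config files use Python syntax; they are parsed here, never executed.
    """
    entry = None
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "access_control"
                for t in node.targets):
            entry = ast.literal_eval(node.value)
    if entry is None:
        return None
    fields = {}
    for item in ",".join(entry).split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            fields[key] = value
    return fields.get("policy"), fields.get("label")


def audit_config(config_text, enforced_policy, domain_labels):
    """Return a list of findings; an empty list means the label checks pass."""
    entry = read_access_control(config_text)
    if entry is None:
        return ["no access_control entry: the domain has no security label"]
    policy, label = entry
    findings = []
    if policy != enforced_policy:
        findings.append("labeled under %r but %r is enforced" % (policy, enforced_policy))
    if label not in domain_labels:
        findings.append("%r is not a domain label of the policy" % label)
    return findings


# Constructed sample input, modeled on the configuration file shown on this page.
SAMPLE_CONFIG = """\
kernel = "/boot/vmlinuz-2.6.16-xen"
ramdisk = "/boot/U1_home_banking_ramdisk.img"
memory = 164
name = "homebanking"
vif = [ '' ]
dhcp = "dhcp"
access_control = ['policy=example.chwall_ste.client_v1, label=dom_HomeBanking']
"""
ENFORCED_POLICY = "example.chwall_ste.client_v1"
# Domain labels as printed by the page's sample "xm labels" output.
DOMAIN_LABELS = {"dom_BoincClient", "dom_Fun", "dom_HomeBanking",
                 "dom_NetworkDomain", "dom_StorageDomain", "dom_SystemManagement"}

if __name__ == "__main__":
    print(policy_xml_path(ENFORCED_POLICY))
    for finding in audit_config(SAMPLE_CONFIG, ENFORCED_POLICY, DOMAIN_LABELS) or ["ok"]:
        print(finding)
```

The check only reads the configuration file; whether the domain may actually start is still decided by the hypervisor against the loaded policy.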
.IP "\fBgetlabel\fR \fBdom\fR \fIconfigfile\fR" 4 .IX Item "getlabel dom configfile" .PD 0 .IP "\fBgetlabel\fR \fBmgt\fR \fIdomain name\fR" 4 .IX Item "getlabel mgt domain name" .IP "\fBgetlabel\fR \fBres\fR \fIresource\fR" 4 .IX Item "getlabel res resource" .IP "\fBgetlabel\fR \fBvif-idx\fR \fIdomain name\fR" 4 .IX Item "getlabel vif-idx domain name" .PD Shows the label for a domain's configuration in the given \fIconfigfile\fR, a xend-managed domain (mgt), a resource, or a managed domain's network interface (vif). .IP "\fBresources\fR" 4 .IX Item "resources" Lists all resources in the global resource label file. Each resource is listed with its associated label and policy name. .IP "\fBdry-run\fR \fIconfigfile\fR" 4 .IX Item "dry-run configfile" Determines if the specified \fIconfigfile\fR describes a domain with a valid security configuration for type enforcement. The test shows the policy decision made for each resource label against the domain label as well as the overall decision. .Sp \&\fB\s-1CONFIGURING\s0 \s-1SECURITY\s0\fR .RS 4 .Sp .RS 4 In xen_source_dir/Config.mk set the following parameters: .Sp .Vb 2 \& XSM_ENABLE ?= y \& ACM_SECURITY ?= y .Ve .Sp Then recompile and install xen and the security tools and then reboot: .Sp .Vb 2 \& cd xen_source_dir; make clean; make install \& reboot into Xen .Ve .RE .RE .RS 4 .Sp \&\fB\s-1RESETTING\s0 \s-1THE\s0 \s-1SYSTEM\s0'S \s-1SECURITY\s0\fR .Sp .RS 4 To set the system's security policy enforcement into its default state, the following command can be issued. Make sure that no guests are running while doing this. .Sp .Vb 1 \& xm resetpolicy .Ve .Sp After this command has successfully completed, the system's \s-1DEFAULT\s0 policy is enforced. .RE .RE .RS 4 .Sp \&\fB\s-1SETTING\s0 A \s-1SECURITY\s0 \s-1POLICY\s0\fR .Sp .RS 4 This step sets the system's policy and automatically loads it into Xen for enforcement.
.Sp .Vb 1 \& xm setpolicy ACM example.client_v1 .Ve .RE .RE .RS 4 .Sp \&\fB\s-1LISTING\s0 \s-1SECURITY\s0 \s-1LABELS\s0\fR .Sp .RS 4 This subcommand shows all labels that are defined and which can be attached to domains. .Sp .Vb 1 \& xm labels example.client_v1 type=dom .Ve .Sp will print for our example policy: .Sp .Vb 6 \& dom_BoincClient \& dom_Fun \& dom_HomeBanking \& dom_NetworkDomain \& dom_StorageDomain \& dom_SystemManagement .Ve .RE .RE .RS 4 .Sp \&\fB\s-1ATTACHING\s0 A \s-1SECURITY\s0 \s-1LABEL\s0 \s-1TO\s0 A \s-1DOMAIN\s0\fR .Sp .RS 4 The \fBaddlabel\fR subcommand can attach a security label to a domain configuration file, here a HomeBanking label. The example policy ensures that this domain does not share information with other non-homebanking user domains (i.e., domains labeled as dom_Fun or dom_Boinc) and that it will not run simultaneously with domains labeled as dom_Fun. .Sp We assume that the specified myconfig.xm configuration file actually instantiates a domain that runs workloads related to home-banking, probably just a browser environment for online-banking. .Sp .Vb 1 \& xm addlabel dom_HomeBanking dom myconfig.xm .Ve .Sp The very simple configuration file might now look as printed below. The \fBaddlabel\fR subcommand added the \fBaccess_control\fR entry at the end of the file, consisting of a label name and the policy that specifies this label name: .Sp .Vb 8 \& kernel = "/boot/vmlinuz\-2.6.16\-xen" \& ramdisk="/boot/U1_home_banking_ramdisk.img" \& memory = 164 \& name = "homebanking" \& vif = [ \*(Aq\*(Aq ] \& dhcp = "dhcp" \& access_control = [\*(Aqpolicy=example.chwall_ste.client_v1, \& label=dom_HomeBanking\*(Aq] .Ve .Sp Security labels must be assigned to domain configurations because these labels are essential for making access control decisions as early as during the configuration phase of a newly instantiated domain. 
Consequently, a security-enabled Xen hypervisor will only start domains that have a security label configured and whose security label is consistent with the currently enforced policy. Otherwise, starting the domain will fail with the error condition \*(L"operation not permitted\*(R". .RE .RE .RS 4 .Sp \&\fB\s-1ATTACHING\s0 A \s-1SECURITY\s0 \s-1LABEL\s0 \s-1TO\s0 A XEND-MANAGED \s-1DOMAIN\s0\fR .Sp .RS 4 The addlabel subcommand supports labeling of domains that are managed by xend. This includes domains that are currently running, such as Domain\-0, or those that are in a dormant state. Depending on the state of the system, it is possible that the new label is rejected. For example, the relabeling of a domain is rejected if the domain is currently allowed to access its labeled resources but the new label would prevent it from accessing one or more of them. .Sp .Vb 1 \& xm addlabel dom_Fun mgt Domain\-0 .Ve .Sp This changes the label of Domain\-0 to dom_Fun under the condition that this new label of Domain\-0 would not prevent any other domain from accessing its resources that are provided through Domain\-0, such as network or block device access. .RE .RE .RS 4 .Sp \&\fB\s-1ATTACHING\s0 A \s-1SECURITY\s0 \s-1LABEL\s0 \s-1TO\s0 A \s-1RESOURCE\s0\fR .Sp .RS 4 The \fBaddlabel\fR subcommand can also be used to attach a security label to a resource. Following the home banking example from above, we can label a disk resource (e.g., a physical partition or a file) to make it accessible to the home banking domain. The example policy provides a resource label, res_LogicalDiskPartition1(hda1), that is compatible with the HomeBanking domain label. .Sp .Vb 1 \& xm addlabel "res_LogicalDiskPartition1(hda1)" res phy:hda6 .Ve .Sp After labeling this disk resource, it can be attached to the domain by adding a line to the domain configuration file. The line below attaches this disk to the domain at boot time.
.Sp .Vb 1 \& disk = [ \*(Aqphy:hda6,sda2,w\*(Aq ] .Ve .Sp Alternatively, the resource can be attached after booting the domain by using the \fBblock-attach\fR subcommand. .Sp .Vb 1 \& xm block\-attach homebanking phy:hda6 sda2 w .Ve .Sp Note that labeled resources cannot be used when security is turned off. Any attempt to use labeled resources with security turned off will result in a failure with a corresponding error message. The solution is to enable security or, if security is no longer desired, to remove the resource label using the \fBrmlabel\fR subcommand. .RE .RE .RS 4 .Sp \&\fB\s-1STARTING\s0 \s-1AND\s0 \s-1LISTING\s0 \s-1LABELED\s0 \s-1DOMAINS\s0\fR .Sp .Vb 1 \& xm create myconfig.xm \& \& xm list \-\-label \& \& Name ID ... Time(s) Label \& homebanking 23 ... 4.4 dom_HomeBanking \& Domain\-0 0 ... 2658.8 dom_SystemManagement .Ve .RE .RS 4 .Sp \&\fB\s-1LISTING\s0 \s-1LABELED\s0 \s-1RESOURCES\s0\fR .Sp .Vb 1 \& xm resources \& \& phy:hda6 \& type: ACM \& policy: example.chwall_ste.client_v1 \& label: res_LogicalDiskPartition1(hda1) \& file:/xen/disk_image/disk.img \& type: ACM \& policy: example.chwall_ste.client_v1 \& label: res_LogicalDiskPartition2(hda2) .Ve .RE .RS 4 .Sp \&\fB\s-1POLICY\s0 \s-1REPRESENTATIONS\s0\fR .Sp .RS 4 We distinguish three representations of the Xen access control policy: the source \s-1XML\s0 version, its binary counterpart, and a mapping representation that enables the tools to deterministically translate back and forth between label names of the \s-1XML\s0 policy and label identifiers of the binary policy. All three versions must be kept consistent to achieve predictable security guarantees. .Sp The \s-1XML\s0 version is the version that users are supposed to create or change, either by manually editing the \s-1XML\s0 file or by using the Xen policy generation tool (\fBxensec_gen\fR). After changing the \s-1XML\s0 file, run the \fBsetpolicy\fR subcommand to ensure that the new policy is available to xend. 
Use, for example, the subcommand \&\fBactivatepolicy\fR to activate the changes during the next system reboot. .Sp The binary version of the policy is derived from the \s-1XML\s0 policy by tokenizing the specified labels and is used inside Xen only. It is created with the \fBsetpolicy\fR subcommand. Essentially, the binary version is much more compact than the \s-1XML\s0 version and is easier to evaluate during access control decisions. .Sp The mapping version of the policy is created during the XML-to-binary policy translation (\fBsetpolicy\fR) and is used by xend and the management tools to translate between label names used as input to the tools and their binary identifiers (ssidrefs) used inside Xen. .RE .RE .RS 4 .RE .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBxmdomain.cfg\fR(5), \fBxentop\fR(1) .SH "AUTHOR" .IX Header "AUTHOR" .Vb 4 \& Sean Dague \& Daniel Stekloff \& Reiner Sailer \& Stefan Berger .Ve .SH "BUGS" .IX Header "BUGS"