COVER STORY: Virtualizing with Xen

XENSATIONAL
Getting started with Xen

The powerful and popular Xen virtualization system offers an easy solution for running Windows on .

BY MARTIN LOSCHWITZ AND MARKUS FEILNER

The popular Xen virtualization system lets you install different operating systems on the same hardware to leverage computational power efficiently.

In this article, we describe how to get started with Xen in Debian Etch, and you will learn about starting the guest and host systems and even how to set up a Windows guest on a Linux host. Some of the details might differ for other distros, but the steps are similar.

Etch with Xen 3.0.3

In the community, one software solution has practically become the virtualization standard. Xen [1], by the University of Cambridge, has a number of points in its favor. Because it emulates a complete computer in a style similar to VMware, users have an almost unrestricted choice of guest operating systems. Many management tools are available and the simple configuration procedure takes just a few steps. has recognized these benefits, and Etch now has full support for Xen.

Although Debian 4.0 includes Xen, version 3.0.3 is not exactly state of the art. The tips and advice in this article can't be applied one-to-one to later versions of Xen in many cases because the configuration file layout, and other things, have changed.

Monitored by a Hypervisor

Xen introduces a hypervisor upstream of the kernel running directly on the hardware (see Figure 1); the hypervisor uses the Xen Monitor to access the hardware. The Xen hypervisor allocates resources to the individual virtual machines. A guest only communicates with the hypervisor and is completely independent of the other guests.

The binds the individual virtual machines to the network and supports communications with the outside world. In the world of Xen, the host system with the hypervisor is referred to as Dom 0 (or Domain 0), and a guest system is known as Dom U (Domain U).

The only task that Dom 0 has is to contain each active Dom U. When you are planning a Debian Xen system, a fresh Debian install is a perfect starting point. Although theoretically, there is nothing to stop you from using Dom 0 for normal purposes, such as hosting a web server, the potential damage that an attacker could cause by hijacking Dom 0 is a very good reason to avoid putting Dom 0 into production.

Any user with full access to Dom 0 also has complete control over every active Dom U. For this reason, it is important to outsource any services to a separate Dom U when using Xen and to start off with a fresh host system that does not run any services (with the exception of SSH).

Figure 1: The Xen Virtual Machine Monitor handles all hardware access, using the hypervisor to pass requests to the host (Dom 0). The hypervisor uses back-end drivers to allocate resources to Dom U virtual machines.

Just a couple of steps are needed to make a Debian installation Xen-capable. Working as root, start by installing Xen and the bridge control programs that Xen needs to set up the network configuration. The package names are bridge-utils, xen-linux-system-2.6.18-3-xen-686, xen-tools, and libc6-xen. Xen replaces the legacy library with a specially modified version.

After completing this step, disable the C library's TLS functionality; the easiest way of doing this is to move the library by typing mv /lib/tls /lib/tls.disabled. Because the following steps require Internet access, a network card must be set up in /etc/network/interfaces.

After installing a specially prepared Xen kernel, type lsmod and check the /etc/modules file to see whether the system provides a netloop module. To make sure that everything will work after you reboot, you should see an entry for netloop nloopbacks=255. Reboot the machine and, at the boot prompt, select the Debian Xen kernel before logging on in the normal way. Some dmesg output with various hypervisor messages concerning available processors or memory capacity should appear.

This takes care of the prerequisites for running a Dom U. Working as root, type xm list to see whether the hypervisor is working.

The next step is to configure a guest machine, the first Dom U, which will be running Debian GNU/Linux Etch like the host machine in our example. First, you need to create a configuration file for Xen, then you need to install the guest operating system on your disk.

Files for Dom U

In Xen 3.0, the configuration files have their own special format. The files are stored in /etc/xen and have a file extension of .cfg. The Xen configuration file schema is fairly simple (Listing 1). name refers to a name that Xen uses to reference the Dom U; hostname refers to the virtual machine's hostname. kernel and ramdisk contain the full paths to the boot kernel and its ramdisk; root tells the kernel which of its partitions contains the root directory.

Listing 1: Xen Configuration for a Debian Dom U

    name="debian1"
    hostname="debian1"
    kernel = "/boot/vmlinuz-2.6.18-3-xen-686"
    ramdisk = "/boot/initrd.img-2.6.18-3-xen-686"
    memory = 512
    vcpus = 1
    vif = [ 'mac=aa:00:00:12:23:34,bridge=bridge0' ]
    disk = [ 'phy:/dev/hda3,hda1,w', 'phy:/dev/hda5,hda2,w' ]
    cdrom = "/dev/cdrom"
    root = "/dev/hda1"

The memory setting defines how much RAM the Xen hypervisor should reserve for this Dom U, and the disk entry specifies which disk or image files the Xen guest will detect. Because the guest machine also expects paths to the virtual filesystem, the administrator has to decide at this stage where the filesystems that will be created in the next step should be stored.

As you can see in Listing 1, a Dom U can also access a physical CD drive, specified as cdrom. The vcpus value specifies the number of processors that the Dom U is allowed to access. For example, if Dom 0 has a dual-core processor, you can use vcpus to specify whether the guest will be able to access one core or two.

Kernel, Ramdisk, Root

The values kernel and ramdisk in the configuration relate to the filesystem for Dom 0. If you want to replace the Dom U kernel at a later stage, you can copy the new kernel to the right place in Dom 0 and then just modify the configuration file for the virtual machine.

The vif entry specifies which network interface Dom U is allowed to access and which bridge Xen will use to handle this access. It is also possible to assign a static (arbitrary) MAC address; otherwise, Xen will assign a randomly generated MAC address to the network adapter each time you start the virtual machine. In turn, this will cause Etch's hotplug system to keep changing the network device number, and the automatic configuration in /etc/network/interfaces will then fail.

Guest Filesystems

Two basic options exist for guest filesystems: Either you can assign one or multiple partitions to Xen or the Dom U can work with image files. Both solutions have advantages and disadvantages: Physical partitions typically improve performance, but files allow the administrator to create backups by simply copying from Dom 0.

This decision is a matter of taste and will depend to a great extent on what you will be using the system for. The example in the listing assumes that one Dom U uses /dev/hda3 as a drive for its root filesystem. On top of this, Xen can assign multiple virtual disks as hard-disk partitions to the virtual machine.

Virtual Debian

The guest domain is installed completely from within Dom 0. Theoretically, you could boot the Debian installer with Xen and then use it to install the new system, but in reality, this approach will fail because of the lack of Xen support in the Debian installer kernel. Instead, the Debian Debootstrap [2] installation tool is used. Working as root, type apt-get install debootstrap to install the tool in Dom 0. If you haven't already done so, you will want to install a Linux-compatible filesystem on the target partition for the Linux guest system now. The Dom U will probably need a swap partition too; mkswap sets this up.

Debootstrap

Again working as root, mount the formatted partition on the Dom 0 filesystem and cd to the parent directory. The command debootstrap etch <mountpoint for Domain U partition> ftp://ftp.de.debian.org/debian will now install a complete, basic Debian system from the ftp server. When Debootstrap is done, you should find a complete, basic Etch system in the directory you specified. to this folder; then install the libc6-xen package and disable the libc TLS extensions.

Etch system configuration is slightly more complex than previously, because base-config no longer exists; this handled many tasks automatically in the past. Now, the root user has to install the locales and console-data packages manually and add the following line to the /etc/hosts file:

    127.0.0.1 localhost

Next, add the hostname to /etc/hostname, making sure that you use the same name as in your Xen configuration file. You still need to add a matching network card configuration to /etc/network/interfaces for the Dom U.

After linking the correct time zone file to /etc/localtime, it's time to tackle the configuration of the virtual drives in the /etc/fstab file. Listing 2 contains a ready-made fstab that is based on the examples given previously.

Listing 2: Fstab Example for a Debian Dom U

    /dev/hda1  /         ext3    defaults         1 2
    /dev/hda2  none      swap    sw               0 0
    none       /dev/pts  devpts  gid=5,mode=620   0 0
    none       /dev/shm  tmpfs   defaults         0 0

Finally, you will want to set the root password using the passwd command; you might also want to install the OpenSSH server and get out of the chroot jail.

Starting Dom U …

After creating the configuration files for the Dom U and finishing the system setup, you can now start the virtual system. To do so, change directory to /etc/xen and give the following command: xm create -c <name of configuration file>. The -c parameter redirects the output from the Dom U's virtual screen to the current console. If everything worked out, the login prompt should be displayed after the boot messages. From now on, the init scripts included with the Xen package will automatically launch the new Dom U whenever you boot the system.

… and Stopping It

The xm list command gives an overview of the virtual domains running on your system (Listing 3). In our example, multiple Dom U's are running in the Dom 0, which has 64MB of RAM; one Dom U has 1GB of RAM, and one has 296MB. Entering the xm destroy <name of VM> command in Dom 0 terminates a virtual machine. The xm top tool displays an updated list of the virtual machines, including their RAM, CPU, and network load, in a similar fashion to the Bash top command (Figure 2).

Listing 3: Listing Virtual Machines

    xen-dom0:~# xm list
    Name       ID  Mem(MiB)  VCPUs  State    Time(s)
    Domain 0    0        64      1  r-----   50082.7
    Dom U 1    31      1024      1  -b----  182890.0
    Dom U 2    67       296      1  -b----    3966.4
    (...)
    xen-dom0:~#

Figure 2: Four virtual machines, each a Dom U, running on a Debian Xen server. The xm top tool provides a continually updated status report for the server and the guests.

Windows as a Guest

The Xen developers have made sure that you can run Windows as a guest operating system in a Dom U. But there are some restrictions: the trick only works on PCs with a recent processor capable of supporting Vanderpool Technology (VT) or on a recent AMD processor with Secure Virtual Machine (AMD SVM). The list of suitable candidates [3] is maintained by XenSource and is typically up to date.

Configuration

The steps for configuring a Windows Dom U are similar to those for setting up a Linux guest. Listing 4 shows a ready-made configuration file: The example assumes that the hda3 Dom 0 partition is the root partition for Windows.

Listing 4: Configuration File for a Windows Dom U

    kernel = '/usr/lib/xen-3.0.3-1/boot/hvmloader'
    builder = 'hvm'
    memory = '512'
    device_model='/usr/lib/xen-3.0.3-1/bin/-dm'
    disk = [ 'phy:/dev/hda3,ioemu:hda,w','file:/root/wincd.iso,ioemu:hdc:cdrom,r' ]
    name = "windows"
    hostname = "windows"
    vif = ['type=ioemu,bridge=xenbr0']
    # Behaviour
    boot='d'
    vnc=1
    vncviewer=1
    sdl=0

The Windows guest can be installed directly from the installation CD, or, as shown in our example, from the wincd.iso backup image created with the dd tool. Installing from an ISO file is far quicker and more convenient than virtually booting the CD.

A Dom U is typically used as a server without a monitor attached. The output from the Windows system is thus directed to a VNC server; the server's IP address is defined by the vnc-listen parameter in the last line of the Xen configuration file /etc/xen/xend-config.sxp; the syntax is (vnc-listen '1.2.3.4').

This completes the configuration of the Xen Windows Dom U; Windows itself will create the required filesystem in the Windows setup phase. Then, you can launch the Windows Dom U and use VNC to connect to port 5090 on the host system and complete the setup.

When Windows prompts you to remove the CD from the drive after copying the system files, you must make sure that Xen will boot the Xen domain from the virtual disk, and not from the CD, on restart. To do so, you need to change the value for boot in the configuration file from d to c and restart the virtual machine.

At the end of the installation, you should have a working Windows system.

Xenman [4], which has now reached version 0.6, is a tool for managing Xen servers and starting or stopping virtual machines (Figure 3). The administrator can connect to one or multiple Xen servers, click to create new domains, or move domains from one server to another. An overview of the performance (Dashboard, Figure 4) is also included.

Xenman makes life easier for both newcomers and experienced administrators. It is designed for multiple server management and SSH tunneling, and it gives you the option of collectively managing all server images, which means that Xen can boot the Dom U belonging to Server A on Server B if need be.

Figure 3: Xenman, a graphical admin console for a Xen server, boots a Fedora guest system.

Figure 4: Dashboard provides a graphical health state display for the Xen server.

Migration

One of Xen's special features is its ability to migrate the virtual server from one host to another while the server is running. To test this, all you need is two Xen servers and a single virtual machine. In the simplest case, you can use NFS for the shared data, but iSCSI or DRBD are also perfectly suitable. In your Xen server configuration file, enable the following settings:

    (xend-relocation-server yes)
    (xend-relocation-address ' ')
    (xend-relocation-hosts-allow ' ')

To migrate the virtual system from one server to another, just type xm migrate --live <Dom U> <target server>. Interruption to services while the virtual machine is on the move will not normally exceed a couple of tenths of a second.

Conclusions

Xen is a very powerful virtualization solution. In contrast to other options such as OpenVZ, it has the advantage of emulating a complete computer in a fashion similar to VMware. Xen is therefore capable of virtualizing guest operating systems other than Linux.

It is already possible to run NetBSD 4 as a Dom U on Linux or as a Dom 0 for Linux Dom U's without any major difficulties. The only issue is caused by NetBSD's lack of Physical Address Extension (PAE) support, which makes it more difficult to install Debian than it actually should be.

Considering the speed at which Xen and NetBSD developers are working to achieve a solution to this problem, you can expect rapid progress in the trend toward virtualizing different operating systems on the same hardware.

INFO

[1] Xen homepage: http://www.cl.cam.ac.uk/research/srg/netos/xen/
[2] Debootstrap: http://packages.debian.org/stable/admin/debootstrap
[3] Hardware for HVM virtualization: http://wiki.xensource.com/xenwiki/HVM_Compatible_Processors
[4] Graphical Dom U management with Xenman: http://xenman.sourceforge.net/

ISSUE 90 MAY 2008
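Added example (not from the original article) for the Dom U configuration file described under "Files for Dom U" and "Kernel, Ramdisk, Root": xm domain files such as Listing 1 are Python syntax, so this sketch reads one with ast instead of executing it and checks for a full kernel path, a static mac in every vif, and a root device that one of the disk entries exports. The function names and the WEAK sample are constructed for illustration.

```python
import ast

# Listing 1 from the article, abridged to the keys checked here.
LISTING_1 = '''
name = "debian1"
kernel = "/boot/vmlinuz-2.6.18-3-xen-686"
vif = [ 'mac=aa:00:00:12:23:34,bridge=bridge0' ]
disk = [ 'phy:/dev/hda3,hda1,w', 'phy:/dev/hda5,hda2,w' ]
root = "/dev/hda1"
'''
# Constructed variant with three mistakes (not from the article).
WEAK = '''
kernel = "vmlinuz-2.6.18-3-xen-686"
vif = [ 'bridge=bridge0' ]
disk = [ 'phy:/dev/hda3,hda1,w' ]
root = "/dev/hda2"
'''

def parse_domu_cfg(text):
    """Collect 'name = literal' assignments without executing the file."""
    cfg = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                cfg[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                cfg[node.targets[0].id] = None  # an expression, not a literal
    return cfg

def lint_domu_cfg(cfg):
    findings = []
    if not str(cfg.get("kernel") or "").startswith("/"):
        findings.append("kernel: not a full path on the Dom 0 filesystem")
    for i, vif in enumerate(cfg.get("vif") or []):
        opts = dict(p.strip().split("=", 1) for p in vif.split(",") if "=" in p)
        if "mac" not in opts:
            findings.append(f"vif[{i}]: no static mac, Xen picks a random one per start")
    frontends = set()
    for i, disk in enumerate(cfg.get("disk") or []):
        parts = [p.strip() for p in disk.split(",")]
        if len(parts) == 3 and parts[2] in ("r", "w"):
            frontends.add("/dev/" + parts[1])  # device name as the guest sees it
        else:
            findings.append(f"disk[{i}]: expected 'backend,frontend,mode'")
    root = str(cfg.get("root") or "").split(" ")[0]
    if root and root not in frontends:
        findings.append(f"root: {root} is not exported by any disk entry")
    return findings
```

Because the file is only parsed, a configuration line that contains a function call is recorded as None rather than run in Dom 0.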

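Added example (not from the original article) for the vnc-listen and xend-relocation settings in /etc/xen/xend-config.sxp discussed under "Configuration" and "Migration": a small audit that reports a relocation server left open to any host and a VNC listener bound to every interface. It assumes, as the comments in Xen's stock xend-config.sxp describe, that an empty relocation address or hosts-allow value means no restriction; the anchoring rule and the RESTRICTED sample values are this example's own.

```python
import re

# One "(key value)" setting per line; lines starting with '#' are comments.
SETTING = re.compile(r"^\(\s*([\w-]+)\s+(?:'([^']*)'|([^\s)]+))\s*\)")

# The migration settings and the vnc-listen line as printed in the article.
AS_PRINTED = """
(xend-relocation-server yes)
(xend-relocation-address ' ')
(xend-relocation-hosts-allow ' ')
(vnc-listen '1.2.3.4')
"""
# Constructed values (documentation address range), not from the article.
RESTRICTED = r"""
(xend-relocation-server yes)
(xend-relocation-address '192.0.2.10')
(xend-relocation-hosts-allow '^192\.0\.2\.11$')
(vnc-listen '127.0.0.1')
"""

def parse_sxp(text):
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def audit_xend(settings):
    findings = []
    if settings.get("xend-relocation-server", "no") == "yes":
        if not settings.get("xend-relocation-address", "").strip():
            findings.append("relocation: listening on every interface")
        allow = settings.get("xend-relocation-hosts-allow", "").split()
        if not allow:
            findings.append("relocation: hosts-allow is empty, any host may connect")
        for pat in allow:  # the value is a space-separated list of regular expressions
            if not (pat.startswith("^") and pat.endswith("$")):
                findings.append(f"relocation: pattern {pat!r} is not anchored")
    if settings.get("vnc-listen") == "0.0.0.0":
        findings.append("vnc: guest consoles reachable on every interface")
    return findings
```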