Xen and the Art of System Administration

Johnny C. Lam

jlam@pkgsrc.org

The NetBSD Project

Caveats

The Problem

How do we isolate processes and users?

The Whole "UNIX" Thing

We can run everything on a single machine by taking care with file and directory permissions, using chroots, and having good bookkeeping skills.

Difficulties

Workaround

We can just run separate processes on separate machines.

Virtualization

Virtualization lets you do all this on a single machine.

Some virtualization technologies

These technologies provide varying degrees of virtualization:

Xen vs. Jails Deathmatch

Xen and jails are two completely different technologies, so comparisons are unfair. However, both can be applied to solve a particular domain of problems in system administration:

Xen provides "machine-level" virtualization, while jails provide "OS-level" virtualization, so the two carry different cost trade-offs.

Jails only exist on FreeBSD and DragonFly, and I use NetBSD, so I use Xen.

Xen hypervisor

Originally developed by the University of Cambridge Computer Laboratory, and now developed by XenSource.

Xen domains

Concrete Example

Domain 0 Setup

Domain U Setup

Example domain U configuration file

The configuration file is Python, so setup code can run before the domain is built. Here an encrypted disk image is bound to a vnd(4) device and the resulting partition is handed to the cgd(4) backend.

import os

kernel = "/xen/netbsd-3/netbsd-XENU"
memory = 128
name = "jabberwock"
cpu = -1
nics = 1
vif = [ 'mac=ee:14:04:d0:ec:af, bridge=bridge0' ]

# Attach the encrypted image to a free vnd(4) device. The block-file script
# prints the device it used; the code below assumes a name such as "vnd2d",
# drops the trailing partition letter and uses the 'a' partition for cgd(4).
cmd = '/usr/pkg/etc/xen/block-file bind /xen/jabberwock/crypt.img'
out = os.popen(cmd)
vnd = out.readline().rstrip().rstrip('d') + 'a'
out.close()

disk = [ 'cgd:' + vnd + ':/xen/cgd/jabberwock,wd2d,w',   # encrypted data, writable
         'file:/xen/jabberwock/pkg.img,wd1d,r',          # packages, read-only
         'file:/xen/netbsd-3/root.img,wd0d,r' ]          # shared root image, read-only
root = "/dev/wd0d"
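An added example, not from the slides: the helper logic in the config above runs block-file through os.popen and never checks whether the bind succeeded. If the script is missing or fails, readline() returns an empty string, vnd becomes just "a", and the domain would be created with a nonsense disk spec of the form "cgd:a:...". The Python below validates the output and fails loudly instead. It assumes the same /usr/pkg/etc/xen/block-file path as the config and an output of the form vndNd (inferred from the original's rstrip('d')); both are assumptions, not documented behaviour of the script.

```python
import re
import subprocess

# Assumed path, copied from the domain U config (not verified here).
BLOCK_FILE = "/usr/pkg/etc/xen/block-file"

# Accepts "vnd2d", "vnd2" or "/dev/vnd2d"; the output format is an assumption
# inferred from how the original config strips the trailing 'd'.
_VND_RE = re.compile(r"^(/dev/)?vnd(\d+)([a-p])?$")


def vnd_partition(bind_output, partition="a"):
    """Turn the device name printed by "block-file bind" (e.g. "vnd2d")
    into the partition the cgd(4) backend should use (e.g. "vnd2a").

    Raises ValueError on empty or unexpected output rather than silently
    producing a bogus device name the way the original popen code does.
    """
    line = bind_output.strip()
    m = _VND_RE.match(line)
    if not m:
        raise ValueError("unexpected output from block-file bind: %r" % bind_output)
    prefix = m.group(1) or ""
    return "%svnd%s%s" % (prefix, m.group(2), partition)


def bind_image(image, block_file=BLOCK_FILE):
    """Run "block-file bind IMAGE" and return the vnd partition to use.

    check=True raises CalledProcessError on a non-zero exit, and
    vnd_partition() rejects empty stdout, so a failed bind can never
    reach the disk list.
    """
    proc = subprocess.run([block_file, "bind", image],
                          capture_output=True, text=True, check=True)
    return vnd_partition(proc.stdout)


def disk_spec(vnd, cgd_conf, pkg_img, root_img):
    """Build the disk list in the same shape as the config above:
    encrypted writable data disk, read-only packages, read-only root."""
    return [
        "cgd:%s:%s,wd2d,w" % (vnd, cgd_conf),
        "file:%s,wd1d,r" % pkg_img,
        "file:%s,wd0d,r" % root_img,
    ]


if __name__ == "__main__":
    # Only meaningful on a NetBSD dom0 with the block-file script installed.
    vnd = bind_image("/xen/jabberwock/crypt.img")
    for entry in disk_spec(vnd, "/xen/cgd/jabberwock",
                           "/xen/jabberwock/pkg.img", "/xen/netbsd-3/root.img"):
        print(entry)
```

Dropping this into the config in place of the os.popen lines means a failed bind aborts domain creation with a traceback, which is the behaviour you want for a disk that is supposed to be encrypted.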

Example guest domains

Closing Thoughts

Links to more information