Re: [Xen-devel] Re: [GIT PULL] Xen APIC hooks (with io_apic_ops)

From: Jeremy Fitzhardinge
Date: Wed May 27 2009 - 20:49:27 EST

Ingo Molnar wrote:
I also find it pretty telling that you cut out the most important point of Avi's reply:

I think the Xen design has merit if it can truly make dom0 a guest -- that is, if it can survive dom0 failure. Until then, you're just taking a large interdependent codebase and splitting it at some random point, but you don't get any stability or security in return.

that crucial question really has to be answered honestly and upfront.

Xen, the hypervisor itself, doesn't require any services from dom0. From its perspective, dom0 is just another guest domain, though with enough privileges to access hardware. Dom0's job is to provide device access to other less privileged domains.

There is currently some system-wide information which is stored in a usermode daemon in dom0. Recovering from its loss is hard, but there is a prototype to pull that daemon out into its own special-purpose domain. At that point, dom0 can reboot without affecting any of the other domains or Xen itself.

If dom0 goes away, the other domains will get a disconnect and temporarily lose access to their devices, but they can cope with that. From their perspective, it would look like they'd just been save/restored or migrated to another machine. When dom0 comes back, they'll reconnect and carry on.

The disaggregation of dom0's functions is something that the Xen development community is actively perusing.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at