From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: documentation@lists.ipfire.org
Subject: Re: Xen Documentation
Date: Fri, 20 Feb 2015 02:04:58 +0100
Message-ID: <1424394298.17826.214.camel@ipfire.org>
In-Reply-To: <54E3C541.1050407@dailydata.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4801240909942197953=="
List-Id: <documentation.lists.ipfire.org>

--===============4801240909942197953==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Tue, 2015-02-17 at 16:48 -0600, R. W. Rodolico wrote:
> FYI, a brief (and hopefully accurate) reply to your questions.
>=20
> paravirtualization (PV) uses the kernel from the underlying DOM0 (the OS
> running on the bare machine, which runs everything else).
>=20
> Hardware virtualization (HVM) is completely divorced from the underlying
> operating system. Instead, it uses its own kernel and some fake hardware
> exported by the underlying system.
>=20
> PV's are much faster since one kernel controls everything. The kernel is
> able to direct resource usage without any intermediate layer. However,
> you must keep the virtual and the underlying system in sync. One thing I
> remember is every time you upgrade the kernel on the DOM0, you must copy
> the new lib's to every virtual. Obviously, you can not run non-Linux
> systems on a PV. To move a PV from one DOM0 to another, the kernel's and
> libraries must match, or you need to copy the libraries to the virtual
> before running it.
>=20
> HVM's have a layer between them and the underlying kernel. I think that
> is QEMU, but I don't remember. Since it has to go through a second
> translation layer, it uses more resources. However, you can have a 2.4
> kernel on the DOM0, and be running the latest kernel on the virtual, or
> even Windows, BSD or OSX. HVM's can be moved between DOM0's with little
> or no modification (generally a small line in the config file).

All the hypervisors we have base on QEMU. VMware put it in their kernel.
VirtualBox is still using userspace but have added lots of graphics
features. The Xen project put it in a micro kernel. Of course lots of
development has been put in all of these projects and therefore they
diverged a lot.

> For IPFire, I prefer HVM's because you have spent so much time making
> sure the kernel and libraries are secure. Thus, even on an older DOM0, I
> can have a very secure firewall/router. However, some things such as
> automated shutdown of the IPFire instance are not available since IPFire
> does not include the HVM device drivers (they use a generic device
> driver when IPFire is installed). That can cause a problem during server
> shutdown, since the backup is to "destroy" the virtual, ie pull the plug.

I think that we should have a short mentioning that the HVM version is
the preferred one then. It is actually not that much slower any more.
CPUs do everything in regards of their jobs. Some devices needs to be
emulated which causes a bit more overhead yes. In perspective though
IPFire does not read or write a lot of data from/to disk so that there
will never be a bottleneck on that end. The virtual network drivers have
also a negligible overhead.

The PV approach comes with way more difficulties and I guess that HVM is
most used any way.

> As far as I know, tying a physical piece of hardware to a single DOMU is
> still supported, though I have not used that since 3.x,
> http://wiki.xenproject.org/wiki/XenPCIpassthrough indicates it is still
> available.

Maybe someone else can contribute this later.

>=20
> Rod
>=20
> On 02/17/2015 10:05 AM, Michael Tremer wrote:
> > Hi,
> >=20
> > if I may send you a little wishlist:
> >=20
> > There are many many guides about how to set up a Xen server with Debian.
> > I am not sure about the state of all of them. Some of them are based on
> > outdated versions of Debian. I suppose it is best to merge them all
> > together and delete the rest.
> >=20
> >   http://wiki.ipfire.org/start?do=3Dsearch&id=3Dxen
> >=20
> > Maybe it is a good idea to start a little virtualisation section
> > (http://wiki.ipfire.org/en/virtualization/start) with subsections for
> > Xen (http://wiki.ipfire.org/en/virtualization/xen/start), KVM and all
> > the rest.
> >=20
> > Explaining an installation of the IPFire system from scratch should not
> > be necessary but the differences to using Xen should be pointed out
> > somewhere.
> >=20
> > I personally am always confused about the HVM and PV thing. What should
> > people use? What are the advantages/disadvantages?
> >=20
> > There was also this:
> >=20
> > http://planet.ipfire.org/post/dropping-support-for-xen-3-x-deprecation-wa=
rning
> > http://planet.ipfire.org/post/bye-bye-xen-legacy-kernel
> >=20
> > Many people use the feature where you can hand over the physical
> > hardware to the guest machine. Does this actually still work? What are
> > the benefits of that?
> >=20
> > All this information should be out there somewhere in the wiki. Putting
> > it all together in a nice section with small pages which are easy to
> > find would be really great :)
> >=20
> > -Michael
> >=20
> > On Tue, 2015-02-17 at 03:10 -0600, R. W. Rodolico wrote:
> >> David,
> >>
> >> It would be great if you could get some notes on this. Even if they are
> >> rough, it would be better than nothing. Having never messed with KVM
> >> (I'm Debian/Xen for the most part), I really don't know much about it,
> >> though I do engage in "religious wars" over KVM vs Xen vs Virtual Box
> >> with from friends/associates of mine.
> >>
> >> Anyway, if you had some brief notes, it would be great to include them.
> >>
> >> Rod
> >>
> >> On 02/16/2015 11:07 PM, David J. Allen wrote:
> >>> On 02/16/2015 08:11 PM, R. W. Rodolico wrote:
> >>>> I am in the process of creating documentation for a Xen virtual IPFire
> >>>> install. If anyone else is doing it also, please let me know so we can
> >>>> collaborate. I'm hopeful to have it complete Friday 20 Feb.
> >>>>
> >>>> I am trying an install using the scon image. Assuming that works, shou=
ld
> >>>> I also write documentation on how to do it from a standard "installer"
> >>>> installation?
> >>>>
> >>>> Again, if anyone else is doing this, please let me know so we do not
> >>>> duplicate efforts.
> >>>>
> >>>> Rod
> >>>
> >>> I am not writing docs on doing so* but I have been running Ipfire in a
> >>> VM under KVM on Scientific Linux 6.x for a couple of years now. I think
> >>> setting up Ipfire was easier than getting the KVM set up right.
> >>>
> >>> The VM host box has 2 onboard NICs, but I'm using a dual-NIC card in the
> >>> box which is dedicated to the Ipfire VM. The tricky part was figuring
> >>> out how to give Ipfire exclusive access to the WAN NIC without it being
> >>> accessible to the KVM host and the other VM guests.
> >>>
> >>>
> >>> * Although I should do it at least for myself - had to redo my
> >>> installation a while back after moving and had left no notes for myself.
> >>> Which of course resulted in re-inventing my own wheel! ;)
> >>>
> >>>
> >>> _______________________________________________
> >>> Documentation mailing list
> >>> Documentation(a)lists.ipfire.org
> >>> http://lists.ipfire.org/mailman/listinfo/documentation
> >>
>=20

--===============4801240909942197953==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUFC
Q2dBR0JRSlU1b2crQUFvSkVJQjU4UDl2a0FrSEpyWVFBSXpSVW14b1ZKcWIwaWxiZWtqU2ZaaXQK
TlBmQkZYaEFSK1ZpbHE0dm5jUTRBNlNMOGg1WjhNNVg5UHNHemxKWFRVTkRnL0tsNHovZERtNE1j
cDgyNkp3RApDZk5DRTgyVXM5c2xUUEJya2J6VUxnczF6SlRmSHNVWitmNmF5MUkzMktoaGRyb0VG
RW5KRVptbjJacG5JeVIyCkhBVWM2ZVU0cExVQ2hzSE5sMWRiWUVoaWF6VytLVUNvT0xPSlFPcDFl
MGpKOXVHcGgxQ1pncDhjMHV3MkRNWnoKb0VnOHk2aHg2U0xCSHh5TitxNlZ4d0NMdlRHLzA2OWRa
dlNQL3B3V3FTVSswNStNellZRklGaHRLYWFURTgxWApVbEVyQkEyRWFRZWNsbDlnQ0lqdzNxMFBV
SG5ScDV3WUtYaDljeHVZbE9NcEZqSTZ2SjVvZXAwVUN1OFdZMnpKClEzbHFpdTFTUWhiTU0rZWRu
R0VBN3FDdVlBVlIwbmhJVUJFTXpUYXdsZ2RWMTBDejlJcU5mTDkvcFQ5c2FpdngKKzJsajlXUXpi
bmQvdDQrT0VWeWpES3lZVTYwZEhCUWhiU2l3KzRCZUdHRzlDa2o2bjdTYTk5dXhjeWZMRTd4QQpp
aDhJbFVDa1ErWkQ2UW11QmdjVWgwczhya0tZT2F6Y1I4TmM1STlkbTQ4UVQ2K284eCsxZ0haS1Vz
Y2pSUk16Ck0rb05MZEZQeU0wRDFjVXBZU2l4dFRjbVpkdVkvNHgxalZycUVJaGNOQi9ReldGT2NN
STEzZ0ZlbDlGeTJhRjYKWVp0N3ZSK2JUZUJ6MGVwRUo3K2kyMmo5YlFwRU1KMTdlbEpadUZMclpS
bmpJOHVqbjRHYm83RkZKL0pZUmNaegpiV0J6cHpBYVZBUU5aa1lacllINAo9VTQ4NAotLS0tLUVO
RCBQR1AgU0lHTkFUVVJFLS0tLS0K

--===============4801240909942197953==--