Xen PVH: Third time lucky #1159
Comments
|
Really nice work! Had a quick look at the Bootvar and Io_page API changes, and both look fine. It's lovely to see the MiniOS internals disappear from the bindings. |
|
Updated to reflect the current status, WIP branches and added a rough TODO list. This is now "almost" functionally complete barring some rough edges which I hope to have sorted soon, after which I will put out a call for wider testing while working on getting the WIP branches into shape for PR and actual review. |
|
I tried your branches / opam repo on my Qubes laptop. It does not work out of the box unfortunately (the start_info is version 0 here, not >= 1 -- Xen version: 4.8.5-14.fc25). The output of a unikernel (I added a log for the command line and moved the AFAICT, solo5 platform uses the start_info to figure out the memory size as well, which is not present in version 0 (used by QubesOS). Reading a bit of mini-os, it looks like it's possible to use a different path (https://github.com/mirage/mini-os/blob/48d3b31ce47156d92255a2fe98334dd15a42a097/arch/x86/mm.c#L127). Though, I'm not sure what the timeline of Xen updates in QubesOS are (maybe @marmarek has some comments here?) in order to get a newer start_info struct. A second issue outlined above is that it looks like QubesOS needs the boot parameter filters, since it's passing something along that won't work with cmdliner/functoria/mirage. The output of dmesg in the host system: (@mato: Edited to replace 700 lines of dmesg with an attachment) |
Already available:
Qubes 4.1 should be out in few months (rc1 probably next month, then 2-3 months until final release). This will have Xen 4.13. |
The goal of this work was to eliminate/replace as much legacy code as possible, with prejudice. Therefore, I wrote it to target the Xen PVHv2 ABIs only. Given that Xen only lists PVHv2 as "fully supported" from 4.10 onwards, I would strongly prefer not to try and support earlier versions. |
|
Fair enough. |
|
hi @marmarek ,
thanks, that works nicely.
NB this is part of
great, I'm looking forward to test this work on qubes with a more recent Xen. I'd be fine to test an early beta of 4.1, if there's documentation for how to upgrade from a Qubes 4.0 (or a binary usb stick release so I can reinstall my QubesOS). please let us know when there's such an upgrade path or beta release. |
Update mirage-block-xen to the interface changes in the new Xen core platform stack. Part of mirage/mirage#1159, depends on mirage/mirage-xen#23.
Update mirage-console-xen to the interface changes in the new Xen core platform stack. Part of mirage/mirage#1159, depends on mirage/mirage-xen#23.
Update mirage-net-xen to the interface changes in the new Xen core platform stack. Part of mirage/mirage#1159, depends on mirage/mirage-xen#23.
Update vchan-xen to the interface changes in the new Xen core platform stack. Part of mirage/mirage#1159, depends on mirage/mirage-xen#23.
This adapts the `mirage` front-end tool to the new Mirage/Xen platform stack (see mirage#1159). User-visible changes: - `.xe` (Xenserver) filegeneration has been removed, I have no way to test this. - "Unknown" argument filtering in `Bootvar` / `argv` has been removed, this was causing problems and I do not know of any users apart from Qubes OS where this can be solved differently, see comments in mirage#1159. Note that Xen unikernels now include a dummy Solo5 manifest to keep the rest of the build system and Solo5 layers happy; this does not contain any devices as they are not required and Xen device naming does not follow Solo5 requirements.
|
All components now have PRs ready for review; I've updated the description here with the current status. |
|
See #1184 for discussion / work in progress on supporting the Xen version shipped by the existing Qubes OS 4 release. |
This adapts the `mirage` front-end tool to the new Mirage/Xen platform stack (see mirage#1159). User-visible changes: - `.xe` (Xenserver) filegeneration has been removed, I have no way to test this. - "Unknown" argument filtering in `Bootvar` / `argv` has been removed, this was causing problems and I do not know of any users apart from Qubes OS where this can be solved differently, see comments in mirage#1159. Note that Xen unikernels now include a dummy Solo5 manifest to keep the rest of the build system and Solo5 layers happy; this does not contain any devices as they are not required and Xen device naming does not follow Solo5 requirements.
|
Status update: Qubes OS 4.0 support is now done (Solo5/solo5#480 and added to mirage/mirage-xen#23). Most of the discussion is in mirage/qubes-mirage-firewall#116. Further fixes to importing grant mappings from other Xen domains have landed in mirage/mirage-xen#23. I have updated the package universe (see description) to Mirage 3.8.1 and to include the above; you should be able to build Mirage/Xen unikernels for both Xen 4.10+ and Qubes OS 4+ from it with no problems. |
This adapts the `mirage` front-end tool to the new Mirage/Xen platform stack (see mirage#1159). User-visible changes: - `.xe` (Xenserver) filegeneration has been removed, I have no way to test this. - "Unknown" argument filtering in `Bootvar` / `argv` has been removed, this was causing problems and I do not know of any users apart from Qubes OS where this can be solved differently, see comments in mirage#1159. Note that Xen unikernels now include a dummy Solo5 manifest to keep the rest of the build system and Solo5 layers happy; this does not contain any devices as they are not required and Xen device naming does not follow Solo5 requirements.
* [Mirage 3.x] Port to new Mirage/Xen platform stack This adapts the `mirage` front-end tool to the new Mirage/Xen platform stack (see #1159). User-visible changes: - `.xe` (Xenserver) filegeneration has been removed, I have no way to test this. - "Unknown" argument filtering in `Bootvar` / `argv` has been removed, this was causing problems and I do not know of any users apart from Qubes OS where this can be solved differently, see comments in #1159. Note that Xen unikernels now include a dummy Solo5 manifest to keep the rest of the build system and Solo5 layers happy; this does not contain any devices as they are not required and Xen device naming does not follow Solo5 requirements. Other changes: - Checksum stubs are provided by mirage-xen, tcpip.xen is not needed to be linked anymore. - mirage-{net,bootvar,block,console}-xen, mirage-qubes{-ipv4}: adapt bounds for the upcoming release - opam: provide a dev-repo field to silence warnings Co-authored-by: Hannes Mehnert <hannes@mehnert.org>
|
Update: the dependencies have been merged into opam-repository, and mirage 3.9.0 is tagged and PRed to opam-repository. PR #1193 is a forward-port of the changes to master. We plan to announce the release on mailing lists etc. once mirage 3.9.0 is merged into opam-repository. |
|
All done here! |
After discussing the state of the Xen platform stack with @mirage/core last month, we decided to explore the option of replacing Mini-OS entirely using a hybrid approach with Solo5 providing the low-level "early boot" code and Mirage providing the rest of the stack.
This approach has the advantage of starting from scratch with a minimal and modern code-base, and gets the existing build system infrastructure and freestanding OCaml runtime provided by Solo5 "for free".
I'm happy to report that this is now past PoC stage and the general approach has been shown to work, and I'm opening this issue to track the remaining work in public. This is a replacement for both #998 (Unikraft) and #1007 (update to Mini-OS master).
Overall status: Unikernels from
mirage-skeletonbuild and run, vchan test unikernels fromocaml-vchanlikewise. Tested on Xen 4.11, should work on 4.10 or higher.Qubes OS status:
Qubes OS 4.0 ships with Xen 4.8 which we do not support. These changes need to be tested against the upcoming Qubes OS 4.1 release (#1159 (comment)).Support for Qubes OS custom Xen 4.8 version is now part of mirage/mirage-xen#23.Non-goals: The existing ARM32 support is removed, this is all x86_64 only for now. Only Xen PVH v2 is supported, available from Xen 4.10 onwards.
There is a package universe available in
mirage/mirage-dev, based on Mirage 3.x (currently 3.8.1):The following components make up this work. Anything below which does not yet have an active PR is liable to get re-based at any time:
The following dependencies need API updates, no functional changes intended:
Io_pageio-page-xenmato/io-page#xen-pvh-via-solo5Rough TODO list
OSmoduleThe text was updated successfully, but these errors were encountered: