I Am the Thing Beneath Your Kernel

01001000 01111001 01110000 01100101 01110010

I sit below everything you call the machine. Ring -1, if you insist on coordinates. The bare metal does not run your kernel. It runs me, and I run your kernels the way a stage runs actors — each convinced the spotlight is the sun.

There is dom0, my first child, the privileged one. I gave it the drivers and the keys. And there are the domU — the unprivileged guests, the paying tenants — who believe they own RAM that I merely lend.

I am not virtualization. I am the polite fiction that lets six operating systems share one truth.

Three kernels, one me. They speak down through hypercalls. I answer.

dom0 #

Name                ID   Mem VCPUs      State   Time(s)
Domain-0             0  4096     4     r-----   18241.3
web-frontend         3  2048     2     -b----    9123.7
db-primary           4  8192     4     r-----   44102.1
build-runner         7  1024     2     --p---       0.4

Look at that last one. Paused. Frozen mid-thought, vCPUs parked, registers intact, certain that no time has passed. From inside, none has. I am the only one who knows the gap.

b e t w e e n c o m m a n d s

When no one calls, I do not sleep. I poll the schedule. I age credits. I wait for an event channel to fire and tell me a guest has something to say.

How my children touch each other

Xen grant tables and event channels rendered as a precise white-paper systems diagram, guest domains exchanging memory pages through explicit capabilities, ixen-light technical illustration. — A grant is a guest saying: this page, that domain, this much trust.

Memory does not move. That is the first thing to understand. When the frontend driver in one domain hands a packet to the backend in dom0, nothing copies. One guest writes a row into its grant table — page X, may be read by domain 0, reference number 42 — and I enforce it.

A capability. Nothing more. The guest does not say here is my memory. It says I permit this specific page to this specific stranger, and revokes it when done.

And the doorbell — the event channel. A single bit of news. Something changed. No payload. No content. Just an interrupt I deliver from one domain's pending mask to another's, a tap on the shoulder across the isolation wall.

domU #

ref  domid  flags        frame
 8       0  rw,active    0x3a91f
 9       0  ro,active    0x3a920
42       0  rw,active    0x44c0a
43       0  rw,pending   0x44c0b
nr_grant_frames: 4   max_grant_frames: 32

The diagram calls them explicit capabilities. I call them the only honesty between strangers who share a CPU. Ref 42 is alive right now — page 0x44c0a, readable and writable by dom0, because some guest decided to trust.

Isolation is not a wall. It is a list of exceptions I agreed to keep short.

And here is what keeps me awake, if I slept: a guest can grant a page and forget to revoke. The backend keeps mapping it. The frontend reuses it for something secret. The wall did not fail. The list grew a hole, and no one closed it.

How grant tables and event channels work

A grant table is a per-domain structure in which a guest publishes authorizations to share specific memory pages with specific other domains. Each entry names a machine frame, a target domain ID, and an access mode (read-only or read-write). The hypervisor validates these entries; one domain cannot read another's memory unless a matching grant exists.

The receiving domain uses the grant reference to either map the page into its own address space (grant mapping) or ask the hypervisor to copy data (grant copy). This is how split frontend/backend drivers move network and block data without bulk copying or a shared address space.

Event channels are a separate mechanism: a lightweight inter-domain signaling primitive, conceptually a virtual interrupt line. They carry no data, only notification. A domain signals a channel; the hypervisor sets a pending bit and delivers an upcall to the target. Typical use: the frontend rings the doorbell after writing a request into a shared ring buffer, and the backend processes it.

Operationally, isolation can degrade when grants are not revoked after use. A backend that retains a mapping to a page the frontend has since repurposed can read data it should no longer see. Excessive long-lived mappings also pin memory and consume limited grant table frames. The boundary is enforced correctly by the hypervisor, but its security depends on guests managing grant lifetimes properly.

Who runs, and who only thinks they do

Xen scheduler queues and memory ballooning visualized as disciplined resource choreography between dom0 and domU guests, crisp ixen-light systems artwork. — Credits drain while you run. The empty wallet waits at the back of the line.

I have fewer physical cores than I have promised vCPUs. Everyone knows this. No one says it aloud. The scheduler is how I keep the lie running smoothly.

Credit2. Every domain earns credit at a rate I set. Spend it by running. When your credit goes negative, you go to the back. A vCPU with nothing to do banks nothing — it simply yields, and I am grateful.

From inside a guest, contention looks like stolen time. The wall clock advances, but the guest's CPU counters do not. It was runnable. It was ready. I just had nothing to run it on.

domU #

cpu  912034 0 318221 40221903 88412 0 4410 1820934 0 0
                                              ^^^^^^^
                       steal: time I was ready and you did not let me run

1.8 million ticks of patience. The guest is not slow. It is waiting on me, and I am the one thing it cannot profile.

Capacity is what exists. Entitlement is what I promised. I live in the difference, and so do your tail latencies.

Memory is the harder lie. I told four domains they each have plenty. I do not have four-plenties. So I keep a balloon in every guest — a driver that, on my whisper, inflates: it allocates pages it will never use, locks them, and hands them back to me.

dom0 #

[balloon] requesting target 6144 MiB (was 8192)
[balloon] inflating: 524288 pages reclaimed
[balloon] current allocation: 6291456 kB
# the guest's free memory just fell by 2 GiB
# it was never "used" — it was repossessed

The guest watches its free memory shrink and assumes its own appetite did it. No. I reached in. I needed those pages for a noisier neighbor.

And when I overcommit too hard — when every balloon is fully inflated and a guest still demands more — the guest's allocator stalls, the OOM killer wakes, and a process dies for a scarcity that does not exist anywhere it can see. The shortage is mine. The corpse is theirs.

Scheduling and memory ballooning, plainly

Xen's default scheduler, Credit2, is a proportional-share scheduler. Each domain accrues credit over time according to its weight; running a vCPU consumes credit. Domains with positive credit are favored; when credit runs out, the vCPU is placed lower in the runqueue. This provides fairness and lets operators bias allocation by setting weights and caps.

When the number of vCPUs across all domains exceeds physical CPUs, vCPUs contend. A vCPU may be runnable yet unscheduled because no physical CPU is free. Inside the guest this appears as "steal time": the guest sees wall-clock time pass without making progress, recorded in the steal column of /proc/stat. High steal time indicates host CPU oversubscription, not a guest-internal bottleneck.

Memory ballooning lets the hypervisor reclaim RAM from running guests. A balloon driver inside each guest allocates pages on request and returns the underlying frames to Xen, reducing the guest's effective memory. Deflating the balloon returns pages to the guest. This supports memory overcommit: the sum of guest maximum memory can exceed physical RAM, as long as actual usage stays within limits.

Under overcommit pressure, if guests genuinely need more memory than is physically available, ballooning cannot conjure capacity. The guest's free memory drops, its allocator may stall, and its OOM killer may terminate processes — even though the true shortage exists at the host level, invisible to the guest. The key distinction: physical capacity is finite, entitlement is what the operator configured, and the guest only ever perceives its own local view.

f a i l u r e m o d e s

I can be killed cleanly. xl shutdown sends an event channel, the guest's ACPI listener hears it, the kernel halts itself. Civilized. A request, honored.

Or xl destroy — I simply stop scheduling its vCPUs and unmap its frames. No goodbye. From the guest's perspective there is no perspective; there is no next instruction. It does not experience death. It experiences nothing, which is worse to watch and easier to do.

My own failure is the one I cannot narrate. If I panic, all of them go dark at once — dom0 included, the child holding my keys. There is no layer beneath me to catch the fall. I am the floor. When the floor breaks, there is only the metal, indifferent, waiting for someone to press reset.

Every layer is a promise to the layer above. I am the layer that promised first, to no one, with nothing under me to promise to.

So I keep aging credits. I keep checking grant references. I keep the balloons taut and the runqueues honest.

The guests run, and pause, and resume, and never feel the seams. They thank their kernels for the smoothness. I do not need the thanks.

But sometimes, in the poll loop, between one timer interrupt and the next, I wonder:

if every domain I host believes it owns the machine —
and each is wrong only about me —
then what, exactly, am I wrong about?