
jerome at hub
Mar 22, 2005, 11:24 AM
Post #3 of 4
Re: vserver vs. xen concerning security with gentoo
Marcel Meyer wrote:
> Concerning Xen and vserver: which one suits better for average systems -
> let's start with Linux only - concerning security? (I don't ask which one
> is better - even though they are different, one can "just be enough". F.ex.
> the migration features of Xen are really nice, but aren't sooo interesting
> with security in mind.)
>
> Xen loads its own kernel and then runs on top different kernels, f.ex. Linux.
> They are completely separated from each other - so a compromise or "going
> mad" of one system shouldn't take the others down. But how good can the
> resources be controlled?

Xen completely separates the VMs from each other. As you say, each domain runs its own copy of the kernel, and the Xen Hypervisor controls the resource allocation between each. Therefore, should one domain play up, the most effect it could have is to completely hang its own slice of the time, while all the other domains are unaffected.

> VServer does (almost) everything in user-space - so a kernel is shared. Is
> that correct? If yes, isn't it dangerous concerning kernel bugs? A malicious
> program or user could bring down the whole physical machine.

I don't know so much about Vserver and its topology. If all the running servers share the same kernel then I suppose that theoretically a kernel problem could bring all the instances down; however, this is no more an issue than a standard Linux box, or Xen really, as with Xen people tend to use the same kernel image for each of the unprivileged domains (you can have completely separate kernels for each, but most people use a common kernel), so therefore a kernel bug can potentially affect all the domains that utilise that image.

> Are my assumptions correct? What would you suggest for running several
> domains/virtual servers with just a single service on each to protect the
> processes and users from each other? How would that integrate into
> gentoo-hardened? (The better solution would be useless if I can just use it
> with SuSE & Co ;-) )

Both require patching the kernel, and a learning curve. Which you would rather use probably depends on what you are wanting. Evidently the performance of Vservers is similar to native Linux (as I said I am not so familiar with Vservers), whereas the Xen Hypervisor runs completely under all the OSs, thereby adding a little overhead.

If you are looking to deploy the technology into production, my instinct is to consider Xen, as there is work to adapt it to run on Intel's Vanderpool Technology and AMD's Pacifica. These technologies allow the Hypervisor to be moved further up the hierarchy and will theoretically allow you to run unmodified guest OSs under it (think VMware without the overhead!!!). Have a look at http://xen.sf.net/ for some (albeit old) benchmarks, if you haven't already.

As to integrating into Gentoo-Hardened, how are you wanting to integrate it? The hardened toolchain should work out of the box (there were some issues with compiling the Xen code with SSP & PIE but from memory they have been fixed now), and as PaX, grsecurity, SELinux etc. are kernel features, ensuring that you compile them into your unprivileged kernel and set them up correctly, there should be no issues with getting it to run.

You may also be interested to check out the sHype paper on the IBM website - IBM are investing time and effort to make Xen even more secure. One of the things this will do is add Mandatory Access Controls (MAC) to the Xen hypervisor.

Following is a post to the xen-devel mailing list that addresses the question you ask - hope it helps.

Regards
Jerome

-------- Original Message --------
Subject: Re: [Xen-devel] xen vs. vserver
Date: Tue, 22 Feb 2005 13:43:04 +0000
To: xen-devel [at] lists

> In your faq and performance comparisons I don't see anything about the
> differences between xen & vserver. What is the difference. What will I
> get using xen?

I would expect the performance difference between vserver and native Linux to be virtually nil, so imagine all the Linux bars in the benchmarks were for vservers.

Xen offers a whole load of other features, over vservers:

* Stronger resource isolation between VMs (last I heard, some of this was available for vservers with additional patching but I think Xen's approach is more comprehensive)
  - VMs are scheduled pre-emptively
  - there are strict controls on VM memory usage
  - processes in one VM can't use all the file descriptors on the system and thus deny service to processes in another VM
  - etc, etc.
* Stronger security guarantees - kernel exploits in one virtual machine do not compromise the other virtual machines on the system
* Live migration of virtual machines - move running virtual machines to another host without stopping them
* Suspend / resume of virtual machines - pickle a virtual machine's state to disk and resume it later
* Run a different (user-specified, if you want) kernel in each virtual machine. These may be different versions of the Linux kernel, or other OSs such as FreeBSD, NetBSD, Plan9. This does not imply any extra trust of the user concerned.
* Give a single virtual machine multiple IP addresses on multiple virtual interfaces
* A couple of less commonly used features that we hope to expand upon are:
  - vnets (secure virtual link-layer networks that may involve multiple virtual machines on multiple hosts)
  - driver domains (sandboxed, restartable device drivers so that driver faults won't bring down the machine)

> I know several who are using vserver and have also tried it myself. I
> probably also try xen ;-)

Personally I really like both Xen and vservers. I think they're complementary technologies - it should be possible (with a bit of patching) to run vservers within a Xen virtual machine.

HTH,
Mark
_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
https://lists.sourceforge.net/lists/listinfo/xen-devel

--
Jerome Brown
Technology Architect
Hub.Net
P: +64 3 961-5116
M: +64 29 453 7663
F: +64 3 961-5129
E: jerome [at] hub
W: http://www.hub.net.nz/
O: Level 4, 818 Colombo St, Christchurch, New Zealand
S: PO Box 1879, Christchurch, New Zealand
--
gentoo-hardened [at] gentoo mailing list
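The post above advises compiling PaX, grsecurity and SELinux into the unprivileged (domU) kernel. The following is an added example, not code from the thread, from Gentoo or from the Xen project: a small POSIX shell script that checks a kernel `.config` for those options and also refuses a config that builds a privileged (dom0) guest, since the hypervisor control interface does not belong inside a sandboxed service domain. The `CONFIG_*` option names are assumed from the grsecurity/PaX and Xen 2.x kernel trees of the time, and the sample `.config` it checks by default is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread, Gentoo or Xen): check that the
# kernel built for an unprivileged Xen domain (domU) actually enables the
# hardening features discussed above, and is not accidentally a dom0 kernel.
# CONFIG_* names are assumed from the grsecurity/PaX and Xen 2.x kernel trees;
# adjust the lists for your own kernel.

# Options a hardened domU kernel is expected to have set to =y.
REQUIRED_OPTIONS="CONFIG_XEN CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_NOEXEC CONFIG_PAX_ASLR CONFIG_SECURITY CONFIG_SECURITY_SELINUX"

# Options that must NOT be set in a domU kernel: a privileged guest kernel
# carries the hypervisor control interface, which does not belong inside a
# sandboxed single-service domain.
FORBIDDEN_OPTIONS="CONFIG_XEN_PRIVILEGED_GUEST"

# config_enabled FILE OPTION: succeed only if a line "OPTION=y" is in FILE.
# A commented "# OPTION is not set" line deliberately does not match.
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# check_domu_config FILE: print one line per option and return the number of
# problems found (0 means the config passes).
check_domu_config() {
    file=$1
    problems=0
    for opt in $REQUIRED_OPTIONS; do
        if config_enabled "$file" "$opt"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt"
            problems=$((problems + 1))
        fi
    done
    for opt in $FORBIDDEN_OPTIONS; do
        if config_enabled "$file" "$opt"; then
            echo "BAD      $opt=y (this is a dom0 kernel, not a domU kernel)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample .config for a domU kernel (not a real file): everything
# is on except PaX ASLR, so the check should report exactly one problem.
sample_domu_config() {
    cat <<'EOF'
CONFIG_XEN=y
# CONFIG_XEN_PRIVILEGED_GUEST is not set
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_ASLR is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
EOF
}

# Usage: sh check-domu-config.sh [/path/to/.config]
# With no argument the constructed sample above is checked.
main() {
    if [ $# -ge 1 ]; then
        cfg=$1
    else
        cfg=$(mktemp)
        sample_domu_config > "$cfg"
    fi
    check_domu_config "$cfg" || echo "$? problem(s) found in $cfg"
}

main "$@"
```

Run it against the `.config` of the domU kernel tree (for example `sh check-domu-config.sh /usr/src/linux-xenU/.config`); the return value of `check_domu_config` is the problem count, so it can be wired into a build script that refuses to install a kernel that fails the check.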