|
|
|
|
|
|
|
|
|
|
xen-users
Re: [Xen-users] Re: Live Migration Config
On Mon, 31 Oct 2005, Alan Greenspan wrote:
> For Xen to go mainstream, I think this needs to be easier for the average
> user.
I'd like to know what kind of mainstream average user needs live
migration? :-)
I know I'm repeating myself, but it really should use ordinary config
> file settings like virtually all other inet services. Also, in whatever
> config file this is going to appear in, the default setting for migration
> should be "all hosts denied".
>
> Alan
Right, and how many major internet applications have _NOT_ had problems
with their built in security mechanisms? The list of applications that
HAVE had issues is very long and quite thorough. Setting up a basic first
line of defense at the IP layer is _extremely good_ security practice, and
anyone worried about security should already be doing this. XENs control
ports do not need to be accessible to the wild internet, it would be a
risk with zero benefit to leave them wide open.
If you trust your local network segment enough to assume there are no
eavesdroppers and you assume the the router you talk to hasn't been
compromised, IP based access control can be sufficient. And if you've got
folks walking around plugging machines into your network, you are already
in trouble... I don't currently have time to be that paranoid.
XEN is quite useful without _any_ migration capabilities. ... thus my
suggestion that a good first step is to know what it is we need to control
access to.
You're welcome to sit back and wait for the developers to implement your
chosen features... All I need to do is block a couple of ports to make
my xen servers secure. If live migration isn't secure, fine, I won't use
it.... but then I haven't managed to build a filesystem that could be
migrated and allows high performance... so it isn't much of a loss :)
[nfs works, but performance bites when compared to a fully cached local
block device... anyone wanna start a new thread?]
-Tom
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
|
|