xen-users

Re: [Xen-users] Re: Live Migration Config

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Live Migration Config
From: Tom Brown <tbrown@xxxxxxxxxxxxx>
Date: Sun, 30 Oct 2005 22:44:02 -0800 (PST)
In-reply-to: <000e01c5dddf$9c2b0e00$6e01a8c0@green2>
On Mon, 31 Oct 2005, Alan Greenspan wrote:

> For Xen to go mainstream, I think this needs to be easier for the average
> user.

I'd like to know what kind of mainstream average user needs live
migration? :-)

> I know I'm repeating myself, but it really should use ordinary config
> file settings like virtually all other inet services.  Also, in whatever
> config file this is going to appear in, the default setting for migration
> should be "all hosts denied".
>
> Alan

Right, and how many major internet applications have _NOT_ had problems
with their built in security mechanisms? The list of applications that
HAVE had issues is very long and quite thorough. Setting up a basic first
line of defense at the IP layer is _extremely good_ security practice, and
anyone worried about security should already be doing this. XEN's control
ports do not need to be accessible to the wild internet; it would be a
risk with zero benefit to leave them wide open.

If you trust your local network segment enough to assume there are no
eavesdroppers and you assume the router you talk to hasn't been
compromised, IP based access control can be sufficient. And if you've got
folks walking around plugging machines into your network, you are already
in trouble... I don't currently have time to be that paranoid.

XEN is quite useful without _any_ migration capabilities. ... thus my
suggestion that a good first step is to know what it is we need to control
access to.

You're welcome to sit back and wait for the developers to implement your
chosen features... All I need to do is block a couple of ports to make
my xen servers secure. If live migration isn't secure, fine, I won't use
it.... but then I haven't managed to build a filesystem that could be
migrated and allows high performance... so it isn't much of a loss :)

[nfs works, but performance bites when compared to a fully cached local
block device... anyone wanna start a new thread?]

-Tom
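
Added example, not part of the original post: a small audit of an iptables-save dump that reports which control ports an address outside the management network can still reach. The ruleset is constructed, and ports 8000/8002 and the 10.0.0.0/24 management subnet are assumptions for illustration; the thread does not name them.

```python
import ipaddress

# Constructed iptables-save excerpt. Ports 8000/8002 and the 10.0.0.0/24
# management subnet are assumed values, not taken from the thread.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 8002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -j DROP
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 8000 -j ACCEPT
COMMIT
"""

def parse_input_chain(text):
    """Return (default_policy, rules) for the INPUT chain.

    Handles only simple "flag value" options with terminating targets
    (ACCEPT/DROP/REJECT); negation and protocol matching are ignored.
    """
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT"):
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            net = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"))
            dport = int(opts["--dport"]) if "--dport" in opts else None
            rules.append((net, dport, opts.get("-j")))
    return policy, rules

def verdict(policy, rules, src, port):
    """First matching rule wins; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(src)
    for net, dport, target in rules:
        if addr in net and dport in (None, port):
            return target
    return policy

def exposed_ports(text, ports, outside_src):
    """Ports from `ports` that a packet from `outside_src` would reach."""
    policy, rules = parse_input_chain(text)
    return [p for p in ports
            if verdict(policy, rules, outside_src, p) == "ACCEPT"]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address standing in for "the internet".
    print(exposed_ports(RULESET, [8000, 8002], "203.0.113.7"))
```

In the sample ruleset, port 8000 has an allow rule for the management subnet but no matching drop, so the default ACCEPT policy leaves it reachable from outside.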