xen-users
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 6:20 PM, <brooks@xxxxxxxxxxx> wrote:
Great points from everyone concerning the topic of XCP security updates. To summarize:
1. The XCP project currently provides no update repo.
2. Protect your management network via a non-public routable address
space and you greatly reduce your dom0 attack surface to the kernel
and open vSwitch.
While that's true, I don't think that hiding
from security problems is the answer.
Agreed. I don't want an exploited DomU trying to find exploits in openvswitch or the hypervisor.
3. Do not use the CentOS 5 repo to update XCP dom0.
Some packages (lvm2, etc.) have been modified to work with
Xenserver/XCP. The XCP 1.1 source iso lists the following packages
under the "guest-packages-dom0" directory:
biosdevname-0.2.4-1.xs651.src.rpm
device-mapper-multipath-0.4.7-34.xs651.src.rpm
dhcp-3.0.5-23.el5.xs651.src.rpm
directfb-1.0.1-xs651.src.rpm
e2fsprogs-1.39-23.xs651.src.rpm
ethtool-6+20090306-651.src.rpm
fbi-1.31-xs651.src.rpm
firmware-651-1.src.rpm
kexec-tools-2.0.0-651.49.src.rpm
lvm2-2.02.56-8.xs651.src.rpm
md3000-rdac-09.03.0C00.0437-651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
mercurial-0.9-0.src.rpm
mkinitrd-5.1.19.6-61.xs651.src.rpm
net-snmp-5.3.2.2-9.xs651.src.rpm
open-iscsi-2.0.871-0.20.3.xs651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
PyPAM-0.4.2-3.xs651.src.rpm
python-simplejson-2.0.9-3.1.xs651.src.rpm
SDL-1.2.10-8.xs651.src.rpm
splashy-0.3.9-xs651.src.rpm
ssmtp-2.61-8.fc6.src.rpm
stunnel-4.15-2.el5.1.xs651.src.rpm
udhcp-r15050-651.src.rpm
vastsky-2.1-3.src.rpm
vhostmd-0.4-xs651.src.rpm
vncsnapshot-1.2a-xs651.src.rpm
xenserver-logos-1.0-xs651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm
That's not a perfect list. I compared that list with a base
CentOS 5.7 repo and found these to be unique to the above list:
PyPAM
biosdevname
directfb
fbi
firmware
md3000-rdac
md3000-rdac-tools
mercurial
open-iscsi
splashy
ssmtp
udhcp-r15050
vastsky
vhostmd
vncsnapshot
xenserver-logos
xenserver-lsb
For completeness here's the list of packages that appear to have
been modified since they are listed in both the CentOS and XCP lists:
SDL
device-mapper-multipath
dhcp
e2fsprogs
ethtool
kexec-tools
lvm2
mkinitrd
net-snmp
pam
python-simplejson
stunnel
Add in the kernel, hypervisor, vswitch, and assorted utilities and
you should be able to come up with a list of packages unique to XCP
that could be used to build an exclude list if you wanted to pull
updates from a CentOS 5 repo.
It's a great topic and I'd like to keep the discussion alive. I'd also like to hear from Mike given his insight and understanding of the project. Ideally I think we would all like to see a Citrix sponsored XCP updates repository.

Ideally yes the folks that know the most about it would be the best at putting together a repo. I also think that this shouldn't be a complete CentOS repo since the XCP hosts are not supposed to be complete Linux servers in any way. Keep it small, keep it solid, keep it secure. There are packages that could be considered optional too that won't get installed on every host that could be in the repo in case one needs them.
Grant McWilliams
http://grantmcwilliams.com/
Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
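
The list comparison described in the message above, as an added example that is not part of the original post or of the XCP project: it splits source-RPM file names into package names, sorts them into "modified" (also in CentOS) and "unique to XCP", and emits a yum.conf `exclude=` line. The function names, the `CENTOS_NAMES` set and the `kernel*` extra are assumptions made for illustration; the file names are a subset of those quoted in the message.

```python
import re

# File names copied from the list in the message above (a subset).
XCP_SRPMS = [
    "lvm2-2.02.56-8.xs651.src.rpm",
    "device-mapper-multipath-0.4.7-34.xs651.src.rpm",
    "kexec-tools-2.0.0-651.49.src.rpm",
    "md3000-rdac-tools-09.03.0C00.0437-651.src.rpm",
    "vhostmd-0.4-xs651.src.rpm",
    "xenserver-lsb-3.1-12.3.EL.xs.src.rpm",
]

# Constructed stand-in for the source package names of a CentOS 5 base repo.
CENTOS_NAMES = {"lvm2", "device-mapper-multipath", "kexec-tools", "bash", "openssl"}


def srpm_name(filename):
    """Return the package name from name-version-release.src.rpm."""
    stem = re.sub(r"\.src\.rpm$", "", filename)
    parts = stem.rsplit("-", 2)  # version and release never contain '-'
    if stem == filename or len(parts) != 3:
        raise ValueError("not an N-V-R source RPM name: %r" % filename)
    return parts[0]


def classify(srpms, centos_names):
    """Split XCP packages into (modified, unique) relative to CentOS."""
    names = {srpm_name(f) for f in srpms}
    return sorted(names & centos_names), sorted(names - centos_names)


def exclude_line(srpms, extra=()):
    """Build a yum.conf exclude= line covering each package and its
    name-* subpackages. Binary packages named differently from their
    source package are not covered and must be passed in `extra`."""
    names = sorted({srpm_name(f) for f in srpms})
    globs = [g for n in names for g in (n, n + "-*")]
    return "exclude=" + " ".join(globs + list(extra))


if __name__ == "__main__":
    modified, unique = classify(XCP_SRPMS, CENTOS_NAMES)
    print("modified:", modified)
    print("unique:  ", unique)
    # "kernel*" stands in for the kernel/hypervisor/vswitch additions.
    print(exclude_line(XCP_SRPMS, extra=["kernel*"]))
```

The "modified" names are the ones that matter most in the exclude line, since those are the packages a CentOS update would replace with an unpatched-for-XCP build.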