Hi,
On Wed, Mar 23, 2005 at 11:03:39AM -0600, Anthony Liguori wrote:
> >Note that NFS uses such ports without asking prior permission.
> >I chose 732 because it's unassigned indeed.
> >
> I know. That's one of the reasons using this port worries me. There
> may be nfs related conflicts.
The NFS client just choses a free privileged source port as does xm.
Yes, the amount of NFS mounts is limited ...
And now xen competes with NFS, but neither should really tip over.
> >Before I start working on getting the consoles under control, I
> >wanted to see whether this approach is acceptable at all.
> >
> >
> How would you extend this to consoles? Each console can't have it's own
> privileged port :-)
Oh, that's what I was planning to do. The privileged ports are less
scarce than the 4GB of memory that Xen-2 supports ...
We'll hardly get running more than 64 virtual machines, I'd guess.
> >>5) you still have to deal with xfrd
> >
> >It seems to listen on *:8002 ...
> >Is there no authentication either? Sigh.
> >
> Nope. I think there are a few options. We could use hosts.allow or
> something similiar, we could restrict it to subnets, or we could try and
> implement some sort of authentication mechanism.
>
> Perhaps shutting it off by default and making it clear that it is
> insecure is enough.
We need to document it at least. Mazbe another setting in
xend-config.sxp ...
> >And we probably need to look into the event channel (8001) as well.
> >
> Yeah.
Any insight what we could do there?
> >But for Xen-2, let's try to find a pragmatic way that enables desktop
> >users to install and test xen without raising too many security
> >concerns.
> >
> I full-heartedly agree. I'll gladly help out on this effort.
Thanks!
Regards,
--
Kurt Garloff, Director SUSE Labs, Novell Inc.
pgpxeI6718vYV.pgp
Description: PGP signature
|
Home