> I am enjoying playing with Xen. Kudos for this cool technology. We're
> thinking hard about using Xen in production for our office.
>
> My major concern is security in the kernel. The pre-built binaries of
> the Xenised kernels are based on 2.6.12, which is old now (last released
> in late August according to kernel.org).
>
> Does this not put the domU guests at risk, if there are kernel exploits
> that apply to 2.6.12? Granted, the damage is contained, but there's
> still an 0wned (virtual) server that I've now got to deal with.
The reason the main distribution hasn't been updated with a new kernel version
recently is that a lot of work is being done on the Xen-ification patch to
make acceptable for upstream merge.
This repo contains a Xenified Linux 2.6.15:
http://xenbits.xensource.com/linux-2.6-xen.hg
But this is currently not as widely used / tested as the 2.6.12 tree which is
included with the Xen 3.0 distribution.
The contents of that repo will be used in future releases of Xen, but the
kernel provided there should work fine now for domUs on 3.0 hypervisors.
> Between now and when Xen gets into the mainstream kernel, what's a good
> mitigation for this risk? *Is* it a risk?
Well, it's a risk if there are any exploits that might effect your
configuration. I don't recall any particularly horrible exploits in recent
2.6 kernels, though. If it's an exploit that hasn't yet been discovered, it
most likely won't be fixed in more recent kernels either. Depends how
paranoid you're feeling - are they really out to get you? ;-)
> I would like to apply the Xen patch to a maintained kernel source, in my
> case the latest Debian 2..6.12 tree (it has later patches backported to
> it). I've tried applying it and ended up with heaps (50-ish)
> rejections. From first glance, most of these rejections are because the
> Debian source already contains the patch that Xen tries to apply, and so
> are safe to ignore. Not all rejections are, though, and unless there's
> a better idea (hence this email), my intent is to then go through these
> by hand and fix things up.
>
> Hopefully it'll be a one-off task. I can use the new tree and the
> original to generate my own xen-3.0-to-debian-2.6.12-blah.patch. When a
> new Debian 2.6.12 comes out, this patch should apply fairly cleanly.
>
> Again, is this worth doing?
Possibly... depends how impatient you are ;-) But IIRC, various people have
been producing Xenified Debian kernels, so you may be duplicating work - I'm
not sure how those efforts are progressing right now.
Cheers,
Mark
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
Home