| 1 |
On Thu, 2007-07-05 at 17:13 +0200, Marcel Meyer wrote: |
| 2 |
> Hello Natanael, |
| 3 |
> |
| 4 |
> Am Donnerstag, 5. Juli 2007 schrieb Natanael Copa: |
| 5 |
> > I have created a patch for linux-2.6.21-hardened-r3 that adds vserver |
| 6 |
> > support. |
| 7 |
> > ... |
| 8 |
> Thank you for your work. |
| 9 |
> |
| 10 |
> I'm thinking about getting some hardened servers online in a virtualised |
| 11 |
> environment. How will this work with vserver? |
| 12 |
|
| 13 |
vserver is not really virtualization. Its more process isolation and an |
| 14 |
advanced chroot. |
| 15 |
|
| 16 |
The mentioned patch will let the vserver host run a hardened kernel. |
| 17 |
AFAIK, there are no other (para?)virtualization tehonologies that work |
| 18 |
with grsec/pax - for the host. |
| 19 |
|
| 20 |
> Vserver uses one kernel for |
| 21 |
> all VMs, right? Doesn't that mean, the config for all VMs will be the same? |
| 22 |
|
| 23 |
Yes. Vserver runs only one single kernel instead of one for every guest |
| 24 |
(like vmware/xen/qemu/kvm) |
| 25 |
|
| 26 |
> I cannot choose to have one tighter and one less strict VM running on the |
| 27 |
> server? |
| 28 |
|
| 29 |
No. All will run the same kernel. |
| 30 |
|
| 31 |
> And all physical servers must have the same configuration so I can |
| 32 |
> move the VMs around? |
| 33 |
|
| 34 |
Yes. You can not move a VM live with vserver AFAIK. |
| 35 |
However, since all hardware related stuff (modules etc) needs to be |
| 36 |
loaded on the host, your vserver guests will not notice the hardware |
| 37 |
change. |
| 38 |
|
| 39 |
> My goal would be to have completely independant configs including netfilter |
| 40 |
> config for each VM (tighter configuration for exposed VMs and a loose one |
| 41 |
> for some special applications that make problems otherwise). |
| 42 |
|
| 43 |
Run non hardened on the host and then full virtualization (vmware, xen, |
| 44 |
qemu, kvm) and then you can run whatever you want on the guests/VM's. I |
| 45 |
actually run my hardened vserver host in vmware. |
| 46 |
|
| 47 |
> Thank you, |
| 48 |
> Marcel |
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-hardened@g.o mailing list |
Archives