On Thu, 2007-07-05 at 17:13 +0200, Marcel Meyer wrote:
> Hello Natanael,
>
> On Thursday, 5 July 2007, Natanael Copa wrote:
> > I have created a patch for linux-2.6.21-hardened-r3 that adds vserver
> > support.
> > ...
> Thank you for your work.
>
> I'm thinking about getting some hardened servers online in a virtualised
> environment. How will this work with vserver?

vserver is not really virtualization. It's more process isolation and an
advanced chroot.

The mentioned patch will let the vserver host run a hardened kernel.
AFAIK, there are no other (para?)virtualization technologies that work
with grsec/pax - for the host.

> Vserver uses one kernel for
> all VMs, right? Doesn't that mean the config for all VMs will be the same?

Yes. Vserver runs only one single kernel instead of one for every guest
(like vmware/xen/qemu/kvm).

> I cannot choose to have one tighter and one less strict VM running on the
> server?

No. All will run the same kernel.

> And all physical servers must have the same configuration so I can
> move the VMs around?

Yes. You cannot move a VM live with vserver AFAIK.
However, since all hardware-related stuff (modules etc.) needs to be
loaded on the host, your vserver guests will not notice the hardware
change.

> My goal would be to have completely independent configs including netfilter
> config for each VM (tighter configuration for exposed VMs and a loose one
> for some special applications that make problems otherwise).

Run non-hardened on the host and then full virtualization (vmware, xen,
qemu, kvm), and then you can run whatever you want on the guests/VMs. I
actually run my hardened vserver host in vmware.

> Thank you,
> Marcel

--
gentoo-hardened@g.o mailing list