On Tue, 11 Aug 2009 16:55:18 +0100
Ed W <lists@××××××××××.com> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> >
>
> I use hardened host (2.6.29) with vserver. Under this I run hardened
> guests. All of these are old style hardened (gcc 3.4.6, not the new
> gcc4 stuff. (As an aside, even uclibc+patches now seems to work ok on
> gcc4.4.1 + hardened, so I think it's about time we had a push to try
> and get the hardened profile to shuffle along a bit...)
>
> I am not currently using the RBAC features of grsec, but I don't
> immediately see a reason why they wouldn't work.... I guess it's
> possible they would need to be implemented in the host rather than
> the guest (which would feel a bit weird), but it should still work I
> guess...
>
> All other hardenings seem to work as advertised and generally
> speaking vserver is a nice lightweight, pseudo virtualisation which
> is often good enough for your needs... It's really just a slightly
> more fancy chroot system with some scripts around it and some
> additional hardening (and all the associated limitations). Xen, etc
> are the way you want to go if you need full isolation. However,
> vserver allows you to more neatly overcommit machine resources and
> has a number of other advantages
>
> Good luck
>
> Ed W

Hello Ed,

I used to have a box with the same setup as yours. As far as I remember
I had some difficulties applying policies on guests from the host. I
think I have seen an old patch on the linux-vserver.org site for gradm
providing this functionality, but it was posted some years ago.
It was abandoned and at a primitive state, so I didn't bother trying it.
The past two days I have been trying out lguest (with no luck yet) as an
alternative to kvm, since my PCs are not vt-x capable. The reason that
I prefer lguest (if it finally works) and kvm is that they are both in
the mainline kernel, let alone the full isolation that you mentioned. While
googling a bit I read an article on IBM's site about linux containers
(LXC) which is supposed to finally land in the kernel. I think that this
might be worth trying as opposed to linux-vserver.