| 1 |
On Tue, 11 Aug 2009 16:55:18 +0100 |
| 2 |
Ed W <lists@××××××××××.com> wrote: |
| 3 |
|
| 4 |
> Yiannis wrote: |
| 5 |
> > Hello, |
| 6 |
> > |
| 7 |
> > I am running hardened gentoo with the toolchain provided by the |
| 8 |
> > xake-toolchain overlay. I am looking for a way to use virtualization |
| 9 |
> > with my current config. I am aware of linux-vserver project which |
| 10 |
> > has grsecurity integration, but as far as I remember does not play |
| 11 |
> > well with rbac. Anyone that has a similar working config? |
| 12 |
> > |
| 13 |
> |
| 14 |
> I use hardened host (2.6.29) with vserver. Under this I run hardened |
| 15 |
> guests. All of these are old style hardened (gcc 3.4.6, not the new |
| 16 |
> gcc4 stuff. (As an aside, even uclibc+patches now seems to work ok on |
| 17 |
> gcc4.4.1 + hardened, so I think it's about time we had a push to try |
| 18 |
> and get the hardened profile to shuffle along a bit...) |
| 19 |
> |
| 20 |
> I am not currently using the RBAC features of grsec, but I don't |
| 21 |
> immediately see a reason why they wouldn't work.... I guess it's |
| 22 |
> possible they would need to be implemented in the host rather than |
| 23 |
> the guest (which would feel a bit wierd), but it should still work I |
| 24 |
> guess... |
| 25 |
> |
| 26 |
> All other hardenings seem to work as advertised and generally |
| 27 |
> speaking vserver is a nice lightweight, pseudo virtualisation which |
| 28 |
> is often good enough for your needs... It's really just a slightly |
| 29 |
> more fancy chroot system with some scripts around it and some |
| 30 |
> additional hardening (and all the associated limitations). Xen, etc |
| 31 |
> are the way you want to go if you need full isolation. However, |
| 32 |
> vserver allows you to more neatly overcommit machine resources and |
| 33 |
> has a number of other advantages |
| 34 |
> |
| 35 |
> Good luck |
| 36 |
> |
| 37 |
> Ed W |
| 38 |
|
| 39 |
Hello Ed, |
| 40 |
|
| 41 |
I used to have a box with the same setup as yours. As far as I remember |
| 42 |
I had some difficulties on applying policies on guests from host. I |
| 43 |
think I have seen an old patch on linux-vserver.org site for gradm |
| 44 |
providing this functionality but it was posted some years ago. |
| 45 |
It was abandoned and at a primitive state so I didn't bother trying it. |
| 46 |
The past two days I have been trying out lguest(with no luck yet) as an |
| 47 |
alternative to kvm, since my pc's are not vt-x capable. The reason that |
| 48 |
I prefer lguest(if it finally works) and kvm is that they are both in |
| 49 |
mainline kernel, let alone the full isolation that you mentioned. While |
| 50 |
googling a bit I read an article on ibm's site about linux containers |
| 51 |
(LXC) which is supposed to finally land on the kernel. I think that this |
| 52 |
might be worth trying as opposed to linux-vserver. |
Archives