| 1 |
Yiannis wrote: |
| 2 |
> On Sat, 08 Aug 2009 15:28:10 -0400 |
| 3 |
> Michael Orlitzky <michael@××××××××.com> wrote: |
| 4 |
> |
| 5 |
>> Yiannis wrote: |
| 6 |
>>> Hello, |
| 7 |
>>> |
| 8 |
>>> I am running hardened gentoo with the toolchain provided by the |
| 9 |
>>> xake-toolchain overlay. I am looking for a way to use virtualization |
| 10 |
>>> with my current config. I am aware of linux-vserver project which |
| 11 |
>>> has grsecurity integration, but as far as I remember does not play |
| 12 |
>>> well with rbac. Anyone that has a similar working config? |
| 13 |
>> I'm using KVM here under a similar setup with few issues. |
| 14 |
>> Occasionally the modules that ship with KVM will get out of sync with |
| 15 |
>> the ones provided by the hardened kernel, but that hasn't caused me |
| 16 |
>> any trouble in a while. And you can always use the modules that ship |
| 17 |
>> with KVM. |
| 18 |
> |
| 19 |
> Can you plz elaborate on your setup? Is host & guest os |
| 20 |
> both using grsec+pax? Are you using the xake-toolchain? Any |
| 21 |
> drawbacks? This seems (to me) that is the most secure solution, and |
| 22 |
> maybe I should consider upgrading my pc. |
| 23 |
> |
| 24 |
|
| 25 |
My hosts (mostly development machines, and a couple of servers) are all |
| 26 |
using grsec/PAX. The guests vary, but I do keep several hardened server |
| 27 |
images around for testing purposes which seem to work just as well as if |
| 28 |
they were running on bare metal. |
| 29 |
|
| 30 |
The development machines all use the Xake toolchain, although I've never |
| 31 |
tried it in a guest. I don't imagine it would make much difference. |
| 32 |
|
| 33 |
The management tools for KVM are fairly spartan -- I suppose that could |
| 34 |
be either a pro or a con. Personally, I just need to be able to create |
| 35 |
images, snapshot them, and run them. KVM does that well, and doesn't |
| 36 |
require me to jump through hoops to do it (e.g. running a web server for |
| 37 |
the user interface). |
Archives