Yiannis wrote:
> On Sat, 08 Aug 2009 15:28:10 -0400
> Michael Orlitzky <michael@××××××××.com> wrote:
>
>> Yiannis wrote:
>>> Hello,
>>>
>>> I am running hardened gentoo with the toolchain provided by the
>>> xake-toolchain overlay. I am looking for a way to use virtualization
>>> with my current config. I am aware of linux-vserver project which
>>> has grsecurity integration, but as far as I remember does not play
>>> well with rbac. Anyone that has a similar working config?
>> I'm using KVM here under a similar setup with few issues.
>> Occasionally the modules that ship with KVM will get out of sync with
>> the ones provided by the hardened kernel, but that hasn't caused me
>> any trouble in a while. And you can always use the modules that ship
>> with KVM.
>
> Can you plz elaborate on your setup? Is host & guest os
> both using grsec+pax? Are you using the xake-toolchain? Any
> drawbacks? This seems (to me) that is the most secure solution, and
> maybe I should consider upgrading my pc.
>

My hosts (mostly development machines, and a couple of servers) are all
using grsec/PAX. The guests vary, but I do keep several hardened server
images around for testing purposes which seem to work just as well as if
they were running on bare metal.

The development machines all use the Xake toolchain, although I've never
tried it in a guest. I don't imagine it would make much difference.

The management tools for KVM are fairly spartan -- I suppose that could
be either a pro or a con. Personally, I just need to be able to create
images, snapshot them, and run them. KVM does that well, and doesn't
require me to jump through hoops to do it (e.g. running a web server for
the user interface).