[grsec] virtualisation with grsecurity
Marcel Meyer
meyerm at fs.tum.de
Sat Aug 26 15:40:06 EDT 2006
Hello John,
thank you for answering my questions.
On Friday, 25 August 2006 04:09, John Anderson wrote:
> Marcel Meyer wrote:
> >[..]
> >As far as I understood the ML-archive/forums, there was already someone
> >working on getting xen and grsecurity to work but only on AMD64 and
> >finally stopped until xen gets into the kernel (whenever that will
> >be ;-) ).
>
> I've worked on it on and off, but I still can't seem to get i386 working
> w/ Xen. I'm running GRSecurity 2.1.9 and Xen 3.0.2-testing in production
> and they are doing quite well and are stable.
Considering your job I expect your servers being really acutely tested and
running well when you are satisfied. That's a good reference ;-). Oh, and
let me say thank you for your work.
So I can ignore the statements from the Red Hat guys concerning the readiness
for production of xen?
> > [sticking with old kernels]
>
> Locking yourself into an oh-so-soon antiquated kernel could hurt future
> flexibility. Things like clustered file systems, new breeds of device
> drivers, etc may not be available in the ol' faithful stable kernel for
> quite some time. Not to mention some features that might be quite useful
> and cost saving but have yet to be thought up.
That is an interesting point to consider. To be honest, I only thought about
updating the kernel because of security problems. But you're right - when
I'm using virtualisation successfully, I'm no longer bound to a specific
machine or setup (ok, I'm already flexible, but then it will be really
easy ;-) ).
The concept of xen with a kernel for each domain seems quite nice
considering I could use different security settings in each of them. But
the problems with x86 make me wonder if the combination of xen and
grsecurity will be successful in the future and continue to be developed.
Are you currently still active here? Or do you want to wait until xen hits
the kernel tree?
Thank you for your time,
Marcel