[grsec] virtualisation with grsecurity
Rik Bobbaers
Rik.Bobbaers at cc.kuleuven.be
Mon Aug 28 08:18:14 EDT 2006
Marcel Meyer wrote:
> Thank you for your suggestion. I already looked at vserver before. However,
> I read about many problems getting vserver and grsecurity to work
> peacefully together (you see, I _did_ use google before asking ;-) ). I
> have to admit that many of them dated back to 2005.
true, there were some problems... and you have to watch out what you're
doing... since vserver uses capabilities, you can't enable capability
restrictions in grsec (du'uh). but there are config examples on the
site. those work perfectly ;)
> I'm chicken-hearted using non-"standard" kernel-versions on a productive
> server ;-). Not because I don't trust the guys whose website you mentioned,
> but because of stability (but you say, you use it on "a lot" of servers, so
> I may assume everything works stable?) and even more because of the future
> of the patchset.
the guys whose website i mentioned... is me ;)
anyway... we have a couple of servers here running on those kernels
(it's the standard kernel for all our machines btw. whether we use
vserver or not... it's always possible to run it ;))
if you use grsec, it's a patchset for the kernel, so you have to trust
that party... if you use vserver, you have to trust that patchset too...
i merely merge the 2, and fix the failed patches so that they stay
correct (rest assured... i really look into them, never had any problems
that were my own fault... ahum... </bragging> ;))
> Do you think this combination keeps up with the kernel- and
> grsecurity-development? Because I simply don't dare doing the patchwork of
> such huge and complex patches for myself when they need adjusting to get to
> work...
well... i write those patches when important security fixes come around,
or when there are real feature updates. it's been a while now, because
of the recent developments in the linux kernel and grsecurity. there are
also new vserver patches, so in the next week or so, i'll update the
patch to the latest linux kernel, grsec and vserver
> May I ask you, if you already tried openvz or sth. similar and can explain
> to me (very short!) why vserver should be preferred? If you don't have any
> further experience with other virtualisation techniques that's perfectly
> ok.
i haven't tried openvz myself. reason: it's not all open source. the
virtualisation is, but not everything (Virtuozzo?). plus: they use an old
kernel. vserver is always patched to the latest kernel version, so
better for hardware support/feature updates in
multipathing/scsi/raid/network stuff,... another advantage: the vserver
guys i know truly rock and imho, they are great programmers :)
I also tried vmware (which we are running too): no problems there, but
performance is just... well... almost incomparable
Xen: hard to patch kernels in your xen VMs with grsec (as i heard from
Andrew Griffiths. And if he can't do it, i won't even begin doing it
myself ;))
don't really have experience with other virtualisation tools...
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers at cc.kuleuven.be -=- http://harry.ulyssis.org
"Work hard and do your best, it'll make it easier for the rest"
-- Garfield
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm