On Wed, Mar 23, 2005 at 11:03:39AM -0600, Anthony Liguori wrote:
> >Note that NFS uses such ports without asking prior permission.
> >I chose 732 because it's unassigned indeed.
> I know. That's one of the reasons using this port worries me. There
> may be nfs related conflicts.
The NFS client just chooses a free privileged source port as does xm.
Yes, the number of NFS mounts is limited ...
And now xen competes with NFS, but neither should really tip over.
> >Before I start working on getting the consoles under control, I
> >wanted to see whether this approach is acceptable at all.
> How would you extend this to consoles? Each console can't have its own
> privileged port :-)
Oh, that's what I was planning to do. The privileged ports are less
scarce than the 4GB of memory that Xen-2 supports ...
We'll hardly get running more than 64 virtual machines, I'd guess.
> >>5) you still have to deal with xfrd
> >It seems to listen on *:8002 ...
> >Is there no authentication either? Sigh.
> Nope. I think there are a few options. We could use hosts.allow or
> something similar, we could restrict it to subnets, or we could try and
> implement some sort of authentication mechanism.
> Perhaps shutting it off by default and making it clear that it is
> insecure is enough.
We need to document it at least. Maybe another setting in
> >And we probably need to look into the event channel (8001) as well.
Any insight what we could do there?
> >But for Xen-2, let's try to find a pragmatic way that enables desktop
> >users to install and test xen without raising too many security
> I full-heartedly agree. I'll gladly help out on this effort.
Kurt Garloff, Director SUSE Labs, Novell Inc.