WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

[Xen-users] Xen Newbie queries

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen Newbie queries
From: "Sanjay Arora" <sanjay.k.arora@xxxxxxxxx>
Date: Sun, 19 Feb 2006 19:15:56 +0530
Delivery-date: Sun, 19 Feb 2006 13:59:02 +0000
Hello List

Newbie Xen Lurker surfacing for some queries ;-)

I have a small network with an iptables firewall with DMZ and LAN server subnets. There are four servers on the LAN & one on the DMZ.

The DMZ uses CentOS 4.2, PIII 550 MHz, 256 MB RAM, no X/GUI, is connected to 512 kbps ADSL broadband & provides name-based Apache, a mail server based on qmailtoaster.com, a djbdns server, yum for upgrading, PHP, Perl, MySQL & PostgreSQL etc. The DMZ server has a private IP address and services are port-forwarded/NATed from the main iptables firewall. It has a single 40 GB HDD using LVM2.

What I want to do is to virtualise each of the services into a separate Xen OS instance, with iptables firewalling of its own. Two outcomes are wanted... 1. in case of a compromise of a server through any of the services, the penetration is limited to that instance of the OS/service, and 2. I want to put another server on the same subnet in the DMZ and implement an expeditious failover using rsync (not instantaneous... as I don't think I have either the budget or the expertise to do that... or maybe I am just plain scared to attempt it).

Later, I want to do the same to services on the LAN.

My questions are:

1. Is Xen virtualization good from the point of security, if I do not expose any services on the host OS except for ssh, and that too only from the internal network? The guest OS will again be firewalled and will expose only the one service which it is providing, in addition to ssh for management. In some cases Apache may be needed for management; in that case the Apache access will be restricted to one or two management computers. What are the issues I need to study? Various pros & cons?

2. If I get Xen hosting from a hosting provider on a fast network, can I simply migrate my guest OS (domU... I think you guys call it?) to them? This could relieve me of management every time I implement changes/upgrades. Any issues in this?

3. Is Xen production ready? From the various Xen hostings now available, it seems so... my needs are a secure small-biz intranet/extranet/mail server & database usage.

4. What are pen-testers' views of Xen? I tried to search but could not find much in the first few minutes. Maybe Xen is too new or I need to search better, & I intend doing so.

5. My readings conflict about one issue... the Xen host kernel needs to be patched. What about the guest kernel? One post I read suggested it need not be patched because of some code borrowed from qemu and improved upon thereafter... some seem to say the guest kernel needs to be patched.

6. I plan on exclusively using CentOS... both as a host OS & a guest OS, but I don't want to go in for custom kernel compilation every time Xen updates or the CentOS kernel updates. Are any packaged RPMs available anywhere that I can simply use with yum from my local yum repository?

Any other issues I need to look into, given my above use-case scenario? Budget: shoestring / Expertise: medium... can compile software if instructions are there, but no programming/patch-creation capability. I understand technical issues and administer my own Linuxes, though I am a business person.

Please help... criticism, advice, warnings from pros & oracles wanted/welcome ;-)

With best regards.
Sanjay.



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
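The per-guest firewall sketched in question 1 above (one published service, ssh only from management), as an added example that is not part of the original post or of any Xen project code: a small POSIX shell generator for a default-deny iptables-restore ruleset, plus a check that counts how many ports a guest leaves open to any source. The service port and the management subnet are assumed placeholder values.

```shell
# Added example, not from the post: emit a default-deny iptables-restore
# ruleset for one Xen guest that publishes a single service to the world
# (reached through the outer firewall's DNAT) and accepts ssh only from a
# management network. Port and subnet values are assumed placeholders.

# gen_guest_rules PORT MGMT_CIDR  -> prints the ruleset; nothing is applied.
gen_guest_rules() {
    port="$1"
    mgmt="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one published service, accepted from any source
-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT
# management ssh, source-restricted to the management subnet
-A INPUT -p tcp -s ${mgmt} --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# count_open_ports RULESET -> number of INPUT rules that match a port
# without any -s source restriction. A single-service guest built the way
# the post describes should report exactly 1; anything more means a second
# service has been exposed on that guest.
count_open_ports() {
    printf '%s\n' "$1" | grep -- '^-A INPUT .*--dport' | grep -vc -- ' -s ' || true
}

# usage: write the ruleset to a file, review it, then iptables-restore < file
gen_guest_rules 80 192.168.10.0/24
```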