|
|
|
|
|
|
|
|
|
|
xen-users
Re: [Xen-users] domU kernel
CentOS didn't do this! RedHat did it this way, CentOS is a rebuild of RHEL.
IDAGroup - R.W.Muller wrote:
Wow, if that is true then is CentOS making a big mistake.
When I installed CentOS with virtualization and started virt-install
according to there howto, I was guided to install another CentOS domU
but never asked to have a kernel outside the domU.
So, I just even realized that this is possible, when I was reading
this user list, before I thought the CentOS way is the only
possibility ...so clearly: kernel IN domU
Steve Wray wrote:
Christian Horn wrote:
On Fri, Oct 12, 2007 at 12:14:02AM -0400, IDAGroup - R.W.Muller wrote:
Hi, I found lots of threads where people talk about domU kernel
sitting in /boot of dom0.
The only kernel I can see there is the one the machine and dom0
booted from (vmlinuz-2.6.18-8.el5xen)
Two places are common:
- domU-kernel placed on dom0-filesystem directly, 'kernel' option in
xen-
config for the domU is used then. Only possible for paravirt-domU.
pros: - kernel is directly reachable from dom0
cons: - domU depends on files outside of its disc-image, so you
have to keep an eye of what domU uses what kernel-file
- on upgrading the domU-kernel is a bit more complicated, keep
kernel, maybe existing initrd and modules-directory in sync
- domU-kernel placed inside the domU-diskimage. Works for both HVM and
paravirt-domU. One sees mostly this nowadays. Kernel is
located/booted
by pygrub (or a script mounting the partition, making a copy of the
kernel inside to dom0, and starting it then)
pros: - easy updating, i.e. just 'yum update' from the domU
updates the
kernel, initrd, modules and kernel is booted on next
domU-boot
You forgot the con.
cons: Security. You now have a domU in which a local exploit could
result in code being executed in dom0 at the next boot of that domU.
By the way, this actually happened. See CVE-2007-4993
IMHO putting the kernel in domU and using pygrub was always asking
for trouble.
In my opinion it is completely crazy to expose dom0 to potential
exploits from domU.
So far as I am aware this is the *only* way to so expose dom0 to domU
security holes and I am deeply shocked if it is true that "One sees
mostly this nowadays"
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
------------------------------------------------------------------------
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
|
|