WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] XCP - untrusted domUs?

To: Matthew Law <matt@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] XCP - untrusted domUs?
From: Pasi Kärkkäinen <pasik@xxxxxx>
Date: Tue, 23 Feb 2010 11:50:56 +0200
Cc: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 23 Feb 2010 01:51:58 -0800
User-agent: Mutt/1.5.18 (2008-05-17)
On Mon, Feb 22, 2010 at 12:32:44PM -0000, Matthew Law wrote:
> 
> Our ongoing experiments with XCP have been encouraging - still struggling
> with Debian Lenny install and my question from last week didn't get
> answered - hint, hint! ;-)
> 
> Anyway, does XCP have any native support for iptables and ebtables rules?
> - what I mean is, we currently use Xen 3.4.2 on CentOS and roll our own
> iptables and ebtables rules to prevent IP spoofing and also _try_ and
> prevent DHCP requests being answered by DHCP servers other than our own.
> 
> This has an overhead in that every time we install and upgrade a dom0 we have
> to also clone the config and associated dependencies.  It would be really
> cool if this kind of thing 'just worked'.  It would be even cooler if it
> was configurable in the domU config file.  For us this kind of thing is
> very important when hosting untrusted domUs.  We also prefer pvgrub
> as well, but that wouldn't be a deal breaker.
> 
> Does XCP support anything like this? - I know it is basically CentOS, so
> in theory one could roll their own config, but that would take away
> somewhat from the simplicity of it all.
> 

XCP uses Open vSwitch now, so you should check its docs/mailing list
(for supported features and how it interacts with the kernel).

-- Pasi

