xen-devel
[Xen-devel] Xen and updated kernels
I am enjoying playing with Xen. Kudos for this cool technology. We're
thinking hard about using Xen in production for our office.

My major concern is security in the kernel. The pre-built binaries of
the Xenised kernels are based on 2.6.12, which is old now (last released
in late August according to kernel.org).

Does this not put the domU guests at risk, if there are kernel exploits
that apply to 2.6.12? Granted, the damage is contained, but there's
still an 0wned (virtual) server that I've now got to deal with.

Between now and when Xen gets into the mainstream kernel, what's a good
mitigation for this risk? *Is* it a risk?

I would like to apply the Xen patch to a maintained kernel source, in my
case the latest Debian 2.6.12 tree (it has later patches backported to
it). I've tried applying it and ended up with heaps (50-ish)
rejections. From first glance, most of these rejections are because the
Debian source already contains the patch that Xen tries to apply, and so
are safe to ignore. Not all rejections are, though, and unless there's
a better idea (hence this email), my intent is to then go through these
by hand and fix things up.

Hopefully it'll be a one-off task. I can use the new tree and the
original to generate my own xen-3.0-to-debian-2.6.12-blah.patch. When a
new Debian 2.6.12 comes out, this patch should apply fairly cleanly.

Again, is this worth doing?

Tony Lewis
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
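
The reject triage described in the message above can be checked mechanically rather than by eye. The following is an added example, not part of the original post and not Xen or Debian tooling: it labels each rejected hunk by whether its post-image or pre-image is present in the target file. It assumes the rejects are in unified-diff form and compares lines exactly, so whitespace drift is reported as needing a manual merge; the function names and the sample data are constructed.

```python
# Added example; names and sample data are constructed for illustration.

def parse_hunks(rej_text):
    """Return [(pre_image, post_image)] line lists for each unified-diff hunk."""
    hunks, pre, post = [], None, None
    for line in rej_text.splitlines():
        if line.startswith("@@"):
            if pre is not None:
                hunks.append((pre, post))
            pre, post = [], []
        elif pre is None or line.startswith("\\"):
            continue  # file headers before the first hunk, "\ No newline" markers
        elif line.startswith("-"):
            pre.append(line[1:])
        elif line.startswith("+"):
            post.append(line[1:])
        else:  # context line (some tools strip the leading space on blank lines)
            text = line[1:] if line.startswith(" ") else line
            pre.append(text)
            post.append(text)
    if pre is not None:
        hunks.append((pre, post))
    return hunks

def contains(haystack, needle):
    """True if the lines in needle occur contiguously in haystack."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))

def classify(file_text, rej_text):
    """Label each rejected hunk by comparing its two sides with the target file."""
    lines, labels = file_text.splitlines(), []
    for pre, post in parse_hunks(rej_text):
        has_pre, has_post = contains(lines, pre), contains(lines, post)
        if has_post and not has_pre:
            labels.append("already-applied")    # change is present: reject can be dropped
        elif has_pre and not has_post:
            labels.append("pre-image-present")  # unchanged code exists: retry the hunk
        else:
            labels.append("manual-merge")       # neither or both: a person must look
    return labels

# Constructed sample: the target file already carries the first hunk's change only.
TARGET = "int a;\nint b = 2;\nint c;\nvoid f(void)\n{\n    other();\n}\n"
REJ = ("--- file.c\n+++ file.c\n"
       "@@ -1,3 +1,3 @@\n int a;\n-int b = 1;\n+int b = 2;\n int c;\n"
       "@@ -4,4 +4,4 @@\n void f(void)\n {\n-    old();\n+    new();\n }\n")

if __name__ == "__main__":
    print(classify(TARGET, REJ))
```

Hunks labelled `manual-merge` are the ones where a backported fix and the incoming patch disagree, so those are the ones to read line by line.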