> This is not good. I'm going to have a devil of a time selling this into
> enterprises of any size. Are there any plans to provide filtering rules,
> authentication, authorization facilities in the works? Any bolt-ons?
Talking about Xen 3.0:
It's been talked about for some time. For now the solution is to use vlans
for your dom0s, or (equivalently) physically separate networks. dom0s are
your management infrastructure, and they really need protecting from
interference.
You can't have dom0s on a hostile network if you want to prevent these "rogue
migrations". Note that you can't force an outgoing migration from a node, so
nobody can "steal" your running domUs. However, if someone gets on a segment
of network that can reach your dom0s they could send you some domUs of their
own - shouldn't be a security issue (the domUs will still be isolated by Xen)
but could get quite annoying ;-)
> looking at a serious show-stopper in organizations large enough to have an
> information protection department, or even security-minded clueful
> personnel. As long as I can fire up the Xen Live CD on my laptop and shoot
> domU missiles at a production Xen instance and have them happily migrate
> we're at a standstill.
Only if the laptop is on your management network...
> The security people will demand, at a minimum, that
> we do not run xfrd on the production node. There goes a monster selling
> point and my entire position against VM-Ware.
:-(
If you're running Xen 2.0, it's even more important to run dom0 on a separate
network - the management interface is also exported over TCP. By default, it
only accepts connections from localhost but it does mean you must trust all
local users on the system.
IIRC, the Xensource public servers just use a separate management network for
the dom0s.
> I am a professional C/Unix coder. Can I help provide this functionality? It
> seems fairly trivial.
Something using SSL certificates would probably do what you want. There are
probably other ways to do this stuff, too. Patches to provide this
functionality would be very welcome, although I guess we'd prefer them to be
against Xen 3.0.
HTH,
Mark
> On 10/27/05, Mark Williamson <mark.williamson@xxxxxxxxxxxx> wrote:
> > > How does one configure the live migration facility? Is there a
> > > configuration file to allow a foreign dom0 to migrate a domU to the
> >
> > local
> >
> > > dom0? Or can any dom0 migrate a domU to any other dom0?
> >
> > It's pretty much free for all as far as dom0s are concerned ;-) Basically
> > if
> > one dom0 can reach another over a network, it can migrate stuff there!
> > Right
> > now, it's more or less expected that an organisation's dom0s are isolated
> > on
> > a vlan (or separate ethernet).
> >
> > Cheers,
> > Mark
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
Home