[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen and updated kernels

I am enjoying playing with Xen. Kudos for this cool technology. We're thinking hard about using Xen in production for our office.

My major concern is security in the kernel. The pre-built binaries of the Xenised kernels are based on 2.6.12, which is old now (last released in late August according to kernel.org).

Does this not put the domU guests at risk, if there are kernel exploits that apply to 2.6.12? Granted, the damage is contained, but there's still an 0wned (virtual) server that I've now got to deal with.

Between now and when Xen gets into the mainstream kernel, what's a good mitigation for this risk? *Is* it a risk?

I would like to apply the Xen patch to a maintained kernel source, in my case the latest Debian 2..6.12 tree (it has later patches backported to it). I've tried applying it and ended up with heaps (50-ish) rejections. From first glance, most of these rejections are because the Debian source already contains the patch that Xen tries to apply, and so are safe to ignore. Not all rejections are, though, and unless there's a better idea (hence this email), my intent is to then go through these by hand and fix things up.

Hopefully it'll be a one-off task. I can use the new tree and the original to generate my own xen-3.0-to-debian-2.6.12-blah.patch. When a new Debian 2.6.12 comes out, this patch should apply fairly cleanly.

Again, is this worth doing?

Tony Lewis

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.