Xen? (was Re: [wellylug] Mailing List & Webserver)

Timothy Goddard interfecus at gmail.com
Mon Feb 27 14:01:59 NZDT 2006


michael at diaspora.gen.nz wrote:

> Ewen McNeill writes:
>
>> I think we're getting quite close to the "mainframe" approach being
>> practical with "PCs" -- ie, one large highly redundant box, and lots of
>> virtual machines on it for most common tasks.
>
> With the important proviso that mainframe style resource isolation is
> Just Not There Yet.
>
> Firstly, any Xen style guest instance granted access to a PCI device that
> can do DMA can take over the whole machine, given a kernel compromise.
>
> Secondly, while most of the solutions can perform resource management
> of CPU and memory, I believe the only one that can reasonably resource
> manage I/O and network bandwidth is Solaris Zones, courtesy of the quite
> well tested Solaris Resource Manager stuff.
>
> This can make things problematic for shared customer situations.
>
>     -- michael.
I believe you may be mistaken here, but correct me if I'm wrong.

Under Xen only one domain at a time can have control of any given
physical device, whether that be a monitor, network card, or USB
interface. By default all devices are presented directly to domain 0,
which also runs the Xen daemon for communicating with the hypervisor to
control VM instances. A compromise in Dom0 should be treated as a
compromise of the complete system. Networking is accomplished by
bridging virtual interfaces created for the DomU (unprivileged) domains.
This bridging is as secure as the Dom0's normal networking drivers and
utilities.

Secondly it is very easy to add in an extra layer of security into the
system. If I wanted to cut Dom0 out of the network altogether or only
access it through an extra layer of security, I would simply use a boot
parameter to instruct Xen not to provide the network card to Dom0 and
could then provide it instead to an unprivileged domain which handled
all the network routing. This could easily be a small, slimmed down
distribution as found on a regular linux router.

From what I've read, using Xen on a single server should provide almost
as effective resource partitioning as completely separate machines. An
attack on one machine cannot affect the others except through the way
networking and shared resources are configured, which is exactly the
same as for a router between physical hosts.

You also seem to be mistaken in saying that Xen cannot provide a
solution for managing network and IO bandwidth. Xen does not control
details of how devices are used directly, and depends on the Dom0 domain
to provide these resources. It is a fairly simple matter to configure
your 'router' VM, whether that be Dom0 or another domain, to restrict
network bandwidth to the virtual interfaces which the other domains are
connected to. Storage is more of an issue but by serving your VMs via
NFS you can gain as good control as for a physical network using a file
server. Running Solaris on Dom0 might be rather interesting as you might
be able to harness the resource manager to gain even finer control.

The VMs should not be set up to depend on a physical disk if at all
feasible as this ties them to a physical machine, preventing migration.
Only a single domain used as a file server (again, usually Dom0, which
is tied to the host anyway) needs to be physically tied to the machine.
With the Dom0 domain running as a file server and providing the network
interface, the VMs become almost completely host-agnostic, allowing you
to upgrade hardware and shuffle VMs between physical servers without
more than a few tens of milliseconds downtime for each migration. For
critical applications, a combination of Xen and redundant hardware
allows for almost instantaneous recovery from failure.

The main advantage of Xen is that it interacts with the virtual machines
via an extremely limited interface. It never attempts to handle,
interpret or recompile code directly, it doesn't depend on how any of
the VMs function (or fail to function) and it manages resources only at
the lowest level possible. When using Xen I can be sure that the weakest
link is not Xen itself but what I choose to run on it. Although far
newer, I would trust it much more completely than older technologies
such as UML, emulators such as VMware or QEMU, or OS-level controls such
as Solaris Zones simply because it has fewer avenues of possible attack.

In short, Xen does provide very effective resource isolation and is
perfectly ready for use in high-security server clusters. I thoroughly
recommend experimenting on a smaller machine to evaluate whether it
could be useful to your company.
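The bandwidth control described in the post (restricting the virtual interfaces from whichever domain owns the NIC) can be done with the Linux `tc` tool in that domain. The following is an added example, not code from the original thread or from the Xen project: it assumes Xen's usual `vif<domid>.<n>` naming for a guest's backend interface and takes the domain id and rate as inputs. Egress on the vif is traffic flowing into the guest and is shaped with a token bucket; ingress on the vif is traffic the guest sends and is policed. `DRY_RUN=1` (the default) prints the commands instead of applying them, so the script can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: per-guest bandwidth limits on a Xen backend interface.
# Run in the domain that owns the NIC (Dom0 or a dedicated router domain).
# Interface naming vif<domid>.<n> is Xen's convention; domid and rate are
# assumed inputs supplied by the caller.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vif_name <domid> <ifindex>  ->  vif<domid>.<ifindex>
vif_name() {
    printf 'vif%s.%s' "$1" "$2"
}

# validate_rate: accept only <digits><k|m|g>bit, e.g. 512kbit or 10mbit,
# so a typo cannot turn into an unbounded or mis-parsed tc rate.
validate_rate() {
    num=${1%[kmg]bit}
    [ "$num" != "$1" ] || return 1          # no recognised unit suffix
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# limit_vif <domid> <rate>: apply a symmetric cap to the guest's first vif.
limit_vif() {
    domid=$1
    rate=$2
    dev=$(vif_name "$domid" 0)
    validate_rate "$rate" || { echo "bad rate: $rate" >&2; return 1; }
    # Egress on the vif = traffic into the guest: shape with a token bucket.
    run tc qdisc replace dev "$dev" root tbf rate "$rate" burst 32kbit latency 400ms
    # Ingress on the vif = traffic the guest sends: police and drop the excess.
    run tc qdisc add dev "$dev" handle ffff: ingress
    run tc filter add dev "$dev" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 police rate "$rate" burst 32k drop flowid :1
}

# Example usage (dry run): limit domain 3 to 10 Mbit/s in each direction.
limit_vif 3 10mbit
```

The ingress side is only policing (excess is dropped rather than queued), which is the best a backend interface can do for traffic a guest originates; the guest sees it as packet loss and TCP backs off accordingly. Storage served over NFS from the same domain is then subject to the same cap, which is the point the post makes about gaining control comparable to a physical file server.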
