On Mon, 2007-10-15 at 18:36 -0400, Scott Dowdle wrote:
> Understood... that is a logical assumption... but also take into account that OpenVZ (including its commercial sibling, SWsoft's Virtuozzo) has been deployed by tens of thousands of users and is the #2 virtualization technology in use today... according to the OpenVZ project manager. I don't have any hard data I can point you to to prove that but that is my understanding. #1 would be VMware of course. My point is that it has been tested, audited, and revised over its history with regards to security... but it is obviously an ongoing process.
That doesn't really matter. Even if OpenVZ were proven to be exactly correct, it is still used as a part of the kernel, which every now and then has vulnerabilities.
> - The solution allows system administrators to keep SELinux on on the host system, and not restrict SELinux usage on guest systems.
> I'm not sure if there is a technical reason that OpenVZ won't work with SELinux. I'm guessing that it is like so many other third-party packages that say to turn off SELinux... simply because they want to avoid the support complexity of figuring out how to make it work and writing policies.
I see more obstacles: how would you modify/add policy from a virtual machine, without affecting that of other VMs or the host machine? What about security context collisions between virtual machines?
> As long as SWsoft has Virtuozzo customers using RHEL4 and RHEL5, I'm assuming it will be supported by them and also available in OpenVZ but I don't think I can find anything in writing that promises that.
We need to be sure that patches can be maintained for a longer period. So, ideally a maintainer of such packages has an understanding of the code/patches. In the worst case, the maintainer could update patches to ensure that they continue to work with our kernels.
> I think OS Virtualization / Containers will be less of an issue with upcoming major releases as I'm very sure that container features will be a stock part of the mainline kernel by that time. In fact, Andrew Morton says in his kernel speeches that the only thing he can predict that is coming over the next year or two is container features... but who knows how that will pan out?
I guess that we have to wait and see :).
-- Daniel