On Mon, 2007-10-15 at 16:18 -0400, Scott Dowdle wrote:
> I'm not trying to bash SELinux, but I have to wonder what percentage of CentOS/RHEL/Fedora users have SELinux on to begin with? I'd like to use it myself, but I just haven't gotten around to it... nor have I made it a priority. :(
>
> The vast majority of Linux distributions do not include SELinux and ARE being deployed with net-facing daemons. One has to decide if it is an acceptable risk. For me it is... knock on wood.
It's a matter of diving into it, just like we all had to dive into UNIX/Linux once. I can really recommend "SELinux by Example" for getting into SELinux.
> I do appreciate you bringing up the point though. It would be one of the advantages of Xen over OpenVZ. With both, there are a number of advantages and disadvantages that must be considered.
Agreed.
> I'm not saying it could never happen because anything is possible. As you may know there was a Xen vulnerability reported recently where a grub configuration line could allow access to the hypervisor from the guest (or something like that).
That was a vulnerability in pygrub. Just for clarity's sake: pygrub runs in dom0, and is used to retrieve the kernel and initrd images from the domU machine being booted based on its GRUB configuration (this is needed to bootstrap the VM). It was not a vulnerability where some program can break out of a domU and do stuff in dom0.
Doing such a thing is far easier when the virtual machine is running under the same kernel as the host.
> While I'd like to see CentOS sanctioned OpenVZ packages, I have to ask just how many people have third-party packages on their system? I use DAG quite a bit.
For that exact reason we advise people to use the yum-priorities plugin. It prevents the package manager from replacing CentOS packages with packages from a third-party repo.
> I'd really like to see the CentOS team adopt OpenVZ and add it to the Addons or Extras repo (which would be more appropriate) but I'm not sure if they would be interested.
I think we'd be interested in including OS-level virtualization as an option when:
- There are patches for the kernel versions that CentOS uses, and it doesn't change the kernel too much besides implementing that technology (so that it is easy to maintain it for future kernel updates).
- It is feasible to support it for a few years on the kernels that CentOS uses, and someone is willing to maintain it for such periods.
- The solution should be stable, secure, and performant.
- The solution allows system administrators to keep SELinux on on the host system, and does not restrict SELinux usage on guest systems.
Remember that we potentially have to support new additions for years, ideally until 2014 for CentOS 5. If someone thinks one solution can fulfill these requirements, please feel free to discuss it on this list.
> I made the mistake of asking a kernel question in the #centos IRC channel... and when I revealed that I was running an OpenVZ kernel... I wasn't kicked but I was sternly told that it would be off topic and not tolerated. :(
We can't support what we don't provide, and you would be amazed how often people ask questions on #centos about stuff that we don't provide ;).
-- Daniel
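The yum-priorities setup recommended above, as an added example that is not part of the original thread or of the CentOS project's own documentation. It enables the plugin in /etc/yum/pluginconf.d/priorities.conf and gives every CentOS stanza a higher priority (lower number) than the RPMforge/DAG stanza, so yum will not replace a CentOS package with a third-party build of the same name. The two repo files are constructed, cut down to the fields that matter here, and everything is written under a temporary prefix ($ROOT) rather than the real /etc; the helper names set_repo_priority and repo_priority are this example's own, and the default priority of 99 for a stanza with no priority= line is the plugin's documented default.

```shell
#!/bin/sh
# Added example: configure yum-priorities so CentOS repos win over RPMforge/DAG.
# Not from the original thread. Files are written under $ROOT (a temp dir by
# default); run with ROOT= (empty) to target the real /etc.
set -eu

ROOT="${ROOT-$(mktemp -d)}"
PLUGCONF="$ROOT/etc/yum/pluginconf.d/priorities.conf"
REPODIR="$ROOT/etc/yum.repos.d"
mkdir -p "$(dirname "$PLUGCONF")" "$REPODIR"

# Constructed sample repo files (reduced: no mirrorlist/baseurl lines).
cat > "$REPODIR/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
EOF

cat > "$REPODIR/rpmforge.repo" <<'EOF'
[rpmforge]
name=RHEL $releasever - RPMforge.net - dag
enabled=1
gpgcheck=1
EOF

# set_repo_priority FILE N: give every [stanza] in FILE priority=N, replacing
# any existing priority= line (helper name is this example's own).
set_repo_priority() {
    file="$1"; prio="$2"
    awk -v p="$prio" '
        /^\[.*\]$/   { print; print "priority=" p; next }  # stanza header
        /^priority=/ { next }                              # drop old value
                     { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# repo_priority FILE SECTION: print the priority in effect for SECTION.
# yum-priorities treats a missing priority= as 99, the lowest priority.
repo_priority() {
    awk -v s="[$2]" '
        $0 == s                { in_s = 1; next }
        /^\[/                  { in_s = 0 }
        in_s && /^priority=/   { sub(/^priority=/, ""); print; found = 1; exit }
        END                    { if (!found) print 99 }
    ' "$1"
}

# 1. Enable the plugin.
cat > "$PLUGCONF" <<'EOF'
[main]
enabled = 1
EOF

# 2. Distribution repos first (1), third-party repo well behind them (10).
set_repo_priority "$REPODIR/CentOS-Base.repo" 1
set_repo_priority "$REPODIR/rpmforge.repo" 10

# 3. Show the result; with real files you would follow up with
#    "yum check-update" and look for the "N packages excluded" line.
for f in "$REPODIR"/*.repo; do
    echo "== $f"; cat "$f"
done
```

With these priorities yum still installs packages that exist only in RPMforge, but a package name that also exists in base or updates is taken from CentOS, and "yum check-update" reports the excluded third-party versions.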