[CentOS-virt] OpenVZ and SELinux?

Scott Dowdle

dowdle at montanalinux.org
Mon Oct 15 20:18:36 UTC 2007


----- "Daniel de Kok" <danieldk at pobox.com> wrote:
> According to their (OpenVZ) installation guide, you still need to
> turn off SELinux. If you will be using virtualization run net-facing
> daemons, I'd think twice before deploying OpenVZ.

I'm not trying to bash SELinux, but I have to wonder what percentage of CentOS/RHEL/Fedora users have SELinux on to begin with?  I'd like to use it myself, but I just haven't gotten around to it... nor have I made it a priority. :(

The vast majority of Linux distributions do not include SELinux and ARE being deployed with net-facing daemons.  One has to decide if it is an acceptable risk.  For me it is... knock on wood.

I do appreciate you bringing up the point though.  It would be one of the advantages of Xen over OpenVZ.  With both, there are a number of advantages and disadvantages that must be considered.

> Besides that it provides less isolation. Every virtual machine is running the same kernel, a kernel
> vulnerability may be enough to break out of a virtual machine.

While we must always be vigilant, I'm not aware of any cases where anyone has broken out of an OpenVZ nor Linux-VServer VPS and into the host node nor into other VPSes... and OpenVZ comes from Virtuozzo which has been around for about 7 years now... and Linux-VServer has been around for a long time too.  In fact, Xen is much newer. :)

I'm not saying it could never happen because anything is possible.  As you may know there was a Xen vulnerability reported recently where a grub configuration line could allow access to the hypervisor from the guest (or something like that).

The person I was addressing this to was talking about running CentOS on CentOS so I'm guessing that they'd run the same exact kernel inside every Xen Virtual Machine anyway.

> Besides that, as you already mentioned. With OpenVZ you are on your
> own, it's not CentOS anymore.

While I'd like to see CentOS sanctioned OpenVZ packages, I have to ask just how many people have third-party packages on their system?  I use DAG quite a bit.  I'd really like to see the CentOS team adopt OpenVZ and add it to the Addons or Extras repo (which would be more appropriate) but I'm not sure if they would be interested.  The OpenVZ make it darn easy to install with signed packages in their own repo.

I made the mistake of asking a kernel question in the #centos IRC channel... and when I revealed that I was running an OpenVZ kernel... I wasn't kicked but I was sternly told that it would be off topic and not tolerated. :(

Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]

More information about the CentOS-virt mailing list