Daniel, ----- "Daniel de Kok" <daniel at centos.org> wrote: > It's a matter or diving in it, just like we all had to dive into > UNIX/Linux once. I can really recommend "SELinux by example" for > getting into SELinux. Ok, I'll look into when I get a chance. > Doing such a thing is far easier when the virtual machine is running > under the same kernel as the host. Understood... that is a logical assumption... but also take into account that OpenVZ (including and its commercial sibling, SWsoft's Virtuozzo) has been deployed by tens of thousands of users and is the #2 virtualization technology in use today... according to the OpenVZ project manager. I don't have any hard data I can point you to to prove that but that is my understanding. #1 would be VMware of course. My point is that it has been tested, audited, and revised over its history with regards to security... but it is obviously and ongoing process. Linux-VServer was adopted by the OLPC developers and is the key component of the Bitfrost Security Framework... and as a result will be deployed in millions upon millions of laptops. > I think we'd be interested in including OS-level virtualization as an > option when: > > - There are patches for the kernel versions that CentOS uses, and it > doesn't change the kernel too much besides implementing that > technology (so that it is easy to maintain it for future kernel > updates). The OpenVZ project provides kernels patched against the RHEL4 and RHEL5 kernel source... so I think what they are doing is pretty darn close to what you are asking... and I believe they plan on maintaining those kernels for the life of RHEL4 and RHEL5?!? (see more below) > - The solution allows system administrators to keep on SELinux on the > host system, and not restrict SELinux usage on guest systems. I'm not sure if there is a technical reason that OpenVZ won't work with SELinux. I'm guessing that it is like so many other third-party packages that say to turn off SELinux... simply because they want to avoid the support complexity of figuring out how to make it work and writing policies. > Remember that we potentially have to support new additions for years, > ideally until 2014 for CentOS 5. If someone thinks one solution can > fulfill these requirements, please feel free to discuss it on this > list. As long as SWsoft has Virtuozzo customers using RHEL4 and RHEL5, I'm assuming it will be supported by them and also available in OpenVZ but I don't think I can find anything in writing that promises that. SWsoft also holds controlling interest in Parallels company. I think OS Virtualization / Containers will be less of an issue with upcoming major releases as I'm very sure that container features will be a stock part of the mainline kernel by that time. In fact, Andrew Morton says in his kernel speeches that the only thing he can predict that is coming over the next year or two is container features... but who knows how that will pan out? I'd like to see Red Hat officially add OpenVZ support to RHEL 5 Update X but the only statements I've seen by Red Hat executives is that they do plan to have some form of container based virtualization as a option for RHEL6. > We can't support what we don't provide, and you would be amazed how > often people ask questions on #centos about stuff that we don't > provide ;). Yeah, understood. I was just asking about kernel modules and I doubt the question was specific to my OpenVZ kernel... but since I had mentioned that I was using an OpenVZ kernel, the topic police kicked in. :) I find #centos-social much more friendly... but I don't hang out there much because I don't run into CentOS problems very often. TYL, -- Scott Dowdle 704 Church Street Belgrade, MT 59714 (406)388-0827 [home] (406)994-3931 [work]