On Mon, 2007-10-15 at 18:36 -0400, Scott Dowdle wrote:

> Understood... that is a logical assumption... but also take into
> account that OpenVZ (and its commercial sibling, SWsoft's
> Virtuozzo) has been deployed by tens of thousands of users and is the
> #2 virtualization technology in use today... according to the OpenVZ
> project manager. I don't have any hard data I can point you to to
> prove that but that is my understanding. #1 would be VMware of
> course. My point is that it has been tested, audited, and revised
> over its history with regards to security... but it is obviously an
> ongoing process.

That doesn't really matter. Even if OpenVZ was proven to be exactly correct, it is still used as a part of the kernel, which every now and then has vulnerabilities.

> > - The solution allows system administrators to keep on SELinux on the
> > host system, and not restrict SELinux usage on guest systems.
>
> I'm not sure if there is a technical reason that OpenVZ won't work
> with SELinux. I'm guessing that it is like so many other third-party
> packages that say to turn off SELinux... simply because they want to
> avoid the support complexity of figuring out how to make it work and
> writing policies.

I see more obstacles: how would you modify/add policy from a virtual machine, without affecting that of other VMs or the host machine? What about security context collisions between virtual machines?

> As long as SWsoft has Virtuozzo customers using RHEL4 and RHEL5, I'm
> assuming it will be supported by them and also available in OpenVZ but
> I don't think I can find anything in writing that promises that.

We need to be sure that patches can be maintained for a longer period. So, ideally a maintainer of such packages has understanding of the code/patches. In the worst case, the maintainer could update patches to ensure that it continues to work with our kernels.
> I think OS Virtualization / Containers will be less of an issue with
> upcoming major releases as I'm very sure that container features will
> be a stock part of the mainline kernel by that time. In fact, Andrew
> Morton says in his kernel speeches that the only thing he can predict
> that is coming over the next year or two is container features... but
> who knows how that will pan out?

I guess that we have to wait and see :).

-- 
Daniel