[CentOS] Xen on Centos 4.2....anyone on the list?

Wed Feb 22 23:14:18 UTC 2006
Sanjay Arora <sanjay.k.arora at gmail.com>

On 2/23/06, Michael Best <mbest at pendragon.org> wrote:
> I documented the experiences I had with Xen-unstable (pre-3.x) at:
> http://www.pendragon.org/mywiki/Xen
> It's mostly the same for Xen 3.x
> There is also this page where we did a bit of work and recompiled glibc
> for Centos 4.2.
> http://www.karan.org/blog/index.php/2005/12/06/xen3_on_centos4

Thanks, will study these and get back.

Feel free to ask me any questions, I will try to answer what I know.

My query to the Xen List was:

I  have a small network with an IPtables firewall with a DMZ and a Lan
Server subnets. There are four servers on Lan & one on the DMZ.

DMZ uses centos 4.2, PIII 550 MHz, 256 MB RAM, no X/GUI, is connected to a
512 kbps adsl broadband & provides name based apache, mail server based on
qmailtoaster.com, djbdns server, yum for upgrading, php, perl, mysql &
postgresql etc. The DMZ server is having a private ip address and services
are port-forwarded/natted from the main iptables firewall. It has a single
40 GB HDD using LVM2.

What I want to do is to virtualise each of the services into a seperate Xen
OS instance, with iptables firewalling of its own. Two outcomes are
wanted...1. in case of a compromise of a server through any of the services,
the penetration is limited to that instance of the OS/Service and 2. I want
to put another server on the same subnet in the DMZ and want to implement an
expeditious failover using rsync (not instantaneous...as I don't think I
have  the either the budget or the expertise to do that...or maybe I am just
plain scared to attempt it).

Later, I want to do the same to services on the LAN.

My questions are:

Most Important: Is Xen ready for Production deployments? Availability of
many Xen hostings seem to be positive but nerthless...what's the situation?
Pros/Cons? Would that require a very experienced Sysadmin who can patch &
test kernel umpteen times?

1. Is Xen virtualization good from the point of security, if I do not expose
any services except for ssh and that too from the internal network, on the
host OS. The guest OS will again be firewalled and will expose only one
service which it is providing, in addition to ssh for management. In some
cases apache may be needed for management, in that case the apache access
will be restricted from one or two management computers. What are the issues
I need to study? Various Pros & Cons?

2. If I get Xen hosting from a hosting provider on a fast network, can I
simply migrate my guestOS (domU...I think you guys call it?) to them...this
can relieve me of management every time I implement changes/upgrades? Any
issues in this?

3. My needs are secure small biz intranet/extranet/mail/dns/ftp server &
database usage, all in seperate Xen Guest OS & firewalled from even each
other, except for web-server, which would require one port to access the
database Any issues on this? Would PIII 550 MHz with 256 or 512 MB Ram be

4. What are pen-tester's views of Xen? Tried to search but could not find
much in first few minutes. Maybe Xen is too new or I need to search better &
I intend doing so.

5. My readings conflict about one issue...Xen Host kernel needs to be
patched. What about the guest kernel. One post I read suggested it need not
be patched because of some code borrowed from qemu and improved upon
thereafter...some seem to say guest kernel needs to be patched.

6. I plan on exclusively using Centos...both as a host OS & a guest OS, but
I don't want to go in for custom kernal compilation, every time Xen updates
or CentOS kernel updates. Any packaged rpms available anywhere? that I can
simply use with yum from my local yum repository?

Any other issues I need to look into, given my above use-case scenario?
Budget: Shoe String/ Expertise: Medium..can compile softwares if
instructions are there but no programming/patch creation capability.
Understand technical issues and administer my own linuses though am a
business person.

Please help...criticism, advise, warnings from pros & oracles wanted/welcome

With best regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20060223/05d681c1/attachment-0002.html>