
Re: [Xen-devel] protecting xen startup



On Tue, Nov 23, 2004 at 09:03:39PM +0000, Ian Pratt wrote:
> > > >is the port 8000 stuff actually running in the xen boot-up stuff?
> > > 
> > > Xend starts its HTTP interface when it starts up and will do anything the 
> > > HTTP interface tells it to do.  If Xend isn't running then the HTTP 
> > > interface is not accessible (but you can't do a lot without Xend).
> >  
> >  ... but there's nothing to prevent the merging of the xend and the xm
> >  programs, bypassing the use of HTTP, right?
> 
> You might want to think twice before doing that, or at least have
> some alternative story about how you'd do administration of a
> pool of VMs running over a cluster of nodes. 
> 
> I guess you're probably thinking of multi-level secure VMs on a
> single host (e.g. a laptop), 

 yes (see below for details).

> but the cluster side is important
> too.

 ah, so.
 
 even inside a guest OS is it possible to access the HTTP
 interface?
 
> I guess it might be possible to weld xm and xend directly to each
> other in the single machine case.
 
 perhaps i should explain: i am looking to use xen to implement
 a new level of paranoid security.
 
 i aim to run single applications, such as firefox and
 openoffice, in their own dedicated virtual machines, a
 localised file server in one (or more if i can get GFS or OCFS2
 to work) virtual machine(s), and for the applications to each
 connect to the xen master running an x-server [nomachine isn't
 quite suitable, i may have to write my own ssh-based x-proxy].

 allowing a compromised guest OS to fire up another virtual
 machine, connect to the x-server and spoof "please enter your
 password" dialog boxes is therefore to be avoided!!!


 i am so pleased and relieved that xm is written in python.
 i grok python.

 l.


