
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)




Great points from everyone concerning the topic of XCP security updates. To summarize:

    1. The XCP project currently provides no update repo.

    2. Protect your management network via a non-public routable address
       space and you greatly reduce your dom0 attack surface to the kernel
       and open vSwitch.  While that's true, I don't think that hiding
       from security problems is the answer.

    3. Do not use the CentOS 5 repo to update XCP dom0.

       Some packages (lvm2, etc.) have been modified to work with
       Xenserver/XCP.  The XCP 1.1 source iso lists the following packages
       under the "guest-packages-dom0" directory:

       biosdevname-0.2.4-1.xs651.src.rpm
       device-mapper-multipath-0.4.7-34.xs651.src.rpm
       dhcp-3.0.5-23.el5.xs651.src.rpm
       directfb-1.0.1-xs651.src.rpm
       e2fsprogs-1.39-23.xs651.src.rpm
       ethtool-6+20090306-651.src.rpm
       fbi-1.31-xs651.src.rpm
       firmware-651-1.src.rpm
       kexec-tools-2.0.0-651.49.src.rpm
       lvm2-2.02.56-8.xs651.src.rpm
       md3000-rdac-09.03.0C00.0437-651.src.rpm
       md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
       mercurial-0.9-0.src.rpm
       mkinitrd-5.1.19.6-61.xs651.src.rpm
       net-snmp-5.3.2.2-9.xs651.src.rpm
       open-iscsi-2.0.871-0.20.3.xs651.src.rpm
       pam-0.99.6.2-6.xs651.src.rpm
       PyPAM-0.4.2-3.xs651.src.rpm
       python-simplejson-2.0.9-3.1.xs651.src.rpm
       SDL-1.2.10-8.xs651.src.rpm
       splashy-0.3.9-xs651.src.rpm
       ssmtp-2.61-8.fc6.src.rpm
       stunnel-4.15-2.el5.1.xs651.src.rpm
       udhcp-r15050-651.src.rpm
       vastsky-2.1-3.src.rpm
       vhostmd-0.4-xs651.src.rpm
       vncsnapshot-1.2a-xs651.src.rpm
       xenserver-logos-1.0-xs651.src.rpm
       xenserver-lsb-3.1-12.3.EL.xs.src.rpm

       That's not a perfect list.  I compared that list with a base
       CentOS 5.7 repo and found these to be unique to the above list:

       PyPAM
       biosdevname
       directfb
       fbi
       firmware
       md3000-rdac
       md3000-rdac-tools
       mercurial
       open-iscsi
       splashy
       ssmtp
       udhcp-r15050
       vastsky
       vhostmd
       vncsnapshot
       xenserver-logos
       xenserver-lsb

       For completeness, here's the list of packages that appear to have
       been modified, since they are listed in both the CentOS and XCP lists:

       SDL
       device-mapper-multipath
       dhcp
       e2fsprogs
       ethtool
       kexec-tools
       lvm2
       mkinitrd
       net-snmp
       pam
       python-simplejson
       stunnel

       Add in the kernel, hypervisor, vswitch, and assorted utilities and
       you should be able to come up with a list of packages unique to XCP
       that could be used to build an exclude list if you wanted to pull
       updates from a CentOS 5 repo.

It's a great topic and I'd like to keep the discussion alive. I'd also like to hear from Mike given his insight and understanding of the project. Ideally I think we would all like to see a Citrix sponsored XCP updates repository.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
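
Added example, not part of the original message or the XCP project: one way to do the comparison described in point 3, deriving package names from the SRPM filenames, splitting them into XCP-only and CentOS-overlapping sets, and building a yum `exclude=` line. The CentOS name set and the `kernel*` glob are constructed assumptions; only a subset of the quoted SRPM list is embedded.

```python
# Added example: split the XCP dom0 SRPM list into XCP-only and
# CentOS-overlapping names, then build a yum exclude line.

# Subset of the SRPM filenames quoted in the message above.
XCP_SRPMS = """
biosdevname-0.2.4-1.xs651.src.rpm
device-mapper-multipath-0.4.7-34.xs651.src.rpm
ethtool-6+20090306-651.src.rpm
lvm2-2.02.56-8.xs651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
udhcp-r15050-651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm
""".split()

# Constructed stand-in for the CentOS 5 package names (assumption); in
# practice, feed in the names from the repo you intend to enable.
CENTOS_NAMES = {"bash", "device-mapper-multipath", "ethtool", "lvm2",
                "openssl", "pam"}


def srpm_name(filename):
    """Package name from a name-version-release.src.rpm filename."""
    suffix = ".src.rpm"
    if not filename.endswith(suffix):
        raise ValueError("not a source RPM filename: %r" % filename)
    # Version and release never contain '-', so the name is everything
    # before the last two hyphens (udhcp-r15050-651 -> udhcp).
    parts = filename[: -len(suffix)].rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("cannot parse name-version-release: %r" % filename)
    return parts[0]


def classify(srpms, centos_names):
    """Return (xcp_only, overlapping) as sorted lists of package names."""
    names = {srpm_name(f) for f in srpms}
    return sorted(names - centos_names), sorted(names & centos_names)


def yum_exclude_line(overlapping, extra_globs=()):
    """Build an exclude= line for the CentOS repo section of the yum config.

    The trailing '*' also covers subpackages sharing the prefix; it can
    match unrelated packages with the same prefix, so review the result.
    """
    globs = {name + "*" for name in overlapping} | set(extra_globs)
    return "exclude=" + " ".join(sorted(globs))
```

Binary subpackages whose names do not start with the source package name are not covered by these globs and have to be added by hand.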