Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)

On Wed, Oct 26, 2011 at 6:20 PM, <brooks@xxxxxxxxxxx> wrote:

Great points from everyone concerning the topic of XCP security updates. To summarize:

   1. The XCP project currently provides no update repo.

   2. Protect your management network via a non-publicly routable address
   space and you greatly reduce your dom0 attack surface to the kernel
   and Open vSwitch. While that's true, I don't think that hiding
   from security problems is the answer.

Agreed. I don't want an exploited DomU trying to find exploits in openvswitch or the hypervisor.

   3. Do not use the CentOS 5 repo to update XCP dom0.

   Some packages (lvm2, etc.) have been modified to work with
   XenServer/XCP. The XCP 1.1 source iso lists the following packages
   under the "guest-packages-dom0" directory:


   That's not a perfect list. I compared that list with a base
   CentOS 5.7 repo and found these to be unique to the above list:


   For completeness here's the list of packages that appear to have
   been modified since they are listed in both the CentOS and XCP lists:


   Add in the kernel, hypervisor, vswitch, and assorted utilities and
   you should be able to come up with a list of packages unique to XCP
   that could be used to build an exclude list if you wanted to pull
   updates from a CentOS 5 repo.

It's a great topic and I'd like to keep the discussion alive. I'd also like to hear from Mike given his insight and understanding of the project. Ideally I think we would all like to see a Citrix sponsored XCP updates repository.

Ideally yes the folks that know the most about it would be the best at putting together a repo. I also think that this shouldn't be a complete CentOS repo since the XCP hosts are not supposed to be complete Linux servers in any way. Keep it small, keep it solid, keep it secure. There are packages that could be considered optional too that won't get installed on every host that could be in the repo in case one needs them.
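The list comparison described in the quoted summary (XCP dom0 package list against a base CentOS 5 repo, shared names becoming a yum exclude list) as an added, stand-alone example; it is not from anyone in this thread. Apart from lvm2, the package names are constructed placeholders, not the real XCP or CentOS lists.

```shell
#!/bin/sh
# Added example: derive a yum "exclude=" line from two package lists,
# following the comparison described in the thread. Package names other
# than lvm2 are constructed placeholders.
export LC_ALL=C   # byte-order collation so sort and comm agree

# Constructed sample: package names from XCP's guest-packages-dom0 directory.
xcp_dom0_packages() {
    printf '%s\n' lvm2 device-mapper xcp-tool-PLACEHOLDER openvswitch-PLACEHOLDER
}

# Constructed sample: package names from a base CentOS 5 repo.
centos_base_packages() {
    printf '%s\n' lvm2 device-mapper bash coreutils
}

# Helper: run comm on the two sorted lists with the given comm flags.
_compare() {
    xcp=$(mktemp) || return 1
    base=$(mktemp) || { rm -f "$xcp"; return 1; }
    xcp_dom0_packages | sort -u > "$xcp"
    centos_base_packages | sort -u > "$base"
    comm "$1" "$xcp" "$base"
    rm -f "$xcp" "$base"
}

# Packages unique to XCP: CentOS never ships them, so no exclude is needed,
# but they are the part of dom0 that no CentOS repo will ever update.
xcp_only() {
    _compare -23
}

# Packages present in both lists: these are the ones XCP has modified, and
# a CentOS update would overwrite the XCP version, so they go on the exclude list.
shared_packages() {
    _compare -12
}

# Emit the line to place in the [base] section of a yum repo file.
yum_exclude_line() {
    printf 'exclude=%s\n' "$(shared_packages | tr '\n' ' ' | sed 's/ $//')"
}

yum_exclude_line
```

Re-run the comparison after every XCP release; the exclude list only protects packages that were on the XCP list at the time it was generated.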

