On Wed, Oct 26, 2011 at 6:20 PM,
<brooks@xxxxxxxxxxx> wrote:
Great points from everyone concerning the topic of XCP security updates. To summarize:
 1. The XCP project currently provides no update repo.
 2. Protect your management network via a non-public routable address
   space and you greatly reduce your dom0 attack surface to the kernel
   and open vSwitch. While that's true, I don't think that hiding
   from security problems is the answer.
Agreed. I don't want an exploited DomU trying to find exploits in openvswitch or the hypervisor.
 3. Do not use the CentOS 5 repo to update XCP dom0.
   Some packages (lvm2, etc.) have been modified to work with
   Xenserver/XCP. The XCP 1.1 source iso lists the following packages
   under the "guest-packages-dom0" directory:
   biosdevname-0.2.4-1.xs651.src.rpm
   device-mapper-multipath-0.4.7-34.xs651.src.rpm
   dhcp-3.0.5-23.el5.xs651.src.rpm
   directfb-1.0.1-xs651.src.rpm
   e2fsprogs-1.39-23.xs651.src.rpm
   ethtool-6+20090306-651.src.rpm
   fbi-1.31-xs651.src.rpm
   firmware-651-1.src.rpm
   kexec-tools-2.0.0-651.49.src.rpm
   lvm2-2.02.56-8.xs651.src.rpm
   md3000-rdac-09.03.0C00.0437-651.src.rpm
   md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
   mercurial-0.9-0.src.rpm
   mkinitrd-5.1.19.6-61.xs651.src.rpm
   net-snmp-5.3.2.2-9.xs651.src.rpm
   open-iscsi-2.0.871-0.20.3.xs651.src.rpm
   pam-0.99.6.2-6.xs651.src.rpm
   PyPAM-0.4.2-3.xs651.src.rpm
   python-simplejson-2.0.9-3.1.xs651.src.rpm
   SDL-1.2.10-8.xs651.src.rpm
   splashy-0.3.9-xs651.src.rpm
   ssmtp-2.61-8.fc6.src.rpm
   stunnel-4.15-2.el5.1.xs651.src.rpm
   udhcp-r15050-651.src.rpm
   vastsky-2.1-3.src.rpm
   vhostmd-0.4-xs651.src.rpm
   vncsnapshot-1.2a-xs651.src.rpm
   xenserver-logos-1.0-xs651.src.rpm
   xenserver-lsb-3.1-12.3.EL.xs.src.rpm
   That's not a perfect list. I compared that list with a base
   CentOS 5.7 repo and found these to be unique to the above list:
   PyPAM
   biosdevname
   directfb
   fbi
   firmware
   md3000-rdac
   md3000-rdac-tools
   mercurial
   open-iscsi
   splashy
   ssmtp
   udhcp-r15050
   vastsky
   vhostmd
   vncsnapshot
   xenserver-logos
   xenserver-lsb
   For completeness here's the list of packages that appear to have
   been modified since they are listed in both the CentOS and XCP lists:
   SDL
   device-mapper-multipath
   dhcp
   e2fsprogs
   ethtool
   kexec-tools
   lvm2
   mkinitrd
   net-snmp
   pam
   python-simplejson
   stunnel
   Add in the kernel, hypervisor, vswitch, and assorted utilities and
   you should be able to come up with a list of packages unique to XCP
   that could be used to build an exclude list if you wanted to pull
   updates from a CentOS 5 repo.
It's a great topic and I'd like to keep the discussion alive. I'd also like to hear from Mike given his insight and understanding of the project. Ideally I think we would all like to see a Citrix sponsored XCP updates repository.
Ideally, yes, the folks that know the most about it would be the best at putting together a repo. I also think that this shouldn't be a complete CentOS repo, since the XCP hosts are not supposed to be complete Linux servers in any way. Keep it small, keep it solid, keep it secure. There are packages that could be considered optional too, that won't get installed on every host, which could be in the repo in case one needs them.
Grant McWilliams
http://grantmcwilliams.com/
Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
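As an added example (not code from anyone in this thread), here is a POSIX sh script for the comparison step 3 describes: derive package names from the XCP 1.1 src.rpm file names, intersect them with a CentOS package list, and turn the overlap into a yum `exclude=` line so a CentOS 5 repo cannot replace the XCP-patched dom0 packages. The SRPM subset and the CentOS name list below are constructed from the lists in the mail; a real run would feed the full guest-packages-dom0 listing and a package-name dump of the CentOS repo.

```sh
#!/bin/sh
# Added example: build a yum exclude list for XCP-modified dom0 packages.
LC_ALL=C; export LC_ALL   # fixed sort order regardless of host locale

# Constructed subset of the src.rpm names from the XCP 1.1 source iso,
# chosen to cover the awkward name/version/release shapes in the full list.
XCP_SRPMS='device-mapper-multipath-0.4.7-34.xs651.src.rpm
ethtool-6+20090306-651.src.rpm
firmware-651-1.src.rpm
lvm2-2.02.56-8.xs651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
PyPAM-0.4.2-3.xs651.src.rpm
stunnel-4.15-2.el5.1.xs651.src.rpm
udhcp-r15050-651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm'

# Constructed stand-in for package names present in a base CentOS 5.7 repo.
CENTOS_NAMES='device-mapper-multipath
dhcp
e2fsprogs
ethtool
lvm2
pam
stunnel'

# RPM file names are name-version-release.arch.rpm: drop ".src.rpm",
# then the last two "-" separated fields, leaving the package name.
srpm_name() {
    printf '%s\n' "$1" | sed -e 's/\.src\.rpm$//' -e 's/-[^-]*-[^-]*$//'
}

# Package names on the XCP side, one per line, sorted.
xcp_names() {
    printf '%s\n' "$XCP_SRPMS" | while read -r f; do srpm_name "$f"; done | sort -u
}

# Tag each name with its origin so one awk pass can compare both lists.
tagged() { printf '%s\n' "$CENTOS_NAMES" | sed 's/^/C /'; xcp_names | sed 's/^/X /'; }

# Names in both lists: XCP-patched packages a CentOS repo would clobber.
modified_names() { tagged | awk '$1=="C"{c[$2]=1} $1=="X" && ($2 in c){print $2}' | sort; }

# Names only in the XCP list: no CentOS counterpart, so nothing to exclude.
xcp_only_names()  { tagged | awk '$1=="C"{c[$2]=1} $1=="X" && !($2 in c){print $2}' | sort; }

# The line to drop into the [main] section of yum.conf.
yum_exclude_line() {
    printf 'exclude=%s\n' "$(modified_names | tr '\n' ' ' | sed 's/ $//')"
}

yum_exclude_line
```

Note that the name rule gives `udhcp` rather than `udhcp-r15050`, because `r15050` sits in the version field of that src.rpm.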