Has anyone (or is anyone) setting up a LXR-style code browser (like http://lxr.linpro.no/source) for the different Xen trees?

I sat down thinking it would be a 5-minute operation and after several hours I've finally gotten it running (albeit incorrectly) on my desktop development machine. Before I continue to bang my head on getting the cross-references correct and automatically downloading the nightly tarball update, I realized I should ask if anyone else has already gone through the process.

Unfortunately, I can't make my desktop machine visible outside IBM -- perhaps there's a machine somewhere that could host this? Maybe the new coming-soon official Xen wiki/etc server? I can contribute my accumulated "hours of expertise" to getting this set up if a platform comes together.

John

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> Has anyone (or is anyone) setting up a LXR-style code browser (like http://lxr.linpro.no/source) for the different Xen trees?

Like you, we have an internal LXR server.

I've never been very convinced about the security of LXR. Do you reckon we'd get away with running one on the public internet? Do you know whether lxr.linpro.no have had problems?

We're planning on setting up the wiki and bugzilla each in their own VM with snort running in domain 0 to scrutinize the traffic. I guess we could add lxr to the mix and see what happens...

Ian

> I sat down thinking it would be a 5-minute operation and after several hours I've finally gotten it running (albeit incorrectly) on my desktop development machine. Before I continue to bang my head on getting the cross-references correct and automatically downloading the nightly tarball update, I realized I should ask if anyone else has already gone through the process.
>
> Unfortunately, I can't make my desktop machine visible outside IBM -- perhaps there's a machine somewhere that could host this? Maybe the new coming-soon official Xen wiki/etc server? I can contribute my accumulated "hours of expertise" to getting this set up if a platform comes together.
>
> John

It would be nice to have one place to create an LXR repository. It seems we are creating more and more copies of the same thing (there is one in the Computer Laboratory, one in Intel Research [maintained by me] and now yours).

Any volunteer to host this (unfortunately it takes quite a lot of hard disk space - 6 crossreferenced kernels and sourcecode amounts to a total of about 2Gb)?

Cheers
Gregor

> Has anyone (or is anyone) setting up a LXR-style code browser (like http://lxr.linpro.no/source) for the different Xen trees?
>
> I sat down thinking it would be a 5-minute operation and after several hours I've finally gotten it running (albeit incorrectly) on my desktop development machine. Before I continue to bang my head on getting the cross-references correct and automatically downloading the nightly tarball update, I realized I should ask if anyone else has already gone through the process.
>
> Unfortunately, I can't make my desktop machine visible outside IBM -- perhaps there's a machine somewhere that could host this? Maybe the new coming-soon official Xen wiki/etc server? I can contribute my accumulated "hours of expertise" to getting this set up if a platform comes together.
>
> John

--
Quidquid latine dictum sit, altum viditur --- Anon

> I've never been very convinced about the security of LXR. Do you reckon we'd get away with running one on the public internet? Do you know whether lxr.linpro.no have had problems?

Offhand I'm not aware of any, though they have occasionally pushed updates that remove vulnerabilities (i.e., version 0.3.1, Mar 2003). The lxr.linpro.no site replaced what used to be lxr.linux.no site [for what seems to be bandwidth-related reasons], and they have an LXR repository hosted at mozilla.org -- both are popular sites, so my guess is security problems would crop up more often if LXR was indeed prone to them.

As you point out, Xen provides an ideal environment for opening access to a sandboxed LXR webserver. :-)

What is the timeline for deploying the new server? Access to the LXR repository is something I would find immediately useful.

JLG

P.S. Is there a problem with the mail at sourceforge? My posts to xen-devel made it out immediately in December, but today the lag is 45 minutes or more.

> What is the timeline for deploying the new server? Access to the LXR repository is something I would find immediately useful.

I hope we can get something fairly soon, I'll let you know.

> P.S. Is there a problem with the mail at sourceforge? My posts to xen-devel made it out immediately in December, but today the lag is 45 minutes or more.

Sourceforge lists are always pretty erratic -- as a list admin they're a real hassle too. At least it's been a couple of months since the list last broke completely.

I sometimes think about moving the list onto our own majordomo setup, but it would be quite an upheaval for subscribers, particularly those that have mail filters set up. What do people think? Happy with sourceforge, or time to move?

Ian

Ian Pratt wrote:

> I sometimes think about moving the list onto our own majordomo setup, but it would be quite an upheaval for subscribers, particularly those that have mail filters set up. What do people think? Happy with sourceforge, or time to move?

I've noticed pretty bad lag on sourceforge for the past couple weeks. I get the direct CC'd response long before the mailing list message. It might break some people's rules, but it also might be a good opportunity to introduce a xen-users list too. Might make searching for old answers a bit easier.

Regards,

> Ian

--
Anthony Liguori
anthony@codemonkey.ws

John L Griffin wrote:

> Has anyone (or is anyone) setting up a LXR-style code browser (like http://lxr.linpro.no/source) for the different Xen trees?

http://lxr2.linpro.no/source/

--
Per Andreas Buer

> Like you, we have an internal LXR server.
>
> I've never been very convinced about the security of LXR. Do you reckon we'd get away with running one on the public internet? Do you know whether lxr.linpro.no have had problems?
>
> We're planning on setting up the wiki and bugzilla each in their own VM with snort running in domain 0 to scrutinize the traffic. I guess we could add lxr to the mix and see what happens...
>
> Ian

Your suggestion to use snort in dom0 sounds like a great way to keep track of what is going on in the other domains. It sparks my interest in taking part in the discussion, as I have been thinking through the best ways to use Xen to create a higher level of trust in my systems.

Because security of dom0 seems of the utmost importance, I have been inclined to do less in dom0...rather than more. I have been thinking of making only ssh available from the outside, even protecting the ssh port with port knocking. I would use dom0 for compiling new xen/linux kernels, for managing the other domains (as with the xm command), and for running iptables, which would run in dom0 to protect all the other domains. I would also do filesystem integrity checking within dom0 and send syslog to a remote server. Outside of those duties, I don't think dom0 needs to do much for me.

Given that approach to using dom0 in a more tightly controlled way, the only other vectors of attack upon dom0, as I see them, would be these scenarios:

1) network attack via iptables or on the tcp/ip stack itself (unlikely)
2) virtual machine attack on a vulnerability that allows access to dom0 (unlikely)
3) tcp session hijacking of an ssh session

So, by using dom0 as a special-purpose domain, risk of compromising the entire system would be minimized.

Would it perhaps be even better to run snort in an unprivileged domain, using iptables to feed traffic to that domain?

Incidentally, why isn't iptables support built into the default xen/linux kernels? iptables seems a natural fit with a project that can do so much for system security.

Thanks to everyone working on this wonderful project.

Shane

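An added example, not part of Shane's message or anyone's code in this thread: a small Python check that an `iptables-save` dump taken in dom0 matches the policy described above (INPUT default DROP, only ssh accepted from outside). The sample dump, the function names and the allowed-port list are constructed for illustration.

```python
import shlex

# Constructed iptables-save dump for a dom0 (sample data, not from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def option(tokens, name):
    """Return the value following option `name`, or None if it is absent."""
    if name in tokens[:-1]:
        return tokens[tokens.index(name) + 1]
    return None

def audit_input_chain(dump, allowed_tcp_ports=("22",)):
    """List deviations from 'default DROP, only the allowed TCP ports open'."""
    findings, policy, in_filter = [], None, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]             # chain default policy
        elif in_filter and line.startswith("-A INPUT "):
            t = shlex.split(line)
            if option(t, "-j") != "ACCEPT":
                continue                         # only ACCEPT rules widen exposure
            if option(t, "-i") == "lo":
                continue                         # loopback traffic
            state = option(t, "--state") or option(t, "--ctstate")
            if state and set(state.split(",")) <= {"RELATED", "ESTABLISHED"}:
                continue                         # replies to existing connections
            if option(t, "-p") == "tcp" and option(t, "--dport") in allowed_tcp_ports:
                continue                         # explicitly allowed service (ssh)
            findings.append("unexpected ACCEPT: " + line)
    if policy != "DROP":
        findings.insert(0, f"INPUT policy is {policy}, expected DROP")
    return findings

if __name__ == "__main__":
    for finding in audit_input_chain(SAMPLE):
        print(finding)
```

The check only reads the INPUT chain of the filter table; negated matches (`!`) and jumps to user-defined chains are not interpreted, so rulesets that use them need a manual look.
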
> Would it perhaps be even better to run snort in an unprivileged domain, using iptables to feed traffic to that domain?

Sure, this could be done, but it would be most efficient to run it in whichever domain has the bridge. The tools currently don't make it easy to set up drivers in other domains.

> Incidentally, why isn't iptables support built into the default xen/linux kernels? iptables seems a natural fit with a project that can do so much for system security.

iptables is built as a module in the default 2.6 xen0 config.

Ian