Or should Dom0 be lightweight, with guest o/s's doing that?
Jonathan Tripathy
2010-Aug-17 19:34 UTC
RE: [Xen-users] Should applications be running on Dom0
Depends on what your Xen setup is being used for.

If it's strictly lab/testing/internal things, then it really doesn't matter.

If you're hosting stuff to the outside world, then the only thing that should be running on the Dom0 (apart from the Xen Guests), is iptables to firewall the guests.
Nathan Eisenberg
2010-Aug-17 19:47 UTC
RE: [Xen-users] Should applications be running on Dom0
I hear this often, but I have yet to hear a satisfactory and technical explanation as to why. I'm not sure I agree that it is true.

Why is this the case?

-Nathan
Jonathan Tripathy
2010-Aug-17 19:55 UTC
Re: [Xen-users] Should applications be running on Dom0
Hi Nathan,

Well, the bottom line is that if there is nothing running then there is nothing to hack. Xen is a very secure hypervisor. In fact, there are no known open exploits. So, "breaking out" of a guest is extremely unlikely. It's all about reducing your chances and determining what risks are acceptable to you. The only way to be 100% safe and secure is to not own any servers at all - but then many of us would be out of jobs!

So, to answer your question, there isn't a specific example I can give - it's all about reducing risk.
Joseph M. Deming
2010-Aug-17 20:20 UTC
RE: [Xen-users] Should applications be running on Dom0
From a casual xen user's point of view (i.e. I'm not a certified professional or dev).

Xen dom0 (using my setup in debian as an example) is really just another domU loaded under the Xen hypervisor itself. It is 'privileged' in a sense of controlling the other DomU's and the hardware/virtual device connections between them, but it is also really just another running kernel/installation of a Debian OS in my case.

So... apt-get installing packages, running services, etc, etc is really independent of the responsibilities of the Xen virtualization. So, there should be no reason other apps can't run alongside the Xen application in the Dom0.

However, I assume the general recommendation that apps should NOT be run alongside Xen in the main Dom0 (especially in production environment) would stem from two primary thought-processes (maybe more, but these are the 2 I think about).

1) Applications running on Dom0 could, theoretically, compromise security between the Dom0 boxes and the DomU's by providing further handles that could be leveraged if a security loophole is exploited in Xen. In other words, by keeping the Dom0 as a nice clean, minimal install you minimize the vector of attacks possible that would be possible by gaining access to the Dom0 kernel or communication between Dom0's and DomU devices.

2) Applications running on Dom0, I assume, bypass some of the resource management that comes on the DomU virtual (and even passthrough) devices. Meaning, if you install an application on Dom0 that is io-intensive on any bus (disk, network, memory, CPU) you can drag the performance of possibly all your DomU's because the Dom0 is somewhat in control and dominating disk read/write for example.

I am writing this with a lack of fundamental understanding of the exact technical design of the Xen system, but I think that the 2 concepts listed here apply in a general sense even if my wording or technical terms are somewhat incorrect. Hope maybe this helps shed a little light.

- jmd
Jonathan Tripathy
2010-Aug-17 21:05 UTC
Re: [Xen-users] Should applications be running on Dom0
Much more simple: Dom0 has access to all disks of all DomUs - no exploits required :)
Joseph M. Deming wrote:
> 1) Applications running on Dom0 could, theoretically, compromise security between the Dom0 boxes and the DomU's by providing further handles that could be leveraged if a security loophole is exploited in Xen. In other words, by keeping the Dom0 as a nice clean, minimal install you minimize the vector of attacks possible that would be possible by gaining access to the Dom0 kernel or communication between Dom0's and DomU devices.

At 22:05 +0100 17/8/10, Jonathan Tripathy wrote:
> Much more simple: Dom0 has access to all disks of all DomUs - no exploits required :)

Indeed, there is no "theoretically" involved. Anything running on Dom0 has access to everything - it can shut down a DomU, it can alter the contents of their disks as well as read them.

So in a way the argument is the same as for running services chroot'd on a single server - if they get compromised then it limits the damage they can do. It's not something you **must** do, it's something you as administrator decide to do or not depending on what you believe the risks to be, and what your tolerance for risk is.

The difference with Dom0 is that you are giving someone the opportunity to compromise not just the one 'machine', but potentially a whole virtual rack of machines.

I'm with the other, for a production machine exposed to the big bad internet, then it makes sense to keep Dom0 lean and clean. For education purposes and experimentation, I'd see nothing wrong with running your desktop in Dom0.

Just remember, there is no such thing as "no risk" or "safe". You just have to assess the risks and minimise them as far as is reasonable/practical for **your** application.

-- Simon Hobson
I have two reasons, neither based on theory, but pragmatism.

One is to keep dom0 stable. A domU crash, due to a badly behaved application (i.e. OOM) can be handled easily with "xm destroy" if nothing else works. There is no "xm destroy" for dom0, and a dom0 recovery sometimes involves switching power to the physical host. (Losing all guests in the process.)

Another is simply to give as much memory to the guests as possible. We run many applications that benefit from disk caching or application buffers, both of which are limited to the memory assigned to the domU. The dom0 on the other hand can run efficiently in a very small memory footprint (512MB or less).
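The advice repeated in this thread is to keep an internet-facing Dom0 minimal. One way to check that on a host, as an added example that is not from any poster in the thread: a shell function that reads `ss -ltn` output and reports every non-loopback listening socket whose port is not on an allowlist. The allowlist (SSH only) and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Dom0 TCP listeners that are not on an allowlist.
# Input is the output of `ss -ltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample input, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 5 0.0.0.0:8002 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

# Ports the administrator accepts on Dom0 (assumption: SSH only).
ALLOWED_PORTS="22"

# audit_dom0_listeners "PORT PORT ..." < ss-output
# Prints "address port" for each listener that is reachable from the
# network (not bound to loopback) and whose port is not allowed.
audit_dom0_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {                       # skips the header line
            sock = $4
            port = sock; sub(/.*:/, "", port)      # text after the last colon
            addr = sock; sub(/:[^:]*$/, "", addr)  # text before the last colon
            # Loopback-only services are not exposed to guests or the network.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            if (!(port in ok)) print addr, port
        }'
}

# Run against the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE_SS" | audit_dom0_listeners "$ALLOWED_PORTS"
```

On a live Dom0, pipe `ss -ltn` into `audit_dom0_listeners` with your own allowlist; each line printed is a network-reachable service that the allowlist does not cover.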