a newbie question [message #46808] |
Sun, 17 June 2012 10:25 |
cheetah
Messages: 7 Registered: June 2012
|
Junior Member |
|
|
Hi guys,
I am a newbie to openvz and preparing to deploy it in my production
environment to give each user a container. I have the following concerns
now.
1. Can user load kernel modules in the guest container without influencing
the host kernel or other container's kernel? As far as I understand, all
the containers share the same kernel of the host. So I am wondering if this
is possible?
2. Or how is the container's security isolation? Can I give user root
access in the container? Is there any hack that he/she can use root in the
container to attack the host or other containers?
3. Does openvz kernel support kvm?
4. What is recommended distro of Linux to install openvz? I am now using
CentOS 6.2. How about Debian?
Thanks a lot for answering my stupid questions.
Regards,
Peter
|
|
|
|
Re: a newbie question [message #46812 is a reply to message #46810] |
Sun, 17 June 2012 11:10 |
cheetah
Messages: 7 Registered: June 2012
|
Junior Member |
|
|
Thanks a lot for the info, Martin.
Nice to know Openvz kernel is based on RHEL6. I am wondering how fast it is
released after a new release of RHEL?
Thanks.
Peter
On Sun, Jun 17, 2012 at 6:56 PM, Martin Dobrev <martin@dobrev.eu> wrote:
>
>
> Martin Dobrev
>
> Sent from iPhonespam SPAMSPAM 4
>
> On 17.06.2012, at 13:25, cheetah <xuwh06@gmail.com> wrote:
>
> > Hi guys,
> >
>
> Hi Peter,
>
> > I am a newbie to openvz and preparing to deploy it in my production
> environment to give each user a container. I have the following concerns
> now.
> >
> > 1. Can user load kernel modules in the guest container without
> influencing the host kernel or other container's kernel? As far as I
> understand, all the containers share the same kernel of the host. So I am
> wondering if this is possible?
> >
>
> Some modules can be shared from the host sytem to the containers. More
> info in the vzctl man page.
>
> > 2. Or how is the container's security isolation? Can I give user root
> access in the container? Is there any hack that he/she can use root in the
> container to attack the host or other containers?
> >
> It's impossible to gain host system access using a kernel bug as far as I
> know. Some kernel exploits are still able to crash the hole system. Giving
> root in the container will be considered as secure as giving root on
> physical server.
> > 3. Does openvz kernel support kvm?
> >
> It's possible to have Xen and KVM compiled in the OVZ kernel but you'll
> need to compile it yourself.
> > 4. What is recommended distro of Linux to install openvz? I am now using
> CentOS 6.2. How about Debian?
> >
> Mainstream kernel development follows the RHEL kernel branches, so best
> for you will be CentOS. I have some production systems on it too.
> > Thanks a lot for answering my stupid questions.
> >
> I hope my info helps.
> > Regards,
> > Peter
> P.S. There is no need to write to the devel list directly for user
> questions.
|
|
|
Re: a newbie question [message #46813 is a reply to message #46812] |
Sun, 17 June 2012 11:20 |
Christian Blaich
Messages: 6 Registered: June 2012
|
Junior Member |
|
|
Check proxmox, ovz kvm modules already loaded in the Kernel. Easy to handle via console and also via Web. Based on debian. Good howtos!
-----
Mobil verfasst
Am 17.06.2012 um 13:10 schrieb cheetah <xuwh06@gmail.com>:
> Thanks a lot for the info, Martin.
>
> Nice to know Openvz kernel is based on RHEL6. I am wondering how fast it is released after a new release of RHEL?
>
> Thanks.
> Peter
>
> On Sun, Jun 17, 2012 at 6:56 PM, Martin Dobrev <martin@dobrev.eu> wrote:
>
>
> Martin Dobrev
>
> Sent from iPhonespam SPAMSPAM 4
>
> On 17.06.2012, at 13:25, cheetah <xuwh06@gmail.com> wrote:
>
> > Hi guys,
> >
>
> Hi Peter,
>
> > I am a newbie to openvz and preparing to deploy it in my production environment to give each user a container. I have the following concerns now.
> >
> > 1. Can user load kernel modules in the guest container without influencing the host kernel or other container's kernel? As far as I understand, all the containers share the same kernel of the host. So I am wondering if this is possible?
> >
>
> Some modules can be shared from the host sytem to the containers. More info in the vzctl man page.
>
> > 2. Or how is the container's security isolation? Can I give user root access in the container? Is there any hack that he/she can use root in the container to attack the host or other containers?
> >
> It's impossible to gain host system access using a kernel bug as far as I know. Some kernel exploits are still able to crash the hole system. Giving root in the container will be considered as secure as giving root on physical server.
> > 3. Does openvz kernel support kvm?
> >
> It's possible to have Xen and KVM compiled in the OVZ kernel but you'll need to compile it yourself.
> > 4. What is recommended distro of Linux to install openvz? I am now using CentOS 6.2. How about Debian?
> >
> Mainstream kernel development follows the RHEL kernel branches, so best for you will be CentOS. I have some production systems on it too.
> > Thanks a lot for answering my stupid questions.
> >
> I hope my info helps.
> > Regards,
> > Peter
> P.S. There is no need to write to the devel list directly for user questions.
|
|
|
Re: a newbie question [message #46814 is a reply to message #46810] |
Sun, 17 June 2012 13:03 |
LightDot
Messages: 8 Registered: October 2011
|
Junior Member |
|
|
Hello Martin and Peter,
On Sun, Jun 17, 2012 at 12:56 PM, Martin Dobrev <martin@dobrev.eu> wrote:
>
>
> Martin Dobrev
>
> Sent from iPhonespam SPAMSPAM 4
>
> On 17.06.2012, at 13:25, cheetah <xuwh06@gmail.com> wrote:
>
>> Hi guys,
>>
>
> Hi Peter,
>
>> I am a newbie to openvz and preparing to deploy it in my production environment to give each user a container. I have the following concerns now.
>>
>> 1. Can user load kernel modules in the guest container without influencing the host kernel or other container's kernel? As far as I understand, all the containers share the same kernel of the host. So I am wondering if this is possible?
>>
>
> Some modules can be shared from the host sytem to the containers. More info in the vzctl man page.
>
Users can't load modules from within the guest containers. Modules can
be loaded on the hardware node and they will be available to all
containers. Usability depends on the specific module, guest containers
might not be able to use some of them.
>> 2. Or how is the container's security isolation? Can I give user root access in the container? Is there any hack that he/she can use root in the container to attack the host or other containers?
>>
> It's impossible to gain host system access using a kernel bug as far as I know. Some kernel exploits are still able to crash the hole system. Giving root in the container will be considered as secure as giving root on physical server.
I would say giving your customers root access to a container is pretty
safe. In case of kernel exploits or bugs, there might be a certain
risk. For example, recent watchdog kernel bug enabled container users
to reboot the node. In my experience, such bugs are quickly dealt with
and few and far between. I haven't been bitten by any yet.
>> 3. Does openvz kernel support kvm?
>>
> It's possible to have Xen and KVM compiled in the OVZ kernel but you'll need to compile it yourself.
I don't think this is true, perhaps I'm misunderstanding what you're
saying. KVM is a part of the mainline kernel and a part of Red Hat
kernels, I don't think openvz is in any way stripping it out. KVM
should work sam as it works on a regular Red hat kernel, shouldn't it?
>> 4. What is recommended distro of Linux to install openvz? I am now using CentOS 6.2. How about Debian?
>>
> Mainstream kernel development follows the RHEL kernel branches, so best for you will be CentOS. I have some production systems on it too.
I'd recommend CentOS or Scientific Linux 6.x. If you'd like to use
Debian, I'd recommend using Red Hat version of openvz kernel with it
too.
>> Thanks a lot for answering my stupid questions.
>>
> I hope my info helps.
>> Regards,
>> Peter
> P.S. There is no need to write to the devel list directly for user questions.
Regards to all...
|
|
|
|