Red Hat announced several moves Tuesday to bring virtualization technology to the mainstream Linux market by the end of the year, a move that the company promises will dramatically increase server efficiency. The company already has promised to include a major virtualization component, the Xen hypervisor software, in its next premium product, Red Hat Enterprise Linux version 5, due by the end of the year.
Red Hat Works to Make Virtualization Into Reality
2006-03-16 3:23 pm jamesd
I know that Sun plans on integrating the older code from Trusted Solaris into OpenSolaris eventually, but I wonder how it will compare to SELinux + Xen in the future?
Well, it's nice to wonder about the future of ideas that will become production ready. Solaris 10 has zones today, which give you much of what Xen does, and Solaris 10 also has features and benefits that Xen+SELinux does not. Much of what Trusted Solaris was is now embedded into Solaris 10 today, so much so that the new Trusted Solaris will be little more than a set of config files to enable the right features and disable others.
In Zones you are limited to one kernel for all the zones, but there are good points to having one kernel. With zones I can create an environment for my app in as little as 3 seconds. http://blogs.sun.com/roller/page/jclingan?entry=zone_creation_with_
Yet each zone is patched and upgraded at the same time as the global zone, if you have 10 zones, the system is patched and upgraded once and the changes are applied everywhere.
With Xen each guest OS needs to be patched independently. Each guest environment is its own little island, so if I want to monitor what is happening in the island I have to visit it. Each Xen guest also must have memory and disk space allocated to it. Sure, RAM and disk space are cheap, but they aren’t unlimited.
With Zones, I can set up each one to run its service yet monitor them from the global zone. http://uadmin.blogspot.com/2005/05/finding-whats-broke-fast.html
For example, I can run a webserver in zone1 and then run tripwire in the global zone. If someone hacks their way into the zone and changes any of the files we are watching with tripwire, the admin is notified, yet the person inside the zone doesn’t even know tripwire is running. With Xen doing the same task, how long till you notice that someone has defaced a web page? Probably hours, when someone emails or calls the company; as an admin I prefer to be paged by a machine than by my boss with this news. Of course the system can be programmed to automatically restore the changed files so normal users aren’t even aware of the violation.
If you are a hosting company you can give each client a zone; then they are free to set up their own machine and they can’t disturb anyone else. Yet the administrator has total control and can monitor all the zones at the same time with standard tools and keep all of them patched. Does anyone want to patch and update a machine running 50 Xen guest OSes? With Zones it's easy.
While looking up information on SELinux I found this little tidbit that should appear in bold flashing red type. http://www.nsa.gov/selinux/
“This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.”
SELinux does not have the logging/auditing features necessary to monitor each user/task to truly be secure. Yes, SELinux makes it hard to break the rules, but there is no proof that someone doesn’t overuse the power they are given. Without checks and balances, the people you give a little power can take control. Adding Xen to the mix only makes this worse, since you can’t even monitor users inside the guest OS at all without entering the guest OS. Solaris 10 has mature auditing and logging tools along with RBAC (Role Based Access Controls), which basically applies policy to the OS to make these mandatory.
Thousand Island makes a good salad dressing but is a sysadmin’s nightmare in the datacenter.
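The "tripwire in the global zone watching zone1" setup described above, as an added illustration that is not part of the original comment: a minimal baseline-and-compare file-integrity check that runs from outside the monitored filesystem. It assumes the zone's files are visible from the global zone under its zonepath (a path such as /zones/zone1/root is an assumption; the real one is whatever the admin configured), and the demo below uses a constructed temporary directory instead.

```shell
#!/bin/sh
# Added example (not from the original post or from Sun/Red Hat tooling).
# Assumption: the monitored tree is a zone root as seen from the global
# zone, e.g. /zones/zone1/root. Uses sha256sum (GNU coreutils); on
# Solaris 10 the equivalent would be digest(1). File names with spaces
# or newlines are not handled.

# Hash every regular file under DIR into a manifest ("hash  ./path"),
# sorted so two manifests of the same tree compare line by line.
build_baseline() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
      done )
}

# Compare DIR against a saved manifest. Prints each changed, new or
# missing path once, and returns 1 if anything differs (0 if clean).
check_baseline() {
    dir="$1"; manifest="$2"
    changed=$(build_baseline "$dir" | diff "$manifest" - \
              | awk '/^[<>] / {print $3}' | LC_ALL=C sort -u)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Demo on constructed data: a fake zone root holding one web page and
# one config file; the page is then modified to show the detection.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/var/www" "$root/etc"
    printf 'Welcome\n' > "$root/var/www/index.html"
    printf 'zone1\n'   > "$root/etc/nodename"
    build_baseline "$root" > "$root.manifest"
    printf 'changed\n' > "$root/var/www/index.html"   # unauthorized edit
    check_baseline "$root" "$root.manifest"           # prints the path
    rc=$?
    rm -rf "$root" "$root.manifest"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the changed path reported; in a real deployment the manifest would be written somewhere the zone cannot reach and the check run from cron in the global zone.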
I’m sure Xenworks could use some money. It’s so typical in open source to never buy anything – both customers and vendors of open source are such tightwads.
2006-03-15 8:42 pm SEJeff
I think you mean Xensource.
Zenworks is a product by Novell. Xensource is the company formed around the open source virtualization product Xen.
2006-03-15 8:45 pm cybrjackle
Red Hat has bought several closed products and opened them up.
2006-03-15 11:45 pm stephanem
> Red Hat has bought several closed products and opened them up.
But they have never bought an open source product!
(why pay for something you can get for free – isn’t that how open source works?)
2006-03-16 11:56 am Johann Chua
Why would Red Hat need to buy an open source product? Hiring developers isn’t enough?
It’s very good to see that a lot of the hard work that goes into Fedora Core Release Linux by its developers and the open source users eventually sees the light of day (when stabilised) in some shape or form in Red Hat Enterprise Linux.
This is good news, as Red Hat needs to sell RHEL and RHEL customers need more features. In addition, this means that the Fedora Core Linux project will be around for a long time to come.
Xen will bring unprecedented security and stability to “enterprise linux” in general.
Most everyone will agree that a machine with 0 running services is very difficult to hack and unless some obscure exploit is found in the kernel TCP/IP stack it’s very difficult. If the core operating system (ring 0 I believe in Xen talk) has no running services and the only open ports are from Xen guests, the server will be much less vulnerable to attack. If a Xen client is hacked, it’s easy to delete and create a new guest with a stripped down Linux install.
Redhat even plans on using SELinux to enforce controls limiting data that can pass between the different Xen instances on one machine. I know that Sun plans on integrating the older code from Trusted Solaris into OpenSolaris eventually, but I wonder how it will compare to SELinux + Xen in the future?