Mailing List Archive

Re: Mini Gentoo in VMWare
>> Basically what I want to do is create a series of VERY tiny VMs that
>> are all independent of each other, which provide one service. For
>> instance, I might put apache on one VM, and tomcat on another, and so
>> on. Obviously, I would want their memory usage to be absolutely
>> minimized, seeing that I would like to run them all on one computer.
>> I would probably provide them 64M-128M of RAM each, for their specific
>> service. Perhaps a little more if really required.

Lots of interest in VMs lately - Is this to increase security (isolating
servers and components in case one is compromised)? Or perhaps you are
isolating components for the purpose of evaluating them?

<snip>

> Nick[1] made a post about minimizing Gentoo a while back.
> But that topic was mainly about the disk usage.
> I suppose you would benefit from a system that uses the -Os flag to

<snip>

> But do you think vmware is fit for such a task?
> vmware is a big strain on resources itself.
> You might want to have a look at xen[2] instead.
>
> [1] http://thread.gmane.org/gmane.linux.gentoo.user/160899/focus=160903
> [2] http://www.xensource.com/xen/xen/index.html

Presuming that one is seeking greater security, how does xen compare with
vmware in that regard?

Would a server in a VM actually be more secure than a server in a
"hardened" chroot jail?

(though I'd guess that a hardened system would be the best basis for a
server, VM or chroot; and the logical placement of a VM would be within a
chroot jail?).

TIA


--
gentoo-security@gentoo.org mailing list
Re: Re: Mini Gentoo in VMWare
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> <snip>
>
>> Nick[1] made a post about minimizing Gentoo a while back.
>> But that topic was mainly about the disk usage.
>> I suppose you would benefit from a system that uses the -Os flag to
Another useful approach is to use a custom disk image with just busybox
+ the software to run/test.

> Would a server in a VM actually be more secure than a server in a
> "hardened" chroot jail?
IMO yes, but since you can have both...

> (though I'd guess that a hardened system would be the best basis for a
> server, VM or chroot; and the logical placement of a VM would be within
> a chroot jail?).
A properly configured VM running in a hardened chroot is going to be
(almost) impossible to escape.

Note you can also contain your VMs with SELinux (both inside and out).
I've posted some pages on how to do this with UML here:
http://uml.nagafix.co.uk/SELinux/

Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFS3pBrTBrLRG7eDcRAhCcAKCD/WOug/w7B+GN8TsmABB5UQA0LQCeOG04
MEZwfrAf9Ie/1WXWsU5gfeg=
=VVh9
-----END PGP SIGNATURE-----
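As an added illustration of what a "hardened" chroot jail means in practice (example code written for this archive page, not something posted in the thread and not from the UML/SELinux pages Antoine links), the script below audits a jail directory for the things that turn a chroot from a containment boundary into a speed bump: setuid/setgid binaries, stray device nodes, world-writable directories, symlinks that dangle once the root is moved, and a procfs left mounted inside. It assumes, as a hypothetical policy, that the jailed service needs only /dev/null, /dev/zero, /dev/random and /dev/urandom and no setuid or setgid binaries at all; widen the allow-list in check_devices if a service genuinely needs more.

```shell
#!/bin/sh
# Audit a chroot jail directory for common weaknesses.
# Example code added for this archive page; it is not from the thread.
# Hypothetical policy assumed here: the jailed service needs only the four
# device nodes allow-listed in check_devices and no setuid/setgid binaries.

# setuid/setgid files are the usual step from "service user inside the jail"
# to "root inside the jail", and root inside a plain chroot can leave it.
check_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        printf 'setuid/setgid binary: %s\n' "$f"
    done
    return 0
}

# Device nodes beyond the allow-list: a /dev/sda or /dev/mem inside the jail
# hands the service the host's disks or memory regardless of the chroot.
check_devices() {
    find "$1" \( -type c -o -type b \) | while IFS= read -r dev; do
        case "${dev#"$1"}" in
            /dev/null|/dev/zero|/dev/random|/dev/urandom) ;;
            *) printf 'unexpected device node: %s\n' "$dev" ;;
        esac
    done
    return 0
}

# World-writable directories without the sticky bit let any uid in the jail
# plant or replace files that another part of the service will trust.
check_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 | while IFS= read -r d; do
        printf 'world-writable dir without sticky bit: %s\n' "$d"
    done
    return 0
}

# After chroot an absolute symlink target resolves inside the jail, so
# /lib/libfoo.so -> /usr/lib/libfoo.so only works if the jail contains
# usr/lib/libfoo.so. A dangling link usually means a copy was forgotten.
check_symlinks() {
    find "$1" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) resolved="$1$target" ;;
            *)  resolved="$(dirname "$link")/$target" ;;
        esac
        [ -e "$resolved" ] ||
            printf 'symlink target missing inside jail: %s -> %s\n' "$link" "$target"
    done
    return 0
}

# A procfs mounted inside the jail exposes host process and mount details
# to whatever runs there.
check_procfs() {
    [ -d "$1/proc/self" ] && printf 'procfs mounted inside jail: %s/proc\n' "$1"
    return 0
}

# audit_chroot DIR: print every finding, return the number of findings as
# the exit status (0 = clean; capped at 254 so it stays a valid status).
audit_chroot() {
    jail=${1%/}
    if [ ! -d "$jail" ]; then
        echo "audit_chroot: no such directory: $jail" >&2
        return 255
    fi
    report=$(
        check_setuid "$jail"
        check_devices "$jail"
        check_world_writable "$jail"
        check_symlinks "$jail"
        check_procfs "$jail"
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    n=$(( $(printf '%s\n' "$report" | wc -l) ))
    if [ "$n" -gt 254 ]; then n=254; fi
    return "$n"
}

# Direct use: sh audit_chroot.sh /srv/jails/apache
if [ "$#" -eq 1 ]; then
    audit_chroot "$1"
fi
```

audit_chroot prints one line per finding and returns the number of findings as its exit status, so a provisioning script can refuse to start the service on anything but 0. It is a check on the jail's contents, not a proof of containment: a process that reaches uid 0 inside a plain chroot can still leave it, which is why the thread pairs the chroot with a VM and with SELinux rather than relying on it alone.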
Re: [gentoo-hardened] Re: Re: Mini Gentoo in VMWare
Running a chroot-jailed service in a chroot-jailed VM... cool xD

It's kind of redundant, but I don't know if it's worth it.

On 11/3/06, Antoine Martin <antoine@nagafix.co.uk> wrote:
> > <snip>
> >
> >> Nick[1] made a post about minimizing Gentoo a while back.
> >> But that topic was mainly about the disk usage.
> >> I suppose you would benefit from a system that uses the -Os flag to
> Another useful approach is to use a custom disk image with just busybox
> + the software to run/test.
>
> > Would a server in a VM actually be more secure than a server in a
> > "hardened" chroot jail?
> IMO yes, but since you can have both...
>
> > (though I'd guess that a hardened system would be the best basis for a
> > server, VM or chroot; and the logical placement of a VM would be within
> > a chroot jail?).
> A properly configured VM running in a hardened chroot is going to be
> (almost) impossible to escape.
>
> Note you can also contain your VMs with SELinux (both inside and out).
> I've posted some pages on how to do this with UML here:
> http://uml.nagafix.co.uk/SELinux/
>
> Antoine
Re: Re: Mini Gentoo in VMWare
> Basically what I want to do is create a series of VERY tiny VMs that
> are all independent of each other, which provide one service.  For
> instance, I might put apache on one VM, and tomcat on another, and
> so on.  Obviously, I would want their memory usage to be absolutely
> minimized, seeing that I would like to run them all on one computer.
> I would probably provide them 64M-128M of RAM each, for their
> specific service.  Perhaps a little more if really required.

Take a look at the Gentoo Network Appliance Project. It can easily run in
64MB of RAM for most tasks. You can customize the image to take out
services you don't need. This has the added advantage of letting you
maintain the configurations in a way that makes for easy provisioning of
a new service/VM.

Regards,

- Brian

Re: Re: Mini Gentoo in VMWare
--On November 3, 2006 12:04:33 PM -0500 7v5w7go9ub0o
<7v5w7go9ub0o@gmail.com> wrote:

>
> Lots of interest in VMs lately - Is this to increase security (isolating
> servers and components in case one is compromised)? Or perhaps you are
> isolating components for the purpose of evaluating them?

There are additional benefits, mainly for enterprise use, such as being
able to move the virtual server to a new box in case of failure of the
first box. This is much cheaper than maintaining an identically configured
second box. VMWare's high-end (not free) product can do this automatically
if partnered with a SAN. Using SAN technology the second box could even be
off-site, providing a virtually instant disaster recovery plan (just not a
cheap one.)

You could even save the cost of a redundant box by using Amazon's Elastic
Compute Cloud as your redundancy. Keep a copy of the image on Amazon S3,
then fire up the image if the main one goes down. Might be a bit slower,
but that beats being down.

Also, snapshot technology is getting pretty cool, where you can take a
snapshot, upgrade a virtual box, and if the upgrade fails just roll back to
the snapshot. Beats a backup/restore cycle by a mile.
