Can I run obsd as a xen guest?
http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest The internet: you're doing it wrong.
Hello all! (I'm a very new OpenBSD user (tested only on Qemu, but would like to put OpenBSD in production).) And I just want to say that I had the same question a couple a days ago: <<Is it really possible (as in tried in a quasi-production environment) to run OpenBSD as a Xen domU? And if so are there some guidelines, documentation, etc.? If not is there any disponibility to implement such a feature?>> I've searched a little on the net and I've reached to the following two possibilities: * Yes but under Xen with HVM support, with the drawback of (greater) CPU overhead and with some networking problems; * And also yes as direct DomU, but based on the work of <<Christoph Egger>> but which is not available on the net anymore; * any other options??? (anyone???) So I bet that the initial poster expected an (authoritative) answer that should have came in the form of an advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not found a good enough answer (as in authoritative)...) Sorry, Ciprian.
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun <email@example.com> wrote: When both of his questions were, verbatim: OpenBSD as Dom0: Is it possible? and Can I run obsd as a xen guest? it's unclear to me, since he's unwilling to document what he's found in order to help others to help him, whether or not he's willing to do the work required in finding those answers to begin with.
On Tue, 12 Jan 2010 10:41:15 +0200 "Ciprian Dorin, Craciun" You are missing the point. Virtualization has been discussed to death for *YEARS* and all of it is in the misc@ list archives. Here's the short version of those years of discussion: 1.) Since you can't trust the skill of most developers to write a perfectly secure operating systems, trusting them to write a perfectly secure software emulation of hardware is insane. 2.) If systems and application software runs fine on real hardware, but fails to run on emulated/virtualized hardware, then the problem is in the virtualization software. --In other words, take questions and complaints to the vendor of your virtualization software. 3.) Many of the benefits you gain by running a stable and secure operating system like OpenBSD are lost when you run it as a "guest" on top of some other insecure "host" operating system. 4.) Most Virtualization Software fails to emulate hardware perfectly. 5.) Most Virtualization Software expects the "host" operating system to have specific features, and hence, it's not easily portable, or it is not portable at all. 6.) Most Virtualization Software wants to use fancy hardware features and/or have direct access to hardware. If your vitualization software is by-passing the restrictions enforced by the "host" operating system, then the "host" operating systems is not able to do it's job. Virtualization can be very useful in certain situations, yet you not only need to fully understand and accept the implications and risks of virtualization, but *you* also need to test it in *your* environment to determine if it meets *your* requirements. Anything less is irrelevant! If you're too lazy to do the weeks or months of research work on your own, then you really should not use virtualization. Unfortunately, most people just believe the constant bullshit from the virtualization vendors, or ask irrelevant questions on various mailing lists. Lastly, Bret Lambert is one of the OpenBSD ...
On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts <firstname.lastname@example.org> Sorry, but you guys from OpenBSD have proved that you <<can trust the skills of **some** developers to write an __supposed__ perfectly secure operating system>>, so why not trust other developers to write a __supposed__ secure software emulation with the help of hardware. (Let me say it more simply: we have trust in you, but why don't you Agree. This is the same as with software: if software runs perfectly on one version of OpenBSD, but not on another it does not mean that its the fault of the new version. (But Xen is not all about emulation, it cooperates with the guest kernel, so in this case the This is only true if either: * there is a security bug in the virtualization software (highly improbable, and maybe easibly fixed); * you let the host operating system front the Internet; (but you could just filter out all the traffic from the exterior to the host, (Again we are not speaking of emulation, we are speaking of No, (in general) the requirement of virtualization is not to One important use of virtualization software (like Xen for example), is to allow experimentation. For example I don't have 4 pieces of hardware to be able to also host a Linux server (for personal stuff), experiment with OpenBSD or Plan9, and also give one of my friends a small VPN and download host. So I use Xen and turn one computer into many. (As you see it's not the security aspect I'm interested but the consolidation aspect...) (Yes very lame I know, but Thanks for the time and the responses, Ciprian.
How did "lazy internet denizen gets told he's lazy" turn into anything worth spending this much time on?
I would like to personally apologize for criticizing you, Bret, of "lmgtfy" the other guy (which I didn't knew he also posted another question about OpenBSD and dom0, and he was also responded). But I wouldn't say that the discussion has turned into something "not-worth" discussing. I myself have learned a lot about the position of the OpenBSD developers regarding the possibility of ever using OpenBSD ontop of virtualization (not emulation) platforms (like Xen). (I had my hopes, but not any more... :) ) Thanks again for all the time and effort spent, Ciprian. P.S.: Maybe an entry in the FAQ about this topic will cut down all these questions about virtualization?
Virtualization is a toy sold as an enterprise solution. The argument goes like this: you need a domain controller and sequel server so you need 2 machines. So instead of paying for 2 machines you virtualize them!!!!! OMGZOMG!!!!11111ONe What Mr. dingle berry insultant forgets to point out is that both tasks will run like ass in a virtualized environment AND can be easily combined on the same box. Usually lost in the same conversation is that you need both machines to be up at the same time too to be useful. I have seen people virtualize a file server and domain controller on a single machine. Which is awesome because now you get free >30% loss of IO performance. You know it keeps bandwidth use lower and latency higher. Exactly what lusers like. Virtualization is great to develop kernel code and get an idea if it'd work before moving on to real hardware (and fixing real bugs on real hardware because virtualization failed to run right). I like to play with old OS' as well so its neat for that but usually What's next? Pokemon on OpenBSD FAQ entry?
Oh, try what a medium sized educational institution not too far from here did: put several file servers on the same physical rig (sharing one gigabit ethernet interface), then start whining when backups to $elsewhere don't complete overhight. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd: 22.214.171.124: disconnected after 42673 seconds.
Of course it didn't! What they should have done was put the backup server on the same VM!!! Problem solved! -- Sent from my mobile device http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Chuckle, try to troubleshoot a network issue when it is in a virtual network. Lots of fun, not. diana
Better yet, get told by management NOT to troubleshoot but let the outsourcers do it. While your whole hospital is down for 7 hours. Not that that would really happen. .... Ken
Ah, but the dingle berry insultant was probably brought in because management finally listened when they were told 1) The machines with the most compute power and memory are nearly completely idle file and backup servers. 2) The key compute heavy apps are running on 7 year old hardware for which replacement parts are becoming nearly non-existant. So the insultant picks the virtualization topology best suited We intentionally did this for an environment for application developers It also works rather well testlabs for software applications. Faster reinstall turnarounds. Smaller budget required for chairs and displays and KVM switches and work surfaces. Higher homicide rates as 5 app developers pile into a cube that isn't large enough for one person all looking at one tiny display for a problem involving 6 different virtual machines and start accusing each other loudly (Previously I find that it's useful to validating procedures before applied to production and for working out a load balanced configuration. -- Chris Dukes
i owuld pee my pants (or maybe bob's instead) laughing if it wasn't so sad. it is this mindset that gets this industry in shit every other day. -- Henning Brauer, email@example.com, firstname.lastname@example.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
On Wed, 13 Jan 2010 08:31 +0200, "Ciprian Dorin, Craciun" Very few have demonstrated that they can be trusted. BTW, *any* virtualization software written for i386 is always going to have the potential for compromise because of the inherent flaws Wrong. If it works on real hardware and fails in virtualization BWAAAAHAHHAHAHAHAHH. Have you ever actually worked with any virtualization software? There have been many documented security bugs in every virtualization software. This is actually very true. But you need to be very aware of where it does and where it doesn't.
How did "you guys... have proved that you can trust the skills" turn into "we can trust virtualization developers". Since when have the I think he's thinking of para virtualization, which open bsd doesn't do, I just finished sans 560 pen testing class. We had some discussions about day 0 exploits of guest->host bugs. "Highly improbably" should be changed to "it's out there" -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
viz., precisely those developers that are telling you to not trust These developers have _earned_ (through careful hard work and meticulously accurate documentation) the trust accorded them. With respect to the others, this remains to be seen (and current indications are not promising).
On Wed, Jan 13, 2010 at 1:31 AM, Ciprian Dorin, Craciun A lot of OpenBSD's security comes from a model of "bad things can and will happen" and trying to mitigate the damage, ala privilege separation. We don't assume the code is perfect, we assume it's NOT. Combining virtual servers onto a single physical machine is the exact opposite of that philosophy.
http://taviso.decsystem.org/virtsec.pdf "No virtual machine tested was robust enough to withstand the testing procedure used, and multiple exploitable flaws were presented that could allow an attacker restricted to a virtualised environment to reliably escape onto the host system." http://www.vmware.com/security/advisories/VMSA-2009-0006.html "A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host." http://www.vmware.com/security/advisories/VMSA-2008-0019.html "A memory corruption condition may occur in the virtual machine hardware. A malicious request sent from the guest operating system to the virtual hardware may cause the virtual hardware to write to uncontrolled physical memory." Shane
If you are looking at OpenBSD in a production environment as a firewall, ssl accelerator, or for protection from OS privilege escalation when someone else finds and uses an exploit in your apps, run it on bare metal. If you are looking at virtualization to maximize hardware utilization, look at the operating systems officially supported by the virtualization software you choose. If you are looking at Xen for virtualization because paravirtualization might give a lower impact on performance, I would suggest checking the performance impact between paravirtualization and VT extension assisted virtualization on real workloads. But look on the bright side... odds are whatever you are trying to do is probably so full of holes at the application layer even with all of OpenBSD's protections you'll still get sufficiently maliciously pwned through several application exploits. -- Chris Dukes
under 'full' virtualisation, yes. under para-virtualisation, no. -- Michiel van Baak email@example.com http://michiel.vanbaak.eu GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD "Why is it drug addicts and computer aficionados are both called users?"
|David Howells||[PATCH] KEYS: Use the variable 'key' in keyctl_describe_key()|
|Dave Jones||Re: OT: character encodings (was: Linux 2.6.20-rc4)|
|Greg Kroah-Hartman||[PATCH 17/36] sysdev: detect multiple driver registrations|
|Sam Ravnborg||Re: [PATCH] kbuild: fix make V=1|
|Nick Piggin||Re: [PATCH 0/24] make atomic_read() behave consistently across all architectures|
|Stephen R. van den Berg||Re: [RFC] origin link for cherry-pick and revert|
|Junio C Hamano||Re: [PATCH 1/2] Teach git-describe to display distances from tags.|
|Johannes Schindelin||Re: [PATCH 2/2] git-svn: support fetch with autocrlf on|
|Junio C Hamano||Re: [PATCH 6/6] Teach core object handling functions about gitlinks|
|Michael S. Tsirkin||git-kill: rewrite history removing a commit|
|Jarek Poplawski||Re: [PATCH] flush_work_sync vs. flush_scheduled_work Re: [PATCH] PHYLIB: IRQ event...|
|Lennert Buytenhek||Re: Distributed Switch Architecture(DSA)|
|Daniel Schaffrath||Re: tcp bw in 2.6|
|Matt Mackall||Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference|
|Guo-Fu Tseng||Re: jme: UDP checksum error, and lots of them|
|Claudio Jeker||Re: Vlan Tag on Vlan Tag (l2tunneling)|
|Josh Grosse||ssh/sshd challenge-response seems to have stopped working in -current|
|Pieter Verberne||File collision while using pkg_add|
|Tomas Bodzar||bsd: uvm_mapent_alloc: out of static map entries|
|Community First Financial||Teacher A+ Loan|
|Linux Kernel Mailing List||ath9k: Added get_survey callback in order to get channel noise|
|Linux Kernel Mailing List||tracing: protect reader of cmdline output|
|Linux Kernel Mailing List||kconfig: recalc symbol value before showing search results|
|Linux Kernel Mailing List||KVM: VMX: Clear CR4.VMXE in hardware_disable|
|Linux Kernel Mailing List||USB: set correct configuration in probe of ti_usb_3410_5052|