Re: [Vserver] Hosts and Guests and NTP; oh my.

From: Corey Wright <undefined_at_pobox.com>
Date: Wed 04 Jul 2007 - 05:33:35 BST
Message-Id: <20070703233335.e3a85aa5.undefined@pobox.com>

On Tue, 03 Jul 2007 17:29:34 -0700
"Roderick A. Anderson" <raanders@acm.org> wrote:

> Chuck wrote:
> > On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote:
> >> I'm pretty sure a guest normally can't change the system clock
> >> so I plan on having the host run ntpd for setting the "system" time
> >> and the guest provide the service to the network.
> >>
> >> Is this a disaster waiting to happen? Are there any other/better ways
> >> to do this?
> >
> > we run several time servers and to be honest i wouldn't even consider
> > making a vserver guest a time server. let the host do it all. it takes
> > literally no resources and is easy to configure. our 3 host machines
> > each is a time server as well, offering ntp service to different
> > portions of our networks.
> >
> > the time spent in massaging configurations to allow a vserver to serve
> > time, if it can even be done properly, is better spent in having a
> > nice dinner :)
> >
> > i have found vservers answer 99.9999% of my needs, but ntp is one
> > service i would not even consider for virtualizing.
> >
> > my 2 cents anyway :)
>
> A very excellent two penny's worth. The plan developed before I
> remembered there might be an issue. Not wanting to admit to others at
> work it might not be so great I forged on. Thanks for the clue-stick.

see Novell's AppArmor (though they got it when they bought some
security-focused linux distribution whose name i can't currently remember
and am too lazy too look up ;-). it allows SELinux like MAC (mandatory
access control), but better suited to securing particular applications
instead of the overhead/hassle of the entire system.

there are already policy files/descriptions/configurations for several
applications distributed with AppArmor, one of them being NTPd, but they
usually end up being distro specific, but it's easy to create your own by
running NTPd under the control of a monitor (actually it creates a warn-all
policy that logs all exercised permissions to syslog) and when finished the
monitor asks you what permissions to allow based on the permissions NTPd
exercised while being monitored.

there's even a recorded video presentation of it from the 2006 FOSDEM (see
FOSDEM website).

this is what i'm about to implement (done all the preliminary research and
tried it on qemu as ubuntu already has packages, but i need to rebuild/port
it to debian) for services (NTP, SNMP) that require too many capabilities
to securely contain with Vserver in a guest and are easier to restrain with
AppArmor.

corey

-- 
undefined@pobox.com
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Wed Jul 4 05:56:08 2007
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 04 Jul 2007 - 05:56:10 BST by hypermail 2.1.8