On Thu, Jun 4, 2009 at 5:00 PM, <[email protected]> wrote:
> Ok, what is Your opinion on qemu guest - does it offer more
> protection/guarantee?

The differences are in how much is virtualised. Vserver does very little virtualisation and focuses on isolation. There is no virtual cpu, virtual network device or any such thing, and the virtual host doesn't boot its own kernel. Processes running in one security context cannot see processes running in another. You cannot modify network interfaces and you cannot mount file systems. You cannot even use mknod (unless you override it to allow this), because access to mknod would allow me to, for example, create /dev/sda and just read in the entire thing, thereby accessing the host.

Qemu, VirtualBox and VMWare are on the other end of the scale. They virtualise the cpu, video, network and disk hardware, and you boot a kernel on them.

On the question of security, the options with more virtualisation should be safer, but vserver has a performance edge, see this:

http://www.playingwithwire.com/2009/06/virtual-failure-yippiemove-switches-from-vmware-to-freebsd-jails/

On vserver, the danger lies in the attacker finding a way to break through to the host. On the virtualised options, the danger lies in the attacker finding a way to trick the process into overwriting some kind of memory/file it shouldn't, much like any other process. Because vmware, virtualbox and qemu usually have kernel modules to improve performance, these possibilities exist at least in theory.

If you push me for an answer, I'll say qemu, virtualbox and/or vmware should be safer, but in practice I will likely choose vserver because there is way less complexity involved and much better performance.
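
The three restrictions named in the message above (network interfaces, mounting, mknod) each correspond to a Linux capability. The following is an added example, not part of the original message: it audits the capability bounding set of a guest process, assuming the isolation is enforced by dropping capabilities and is visible in the CapBnd line of /proc/<pid>/status. The status texts and function names are constructed for illustration.

```python
import re

# Bit numbers from linux/capability.h, paired with the restriction
# from the message that each capability would lift if present.
RISKY_CAPS = {
    12: ("CAP_NET_ADMIN", "modify network interfaces"),
    21: ("CAP_SYS_ADMIN", "mount file systems"),
    27: ("CAP_MKNOD", "create device nodes such as /dev/sda"),
}


def bounding_set(status_text):
    """Return the CapBnd mask from the text of a /proc/<pid>/status file."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)


def risky_caps(status_text):
    """List (name, effect) for each risky capability left in the bounding set."""
    mask = bounding_set(status_text)
    return [RISKY_CAPS[bit] for bit in sorted(RISKY_CAPS) if mask & (1 << bit)]


# Constructed sample inputs (not captured from a real system).
HOST_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapBnd:\tffffffffffffffff\n"
# Guest with bits 12, 21 and 27 cleared.
GUEST_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapBnd:\t00000000f7dfefff\n"
# Guest where mknod was overridden to be allowed (bit 27 set again).
GUEST_MKNOD_STATUS = "Name:\tbash\nCapBnd:\t00000000ffdfefff\n"

if __name__ == "__main__":
    samples = [("host", HOST_STATUS), ("guest", GUEST_STATUS),
               ("guest with mknod override", GUEST_MKNOD_STATUS)]
    for label, text in samples:
        found = risky_caps(text)
        if not found:
            print(f"{label}: no risky capabilities in bounding set")
        for name, effect in found:
            print(f"{label}: {name} present, process may {effect}")
```

On a live system, pass the contents of /proc/<pid>/status for a process inside the guest to risky_caps().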

