Re: obsd as domU?

2010-05-20 Thread Kenneth R Westerback
On Wed, Jan 13, 2010 at 10:10:16AM -0700, Diana Eichert wrote:
 Chuckle, try to troubleshoot a network issue when it is in a
 virtual network.  Lots of fun, not.
 
 diana

Better yet, get told by management NOT to troubleshoot but let the
outsourcers do it. While your whole hospital is down for 7 hours.

Not that that would really happen.

 Ken



Re: obsd as domU?

2010-01-18 Thread SJP Lists
2010/1/13 Ciprian Dorin, Craciun ciprian.crac...@gmail.com:

 3.) Many of the benefits you gain by running a stable and secure
 operating system like OpenBSD are lost when you run it as a guest on
 top of some other insecure host operating system.

This is only true if either:
* there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

http://taviso.decsystem.org/virtsec.pdf

No virtual machine tested was robust enough to withstand the testing
procedure used, and multiple exploitable flaws were presented that
could allow an attacker restricted to a virtualised environment to
reliably escape onto the host system.


http://www.vmware.com/security/advisories/VMSA-2009-0006.html

A critical vulnerability in the virtual machine display function
might allow a guest operating system to run code on the host.


http://www.vmware.com/security/advisories/VMSA-2008-0019.html

A memory corruption condition may occur in the virtual machine
hardware. A malicious request sent from the guest operating system to
the virtual hardware may cause the virtual hardware to write to
uncontrolled physical memory.


Shane



Re: obsd as domU?

2010-01-13 Thread bofh
On Wed, Jan 13, 2010 at 2:08 AM, Eric Furman ericfur...@fastmail.net wrote:
 On Wed, 13 Jan 2010 08:31 +0200, Ciprian Dorin, Craciun
 ciprian.crac...@gmail.com wrote:

 Sorry, but you guys from OpenBSD have proved that you can trust
 the skills of **some** developers to write an __supposed__ perfectly
 secure operating system, so why not trust other developers to write
 a __supposed__ secure software emulation with the help of hardware.
 (Let me say it more simply: we have trust in you, but why don't you
 have the disposition to trust in others?)

How did "you guys... have proved that you can trust the skills" turn
into "we can trust virtualization developers"?  Since when have the
virtualization developers demonstrated that trust?

  2.) If systems and application software runs fine on real hardware, but
  fails to run on emulated/virtualized hardware, then the problem is in
  the virtualization software. --In other words, take questions and
  complaints to the vendor of your virtualization software.

 Agree. This is the same as with software: if software runs
 perfectly on one version of OpenBSD, but not on another it does not
 mean that it's the fault of the new version. (But Xen is not all about
 emulation, it cooperates with the guest kernel, so in this case the
 blame could be on both sides.)

 Wrong. If it works on real hardware and fails in virtualization
 the virtualization software is *always* to blame.

I think he's thinking of paravirtualization, which OpenBSD doesn't do,
iirc.

  3.) Many of the benefits you gain by running a stable and secure
  operating system like OpenBSD are lost when you run it as a guest on
  top of some other insecure host operating system.

 This is only true if either:
 * there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

 BWHAHHAHAHAHAHH. Have you ever actually worked with any
 virtualization software?
 There have been many documented security bugs in every virtualization
 software.
 Try Securityfocus or your favorite search engine.

I just finished SANS 560 pen testing class.  We had some discussions
about day 0 exploits of guest-host bugs.  "Highly improbable" should
be changed to "it's out there".


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: obsd as domU?

2010-01-13 Thread William Boshuck
On Wed, Jan 13, 2010 at 08:31:14AM +0200, Ciprian Dorin, Craciun wrote:

  Sorry, but you guys from OpenBSD have proved that you can trust
 the skills of **some** developers

viz., precisely those developers that are telling you to not trust
the virtualization hype/crap.  So, why not trust those developers?

 .. we have trust in you, but why don't you  have the disposition
  to trust in others?)

These developers have _earned_ (through careful hard work and
meticulously accurate documentation) the trust accorded them.
With respect to the others, this remains to be seen (and current
indications are not promising).



Re: obsd as domU?

2010-01-13 Thread Marco Peereboom
On Wed, Jan 13, 2010 at 08:55:33AM +0200, Ciprian Dorin, Craciun wrote:
 On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert bret.lamb...@gmail.com 
 wrote:
  How did "lazy internet denizen gets told he's lazy" turn into
  anything worth spending this much time on?
 
 I would like to personally apologize for criticizing you, Bret, for
 lmgtfy-ing the other guy (I didn't know he had also posted another
 question about OpenBSD and dom0, and had also been answered).
 
 But I wouldn't say that the discussion has turned into something
 not-worth discussing. I myself have learned a lot about the position
 of the OpenBSD developers regarding the possibility of ever using
 OpenBSD on top of virtualization (not emulation) platforms (like Xen).
 (I had my hopes, but not any more... :) )

Virtualization is a toy sold as an enterprise solution.  The argument
goes like this: you need a domain controller and sequel server so you
need 2 machines.  So instead of paying for 2 machines you virtualize
them! OMGZOMG1ONe

What Mr. dingle berry insultant forgets to point out is that both tasks
will run like ass in a virtualized environment AND can be easily
combined on the same box.  Usually lost in the same conversation is
that you need both machines to be up at the same time too to be useful.

I have seen people virtualize a file server and domain controller on a
single machine.  Which is awesome because now you get free 30% loss of
IO performance. You know it keeps bandwidth use lower and latency
higher.  Exactly what lusers like.

Virtualization is great to develop kernel code and get an idea if it'd
work before moving on to real hardware (and fixing real bugs on real
hardware because virtualization failed to run right).

I like to play with old OS' as well so it's neat for that but usually
doesn't work.  This really is in the toy section though.

 Thanks again for all the time and effort spent,
 Ciprian.
 
 P.S.: Maybe an entry in the FAQ about this topic will cut down all
 these questions about virtualization?

What's next?  Pokemon on OpenBSD FAQ entry?



Re: obsd as domU?

2010-01-13 Thread Peter N. M. Hansteen
Marco Peereboom sl...@peereboom.us writes:

 I have seen people virtualize a file server and domain controller on a
 single machine.  Which is awesome because now you get free 30% loss of
 IO performance. You know it keeps bandwidth use lower and latency
 higher.  Exactly what lusers like.

Oh, try what a medium sized educational institution not too far from
here did: put several file servers on the same physical rig (sharing
one gigabit ethernet interface), then start whining when backups to
$elsewhere don't complete overnight.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: obsd as domU?

2010-01-13 Thread bofh
Of course it didn't!  What they should have done was put the backup
server on the same VM!!!  Problem solved!

On 1/13/10, Peter N. M. Hansteen pe...@bsdly.net wrote:
 Marco Peereboom sl...@peereboom.us writes:

 I have seen people virtualize a file server and domain controller on a
 single machine.  Which is awesome because now you get free 30% loss of
 IO performance. You know it keeps bandwidth use lower and latency
 higher.  Exactly what lusers like.

 Oh, try what a medium sized educational institution not too far from
 here did: put several file servers on the same physical rig (sharing
 one gigabit ethernet interface), then start whining when backups to
 $elsewhere don't complete overnight.

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.






Re: obsd as domU?

2010-01-13 Thread Chris Dukes
On Tue, Jan 12, 2010 at 10:41:15AM +0200, Ciprian Dorin, Craciun wrote:
 * any other options??? (anyone???)

If you are looking at OpenBSD in a production environment as
a firewall, ssl accelerator, or for protection from OS privilege
escalation when someone else finds and uses an exploit in your apps,
run it on bare metal.

If you are looking at virtualization to maximize hardware utilization,
look at the operating systems officially supported by the virtualization
software you choose.

If you are looking at Xen for virtualization because paravirtualization
might give a lower impact on performance, I would suggest checking
the performance impact between paravirtualization and VT extension
assisted virtualization on real workloads.

But look on the bright side... odds are whatever you are trying to
do is probably so full of holes at the application layer even with
all of OpenBSD's protections you'll still get sufficiently maliciously
pwned through several application exploits.
-- 
Chris Dukes



Re: obsd as domU?

2010-01-13 Thread Chris Dukes
On Wed, Jan 13, 2010 at 07:54:46AM -0600, Marco Peereboom wrote:
 
 Virtualization is a toy sold as an enterprise solution.  The argument
 goes like this: you need a domain controller and sequel server so you
 need 2 machines.  So instead of paying for 2 machines you virtualize
 them! OMGZOMG1ONe
 
 What Mr. dingle berry insultant forgets to point out is that both tasks
 will run like ass in a virtualized environment AND can be easily
 combined on the same box.  Usually lost in the same conversation is
 that you need both machines to be up at the same time too to be useful.

Ah, but the dingle berry insultant was probably brought in because
management finally listened when they were told
1) The machines with the most compute power and memory are 
nearly completely idle file and backup servers.
2) The key compute heavy apps are running on 7 year old hardware
for which replacement parts are becoming nearly nonexistent.
So the insultant picks the virtualization topology best suited
to bring a second insulting contract for performance detuning...
 
 I have seen people virtualize a file server and domain controller on a
 single machine.  Which is awesome because now you get free 30% loss of
 IO performance. You know it keeps bandwidth use lower and latency
 higher.  Exactly what lusers like.

We intentionally did this for an environment for application developers 
so they would find the performance issues with their applications sooner.

 
 Virtualization is great to develop kernel code and get an idea if it'd
 work before moving on to real hardware (and fixing real bugs on real
 hardware because virtualization failed to run right).

It also works rather well as testlabs for software applications.
Faster reinstall turnarounds.  Smaller budget required for chairs and 
displays and KVM switches and work surfaces.  Higher homicide rates as
5 app developers pile into a cube that isn't large enough for one
person all looking at one tiny display for a problem involving 6 different
virtual machines and start accusing each other loudly (Previously
they had enough space to run and scatter).
 
 I like to play with old OS' as well so it's neat for that but usually
 doesn't work.  This really is in the toy section though.

I find that it's useful for validating procedures before they are applied to
production and for working out a load balanced configuration.
-- 
Chris Dukes



Re: obsd as domU?

2010-01-13 Thread Diana Eichert

Chuckle, try to troubleshoot a network issue when it is in a
virtual network.  Lots of fun, not.

diana



Re: obsd as domU?

2010-01-13 Thread Ted Unangst
On Wed, Jan 13, 2010 at 1:31 AM, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:
Sorry, but you guys from OpenBSD have proved that you can trust
 the skills of **some** developers to write an __supposed__ perfectly
 secure operating system, so why not trust other developers to write
 a __supposed__ secure software emulation with the help of hardware.
 (Let me say it more simply: we have trust in you, but why don't you
 have the disposition to trust in others?)

A lot of OpenBSD's security comes from a model of bad things can and
will happen and trying to mitigate the damage, ala privilege
separation.  We don't assume the code is perfect, we assume it's NOT.
Combining virtual servers onto a single physical machine is the exact
opposite of that philosophy.



obsd as domU?

2010-01-12 Thread Vadkan Jozsef
Can I run obsd as a xen guest?



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com wrote:
 Can I run obsd as a xen guest?



http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

The internet: you're doing it wrong.



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Tue, Jan 12, 2010 at 10:10 AM, Bret Lambert bret.lamb...@gmail.com wrote:
 On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com 
 wrote:
 Can I run obsd as a xen guest?



 http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

 The internet: you're doing it wrong.


Hello all! (I'm a very new OpenBSD user (tested only on Qemu, but
would like to put OpenBSD in production).)

And I just want to say that I had the same question a couple of
days ago: Is it really possible (as in tried in a quasi-production
environment) to run OpenBSD as a Xen domU? And if so are there some
guidelines, documentation, etc.? If not is there any disponibility to
implement such a feature?

I've searched a little on the net and I've reached to the
following two possibilities:
* Yes but under Xen with HVM support, with the drawback of
(greater) CPU overhead and with some networking problems;
* And also yes as direct DomU, but based on the work of
Christoph Egger but which is not available on the net anymore;
* any other options??? (anyone???)

   So I bet that the initial poster expected an (authoritative) answer
that should have come in the form of advice based on experience or
at least something useful... (Not lmgtfy, which I'm sure he already
did, but did not find a good enough answer (as in authoritative)...)

Sorry,
Ciprian.



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:

[snipz0rz]

   So I bet that the initial poster expected an (authoritative) answer
 that should have come in the form of advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not find a good enough answer (as in authoritative)...)

When both of his questions were, verbatim:

OpenBSD as Dom0: Is it possible?

and

Can I run obsd as a xen guest?

it's unclear to me, since he's unwilling to document what he's
found in order to help others to help him, whether or not he's willing
to do the work required in finding those answers to begin with.



Re: obsd as domU?

2010-01-12 Thread Michiel van Baak
On 08:59, Tue 12 Jan 10, Vadkan Jozsef wrote:
 Can I run obsd as a xen guest?

under 'full' virtualisation, yes.
under para-virtualisation, no.

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



Re: obsd as domU?

2010-01-12 Thread J.C. Roberts
On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:

So I bet that the initial poster expected an (authoritative) answer
 that should have come in the form of advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not find a good enough answer (as in authoritative)...)

You are missing the point. Virtualization has been discussed to death
for *YEARS* and all of it is in the misc@ list archives.

Here's the short version of those years of discussion:

1.) Since you can't trust the skill of most developers to write a
perfectly secure operating system, trusting them to write a perfectly
secure software emulation of hardware is insane.

2.) If systems and application software runs fine on real hardware, but
fails to run on emulated/virtualized hardware, then the problem is in
the virtualization software. --In other words, take questions and
complaints to the vendor of your virtualization software.

3.) Many of the benefits you gain by running a stable and secure
operating system like OpenBSD are lost when you run it as a guest on
top of some other insecure host operating system.

4.) Most Virtualization Software fails to emulate hardware perfectly.

5.) Most Virtualization Software expects the host operating system to
have specific features, and hence, it's not easily portable, or it is
not portable at all.

6.) Most Virtualization Software wants to use fancy hardware features
and/or have direct access to hardware. If your virtualization software
is by-passing the restrictions enforced by the host operating system,
then the host operating system is not able to do its job.


Virtualization can be very useful in certain situations, yet you not
only need to fully understand and accept the implications and risks of
virtualization, but *you* also need to test it in *your* environment to
determine if it meets *your* requirements. Anything less is irrelevant!

If you're too lazy to do the weeks or months of research work on your
own, then you really should not use virtualization. Unfortunately, most
people just believe the constant bullshit from the virtualization
vendors, or ask irrelevant questions on various mailing lists.


Lastly, Bret Lambert is one of the OpenBSD developers, so you can
consider his lmgtfy reply as authoritative --He's humorously telling
you to do your own work. There is no other way.


-- 
J.C. Roberts



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org
wrote:
 On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
 ciprian.crac...@gmail.com wrote:

     So I bet that the initial poster expected an (authoritative) answer
 that should have come in the form of advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not find a good enough answer (as in authoritative)...)

 You are missing the point. Virtualization has been discussed to death
 for *YEARS* and all of it is in the misc@ list archives.

Sorry, didn't know... (I should have checked the mailing list...)


 Here's the short version of those years of discussion:

 1.) Since you can't trust the skill of most developers to write a
 perfectly secure operating system, trusting them to write a perfectly
 secure software emulation of hardware is insane.

Sorry, but you guys from OpenBSD have proved that you can trust
the skills of **some** developers to write an __supposed__ perfectly
secure operating system, so why not trust other developers to write
a __supposed__ secure software emulation with the help of hardware.
(Let me say it more simply: we have trust in you, but why don't you
have the disposition to trust in others?)


 2.) If systems and application software runs fine on real hardware, but
 fails to run on emulated/virtualized hardware, then the problem is in
 the virtualization software. --In other words, take questions and
 complaints to the vendor of your virtualization software.

Agree. This is the same as with software: if software runs
perfectly on one version of OpenBSD, but not on another it does not
mean that it's the fault of the new version. (But Xen is not all about
emulation, it cooperates with the guest kernel, so in this case the
blame could be on both sides.)


 3.) Many of the benefits you gain by running a stable and secure
 operating system like OpenBSD are lost when you run it as a guest on
 top of some other insecure host operating system.

This is only true if either:
* there is a security bug in the virtualization software (highly
improbable, and maybe easily fixed);
* you let the host operating system front the Internet; (but you
could just filter out all the traffic from the exterior to the host,
and use one of the guests (OpenBSD) as a gateway);


 4.) Most Virtualization Software fails to emulate hardware perfectly.

(Again we are not speaking of emulation, we are speaking of
cooperation between the hypervisor and the guest kernel.)


 5.) Most Virtualization Software expects the host operating system to
 have specific features, and hence, it's not easily portable, or it is
 not portable at all.

 6.) Most Virtualization Software wants to use fancy hardware features
 and/or have direct access to hardware. If your virtualization software
 is by-passing the restrictions enforced by the host operating system,
 then the host operating system is not able to do its job.

No, (in general) the requirement of virtualization is not to
bypass the restrictions imposed by OS to hardware.


 Virtualization can be very useful in certain situations, yet you not
 only need to fully understand and accept the implications and risks of
 virtualization, but *you* also need to test it in *your* environment to
 determine if it meets *your* requirements. Anything less is irrelevant!

One important use of virtualization software (like Xen for
example), is to allow experimentation. For example I don't have 4
pieces of hardware to be able to also host a Linux server (for
personal stuff), experiment with OpenBSD or Plan9, and also give one
of my friends a small VPN and download host. So I use Xen and turn one
computer into many. (As you see it's not the security aspect I'm
interested in but the consolidation aspect...) (Yes very lame I know, but
sometimes money does beat security...)


 If you're too lazy to do the weeks or months of research work on your
 own, then you really should not use virtualization. Unfortunately, most
 people just believe the constant bullshit from the virtualization
 vendors, or ask irrelevant questions on various mailing lists.

(I hope I've touched this subject above.)


 Lastly, Bret Lambert is one of the OpenBSD developers, so you can
 consider his lmgtfy reply as authoritative --He's humorously telling
 you to do your own work. There is no other way.
 --
 J.C. Roberts


Thanks for the time and the responses,
Ciprian.



Re: obsd as domU?

2010-01-12 Thread Bret S. Lambert
How did "lazy internet denizen gets told he's lazy" turn into
anything worth spending this much time on?



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert bret.lamb...@gmail.com wrote:
 How did "lazy internet denizen gets told he's lazy" turn into
 anything worth spending this much time on?

I would like to personally apologize for criticizing you, Bret, for
lmgtfy-ing the other guy (I didn't know he had also posted another
question about OpenBSD and dom0, and had also been answered).

But I wouldn't say that the discussion has turned into something
not-worth discussing. I myself have learned a lot about the position
of the OpenBSD developers regarding the possibility of ever using
OpenBSD on top of virtualization (not emulation) platforms (like Xen).
(I had my hopes, but not any more... :) )

Thanks again for all the time and effort spent,
Ciprian.

P.S.: Maybe an entry in the FAQ about this topic will cut down all
these questions about virtualization?



Re: obsd as domU?

2010-01-12 Thread Henning Brauer
* Ciprian Dorin, Craciun ciprian.crac...@gmail.com [2010-01-13 07:37]:
 This is only true if either:
 * there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

i would pee my pants (or maybe bob's instead) laughing if it wasn't so
sad. it is this mindset that gets this industry in shit every other
day.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: obsd as domU?

2010-01-12 Thread Eric Furman
On Wed, 13 Jan 2010 08:31 +0200, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:
 On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org
 wrote:
  On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
  ciprian.crac...@gmail.com wrote:
 
      So I bet that the initial poster expected an (authoritative) answer
  that should have come in the form of advice based on experience or
  at least something useful... (Not lmgtfy, which I'm sure he already
  did, but did not find a good enough answer (as in authoritative)...)
 
  You are missing the point. Virtualization has been discussed to death
  for *YEARS* and all of it is in the misc@ list archives.
 
 Sorry, didn't know... (I should have checked the mailing list...)
 
 
  Here's the short version of those years of discussion:
 
  1.) Since you can't trust the skill of most developers to write a
  perfectly secure operating system, trusting them to write a perfectly
  secure software emulation of hardware is insane.
 
 Sorry, but you guys from OpenBSD have proved that you can trust
 the skills of **some** developers to write an __supposed__ perfectly
 secure operating system, so why not trust other developers to write
 a __supposed__ secure software emulation with the help of hardware.
 (Let me say it more simply: we have trust in you, but why don't you
 have the disposition to trust in others?)

Very few have demonstrated that they can be trusted.
BTW, *any* virtualization software written for i386 is always going
to have the potential for compromise because of the inherent flaws
in that architecture. It was *not* designed with virtualization in mind.

 
 
  2.) If systems and application software runs fine on real hardware, but
  fails to run on emulated/virtualized hardware, then the problem is in
  the virtualization software. --In other words, take questions and
  complaints to the vendor of your virtualization software.
 
 Agree. This is the same as with software: if software runs
 perfectly on one version of OpenBSD, but not on another it does not
 mean that it's the fault of the new version. (But Xen is not all about
 emulation, it cooperates with the guest kernel, so in this case the
 blame could be on both sides.)

Wrong. If it works on real hardware and fails in virtualization
the virtualization software is *always* to blame.

 
 
  3.) Many of the benefits you gain by running a stable and secure
  operating system like OpenBSD are lost when you run it as a guest on
  top of some other insecure host operating system.
 
 This is only true if either:
 * there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

BWHAHHAHAHAHAHH. Have you ever actually worked with any
virtualization software?
There have been many documented security bugs in every virtualization
software.
Try Securityfocus or your favorite search engine.

 * you let the host operating system front the Internet; (but you
 could just filter out all the traffic from the exterior to the host,
 and use one of the guests (OpenBSD) as a gateway);
 
 
  4.) Most Virtualization Software fails to emulate hardware perfectly.
 
 (Again we are not speaking of emulation, we are speaking of
 cooperation between the hypervisor and the guest kernel.)
 
 
  5.) Most Virtualization Software expects the host operating system to
  have specific features, and hence, it's not easily portable, or it is
  not portable at all.
 
  6.) Most Virtualization Software wants to use fancy hardware features
  and/or have direct access to hardware. If your virtualization software
  is by-passing the restrictions enforced by the host operating system,
  then the host operating system is not able to do its job.
 
 No, (in general) the requirement of virtualization is not to
 bypass the restrictions imposed by OS to hardware.

BWAAAHAHAHAHAHAH! It *should* be a requirement, but rarely *is*.

 
 
  Virtualization can be very useful in certain situations, yet you not
  only need to fully understand and accept the implications and risks of
  virtualization, but *you* also need to test it in *your* environment to
  determine if it meets *your* requirements. Anything less is irrelevant!
 
 One important use of virtualization software (like Xen for
 example), is to allow experimentation. For example I don't have 4
 pieces of hardware to be able to also host a Linux server (for
 personal stuff), experiment with OpenBSD or Plan9, and also give one
 of my friends a small VPN and download host. So I use Xen and turn one
 computer into many. (As you see it's not the security aspect I'm
 interested but the consolidation aspect...) (Yes very lame I know, but
 sometimes money does beat security...)

This is actually very true. But you need to be very aware of where
it does and where it doesn't.