[zones-discuss] Zone Isolation Host Protection (vbox in a zone panics system)

2009-06-11 Thread Michael McKnight
Hello everyone,

I recently took on a project to run a VirtualBox guest within a whole Solaris 
zone.  The idea was to protect the Solaris system from any crashes vbox might 
have.  I need to run vbox on a production system, but I didn't want to put the 
whole system at risk.

I was using Solaris 5/09 x86 with VirtualBox 2.2.2.  Vbox would run ok as long 
as I didn't try to power-off the virtual machine.  When I would power off a 
vbox guest, within just a few mins the Solaris host would panic with the 
following message in syslog:

genunix: [ID 335743 kern.notice] BAD TRAP: type=e (#pf Page fault) 
rp=d55a3ccc addr=490070e4 occurred in module genunix due to an illegal access 
to a user address

This was easily repeatable... and in two cases even made the host OS unbootable 
-- device driver couldn't be loaded.  Without vbox running, the zone would 
function as expected and run indefinitely without issue.

As a result of this, I had to change the version of vbox I was using and run 
the vbox within the global zone (risky).  It seems to be running rock solid so 
far, but the whole experience has left me seriously questioning the safety of 
Solaris zones.  Plus, I don't have the option of isolating the vbox machines as 
I originally had hoped.

This is where I need help.  I may simply have a misunderstanding of what a zone 
can do.  My understanding was that applications (i.e. vbox) running within a zone 
would be completely isolated from the host system.  Bad software, security 
breaches, etc. would all be contained within the zone, and the host system, and 
any other zones, would be protected from a problem zone.  As I have explained 
above, this was not the case.

So, what should I expect from zones?  Since they are not fully isolated from 
the global zone and underlying host, what degree of confidence should I put 
into their resiliency and their security?  If, as I experienced, a rogue 
application can cause a system panic, wouldn't a potential intruder be able to 
do the same thing?

I really was falling in love with Zones and the potential I thought they would 
offer me, but this experience has really made me question my decision to use 
them and I need some help understanding exactly what went wrong.

If anyone can offer some insight, I'd be grateful.

Thanks to all in advance,
-Michael
-- 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] Zone Isolation Host Protection (vbox in a zone panics system)

2009-06-11 Thread Jeff Victor
On Thu, Jun 11, 2009 at 2:06 AM, Michael McKnight no-re...@opensolaris.org wrote:
Michael,

Your experience shows that zones have a high degree of isolation for
user-level applications, but that the isolation can be significantly
reduced whenever the kernel is modified in some way.

I am assuming that when you installed VirtualBox, you installed the
SUNWvboxkern package in the global zone. That package adds a kernel
module to the kernel. That software runs independently of the zones
framework. If there is a bug in that software - or any other kernel
module - it has the potential to cause the kernel to panic. As you
have seen, this affects all zones on the system.

The same is true if you add a 3rd party file system which requires a
kernel module or device driver.

I suggest discussing the symptom experienced by your system at
http://forums.virtualbox.org/ , or reporting this as a bug at:
http://www.virtualbox.org/wiki/Bugtracker .


--JeffV
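Jeff's point is that every kernel module loaded in the global zone is ring-0 code shared by all zones, so the practical check is to inventory those modules against a known-good baseline. The script below is an added example, not from the thread or from Sun/VirtualBox; the `modinfo` output and baseline are constructed samples, and the vboxdrv/vboxnet lines are assumed for illustration.

```shell
#!/bin/sh
# Added example: compare the kernel modules currently loaded in the global zone
# against a baseline recorded on a clean install, and report anything new.
# A new entry here is new kernel code that no zone boundary contains.

# Constructed sample of Solaris 10 x86 `modinfo` output (format assumed;
# the vboxdrv/vboxnet lines are made up for illustration).
SAMPLE_MODINFO=' Id Loadaddr   Size Info Rev Module Name
  6 fec05ac8   4e3b   1   1  specfs (filesystem for specfs)
  9 fec0a1c0   3a20   -   1  sockfs (filesystem for sockfs)
 42 feafb000  1c6f0   -   1  zfs (ZFS storage pool version 15)
211 f9f00000  3f000 279   1  vboxdrv (VirtualBox HostDrv 2.2.2)
212 f9f40000   1200 280   1  vboxnet (VirtualBox NetAdp 2.2.2)'

# Constructed baseline: module names captured before any third-party software
# was installed (on a real host: modinfo | module_names > baseline.txt).
BASELINE='specfs
sockfs
zfs'

# module_names: read modinfo output on stdin, print one module name per line
# (skip the header; the name is the sixth whitespace-separated field).
module_names() {
    awk 'NR > 1 && NF >= 6 { print $6 }'
}

# new_modules MODINFO_TEXT BASELINE_TEXT: print loaded modules not in baseline.
new_modules() {
    printf '%s\n' "$1" | module_names | awk -v base="$2" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        !($0 in seen) { print }'
}

# check_kernel_modules MODINFO_TEXT BASELINE_TEXT: return 1 and list the new
# modules on stderr when the kernel has grown beyond the baseline, else 0.
check_kernel_modules() {
    found=$(new_modules "$1" "$2")
    [ -z "$found" ] && return 0
    printf 'Kernel modules loaded beyond baseline (shared by every zone):\n%s\n' "$found" >&2
    return 1
}

# Run against the constructed sample; on a real host pass "$(modinfo)" instead.
if check_kernel_modules "$SAMPLE_MODINFO" "$BASELINE"; then
    echo "kernel module set matches baseline"
else
    echo "review the modules above: a bug in any of them can panic every zone"
fi
```

Run it from cron in the global zone; a non-zero exit means the shared kernel attack surface changed since the baseline was taken.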