On Tue, Oct 16, 2012 at 07:45:25AM -0500, Ryan Harper wrote:
> * Dan Yasny <dya...@redhat.com> [2012-10-15 23:42]:
> > 
> 
> Hi Dan,
> 
> > 
> > > > Why? It really sounds like an easy path to me - provisioning of a
> > > > virtual appliance is supposed to be simple, upgrades not necessary -
> > > > same as with ovirt-node, just a bit of config files preserved and the
> > > > rest simply replaced, and HA is taken care of by the platform
> > > > 
> > > > On the other hand, maintaining this on multiple hypervisors means they
> > > > should all be up to date, compliant and configured. Not to mention the
> > > > security implications of maintaining an extra access point on lots of
> > > > machines vs a single virtual appliance VM. Bandwidth can be an issue,
> > > > but I doubt serial console traffic can be that heavy especially
> > > > since it's there for admin access and not routine work
> > > 
> > > So, we're replacing a single daemon with a complete operating system?
> > 
> > a daemon on all hosts vs a single VM. It looks to me like a single
> > access point for consoles can provide less of an attack surface.
> 
> All of the hosts already run ssh, you're not turning that off, so the
> surface is the same.

That's not necessarily true. I can well imagine that there would be
different access rules for admins SSH'ing to the host, vs users SSH'ing
to access a VM text console. e.g. host SSH access may be firewall restricted
to a special admin VLAN only, while VM console SSH can be open to the LAN
or WAN as a whole. So just because both use SSH does not imply the attack
surface is the same for both usages.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
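The point Daniel makes above, that two SSH listeners can have very different exposure depending on who the firewall lets reach them, can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from vdsm/libvirt; it assumes a simple first-match firewall chain of (source network, destination port, verdict) rules, and all networks, ports and addresses in it are constructed for illustration (the 2222 console port is an assumption, not something the thread specifies).

```python
"""Compare the reachable-source sets of two SSH listeners under different
firewall policies (added example; networks and ports are constructed)."""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# (source CIDR, destination TCP port, verdict) -- first match wins, like an
# nftables chain such as: ip saddr 10.10.0.0/24 tcp dport 22 accept
Rule = Tuple[str, int, str]

# Constructed networks (assumption, not from the thread).
ADMIN_VLAN = "10.10.0.0/24"
OFFICE_LAN = "192.168.0.0/16"
WAN_SAMPLE = "203.0.113.0/24"   # documentation range standing in for "the WAN"
ANY = "0.0.0.0/0"
CLIENT_NETS = [ADMIN_VLAN, OFFICE_LAN, WAN_SAMPLE]

# Hypervisor host: sshd on 22 is reachable only from the admin VLAN.
HOST_RULES: List[Rule] = [
    (ADMIN_VLAN, 22, "accept"),
    (ANY, 22, "drop"),
]

# Console appliance VM: its SSH listener (assumed port 2222) is open to
# everyone, as in the "open to the LAN or WAN as a whole" case.
CONSOLE_RULES: List[Rule] = [
    (ANY, 2222, "accept"),
]


def verdict(rules: List[Rule], src: str, dport: int) -> str:
    """First-match evaluation with an implicit default-deny at the end."""
    ip = ip_address(src)
    for net, port, action in rules:
        if port == dport and ip in ip_network(net):
            return action
    return "drop"


def reachable_from(rules: List[Rule], dport: int,
                   client_nets: List[str]) -> List[str]:
    """Return the client networks whose first usable host can reach dport.

    Probing one representative host per network is enough here because the
    rule sets are written at whole-network granularity."""
    reachable = []
    for net in client_nets:
        probe = str(next(ip_network(net).hosts()))
        if verdict(rules, probe, dport) == "accept":
            reachable.append(net)
    return reachable


def exposure_summary() -> dict:
    """Reachable-source sets for both listeners, keyed by listener name."""
    return {
        "host sshd :22": reachable_from(HOST_RULES, 22, CLIENT_NETS),
        "console ssh :2222": reachable_from(CONSOLE_RULES, 2222, CLIENT_NETS),
    }


if __name__ == "__main__":
    for name, nets in exposure_summary().items():
        print(f"{name:<20} reachable from: {', '.join(nets)}")
```

Both listeners speak SSH, but the model shows the host daemon is reachable from one /24 while the console relay is reachable from every client network, which is the difference in attack surface the reply is describing; the same comparison is what a reviewer would want to see written down in the real nftables/iptables policy and in the sshd `Match` rules before calling the two equivalent.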
_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/vdsm-devel
