On Tue, 03 Jul 2007 17:29:34 -0700 "Roderick A. Anderson" <[EMAIL PROTECTED]> wrote:
> Chuck wrote: > > On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote: > >> I'm pretty sure a guest normally can't change the system clock > >> so I plan on having the host run ntpd for setting the "system" time > >> and the guest provide the service to the network. > >> > >> Is this a disaster waiting to happen? Are there any other/better ways > >> to do this? > > > > we run several time servers and to be honest i wouldn't even consider > > making a vserver guest a time server. let the host do it all. it takes > > literally no resources and is easy to configure. our 3 host machines > > each is a time server as well, offering ntp service to different > > portions of our networks. > > > > the time spent in massaging configurations to allow a vserver to serve > > time, if it can even be done properly, is better spent in having a > > nice dinner :) > > > > i have found vservers answer 99.9999% of my needs, but ntp is one > > service i would not even consider for virtualizing. > > > > my 2 cents anyway :) > > A very excellent two penny's worth. The plan developed before I > remembered there might be an issue. Not wanting to admit to others at > work it might not be so great I forged on. Thanks for the clue-stick. see Novell's AppArmor (though they got it when they bought some security-focused linux distribution whose name i can't currently remember and am too lazy too look up ;-). it allows SELinux like MAC (mandatory access control), but better suited to securing particular applications instead of the overhead/hassle of the entire system. there are already policy files/descriptions/configurations for several applications distributed with AppArmor, one of them being NTPd, but they usually end up being distro specific, but it's easy to create your own by running NTPd under the control of a monitor (actually it creates a warn-all policy that logs all exercised permissions to syslog) and when finished the monitor asks you what permissions to allow based on the permissions NTPd exercised while being monitored. there's even a recorded video presentation of it from the 2006 FOSDEM (see FOSDEM website). this is what i'm about to implement (done all the preliminary research and tried it on qemu as ubuntu already has packages, but i need to rebuild/port it to debian) for services (NTP, SNMP) that require too many capabilities to securely contain with Vserver in a guest and are easier to restrain with AppArmor. corey -- [EMAIL PROTECTED] _______________________________________________ Vserver mailing list [email protected] http://list.linux-vserver.org/mailman/listinfo/vserver
