Using Xen to Segment Applications

Josh's Blog

Thursday, April 6. 2006

Using Xen to Segment Applications

I've been toying with the idea of using a xen virtual machine to segment various at risk applications I run. Once I have some of the kinks worked out I may create a howto. The idea is to create a xen virtual machine that needs as little memory as possible, then run a single application within it. I've done my testing with firefox as the browser tends to be a glutton for punishment. I'm aware that is a bit paranoid, but anytime security is involved, being a little paranoid is good. Beyond the paranoia, if a security feature adds value without being a hinderance, it's a very good thing.

I've found that after installing FC5 and stripping out all services other than sshd, I can run firefox with little trouble in a xen domain allocated 64 MB of memory. It's not as snappy as it would be if I was running it on this desktop instance, but it's very usable. I imagine things would work better if I wasn't tunneling my X connection over ssh.

There are still a few issues I'm trying to work out.

- Sound. Right now I get no sound from things like flash. This is really only an issue when I'm wondering what Strong Bad is up to.

- Plugins and helper applications. I don't have any movie players configured (see my sound comment above). I also have the problems of viewing various documents. If I open a PDF viewer, my memory needs go up. Something like OpenOffice.org will raise them dramatically. With the price of memory, I can probably handle giving my xen instance 128 MB or 256 MB, but my goal is to be a memory miser.

- Downloads. If I download a file, it lives on my xen instance. This should be fairly easy to solve by enabling NFS.

I've also experimented with the idea of setting my / partition to read only via the xen configuration file. This would ensure that even if someone could become root and get past SELinux, they could only modify /home and /tmp. The other nifty thing with a read only / is that I can share that partition between two concurrent xen sessions without any ill effects (at least none I can see).

That leads into my plans to run firefox and gaim from their very own xen instances, but with a single shared /. That would mean I only have to run a yum update once, and update all my running instances, but there is much testing I still need to do regarding that.
Posted by Josh Bressers in Linux at 22:05 | Comments (2) | Trackback (1)
Twitter Facebook Bookmark Using Xen to Segment Applications at reddit.com

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Why not run the entire destop in a VM, to isolate it from the first level system? Similarly, separate at-risk services into VMs. The ideal way to run the system, given adequate resources, is to have the OS running only VMs for stability, security, and recoverability. See the configuration of IBM's VM/CMS (now z/VM) for a historical background. There's no need to re-invent the wheel - the optimal solution to this issue has already been determined.
#1 Mace Moneta on 2006-04-07 11:08 (Reply)
Sounds like you need to try OpenVZ. Xen is exceptionally bloated when it comes to the task of applicaiton separation. I mean WHY run a separate copy of the OS just to isolate one service from another? Why run an additional kernel, kernel thread processes, and all of the other lower level processes you find on a stand alone system... just to run one server application?

Download OpenVZ (www.openvz.org) ASAP and give it a try. I think you'll like it.

There are some drawbacks in the kernel they supply... no sound support (doesn't sound like a problem considering where you are right now), and no GUI in the VPSes... but again, who needs a GUI for an isolated server application???

I HOPE the Fedora community will start to notice OpenVZ and make it an option in future releases. Supposedly OpenVZ will even work within Xen... but I don't know anyone who has done that yet.
#2 Scott Dowdle on 2006-04-07 15:12 (Reply)
Heh.

The real answer would lie in solving the shared memory issue across VM's. Most VM's (VMWare, Xen, VirtualIron) run as an application on an OS, so you end up layering an OS inside an OS.

Instead, what we clearly want to do is simply have the hardware, a Ring -1 multiplexer (port, cpu, memory), and plural Ring 0 OS's, applications with libraries, etc.

It would then be ideal to overcome shared memory and file spaces across OS's. As far as I'm aware, this hasn't been achieved yet. As far as I'm aware, it'll only be viable if it's open source.
#3 Dan on 2007-10-17 22:18 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
 
 

Calendar

Back May '13
Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  

Twitter


Quicksearch

Archives

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog