I've been toying with the idea of using a xen virtual machine to segment various at risk applications I run. Once I have some of the kinks worked out I may create a howto. The idea is to create a xen virtual machine that needs as little memory as possible, then run a single application within it. I've done my testing with firefox as the browser tends to be a glutton for punishment. I'm aware that is a bit paranoid, but anytime security is involved, being a little paranoid is good. Beyond the paranoia, if a security feature adds value without being a hindrance, it's a very good thing.
I've found that after installing FC5 and stripping out all services other than sshd, I can run firefox with little trouble in a xen domain allocated 64 MB of memory. It's not as snappy as it would be if I was running it on this desktop instance, but it's very usable. I imagine things would work better if I wasn't tunneling my X connection over ssh.
There are still a few issues I'm trying to work out.
- Sound. Right now I get no sound from things like flash. This is really only an issue when I'm wondering what Strong Bad is up to.
- Plugins and helper applications. I don't have any movie players configured (see my sound comment above). I also have the problems of viewing various documents. If I open a PDF viewer, my memory needs go up. Something like OpenOffice.org will raise them dramatically. With the price of memory, I can probably handle giving my xen instance 128 MB or 256 MB, but my goal is to be a memory miser.
- Downloads. If I download a file, it lives on my xen instance. This should be fairly easy to solve by enabling NFS.
I've also experimented with the idea of setting my / partition to read only via the xen configuration file. This would ensure that even if someone could become root and get past SELinux, they could only modify /home and /tmp. The other nifty thing with a read only / is that I can share that partition between two concurrent xen sessions without any ill effects (at least none I can see).
That leads into my plans to run firefox and gaim from their very own xen instances, but with a single shared /. That would mean I only have to run a yum update once, and update all my running instances, but there is much testing I still need to do regarding that.
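Here is what the read-only shared / arrangement looks like in an xm-style domU configuration file. This is an added example, not the post's own config: the volume group, logical volume names, guest device names and kernel paths are all assumptions.

```python
# Xen domU configuration (xm-era Python syntax) for a single-application
# firefox guest. The LV names, the guest device names (hda1..hda3) and the
# kernel paths are constructed for this example, not taken from the post.
kernel  = "/boot/vmlinuz-2.6.15-xen"
ramdisk = "/boot/initrd-2.6.15-xen.img"
name    = "firefox"
memory  = 64                      # the 64 MB budget discussed above
vif     = [ '' ]                  # one NIC with defaults, for the ssh X tunnel

# The root filesystem is attached read-only ('r'). xend refuses to attach a
# writable device to two running guests, but it allows read-only sharing,
# which is what makes one / for the firefox and gaim guests safe.
# /home and /tmp are per-guest and writable ('w').
disk = [
    'phy:/dev/VolGroup00/fc5-root,hda1,r',
    'phy:/dev/VolGroup00/firefox-home,hda2,w',
    'phy:/dev/VolGroup00/firefox-tmp,hda3,w',
]

# Boot with / read-only from the start; the block device itself rejects
# writes, so a root shell inside the guest cannot remount it read-write.
root = "/dev/hda1 ro"

# Inside the guest, /etc/fstab lives on the shared read-only / and so is
# identical for every guest that shares it:
#   /dev/hda1  /      ext3  defaults,ro  1 1
#   /dev/hda2  /home  ext3  defaults     1 2
#   /dev/hda3  /tmp   ext3  defaults     1 2
# Because /etc is read-only and shared, anything per-guest (hostname,
# the sshd host keys) has to be moved to /home or a small extra writable
# volume, or every guest sharing / will present the same identity.
```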
Why not run the entire desktop in a VM, to isolate it from the first level system? Similarly, separate at-risk services into VMs. The ideal way to run the system, given adequate resources, is to have the OS running only VMs for stability, security, and recoverability. See the configuration of IBM's VM/CMS (now z/VM) for a historical background. There's no need to re-invent the wheel - the optimal solution to this issue has already been determined.
Sounds like you need to try OpenVZ. Xen is exceptionally bloated when it comes to the task of application separation. I mean WHY run a separate copy of the OS just to isolate one service from another? Why run an additional kernel, kernel thread processes, and all of the other lower level processes you find on a stand alone system... just to run one server application?
Download OpenVZ (www.openvz.org) ASAP and give it a try. I think you'll like it.
There are some drawbacks in the kernel they supply... no sound support (doesn't sound like a problem considering where you are right now), and no GUI in the VPSes... but again, who needs a GUI for an isolated server application???
I HOPE the Fedora community will start to notice OpenVZ and make it an option in future releases. Supposedly OpenVZ will even work within Xen... but I don't know anyone who has done that yet.