Difference between revisions of "ASL 3.2 Virtualization Notes"

From Atomicorp Wiki
Jump to: navigation, search
m (Latest kernel not supported)
m (Kernel-less environments)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
= Supported Virtualization Technologies =
 
= Supported Virtualization Technologies =
  
ASL 3.0 is designed to work with the following Virtualization technologies:
+
ASL 3.2 is designed to work with the following Virtualization technologies:
  
 
   [http://linux-vserver.org vserver]
 
   [http://linux-vserver.org vserver]
Line 31: Line 31:
 
You can install ASL and the ASL kernel '''inside''' virtualized guests using these technologies, and all the features will work.
 
You can install ASL and the ASL kernel '''inside''' virtualized guests using these technologies, and all the features will work.
  
== Latest kernel not supported ==
+
=== KVM ===
  
All Features work.  Xen does not support the latest kernel security enhancements. (Please see the note below, you can use a slightly older ASL kernel with Xen)
+
Older versions of KVM that were included with RHEL 5 and Centos 5 do not support the newer 3.x kernels with Centos 5 and RHEL 5 virtual machines, therefore if you experience issues booting with these older KVM technologies and Centos 5 and RHEL 5 virtual machines use the 2.6.32.x ASL kernel instead.
  
  [http://www.xen.org/ Xen]
+
Newer versions of KVM, such as those that come with RHEL 5 and Centos 6 work fine with 3.x kernels. We highly recommend you use the 3.x kernels for those platforms.
 +
 
 +
== Xen ==
 +
 
 +
All Features work, with the special Xen kernel (see below for important notes about Xen vulnerabilities).
 +
 
 +
You must use the ASL xen kernels from the tortix-kernel-xen channel with Xen. During installation ensure you have selected the xen configuration option, or manually set KERNEL_CHANNEL to tortix-kernel-xen through ASL Web.
  
The latest ASL kernels, 2.6.32.60-35 and up, contain new protections against attacks on the kernel itself.  Xen does not support these enhancements.  This is a design choice of Xen, and not something we can address.  Therefore, you can not use the latest ASL kernels with Xen.    '''We will be releasing a xen only kernel that does not include these enhancements at the end of Q1 2013.  For now, Xen users should continue to use the 2.6.32.59-28 kernel.'''
+
=== Xen and vulnerabilities ===
  
'''Version 2.6.32.59-28, and older, of the ASL kernel does not contain these new kernel protections, and should work with Xen.''' Please see the [[kernel]] page for instructions about how to configure your system to use a different kernel.
+
All of the kernel security enhancements in the ASL kernel do work with Xen, except for two new security enhancements to the kernel.  Specifically, Xen does not support KERNEXEC and UDREF explained in more detail below, and ASL will report these are vulnerabilities when using Xen. '''This is a design choice of Xen, and neither a weakness in ASL nor is it something we can, unfortunately, address.''' 
  
Specifically, Xen does not support these kernel enhancements
+
With that said, its important to recognize that all kernels on Xen contain at least these two weakness, and non-ASL kernels contain a lot more fundamental flaws and weaknesses that can not be fixed with patches, they are fundamental design flaws.  The ASL kernel, however, does not contain these design flaws, and even on the Xen platform is significantly more resistent to attacks than any other Linux kernel.  If these vulnerabilities are too risky for your needs, then we recommend you use a different virtualization technology.  Using a non-ASL kernel with Xen, or any virtualization technology will leave your system extremely vulnerable to attack.
  
 
'''KERNEXEC'''
 
'''KERNEXEC'''
Line 67: Line 73:
 
== Kernel-less environments ==
 
== Kernel-less environments ==
  
All ASL features work, however '''these technologies do not allow the installation of a kernel as a guest.'''
+
Supported with ASL.  All ASL features work, however '''these technologies do not allow the installation of any kernel as a guest.'''
  
Therefore, you can not install the ASL kernel inside one of these virtual servers, as these technologies do not allow the installation of any kernel inside a VPS.  Specifically, these technologies do not have kernels inside the VPS itself and instead, virtual machines/servers share one kernel provided by the host:
+
Therefore, you can not install the optional secure ASL kernel inside one of these virtual servers, as these technologies do not allow the installation of any kernel inside a VPS.  Specifically, these technologies do not have kernels inside the VPS itself and instead, virtual machines/servers share one kernel provided by the host:
  
 
   [http://www.parallels.com/products/pvc45/ Virtuozzo]
 
   [http://www.parallels.com/products/pvc45/ Virtuozzo]
 
   [http://wiki.openvz.org OpenVZ]
 
   [http://wiki.openvz.org OpenVZ]
  
On these systems you should expect ASL to report various vulnerabilities in the kernel.  VPS users share one kernel, the hosts kernel.  If the host has not installed ASL on the host system you will see vulnerabilities in the kernel.  These are not false positives but are in fact vulnerabilities in those kernels.  When using a virtualized machine with these technologies various other behaviours will occur, and they are covered in the article [[ASL#ASL_inside_a_VPS]].
+
On these systems you should expect ASL to report various vulnerabilities in the non-ASL kernel.  VPS users share one kernel, the hosts kernel.  If the host has not installed ASL on the host system you will see vulnerabilities in the kernel.  These are not false positives but are in fact vulnerabilities in those kernels.   
  
 
We recommend you encourage your hosting provider to install ASL on the host system too.
 
We recommend you encourage your hosting provider to install ASL on the host system too.

Latest revision as of 15:14, 25 May 2015

Contents

[edit] Supported Virtualization Technologies

ASL 3.2 is designed to work with the following Virtualization technologies:

 vserver
 kvm/qemu
 lguest
 VMWare(TM)
 Xen
 Virtuozzo
 OpenVZ

This means that you can run ASL on a virtualized machines using these technologies. The following article defines the levels of feature support as follows:

  • Full Support: All ASL features will work
  • Built in Virtualization: All ASL features will work, plus ASL can act as a virtualization host.
  • Supported and works with: All ASL features will work, except for features in the ASL kernel. These technologies either do not allow the replacement of the kernel (VPS) or do not work with the ASL kernel (Xen). You can not install or use the ASL kernel with these technologies.
  • Beta Support: All ASL features should work, however this should be consider a beta. These features are in testing, and following testing will be rolled into the supported builds.

[edit] Full Support

All Features work.

ASL has full support for the following virtualization technologies:

 vserver
 kvm/qemu
 lguest
 VMWare(TM)

You can install ASL and the ASL kernel inside virtualized guests using these technologies, and all the features will work.

[edit] KVM

Older versions of KVM that were included with RHEL 5 and Centos 5 do not support the newer 3.x kernels with Centos 5 and RHEL 5 virtual machines, therefore if you experience issues booting with these older KVM technologies and Centos 5 and RHEL 5 virtual machines use the 2.6.32.x ASL kernel instead.

Newer versions of KVM, such as those that come with RHEL 5 and Centos 6 work fine with 3.x kernels. We highly recommend you use the 3.x kernels for those platforms.

[edit] Xen

All Features work, with the special Xen kernel (see below for important notes about Xen vulnerabilities).

You must use the ASL xen kernels from the tortix-kernel-xen channel with Xen. During installation ensure you have selected the xen configuration option, or manually set KERNEL_CHANNEL to tortix-kernel-xen through ASL Web.

[edit] Xen and vulnerabilities

All of the kernel security enhancements in the ASL kernel do work with Xen, except for two new security enhancements to the kernel. Specifically, Xen does not support KERNEXEC and UDREF explained in more detail below, and ASL will report these are vulnerabilities when using Xen. This is a design choice of Xen, and neither a weakness in ASL nor is it something we can, unfortunately, address.

With that said, its important to recognize that all kernels on Xen contain at least these two weakness, and non-ASL kernels contain a lot more fundamental flaws and weaknesses that can not be fixed with patches, they are fundamental design flaws. The ASL kernel, however, does not contain these design flaws, and even on the Xen platform is significantly more resistent to attacks than any other Linux kernel. If these vulnerabilities are too risky for your needs, then we recommend you use a different virtualization technology. Using a non-ASL kernel with Xen, or any virtualization technology will leave your system extremely vulnerable to attack.

KERNEXEC

KERNEXEC is the kernel land equivalent of PAGEEXEC and MPROTECT, that is, this enhancement makes it harder for an attacker to inject and execute "foreign" code in kernel memory itself. Xen does not support this enhancement, although other virtualization technologies do support these enhancements (e.g. kvm, VMWare). This is a limitation of Xen, not of the ASL kernel. This enhancement is simply not possibly with Xen.

UDEREF

This ensures that userland and kernel address spaces are properly separated. This addresses NULL dereference based exploits, for example. This feature makes sure that data segments for userland and the kernel are properly limited, either upwards (userland) or downwards (kernel). Xen does not support this enhancements, although other virtualization technologies do support these enhancements (e.g. kvm, VMWare). This is a limitation of Xen, not of the ASL kernel. This enhancement is simply not possibly with Xen.

Additional information about UDEREF is provided here.

[edit] Built in Virtualization

All ASL Features work. You can also use ASL to create virtual machines using these technologies.

 vserver
 kvm/qemu
 lguest

This means you can use ASL for your virtualization needs if you use the above virtualization technologies for your virtual machines.

You can install ASL and the ASL kernel inside virtualized guests using these technologies.

[edit] Kernel-less environments

Supported with ASL. All ASL features work, however these technologies do not allow the installation of any kernel as a guest.

Therefore, you can not install the optional secure ASL kernel inside one of these virtual servers, as these technologies do not allow the installation of any kernel inside a VPS. Specifically, these technologies do not have kernels inside the VPS itself and instead, virtual machines/servers share one kernel provided by the host:

 Virtuozzo
 OpenVZ

On these systems you should expect ASL to report various vulnerabilities in the non-ASL kernel. VPS users share one kernel, the hosts kernel. If the host has not installed ASL on the host system you will see vulnerabilities in the kernel. These are not false positives but are in fact vulnerabilities in those kernels.

We recommend you encourage your hosting provider to install ASL on the host system too.

[edit] In Development

  • Xen Server: We are currently exploring support for native Xen support in the ASL kernel, where the ASL kernel will act as the Xen server. ASL is supported as a guest inside a Xen master server.
Personal tools