Mageia Bugzilla – Attachment 7126 Details for Bug 16956: xen security issues...
Notes from previous test of xen
xentest (text/plain), 3.27 KB, created by Dave Hodgins on 2015-10-14 20:29:55 CEST

Description: Notes from previous test of xen
Filename: xentest
MIME Type: text/plain
Creator: Dave Hodgins
Created: 2015-10-14 20:29:55 CEST
Size: 3.27 KB
Ensure the host system is using kernel-server-latest.
"uname -r" should show something like
3.8.13.3-server-2.mga3

urpmi xen

chkconfig --list|grep 5:on
will show xencommons, xend, and xendomains are enabled. All three
need to be disabled.

# systemctl disable xencommons.service
# systemctl disable xend.service
# systemctl disable xendomains.service

The services xenconsoled and xenstored need to be enabled.

# systemctl enable xenconsoled.service
# systemctl enable xenstored.service

On my amd system, having xend enabled will cause a hard reboot, when
trying to boot into xen, forcing a full fsck on the next boot,
so be sure to correct which services are enabled before trying to
boot into xen.

Edit /boot/grub/menu.lst, copy the last boot stanza, which should
be something like

title server 3.8.13.3-2.mga3
kernel (hd0,6)/boot/vmlinuz-3.8.13.3-server-2.mga3 BOOT_IMAGE=server_3.8.13.3-2.mga3 root=UUID=5699901f-6700-4d51-9a61-58a4bda7567b nokmsboot resume=LABEL="a3swap" vga=794
root (hd0,6)
initrd /boot/initrd-3.8.13.3-server-2.mga3.img

Paste in a copy of the stanza, similar to the following

title xen server 3.8.13.3-2.mga3
kernel (hd0,7)/boot/xen.gz dom0_mem=4096MB
module (hd0,7)/boot/vmlinuz-3.8.13.3-server-2.mga3 BOOT_IMAGE=server_3.8.13.3-2.mga3 root=UUID=f795db69-1357-4269-b17b-335430a8cff8 resume=UUID=9af64cdc-a611-47c3-821e-94a9fd60251e vga=788
root (hd0,7)
module /boot/initrd-3.8.13.3-server-2.mga3.img

Note that the title has been modified, to make it unique, the kernel
line now loads xen.gz, and what was the kernel line is now a module line,
and the word initrd has also been replaced with the word module.

Assuming eth0 is the network interface connecting to the internet,
# cd /etc/sysconfig/network-scripts/
# mv ifcfg-eth0 ifcfg-xenbr
Edit ifcfg-xenbr
Change the device from DEVICE=eth0 to DEVICE=xenbr, and add a line with
TYPE=Bridge
Note that the case is important in the type.

Edit ifcfg-eth0, and paste in
DEVICE=eth0
BRIDGE=xenbr
ONBOOT=yes

Edit /etc/shorewall/interfaces, and add a line with
net xenbr detect

Reboot, and select the xen stanza from the grub menu.

During the testing, 2 guest systems will be created. The first uses hvm
(aka full virtualization, similar to VirtualBox), the second uses pv
(aka partial virtualization), where the guest has direct access to more
of the host's hardware.

The guest using hvm will be used to install a guest system, and then
will be copied to create the starting point for the pv install.

First create a sparse file, to contain the guest's virtual hard drive.
# dd if=/dev/zero of=/opt/hvmtest.img count=1 bs=4M seek=4k
Note that the sparse file will start with using 4M, but as
it's used, will grow, up to a max of 17GB, as shown by ...
# ls -lsh /opt/hvmtest.img
4.0M -rw-r--r-- 1 root root 17G Jun 27 21:28 /opt/hvmtest.img

Create the config file used for installing the guest in the
directory /etc/xen

edit hvmtest, and save it with ...
builder="hvm"
name="hvmtest"
vcpus=2
memory=2048
maxmem=4096
vncviewer=1
disk = [ 'file:/opt/hvmtest.img,sda,w', 'file:/s3/bkup/software/i3/boot-nonfree.iso,hdb:cdrom,r', ]
vif = [ 'type=ioemu, mac=00:1f:5a:71:ae:37, bridge=xenbr', ] # choose a random mac
boot="dc"

Note that the mac address should be something unique for this guest, and
use the correct name and path for an install iso.
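As an added example that is not part of Dave Hodgins' notes or the Mageia package, a Python preflight for the guest config and bridge ifcfg the notes describe: it parses the Python-syntax config with literals only (no exec), checks that each vif MAC is well-formed, unicast and not already used by another guest, confirms the bridge's ifcfg has a matching DEVICE and TYPE=Bridge with the exact case the notes warn about, and generates a random locally-administered MAC. The sample config and ifcfg contents are constructed, and the iso path is a placeholder.

```python
import ast
import re
import secrets
# Constructed sample inputs modelled on the notes (not the attachment's own files).
GUEST_CFG = """
builder="hvm"
name="hvmtest"
vcpus=2
disk = [ 'file:/opt/hvmtest.img,sda,w', 'file:/path/to/install.iso,hdb:cdrom,r', ]
vif = [ 'type=ioemu, mac=00:1f:5a:71:ae:37, bridge=xenbr', ] # choose a random mac
boot="dc"
"""
IFCFG_XENBR_BAD = "DEVICE=xenbr\nTYPE=bridge\nONBOOT=yes\n"  # lower-case type: the mistake the notes warn about

def parse_guest_cfg(text):
    """Parse the Python-syntax guest config without exec(): literal values only."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = ast.literal_eval(value.strip())
    return cfg

def parse_ifcfg(text):
    """KEY=VALUE lines of a sysconfig ifcfg file."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def random_unicast_mac():
    """Random MAC with the locally-administered bit set and the multicast bit clear."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)

def check_guest(cfg, bridge_ifcfg, known_macs=()):
    """Preflight the vif entries: well-formed unique unicast MAC, bridge with TYPE=Bridge."""
    problems = []
    used = {m.lower() for m in known_macs}
    for entry in cfg.get("vif", []):
        fields = dict(f.strip().split("=", 1) for f in entry.split(",") if "=" in f)
        mac = fields.get("mac", "").lower()
        if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
            problems.append(f"malformed mac {mac!r}")
        elif int(mac[:2], 16) & 1:
            problems.append(f"multicast mac {mac} cannot be a guest NIC address")
        elif mac in used:
            problems.append(f"mac {mac} already used by another guest")
        bridge = fields.get("bridge")
        if bridge != bridge_ifcfg.get("DEVICE") or bridge_ifcfg.get("TYPE") != "Bridge":
            problems.append(f"bridge {bridge!r} has no ifcfg with DEVICE={bridge} and TYPE=Bridge (case matters)")
    return problems
```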