Maintaining Xen with FAI - Questions

Henning Sprang henning_sprang at gmx.de
Thu Nov 30 14:17:59 CET 2006


On 11/30/06, Mario Bischof <mbischof at gmx.net> wrote:
> [...]
> I always thought using custom xen kernels is better for security?

Security is a process, not using a product - this also goes for choice
of kernels or configurations.
Custom kernels can only be more secure if you take care of it a lot
and have a lot of knowledge.

The Xen developers don't provide security updates and fixes, and don't
say a word if you ask them about it. I get the impression they don't
see themselves as providers of software for end-users, but see this
task on the side of the distribution developers - but they did not
confirm this yet - no comments on xen-devel on questions about
security updates.
So, security-wise it's safer to use the Debian Xen Kernels, because
they do security releases, and bring the Xen Linux patches to newer
Kernel versions.

Still, I build my own, but I use it mostly for FAI development and
experimental stuff.
In that case, it's good to have separate dom0 domU Kernels, cause when
I only change the domU Kernel, rebuilding it is a lot faster than
building the kernel with all modules for my machines.


> Well, does the standard xen-kernel from
> debian also provide HVM support for using win xp?

The Xen Linux Kernel doesn't need or have hvm features - it's only in
Xen itself.
The xen packages from Debian support hvm, you need to install the
xen-iommu package as well (and some others, but this is excessively
handled in xen-users, no topic for this list).

> does it include tun/
> tap device support for creating openVPN domains?

Not sure, look into the config file...

Henning
