Isolating guest VMs from each other (not just the host)

Hello Everyone,
I've been playing around with virtualization for a long time, but largely for testing and educational purposes.
For the first time I'm thinking of actually running some production systems in virtual machines instead of on physical hardware, which raises some new concerns for me that weren't really relevant previously, namely, security. In particular, I've been thinking about how to isolate the guest VM processes from each other.
It's decades-old best practice to isolate different server services to different machines to help prevent, say, security problems with your web server also compromising your MySQL server. When you start virtualizing your infrastructure, you lose this benefit to a degree: if someone manages to compromise one of your VM servers and manages to exploit a vulnerability in your hypervisor to gain access to the host, it's no big leap to assume that they may be able to get access to your other virtual machines running on that host.
It seems to me that if you want to improve your resilience to this kind of exploit, you want to increase the isolation of your VM processes from each other. You could, say, run them as different users. If you're careful about permissions, then you gain back some of the security of running your servers on separate physical hardware. An attacker could still exploit a local privilege escalation bug, but it at least provides another line of defense.
This sort of thing seems to be possible with qemu virtual machines, though it does require some work to get anything besides user mode networking working.
On the other hand, this sort of thing seems to be largely impossible with libvirt. It's possible to run qemu VMs as different users using 'qemu://session', but the documentation seems to suggest that this limits you to using the qemu user mode networking, which isn't practical for running publicly accessible servers. Since, as far as I can tell, all of the virtualization management products around are based off of libvirt, this surprises me. It seems to me that someone would have wanted to try and do something like this before, but nobody has (as far as I can tell).
Indeed, there seems to be very little documentation out there about using qemu with tun/tap networking when running as a non-root user. There is some documentation out there about using VDE (mostly via the deprecated vdeq wrapper), but a lot of qemu write-ups skip over it. There's enough out there to suggest it's possible, it just doesn't seem to be written up anywhere (yet, maybe I'll write it up myself someday).
So, this makes me wonder, 'why not?'.  Are there other things people are doing to isolate guest VMs from each other?
What are people running production services in VMs doing?

I suppose this is also something to think about, but I don't think I'd be that worried about it for my use-case. The majority of systems I plan to run could run completely headless and the physical security for the host computers should be pretty good. I'm more concerned about remote code exploits in one particular VM allowing an attacker to execute on the host or in other guest VMs.
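
The per-user qemu setup with tun/tap networking discussed in the post above, sketched as an added example (not part of the original post or of any project's own tooling). It assumes a bridge named br0 already exists, that /dev/net/tun and /dev/kvm are accessible to the VM accounts, and uses hypothetical names: accounts `vm-<name>`, taps `tap-<name>`, images under `/var/lib/vms/<name>/`.

```shell
#!/bin/sh
# Added example: one Unix account and one pre-created tap device per guest,
# so each QEMU process runs unprivileged and cannot read another guest's disk.
# Assumed layout (hypothetical): /var/lib/vms/<name>/disk.qcow2, bridge br0.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Linux interface names are limited to 15 characters.
tap_name() {
    name="tap-$1"
    [ "${#name}" -le 15 ] || { echo "tap name too long: $name" >&2; return 1; }
    printf '%s\n' "$name"
}

# Root-side setup, done once per guest: dedicated account, image directory
# readable only by that account, and a persistent tap owned by that account.
setup_vm() {
    vm="$1"; bridge="$2"
    tap="$(tap_name "$vm")" || return 1
    user="vm-$vm"; dir="/var/lib/vms/$vm"
    # Membership in the kvm group (assumed to exist) grants access to /dev/kvm.
    run useradd --system --no-create-home --groups kvm \
        --shell /usr/sbin/nologin "$user"
    run install -d -o "$user" -g "$user" -m 0700 "$dir"
    run ip tuntap add dev "$tap" mode tap user "$user"
    run ip link set dev "$tap" master "$bridge"
    run ip link set dev "$tap" up
}

# Unprivileged launch: QEMU attaches to the existing tap. script=no and
# downscript=no stop it from calling the ifup/ifdown helpers that need root.
start_vm() {
    vm="$1"
    tap="$(tap_name "$vm")" || return 1
    run sudo -u "vm-$vm" qemu-system-x86_64 -enable-kvm -m 1024 -nographic \
        -drive "file=/var/lib/vms/$vm/disk.qcow2,if=virtio" \
        -netdev "tap,id=net0,ifname=$tap,script=no,downscript=no" \
        -device virtio-net-pci,netdev=net0
}

# Usage: ./vm-isolate.sh <name> [bridge]   (prints the plan unless DRY_RUN=0)
if [ "$#" -ge 1 ]; then
    setup_vm "$1" "${2:-br0}" && start_vm "$1"
fi
```

Because the tap is owned by the guest's own account, a QEMU process that is compromised from inside the guest holds only that account's privileges: it cannot open another guest's tap or image directory without a further local privilege escalation.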
