Friday, April 30, 2010

Virtualization: Securing Domain0

Click Here For Free Windows Downloads
mywindowsdownloads.blogspot.com

Click here for all Free Linux Downloads



Blog address for Linux in Hindi


Securing Domain0

When deploying Red Hat Virtualization on your corporate infrastructure, you must ensure that domain0 cannot be compromised. Domain0 is the privileged domain that handles system management. If domain0 is insecure, all other domains in the system are vulnerable. There are several ways to implement security that you should know about when integrating Red Hat Virtualization into your systems. Together with other people in your organization, you should create a 'deployment plan' that contains the operating specifications and services that will run on Red Hat Virtualization, and what is needed to support these services. Here are some security issues to consider when putting together a deployment plan:


· Run the lowest number of necessary services. You do not want to include too many jobs and services in domain0. The fewer things running on domain0, the higher the level of security.


· Enable SELinux to help secure domain0.

· Use a firewall to restrict traffic to domain0. You can set up a firewall with default-reject rules that will help secure domain0 against attacks. It is also important to limit network-facing services.


· Do not allow normal users to access domain0. If you do permit normal users domain0 access, you run the risk of rendering domain0 vulnerable. Remember, domain0 is privileged, and granting access to unprivileged accounts may compromise the level of security.
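
One way to check the "lowest number of necessary services" and "limit network-facing services" points against a running domain0, as an added example that is not part of the original post: it parses `netstat -tlnp` output and lists the TCP listeners reachable from the network that the deployment plan does not allow. The sample output, the allowed-port set and the function names are constructed for illustration.

```python
# Constructed sample of `netstat -tlnp` output from a domain0 host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2301/sshd
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  2410/sendmail
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  1988/portmap
tcp        0      0 0.0.0.0:8002     0.0.0.0:*        LISTEN  2650/python
tcp        0      0 :::631           :::*             LISTEN  2122/cupsd
tcp        0      0 ::1:6010         :::*             LISTEN  3011/sshd
"""


def tcp_listeners(netstat_text):
    """Yield (address, port, program) for each TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # headers, UDP sockets, established connections
        address, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 colons intact
        program = fields[6].split("/", 1)[-1] if len(fields) > 6 else "?"
        yield address, int(port), program


def is_loopback(address):
    """True for sockets bound only to the local host."""
    return address.startswith("127.") or address == "::1"


def unexpected_listeners(netstat_text, allowed_ports):
    """Listeners reachable from the network whose port is not in the plan."""
    return sorted(
        (port, program)
        for address, port, program in tcp_listeners(netstat_text)
        if not is_loopback(address) and port not in allowed_ports
    )


if __name__ == "__main__":
    # Assumed deployment plan: only SSH is meant to be reachable on domain0.
    for port, program in unexpected_listeners(SAMPLE_NETSTAT, {22}):
        print("unexpected network-facing listener: port %d (%s)" % (port, program))
```

Each port it reports is either a service to remove from domain0 or one to add to the plan and cover with an explicit firewall rule.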


Thursday, April 29, 2010

Virtualization: Configuring for Use on a Network



Configuring for Use on a Network



Integrating Red Hat Virtualization into your network architecture is a complicated process and, depending upon your infrastructure, may require custom configuration to deploy multiple Ethernet interfaces and set up bridging.

Each domain network interface is connected to a virtual network interface in dom0 by a point-to-point link. These devices are named vif<domid>.<vifid>: for example, vif1.0 for the first interface in domain 1, and vif3.1 for the second interface in domain 3.


Domain0 handles traffic on these virtual interfaces by using standard Linux conventions for bridging, routing, rate limiting, etc. The xend daemon employs two shell scripts to perform initial configuration of your network and new virtual interfaces. These scripts configure a single bridge for all virtual interfaces. You can configure additional routing and bridging by customizing these scripts.


Red Hat Virtualization's virtual networking is controlled by the two shell scripts, network-bridge and vif-bridge. xend calls these scripts when certain events occur. Arguments can be passed to the scripts to provide additional contextual information. These scripts are located in the /etc/xen/scripts directory. You can change script properties by modifying the xend-config.sxp configuration file located in the /etc/xen directory.


network-bridge: When xend is started or stopped, this script initializes or shuts down the virtual network. The initialization creates the bridge xenbr0 and moves eth0 onto that bridge, modifying the routing accordingly. When xend finally exits, it deletes the bridge and removes eth0, thereby restoring the original IP and routing configuration.


vif-bridge: This script is invoked for every virtual interface on the domain. It configures firewall rules and can add the vif to the appropriate bridge.



Wednesday, April 28, 2010

Virtualization: Migrating a Domain


Migrating a Domain


When a domain migrates, its MAC and IP addresses move with it. Only virtual machines with the same layer-2 network and subnets will successfully migrate. If the destination node is on a different subnet, the administrator must manually configure a suitable EtherIP or IP tunnel in the remote node of domain0. The xend daemon stops the domain, copies the job over to the new node, and restarts it. The Red Hat Virtualization RPM does not enable migration from any other host except the localhost (see the /etc/xen/xend-config.sxp file for information). To allow the migration target to accept incoming migration requests from remote hosts, you must modify the target's xend-relocation-hosts-allow parameter. Be sure to carefully restrict which hosts are allowed to migrate, since there is no authentication.


Since these domains have such large file allocations, this process can be time-consuming. If you migrate a domain with open network connections, they will be preserved on the destination host, and SSH connections should still function. The default Red Hat Virtualization iptables rules will not permit incoming migration connections. To allow this, you must create explicit iptables rules.

You can use the xm migrate command to perform an offline migration:


xm migrate domain-id [destination domain]

You can use the xm migrate command to perform a live migration:


xm migrate domain-id -l [destination domain]

You may need to reconnect to the domain's console on the new machine. You can use the xm console command to reconnect.
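
An added example, not from the original post or from Red Hat: a check of the relocation settings in xend-config.sxp that flags an empty xend-relocation-hosts-allow and patterns that accept more hosts than intended. It assumes the value is a space-separated list of regular expressions, that an empty value admits every host, and that each pattern is matched from the start of the peer's name or address; the sample configuration, host names and function names are constructed.

```python
import re

# Constructed sample of the relocation entries in /etc/xen/xend-config.sxp.
SAMPLE_CONFIG = r"""
#(xend-relocation-server no)
(xend-relocation-server yes)
(xend-relocation-hosts-allow '^xenhost2\.example\.com$ ^192.168.10.2')
"""


def read_option(text, name, default=""):
    """Value of an uncommented (name value) entry, with quotes stripped."""
    m = re.search(r"^[ \t]*\(%s\s+(.*?)\)[ \t]*$" % re.escape(name), text, re.M)
    return m.group(1).strip().strip("'\"") if m else default


def peer_allowed(hosts_allow, peer):
    """Assumed check: an empty list admits every peer; otherwise one pattern
    matching from the start of the peer's name or address is enough."""
    patterns = hosts_allow.split()
    return not patterns or any(re.match(p, peer) for p in patterns)


def audit(text):
    """Return a list of findings for the relocation settings in text."""
    if read_option(text, "xend-relocation-server", "no") != "yes":
        return []  # relocation listener is off, nothing is exposed
    hosts_allow = read_option(text, "xend-relocation-hosts-allow")
    if not hosts_allow:
        return ["hosts-allow is empty: every host that can connect is accepted"]
    findings = []
    for p in hosts_allow.split():
        if not (p.startswith("^") and p.endswith("$")):
            findings.append("%s: not anchored with ^ and $" % p)
        if re.search(r"(?<!\\)\.", p):
            findings.append("%s: unescaped '.' matches any character" % p)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
    allow = read_option(SAMPLE_CONFIG, "xend-relocation-hosts-allow")
    for peer in ("192.168.10.2", "192.168.10.25", "192.168.10.3"):
        print(peer, "accepted" if peer_allowed(allow, peer) else "rejected")
```

In the sample, the second pattern is meant for one address but also accepts 192.168.10.25, because it has no closing `$`. Since the relocation port has no authentication, the allow list and the iptables rule that opens the port should both name exactly the intended peers.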

Tuesday, April 27, 2010

Virtualization: Managing CPUs


Managing CPUs

Red Hat Virtualization allows a domain's virtual CPUs to associate with one or more host CPUs. This can be used to allocate real resources among one or more guests. This approach allows Red Hat Virtualization to make optimal use of processor resources when employing dual-core, hyperthreading, or other advanced CPU technologies. If you are running I/O-intensive tasks, it's typically better to dedicate either a hyperthread or an entire core to run domain0. The Red Hat Virtualization credit scheduler automatically rebalances virtual CPUs between physical ones to maximize system use. The Red Hat Virtualization system allows the credit scheduler to move CPUs around as necessary, as long as the virtual CPU is pinned to a physical CPU.

Migrating a Domain

Migration is the transfer of a running virtual domain from one physical host to another. Red Hat Virtualization supports two varieties of migration: offline and live. Offline migration moves a virtual machine from one host to another by pausing it, transferring its memory, and then resuming it on the destination host. Live migration does the same thing, but does not directly affect the domain. When performing a live migration, the domain continues its usual activities, and from the user's perspective the move is unnoticeable. To initiate a live migration, both hosts must be running Red Hat Virtualization and the xend daemon. The destination host must have sufficient resources (such as memory capacity) to accommodate the domain bandwidth after the migration. Both the source and destination machines must have the same architecture and virtualization extensions (such as i386-VT, x86-64-VT, x86-64-SVM, etc.) and must be on the same L2 subnet.