[openstack-dev] [Security] (moved post from OpenStack-ML) Re: Security concern VMs isolation (Damedeu Eric)

McPeak, Travis travis.mcpeak at hp.com
Fri Aug 14 14:07:22 UTC 2015


Hi Eric,

First off welcome to OpenStack!  Generally for security related
questions we use the OpenStack-dev mailing list and preface the
subject with a [Security] tag.

One of the functions of a hypervisor is to ensure proper isolation of
tenant VMs.  That being said I highly recommend deploying some kind of
mandatory access control system as a fail-safe.  Two leading MAC
solutions with good QEMU support are AppArmor and SELinux.

The MAC controls that apply specifically to the hypervisor are known
as sVirt.  When QEMU launches a virutal machine it does so in a
separate process.  sVirt ensures that each process is only allowed to
access its own resources.

The net result is that if a hypervisor breakout occurs (code within
the virutal machine process is able to access resources on the host
system) it is still only able to access a limited set of resources on
the host system.

I will also add this thread on OpenStack-dev so that others can chime
in if they have any good pointers.

Thanks,
 -Travis


>Hi all,
>I'm a new guy using Openstack and want to know how to well isolate VMs
>when
>it instanced by the hypervisor. This is avoid attack by  covert channel.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2751 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150814/6f88a85a/attachment.bin>


More information about the OpenStack-dev mailing list