OpenVZ is doing fine as well ;)

Posted Dec 7, 2005 12:47 UTC (Wed) by nnnn (guest, #34393)
In reply to: OpenVZ is doing fine as well ;) by kolyshkin
Parent article: The first stable OpenVZ release

Are you saying that when these "top-notch security people" find new
bugs you are keeping the patches private and not sending them back
to the upstream maintainers?

That would be the only way for your offering to be more secure
than a vanilla kernel or other package. And it would be quite
bad if true.


OpenVZ is doing fine as well ;)

Posted Dec 7, 2005 14:37 UTC (Wed) by kolyshkin (subscriber, #34342)

First of all, we do always send the fixes we have upstream, and external people who do security audits for us are also sending their relevant findings upstream.

Second, as I have already tried to explain in my first comment here, our security can indeed be better than that of the vanilla kernel. We achieve this by sticking to an older (=more stable) kernel and backporting all the relevant fixes from vanilla and RHEL kernels (currently there are about 200 such patches, not counting driver updates).

So, we fix bugs and security holes, but do not introduce any new ones that _might_ be coming with newer kernels. This is essentially the same model used by Red Hat Enterprise Linux.

OpenVZ is doing fine as well ;)

Posted Dec 16, 2005 18:02 UTC (Fri) by dev (guest, #34359)

No, we are not hiding security fixes, and we participate in security@kernel.org.
But as you can see, both OpenVZ and vserver add an additional layer inside the kernel and to some extent actually introduce a new security model. And this security model should be reviewed/checked/thought over. For example, when you have a kernel bug which allows the 'root' user to crash your node, it is usually OK, since root is a privileged and trusted user. In the OpenVZ/vserver model, root is an untrusted user. See the difference? Just an example...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds