The first stable OpenVZ release
Posted Dec 9, 2005 14:17 UTC (Fri) by PaXTeam
In reply to: The first stable OpenVZ release
Parent article: The first stable OpenVZ release
> For the truly paranoid, a virtualization model where each virtual machine has its own kernel (ie. Xen) probably makes more sense.
actually, exactly the opposite is true. think about it, a set of virtual machines is the equivalent of a set of (optionally networked) physical machines. the difference is that when you compromise a machine (virtual or physical, respectively) and want to escalate your access (within the given machine or across machines), under the virtual system you get an extra potential attack vector - the VM supervisor/hypervisor/whatever itself. so the VM model is *always* less secure than the equivalent set of physical machines. and that's why kernel security (and in particular, its resistance to exploits) is even more important than on 'normal' machines.