[Vserver] Hosts and Guests and NTP; oh my.

2007-07-03 Thread Roderick A. Anderson
I need to provide time services for the local network (less than 50 
servers, workstations and Windows boxes) and since that is pretty lite 
weight I'm thinking of putting it into the guest that will be handling 
DNS queries.


But ... I'm pretty sure a guest normally can't change the system clock 
so I plan on having the host run ntpd for setting the "system" time and 
the guest provide the service to the network.


Is this a disaster waiting to happen?  Are there any other/better ways 
to do this?



Thanks,
Rod
--
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Hosts and Guests and NTP; oh my.

2007-07-03 Thread Chuck
On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote:
> I need to provide time services for the local network (less than 50 
> servers, workstations and Windows boxes) and since that is pretty lite 
> weight I'm thinking of putting it into the guest that will be handling 
> DNS queries.
> 
> But ... I'm pretty sure a guest normally can't change the system clock 
> so I plan on having the host run ntpd for setting the "system" time and 
> the guest provide the service to the network.
> 
> Is this a disaster waiting to happen?  Are there any other/better ways 
> to do this?

we run several time servers and to be honest i wouldn't even consider making a 
vserver guest a time server. let the host do it all. it takes literally no 
resources and is easy to configure. our 3 host machines each is a time server 
as well, offering ntp service to different portions of our networks.

the time spent in massaging configurations to allow a vserver to serve time, 
if it can even be done properly,  is better spent in having a nice dinner :)

i have found vservers answer 99.% of my needs, but ntp is one service i 
would not even consider for virtualizing.

my 2 cents anyway :)

-- 

Chuck





Re: [Vserver] Hosts and Guests and NTP; oh my.

2007-07-03 Thread Roderick A. Anderson

Chuck wrote:
> On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote:
>> I need to provide time services for the local network (less than 50 
>> servers, workstations and Windows boxes) and since that is pretty lite 
>> weight I'm thinking of putting it into the guest that will be handling 
>> DNS queries.
>>
>> But ... I'm pretty sure a guest normally can't change the system clock 
>> so I plan on having the host run ntpd for setting the "system" time and 
>> the guest provide the service to the network.
>>
>> Is this a disaster waiting to happen?  Are there any other/better ways 
>> to do this?
>
> we run several time servers and to be honest i wouldn't even consider making a 
> vserver guest a time server. let the host do it all. it takes literally no 
> resources and is easy to configure. our 3 host machines each is a time server 
> as well, offering ntp service to different portions of our networks.
>
> the time spent in massaging configurations to allow a vserver to serve time, 
> if it can even be done properly,  is better spent in having a nice dinner :)
>
> i have found vservers answer 99.% of my needs, but ntp is one service i 
> would not even consider for virtualizing.
>
> my 2 cents anyway :)


A very excellent two penny's worth.  The plan developed before I 
remembered there might be an issue.  Not wanting to admit to others at 
work it might not be so great I forged on.  Thanks for the clue-stick.



Rod
--




Re: [Vserver] Hosts and Guests and NTP; oh my.

2007-07-03 Thread Corey Wright
On Tue, 03 Jul 2007 17:29:34 -0700
"Roderick A. Anderson" <[EMAIL PROTECTED]> wrote:

> Chuck wrote:
> > On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote:
> >> I'm pretty sure a guest normally can't change the system clock 
> >> so I plan on having the host run ntpd for setting the "system" time
> >> and the guest provide the service to the network.
> >>
> >> Is this a disaster waiting to happen?  Are there any other/better ways 
> >> to do this?
> > 
> > we run several time servers and to be honest i wouldn't even consider
> > making a vserver guest a time server. let the host do it all. it takes
> > literally no resources and is easy to configure. our 3 host machines
> > each is a time server as well, offering ntp service to different
> > portions of our networks.
> > 
> > the time spent in massaging configurations to allow a vserver to serve
> > time, if it can even be done properly,  is better spent in having a
> > nice dinner :)
> > 
> > i have found vservers answer 99.% of my needs, but ntp is one
> > service i would not even consider for virtualizing.
> > 
> > my 2 cents anyway :)
> 
> A very excellent two penny's worth.  The plan developed before I 
> remembered there might be an issue.  Not wanting to admit to others at 
> work it might not be so great I forged on.  Thanks for the clue-stick.

see Novell's AppArmor (though they got it when they bought some
security-focused linux distribution whose name i can't currently remember
and am too lazy to look up ;-).  it allows SELinux-like MAC (mandatory
access control), but better suited to securing particular applications
instead of the overhead/hassle of the entire system.

there are already policy files/descriptions/configurations for several
applications distributed with AppArmor, one of them being NTPd, but they
usually end up being distro specific, but it's easy to create your own by
running NTPd under the control of a monitor (actually it creates a warn-all
policy that logs all exercised permissions to syslog) and when finished the
monitor asks you what permissions to allow based on the permissions NTPd
exercised while being monitored.

there's even a recorded video presentation of it from the 2006 FOSDEM (see
FOSDEM website).

this is what i'm about to implement (done all the preliminary research and
tried it on qemu as ubuntu already has packages, but i need to rebuild/port
it to debian) for services (NTP, SNMP) that require too many capabilities
to securely contain with Vserver in a guest and are easier to restrain with
AppArmor.

corey
-- 
[EMAIL PROTECTED]
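
The monitor-then-allow workflow described in the message above, sketched as an added example (not part of the original post and not AppArmor's own tooling): it collapses the permissions a profile exercised in complain mode into candidate rules. The log lines are constructed and assume the key="value" audit layout of current AppArmor kernels; `parse` and `draft_rules` are hypothetical helper names.

```python
import re

# Constructed sample: complain-mode audit lines in the key="value" layout
# current AppArmor kernels write (assumed format; not taken from the thread).
SAMPLE_LOG = '''\
audit: type=1400 audit(1183510174.101:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1183510174.140:42): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/ntpd" pid=1234 comm="ntpd" capability=10 capname="net_bind_service"
audit: type=1400 audit(1183510174.205:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1183510175.310:44): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/ntpd" pid=1234 comm="ntpd" capability=25 capname="sys_time"
audit: type=1400 audit(1183510180.002:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=1300 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1183513774.870:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift" pid=1234 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in a profile.
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                "k": "k", "l": "l", "m": "m"}

def parse(line):
    """Split one audit line into its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def draft_rules(log, profile):
    """Collapse the ALLOWED events of one profile into candidate rules."""
    caps, files, review = set(), {}, set()
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "ALLOWED" or f.get("profile") != profile:
            continue
        if f.get("operation") == "capable":
            caps.add(f["capname"])
        elif "name" in f:
            for ch in f.get("requested_mask", ""):
                if ch in MASK_TO_RULE:
                    files.setdefault(f["name"], set()).add(MASK_TO_RULE[ch])
                else:  # e.g. "x": needs a transition mode chosen by a human
                    review.add(f"# review {f['name']}: mask {ch!r}")
    rules = [f"capability {c}," for c in sorted(caps)]
    for path in sorted(files):
        perms = "".join(p for p in "rwaklm" if p in files[path])
        rules.append(f"{path} {perms},")
    return rules + sorted(review)

if __name__ == "__main__":
    print("\n".join(draft_rules(SAMPLE_LOG, "/usr/sbin/ntpd")))
```

The `capability sys_time,` line in the result is the clock-setting privilege the thread's opening question turns on; each drafted rule is a candidate for review before the profile is switched to enforcing.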