Monthly Archives: September 2014

Welcome to the Newly Revised (and Revived) Xen Project Blog

After several days offline, the Xen Project blog has returned!

Our blog had been subjected to malicious activities, so we had to take it down and remedy the situation. We’re back now, and although there are a few minor issues to address, we are ready to move forward.

A few things you may notice:

  • The appearance: We are using a different theme for the time being. It doesn’t have the look of the rest of our site, but we will take care of that before too long. In the meantime, we ask for your patience while we work to put things in order.
  • The user accounts: For security reasons, we had to make sure that no unauthorized users have administrative access. As a result, we only moved over the accounts of people who have written blogs. So, to log in, you will need to do one of the following:

- If you wrote a blog, you will need to use the “I lost my password” system to set your password.  

- If you did not write a blog, you will need to create a new account.

  • The comments: We had to remove the existing comments because of the damage which was done. Older blog entries have their comments locked, but new blog entries will allow comments going forward.
  • Tags and Categories: We had to reset these as well. For now, please use the search function to find older posts.

There are also some differences (like the login area is in the lower right panel of the front page) which will take some adjustment, but we believe the key functionality is intact. If you believe something is missing or lacking, please leave a comment below or send me email.

Thanks!

Xen & Docker: Made for Each Other!

By Olivier Lambert

Containers and hypervisors are often seen as competing technologies, enemies even. In reality the two are complementary and increasingly used together by developers and admins. A recent Linux.com article discussed this supposed battle, noting that developers are running Docker inside traditional VMs to bolster security. Containers let users develop and deploy a variety of applications with remarkable efficiency, while virtualization puts a hardware-enforced isolation boundary around them, so a compromised container (or the container host’s kernel) does not expose the rest of the infrastructure.

Uniting these technologies helps developers and system administrators be even more efficient. Let’s take a closer look at how to achieve this with Docker and Xen Project virtualization, and why we expect more and more organizations to use them together in the near future. This will also be a key topic at the September 15 Xen Project User Summit at the Lighthouse Executive Conference Center in New York City. Register today to learn more about enabling Docker in Xen environments for a truly open infrastructure.

Caption: Xen In Action: lifting Docker, which is lifting containers. I heard you like boats, so I put boats on your boat :).

Who’s Who: What is Xen Project Virtualization?

The Xen Project Hypervisor is a mature virtualization technology used by many of the world’s largest cloud providers, including AWS, Verizon Terremark and Rackspace. First released in 2003, Xen Project virtualization has proven to be a highly reliable, efficient and flexible hypervisor for a range of environments, running on everything from x86 servers to ARM boards.

Xen support is now fully upstream in the Linux kernel, and the project is hosted by the Linux Foundation. The same big cloud users mentioned above also contribute regularly to the project, along with many of the world’s largest technology companies, including Citrix, Cavium, Intel, Oracle and more.

Feature updates and broader community collaboration are on the upswing too: more commits, more communication, better integration, new use cases and simpler and more powerful modes, such as PVHVM then PVH, as outlined in this recent blog.

The core Xen Project team takes security seriously, and the technology has been battle-tested by many in the defense sector, including the NSA. Xen Project users have benefited from this for years, and developers building, shipping and running distributed applications will profit as well.

What is XenServer and Xen Orchestra?

XenServer is a packaged product consisting of the Xen Project Hypervisor and the Xen Project Management API (XAPI) toolstack on a performance-tuned CentOS distribution. It’s free and can be installed in just a few minutes; download it from http://xenserver.org/open-source-virtualization-download.html.

Xen Orchestra (XO) is a simple but powerful web interface that works out of the box with XenServer, or with any host running Xen and XAPI (the most advanced API for Xen). Take a look at the project website to learn more. Both of these tools are of course free software.

What is Docker?

In its own words, Docker defines itself as an open platform for developers and sysadmins to build, ship, and run distributed applications. Consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service for sharing applications and automating workflows, Docker enables apps to be quickly assembled from components and eliminates the friction between development, QA, and production environments.

Main Advantages:

  • fast (a container boots in milliseconds)
  • simple to use, even in complex workflows
  • lightweight (containers share the host kernel)
  • high container density on one host

The other side of the coin:

  • all containers share the host kernel, so the kernel is the only isolation boundary: a kernel bug reachable from one container is a compromise of the whole host (isolation, security)
  • less maturity than a traditional hypervisor (Docker is still young)
  • containers run on the host’s OS and kernel (less diversity than with hypervisors)
  • some friction between developers and admins about its usage: not Docker’s fault, more the classic friction when you bring new toys to your devs. :) We’ll see why and how to cope with that below.

Best of Both Worlds

An ideal world would:

  • Let admins do their admin stuff without constraints and/or exposure to dangerous things.
  • Let developers do their developer stuff without constraints and/or exposure to dangerous things.

Fluid Workflow

In other words, they’d be able to create really cool workflows. For example:

  • An admin should be able to easily create a Docker-ready VM running on a hypervisor, with exactly the resources needed at a given point in time (he knows the total amount of resources available, e.g. a VM with 2 CPUs and 4GB of RAM).
  • He should be able to delegate (with the same simplicity) this Docker-ready VM to the dev team.
  • Developers can use it and play with their new toy, without any chance of breaking anything other than the VM itself. The VM is a sandbox rather than a jail: developers can create as many containers as they need inside it.

Now you can easily imagine other exciting things such as:

  • An admin can delegate snapshot rollback control to a developer. If the developer breaks the VM, he can roll back to the “clean” snapshot without bothering the admin staff. Live, die, repeat!
  • Need to clone the same container for other tests? One click in a web interface.
  • Need to extend the resources of the current VM? One click, live.
  • Ideally, let a developer create containers from the same web interface.

Xen Orchestra: A Bridge Between Docker and Xen Project Hypervisor

So how do we do all this without creating a brand new tool? As you may guess, the answer is Xen Orchestra, which today achieves much of this. Updates planned for later this year and 2015 will deliver even more efficiencies between the two technologies.

What XO Does Today

  • Adjust Resources Live: You can reduce or raise the number of CPUs, RAM, etc., while the VM is running! This lets you grow or shrink the footprint of your Docker VM without interrupting the service. Check it out in this short video.
  • Snapshots and Rollback: Snapshots and rollback in XO have been fully operational since XO 3.3. Check out how this works in this feature presentation. Coupled with Docker, this is very helpful: when your fresh Dockerized VM is ready, take a snapshot; then you can roll back whenever you want to return to this clean state. All with just a few clicks and in a few seconds.

Coming Soon

  • Docker-Ready Templates in One Click: This feature will be released this year. In a few words, you request our template directly from your XO interface; it is downloaded and becomes operational in your own infrastructure, with Docker listening and ready for action, using the resources you choose to allocate (CPU, RAM, disk). No installation: it works out of the box. Read more in this article.
  • ACL and Delegation: The ideal workflow rests on ACLs, and integrating them into Xen Orchestra is our current priority. In our case, they let you delegate a VM to your team using Docker; the VM can be rolled back or rebooted without asking you. More info here.
  • Docker Control from XO: Because we can get the IP of a VM thanks to its Xen tools, we should be able to send commands to the Docker API directly through XO. That way you only need one interface for Docker AND Xen (at least for simple Docker operations), and you get the best of XO for both: ACLs, visualization, etc. One caveat: the Docker remote API is root-equivalent inside the VM, so if dockerd is exposed on a TCP port for this, it must be limited to TLS with client-certificate verification (Docker’s --tlsverify mode), never plain unauthenticated TCP. This last feature is not on our current roadmap, but will probably pop up in early 2015!
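To make the “Docker Control from XO” idea concrete, here is an added example of the two steps involved: pulling the VM’s address out of the guest-metrics that the Xen tools report through XAPI, and then reaching the Docker Remote API only over mutually authenticated TLS. This is not Xen Orchestra’s code. It assumes the VM runs the XenServer guest tools (so XAPI’s VM_guest_metrics “networks” map contains keys such as “0/ip”), that dockerd in the VM listens on tcp://0.0.0.0:2376 with --tlsverify and a server certificate carrying the VM’s IP as a subjectAltName, and that ca.pem, cert.pem and key.pem are placeholder paths for the CA and client credentials; the sample guest-metrics map in the script is constructed.

```python
"""Locate a Docker-ready Xen VM through XAPI and talk to its Docker Remote API
only over mutually authenticated TLS.

Added example, not Xen Orchestra's own code.  Assumptions (not from the post):
  * the VM runs XenServer guest tools, so XAPI's VM_guest_metrics "networks"
    map carries entries such as {"0/ip": "10.0.0.5", "0/ipv6/0": "fe80::1"};
  * dockerd in the VM listens on tcp://0.0.0.0:2376 with --tlsverify and its
    server certificate carries the VM's IP as a subjectAltName;
  * ca.pem / cert.pem / key.pem are placeholder paths for the CA and client
    credentials held by whoever drives the API.
"""
import http.client
import ipaddress
import json
import ssl

DOCKER_TLS_PORT = 2376     # Docker's conventional TLS port
DOCKER_PLAIN_PORT = 2375   # unauthenticated; anyone who reaches it is root in the VM


def guest_ipv4(networks, vif=0):
    """Return the IPv4 address guest tools reported for virtual interface `vif`.

    Older tools publish "<vif>/ip"; newer ones also publish "<vif>/ipv4/<n>".
    Values are validated with the ipaddress module so a corrupted or spoofed
    guest-metrics entry cannot smuggle in a hostname or URL fragment.
    """
    for key in (f"{vif}/ip", f"{vif}/ipv4/0"):
        value = networks.get(key)
        if not value:
            continue
        addr = ipaddress.ip_address(value)   # raises ValueError on garbage
        if addr.version == 4:
            return str(addr)
    raise LookupError(f"no IPv4 address reported for VIF {vif}")


def docker_endpoint(ip, port=DOCKER_TLS_PORT):
    """Build the API base URL, refusing to target the plaintext port."""
    if port == DOCKER_PLAIN_PORT:
        raise ValueError("port 2375 is the unauthenticated Docker API; use TLS on 2376")
    return f"https://{ip}:{port}"


def tls_context(cafile, certfile, keyfile):
    """Mutual TLS: verify dockerd against our CA and present a client certificate.

    check_hostname stays enabled; it matches IP-address SANs, which is how
    dockerd certificates are normally issued.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def docker_get(ctx, ip, path, port=DOCKER_TLS_PORT):
    """One authenticated GET against the Docker Remote API, e.g. /containers/json."""
    docker_endpoint(ip, port)            # re-check the port before connecting
    conn = http.client.HTTPSConnection(ip, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"Docker API {path}: HTTP {resp.status}")
    return json.loads(body) if body else None


def vm_docker_ip(session, vm_name):
    """Resolve a VM's IP through the XenAPI Python bindings.

    `session` is an already logged-in XenAPI.Session (assumed); the
    VM.get_guest_metrics and VM_guest_metrics.get_networks calls are XAPI's.
    """
    vm_ref = session.xenapi.VM.get_by_name_label(vm_name)[0]
    gm_ref = session.xenapi.VM.get_guest_metrics(vm_ref)
    networks = session.xenapi.VM_guest_metrics.get_networks(gm_ref)
    return guest_ipv4(networks)


if __name__ == "__main__":
    # Offline demonstration on a constructed guest-metrics map.
    sample_networks = {"0/ip": "10.0.0.5", "0/ipv6/0": "fe80::1"}
    ip = guest_ipv4(sample_networks)
    print("Docker API for the VM:", docker_endpoint(ip))
    # Live use would continue with:
    #   ctx = tls_context("ca.pem", "cert.pem", "key.pem")
    #   print(docker_get(ctx, ip, "/containers/json"))
```

The point of the port check is that dockerd on 2375 accepts unauthenticated requests, and any caller that can create a container with a bind-mounted root filesystem owns the VM; with the hypervisor as the outer boundary that is “only” the delegated VM, but it is still every container the dev team runs there.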

Caption: Coming soon — deeper integration between Docker and Xen.

Conclusion

Docker is a really promising and growing technology. With Docker and Xen on the same team, the two technologies work in tandem to create an extremely efficient, best-of-breed infrastructure. Finally uniting them in one interface is a big leap ahead!

Any questions or comments? Go ahead!

By Olivier Lambert, Creator of the Xen Orchestra Project

 

Save 50%: Learn About The Next Wave of Virtualization at Xen Project User Summit, Sept 15 in New York City

[Originally posted on Linux.com]

Some claim that the age of virtualization is now past.  However, nothing could be farther from the truth.  And this year’s Xen Project User Summit will highlight many of the newest advances in virtualization.  If you use the Xen Project Hypervisor — or if you are simply evaluating your virtualization alternatives — join us in New York on September 15 at the Lighthouse Executive Conference Center!

Readers of the Xen Project blog can now register at 50% off the original $79 price.  Just use code XenUser50off when you register!

This year’s event focuses on a number of timely topics, including:

The New World of Unikernels

Some of the hottest technologies in the world of virtualization are unikernels.  Small, lightweight and secure, unikernels will power a new type of cloud.  By allowing hundreds, or even thousands, of VMs per host, unikernels let us develop exciting new visions of the cloud.  Hear from the creators of notable entries such as OSv and HaLVM.

The Latest about Xen Project in OpenStack and SUSE Cloud

Many organizations are making plans for clouds based on OpenStack.  Now is an excellent time to see how SUSE Cloud can leverage Xen Project software to make those plans become a reality.

New Features Coming in Xen Project 4.5

Some mature projects slow down development as they age.  But not Xen Project!  Our upcoming release has the longest list of new features we’ve seen in years!  Get the lowdown on what changes are coming, so you can start making plans.  Plus, we’ll hear about the latest news from the Board of Advisors.

Improving Security

You can’t get serious about the cloud without addressing security.  Learn about the Advanced Security features of Xen Project as well as the Zazen security architecture.  And hear about the case study describing the deployment of Xen Project-powered security devices.

Upcoming From the XenServer Project

Last summer marked the birth of the Open Source XenServer project.  For years, XenServer has been a very popular commercial product which leverages Xen Project software.  Now learn what’s planned in the next iteration of XenServer.

The Newest From Xen Orchestra

There are a number of other software projects in the Xen Project ecosystem.  One of the most exciting is Xen Orchestra, a web-based GUI for XAPI and XenServer.

The Latest from Xen4CentOS

Last year, Xen Project was re-integrated into CentOS 6 via the Xen4CentOS effort.  Learn how to use Xen4CentOS and hear what’s coming in the new CentOS Virtualization SIG.

And the Future Development for High Availability

There’s plenty more in development at Xen Project.  Still under development is COLO, an effort to bring high availability to VMs using lock-step failover.  Hear about the status of this project while it is still cooking.

All From the Mouths of Industry Leaders and Innovators

Many of our presenters are from industry leaders like Oracle, Intel, Citrix, Red Hat, and SUSE.  But we also have people from up-and-coming organizations like Cloudius Systems, Galois, Vates, Zentific, and Sound Linux Training.

For the schedule and registration information, please visit the Linux Foundation Events website.  And don’t forget the code XenUser50off when you register!

We hope to see you in New York!

Xen Project Maintenance Releases Available (Versions 4.4.1, 4.3.3, 4.2.5)

I am pleased to announce the release of Xen 4.4.1, 4.3.3 and 4.2.5. We recommend that all users of the 4.4, 4.3 and 4.2 stable series update to the latest point release.

Xen 4.4.1

Xen 4.4.1 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.1) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-44-series/xen-441.html

This release fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3125 / XSA-91: Hardware timer context is not properly context switched on ARM
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-2915 / XSA-93: Hardware features unintentionally exposed to guests on ARM
  • CVE-2014-2986 / XSA-94: ARM hypervisor crash on guest interrupt controller access
  • CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95: input handling vulnerabilities loading guest kernel on ARM
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-3969 / XSA-98: insufficient permissions checks accessing guest memory on ARM
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests
  • CVE-2014-4022 / XSA-101: information leak via gnttab_setup_table on ARM
  • CVE-2014-5147 / XSA-102: Flaws in handling traps from 32-bit userspace on 64-bit ARM
  • CVE-2014-5148 / XSA-103: Flaw in handling unknown system register access from 64-bit userspace on ARM

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can’t guarantee that all affected chipsets are being covered; Intel is working diligently on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

Xen 4.3.3

Xen 4.3.3 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.3) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-433.html

This fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can’t guarantee that all affected chipsets are being covered; Intel is working diligently on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

Xen 4.2.5

Xen 4.2.5 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2 (tag RELEASE-4.2.5) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-425.html

Note that this is expected to be the last release of the 4.2 stable series. The tree will be switched to security only maintenance mode after this release.

This fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Apart from those there are many further bug fixes and improvements.
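As a quick way to act on the recommendation above, here is an added example (not Xen Project tooling) that reads the output of `xl info` from a dom0, works out which stable series the host runs and its point version, and lists which of the XSAs named in this announcement the host is still missing. The fixed-version table is taken directly from the three release lists above; the `xl info` sample embedded in the script is constructed, and the `xen_major`/`xen_minor`/`xen_extra` keys are the ones `xl info` prints.

```python
"""Check whether a Xen host has picked up the point releases announced above
(4.4.1, 4.3.3, 4.2.5).

Added example, not Xen Project tooling.  It parses `xl info` output from dom0
and reports which of the announced XSAs the host still lacks.  The sample
output below is constructed.
"""
import re
import subprocess

# Minimum fixed point release per stable series and the XSAs it closes,
# exactly as listed in the announcement.  The 4.4 list includes the ARM-only
# issues because the announcement does; they do not apply to x86 hosts.
FIXED = {
    (4, 4): (1, ["XSA-89", "XSA-91", "XSA-92", "XSA-93", "XSA-94", "XSA-95",
                 "XSA-96", "XSA-98", "XSA-100", "XSA-101", "XSA-102", "XSA-103"]),
    (4, 3): (3, ["XSA-89", "XSA-92", "XSA-96", "XSA-100"]),
    (4, 2): (5, ["XSA-89", "XSA-92", "XSA-96", "XSA-100"]),
}


def parse_xl_info(text):
    """Turn `xl info` output ('key   : value' lines) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def xen_version(info):
    """(major, minor, patch) from xen_major / xen_minor / xen_extra.

    xen_extra looks like ".1", ".1-pre" or "-unstable"; only a leading ".N"
    counts as a released point version, anything else is treated as 0.
    """
    major = int(info["xen_major"])
    minor = int(info["xen_minor"])
    m = re.match(r"^\.(\d+)", info.get("xen_extra", ""))
    patch = int(m.group(1)) if m else 0
    return major, minor, patch


def missing_xsas(info):
    """XSAs from the announcement the host is still exposed to.

    Returns None when the series is not covered by this announcement
    (for example a 4.5 development build or an older series).
    """
    major, minor, patch = xen_version(info)
    entry = FIXED.get((major, minor))
    if entry is None:
        return None
    fixed_patch, xsas = entry
    return [] if patch >= fixed_patch else list(xsas)


# Constructed `xl info` excerpt for an unpatched 4.4.0 host.
SAMPLE_XL_INFO = """\
host                   : xen-host-1
release                : 3.10.0-123.el7.x86_64
xen_major              : 4
xen_minor              : 4
xen_extra              : .0
xen_version            : 4.4.0
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
"""


def check_live_host():
    """Run `xl info` on this dom0 (needs root and the xl toolstack) and evaluate it."""
    out = subprocess.run(["xl", "info"], check=True,
                         capture_output=True, text=True).stdout
    return missing_xsas(parse_xl_info(out))


if __name__ == "__main__":
    print("sample 4.4.0 host still lacks:", missing_xsas(parse_xl_info(SAMPLE_XL_INFO)))
```

Run `check_live_host()` on each dom0 after upgrading; an empty list means the host is at or past the point release for its series, and `None` means the series is not one of the three covered here, so the check says nothing about it.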