Why Unikernels Can Improve Internet Security

This is a reprint of a 3-part unikernel series published on Linux.com. In this post, Xen Project Advisory Board Chairman Lars Kurth explains how unikernels address security and allow for the careful management of particularly critical portions of an organization’s data and processing needs. (See part one, 7 Unikernel Projects to Take On Docker in 2015.)

Many industries are rapidly moving toward networked, scale-out designs with new and varying workloads and data types. Yet, pick any industry — retail, banking, health care, social networking or entertainment — and you’ll find security risks and vulnerabilities are highly problematic, costly and dangerous.

Adam Wick, creator of the Haskell Lightweight Virtual Machine (HaLVM) and a research lead at Galois Inc., which counts the U.S. Department of Defense and DARPA as clients, says 2015 is already turning out to be a break-out year for security.

“Cloud computing has been a hot topic for several years now, and we’ve seen a wealth of projects and technologies that take advantage of the flexibility the cloud offers,” said Wick. “At the same time though, we’ve seen record-breaking security breach after record-breaking security breach.”

The names are more evocative and well-known thanks to online news and social media, but low-level bugs have always plagued network services, Wick said. So, why is security more important today than ever before?

Improving Security

The creator of MirageOS, Anil Madhavapeddy, says it’s “simply irresponsible to continue to knowingly provision code that is potentially unsafe, and especially so as we head into a year full of promise about smart cities and ubiquitous Internet of Things. We wouldn’t build a bridge on top of quicksand, and should treat our online infrastructure with the same level of respect and attention as we give our physical structures.”

In the hopes of improving security, performance and scalability, there’s a flurry of interesting work taking place around blocking out functionality into containers and lighter-weight unikernel alternatives. Galois, which specializes in R&D for new technologies, says enterprises are increasingly interested in the ability to cleanly separate functionality to limit the effect of a breach to just the component affected, rather than infecting the whole system.

For next-generation clouds and in-house clouds, unikernels make it possible to run thousands of small VMs per host. Galois, for example, uses this capability in their CyberChaff project, which uses minimal VMs to improve intrusion detection on sensitive networks, while others have used similar mechanisms to save considerable cost in hardware, electricity, and cooling; all while reducing the attack surface exposed to malicious hackers. These are welcome developments for anyone concerned with system and network security and help to explain why traditional hypervisors will remain relevant for a wide range of customers well into the future.

Madhavapeddy goes as far as to say that certain unikernel architectures would have directly tackled last year’s Heartbleed and Shellshock bugs.

“For example, end-to-end memory safety prevents Heartbleed-style attacks in MirageOS and the HaLVM. And an emphasis on compile-time specialization eliminates complex runtime code such as Unix shells from the images that are deployed onto the cloud,” he said.

The MirageOS team has also put their stack to the test by releasing a “Bitcoin pinata,” which is a unikernel that guards a collection of Bitcoins. The Bitcoins can only be claimed by breaking through the unikernel security (for example, by compromising the SSL/TLS stack) and then moving the coins. If the Bitcoins are indeed transferred away, then the public transaction record will reflect that there is a security hole to be fixed. The contest has been running since February 2015 and the Bitcoins have not yet been taken.

Linux container vs. unikernel security

Linux, as well as Linux containers and Docker images, rely on a fairly heavyweight core OS to provide critical services. Because of this, a vulnerability in the Linux kernel affects every Linux container, Wick said. Instead, using an approach similar to a la carte menus, unikernels only include the minimal functionality and systems needed to run an application or service, all of which makes writing an exploit to attack them much more difficult.

Cloudius Systems, which is running a private beta of OSv (billed as the operating system for the cloud), recognizes that progress is being made on this front.

“Rocket is indeed an improvement over Docker, but containers aren’t a multi-tenant solution by design,” said CEO Dor Laor. “No matter how many SELinux Linux policies you throw on containers, the attack surface will still span all aspects of the kernel.”

Martin Lucina, who is working on the Rump Kernel software stack, which enables running existing unmodified POSIX software without an operating system on various platforms, including bare metal embedded systems and unikernels on Xen, explains that unikernels running on the Xen Project hypervisor benefit from the strong isolation guarantees of hardware virtualization and a trusted computing base that is orders of magnitude smaller than that of container technologies.

“There is no shell, you cannot exec() a new process, and in some cases you don’t even need to include a full TCP stack. So there is very little exploit code can do to gain a permanent foothold in the system,” Lucina said.

The key takeaway for organizations worried about security is that they should treat their infrastructure in a less monolithic way. Unikernels allow for the careful management of particularly critical portions of an organization’s data and processing needs. While it does take some extra work, it’s getting easier every day as more developers work on solving challenges with orchestration, logging and monitoring. This means unikernels are coming of age just as many developers are getting serious about security as they begin to build scale-out, distributed systems.

For those interested in learning more about unikernels, the entire series is available as a white paper titled “The Next Generation Cloud: The Rise of the Unikernel.”

Read part 1: 7 Unikernel Projects to Take On Docker in 2015

Future of Xen Project: Video Spotlight Interview with Cavium’s Larry Wikelius

With several companies introducing ARM servers recently, cloud providers and enterprise datacenters are excited to see new alternatives for reducing costs and power use come to market. Cavium, a semiconductor leader with a long heritage in security and wireless/networking, entered the race with the introduction of ThunderX™, the industry’s first 48-core and 96-core family of ARMv8 workload-optimized processors. To get to this point, numerous companies, developers and organizations, including Cavium, put great effort into the development of server software, standards and products to make ARM-based SoCs a viable option in these environments. For Cavium, joining the Xen Project was a critical part of its work to advance the evolving ARM ecosystem. According to Larry Wikelius, Xen Project Advisory Board member and Cavium’s Director of Ecosystems and Partner Enablement, it has also been crucial to competing in this evolving market.

In our latest “Future of Xen” video, Larry says working with the Xen Project hypervisor is an important requirement for certain customers. With many Cavium customers and partners already using the open source hypervisor, the company needs to not only support Xen, but commit to optimizing the hypervisor for private and public clouds as well as corporate datacenters. Cavium joined the Xen Project community last year and is pleased to see the Project dedicate significant resources and development cycles to ensuring full support, peak performance and efficiencies for ARM-based servers and SoCs. As a board member, Cavium is also able to shape the Project’s roadmap, ensuring it protects Xen deployments and a scale-out strategy to support cloud, telecommunications, Internet of Things devices, big data analytics and more. While the Project’s early commitment to ARM support is relevant, what’s equally important is the hypervisor’s small footprint and the growing number of silicon vendors, software companies and end users investing in the Project.

So beyond scale-out data center and cloud deployments, what else is ahead for ARM-based servers and SoCs? Larry already sees the networking and carrier space mobilizing behind network function virtualization (NFV). Versions of its ThunderX chip aimed at NFV workloads as well as telecommunication, media, and gaming systems offer more I/O in general and security accelerators. Larry recently spoke about this topic at The Linux Foundation’s Collaboration Summit 2015 last month. Be sure to watch his video and check out slides from his talk to learn more.


Future of Xen Project: Video Spotlight Interview with Intel’s Donald Dugger

Intel’s Virtualization Architect Donald Dugger started working on Xen Project software eight years ago. We recently interviewed Don to find out why Intel continues to support, contribute and invest in the Xen Project. One of the first companies to contribute to hardware-assisted virtualization, today Intel remains equally focused on actively promoting open source virtualization. The company continually adds new virtualization features in its CPUs and is constantly evolving its virtualization support. Improved cache monitoring technology, which provides faster processing and better utilization to resolve the “noisy neighbor” dilemma when hosting large, resource-hungry data sets, is the latest contribution from the world’s largest chip company. Don spoke to eWeek about this new feature last week for the release of Xen Project Hypervisor version 4.5.

In this video, Don discusses the pressure data centers face today to reduce costs and achieve more efficient use of hardware. Open source Xen provides a very secure, efficient and cost-effective way to solve these problems and allows organizations to do more with less. Don also talks about the key role open source virtualization plays in cloud computing, which is poised for continued growth as datacenters struggle with capacity and resource availability. Don says Intel remains deeply committed to the Project to best service customers running a cloud environment based on Xen virtualization and utilizing Intel hardware.

Xen Project 4.5 Release Candidate 4 Test Day on December 17, 2014

Our Last Scheduled 4.5 Release Candidate Testing is on Wednesday

The Test Day for 4.5 RC4 has been set for this Wednesday, December 17, 2014.

Test Days ensure that the upcoming release is ready for production. They also allow all users to test out the upcoming release in their own environment.

This Test Day is the last one currently scheduled for the 4.5 release cycle, so if you have questions or issues with the 4.5 release candidate, this is the time to test and speak up! The RC4 software is now ready for installation.

General Information about Test Days, including the planned date for the release, can be found here:
http://wiki.xenproject.org/wiki/Xen_Project_Test_Days

and specific instructions for this Test Day are located here:
http://wiki.xenproject.org/wiki/Xen_4.5_RC4_test_instructions

Join us this Wednesday in #xentest on Freenode IRC!

Xen & Docker: Made for Each Other!

By Olivier Lambert

Containers and hypervisors are often seen as competing technologies – enemies even. But in reality the two technologies are complementary and increasingly used together by developers and admins. This recent Linux.com article talked about this supposed battle, noting however that developers are using Docker in traditional VMs to bolster security. Containers allow users to develop and deploy a variety of applications with incredible efficiency, while virtualization eliminates any constraints and/or exposure to outside attacks.

Uniting these technologies helps developers and system administrators be even more efficient. Let’s take a closer look at how to achieve this with Docker and Xen Project virtualization, and why we expect more and more organizations to use them together in the near future. This will also be a key topic at the September 15 Xen Project User Summit at the Lighthouse Executive Conference Center in New York City. Register today to learn more about enabling Docker in Xen environments for a truly open infrastructure.

Caption: Xen In Action: lifting Docker, which is lifting containers. I heard you like boats, so I put boats on your boat :).

Who’s Who: What is Xen Project Virtualization?

The Xen Project Hypervisor is a mature virtualization technology used by many of the world’s largest cloud providers, such as AWS, Verizon Terremark, Rackspace and many more. Founded in 2003, Xen Project virtualization is proven as a highly reliable, efficient and flexible hypervisor for a range of environments, running from x86 to ARM.

It’s now completely integrated in the Linux upstream and is hosted by the Linux Foundation. The same big cloud users mentioned above also contribute regularly to the project along with many of the world’s largest technology companies, including Citrix, Cavium, Intel, Oracle and more.

Feature updates and broader community collaboration are on the upswing too: more commits, more communication, better integration, new use cases and simpler and more powerful modes, such as PVHVM then PVH, as outlined in this recent blog.

The core Xen Project team takes security seriously. The technology has also been battle-tested by many in the defense industry including the NSA. Xen Project users have benefited from this for years, and developers building, shipping and running distributed applications will profit as well.

What is XenServer and Xen Orchestra?

XenServer is a packaged product consisting of the Xen Project Hypervisor and the Xen Project Management API (XAPI) toolstack within a performance tuned CentOS distribution. It’s free and can be installed in just a few minutes; click here to download it: http://xenserver.org/open-source-virtualization-download.html.

Xen Orchestra (XO) is a simple but powerful web interface working out of the box with XenServer, or any host with Xen and XAPI (the most advanced API for Xen). Take a look at the project website to learn more. Both of these tools are of course free software.

What is Docker?

In its own words, Docker defines itself as an open platform for developers and sysadmins to build, ship, and run distributed applications. Consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service for sharing applications and automating workflows, Docker enables apps to be quickly assembled from components and eliminates the friction between development, QA, and production environments.

Main Advantages:

  • fast (boot a container in milliseconds)
  • simple to use, even in complex workflows
  • light (same kernel)
  • container density on one host

The other side of the coin:

  • all containers rely on the same kernel (isolation, security)
  • less maturity than traditional hypervisor (Docker is still young)
  • containers are using the same OS on the host (less diversity than hypervisors)
  • some friction between developers and admins about its usage: not Docker’s fault, more a classical friction when you bring new toys to your devs. :) We’ll see why and how to cope with just that below.

Best of Both Worlds

An ideal world would:

  • Let admins do their admin stuff without constraints and/or exposure to dangerous things.
  • Let developers do their developer stuff without constraints and/or exposure to dangerous things.

Fluid Workflow

In other words, they’d be able to create really cool workflows. For example:

  • An admin should be able to easily create a Docker-ready VM running in a hypervisor, with the exact amount of resources needed at a given point in time (he knows the total amount of resources, e.g. a VM with 2 CPUs and 4GB of RAM).
  • He should delegate (with the same simplicity) this Docker-ready VM to the dev team.
  • Developers can use it and play with their new toy, without any chance of breaking stuff other than the VM itself. The VM is actually a sandbox, not a jail; developers can create their containers as they need in this scenario.

Now you can easily imagine other exciting things such as:

  • An admin can delegate rollback snapshot control to a developer. If he breaks the VM, he can rollback to the “clean” snapshot — without bothering the admin staff. Live, die, repeat!
  • Need to clone the same container for other tests? One click in a web interface.
  • Need to extend the resources of this current VM? One click, in live.
  • Ideally, let developers create their containers from the same web interface.

Xen Orchestra: A Bridge Between Docker and Xen Project Hypervisor

So how do we do all this without creating a brand new tool? As you may guess, the answer is Xen Orchestra, which today achieves much of this. Updates planned for later this year and 2015 will deliver even more efficiencies between the two technologies.

What XO Does Today

  • Adjust Resources In Live: You can reduce/raise number of CPUs, RAM, etc., while the VM is running! Doing this, you can grow or reduce the footprint of your Docker VM, without interrupting the service. Check it out in this short video.
  • Snapshots and Rollback: Snapshots and rollback in XO are totally operational since XO 3.3. Check out how this works in this feature presentation. Coupled with Docker, this is very helpful. When your fresh Dockerized VM is ready, take a snapshot. Then you can rollback when you want to retrieve this clean state. All with just a few clicks and in a few seconds.
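The admin-side workflow described above (size a Docker-ready VM, snapshot it before delegating it, roll it back, resize it live, clone it) can also be driven from the command line. The script below is an added example, not code from the original post or from the Xen Orchestra project: it expresses the same XAPI operations XO performs through its web interface as calls to the `xe` CLI that ships with XenServer. The template name, VM name and resource sizes are constructed placeholders, and the `XE_DRY_RUN` switch (default on here) prints each `xe` command instead of executing it, so the flow can be read and checked without a XenServer host.

```shell
#!/bin/sh
# Added example (not from the original post or from Xen Orchestra): the
# snapshot-before-delegate / rollback workflow on XenServer via the xe CLI.
# Template name, VM name and sizes are constructed placeholders.
# XE_DRY_RUN=1 prints every xe command to stderr instead of running it.

XE_DRY_RUN="${XE_DRY_RUN:-1}"

# Run one xe subcommand. In dry-run mode, print it and hand back a
# placeholder UUID for the subcommands that normally return one.
xe_run() {
    if [ "$XE_DRY_RUN" = "1" ]; then
        echo "xe $*" >&2
        case "$1" in
            vm-install|vm-snapshot|vm-clone) echo "placeholder-uuid-$1" ;;
        esac
        return 0
    fi
    xe "$@"
}

# 1. Create the VM from a template and pin its resources while it is still
#    halted (static memory limits cannot be changed on a running VM).
#    Arguments: template name, VM name, vCPUs at startup, vCPU ceiling for
#    hot-plug, memory in MiB. Static-min is set to half the requested memory
#    so that the dynamic range can later be lowered live.
docker_vm_create() {
    uuid=$(xe_run vm-install template="$1" new-name-label="$2") || return 1
    xe_run vm-param-set uuid="$uuid" VCPUs-max="$4" VCPUs-at-startup="$3" >/dev/null
    bytes=$(( $5 * 1024 * 1024 ))
    xe_run vm-memory-limits-set uuid="$uuid" \
        static-min="$(( bytes / 2 ))" static-max="$bytes" \
        dynamic-min="$bytes" dynamic-max="$bytes" >/dev/null
    echo "$uuid"
}

# 2. Take the "clean" snapshot before handing the VM to the dev team.
#    Prints the snapshot UUID, which a later rollback needs.
docker_vm_snapshot_clean() {
    xe_run vm-snapshot uuid="$1" new-name-label="clean"
}

# 3. Rollback: revert the VM to the clean snapshot. A disk-only revert
#    leaves the VM halted, so start it again afterwards.
#    Arguments: snapshot UUID, VM UUID.
docker_vm_rollback() {
    xe_run snapshot-revert snapshot-uuid="$1" >/dev/null &&
    xe_run vm-start uuid="$2" >/dev/null
}

# 4. Grow or shrink the footprint of a running VM: hot-plug vCPUs (up to
#    VCPUs-max) and move the dynamic memory range within the static limits.
#    Arguments: VM UUID, new vCPU count, new memory in MiB.
docker_vm_resize_live() {
    bytes=$(( $3 * 1024 * 1024 ))
    xe_run vm-vcpu-hotplug uuid="$1" new-vcpus="$2" >/dev/null &&
    xe_run vm-memory-dynamic-range-set uuid="$1" min="$bytes" max="$bytes" >/dev/null
}

# 5. Clone the delegated VM for another round of tests (the VM must be halted).
docker_vm_clone() {
    xe_run vm-clone uuid="$1" new-name-label="$2"
}

# Walk through the whole flow; in dry-run mode this prints each xe command.
vm=$(docker_vm_create "Docker-ready template (placeholder)" dev-docker 2 4 4096)
snap=$(docker_vm_snapshot_clean "$vm")
docker_vm_resize_live "$vm" 4 2048
docker_vm_rollback "$snap" "$vm"
```

Setting `XE_DRY_RUN=0` on a XenServer host runs the commands for real; the delegation step itself (which user may run the rollback) is what XO's ACL work adds on top of these raw calls.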

Coming Soon

  • Docker-Ready Templates in One Click: This feature will be released this year. In a few words, you can request our template directly from your XO interface; it will be downloaded and operational in your own infrastructure with Docker listening and ready for action, with the resources you choose to allocate (CPU, RAM, disk). No installation: it works out of the box. Read more in this article.
  • ACL and Delegation: The perfect workflow rests on ACLs, and integrating ACLs into Xen Orchestra is our current priority. In our case, it allows VM delegation to your team using Docker; the VM can be rolled back or rebooted without asking you. More info here.
  • Docker Control from XO: Because we can get the IP of a VM thanks to its Xen tools, we should be able to send commands to the Docker API directly through XO. In this way, you’ll just have to use one interface for Docker AND Xen (at least, for simple Docker operations), and get the best of XO for both: ACLs, visualization etc. This last feature is not in our current roadmap, but will probably pop up early in 2015!

Caption: Coming soon — deeper integration between Docker and Xen.

Conclusion

Docker is a really promising and growing technology. With Docker and Xen on the same team, the two technologies work in tandem to create an extremely efficient, best-of-breed infrastructure. Finally uniting them in one interface is a big leap ahead!

Any questions or comments? Go ahead!

By Olivier Lambert, Creator of Xen Orchestra Project


Developer Summit Line-up Announced

I am pleased to announce the schedule of the Xen Project Developer Summit. The event will take place in Chicago on August 18-19, 2014.

The Project’s second annual developer event highlights best practices, user testimonials and advancements with the industry-leading open source hypervisor. Powering many of the world’s largest clouds in production today, Xen Project developers are also leading the way in server density, million-node data centers, graphic-intensive workloads, cloud operating systems and sophisticated enterprise security.

This year’s summit will present the most relevant topics to Xen Project developers and users who are pushing the limits on virtualization, ranging from typical server virtualization and cloud computing on x86 servers to new developments with ARM servers, networking, automotive, cloud operating systems, enterprise security and mobility.

Following is a sampling of confirmed speakers and presentations to be discussed in Chicago:

  • James Bielman, Research and Engineering at Galois, XenStore Mandatory Access Control – proposes additional security access features for Xen Project software;
  • Mihai Donțu, Technical Project Manager at Bitdefender, Zero-Footprint Guest Memory Introspection from Xen – discusses how the introspection API in the Xen Project hypervisor can be used to detect, prevent and take action on several categories of malware attacks;
  • James Fehlig, Software Engineer at SUSE Linux, libvirt support for libxenlight – covers the status of Xen Project libvirt integration and outlines planned improvements;
  • Lars Kurth, Xen Project Advisory Board Chairman, State of Xen Project Software – gives an overview of the Xen Project development community and community at large;
  • Jun Nakajima, Principal Engineer at Intel Open Source Technology Center, Xen as a High-Performance Network Functions Virtualization (NFV) Platform – introduces Xen as an NFV platform, outlines solutions to the challenges of deploying the Xen Project hypervisor for NFV applications and shares best practices;
  • Nathan Studer, Technical Lead at DornerWorks, Xen and The Art of Certification – gives an overview of certification requirements in emerging use cases such as automotive, medical, and avionics and lays out a path toward certifying Xen Project technology in these industries;
  • Don Slutz, Software Architect at Verizon Terremark, Overview of Verizon Cloud Architecture – presents Verizon Cloud’s architecture, design goals and planned contributions to the Xen Project community; and
  • Stefano Stabellini, Senior Principal Software Engineer at Citrix and Xen Project Contributor, Xen on ARM Status Update and Performance Benchmarks – gives the latest developments with the Xen Project hypervisor on the ARM architecture.

Birds of a Feather Sessions and Discussions

Besides presentations, the developer summit will also provide an opportunity for in-depth interactive discussions (Birds of a Feather sessions), which allow deep interaction and collaboration between Xen Project developers and community members. These will happen in a second track alongside the main event. To submit a BoF, please go to the BoF submission page.

For more information about Xen Project Developer Summit 2014, including how to register and to view the complete schedule, visit: events.linuxfoundation.org/events/xen-project-developer-summit.