Xen Project Maintenance Releases Available (Versions 4.6.5 and 4.7.2)

I am pleased to announce the release of Xen 4.6.5 and 4.7.2. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.6 and 4.7 stable series update to the latest point release.

Xen 4.6.5

Xen 4.6.5 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6
(tag RELEASE-4.6.5) or from the Xen Project download page http://www.xenproject.org/downloads/xen-archives/supported-xen-46-series/xen-465.html

Xen 4.7.2

Xen 4.7.2 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7
(tag RELEASE-4.7.2) or from the Xen Project download page http://www.xenproject.org/downloads/xen-archives/supported-xen-47-series/xen-472.html

These releases contain many bug fixes and improvements. For a complete list of changes, please check the lists of changes on the download pages.

Xen Project Participates in Google Summer of Code and Outreachy

This is a quick announcement that the Xen Project is again participating in Google Summer of Code (GSoC), a program that awards three-month paid stipends to University students to work on open source projects, with the goal to get open source experience. The Xen Project will also again participate in Outreachy, which is an internship program that organises three-month paid internships with free and open-source software projects for people who are typically underrepresented in the technology industry. Outreachy has been helping women (cis and trans), trans men, genderqueer people and people from other discriminated backgrounds get involved in free and open source software for several years. The Xen Project is proud that it has participated continually in Outreachy (and its predecessor OPW) for 4 years.

I want to participate, how do I get started?

If you are not at all familiar with programs such as GSoC and Outreachy, have a quick look at our introduction. In a nutshell, both programs go through several stages:

  • Check eligibility requirements.
  • Now until application period: Preparation by working on small tasks (also called micro-tasks) within our community to identify a suitable project and to familiarise yourself with the technology.
  • Application Period (aka paperwork): For GSoC, the application system is open from March 20 to Apr 3, 2017; however you should work on micro-tasks before and prepare your application together with a mentor as early as possible. For Outreachy, the application system is already open and will close March 30, 2017 (but you can edit and modify proposals submitted in agreement with your mentor until April 28th).
  • Selection Period: After applying to participate, our mentors will chose the most promising candidates. Successful candidates will be announced on the following dates: April 28 (Outreachy), May 4 (GSoC).
  • Internship Duration: May 30 to August 29 (GSoC) and August 30 (Outreachy).

For a list of projects for participants and more information on how to apply, check our Xen Project 2017 Summer Internship Portal. We have many different projects in many different areas: from Hypervisor work, projects in Mirage OS, to tools and test related tasks. Note that we will be adding extra projects to this page in the coming weeks and that applicants can suggest projects on their own.

You may also want to check out the pages of GSoC mentoring organisations which we collaborate with. Sometimes, you will find Xen related projects there: FreeBSD (currently 2 projects), QEMU, Libvirt.

Learn about the Experience of past Participants

At a past Xen Project Developer Summit, we ran a panel discussion that included Outreachy interns, GSoC students as well as mentors.

You may also want to read Women interns rocking open source at Xen Project.

How To Shrink Attack Surfaces with a Hypervisor

A software environment’s attack surface is defined as the sum of points in which an unauthorized user or malicious adversary can enter or extract data. The smaller the attack surface, the better. Linux.com recently sat down with Doug Goldstein (https://github.com/cardoe or @doug_goldstein) to discuss how companies can use hypervisors to reduce attack surfaces and why the Xen Project hypervisor is a perfect choice for security-first environments. Doug is a principal software engineer at Star Lab, a company focused on providing software protection and integrity solutions for embedded systems.

You can read the full interview here.

Request for Comment: Scope of Vulnerabilities for which XSAs are issued

Issuing advisories has a cost: It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, build, and test patches; and it costs many of our users time to decide whether to do an update, and if so, to test and deploy it.

Given this, the Xen Project Security Team wants to clarify when they should issue an advisory or not: the Xen Security Response Process only mentions “‘vulnerabilities”, without specifying what constitutes a vulnerability.

We would like guidelines from the community about what sorts of issues should be considered security issues (and thus will have advisories issued). I have posted the second version a draft of a section I am proposing to be added to the Xen Security Policy to xen-devel; a copy is included below for your convenience. There are only minor modifications from the first draft, so barring major feedback from the wider community it will likely achieve consensus. If you want input, now is the time to speak up.

Most of it is just encoding long-established practice. But there are two key changes and / or clarifications that deserve attention and discussion:

    Criteria 2c: Leaking of mundane information from Xen or dom0 will not be considered a security issue unless it may contain sensitive guest or user data

Criteria 4: If no operating systems are vulnerable to a bug, no advisory will be issued.

If you want to weigh in on the question, please join the discussion on xen-devel before 28 February. The title of the thread is “RFC v2: Scope of Vulnerabilities for which XSAs are issued”.

Continue reading

Tips and Tricks for Making VM Migration More Secure

A challenge for any cloud installation is the constant tradeoff of availability versus security. In general, the more fluid your cloud system (i.e., making virtualized resources available on demand more quickly and easily), the more your system becomes open to certain cyberattacks. This tradeoff is perhaps most acute during active virtual machine (VM) migration, when a VM is moved from one physical host to another transparently, without disruption of the VM’s operations. Live virtual machine migration is a crucial operation in the day-to-day management of modern cloud environment.

Linux.com recently published an article from John Shackleton of Adventium Labs that focuses on how to recognize and avoid common attacks with VM migration. Read the full article here.


FOSDEM Here We Come!

It’s that time of the year again – FOSDEM is coming to Brussels February 4 – 5 and the Xen Project team will be attending again.

We’ll be at a booth with Citrix, Oracle, both Xen Project members, and Vates. Xen Orchestra, which offers a complete web UI for controlling a XenServer and Xen infrastructure, will be demoed at the booth. You can find us in section K, level 1, group C, booth 5 or to make it easier between TOR/TAILS and OpenStack.

If you want to learn more about Xen Project technology, FOSS licenses and unikernels, then we recommend you come by the booth and/or head to the following presentations:

Live patching the Xen Project hypervisor
*Happening Saturday from 11:30 – 11:55
Live patching is the process of updating software while it is running, i.e. no more reboots. This type of technology is particularly important for cloud providers who need to keep themselves up and running 24/7. This talk covers everything from the design and implementation of live patching for Xen Project software to how it differs from live patching for Linux.

Mixed License FOSS Projects
*Happening Saturday from 11:35 – 12:20
Many projects start out with the intention of staying a single license FOSS project, but as your project grows there are some different licenses that you may not have anticipated. This talk will explore unintended consequences, risks and best practices through Xen Project examples on license issues. If you are an open source project that is growing fast, this is definitely a talk you don’t want to miss.

Adventures in Building Unikernel Clouds
*Happening Saturday from 14:45 to 15:25
Unikernels are a great approach to building the next generation of cloud infrastructure – they are performant and have a small attack surface. Even though the concept of a unikernel is not new, there has not been a ton of work done in building them for the infrastructure today. This talk provides a deep dive into the various layers of infrastructure that one needs to build out their own infrastructure of unikernels.

Towards a HVM-like Dom0 for Xen: Reducing the OS burden while taking advantage of new hardware features
*Happening Saturday from 18:45 to 19:00
Xen Project hypervisor uses a microkernel design that allows multiple concurrent operating systems to run on the same hardware. One of the key features of Xen Project software is that it is OS agnostic, meaning that any OS (with proper support) can be used as a host. This talk provides an overview on the different kind of guests supported by Xen Project software and how these new hardware features are used in order to improve and evolve them. It also describes the design and implementation of a new guest type, called PVHv2, and how it can be used as a control domain (Dom0).

We look forward to seeing you there. For those who can’t attend, follow our Twitter feed for FOSDEM updates and to stay up-to-date  on what’s happening with the project.