Joined: 05 Feb 2006
Posted: Sat Jan 31, 2015 3:46 am Post subject: Need help with Xen and patches.
This post is asking about what might need to be patched on Xen, or if it even needs to be patched.
I'm installing a hypervisor on an Intel C2758 board: http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm which has:
- 8-core Atom CPU http://ark.intel.com/products/77988/Intel-Atom-Processor-C2758-4M-Cache-2_40-GHz
- VT-x with extended page tables
- NO VT-d, so no peripheral donation at kernel level!
- QuickAssist (QAT) support -- the main point of me using this hardware
- 16 GB registered ECC memory (expandable to 64 GB). I have 2 sticks and 4 slots; I may go to 32 GB if necessary.
- a 240 GB OCZ Vector 150 SSD
- a 512 GB spinning 2.5" disk, mostly for swap and noncritical storage. Not even sure I need it.
- A pretty recent version of IPMI with limited video support. It's pretty cool.
- 7x Intel gigabit NICs, 6 of which can be configured as passthrough pairs or normal NICs.
The primary purpose of the box is router/VPN/UTM and possibly more if it turns out to be underutilized. From reports it will be.
I'm more familiar with KVM and would have gone there, but I've been told Xen has better stability and isolation with a lot of guests and also has better support for pfSense, which will be a guest. The hypervisor will be in contact with the Internet, so security and isolation are paramount.
- Linux kernel: Yes.
- pfSense: No, but coming with lots of people waiting.
- Snort: Yes, I think.
- Suricata: Yes, I think.
- KVM: Yes, at least with patches. https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches
- Xen: Zero mention of it in mailing lists or web page. So probably no, but does it even apply? I don't know. This is the reason for this post.
- Linux-based libraries: I think mostly yes where they matter.
The necessary security features will be:
- UTM (intrusion detection and prevention, possibly also antivirus and antispam) (benefits from QAT)
- OpenVPN, which will need to have the QAT support, or maybe just AES-NI at first, since I don't think QAT is supported yet.
- Internal router
Part of the point of this exercise is an easy-to-administer security appliance example for coworkers. So pfSense is preferred for that reason. But pfSense does not have QAT support yet. So anything that benefits from QAT and has support in its codebase or a known patch, I want to build on a Gentoo guest.
So the questions to people who understand how Xen works:
- Do I need to patch anything in Xen?
- How do I pass QAT features to a Xen guest?
- What's the best UI for Xen? It would be neat if there were an http or https interface; free is better, but payware is OK as long as it's not outrageous.
In order to avoid some discussion which has happened before, here are some points about architecture:
- I'm using Gentoo as a host, or dom0 in Xen lingo.
- Basic layout will be based on NeddySeagoon's setup for KVM; I'll edit this post when I get the link.
- I'll also have other Linux guests, probably Gentoo, if the system has enough performance left in it.
- I will donate all the NICs to router guests, nothing will be 'owned' by dom0. Not exactly clear on how to do this yet.
- IPMI and all dom0 access will be on an internal network only, not accessible from the outside even from VPN.
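The NIC-donation layout in the last list is the one piece of the architecture a dom0 config actually has to express, and the "NO VT-d" line decides how it can be done. The script below is an added example, not code from the original post or from the Xen project: it checks the dom0's `xl info` output for the `hvm_directio` capability (which Xen only reports when it found an IOMMU, i.e. VT-d) and emits the matching domU config. Without an IOMMU, Xen refuses PCI passthrough to an HVM guest such as pfSense, and PV passthrough would let the guest's devices DMA into any memory, so the fallback hands each physical port to the guest as its own bridge from dom0. The guest name `router`, the PCI addresses `03:00.0`/`03:00.1`, the bridge names `xenbr0`/`xenbr1` and the memory/vcpu sizes are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dom0-side checklist for giving
# NICs to a router domU on Xen, producing an xl config for the chosen mode.
# Assumptions (hypothetical): the xl toolstack is in use, the NICs to donate
# are PCI functions 03:00.0 and 03:00.1, and the guest is called "router".

# 1. Decide whether PCI passthrough is even possible/safe on this box.
#    `xl info` prints a virt_caps line; "hvm_directio" is listed only when
#    Xen found an IOMMU (VT-d). Without it, HVM guests cannot get PCI
#    devices, and PV passthrough would let the guest DMA anywhere, so the
#    NICs must stay owned by dom0 and be bridged into the guest instead.
passthrough_mode() {
    # $1 = full text of `xl info`; prints "iommu" or "no-iommu"
    if printf '%s\n' "$1" | grep -q '^virt_caps.*hvm_directio'; then
        echo iommu
    else
        echo no-iommu
    fi
}

# 2. Emit the xl domU config for that mode.
#    iommu:    remaining args are PCI BDFs to pass through. They must first be
#              hidden from dom0, e.g. xen-pciback.hide=(03:00.0)(03:00.1) on
#              the dom0 kernel command line, or `xl pci-assignable-add <bdf>`.
#    no-iommu: remaining args are dom0 bridge names, one per physical port,
#              so the guest still sees one interface per NIC.
router_cfg() {
    mode=$1; shift
    printf 'name = "router"\nbuilder = "hvm"\nmemory = 2048\nvcpus = 2\n'
    list=""
    if [ "$mode" = iommu ]; then
        for dev in "$@"; do list="$list'$dev',"; done
        printf 'pci = [%s]\n' "${list%,}"
    else
        for br in "$@"; do list="$list'bridge=$br',"; done
        printf 'vif = [%s]\n' "${list%,}"
    fi
}

# Usage on a live dom0 (assumed paths/names):
#   mode=$(passthrough_mode "$(xl info)")
#   if [ "$mode" = iommu ]; then
#       router_cfg iommu 03:00.0 03:00.1 > /etc/xen/router.cfg
#   else
#       router_cfg no-iommu xenbr0 xenbr1 > /etc/xen/router.cfg
#   fi
#   xl create /etc/xen/router.cfg
```

On the board described in the post the check lands in the `no-iommu` branch, so the "nothing owned by dom0" goal cannot be met literally: dom0 keeps the PCI devices and only the bridges reach the guest. The IOMMU branch is included so the same script carries over to a VT-d board.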