# virtualization options under hardened-sources

## cach0rr0

KIA ORA!

I've been doing a bit of reading on this, have yet to come to any concrete conclusion. 

I've done the whole 'hardened' route, inclusive of enabling the bulk of the grsec/pax options in the kernel (using hardened-sources 'server' profile), as well as the hardened toolchain, etc. 

Is there any virtualization route I can go without crippling some of the features provided by grsec/pax? 

*without* the hardened stuff in the picture, I'd considered these as options:

- Xen
- OpenVZ
- KVM (+Qemu)

I've found the guides for all three, but I'd imagine special consideration would have to be given under hardened-sources. Has anyone gotten any of the above to work, how painful was it, how much pax/grsec functionality did you have to disable, etc? 

I'm not necessarily asking for detailed info on how you did it, just which route you may have taken, and how painful it is, before I decide if it's feasible for me to pursue any of these routes. Other virtualization technologies welcome (NOT vmware or virtualbox), just these are the ones I'm most familiar with in a non-hardened setting. 

As it's no doubt relevant, snips from /proc/cpuinfo:

```
model name   : AMD Phenom(tm) 9950 Quad-Core Processor
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good pni monitor cx16 lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs
```

----------

## prometheanfire

I am currently installing KVM over the weekend on gentoo-hardened with grsec/pax (no-selinux)

I will let you know how it goes.

----------

## cach0rr0

same setup here. 

Pax/GRSec/SSP/PIE

no SELinux, no RBAC

Will definitely be curious to know how you get on. The one thing with KVM that concerned me was the requirement of X, and the amount of items that have to be switched off with paxctl to get X semi-functional under hardened. 

If I could do it without any X deps, that'd own

----------

## pelelademadera

Sorry for the off-topic question, but what are hardened sources? What's the difference with vanilla, gentoo or git?

thanks

----------

## cach0rr0

 *pelelademadera wrote:*   

> Sorry for the off-topic question, but what are hardened sources? What's the difference with vanilla, gentoo or git?
> 
> thanks

 

a set of patches for PaX, GRSecurity, and the like

http://www.gentoo.org/proj/en/hardened/primer.xml

http://www.gentoo.org/proj/en/hardened/grsecurity.xml

http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

----------

## Mad Merlin

KVM doesn't require X, try -sdl.

----------

## cach0rr0

 *Mad Merlin wrote:*   

> KVM doesn't require X, try -sdl.

 

hrmmm...neat. I just may - I have this box that's so ridiculously capable, uses *maybe* 2GB of its 8GB of memory *including* cache

I've fiddled with xen/openvz on machines dedicated to that task, hopefully kvm isn't a huge learning curve - the technology itself looks brilliant

----------

## prometheanfire

well, everything works except networking, the vm just doesn't want to talk to the host network.

I followed the guide on the gentoo-wiki for "Enabling the access to Internet" and it failed miserably

my only recommendation is to get something that works.

I have been using linux for about 10 years now and I have not seen something fail as miserably as this has failed with networking.

you can start the vm just fine but you cannot network.

----------

## Hu

KVM networking should not be affected by hardening patches.  Which method did you choose for granting the guest access to the network?  What happens when you try to use the network?  How are you starting the VM?

----------

## prometheanfire

 *Hu wrote:*   

> KVM networking should not be affected by hardening patches.  Which method did you choose for granting the guest access to the network?  What happens when you try to use the network?  How are you starting the VM?

 

I am using the hub method mentioned in the gentoo-wiki http://en.gentoo-wiki.com/wiki/KVM#Networking specifically under "Enabling the access to Internet"

I am not using 

```
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

the command line is 

```
kvm -net nic,macaddr=52:54:00:12:34:12 -net tap,ifname=tap0,script=no,downscript=no -cdrom isos/gentoo-current.iso -hda /dev/mapper/raid-vmtest -curses
```

----------

## Hu

Bridged guests should work.  What is the output of `brctl show`?  Did you change /etc/conf.d/net or prepare the bridge by hand?  Posting the output of `nl /etc/conf.d/net ; ip addr show` could be helpful.  Feel free to blur out the IP address of your real NIC.  It does not matter here.
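An added diagnostic (not code from this thread or from any project) for the tap setup above: with `-net tap,ifname=tap0,script=no` nothing attaches tap0 to a bridge for you, so the check Hu asks for is whether `brctl show` lists the tap on the same bridge as the uplink. The bridge name br0, uplink eth0 and both `brctl show` samples are assumed/constructed.

```shell
#!/bin/sh
# Added diagnostic for the KVM tap/bridge setup discussed above (not code from
# the thread). Assumes the guest runs with "-net tap,ifname=tap0,script=no" and
# that the host should enslave tap0 and the uplink to one bridge (br0 and eth0
# are assumed names). It parses "brctl show" text, so it runs offline on samples.

# Constructed sample: eth0 is on br0 but tap0 was never added (the failure mode
# behind "the VM starts but cannot network").
BRCTL_BROKEN='bridge name   bridge id           STP enabled   interfaces
br0           8000.001122334455   no            eth0'

# Constructed sample: both the uplink and the tap are enslaved to br0.
# brctl prints additional interfaces on continuation lines holding only the name.
BRCTL_OK='bridge name   bridge id           STP enabled   interfaces
br0           8000.001122334455   no            eth0
                                                tap0'

# bridge_of <brctl output> <iface>: prints the bridge <iface> belongs to, if any.
bridge_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                                   # header line
        NF >= 3 { br = $1; ifc = (NF >= 4) ? $NF : "" }    # new bridge entry
        NF == 1 { ifc = $1 }                               # continuation line
        ifc == want { print br; exit }'
}

# tap_bridged <brctl output> <tap> <uplink>: succeeds only when the tap and the
# uplink sit on the same bridge, which is what bridged guest networking needs.
tap_bridged() {
    tapbr=$(bridge_of "$1" "$2")
    upbr=$(bridge_of "$1" "$3")
    [ -n "$tapbr" ] && [ "$tapbr" = "$upbr" ]
}

# diagnose <brctl output>: one-line verdict a user could paste back in the thread.
diagnose() {
    if tap_bridged "$1" tap0 eth0; then
        echo "ok: tap0 and eth0 share bridge $(bridge_of "$1" tap0)"
    elif [ -z "$(bridge_of "$1" tap0)" ]; then
        echo "broken: tap0 is not on any bridge (brctl addif br0 tap0?)"
    else
        echo "broken: tap0 and eth0 are on different bridges"
    fi
}

diagnose "$BRCTL_BROKEN"
diagnose "$BRCTL_OK"
```

On a real host, replace the samples with `diagnose "$(brctl show)"`; it needs no root, since it only reads the bridge table.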

----------

## prometheanfire

I am doing a reinstall, I think I messed something up in sysctl. (I was using multiple guides)

----------

## Hu

A reinstall is a bit extreme.  As far as I know, all sysctl settings are forgotten on shutdown.  On boot, /etc/sysctl.conf is used to load any custom sysctl settings.  Reverting that file to default values and then rebooting should be sufficient to undo any damage done by incorrect sysctl configuration.

----------

## prometheanfire

I have it working on arch linux so I am going to set that HD aside and try again with hardened. I know people have gotten it to work; it is just networking that messes me up.

----------

