* How to use current KVM with non-modular kernel
@ 2008-09-03 7:50 Felix Leimbach
2008-09-03 9:35 ` Avi Kivity
2008-09-03 17:39 ` Charles Duffy
0 siblings, 2 replies; 6+ messages in thread
From: Felix Leimbach @ 2008-09-03 7:50 UTC (permalink / raw)
To: kvm
Hello list,
due to security concerns I have kvm hosts which have non-modular
kernels, i.e. CONFIG_MODULES is not set.
I'd like to use the latest KVM kernel code with those, but cannot
always upgrade to the latest kernel.org kernel.
Is it possible to update kernel sources to include the latest and
greatest kvm?
For example to have 2.6.25.16 kernel with the kvm-74 module *compiled in*.
-Felix
* Re: How to use current KVM with non-modular kernel
From: Avi Kivity @ 2008-09-03 9:35 UTC (permalink / raw)
To: Felix Leimbach; +Cc: kvm
Felix Leimbach wrote:
> Hello list,
>
> due to security concerns I have kvm hosts which have non-modular
> kernels, i.e. CONFIG_MODULES is not set.
> I'd like to use the latest KVM kernel code with those, but cannot
> always upgrade to the latest kernel.org kernel.
>
> Is it possible to update kernel sources to include the latest and
> greatest kvm?
> For example to have 2.6.25.16 kernel with the kvm-74 module *compiled
> in*.
You could copy the kernel files in the kvm-74 distribution into a new
directory in the Linux source tree, add '#include
"external-module-compat.h"' to the top of all of them, and hack a Kbuild
for them. It would take some effort, but should work.
--
error compiling committee.c: too many arguments to function
* Re: How to use current KVM with non-modular kernel
From: Charles Duffy @ 2008-09-03 17:39 UTC (permalink / raw)
To: kvm
Would it not address your security concerns to build a modular kernel,
load the current kvm module, and then drop CAP_SYS_MODULE as part of
your boot scripts?
* Re: How to use current KVM with non-modular kernel
From: Thomas Lockney @ 2008-09-03 21:27 UTC (permalink / raw)
To: kvm
On Wed, 2008-09-03 at 12:39 -0500, Charles Duffy wrote:
> Would it not address your security concerns to build a modular kernel,
> load the current kvm module, and then drop CAP_SYS_MODULE as part of
> your boot scripts?
Seems that this could be less than ideal if you're providing the VMs as
hosts for clients (perhaps in a VPS-type situation).
* Re: How to use current KVM with non-modular kernel
From: Javier Guerra @ 2008-09-03 21:41 UTC (permalink / raw)
To: Thomas Lockney; +Cc: kvm
On Wed, Sep 3, 2008 at 4:27 PM, Thomas Lockney <tlockney@gmail.com> wrote:
> On Wed, 2008-09-03 at 12:39 -0500, Charles Duffy wrote:
>> Would it not address your security concerns to build a modular kernel,
>> load the current kvm module, and then drop CAP_SYS_MODULE as part of
>> your boot scripts?
>
> Seems that this could be less than ideal if you're providing the VMs as
> hosts for clients (perhaps in a VPS-type situation).
the module loading and capability dropping would be done at host boot,
not guests
--
Javier
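
A check for the approach discussed in this thread (load the kvm module, then drop CAP_SYS_MODULE at host boot), added here as an example and not code from any of the posters: it reads the CapBnd mask from /proc/<pid>/status files and lists processes whose bounding set still contains CAP_SYS_MODULE (capability number 16). The function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: after kvm is loaded and CAP_SYS_MODULE is dropped at host
# boot, list processes whose bounding set still contains the capability.
CAP_SYS_MODULE=16   # capability number from <linux/capability.h>

# capbnd_of FILE: print the hex CapBnd mask from a /proc/<pid>/status file.
capbnd_of() {
    sed -n 's/^CapBnd:[[:space:]]*\([0-9a-fA-F]*\)$/\1/p' "$1"
}

# has_cap_sys_module HEXMASK: succeed if bit 16 is set; return 2 on bad input.
has_cap_sys_module() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    # Bit 16 lives in the low 32 bits, so test only the last 8 hex digits.
    low=$(printf '%s' "$1" | tail -c 8)
    [ $(( (0x$low >> $CAP_SYS_MODULE) & 1 )) -eq 1 ]
}

# procs_with_module_cap [PROCROOT]: print "pid name" for every process whose
# bounding set still contains CAP_SYS_MODULE. PROCROOT defaults to /proc.
procs_with_module_cap() {
    root=${1:-/proc}
    for status in "$root"/[0-9]*/status; do
        mask=$(capbnd_of "$status" 2>/dev/null) || continue
        if has_cap_sys_module "$mask"; then
            pid=${status%/status}
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$status" 2>/dev/null) || continue
            echo "${pid##*/} $name"
        fi
    done
}

# make_sample_proc DIR: constructed status files, not taken from a real host.
# pid 1 has the full bounding set; pid 200 has bit 16 (CAP_SYS_MODULE) cleared.
make_sample_proc() {
    mkdir -p "$1/1" "$1/200"
    printf 'Name:\tinit\nCapBnd:\t000001ffffffffff\n' > "$1/1/status"
    printf 'Name:\tqemu-kvm\nCapBnd:\t000001fffffeffff\n' > "$1/200/status"
}

# Demo on the constructed data; on a real host call procs_with_module_cap alone.
demo=$(mktemp -d)
make_sample_proc "$demo"
procs_with_module_cap "$demo"
rm -rf "$demo"
```

On a real host, any process listed either started before the drop or is not a descendant of the process that performed it, since the bounding set is a per-process attribute inherited across fork.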