RealTime IT News

IBM Offers Support for Xen

Open source server virtualization got a boost this week with a new release from the Xen project and a new IBM commitment to help "harden" it.

Xen is a virtual machine application that allows users to run multiple operating systems concurrently on the same physical box. Each OS gets its resource and partition allocation from Xen, which claims to have a low overhead by virtue of its "para-virtualization" technique.

The 2.0.3 release is mostly a bug fix and stability point release, the third one since the 2.x branch was officially released in November 2004. The 2.x series introduced new flexibility in how the guest OS virtual Input/Output devices were configured, as well as a live migration feature that permits running operating systems to move between different nodes on a cluster without stopping them.

Reiner Sailer, a member of the Secure Systems Department at IBM's TJ Watson Research Center, announced in a posting to the Xen developers' list this week that IBM plans to harden Xen in a number of different ways to allow it to support enterprise-class applications and security requirements.

The first step Sailer detailed was the merging of IBM's sHype security architecture for hypervisors into Xen. Sailer noted that IBM currently implements sHype on an x86 IBM research hypervisor.

"We now plan to contribute this to Xen by integrating our security architecture into it," Sailer wrote.

sHype allows for a formal policy that helps control the flow of information between domains, as well as the sharing of virtual resources. Sailer explained that the Xen port of IBM's sHype would leverage the existing Xen interdomain communication mechanism.

According to Sailer's post, IBM plans to add strong security/isolation guarantees and enhance Xen to support secure resource metering, verification and control. IBM will also apply its experience in automated security analysis in an effort to make Xen more robust. Lastly, Sailer's list of planned IBM contributions says the company wants to make Xen suitable for Common Criteria evaluation.

"We are confident that our work will significantly contribute to Xen in the security space and that it is a good fit with the Xen roadmap," Sailer wrote.

Ian Pratt, founder of the Xen project and currently a leader and chief architect of the project, responded favorably to the IBM offer to contribute.

"It'll be great to have IBM contributing to Xen security," Pratt wrote in a reply posted to the list.

Other Xen users, however, weren't so sure that IBM's sHype would necessarily make Xen more secure. Xen user Peter Varga said sHype is more about accounting and auditing than hardening.

"Xen was designed from the beginning to provide strong isolation between domains," Varga told internetnews.com. "IBM's sHype would add accounting, which is important for production systems."

IBM isn't the only group pushing Xen virtualization further into the enterprise. Just last week, XenSource announced that it had received $6 million in funding from Kleiner Perkins Caufield & Byers and Sevin Rosen Funds.

Despite the backing, though, Xen is not currently part of the offerings from mainstream Linux distribution vendors Red Hat, Novell or Mandrake. Not yet, at least.

"It's likely that Mandrakesoft will integrate Xen in a release," Mandrakelinux founder Gaël Duval told internetnews.com. "We are also evaluating it for a customer."

Novell also plans to include virtualization at some point soon, though it may not necessarily be Xen.

"We haven't said we'll include Xen," Novell spokesperson Bruce Lowry told internetnews.com. "We've said that we do plan to include virtualization technology in the future in our Linux offering, but we haven't specified what technology. We've also said we've looked at and are impressed with XEN technology," he added.

Red Hat doesn't currently provide virtualization capability in its Red Hat Enterprise Linux products. According to a Red Hat spokesperson, this is because currently available open source virtualization technologies are not yet mature enough for mission-critical deployment. That said, the spokesperson explained that Red Hat has been working with several open source projects, including UML, CKRM and Xen, to identify which technology to use.

Though the spokesperson was unable to reveal the details of Red Hat's development plans, Red Hat is impressed with Xen.

"We are very impressed with Xen technology and believe that it shows tremendous promise," the Red Hat spokesperson told internetnews.com. "Given the increasing demand for server virtualization from our Red Hat Enterprise Linux customers, and the rapidly maturing open source code base, Red Hat is committed to providing a complete, enterprise-strength solution in the near future."

Though Red Hat may not yet officially include Xen, another IBM contribution to the open source project may make it easier for users of Fedora Core, Red Hat's community project, to utilize the technology.

In a Jan. 14 developers' list posting, Jerone Young of IBM's Linux Technology Center posted a guide on setting up Fedora Core 3 with Xen.

Xen is licensed under the GPL open source license and provides support for Linux 2.4.x and 2.6.x, as well as NetBSD running on x86.