Open source server virtualization got a boost this week with a new release
from the Xen project and a new IBM commitment to help “harden” it.
Xen is a virtual machine application that allows users to run multiple operating
systems concurrently on the same physical box. Each OS gets its resource and
partition allocation from Xen, which claims to have a low overhead by virtue
of its “para-virtualization” technique.
The 2.0.3 release is mostly a bug fix
and stability point release, the third one since the 2.x branch was officially
released in November 2004. The 2.x series introduced new flexibility in how
the guest OS virtual Input/Output devices were configured, as well as a live
migration feature that permits running operating systems to move between different nodes on
a cluster without stopping them.
Reiner Sailer, a member of the Secure Systems Department at IBM’s TJ Watson Research
Center, announced in a posting to the Xen developers’ list this week
that IBM plans to harden Xen in a number of different ways to allow
it to support enterprise-class applications and security requirements.
The first step Sailer detailed was the merging of IBM’s sHype security architecture for
hypervisors into Xen. Sailer noted that IBM currently implements sHype on an
x86 IBM research hypervisor.
“We now plan to contribute this to Xen by integrating our security architecture
into it,” Sailer wrote.
SHype allows for a formal policy that helps control the flow of
information between domains, as well as the sharing of virtual resources. Sailer
explained the Xen port of IBM’s sHype would leverage the existing Xen interdomain
communication mechanism.
According to Sailer’s post, IBM plans to add strong security/isolation
guarantees and enhance Xen to support secure resource metering,
verification and control. IBM will also apply its experience in automated
security analysis in an effort to make Xen more robust. Lastly, Sailer’s list of
IBM contributions said the company wants to make Xen suitable for Common Criteria
evaluation.
“We are confident that our work will significantly contribute to Xen in the
security space and that it is a good fit with the Xen roadmap,” Sailer wrote.
Ian Pratt, founder of the Xen project and currently a leader and chief
architect of the project, responded favorably to the IBM offer to contribute.
“It’ll be great to have IBM contributing to Xen security,” Pratt wrote in a
reply posted to the list.
Other Xen users, however, weren’t so sure that IBM’s sHype would necessarily make
Xen more secure. Xen user Peter Varga said sHype is more about accounting
and auditing than hardening.
“Xen was designed from the beginning to provide strong isolation between domains,”
Varga told internetnews.com. “IBM’s sHype would add accounting, which is
important for production systems.”
IBM isn’t the only group pushing Xen virtualization further
into the enterprise. Just last week, XenSource announced that it had received $6 million
in funding from Kleiner Perkins Caufield & Byers and Sevin Rosen Funds.
Despite the backing, though, Xen is not currently part of the offerings from
mainstream Linux distribution vendors Red Hat, Novell or Mandrake. Not yet at
least.
“It’s likely that Mandrakesoft will integrate Xen in a release,” Mandrakelinux
founder Gaël Duval told internetnews.com. “We are also evaluating it for a
customer.”
Novell also plans to include virtualization at some
point soon, though it may not necessarily be Xen.
“We haven’t said we’ll include Xen,” Novell spokesperson Bruce Lowry told
internetnews.com. “We’ve said that we do plan to include virtualization technology
in the future in our Linux offering, but we haven’t specified what technology.
We’ve also said we’ve looked at and are impressed with XEN technology,” he added.
Red Hat doesn’t currently provide virtualization
capability in its Red Hat Enterprise Linux products. According to a Red Hat spokesperson,
this is because currently available open source virtualization technologies are
not yet mature enough for mission-critical deployment. That said, the spokesperson
explained that Red Hat has been working with several open source projects,
including UML, CKRM and Xen, to identify which technology to use.
Though the spokesperson was unable to reveal the details of Red Hat’s development
plans, Red Hat is impressed with Xen.
“We are very impressed with Xen technology and believe that it shows tremendous
promise,” the Red Hat spokesperson told internetnews.com. “Given the
increasing demand for server virtualization from our Red Hat Enterprise Linux
customers, and the rapidly maturing open source code base, Red Hat is committed to
providing a complete, enterprise-strength solution in the near future.”
Though Red Hat may not yet officially include Xen, another IBM contribution to
the open source project may make it easier for Red Hat’s community project Fedora
Core users to utilize the technology.
In a Jan. 14 developers’ list posting, Jerone Young of IBM’s Linux Technology Center
posted a guide on setting up Fedora Core 3 with Xen.
Xen is licensed under the GPL open source license
and provides support for Linux 2.4.x and 2.6.x, as well as NetBSD running on x86.