  1. #1
    Join Date
    Jan 2011

    OpenVZ: Is the Kernel Safe?

    I recently read somewhere that in OpenVZ:

    "If a VPS inside an OpenVZ instance takes out the kernel, the entire machine goes down"

    Is this a true statement? If so, is OpenVZ not safe to use? This sounds really bad. Anyone have any comments on this?

  2. #2
    Join Date
    Jan 2011
    Varna, Bulgaria
    Yes it is true. It is as true as "if a user on any multiuser system takes out the kernel, the whole system is out". This shouldn't happen, unless there are serious bugs in the kernel.

  3. #3
    Join Date
    Jan 2011
    Thanks for the reply. Just wondering, what are the odds of this happening?

  4. #4
    Join Date
    Apr 2007
    Originally posted by captain_squash:
    "Thanks for the reply. Just wondering, what are the odds of this happening?"

    If you're running the most up-to-date version of the kernel, I would say it's very unlikely this is going to happen.

    There is always the chance of a zero-day exploit; however, a targeted attack against you would be unlikely unless you're some kind of multibillion-dollar company/government...

    So I would say it's fairly safe to use; however, it's worth remembering that ALL software has flaws if you look hard enough...

  5. #5
    Join Date
    Jan 2011
    Okay, thanks. Yeah, we are a small company; I doubt anyone would target us like that.

  6. #6
    Join Date
    Jan 2011
    Just wondering, would Xen be immune to these types of attacks?

  7. #7
    To protect your kernel, you need to run the latest version.
    Install this on your server node:
    It will automatically upgrade the kernel for you when an update is available, and ksplice does not require a server reboot after the upgrade.

  8. #8
    Join Date
    Mar 2010
    1. The highest risk in Xen is when assigning PCI devices to a VM, especially DMA-capable ones. There's no defence against a VM attacking any VM, including the "privileged" dom0. But this is something that needs skill, and it is mostly something discussed at hacker conferences, and most people don't do PCI in VMs anyway.

    2. The second highest is attacks on the xenstore. I don't know of any documented exploit, but it's a vague area at best. The Linux vmsplice attack in a paravirt domU could hang Debian dom0s. The Xen hypervisor itself seems to keep running OK, and normally you'll also find that other domUs aren't even affected if dom0 dies. Getting less relevant too.
    So OK, this can happen. I've seen it once in 6 years, and the host was not compromised.

    3. Attacks on the hypervisor itself (not very likely; about as much as someone digging a tunnel into your basement. Both are possible, but I figure it's not happened yet).

    Note Xen also knows security labels that can enforce what a VM can access. I figure when using those there's not much chance of any attack left.

    So, as a summary, I'd say "yes". Paravirtualized domUs and drivers bring in a little risk, but much lower than running the same kernel for your host as for the VMs.