cloudstack-dev mailing list archives

From Chiradeep Vittal <Chiradeep.Vit...@citrix.com>
Subject Re: Building SystemVM template appliance
Date Wed, 13 Feb 2013 06:14:03 GMT

>> Figured it out: the dhcp server in vbox hands out the dns server of the
>> host (in my case my corporate dns server). Dhclient reverse looks up
>> 10.0.2.15 (the address of the vm) and gets a valid response from the
>> corporate dns server. Annoyingly this is used to name the volume group
>> during partitioning. The only foolproof way may be to write a custom
>> partman recipe in preseed.cfg.
>
>Okay this is the issue :) I'll fix in preseed.cfg so we'll have only
>one root partition (and maybe a small swap but not required I think?)
>like the present systemvm which too has only one / partition, unless
>you want a different scheme.

Actually prefer different partitions for securing against local attacks.
The CIS Benchmark [http://benchmarks.cisecurity.org/downloads/benchmarks/]
recommends the following:
"Minimally, the following conditions should must exist:
* user writable directories (i.e /tmp) should have their own partitions to
prevent hardlink attacks
* /var and /opt should not share a partition with the system root
'/'"


>
>>
>> I've left a few FIXME in cloudstack-packages.sh, please take a look.
>
>Except for the signature creator I fixed other ones. How do you
>propose we create the signature, use latest git SHA?

Currently it is the md5 of the patches/systemvm/debian/config and
patches/systemvm/debian/vpn tar gzip.

>
>Regards.
>
>>
>> --
>> Chiradeep
>>
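
A check for the partition layout recommended in the CIS quote above, added here as an example and not part of the original thread or of CloudStack's build scripts. It parses /proc/mounts-format text and lists which of /tmp, /var and /opt still share a filesystem with /; the function names and the sample mount tables are constructed for illustration.

```python
import os

# Directories the quoted CIS guidance wants off the root filesystem.
REQUIRED_SEPARATE = ("/tmp", "/var", "/opt")

# Constructed samples in /proc/mounts format (not taken from a real systemvm).
SINGLE_ROOT = "/dev/mapper/vg-root / ext4 rw 0 0\nproc /proc proc rw 0 0\n"
SPLIT = SINGLE_ROOT + (
    "/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev 0 0\n"
    "/dev/mapper/vg-var /var ext4 rw 0 0\n"
    "/dev/mapper/vg-opt /opt ext4 rw 0 0\n")

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return {mount_point: device} from /proc/mounts-format text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts[_unescape(parts[1])] = parts[0]  # a later mount shadows an earlier one
    return mounts

def mount_point_for(path, mounts):
    """Longest mount point that is a whole-component prefix of path."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def shares_root(mounts, required=REQUIRED_SEPARATE):
    """Directories from required that sit on the same filesystem as '/'."""
    root_dev = mounts.get("/")
    failing = []
    for d in required:
        mp = mount_point_for(d, mounts)
        # Same mount point as '/', or a bind mount backed by the root device.
        if mp == "/" or mounts[mp] == root_dev:
            failing.append(d)
    return failing

if __name__ == "__main__":
    for name, text in (("single root", SINGLE_ROOT), ("split", SPLIT)):
        print(name, "->", shares_root(parse_mounts(text)) or "ok")
```

On a built image the same functions can be fed the contents of /proc/mounts instead of the constructed samples.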

