bhyve Management group available for bhyve admins ?

bojinov

bojinov

Hello,

I am attempting to get an API service running for VM management with bhyve and v13.2

Wondering if I should go root or is there a smarter option ?

Momchil
 
I'd very strongly suggest running bhyve in jail for multi-tenancy - either one jail for every tenant or even a dedicated one for each jail and tying them together per-tenant in the backend you will most likely create/run on top.

With bhyve in jails you can keep the host as vanilla as possible and put all your special configuration and all you need to connect your backend in a (very stripped and locked down) jail template which is just cloned and spun up for every instance. Additionally *if* there should ever be any bug in bhyve that allows breaking out of the hypervisor, an attacker would only find himself in a heavily restricted jail...
The same approach is done by e.g. smartOS with bhyve and KVM running in zones and IIRC ClonOS is also running bhyve in jails.
 
bhyve can only be run as root at the moment, but that doesn't mean your API needs to run as root. See how it's done in CBSD: API ( /usr/ports/sysutils/cbsd-mq-api ) can run from unprivileges user's, but executor ( /usr/ports/sysutils/cbsd-mq-router ) must have 'root' privileges). I still plan to integrate this API into ClonOS.
As for bhyve in jail + ClonOS: CBSD (used by ClonOS) had this option, but I'll change that to chroot(1) soon.
 
I get your point and the idea for the zones is something I am going to think about
usability over security I always say. and I work security
not a fan of patching all those jails with VMs running on top
here is the plan:
github.com

GitHub - bozhinov/bHype: bHype will (eventually) turn a fresh installation of FreeBSD 13.1+ into a standalone virtual machine host that can be maintained within a corporate environment.

bHype will (eventually) turn a fresh installation of FreeBSD 13.1+ into a standalone virtual machine host that can be maintained within a corporate environment. - GitHub - bozhinov/bHype: bHype wil...
github.com github.com

Please don't laugh.
 
  • Like
Reactions: Ole
Hey Ole, long time. Thank you for the link. I have already thoroughly explored CBSD and ClonOS. I am a fan as you know.
I may need your help with OS packaging later on. I see FreeBSD provides several options and as always none of them are properly documented.
 
bojinov said:
Hey Ole, long time. Thank you for the link. I have already thoroughly explored CBSD and ClonOS. I am a fan as you know.
I may need your help with OS packaging later on. I see FreeBSD provides several options and as always none of them are properly documented.
Click to expand...
No problem 🤝! But i'm still trying to fix what you broke in ClonOS, haha! But I like the initiative.
 
Ole said:
No problem 🤝! But i'm still trying to fix what you broke in ClonOS, haha! But I like the initiative.
Click to expand...
Yep, I did break a bit but that code needed a rewrite. Always available to troubleshoot. Cheers :)
 
You must log in or register to reply here.
Back
Top