Xen Project Hypervisor 4.10 Focuses on Security, Improved User Experience, and Future Proofing



  • Rearchitecture and new user interface provide for cleaner and smaller codebase

    SAN FRANCISCO, December 14, 2017 – The Xen Project, hosted at The Linux Foundation, today announced the release of Xen Project Hypervisor 4.10. The latest release continues to take a security-first approach with improved architecture and more centralized documentation. The release is equipped with the latest hardware updates from Arm and a more intuitive user interface.

    The Xen Project hypervisor is used by more than 10 million users, and powers some of the largest clouds in production today, including Amazon Web Services, Tencent, Alibaba Cloud, Oracle Cloud and IBM SoftLayer. It is the base for commercial virtualization products from Citrix, Huawei, Inspur and Oracle, and security solutions from Qubes OS, Bromium vSentry, A1Logic, Bitdefender, Star Lab’s Crucible Hypervisor, Zentific and Dornerwork’s Virtuosity.

    As demand for embedded, automotive and security solutions continues to rise, the revamped Xen Project architecture provides a cleaner and smaller code base for better security and performance.

    “This release is a stepping stone for us to solidify a new architecture that uses hardware support for better performance for PV guests, reduces code size and maintenance burden, and provides a smaller TCB for better security,” said Lars Kurth, Chairperson of the Xen Project Advisory Board. “This provides value to traditional markets that the Xen Project is present and popular in, like the server and cloud space, but also continues to open the Xen Project up to new markets like embedded and automotive.”

    “The Xen Project Hypervisor already has a number of great security properties; Xen 4.10 builds on these by further reducing the size of the TCB, reducing the complexity of code within the TCB, and limiting additional components’ rights to the bare minimum necessary,” said James Bulpin, Senior Director of Technology, Citrix. “The re-architecting work done in Xen 4.10 will also make it easier to maintain and enhance, while preserving quality and security properties.”

    Rearchitecture Creates Smaller Attack Surface and Cleaner Code

    Since the introduction of Xen Project Hypervisor 4.8, the project has overhauled the x86 core of its technology. The intention is to create a cleaner architecture, less code and a smaller computing base for security and performance. As part of this re-architecture, Xen Project 4.10 supports PVHv2 DomU. PVHv2 guests have a smaller TCB and attack surface compared to PV and HVM guests.

    In Xen Project Hypervisor 4.9, the interface between Xen Project software and QEMU was completely reworked and consolidated via DMOP. For Xen Project Hypervisor 4.10, the Xen Project community built on DMOP and added a Technology Preview for dm_restrict to constrain what device models, such as QEMU, can do after startup. This feature limits the impact of security vulnerabilities in QEMU: QEMU vulnerabilities that could previously be used for privilege escalation to the host can no longer escape the sandbox.

    This work significantly reduces potential security vulnerabilities in the Xen Project software stack.

    Better User Experience through the Xen Project User Interface

    The Xen Project community also made significant changes to the hypervisor’s user interface. It is now possible to modify certain boot parameters without rebooting Xen. Guest types are now selected using the type option in the configuration file, where users can select a PV, PVH or HVM guest. The builder option is being deprecated in favor of the type option, the PVH option has been removed, and a set of PVH-specific options has been added.

    These changes allow the Xen Project to retain backward compatibility on new hardware without old PV code, providing the same functionality with a much smaller codebase. Additional user interface improvements are detailed in our blog post.
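    The two configuration changes described above (the type option that replaces builder, and the dm_restrict Technology Preview for QEMU-backed guests) are illustrated by the following xl guest configuration fragments. This is an added example, not code from the press release or from the Xen Project's own documentation; guest names, paths and sizes are constructed placeholders, each guest would live in its own configuration file, and the exact spelling of the dm_restrict setting is an assumption to be checked against xl.cfg(5) for the release in use.

```ini
# Added example, not from the press release or the Xen Project: two xl guest
# configuration fragments for Xen 4.10. Names, paths and sizes are constructed
# placeholders; each fragment would normally be its own file.

# --- File 1: a PVHv2 guest selected with the new "type" option ---
# "type" replaces the deprecated "builder" option. A PVH guest runs with no
# QEMU device model, which is why the text describes it as having a smaller
# TCB and attack surface than PV or HVM; there is nothing for dm_restrict
# to constrain here.
name    = "pvh-guest-example"          # constructed name
type    = "pvh"
memory  = 1024
vcpus   = 2
kernel  = "/path/to/guest-kernel"      # placeholder path
ramdisk = "/path/to/guest-initrd"      # placeholder path
extra   = "root=/dev/xvda1 console=hvc0"
disk    = [ "/path/to/pvh-guest.img,raw,xvda,rw" ]   # placeholder path
vif     = [ "bridge=xenbr0" ]

# --- File 2: an HVM guest that does run a QEMU device model ---
# dm_restrict is the 4.10 Technology Preview that limits what QEMU may do
# after startup, so a device model compromised through a QEMU bug cannot
# use its remaining privileges to escalate to the host. Enabling it with
# "dm_restrict = 1" is an assumption here; verify against xl.cfg(5).
name   = "hvm-guest-example"           # constructed name
type   = "hvm"
memory = 2048
vcpus  = 2
disk   = [ "/path/to/hvm-guest.img,raw,xvda,rw" ]    # placeholder path
vif    = [ "bridge=xenbr0" ]
dm_restrict = 1
```

    Either fragment is started with `xl create <file>` and can be confirmed running with `xl list`. The defensive point is the pairing: choose the PVH type where the guest supports it so that no device model exists at all, and where an HVM guest is unavoidable, restrict the device model rather than leave it with full host privileges.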

    Improved Support Documentation

    In Xen Project 4.10, a machine-readable file (support.md) was added to describe support related information in a single document. It defines support status and whether features are security supported and to which degree. For example, a feature may be security supported on x86, but not on Arm.

    This file will be back-ported to older Xen releases and will be used to generate support information for Xen Project releases, which will be published on xenbits.xen.org/docs/. This effort will allow users to better understand how they are impacted by security issues; centralizing security support related information is also a pre-condition to becoming a CVE Numbering Authority.

    Contributions for this release of the Xen Project came from Amazon Web Services, AMD, Aporeto, Arm, BAE Systems, BitDefender, Cavium, Citrix, EPAM, GlobalLogic, Greenhost, Huawei Technologies, Intel, Invisible Things Lab, Linaro, Nokia, Oracle, Red Hat, Suse, US National Security Agency, and a number of universities and individuals. This was a shorter release cycle, with code quality and hardened security a key focus.

    Additional Technical Features

    Support for Latest System-on-chip (SoC) Technology: The Xen Project now supports SoCs based on the 64-bit Armv8-A architecture from Qualcomm Centriq 2400 and Cavium ThunderX.

    SBSA UART Emulation for Arm® CPUs: Implementation of SBSA UART emulation support in the Xen Project Hypervisor makes it accessible through the command line tools. This enables the guest OS to access the console when no PV console driver is present. In addition, SBSA UART emulation is required in order to comply with the VM System specification.

    ITS support for Arm CPUs: Xen Project 4.10 adds support for Arm’s Interrupt Translation Service (ITS), which accompanies GICv3 interrupt controllers such as the Arm CoreLink GIC-500. ITS support allows the Xen Project Hypervisor to harness all of the benefits of the GICv3 architecture, improving interrupt efficiency and allowing for greater on-chip virtualization for both server and embedded users of the Xen Project. ITS support is essential to virtualize systems with large numbers of interrupts. In addition, ITS increases isolation of virtual machines by providing interrupt remapping, enabling safe PCI passthrough on Arm.

    GRUB2 on 64-bit Armv8-A architecture: The GRUB community merged support to boot Xen on 64-bit Arm-based CPU platforms. GRUB2 support for Armv8-A improves the user experience when installing Xen via distribution packages on UEFI platforms.

    Credit 2 scheduler improvements: Soft-affinity support for the Credit 2 scheduler was added to allow those using the Xen Project in the cloud and server space to specify a preference for running a VM on a specific CPU. This enables NUMA-aware scheduling for the Credit 2 scheduler. In addition, cap support was added, allowing users to set the maximum amount of CPU time a VM will be able to consume, even if the host system has idle CPU cycles.

    Null scheduler improvements: The recent updates to the “null” scheduler guarantee near-zero scheduling overhead, significantly lower latency, and more predictable performance. Tracing support was added, enabling users to optimize workloads, and soft affinity was introduced. Soft affinity adds a flexible way to express placement preferences of vcpus on processors, which improves cache and memory performance when configured appropriately.

    Virtual Machine Introspection improvements: Performance improvements have been made to VMI. A software page table walker was added to VMI on Arm, which lays the groundwork for altp2m on Arm CPUs. More information on altp2m is available here.

    PV Calls Drivers in Linux: In Xen Project 4.9, the Xen Project introduced the PV Calls ABI, which allows forwarding POSIX requests across guests. This enables a new networking model that is a natural fit for cloud-native apps. The PV Calls backend driver was added to Linux 4.14.

    Additional Resources

    The post Xen Project Hypervisor 4.10 Focuses on Security, Improved User Experience, and Future Proofing appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/press-release/xen-project-hypervisor-4-10-focuses-security-improved-user-experience-future-proofing/



Tmux Commands

screen and tmux

A comparison of the features (or more-so just a table of notes for accessing some of those features) for GNU screen and BSD-licensed tmux.

The formatting here is simple enough to understand (I would hope). ^ means ctrl+, so ^x is ctrl+x. M- means meta (generally left-alt or escape)+, so M-x is left-alt+x.

It should be noted that this is nowhere near a full feature-set of either program. This, being a cheat-sheet, is just to point out the most basic features to get you on the road.

Trust the developers and manpage writers more than me. This document originally dates from 2009, when tmux was still new; since then both of these programs have had many updates and features added (not all of which have been dutifully noted here).

| Action | tmux | screen |
|---|---|---|
| start a new session | `tmux` OR `tmux new` OR `tmux new-session` | `screen` |
| re-attach a detached session | `tmux attach` OR `tmux attach-session` | `screen -r` |
| re-attach an attached session (detaching it from elsewhere) | `tmux attach -d` OR `tmux attach-session -d` | `screen -dr` |
| re-attach an attached session (keeping it attached elsewhere) | `tmux attach` OR `tmux attach-session` | `screen -x` |
| detach from currently attached session | `^b d` OR `^b :detach` | `^a ^d` OR `^a :detach` |
| rename-window to newname | `^b , <newname>` OR `^b :rename-window <newn>` | `^a A <newname>` |
| list windows | `^b w` | `^a w` |
| list windows in chooseable menu | | `^a "` |
| go to window # | `^b #` | `^a #` |
| go to last-active window | `^b l` | `^a ^a` |
| go to next window | `^b n` | `^a n` |
| go to previous window | `^b p` | `^a p` |
| see keybindings | `^b ?` | `^a ?` |
| list sessions | `^b s` OR `tmux ls` OR `tmux list-sessions` | `screen -ls` |
| toggle visual bell | | `^a ^g` |
| create another window | `^b c` | `^a c` |
| exit current shell/window | `^d` | `^d` |
| split window/pane horizontally | `^b "` | `^a S` |
| split window/pane vertically | `^b %` | `^a \|` |
| switch to other pane | `^b o` | `^a <tab>` |
| kill the current pane | `^b x` OR (logout/^D) | |
| collapse the current pane/split (but leave processes running) | | `^a X` |
| cycle location of panes | `^b ^o` | |
| swap current pane with previous | `^b {` | |
| swap current pane with next | `^b }` | |
| show time | `^b t` | |
| show numeric values of panes | `^b q` | |
| toggle zoom-state of current pane (maximize/return current pane) | `^b z` | |
| break the current pane out of its window (to form new window) | `^b !` | |
| re-arrange current panes within same window (different layouts) | `^b [space]` | |
| kill the current window (and all panes within) | `^b :killw [target-window]` | |
  • Open Source Summit

    Join us in Edinburgh! Submit a proposal to speak by July 1 for Open Source Summit & ELC + OpenIoT Summit Europe.

    Submit a proposal to speak at Open Source Summit Europe & ELC + OpenIoT Summit Europe, taking place October 22-24, 2018, in Edinburgh, UK, and share your knowledge and expertise with 2,000+ open source technologists and community leaders. Proposals are being accepted through 11:59pm PDT, Sunday, July 1.

    This year’s tracks and content will cover the following areas at Open Source Summit Europe:

      • Cloud Native Apps/Serverless/Microservices
      • Infrastructure & Automation (Cloud/Cloud Native/DevOps)
      • Linux Systems
      • Artificial Intelligence & Data Analytics
      • Emerging Technologies & Wildcard (Networking, Edge, IoT, Hardware, Blockchain)
      • Community, Compliance, Governance, Culture, Open Source Program Management (Open Collaboration Conference track)
      • Diversity & Inclusion (Diversity Empowerment Summit)
      • Innovation at Apache/Apache Projects
      • TODO / Open Source Program Management

    View the full list of suggested topics for Open Source Summit Europe.

    This year’s tracks and content will cover the following areas at ELC:

    Suggested Embedded Linux Conference (ELC) Topics:

      • Audio, Video, Streaming Media and Graphics
      • Security
      • System Size, Boot Speed
      • Real-Time Linux – Performance, Tuning and Mainlining
      • SDKs for Embedded Products
      • Flash Memory Devices and Filesystems
      • Build Systems, Embedded Distributions and Development Tools
      • Linux in Devices such as Mobile Phones, DVRs, TVs, Cameras, etc.
      • Use of Linux in Automotive
      • Drones and Robots
      • Linux in the Internet of Things
      • Practical Experiences and War Stories
      • Standards
      • Public Infrastructure
      • Industrial Automation

    Suggested OpenIoT Summit Topics:

      • Real-Time OS (Zephyr, RIOT, MyNewt, FreeRTOS, NuttX, mbed and Others)
      • Outside World Meets IoT (Sensor Interaction, Low Footprint, Connected Sensors, EMF/RFI Impact)
      • Bootloaders, Firmware & Updates
      • Containers
      • Distributed Edge Application Technologies
      • On-device Analytics
      • Blockchain for Constrained Devices
      • Device Management
      • Power Management
      • Configuration Management
      • Developing for Security
      • Safety Considerations
      • Certifications – Lessons Learned
      • Taking Devices to Product

    View the full list of suggested topics for ELC + OpenIoT Summit Europe.


    Register & Save

    Not submitting, but plan to attend? Register before August 18 and save $300 with early bird pricing. One registration gets you access to both Open Source Summit Europe & ELC + OpenIoT Summit Europe.

    Interested in Sponsoring?

    Showcase your thought leadership among a vibrant open source community and connect with top influencers driving today’s technology purchasing decisions. Learn how to become a sponsor of Open Source Summit Europe or ELC + OpenIoT Summit Europe.

    The post Last Chance to Speak at Open Source Summit and ELC + OpenIoT Summit Europe – Submit by July 1 appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/blog/last-chance-to-speak-at-open-source-summit-and-elc-openiot-summit-europe-submit-by-july-1/

  • Open Source Guides

    The Open Source Guides for the Enterprise are now available in Chinese.

    The popular Open Source Guides for the Enterprise, developed by The Linux Foundation in collaboration with the TODO Group, are now available in Chinese. This set of guides provides industry-proven best practices to help organizations successfully leverage open source.

    “Making these resources available to Chinese audiences in their native language will encourage even greater adoption of and participation with open source projects,” said Chris Aniszczyk, CTO of Cloud Native Computing Foundation and co-founder of the TODO Group. The guides span various stages of the open source project lifecycle, from initial planning and formation to winding down a project.

    The 10 guides now available in Mandarin include topics such as:

      • Creating an Open Source Program by Chris Aniszczyk, Cloud Native Computing Foundation; Jeff McAffer, Microsoft; Will Norris, Google; and Andrew Spyker, Netflix
      • Using Open Source Code by Ibrahim Haddad, Samsung Research America
      • Participating in Open Source Communities by Stormy Peters, Red Hat; and Nithya Ruff, Comcast
      • Recruiting Open Source Developers by Guy Martin, Autodesk; Jeff Osier-Mixon, Intel Corporation; Nithya Ruff; and Gil Yehuda, Oath
      • Measuring Your Open Source Program’s Success by Christine Abernathy, Facebook; Chris Aniszczyk; Joe Beda, Heptio; Sarah Novotny, Google; and Gil Yehuda

    The translated guides were launched at the LinuxCon + ContainerCon + CloudOpen China conference in Beijing, where The Linux Foundation also welcomed Chinese Internet giant Tencent as a Platinum Member.

    The post Open Source Guides for the Enterprise Now Available in Chinese appeared first on The Linux Foundation.

    https://www.linuxfoundation.org/blog/open-source-guides-for-the-enterprise-now-available-in-chinese/
