[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] libxc: don't fail domain creation when unpacking initrd fails



Andrew Cooper writes ("Re: [Xen-devel] [PATCH] libxc: don't fail domain 
creation when unpacking initrd fails"):
> IMO, the toolstack should not be making assumptions about the initrd,
> and shouldn't be touching it.  It is the users responsibility to provide
> an initrd which its kernel can read.
> 
> Furthermore, leaving the decompression to the kernel reduces the dom0
> attack surface.

If we expect that only very old or very odd kernels can't do the
decompression themselves, then perhaps we could have an option to
enable initrd decompression and have it off by default.

Your point about the attack surface is well-made.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.