[mythtv-users] Virtualisation in the home network -- ready for mainstream?

Simon Hobson linux at thehobsons.co.uk
Thu Sep 3 08:26:42 UTC 2009


Bill Williamson wrote:

>I am not the OP, and I think his list of virtualized stuff is a bit
>silly (why would you virtualize monowall, when it means packets are
>already in your network and on your machine before hitting your
>firewall????), but there are some very good specific uses for
>virtualization (although with xen it works great with pci sharing...).

Actually, running a firewall in a VM makes quite 
good sense, and it's what I have. My firewall is 
a minimal install (no unnecessary software 
installed, let alone running) in a Xen guest - 
its outside interface is a network card 
presented directly to it (pciback.hide etc) so 
apart from passing across the PCI bus, the 
outside traffic doesn't hit Dom0 at all.

It means my firewall can be simple (basic 2 port 
setup), whereas doing the same thing in Dom0 is, 
to say the least, tricky.

> > Another reason to do it is as an added measure of privilege separation.
> > If one virtual machine is compromised it probably won't lead to compromise
> > of the other VMs, barring security problems with the VM hypervisor.  In an
> > ideal world you wouldn't run, say, a web server and an NIS master on the
> > same machine, but running them in separate VMs provides almost the same
> > level of security without the extra box.
>
>For home use?  If someone is compromising your linux boxes and ...
>deleting your tv shows? ... I guess it's good that they can't then
>make a phone call using asterisk?  Or something?

Let's get this straight, you are criticising 
someone for taking security seriously? And as 
for "it's good that they can't then make a phone 
call using asterisk" - well that is a serious 
problem that actually costs money. There's 
nothing like having a few hundred (or even few 
thousand) $/£ added to your phone bill for you to 
take security seriously and it's happened to 
plenty of people (mostly businesses with badly 
configured PBXs, but coming to VoIP you can be 
sure) over the years.

But for me, one of the biggest reasons is the 
separation of software - I can fiddle away with a 
setup as much as I like, and if I really screw it 
up I can just blow it away and start again. I 
don't have to worry, for example, about needing 
to run the very latest stuff to get my tuner 
working and that breaking my fairly old software 
running the mail server.

Oh yes, and it sounds cool when you describe it to non-geek friends :D

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
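As an added illustration of the setup Simon describes (not code from the post or from any of the participants), the script below shows the two halves of a "firewall in a Xen guest" arrangement: the Dom0 side hides the outside NIC from its own driver so it can be passed through, the xl guest config hands that NIC to the guest and gives it a virtual interface on the LAN bridge, and the guest runs a minimal two-interface nftables ruleset. The PCI address, bridge name, interface names and disk path are all placeholders I chose for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post: a firewall domU whose outside
# interface is a physical NIC passed straight through to the guest, so outside
# traffic only crosses the PCI bus and never enters Dom0's network stack.
# All values below are placeholders (assumptions), not from any real system.

OUTSIDE_NIC="00:19.0"   # bus:dev.func of the NIC to hand to the guest (placeholder)
LAN_BRIDGE="xenbr0"     # Dom0 bridge carrying the inside (LAN) side (placeholder)
OUT_IF="eth0"           # name the guest kernel gives the passed-through NIC (assumed)
IN_IF="eth1"            # name of the Xen vif inside the guest (assumed)

# Dom0 side, option 1: keep Dom0's driver off the NIC from boot by adding this
# to the Dom0 kernel command line (the "pciback.hide" the post mentions).
dom0_hide_param() {
    printf 'xen-pciback.hide=(%s)\n' "$OUTSIDE_NIC"
}

# Dom0 side, option 2: mark the device assignable at runtime with the xl toolstack.
dom0_assignable_cmd() {
    printf 'xl pci-assignable-add %s\n' "$OUTSIDE_NIC"
}

# xl guest config: pci = passes the real NIC through, vif = is the inside leg.
xen_guest_cfg() {
    cat <<EOF
name = "fw"
memory = 256
vcpus = 1
bootloader = "pygrub"
# outside interface: the physical NIC, bypassing Dom0's network stack entirely
pci = [ "$OUTSIDE_NIC" ]
# inside interface: a virtual NIC attached to the LAN bridge in Dom0
vif = [ "bridge=$LAN_BRIDGE" ]
disk = [ "/dev/vg0/fw-root,raw,xvda,rw" ]
EOF
}

# Inside the guest: a minimal two-port ruleset. Default-deny on both hooks,
# LAN -> outside forwarding with NAT, admin access from the LAN side only.
fw_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # administer the firewall from the LAN side only; nothing from outside
        iifname "$IN_IF" tcp dport 22 accept
        iifname "$IN_IF" icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$IN_IF" oifname "$OUT_IF" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$OUT_IF" masquerade
    }
}
EOF
}

# Syntax-check the ruleset without loading it (only if nft is installed here).
fw_ruleset_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    fw_ruleset | nft -c -f -
}

# Usage: "sh fw-domu.sh cfg > /etc/xen/fw.cfg" on Dom0,
#        "sh fw-domu.sh rules > /etc/nftables.conf" inside the guest.
case "${1:-}" in
    cfg)   xen_guest_cfg ;;
    rules) fw_ruleset && fw_ruleset_check ;;
    dom0)  dom0_hide_param; dom0_assignable_cmd ;;
esac
```

The point of the `pci =` line is the one Simon makes: the outside NIC belongs to the guest, so a packet from the internet is first seen by the firewall's own kernel, not by Dom0. The input chain accepts nothing at all on the outside interface beyond replies to connections the firewall itself opened, which is what keeps the exposed surface to the minimal install he describes.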