Hello list,
I wanted to ask if anyone is using RHEV at all especially in an IC/DoD environment. Has it been approved? Secured? What issues are there?
Thanks,
Gabe
Hey Gabe,
I did a presentation on a RHEV system (RHEV 3.3, RHN Satellite 5.6, IdM 3.0 based on RHEL 6.5) that we are deploying at the Defence in Depth 2014 Conference here in Tyson's Corner, VA. I've posted the presentation here for everyone's convenience:
http://people.redhat.com/fcaviggi/KVM_security.pdf
I'm happy to say that we should have an ICD 503 (RMF Step 5) ATO early next week.
Regards,
Frank Caviggia
It is approved (Army). However, having worked with it I'd recommend using a different product.
On Wed, Oct 29, 2014 at 6:13 PM, Frank Caviggia fcaviggi@redhat.com wrote:
Hey Gabe,
I did a presentation on a RHEV system (RHEV 3.3, RHN Satellite 5.6, IdM 3.0 based on RHEL 6.5) that we are deploying at the Defence in Depth 2014 Conference here in Tyson's Corner, VA. I've posted the presentation here for everyone's convenience:
http://people.redhat.com/fcaviggi/KVM_security.pdf
I'm happy to say that we should have an ICD 503 (RMF Step 5) ATO early next week.
Regards,
Frank Caviggia
-- Frank Caviggia Consultant, Red Hat fcaviggi@redhat.com (M) (571) 295-4560
----- Original Message -----
From: "Gabe Alford" redhatrises@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Wednesday, October 29, 2014 4:50:39 PM
Subject: Use of RHEV
Hello list,
I wanted to ask if anyone is using RHEV at all especially in an IC/DoD environment. Has it been approved? Secured? What issues are there?
Thanks,
Gabe
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
Leam,
Could you qualify that a bit more? It's hard to base a decision case on a recommendation without details and it might save Gabe some time.
Thanks,
Trevor
On Thu, Oct 30, 2014 at 11:16 AM, leam hall leamhall@gmail.com wrote:
It is approved (Army). However, having worked with it I'd recommend using a different product.
-- Mind on a Mission
On Thu, Oct 30, 2014 at 1:02 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
Leam,
Could you qualify that a bit more? It's hard to base a decision case on a recommendation without details and it might save Gabe some time.
Trevor,
Probably a good idea. Sometimes I type faster than I think. :)
Having used RHEV and VMware, I strongly recommend VMware.
In RHEV the management requirements are different; you have to use IE and Spice. I'm not fond of the former and the latter takes some integration.
Updating your template is a pain.
Shutdown for maintenance is a pain.
Moving stuff around is a pain.
"Click" time to response is slow.
From what I have seen RHEV is not as fully featured as VMware.
Pretty much all the interactions I've had with RHEV have been slow and painful. I'm assuming there are positives to the product but I've not encountered any. All that said, please keep in mind that I'm not a RHEV wizard. So there may be a lot of things I don't know.
Leam
Classification: UNCLASSIFIED Caveats: NONE
In RHEV the management requirements are different; you have to use IE and Spice. I'm not fond of the former and the latter takes some integration.
When did you use RHEV? We're in the early stages of setting it up ourselves, and have been informed that IE used to be a requirement, but no longer is (we've been using Firefox from Linux and OS X). It sounds like the product has improved significantly over the past few years, in general.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
Classification: UNCLASSIFIED Caveats: NONE
On Thu, Oct 30, 2014 at 2:38 PM, Shaw, Ray V CTR USARMY ARL (US) ray.v.shaw.ctr@mail.mil wrote:
Classification: UNCLASSIFIED Caveats: NONE
In RHEV the management requirements are different; you have to use IE and Spice. I'm not fond of the former and the latter takes some integration.
When did you use RHEV? We're in the early stages of setting it up ourselves, and have been informed that IE used to be a requirement, but no longer is (we've been using Firefox from Linux and OS X). It sounds like the product has improved significantly over the past few years, in general.
Hey Ray,
Currently. There may be newer versions out, but what is blessed by the DoD is not always the most current. Also, if you have an install of an older but supported version, migration is seldom seamless and not resource impacting.
Leam
All,
IE is no longer a requirement (a Windows RHEV-M server was actually required in early 2.x versions of RHEV - a legacy of the Qumranet acquisition) - with RHEV 3.3+ IE and Firefox (Linux, Windows) both work as the management interface - the standalone SPICE clients are the way to go as engineering is moving away from ActiveX support. RHEV includes the SPICE client on the install DVD and the Windows clients can be found under the installation:
Virt Viewer for 32-bit Windows:
RHEV 3.3 - https://[RHEV-M address]/ovirt-engine-files/spice/virt-viewer-x86.msi
RHEV 3.4 - https://[RHEV-M address]/ovirt-engine/services/files/spice/virt-viewer-x86.msi
Virt Viewer for 64-bit Windows:
RHEV 3.3 - https://[RHEV-M address]/ovirt-engine-files/spice/virt-viewer-x86.msi
RHEV 3.4 - https://[RHEV-M address]/ovirt-engine/services/files/spice/virt-viewer-x64.msi
I've been able to install the Windows SPICE client as a normal user, without additional administrative privileges, at my customer's site but I haven't tested it on other baselines.
As for other clients I've found for home experimentation:
OS X:
http://www.ovirt.org/SPICE_Remote-Viewer_on_OS_X
Android:
https://play.google.com/store/apps/details?id=com.iiordanov.aSPICE&hl=en
With all that being said, KVM is really progressing as a hypervisor - I've done GPU passthrough with RHEL 7 and there is plenty of work headed forward - especially in the area of 3D graphics:
My benchmarks using RHEL 7 KVM with Windows 8.1 Guest and nVIDIA Quadro K2000 (VT-d passthrough):
http://www.3dmark.com/3dm/3746572
Intel's work on GPU support:
http://www.phoronix.com/scan.php?page=news_item&px=MTgyMTE
https://software.intel.com/en-us/blogs/2014/05/02/intel-graphics-virtualizat...
There are some exciting times ahead for RHEV, and I know there will be growing pains, but RHEV is only one piece of the puzzle - Openstack, Docker, CloudForms, RHSS integration has our competitors (VMware, Microsoft, and others) scrambling to build proprietary vendor-specific solutions to compete with those technologies - none of them open source. In summary, VMware is an easy solution for the short term, but the vendor lock-in and price and support contracts can add up especially as the landscape for virtualization and cloud computing changes...
Anyway, all of the above is just my opinion on things moving forward, hope this helps somebody.
Regards,
Frank Caviggia
On 10/30/14 18:44, Frank Caviggia wrote:
[snip]
Anyway, all of the above is just my opinion on things moving forward, hope this helps somebody.
Don't get me wrong; RHEV shouldn't be consigned to the eternal flames. Well...the version I'm using probably should.
I think the potential is there given the brainpower available. If the right decisions are made it can become a viable contender and potentially market leader.
Leam
On 10/30/14, 7:25 PM, Leam Hall wrote:
On 10/30/14 18:44, Frank Caviggia wrote:
[snip]
Anyway, all of the above is just my opinion on things moving forward, hope this helps somebody.
Don't get me wrong; RHEV shouldn't be consigned to the eternal flames. Well...the version I'm using probably should.
Likely a legacy version issue. If running a RHEV version which requires Internet Explorer, that means:
- Deployment of RHEV 2.x, which was released on 3-NOV-2009 and EOL'd on 1-MAR-2013; or
- Deployment of RHEV 3.0, which was released on 18-JAN-2012 and EOL'd on 5-DEC-2012
When measured against expectations of a modern hypervisor, either version above would fall laughably short. To get a sense of the releases...
RHEV 2.1 (released 3-NOV-2009)
RHEV 2.2 (released 23-JUN-2010)
RHEV 3.0 (released 18-JAN-2012)
RHEV 3.1 (released 5-DEC-2012) <--- this is when Windows requirements were dropped
RHEV 3.2 (released 11-JUN-2013)
RHEV 3.3 (released 21-JAN-2014)
RHEV 3.4 (released 16-JUN-2014)
RHEV 3.5 in planning now
I think the potential is there given the brainpower available. If the right decisions are made it can become a viable contender and potentially market leader.
Thanks! Today RHEV /shines/ in security and performance. As time moves forward, many RHEV subsystems are being integrated with OpenStack services (e.g. neutron, glance in RHEV 3.4). The plan is to create spanned subsystems between RHEV and OpenStack environments -- allowing RHEV to participate in the development velocity of the OpenStack community.
All,
It took a bit longer than I would have liked to get the documentation reviewed, but I now have a full ICD 503 ATO (No POA&Ms) at MML (RMF levels) as of today for the system described in the presentation below that includes RHEV, IdM, and RHN Satellite.
For any further details, please contact me off list and I will do my best to put you in touch with the security group.
Regards,
Frank Caviggia
On 10/29/14, 4:50 PM, Gabe Alford wrote:
I wanted to ask if anyone is using RHEV at all especially in
an IC/DoD environment. Has it been approved? Secured? What issues are there?
RHEV 3x has been dropped into a few JWICS environments. Formally on a few IC approved product baselines (I worked on a few of them). IIRC it's on Army's baseline too.... but I shouldn't be quoted on that (can check with those who are authoritative, if useful).
The Virtual Machine Manager STIG is still in draft:
Website: http://iase.disa.mil/stigs/srgs/Pages/index.aspx
Direct Link: http://iasecontent.disa.mil/stigs/zip/u_draft_vmm_srg_v1r01.zip
Once it's polished up, you'll likely see progress on a formal RHEV STIG (we need it for RHEV Manager).
Thanks all! Very helpful.
Gabe
On Thu, Oct 30, 2014 at 7:57 PM, Shawn Wells shawn@redhat.com wrote:
On 10/29/14, 4:50 PM, Gabe Alford wrote:
I wanted to ask if anyone is using RHEV at all especially in
an IC/DoD environment. Has it been approved? Secured? What issues are there?
RHEV 3x has been dropped into a few JWICS environments. Formally on a few IC approved product baselines (I worked on a few of them). IIRC it's on Army's baseline too.... but I shouldn't be quoted on that (can check with those who are authoritative, if useful).
The Virtual Machine Manager STIG is still in draft:
Website: http://iase.disa.mil/stigs/srgs/Pages/index.aspx
Direct Link: http://iasecontent.disa.mil/stigs/zip/u_draft_vmm_srg_v1r01.zip
Once it's polished up, you'll likely see progress on a formal RHEV STIG (we need it for RHEV Manager).