publication croisée depuis : https://lemmy.world/post/16156662

To be completely open, this is not a question about XCP-ng vs Proxmox. I’m open to doing everything in the cli, comparing two platforms is not my intention here.

I’m very interested in the security benefits one has over the other though. AFAIK Xen has a dedicated for security? I’d like to think that both are reasonably secure by default, but I do not get many hits for “KVM hardening”, for example, only OS-level hardening advice.

Do both protect equally against attacks that try to escape the VM? Is there anything in terms of security that one has and the other doesn’t?

I know this is not the usual kind of question that is asked on this sub, any help is greatly appreciated!

  • MigratingtoLemmy@lemmy.worldOP
    1·
    6 months ago

    I’m just being a bit paranoid with my attempts, and yes just KVM on Debian would work perfectly fine for my purposes but I’d like to take the more secure alternative if possible. Another comment about kernel hardening was a good one for KVM, and unfortunately AMD SEV is not available on most of their consumer chips (especially the older generations).

    If I were to switch off multi-threading but assign vCPUs to my VM assuming multi-threaded capacity (I.e. assign 12 vCPUs to my lab cluster after switching of SMT for my 6 core CPU), would I face performance issues? I wonder

        • Skull giver@popplesburger.hilciferous.nl
          1·
          6 months ago

          Based on this Zen3 benchmark, I’d say somewhere between 40 and 77% for the most impacted workloads tested.

          Some tests also run faster without SMT (mostly graphics/AI-on-CPU ones I think) so it really depends on your workload.

          On a gaming computer, results seem to vary between -10% to +10% FPS for a Ryzen 9 chip, probably because very few games make good use of that many CPU threads.

          If you’re running a small home server or desktop, I’d expect you to throw out a bit less than half the CPU capacity. You do get some of that back in power savings, so if your server is overspecced for your workload, disabling SMT may be interesting regardless of the security aspects.