Virtualisation, when applied as a term to full systems, is the process by which a full computer is emulated such that an operating system can run as though it were on real hardware. That is, of course, a simplification - though it holds. Virtualisation has been around for a very long time in one form or another, but as it is used these days, it tends only to apply to the above definition.

I must warn you now that this article will only be dealing with virtualisation technologies which exist for Linux and I will only be touching on some of the very many options out there. Linux has a number of built-in virtualisation technologies already and more are being developed, and while many if not all of them are available in some form on other *NIX operating systems (and indeed Windows), I am only going to consider the forms they take on Linux.

At the "lightest" level of virtualisation are chroots. These are very simple and offer very little in the way of protection, but they are extremely lightweight and allow you to have multiple operating systems present and to run software in effectively isolated instances of those operating systems with little effort. In particular, chroots still share process trees, mount namespaces, file descriptors etc. between themselves, and as such are not, in and of themselves, a way to effectively prevent attacks from code of unknown provenance.

The next level "up" in virtualisation is Linux containers, where the various aspects of the *NIX system such as PIDs, FDs, mount namespaces, etc. can be unshared. These containers, managed by tools such as Docker, are somewhat more isolated than chroots, but they still share the same kernel and as such are still risky endeavours, since only the one piece of software (the kernel) stands between an attacker and the rest of the system(s).
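The difference between a chroot and a container described above is visible from outside the process: every process has /proc/&lt;pid&gt;/ns/* links naming the namespaces it lives in, and a chroot'd process shares all of them with the host while a container has unshared some. The following added example (not from the original article) compares a process's namespaces with our own; it assumes a Linux /proc and, for the second demonstration, the util-linux `unshare` tool.

```python
"""Added example: compare a process's Linux namespaces with our own.
A chroot only changes the root directory, so its /proc/<pid>/ns/* links still
match the host's; a container (unshare/clone flags, as Docker uses) gets its
own pid, mnt, net ... namespaces. Reading those links shows the real sharing."""
import os
import subprocess
import time

def read_namespaces(pid="self"):
    """Map name -> 'type:[inode]' for /proc/<pid>/ns/*; links we may not read
    (another user's process without CAP_SYS_PTRACE) map to None."""
    ns_dir = f"/proc/{pid}/ns"
    namespaces = {}
    for name in sorted(os.listdir(ns_dir)):
        try:
            namespaces[name] = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            namespaces[name] = None
    return namespaces

def unshared_namespaces(pid, ref_pid="self"):
    """Sorted names of namespaces in which `pid` differs from `ref_pid`.
    An empty list means chroot-level isolation at best: same kernel view."""
    ref, other = read_namespaces(ref_pid), read_namespaces(pid)
    return sorted(k for k in ref if ref[k] != other.get(k))

def child_isolation(cmd, settle=0.3):
    """Spawn `cmd`, list what it has unshared from us, then kill it. Returns
    None if it never started or had already exited (e.g. user namespaces off)."""
    try:
        proc = subprocess.Popen(cmd, stderr=subprocess.DEVNULL)
    except OSError:
        return None
    time.sleep(settle)
    unshared = unshared_namespaces(proc.pid) if proc.poll() is None else None
    if unshared is not None:
        proc.kill()
    proc.wait()
    return unshared

if __name__ == "__main__":
    # A plain child, like a chroot'd process, shares every namespace with us: [].
    print("plain child:  ", child_isolation(["sleep", "30"]))
    # util-linux unshare with a user namespace needs no root on most distros.
    # The unshare process itself stays in the old pid namespace; only its
    # pid_for_children link (and the forked sleep) move into the new one.
    print("unshare child:", child_isolation(["unshare", "--user", "--map-root-user", "--pid",
                                             "--fork", "--mount", "--kill-child", "sleep", "30"]))
```

Run against a Docker container's init PID (as root, or with CAP_SYS_PTRACE) the same check lists the namespaces the container runtime unshared, which is a quick way to verify that a workload is actually containerised rather than merely chroot'd.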

Beyond what we have already discussed, we get into "proper" system virtualisation, where a full computer is emulated in some fashion. This might be partial or full virtualisation, and there are a number of ways of achieving it on a modern Linux system. There is a built-in virtualisation mechanism called kvm which, along with some user-land software, allows a Linux kernel to be a hypervisor for a number of virtualised systems limited, in theory, only by available resources. KVM itself isn't particularly friendly to use, but there is a project called libvirt which abstracts kvm (and other virtualisation mechanisms) and can help with that. The kvm system supports a method of providing efficiently virtualised emulated hardware to the guest systems called virtio. In this manner, kvm can provide either partial or full virtualisation, although typically only other Linux guests will use virtio.

If you require something a little more cross-platform (for example if you want to run the same virtualisation system on your Linux systems as your colleagues and friends could run on their Windows or Mac OS systems) then there is Oracle's VirtualBox. VirtualBox has a GUI to help you organise your systems a little like libvirt can. It works on other platforms as well as Linux and it is consistent in its behaviour across those platforms, in all of the features it offers to guests, users, and command-line programs. VirtualBox has a feature called 'Guest Additions' which provides partial virtualisation features where the guest and host collude to provide features such as mounting parts of the host filesystem into the guest, or accelerating video driver access. VirtualBox is, for the most part, open source software.

If you are, however, interested in paid-for virtualisation solutions, then the one option which springs to most people's minds is VMware Workstation. VMware is proprietary and costs a non-trivial amount of money, but perhaps offers the best results if you wish to virtualise Windows to avoid having to run it natively.

And as if all the above wasn't enough, it's possible to nest these techniques to form nested virtualisation at various levels. Some of the above techniques can also be accelerated by hardware. Indeed, if you have an x86 system and you wish to play with any of kvm, VirtualBox or VMware, then you should probably pop into your BIOS (or whatever you have) and check that the VT bit is enabled for your CPUs. (In theory there are attack vectors which take advantage of VT to leak data, and it is also a way to potentially fool you, so it is usually turned off by default.)

As you can tell, if you read up on the above software and the concepts and technologies referenced in the very first link of this article, virtualisation is a powerful technique which can be applied at various levels to provide security or isolation to you and to software you wish to run. Nesting various virtualisation mechanisms at various points in your software architecture can result in it being significantly harder for an attacker to break out and do harm to your systems.