<p>Virtualised systems, by Daniel Silverstone, yakking, 2015-01-28 (tagged kvm). Post: http://yakking.branchable.com/posts/virtualisation/</p>
<p><a href="http://en.wikipedia.org/wiki/Virtualization">Virtualisation</a>, when applied as
a term to full systems, is the process by which a full computer is emulated
such that an operating system can run as though it were on real hardware. That
is, of course, a simplification - though it holds. Virtualisation has been
around for a very long time in one form or another, but as it is used these
days, it tends only to apply to the above definition.</p>
<p>I must warn you now that this article will only be dealing with virtualisation
technologies which exist for Linux and I will only be touching on some of the
very many options out there. Linux has a number of built-in virtualisation
technologies already and more are being developed, and while many if not all of
them are available in some form on other *NIX operating systems (and indeed
Windows), I am only going to consider the forms they take on Linux.</p>
<p>At the "lightest" level of virtualisation are
<a href="http://linux.die.net/man/2/chroot">chroot</a>s. These are very simple and offer
very little in the way of protection but they are extremely lightweight and
allow you to have multiple operating systems present and run software in
effectively isolated instances of those operating systems with little effort.
In particular, chroots still share process trees, mount namespaces, file
descriptors, etc., with the rest of the system, and as such are not, in and of
themselves, an effective way to contain attacks from code of unknown provenance.</p>
<p>The next level "up" in virtualisation are Linux containers where the various
aspects of the *NIX system such as PIDs, FDs, mount namespaces, etc can be
<a href="http://linux.die.net/man/2/unshare">unshare</a>d. These containers, managed by
tools such as <a href="http://www.docker.com/">Docker</a>, are somewhat more isolated than
chroots, but they still share the same kernel and as such are still risky
endeavours, since only one piece of software (the kernel) stands between an
attacker and the rest of the system(s).</p>
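<p>The practical difference between the two levels above is which kernel namespaces a process shares with the rest of the system: a chroot changes only the root directory, so the chrooted process still shares its pid, mount, network and other namespaces with PID 1, whereas a container built with unshare(2) has its own. The following is an added example, not code from the original post, that makes that visible by comparing the <code>/proc/PID/ns/*</code> symlinks of two processes. The function names are my own, and the namespace ids in the usage note are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the original post): tell a chroot apart from a
# container by comparing the kernel namespaces two processes live in.
# A chroot only changes the root directory, so the chrooted process still
# shares every namespace with PID 1; a container built with unshare(2)
# shows distinct pid/mnt (and usually net/ipc/uts) namespace ids.

# ns_listing PID: print one "name:[inode]" line per namespace of PID, taken
# from the /proc/PID/ns/* symlinks (Linux only; needs permission to read them).
ns_listing() {
    pid="$1"
    for link in /proc/"$pid"/ns/*; do
        [ -e "$link" ] || continue
        target=$(readlink "$link") || continue   # e.g. "pid:[4026531836]"
        printf '%s\n' "$target"
    done
}

# ns_lookup NAME LISTING: inode of namespace NAME in LISTING, or "" if absent.
ns_lookup() {
    printf '%s\n' "$2" | sed -n "s/^$1:\[\([0-9]*\)\]$/\1/p"
}

# ns_compare LISTING_A LISTING_B: print "NAME shared" or "NAME distinct" for
# every namespace in A; return 0 when all are shared (chroot-like) and 1 when
# at least one differs (container-like).
ns_compare() {
    a="$1"; b="$2"; differs=0
    for name in $(printf '%s\n' "$a" | sed -n 's/^\([a-z_]*\):\[.*$/\1/p'); do
        ia=$(ns_lookup "$name" "$a")
        ib=$(ns_lookup "$name" "$b")
        if [ -n "$ib" ] && [ "$ia" = "$ib" ]; then
            printf '%s shared\n' "$name"
        else
            printf '%s distinct\n' "$name"
            differs=1
        fi
    done
    return "$differs"
}

# ns_verdict LISTING_A LISTING_B: one-word summary for scripts and reports.
ns_verdict() {
    if ns_compare "$1" "$2" >/dev/null; then
        echo chroot-like
    else
        echo container-like
    fi
}

# Live use: compare a suspect PID (default: this shell) against PID 1.
# Only runs when asked, since it needs a Linux /proc and read access to
# the other process's ns links.
if [ "${1:-}" = "--live" ] && [ -d /proc/1/ns ]; then
    suspect="${2:-$$}"
    ns_compare "$(ns_listing "$suspect")" "$(ns_listing 1)"
    echo "verdict: $(ns_verdict "$(ns_listing "$suspect")" "$(ns_listing 1)")"
fi
```

<p>Run as <code>sh ns-check.sh --live 1234</code> to compare process 1234 with init. A process that reports every namespace as <code>shared</code> is at most chrooted, which is exactly why the post says a chroot offers little protection; one whose <code>pid</code> and <code>mnt</code> namespaces are <code>distinct</code> has at least been unshared, though it still shares the kernel.</p>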
<p>Beyond what we have already discussed, we get into "proper" system
virtualisation, where a full computer is emulated in some fashion. This might
be partial or full virtualisation and there are a number of ways of achieving
it on a modern Linux system. There is a built-in virtualisation mechanism
called <a href="http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine">kvm</a> which,
along with some user-land software, allows a Linux kernel to be a
<a href="http://en.wikipedia.org/wiki/Hypervisor">hypervisor</a> for a number of
virtualised systems limited, in theory, only by available resources. KVM itself
isn't particularly friendly to use, but there is a project called
<a href="http://libvirt.org/">libvirt</a> which abstracts kvm (and other
virtualisation mechanisms) and can help with that. The kvm system supports a
method of providing efficiently virtualised emulated hardware to the guest
systems called <em>virtio</em>. In this manner, kvm can provide either partial or
full virtualisation, although typically only other Linux guests will use virtio.</p>
<p>If you require something a little more cross-platform (for example if
you want to run the same virtualisation system on your Linux systems as
your colleagues and friends could run on their Windows or Mac OS systems)
then there is Oracle's <a href="http://www.virtualbox.org/">VirtualBox</a>.
VirtualBox has a GUI to help you organise your systems a little like libvirt
can. It works on other platforms as well as Linux and it is consistent in its
behaviour across those platforms, in all of the features it offers to guests,
users, and command-line programs. VirtualBox has a feature called 'Guest
Additions' which provides partial virtualisation features where the guest and
host collude to provide features such as mounting parts of the host filesystem
into the guest, or accelerating video driver access. VirtualBox is, for the
most part, open source software.</p>
<p>If you are, however, interested in pay-for virtualisation solutions then the
one option which springs to most people's minds is
<a href="http://www.vmware.com/">VMWare</a> Workstation. VMWare is proprietary and costs
a non-trivial amount of money but perhaps offers the best results if you wish
to virtualise Windows to avoid having to run it natively.</p>
<p>And as if all the above wasn't enough, it's possible to nest these techniques
to form nested virtualisation at various levels. Some of the above techniques
can also be accelerated by hardware. Indeed, if you have an <em>x86</em> system and
you wish to play with any of kvm, VirtualBox or VMWare then you should probably
pop into your BIOS (or whatever you have) and check that the <em>VT</em> bit is
enabled for your CPUs. (In theory there are attack vectors which take advantage
of VT to leak data, and it is also a way to potentially fool you, so it is
usually turned off by default.)</p>
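<p>Checking for the VT bit from inside Linux, and checking that kvm can actually use it, are two separate questions: the CPU advertises VT-x as the <code>vmx</code> flag (AMD-V as <code>svm</code>) in <code>/proc/cpuinfo</code>, while the user-land side the kvm paragraph mentions (qemu, libvirt) needs the <code>/dev/kvm</code> device to exist and be writable. The script below is an added example, not code from the original post; its function names are my own, the cpuinfo text in the usage note is constructed, and the advice in <code>virt_verdict</code> about the <code>kvm</code> group is the common Debian-style arrangement rather than a universal rule.</p>

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Linux host can
# offer hardware-assisted virtualisation to kvm, VirtualBox or VMware, and say
# why not when it cannot. Three checks, kept separate so each can be tested:
#   1. the cpuinfo flag ("vmx" for Intel VT-x, "svm" for AMD-V),
#   2. whether /dev/kvm exists and is usable by this user,
#   3. a one-line verdict combining the two.

# hwvirt_flag: read /proc/cpuinfo-style text on stdin and print "vmx", "svm"
# or "none". Only the "flags" line is consulted, so "vmx" appearing inside a
# model name cannot produce a false positive.
hwvirt_flag() {
    awk '
        /^flags[ \t]*:/ && !hit {
            for (i = 2; i <= NF; i++)
                if ($i == "vmx" || $i == "svm") { hit = $i; break }
        }
        END { print (hit ? hit : "none") }
    '
}

# kvm_device_state [PATH]: "usable" if PATH (default /dev/kvm) is a character
# device this user can open read/write, "present-but-denied" if it is a
# character device without that access, "absent" otherwise.
kvm_device_state() {
    dev="${1:-/dev/kvm}"
    if [ -c "$dev" ]; then
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            echo usable
        else
            echo present-but-denied
        fi
    else
        echo absent
    fi
}

# virt_verdict FLAG STATE: turn the two findings into one line that a setup
# script or a monitoring check can act on.
virt_verdict() {
    case "$1/$2" in
        none/*)
            echo "no vmx/svm flag: CPU lacks hardware virtualisation or firmware has it disabled (check the BIOS/UEFI VT setting)" ;;
        */usable)
            echo "hardware virtualisation ready ($1 flag present, /dev/kvm usable)" ;;
        */present-but-denied)
            echo "$1 flag present but /dev/kvm is not accessible to this user (on many distributions: join the kvm group)" ;;
        */absent)
            echo "$1 flag present but no /dev/kvm: kvm_intel/kvm_amd not loaded, or it refused to load because VT is disabled in firmware (check dmesg)" ;;
    esac
}

# Live use on the running host. Only runs when asked, so the functions above
# can be sourced and tested on constructed input elsewhere.
if [ "${1:-}" = "--live" ] && [ -r /proc/cpuinfo ]; then
    flag=$(hwvirt_flag </proc/cpuinfo)
    state=$(kvm_device_state)
    virt_verdict "$flag" "$state"
fi
```

<p>Run as <code>sh vt-check.sh --live</code>. On a constructed cpuinfo such as <code>flags : fpu vme de pse vmx sse2</code> the first function prints <code>vmx</code>; with no flag at all, the verdict points you at the firmware setting the post describes, and with the flag present but no device it points at the kvm module instead, which is the case the post's "check that the VT bit is enabled" advice is really about.</p>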
<hr />
<p>As you can tell, if you read up on the above software and the concepts and
technologies referenced in the very first link of this article, virtualisation
is a powerful technique which can be applied at various levels to provide
security or isolation to you and to software you wish to run. Nesting various
virtualisation mechanisms at various points in your software architecture can
result in it being significantly harder for an attacker to break out and do
harm to your systems.</p>