Linux virtualisation
From Gender and Tech Resources
Over the years, computers have become powerful enough to use virtualisation to create the illusion of many smaller virtual machines, each running a separate operating system instance. There are several kinds of virtual machines (VMs) which provide similar features but differ in the degree of abstraction and in the techniques used to achieve it.
OK, so virtualisation is the latest hype. Why should I care? Computers are getting cheaper every day...
Why use virtualisation?
- Consolidation means combining multiple software workloads on one computer system. Running several virtual machines on one physical host saves money and power (electricity).
- Moving workloads to a new server becomes easy: install a host OS on the new server, then copy the virtual machine over. With live migration (e.g. Xen live migration) you can even move a running virtual machine from one host to another.
- Testing configurations of new Linux distributions in small, low-priority virtual machines (VMs). Afterwards you throw the whole VM away instead of living with a cluttered system.
- Learning new operating systems, programming languages or databases without making changes to the base environment.
- If a mail server or any other application gets hacked, the adversary controls only that VM, provided the virtualisation layer holds: isolation is only as strong as the hypervisor or container kernel, so keep it patched and give the VM no more access to the host than it needs (no shared folders, no device pass-through, no network reach beyond what the workload requires).
- Misbehaving applications (e.g. memory leaks) cannot easily bring down the whole machine (handy on servers).
- Running that old operating system on new hardware. No more critical applications tying you to old hardware because they only run on a legacy operating system.
Types of virtualisation
The techniques differ in implementation complexity, breadth of OS support, performance compared with a standalone server, and the level of access guests have to shared resources. For example, full virtual machines (emulation and native virtualisation) have the widest scope of use, since they run unmodified guests, but the poorest performance. Paravirtualised VMs perform better but support fewer OSs, because the guest OS has to be modified.
Virtualisation on the OS level provides the best performance and scalability of all the approaches, at the price of the weakest isolation, because every guest shares the host kernel. Such virtual environments are usually also much simpler to administer, as all of them can be accessed and administered from the host system. Generally, they are the best choice for server consolidation when all workloads can run on one kernel.
Emulation
A software emulator allows computer programs to run on a platform (computer architecture and / or operating system) other than the one for which they were originally written. Unlike simulation, which only attempts to reproduce a program's behaviour, emulation attempts to model, to various degrees, the state of the device being emulated. The virtual machine simulates the complete hardware, allowing an unmodified OS for a completely different CPU to be run. Emulators commonly implement this with dynamic recompilation (dynamic binary translation): guest instructions are translated into host instructions at run time and the translations are cached, which is much faster than interpreting each guest instruction but still slower than running guest code directly on the CPU.
Paravirtualisation
Paravirtualisation is a technique that presents a software interface to virtual machines that is similar, but not identical, to that of the underlying hardware. This requires operating systems to be explicitly ported to run on top of the virtual machine monitor (VMM), but it allows the VMM itself to be simpler and the virtual machines running on it to achieve higher performance. Most of the work is performed in the guest OS code, which is modified (ported) to support the VMM and to avoid unnecessary use of privileged instructions. The technique still allows different OSs to run on a single server, but each of them must be ported to «know» it is running under the hypervisor. Paravirtualisation is used by Xen (for PV guests) and by UML (see below under virtualisation software).
Native Virtualisation
Native virtualisation (also called full virtualisation) is a technique where the virtual machine monitor or hypervisor simulates just enough hardware to allow an unmodified operating system to run in isolation; the guest operating system must be built for the same type of CPU as the host, because its code runs directly on that CPU. On x86 this is done either with the hardware extensions Intel VT-x and AMD-V (the approach taken by KVM and by Xen HVM guests) or, in older products, by binary translation of the privileged parts of the guest code.
Operating System-Level Virtualisation
Most applications running on a server could easily share a machine with others if they could be isolated and secured. In most server situations different operating systems are not required, merely multiple instances of a single operating system. OS-level virtualisation systems have been designed to provide the required isolation and security to run multiple applications or copies of the same OS (possibly different distributions of it) on the same server.
Containers, also known as operating-system level virtualisation, do not run virtual machines at all, but simply segregate multiple user space environments from each other, while everything runs under one kernel. Each such partition looks and feels like a real server from the point of view of its owner. On Unix systems this technology can be thought of as an advanced extension of the standard chroot mechanism; on Linux the building blocks are kernel namespaces (pid, mount, network, uts, ipc, user), cgroups for resource limits, and capability and seccomp restrictions. OpenVZ, Virtuozzo, Linux-VServer, Solaris Zones and FreeBSD Jails are examples of OS-level virtualisation.
Container technologies like Linux-VServer, Virtuozzo/OpenVZ and Solaris Zones typically have a lower degree of isolation than VMs, in exchange for lower overhead and more flexible resource use: because all containers share one kernel, a kernel vulnerability reachable from inside a container compromises the host and every other container on it.
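The following script is an added example (not code from the original page or from any of the container projects named above) showing the isolation primitive that Linux containers are built on: kernel namespaces. It lists the namespaces a process lives in, tests whether two processes share one, and, where unprivileged user namespaces are enabled, starts a shell that is PID 1 in its own pid and mount namespace yet still reports the host's kernel version. The `unshare` options are those of util-linux; the `demo` argument and function names are this example's own.

```shell
#!/bin/sh
# Added example: namespaces are what separates one container from another.
# A process is isolated from another for a given namespace type exactly
# when the two /proc/<pid>/ns/<type> links resolve to different inodes.

# Print the namespace identifiers ("type:[inode]") of a process.
list_ns() {
    pid="${1:-self}"
    for ns in pid mnt net uts ipc user; do
        link=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null) || continue
        printf '%s\n' "$link"
    done
}

# Exit 0 when processes $1 and $2 share namespace type $3, 1 when they do
# not, 2 when the links cannot be read (foreign user, no /proc).
same_ns() {
    a=$(readlink "/proc/$1/ns/$3" 2>/dev/null) || return 2
    b=$(readlink "/proc/$2/ns/$3" 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Run a command as PID 1 of fresh user, pid, mount and uts namespaces with a
# private /proc. This is the same kernel facility OpenVZ-style containers
# rely on; it needs unprivileged user namespaces to be enabled.
in_container() {
    unshare --user --map-root-user --pid --fork --mount-proc --uts "$@"
}

# Stand-alone demo (run with the argument "demo"). Inside the namespace the
# shell is PID 1 and sees only its own processes, but `uname -r` is the host
# kernel: that shared kernel is the attack surface a container does not hide.
if [ "${1:-}" = "demo" ]; then
    echo "host kernel:  $(uname -r)"
    echo "host pid ns:  $(readlink /proc/self/ns/pid)"
    in_container sh -c '
        echo "guest kernel: $(uname -r)"
        echo "guest pid ns: $(readlink /proc/self/ns/pid)"
        echo "guest shell pid: $$"
        echo "guest process count: $(ls /proc | grep -c "^[0-9]")"
    ' || echo "unshare not permitted in this environment"
fi
```

Compare the two `pid ns` lines when the demo succeeds: they differ, while the two kernel lines are identical. That pair of observations is the whole security story of OS-level virtualisation in one run.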
Virtualisation software
freebsd jail subsystem
2001: On most UNIX® systems, root has omnipotent power. This promotes insecurity. If an attacker gained root on a system, he would have every function at his fingertips. In FreeBSD there are sysctls which dilute the power of root, in order to minimize the damage caused by an attacker. Specifically, one of these functions is called secure levels. Similarly, another function which is present from FreeBSD 4.0 and onward, is a utility called jail(8). Jail chroots an environment and sets certain restrictions on processes which are forked within the jail. For example, a jailed process cannot affect processes outside the jail, utilize certain system calls, or inflict any damage on the host environment. https://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/jail.html
uml
User Mode Linux (UML) was the first virtualisation technology for Linux: a port of the Linux kernel that runs as an ordinary user-space process on a Linux host, with the guest's system calls intercepted by the host. UML is generally considered to have lower performance than competing technologies such as Xen and OpenVZ.
openvz
OpenVZ is operating system-level (container-based) virtualisation for Linux, built on a patched Linux kernel that the host must run. OpenVZ creates multiple isolated Linux containers (otherwise known as VEs or VPSs) on a single physical server, enabling better server utilisation and ensuring that applications do not conflict. http://openvz.org/Main_Page
xen
Xen is a virtual machine monitor (hypervisor) originally written for 32 and 64 bit Intel / AMD x86, IA-64 and PowerPC 970; current releases target x86-64 and Arm. It allows several guest operating systems to be executed on the same computer hardware concurrently, either paravirtualised (PV) or unmodified with hardware assistance (HVM). Xen is included with most popular Linux distributions such as Debian, Ubuntu, CentOS, RHEL, Fedora and many others. http://www.xenproject.org/
kvm
Kernel-based Virtual Machine (KVM) is the Linux kernel's own virtualisation infrastructure: a kernel module that turns the host kernel into a hypervisor. KVM supports native virtualisation using Intel VT-x or AMD-V, so it only works on CPUs that expose those extensions (and only when the kvm module is loaded and /dev/kvm is accessible). A wide variety of guest operating systems work with KVM, including many flavours of Linux, BSD, Solaris and Windows. KVM is included with Debian, openSUSE and other Linux distributions. http://www.linux-kvm.org/page/Main_Page
qemu
QEMU is a generic and open source machine emulator and virtualiser. When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC); by using dynamic translation it achieves good performance for an emulator. When used as a virtualiser, QEMU achieves near native performance by executing the guest code directly on the host CPU. QEMU supports virtualisation when executing under the Xen hypervisor or using the KVM kernel module in Linux. When using KVM, QEMU can virtualise x86, server and embedded PowerPC, and S390 guests. http://wiki.qemu.org/Index.html
QEMU (GPL v2) emulates a full computer without relying on trap & emulate. Its Tiny Code Generator (TCG) reads the guest instructions that are about to run, one basic block at a time, translates them into equivalent host instructions (with privileged instructions replaced by calls into the emulator), and keeps the result in a translation cache. The guest's own code pages are never patched, so a debugger inside the guest sees the original code; instead, writes to a page that has translated code are detected and the affected translations are invalidated and regenerated, which is what makes self-modifying guest code work.
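An added example (not from the original page, nor from the QEMU or KVM projects) for the two sections above: check whether this host can run a guest under KVM, and otherwise fall back to QEMU's TCG emulation. The CPU flag test reads a cpuinfo file, so it can be run against a constructed sample; the /dev/kvm test takes a path for the same reason. The function names, the `demo` argument and the QEMU defaults chosen (1 GiB, user-mode NAT networking, virtio disk, no graphics) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pick the accelerator (kvm or tcg) for qemu-system-x86_64.

# Report the CPU's virtualisation extension from a cpuinfo file:
# "vmx" (Intel VT-x), "svm" (AMD-V) or "none". Only the "flags" line is
# consulted, so the model name cannot produce a false match.
hw_virt_flag() {
    file="${1:-/proc/cpuinfo}"
    if grep '^flags' "$file" | grep -qw vmx; then
        echo vmx
    elif grep '^flags' "$file" | grep -qw svm; then
        echo svm
    else
        echo none
    fi
}

# KVM is usable only when the kvm module has created /dev/kvm (a character
# device) and the current user can open it read/write (the "kvm" group on
# most distributions). The path argument exists for testing with a file.
kvm_usable() {
    dev="${1:-/dev/kvm}"
    [ -e "$dev" ] && [ -r "$dev" ] && [ -w "$dev" ]
}

# "kvm" when the CPU flag and the device both line up, else "tcg":
# pure emulation works everywhere but is an order of magnitude slower.
choose_accel() {
    flag=$(hw_virt_flag "${1:-/proc/cpuinfo}")
    if [ "$flag" != none ] && kvm_usable "${2:-/dev/kvm}"; then
        echo kvm
    else
        echo tcg
    fi
}

# Build the command line. "-cpu host" passes the real CPU model through and
# only exists under KVM; TCG gets the generic qemu64 model instead.
qemu_cmdline() {
    image="$1"; accel="$2"
    if [ "$accel" = kvm ]; then cpu=host; else cpu=qemu64; fi
    printf 'qemu-system-x86_64 -accel %s -cpu %s -m 1024 -nographic -nic user,model=virtio-net-pci -drive file=%s,if=virtio,format=qcow2\n' \
        "$accel" "$cpu" "$image"
}

# Stand-alone demo (run with the argument "demo"); the cpuinfo sample is
# constructed here, not captured from a real machine.
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3 sse4_1\n' > "$sample"
    echo "constructed sample cpuinfo reports: $(hw_virt_flag "$sample")"
    echo "this host reports: $(hw_virt_flag) / kvm usable: $(kvm_usable && echo yes || echo no)"
    accel=$(choose_accel)
    echo "would start the guest with: $(qemu_cmdline guest.qcow2 "$accel")"
    rm -f "$sample"
fi
```

If `hw_virt_flag` says `vmx` or `svm` but `kvm_usable` fails, the usual causes are the extension being disabled in firmware, a missing `kvm_intel` / `kvm_amd` module, or the user not being in the group that owns /dev/kvm.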
linux-vserver
Linux-VServer is a virtual private server implementation done by adding operating system-level virtualization capabilities to the Linux kernel. The Linux-VServer technology is a soft partitioning concept based on Security Contexts which permits the creation of many independent Virtual Private Servers (VPS) that run simultaneously on a single physical server at full speed, efficiently sharing hardware resources http://linux-vserver.org.
virtualbox
VirtualBox is an x86 virtualisation software package, originally developed by innotek, then by Sun Microsystems as part of its Sun xVM virtualisation platform, and now by Oracle. Supported host operating systems include Linux, macOS, Windows and Solaris (historically also OS/2 Warp), while supported guest operating systems include FreeBSD, Linux, OpenBSD, OS/2 Warp, Windows and Solaris. https://www.virtualbox.org/
Installing
Usage
- Setting up a virtualbox VM for chaining for anonymising your traffic with linux.
- Testing devuan and voidlinux suitability for making our own linux images.
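An added example (not code from the original page or from the VirtualBox project) for the two uses above: create a throwaway VirtualBox VM from the shell with the host/guest channels that matter for an anonymising or testing VM closed off, namely NAT-only networking, no shared clipboard, no drag-and-drop, no remote display and no shared folders. The VBoxManage subcommands and options are those documented for VirtualBox 6.1 and 7.x (older releases spell `--clipboard-mode` as `--clipboard`); the `run`/`DRY_RUN` wrapper, the function names and the VM parameters are this example's own.

```shell
#!/bin/sh
# Added example: headless, locked-down VirtualBox VM from the command line.

# Every VBoxManage call goes through run(), so with DRY_RUN=1 the script
# only prints the exact commands it would execute; review them first.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_vm NAME OSTYPE MEMORY_MB DISK_MB ISO_PATH
# Nothing is defaulted silently: every parameter is an argument.
create_vm() {
    name="$1"; ostype="$2"; mem="$3"; disk_mb="$4"; iso="$5"
    run VBoxManage createvm --name "$name" --ostype "$ostype" --register
    # NAT keeps the guest off the host's LAN; clipboard, drag-and-drop and
    # the VRDE remote display are guest<->host channels we do not want.
    run VBoxManage modifyvm "$name" --memory "$mem" --vram 16 \
        --nic1 nat --clipboard-mode disabled --draganddrop disabled --vrde off
    run VBoxManage createmedium disk --filename "$name.vdi" --size "$disk_mb"
    run VBoxManage storagectl "$name" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$name" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$name.vdi"
    run VBoxManage storageattach "$name" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$iso"
}

# Start without a GUI window (the VM's console is reachable only through
# whatever the guest itself listens on).
start_vm() {
    run VBoxManage startvm "$1" --type headless
}

# Check the isolation-relevant settings after creation (real run only).
# Expect clipboard="disabled", draganddrop="disabled", nic1="nat", vrde="off"
# and no SharedFolder* keys at all.
audit_vm() {
    VBoxManage showvminfo "$1" --machinereadable \
        | grep -E '^(clipboard|draganddrop|nic1|vrde|SharedFolder)'
}

# Stand-alone dry run (run with the argument "demo"); the ISO path is a
# placeholder, not a file this example ships.
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    create_vm testbox Debian_64 1024 8192 /path/to/installer.iso
    start_vm testbox
fi
```

For the traffic-chaining use, `--nic1 nat` is the minimum; a stricter setup attaches the guest to an internal network (`--nic1 intnet`) whose only exit is another VM running the anonymising gateway, so the guest has no route to the real network at all.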
bochs
Bochs is a portable x86 and AMD64 PC emulator and debugger. Many guest operating systems can be run using the emulator including DOS, several versions of Microsoft Windows, BSDs, Linux, AmigaOS, Rhapsody and MorphOS. Bochs can run on many host operating systems, like Windows, Windows Mobile, Linux and Mac OS X.
Resources
- Table comparing the features and performance of the various virtualisation technologies available for Linux: http://virt.kernelnewbies.org/TechComparison