The Living Thing / Notebooks :

Virtual machines for curmudgeons

On pretending you have hardware using software

There are a few different virtual machine infrastructures now. Which one induces least tedium depends on your host OS and your purpose.

If you are running OSX, the mostly-open-source virtualbox is acceptable.

If you are running linux on modern x86-64, IMHO the libvirt/QEMU-KVM system is more transparent, seems to be faster, and, surprisingly, easier. (surprisingly because it has ugly graphical design which is usually a signifier of other terrible things, and because it's a nerdy unix thing, which usually means bad UX for non-unix obsessives.)

At the bottom I mention some other VM-ish infrastructure which I don't truly understand but might wish to explain to myself in the future. There are in fact various options, which relate in confusing ways. A list of ones not mentioned here, for the sake of my own future keyword searches:

QEMU + KVM + virt-manager

What a disaster of naming! What a remarkably tidy and easy collection of technologies, each with a stupid and annoying name and vague explanations. It exploits the CPU's hardware virtualisation extensions (Intel VT-x, AMD-V) plus a kernel module to get simple and very flexible machines on linux hosts. I don't really pretend to understand the finer ontology here, but roughly: KVM is the kernel module that runs guest code directly on the hardware; QEMU is the userspace process that emulates the devices the guest sees (disks, NICs, USB, display), which is also where most of the attack surface lives; libvirt is the management daemon and API on top of QEMU; virt-manager is a GUI for libvirt. Whatever the division of labour, this has been the easiest for me with the stuff I am doing. If your host is a linux machine, use this. AFAICT the QEMU part will also run on Windows and macOS (using those platforms' own accelerators rather than KVM) but I haven't tried that myself.

Even the GUI, virt-manager, though of course awful as nearly all open source GUIs are, is barely worse than the other VM GUIs, even the ones with massive commercial backing.

On ubuntu, do this (on releases before 18.10 the two libvirt packages were a single package, libvirt-bin):

sudo apt install virt-manager qemu-kvm libvirt-daemon-system libvirt-clients
sudo usermod -aG libvirt "$USER"   # then log out and in again; lets you manage qemu:///system without running virt-manager as root

Now everything magically works if you run virt-manager, which creates new KVM machines for you. It has, AFAICT, all the features I care about in Virtualbox with less overhead and less wasted time.

The virtual machine image build tool is virt-builder (part of libguestfs); its command-line counterpart for defining a guest without the GUI is virt-install, from the same project as virt-manager.
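As an added example (mine, not the page's own and not code from the libvirt or libguestfs projects): a script that builds a guest image with virt-builder and then defines it with virt-install, switching off the emulated devices the guest does not need so that less of QEMU is exposed to it. The VM name, image directory, SSH key path and template name (ubuntu-20.04) are assumptions; by default (DRY_RUN=1) it only prints the two commands so you can inspect them, and DRY_RUN=0 actually runs the tools.

```shell
#!/bin/sh
# Added example, not from the original page or the libvirt project.
# Assumed (hypothetical) values: VM name "curmudgeon", images under
# /var/lib/libvirt/images, SSH key ~/.ssh/id_ed25519.pub, template ubuntu-20.04.
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
VM_NAME="${VM_NAME:-curmudgeon}"
IMAGE_DIR="${IMAGE_DIR:-/var/lib/libvirt/images}"
SSH_PUBKEY="${SSH_PUBKEY:-${HOME:-/root}/.ssh/id_ed25519.pub}"
TEMPLATE="${TEMPLATE:-ubuntu-20.04}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# virt-builder fetches a template from its GPG-signed index and verifies the
# image signature before touching it, so unlike a random download you know who
# built it (don't pass --no-check-signature). Root gets a random password,
# printed once on the terminal, and logs in with the injected SSH key only.
build_image() {
    run virt-builder "$TEMPLATE" \
        --output "$IMAGE_DIR/$VM_NAME.qcow2" --format qcow2 --size 10G \
        --hostname "$VM_NAME" \
        --root-password random \
        --ssh-inject "root:file:$SSH_PUBKEY"
}

# virt-install defines the libvirt domain. Each "none" below removes an
# emulated device, and the QEMU code behind it, that a headless server guest
# does not need: no graphics, no USB controller, no sound card, no balloon;
# a serial console and virtio disk and NIC are all it gets.
define_vm() {
    run virt-install --connect qemu:///system \
        --name "$VM_NAME" --memory 1024 --vcpus 1 \
        --import --disk "path=$IMAGE_DIR/$VM_NAME.qcow2,format=qcow2,bus=virtio" \
        --os-variant ubuntu20.04 \
        --network network=default,model=virtio \
        --graphics none --console pty,target_type=serial \
        --controller usb,model=none --sound none --memballoon model=none \
        --noautoconsole
}

build_image
define_vm
```

Once the domain exists, `virsh dumpxml curmudgeon` shows the resulting device list, which is the thing to review: anything that appears there is code inside QEMU that the guest can poke at.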

Gnome boxes

GNOME Boxes is not a fork of QEMU; it is a simplified GNOME front-end to the same libvirt/QEMU-KVM stack as virt-manager, with a funkier GUI and fewer knobs.

Virtualbox

Virtualbox is semi-open source and has a marketing budget. It is cross-platform and has many howtos, so it's what you end up using per default. But actually, it's a pain in the arse and I don't recommend it if you have the KVM option, above. (i.e. might be acceptable for OSX or Windows hosts.)

Ubuntu

Everything is packaged and can be installed easily enough. If you are on Ubuntu, note that removing VirtualBox requires aggressive purging. The virtualbox-guest-* packages below are Ubuntu's packaging of the guest additions (installed inside a guest); the host side is virtualbox, virtualbox-qt, virtualbox-dkms and friends, so widen the pattern to 'virtualbox*' if you want the lot gone:

sudo apt --purge remove 'virtualbox-guest-*'

macOS

How to get a Virtualbox virtual machine running with the minimum of dicking around, on macOS.

NB This note is from 2016. Perhaps things have improved since then?

For the sake of argument, let's assume Ubuntu/Debian/Mint or one of those other dpkg distributions.

OK, we download Virtualbox. Ubuntu server is a sane default guest OS, I suppose, let's try that.

Set up all the following things.

  1. Ubuntu as VM guest.
  2. Virtualbox extensions.
  3. Virtualbox USB.

What? Didn't work for you? 'Course not. There are details.

  1. remote usb
  2. usb not working
  3. Virtualbox extensions need extra installation because why would you want things to just work by default? Your favourite thing to do is dick around with yak shaving right?
  4. Shared folders should now work.

Wait what? Integration is STILL flakey?

You still need to install the Guest additions, you duffer. First the prerequisite, dkms, so that the additions' kernel modules get rebuilt whenever the guest kernel is updated:

sudo apt-get install dkms

Didn't work, eh? Maybe you don't have the right sources in your package manager. (dkms itself lives in Ubuntu's own repos, so if that is what failed, check your Ubuntu sources; Oracle's repo is where the host-side VirtualBox packages live.)

sudo bash
# "wily" is Ubuntu 15.10; substitute your own release codename (lsb_release -sc).
echo "deb http://download.virtualbox.org/virtualbox/debian wily contrib" \
    >> /etc/apt/sources.list.d/oracle.list # https doesn't work because oracle were too poor to spring for the right cert
# apt-key add trusts this key for every apt source, not just Oracle's;
# newer apt prefers a per-source keyring via the [signed-by=...] option.
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | apt-key add -
apt-get update
apt-get install dkms

VirtualBox also ships with a virtual CD image of the Guest Additions installers (Devices > Insert Guest Additions CD image in the VM window), which is what actually puts the additions into the guest once dkms is there, and saves bandwidth.

You can skip some of these steps if you are happy to trust an unaccountable stranger to build your OS for you; osboxes hosts some prebuilt machines of suspect provenance.

Microsoft Hyper-V

Built into Windows 10 Enterprise, Pro and Education editions (not Home). Manages various VMs including certain linux flavours AFAICT.

Vagrant

Don't really know what vagrant is. The Vagrant docs' own pitch:

If you are a developer, Vagrant will isolate dependencies and their configuration within a single disposable, consistent environment, without sacrificing any of the tools you are used to working with (editors, browsers, debuggers, etc.). Once you or someone else creates a single Vagrantfile, you just need to vagrant up and everything is installed and configured for you to work. Other members of your team create their development environments from the same configuration, so whether you are working on Linux, Mac OS X, or Windows, all your team members are running code in the same environment, against the same dependencies, all configured the same way

Qubes

Want an OS that uses modern hardware virtualisation to run apps in separate compartments, to improve your security and privacy?

Qubes, the VM-based OS, does that: it is built on Xen and puts your apps, the network stack (sys-net) and the USB controllers (sys-usb) in separate VMs, so a compromise of one stays in one. Very tinfoil-hat and CPU wasting, but if you are going to insist on doing high-security things, probably worthwhile.

Not sure how this weathers meltdown and spectre Intel CPU bugs, but possibly badly.

Maybe you want to run Qubes on an AMD CPU, eh?

Xen

Xen is open source, but it's some kind of monster of a bare-metal (type 1) hypervisor designed to run VMs in datacentres, with a privileged Linux "dom0" VM doing the management, which makes it out of scope for this blog (although it is what Qubes, above, is built on).

Firecracker

Firecracker provides hardened, minimalistic microVMs that try to be as light as a container while keeping a VM's isolation boundary. Amazon uses it underneath Lambda and Fargate.

Firecracker microVMs use KVM-based virtualizations that provide enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. Firecracker also implements a minimal device model that excludes all non-essential functionality and reduces the attack surface area of the microVM.

mcrute says

Firecracker is solving the problem of multi-tenant container density while maintaining the security boundary of a VM. If you’re entirely running first-party trusted workloads and are satisfied with them all sharing a single kernel and using Linux security features like cgroups, selinux, and seccomp then Firecracker may not be the best answer. If you’re running workloads from customers similar to Lambda, desire stronger isolation than those technologies provide, or want defense in depth then Firecracker makes a lot of sense. It can also make sense if you need to run a mix of different Linux kernel versions for your containers and don’t want to spend a whole bare-metal host on each one.

By “sharing a single kernel” I think mcrute means…
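As an added example, not Firecracker's own code and not from the original page: the minimal sequence to boot a microVM, run through Firecracker's jailer (the second layer of isolation behind the "defense in depth" in mcrute's comment) and then configured over the REST API on a unix socket. It makes the "minimal device model" point concrete: the guest gets exactly the devices you PUT, here one vCPU, 128 MiB, a serial console and a read-only root drive, and no network interface because none is configured. All paths (chroot base /srv/jailer, kernel and rootfs copied into the chroot as /vmlinux and /rootfs.ext4), the VM id and the uid/gid are assumptions; DRY_RUN=1 (the default) prints the steps instead of executing them.

```shell
#!/bin/sh
# Added example, not Firecracker's own code. Assumed (hypothetical) layout:
# jailer chroot base /srv/jailer, kernel and rootfs already copied into the
# chroot as /vmlinux and /rootfs.ext4, unprivileged uid/gid 1000.
# DRY_RUN=1 (the default) prints what would be done instead of doing it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
VM_ID="${VM_ID:-demo-vm}"
CHROOT_BASE="${CHROOT_BASE:-/srv/jailer}"
# The jailer builds <chroot_base>/<exec-file name>/<id>/root and creates the API
# socket under run/ inside it.
SOCK="$CHROOT_BASE/firecracker/$VM_ID/root/run/firecracker.socket"

# Layer one: the jailer drops Firecracker into a chroot and fresh mount and pid
# namespaces (a network namespace too if you pass --netns), applies cgroup
# limits you pass with --cgroup, and switches to an unprivileged uid/gid.
# Firecracker itself installs its seccomp filter before handling guest input.
run_jailer() {
    set -- jailer --id "$VM_ID" --exec-file /usr/bin/firecracker \
        --uid 1000 --gid 1000 --chroot-base-dir "$CHROOT_BASE" --daemonize
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PUT one JSON document to an API resource. Kernel and drive paths in the JSON
# are resolved inside the chroot, which is why the files must be copied there.
api_put() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'PUT /%s %s\n' "$1" "$2"
    else
        curl -sS -f --unix-socket "$SOCK" -X PUT "http://localhost/$1" \
            -H 'Accept: application/json' -H 'Content-Type: application/json' \
            -d "$2"
    fi
}

# The device model is exactly what you configure: no PUT to
# /network-interfaces/<id> means the guest has no NIC at all. The root drive
# is read-only; a workload that must write gets its own scratch drive.
machine_config() { printf '{"vcpu_count": 1, "mem_size_mib": 128}'; }
boot_source() {
    printf '{"kernel_image_path": "/vmlinux", "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}'
}
root_drive() {
    printf '{"drive_id": "rootfs", "path_on_host": "/rootfs.ext4", "is_root_device": true, "is_read_only": true}'
}

launch() {
    run_jailer
    api_put machine-config "$(machine_config)"
    api_put boot-source "$(boot_source)"
    api_put drives/rootfs "$(root_drive)"
    api_put actions '{"action_type": "InstanceStart"}'
}

launch
```

The order matters: machine-config, boot-source and drives must all be in place before the InstanceStart action, after which the configuration is frozen for that microVM.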

Containerized apps

There are many of these; for practical purposes, people usually mean docker when they say this. They all share the host kernel, which is the weaker isolation the Firecracker discussion above contrasts with. See containerized apps.