The Living Thing / Notebooks :

Virtual machines for curmudgeons

On pretending you have hardware using software

Usefulness: 🔧
Novelty: 💡
Uncertainty: 🤪 🤪 🤪
Incompleteness: 🚧 🚧 🚧

There are a few different virtual machine infrastructures now. Which one induces least tedium depends on your host OS and your purpose.

If you are running macOS, the somewhat-open-source virtualbox is acceptable.

If you are running Linux on modern x86-64, IMHO the libvirt/QEMU-KVM system is more transparent, seems to be faster, and, surprisingly, easier than the commercial virtualbox. (‘surprisingly’ because it has ugly graphical design which is usually a signifier of other UI thoughtlessness.)

At the bottom I mention some other VM-ish infrastructure which I don’t truly understand but might wish to explain to myself in the future. There are in fact many options, which relate in confusing ways. A list of ones not mentioned here, for the sake of my own future keyword searches:

Wikipedia lists many more.

Security

A common use of VMs is to sandbox untrusted code. This is better than not thinking about it, I guess, but in the era of frequent CPU-level security hole discovery (foreshadow etc) provides only partial security.

QEMU + KVM + virt-manager

What a remarkably tidy and easy collection of technologies, each with an obscure name and esoteric function. It exploits some hardware and kernel tricks to get simple and very flexible machines for linux hosts. I don’t pretend to understand ontology here, which part of the toolchain provides what etc. But these technologies have been the easiest for me with the stuff I am doing. If your host is also a Linux machine, use this. AFAICT the QEMU part will also run on Windows and macOS but I haven’t tried that myself.

Even the GUI, virt-manager, though of course awful as nearly all open source GUIs are, is barely worse than the other VM GUIs, even the ones with with massive commercial backing, so there is nothing to lose.

On Ubuntu, install thusly:

sudo apt install virt-manager libvirt-bin qemu-kvm

Now everything magically works if you run virt-manager, which creates new KVM machines. Has AFAICT all the features I care about in Virtualbox with less overhead and less wasted time.

GOTCHA: permissions problems with install media are tricky. If I want a VM to access something, and also I want to access the thing as a normal user, I have to put things in places that the user libvirt-qemu and I can both access them. This does not, per default, include some removable media, or home dirs, or encrypted mounts.

On Ubuntu I found could solve some problems by joining the kvm group

sudo addgroup "$(whoami)" libvirt  #or maybe libvirtd
sudo addgroup "$(whoami)" kvm

Generally, storing the necessary media in /var/lib/libvirt/images seems least troublesome.

Also defaulting the network to up is useful for getting going quickly.

virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default

The virtual machine build tool is virt-builder.

To get clipboard sharing one must run, in the guest machine,

sudo apt install spice-vdagent

Mounting mapped shares is not so obvious.

mount -t 9p -o trans=virtio /sharepoint /share

I needed a magic version string for some reason:

mount -t 9p -o trans=virtio,version=9p2000.L /sharepoint /share

or, in fstab

/share   /sharepoint    9p  trans=virtio,version=9p2000.L,rw    0   0

Gnome boxes

GNOME Boxes is some kind of fork of QEMU with a funkier GUI but less features?

Virtualbox

Virtualbox is semi-open source and has a marketing budget. It is cross-platform and has many howtos, so it’s what people often end up using per default. I found it painful, however I don’t recommend it if you have the KVM option. (i.e. might be the least worst for macOS or Windows hosts.)

Ubuntu

Everything is packaged and can be installed easily enough. If you are on Ubuntu, note that removing virtual box requires aggressive purging:

sudo apt --purge remove 'virtualbox-guest-*'

It will leave all kinds of stuff installed if you do the default purge.

macOS

How to get a Virtualbox virtual machine running with the minimum of dicking around, on macOS.

NB This note is from 2016. Perhaps things have improved since then?

For the sake of argument, let’s assume Ubuntu/Debian/Mint or one of those other dpkg distributions as guest.

OK, we download Virtualbox. Ubuntu server is a sane default guest OS, I suppose, let’s try that.

Set up all the following things.

  1. Ubuntu as VM guest.
  2. Virtualbox extensions.
  3. Virtualbox USB.

What? Didn’t work for you? ’Course not. There are details.

  1. remote usb
  2. usb not working
  3. Virtualbox extensions need extra installation because why would you want things to just work by default? Your favourite thing to do is yak shaving right?
  4. Shared folders should now work.

Wait what? Integration is STILL flakey?

You still need to install the Guest additions, you duffer:

sudo apt install dkms

Didn’t work, eh? Maybe you don’t have the right sources in your package manager:

sudo bash
echo "deb http://download.virtualbox.org/virtualbox/debian wily contrib" \
    >> /etc/apt/sources.list.d/oracle.list # http doesn’t work because oracle were too poor to spring for the right cert
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- |  apt-key add -
apt update
apt install dkms

Virtual box also ships with a virtual CD image with the right installers on, hidden in a submenu somewhere, which saves bandwidth.

You can skip some of these steps if you are happy to trust an unaccountable stranger to build your OS for you; osboxes hosts some prebuilt machines of unknown provenance.

Microsoft Hyper-V

Built-in to Windows 10 Enterprise, Pro, and Education editions. Manages various VMs including certain linux flavours AFAICT.

Vagrant

Don’t really know what vagrant is

If you are a developer, Vagrant will isolate dependencies and their configuration within a single disposable, consistent environment, without sacrificing any of the tools you are used to working with (editors, browsers, debuggers, etc.). Once you or someone else creates a single Vagrantfile, you just need to vagrant up and everything is installed and configured for you to work. Other members of your team create their development environments from the same configuration, so whether you are working on Linux, Mac OS X, or Windows, all your team members are running code in the same environment, against the same dependencies, all configured the same way

Qubes

Want an OS that uses modern hardware virtualisation to run apps separately to improve your privacy?

Qubes, the VM-based OS, does that. Very tinfoil-hat and CPU wasting, but if you are going to insist on doing high-security things, maybe this is worthwhile? It looks like a huge expenditure of configuration time for the user though.

Xen

Xen is open source, but it’s some kind of monster OS-level hack designed to run VMs in datacentres (?) so probably out of scope for this blog.

Firecracker

Firecracker provides hardened minimalistic microvms that try to be light like a container but robust against abuse. Used by Amazon for serverless stuff.

Firecracker microVMs use KVM-based virtualizations that provide enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. Firecracker also implements a minimal device model that excludes all non-essential functionality and reduces the attack surface area of the microVM.

mcrute says

Firecracker is solving the problem of multi-tenant container density while maintaining the security boundary of a VM. If you’re entirely running first-party trusted workloads and are satisfied with them all sharing a single kernel and using Linux security features like cgroups, selinux, and seccomp then Firecracker may not be the best answer. If you’re running workloads from customers similar to Lambda, desire stronger isolation than those technologies provide, or want defense in depth then Firecracker makes a lot of sense. It can also make sense if you need to run a mix of different Linux kernel versions for your containers and don’t want to spend a whole bare-metal host on each one.

By “sharing a single kernel” I think mcrute might also mean…

Containerized apps

Many of these. For practical purposes, people usually mean docker when they say this. See containerized apps.