Virtual machines for curmudgeons

On pretending to have hardware using software

November 5, 2015 — August 15, 2023


There are a few different virtual machine infrastructures now. Which one induces least tedium depends on your host OS and your purpose.

If you are running macOS, the somewhat-open-source VirtualBox is acceptable.

If you are running Linux on modern x86-64, IMHO the libvirt/QEMU-KVM system is more transparent, seems to be faster, and, surprisingly, easier than the commercial VirtualBox. (‘Surprisingly’ because it has ugly graphical design which is usually a signifier of other UI thoughtlessness.)

At the bottom, I mention some other VM-ish infrastructure which I don’t truly understand but might wish to explain to myself in the future. There are in fact many options, which relate in confusing ways. A list of ones not mentioned here, for the sake of my own future keyword searches:

Wikipedia lists many more.

1 Security

A common use of VMs is to sandbox untrusted code. This is better than not thinking about it, I guess, but in an era of frequent CPU-level security hole discoveries (Foreshadow etc.) it provides only limited mitigation: Foreshadow/L1TF, for instance, let a malicious guest read data belonging to the host or other guests through the L1 cache, straight across the VM boundary.

2 QEMU + KVM + virt-manager

What a remarkably tidy and easy collection of technologies, each with an obscure name and esoteric function. It exploits some hardware and kernel tricks to get simple and flexible machines for Linux hosts. I don’t pretend to understand the ontology here (which part of the toolchain provides what, etc.). But these technologies have been the easiest for me with the stuff I am doing. If your host is also a Linux machine, use this. AFAICT the QEMU part will also run on Windows and macOS but I haven’t tried that myself.

Even the GUI, virt-manager, though of course awful as nearly all open source GUIs are, is barely worse than the other VM GUIs, even the ones with massive commercial backing, so there is nothing to lose.

On Ubuntu, install thusly:

sudo apt install virt-manager libvirt-bin qemu-kvm  # Ubuntu 18.04
sudo apt install virt-manager qemu-kvm              # modern times

Now everything magically works if you run virt-manager, which creates new KVM machines. Has AFAICT all the features I care about in VirtualBox with less overhead and less wasted time.

GOTCHA: permission problems with install media are tricky. If I want a VM to access something, and also want to access the same thing as a normal user, I have to put it somewhere that both the libvirt-qemu user and I can read. Per default that does not include some removable media, home directories, or encrypted mounts.

On Ubuntu, I found I could solve some problems by joining the libvirt and kvm groups (log out and back in afterwards, or the new membership does not take effect):

sudo addgroup "$(whoami)" libvirt  #or maybe libvirtd
sudo addgroup "$(whoami)" kvm

Generally, storing the necessary media in /var/lib/libvirt/images seems least troublesome.

Setting the default libvirt network to autostart (and starting it now) is also useful for getting going quickly:

virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default

The virtual machine image build tool is virt-builder (from the libguestfs project).

To get clipboard sharing one must run, in the guest machine,

sudo apt install spice-vdagent

Mounting host folders shared through libvirt’s filesystem passthrough (a ‘mapped’ share) inside the guest is not so obvious. The first argument is the mount tag (libvirt’s target dir), the second is the guest directory to mount it on:

mount -t 9p -o trans=virtio /sharepoint /share

I needed a magic version string for some reason (9p2000.L is the Linux-flavoured 9P dialect):

mount -t 9p -o trans=virtio,version=9p2000.L /sharepoint /share

or, in fstab, with the same order of mount tag first, mount point second:

/sharepoint   /share 9p trans=virtio,version=9p2000.L,rw 0 0
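Two of the gotchas above (the group membership needed to touch /dev/kvm, and the field order of a 9p share in fstab) are easy to get wrong and tedious to debug, so here is a small POSIX sh helper for both. It is an added example, not code from the original post or from the libvirt project; it assumes the Ubuntu group names libvirt and kvm (older releases used libvirtd) and reuses the post’s /sharepoint mount tag and /share mount point.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for two
# libvirt/QEMU gotchas: group membership for /dev/kvm access, and the
# field order of a virtio 9p share in /etc/fstab.
# Assumptions: group names libvirt and kvm (Ubuntu; older releases used
# libvirtd), and the mount tag /sharepoint from the post.

# missing_groups GROUPS_HAVE GROUPS_WANT
# Prints the space-separated names in GROUPS_WANT that are absent from
# GROUPS_HAVE (normally the output of `id -nG`). Prints nothing if all present.
missing_groups() {
    have=" $1 "
    missing=""
    for g in $2; do
        case "$have" in
            *" $g "*) ;;
            *) missing="${missing:+$missing }$g" ;;
        esac
    done
    printf '%s' "$missing"
}

# fstab_9p_line TAG MOUNTPOINT
# Emits an fstab entry for a virtio 9p share. The first field is the mount
# tag (libvirt's <target dir=...>), the second the guest directory; swapping
# them is the usual mistake.
fstab_9p_line() {
    printf '%s %s 9p trans=virtio,version=9p2000.L,rw 0 0\n' "$1" "$2"
}

# fstab_9p_check LINE
# Returns 0 if LINE is a 9p entry carrying both options the post needed
# (field 3 is 9p; field 4 contains trans=virtio and version=9p2000.L),
# 1 otherwise.
fstab_9p_check() {
    set -- $1
    [ "$#" -ge 4 ] || return 1
    [ "$3" = "9p" ] || return 1
    case ",$4," in
        *,trans=virtio,*) ;;
        *) return 1 ;;
    esac
    case ",$4," in
        *,version=9p2000.L,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Live use (constructed usage; output depends on the machine you run it on):
#   missing_groups "$(id -nG)" "libvirt kvm"     # prints e.g. "libvirt kvm"
#   fstab_9p_line /sharepoint /share | sudo tee -a /etc/fstab
```

Run `missing_groups "$(id -nG)" "libvirt kvm"` on the host before blaming libvirt for permission errors; an empty result means the groups are fine and the problem is the file’s own mode, which is when moving the media into /var/lib/libvirt/images is the quickest fix. The fstab check deliberately rejects a line that is missing the version option, since that is the silent failure described above.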

3 UTM

An open source QEMU frontend targeting Apple Silicon.

UTM employs Apple’s Hypervisor virtualization framework to run ARM64 operating systems on Apple Silicon at near native speeds. On Intel Macs, x86/x64 operating systems can be virtualized. In addition, lower performance emulation is available to run x86/x64 on Apple Silicon as well as ARM64 on Intel. For developers and enthusiasts, there are dozens of other emulated processors as well including: ARM32, MIPS, PPC, and RISC-V. Your Mac can now truly run anything.

4 Gnome boxes

GNOME Boxes is some kind of fork of QEMU with a funkier GUI but fewer features?

5 VirtualBox

VirtualBox is semi-open source and has a marketing budget. It is cross-platform and has many howtos, so it’s what people often end up using per default. However, I don’t recommend it if you have the KVM/QEMU option. Despite corporate backing, the UI is no less clunky than the competing options. It requires more time downloading stuff from Oracle and clicking through licence agreements. There are miscellaneous frictions with sharing host resources to the guest. Overall, it is not wonderful, but OK. It might be the least worst for macOS or Windows hosts.

Would you like VirtualBox to run a command inside the guest for you? The command you are looking for is VBoxManage guestcontrol.

5.1 Ubuntu host

Everything is packaged and can be installed easily enough. If you are on Ubuntu, note that removing VirtualBox requires aggressive purging:

sudo apt --purge remove 'virtualbox-guest-*'

It will leave all kinds of stuff installed if you do the default purge.

5.2 macOS host

How to get a VirtualBox virtual machine hosted on your macOS machine with the minimum of dicking around.

NB This note is from 2016. Perhaps things have improved since then?

For the sake of argument, let’s assume Ubuntu/Debian/Mint or one of those other dpkg distributions as guest.

OK, we download VirtualBox. Ubuntu server is a sane default guest OS, I suppose, let’s try that.

Set up all the following things.

  1. Ubuntu as VM guest.
  2. VirtualBox extensions.
  3. VirtualBox USB.

What? Didn’t work for you? ’Course not. There are details.

  1. remote USB
  2. USB not working
  3. VirtualBox extensions need extra installation because why would you want things to just work by default? Your favourite thing to do is yak shaving right?
  4. Shared folders should now work.

Wait what? Integration is STILL flaky?

You still need to install the Guest additions, you duffer:

sudo apt install dkms

Didn’t work, eh? Maybe you don’t have the right sources in your package manager:

sudo bash
echo "deb http://download.virtualbox.org/virtualbox/debian wily contrib" \
    >> /etc/apt/sources.list.d/oracle.list # http doesn’t work because Oracle were too poor to spring for the right cert
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- |  apt-key add -
apt update
apt install dkms

VirtualBox also ships with a virtual CD image with the right installers on, hidden in a submenu somewhere, which saves bandwidth.

You can skip some of these steps if you are happy to trust an unaccountable stranger to build your OS for you; osboxes hosts some prebuilt machines of unknown provenance.

On recent macOS (i.e. Catalina) there is a confusing bug that causes guests to crash on boot if they try to use the microphone or camera. Workarounds include 1) disabling audio and 2) starting VirtualBox from the terminal with the command

virtualbox

6 Windows guest

Microsoft Edge VMs are VMs with a 90-day licence for testing browsers.

7 Microsoft Hyper-V

Built-in to Windows 10 Enterprise, Pro, and Education editions. Manages various VMs including certain Linux flavours AFAICT.

8 Vagrant

Virtual Machine as Version Manager.

9 Qubes

Want an OS that uses modern hardware virtualisation to run apps separately to improve your privacy?

Qubes, the VM-based OS, does that. Very tinfoil-hat and CPU wasting, but if you are going to insist on doing high-security things, maybe this is worthwhile? It looks like a huge expenditure of configuration time for the user though.

10 Xen

Xen is open source, but it’s some kind of monster OS-level hack designed to run VMs in datacentres (?) so probably out of scope for this blog.

11 Firecracker

Firecracker provides hardened minimalistic microVMs that try to be light like a container but robust against abuse. Used by Amazon for serverless stuff.

Firecracker microVMs use KVM-based virtualizations that provide enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. Firecracker also implements a minimal device model that excludes all non-essential functionality and reduces the attack surface area of the microVM.

mcrute says

Firecracker is solving the problem of multi-tenant container density while maintaining the security boundary of a VM. If you’re entirely running first-party trusted workloads and are satisfied with them all sharing a single kernel and using Linux security features like cgroups, selinux, and seccomp then Firecracker may not be the best answer. If you’re running workloads from customers similar to Lambda, desire stronger isolation than those technologies provide, or want defence in depth then Firecracker makes a lot of sense. It can also make sense if you need to run a mix of different Linux kernel versions for your containers and don’t want to spend a whole bare-metal host on each one.

By “sharing a single kernel” I think mcrute might also mean…

12 Containerized apps

Many of these. For practical purposes, people usually mean Docker when they say this. See containerized apps.