Hi Rick,
> Sent: Monday, 1 November 2021 at 15:54
> From: "Rick Troth" <[email protected]>
> To: [email protected]
> Subject: virtualization at home
>
> I recommend KVM, the kernel virtual machine. It's included with all
> major Linux distros. (I run OpenSUSE.) The integrated tools are excellent.
>
> Putting together a "server" for home use is really cost effective,
> downright cheap.
>
> My home-grown hardware is running OpenSUSE Leap. It's a back-level host
> because I don't take it down often for service. (Means interrupting the
> guests, duh.)
>

Thank you for your choice, and for being part of our community.

Tell us if anything is missing or should be improved. We are
working on the next Leap release now.

> Presently 11 guests running, including Windoze, FreeBSD, CentOS Linux,
> SUSE Linux, and home-grown Linux, various levels. There's a Solaris in
> there somewhere, but not presently up.
>
> I DO NOT KNOW if some virus running in a guest could crack the hypervisor.
>

That would be a critical security issue then.

By default, that should not be possible. KVM is kernel based. If that
should happen, then all Linux distributions would be affected. Therefore,
you should run all required updates on the base operating system and in
your guest systems continuously. Then you receive all required patches.

If anything should happen in this direction, you should report it quickly
via our Bugzilla or to our security team.


> Yes, you can pass through USB devices. I do that regularly. My son has
> an external drive that he uses for backup, me being his 400 mile
> off-site, and that is managed by a file server guest.
>
> More on that file server guest: it's a P-to-V project. I took its LVM
> physical volume (PV), plugged it in (SATA) to the hypervisor host,
> attached that device to the guest, and now the guest sees the same world
> as it did when it was on bare metal. So that's actually *two* pass
> through devices for that particular guest.
>
> VMware (e.g., ESX) is probably more efficient than KVM. I haven't
> measured. I needed functionality and freedom more than I needed
> performance. Performance varies dramatically from guest to guest. I find
> that open source builds run fine on 32-bit Linux and 64-bit Linux, but
> they're ssslllooowww on FreeBSD. Part of the slowdown could be NFS
(which would be a factor even if I were running all native). I mean, it's
> possible that FreeBSD is slow because its NFS client code is slow. Or it
> could be that FreeBSD's kernel is "muddier" in KVM control than a Linux
> kernel. No idea which. (No time to figger it out.) The Windoze guest is
> tolerable for most work *except* for multimedia.
>
> More about Windows: I don't recall getting a blue screen in like five
> years of this arrangement. It's been said that virtual machines are
> "less hostile" than physical hardware. At one point, this Windows guest
> was my primary work Windows system. (always accessed via Remote Desktop,
> yessss!!!) The only time I had issues was when some marketing type
> person would send email with lotso animation. But then my employer
> upgraded to W10 and I haven't cracked the boot magic for W10 on KVM ...
> yet.
>
> -- R; <><
>

Best regards,

Sarah

> On 10/30/21 10:51 PM, CAREY SCHUG wrote:
> > First my apologies.  I thought I was replying privately to Bill,
> > whom I knew from SHARE and VM Workshops.  Maybe he doesn't remember me,
> > but...  I didn't think my question was really appropriate for a
> > linux-390 list serve, but must have fallen off of whatever the VM
> > listserv is.  I sometimes forget, when asked "reply to all or to
> > sender", that "sender" means the list, and "all" means "original poster
> > AND list", from which the list can then be deleted so as to reply only
> > to the one who initiated the message.
> >
> > I started my career programming banking applications in assembler,
> > transitioned to performance analysis, at the machine code level, then
> > spent many years as a VM systems programmer (with a brief sidetrack
> > converting local ASSEMBLER mods in JES2 to exits) from VM rel6+SE
> > through zVM.  I found and fixed one CP code bug that IBM vetted and then
> > distributed as an APAR, as well as one microcode bug (in the B224
> > privop) by sitting at the machine console placing hard address stops on
> > memory write (turned out when I finally got the IBM rep to take my
> > analysis, that IBM support already knew about it, the problem was when
> > it trapped as a privop, it did not serialize, so if one had a long
> > running instruction just before the B224, that would start executing in
> > virtual address mode, then finish in real, causing a semi random overlay
> > in the nucleus, which, some time later failed for not being a machine
> > instruction).
> >
> > I know zVM virtualization, have run 3rd level machines, etc.
> >
> > I don't know Intel systems.  I want to start running virtualization
> > at home. So I can simultaneously run Winblows, Linux, BSD and open
> > Solaris.  Maybe a back level Linux, or some other specialized Linux, as
> > well as play with the original Linux (Yggdrasil) and Windows 3.1.  So
> > containers won't do it.
> >
> > But all the documentation I have found is for people for whom C++ is
> > as close as they come to the bare iron, or for those intimate with
> > machine code.  The former leaves me feeling "those trusting fools" and
> > the latter leaves me lost.
> >
> > Maybe I am wrong, but from what little I know about Intel based
> > viruses (not Trojans), it seems that they will crack the hypervisor, not
> > the guest.  My social network of Linux sysprogs trustingly downloads
> > VirtualBox templates and runs them without understanding.  The one
> > security conscious person I know (who is winblows only) installs a fresh
> > copy of winblows from a thumb drive for anything slightly risky (including
> > receiving a USB drive from anybody, as he says to mount a thumb drive,
> > the OS executes code off of it, which could contain a virus) on an
> > isolated hardware.  I'm hoping a good type 1, possibly Qubes, could be
> > almost as good without all the re-installs.  I could fire up a read only
> > virtual machine, do whatever, then throw it away.
> >
> > Yes, I knew, sort of, about the original para-virtualizations,
> > including when a few instructions didn't cause a state change so had to
> > be searched for and replaced in memory, then later extensions to the
> > hardware.  Knew sort of, and dismissed virtualization as not worth it.
> > Just recently read something about memory virtualization extensions (I
> > think outside of the CPU?) that now allow some overcommitment of
> > memory, since for decent performance, guest memory must be dedicated,
> > like the old V=R area of 32 bit VM systems.
> >
> > So I have questions like can a hypervisor "pass through" a USB to a
> > virtual machine without executing any code?  On VM, at least in the old
> > days, I could define an address as "undefined" to the hypervisor, pass
> > it to the guest and if it contained a virus, only the guest would be
> > affected.  Of course, IBM was smart enough to not just load code off of
> > a random device and execute it in privileged mode.  I can't believe that
> > Intel developers are that naive.  Maybe that is not true.
> >
> > So I want to understand Intel virtualization to try to guess how
> > secure it can be made. It would be a lot easier and faster to learn how
> > it works, if it was explained in zVM terms (and compared with).
> >
> > ----------------------------------------------------------------------
> > For LINUX-390 subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO LINUX-390 or visit
> > http://www2.marist.edu/htbin/wlvindex?LINUX-390

-- 
Sarah Julia Kriesch
openSUSE Member
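The USB and whole-disk passthrough Rick describes above (a USB backup drive handed to a file-server guest, and a SATA disk carrying an LVM PV attached to a P-to-V guest), as an added example that is not part of the original thread and is not openSUSE's or libvirt's own code. It generates the libvirt <hostdev> and <disk> elements you would feed to virsh attach-device, parses the vendor/product IDs out of an lsusb line, and refuses the disk if the host is using it. The guest name "fileserver", the disk path /dev/disk/by-id/ata-EXAMPLE_DISK and the lsusb line are hypothetical placeholders; substitute values from your own `lsusb` and `ls -l /dev/disk/by-id/`.

```shell
#!/bin/sh
# Added example for this thread, not openSUSE's or libvirt's own code.
# Builds the libvirt XML for (a) a USB device and (b) a whole block device
# passed through to a KVM guest, and refuses the disk if the host is using it.
# Hypothetical values: guest "fileserver", disk /dev/disk/by-id/ata-EXAMPLE_DISK,
# and a constructed lsusb line for the USB stick. Replace them with real ones.

# Extract "VENDOR PRODUCT" (hex, no 0x prefix) from one line of `lsusb` output.
lsusb_ids() {
  printf '%s\n' "$1" |
    sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-fA-F]*\):\([0-9a-fA-F]*\) .*/\1 \2/p'
}

# libvirt <hostdev> element selecting the USB device by vendor/product ID.
usb_hostdev_xml() {
  printf '<hostdev mode="subsystem" type="usb">\n'
  printf '  <source>\n    <vendor id="0x%s"/>\n    <product id="0x%s"/>\n  </source>\n' "$1" "$2"
  printf '</hostdev>\n'
}

# libvirt <disk> element handing a whole block device to the guest, raw.
# cache="none" keeps the host page cache out of the data path (O_DIRECT),
# so the guest kernel is the only thing caching that disk's sectors.
block_disk_xml() {
  printf '<disk type="block" device="disk">\n'
  printf '  <driver name="qemu" type="raw" cache="none"/>\n'
  printf '  <source dev="%s"/>\n  <target dev="%s" bus="virtio"/>\n' "$1" "$2"
  printf '</disk>\n'
}

# Succeed only if nothing mounted on the host comes from DEV or one of its
# partitions. MOUNTS is normally /proc/mounts; passing a file keeps this
# testable offline. Note: an LVM PV shows up as /dev/mapper/* LVs, not as the
# PV itself, so for a PV also deactivate its VG on the host (vgchange -an).
dev_unused_by_host() {
  awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit found ? 1 : 0 }' "$2"
}

# Usage (hypothetical guest "fileserver"):
#   sh passthrough.sh show            # prints both elements; save each to its own file
#   virsh attach-device fileserver usb.xml --persistent
#   virsh attach-device fileserver disk.xml --persistent
if [ "${1:-}" = "show" ]; then
  # Constructed lsusb line standing in for real `lsusb` output.
  set -- $(lsusb_ids "Bus 001 Device 004: ID 0781:5583 SanDisk Corp. Ultra Fit")
  usb_hostdev_xml "$1" "$2"
  # /proc/mounts lists the resolved /dev/sdX path, so resolve the by-id symlink.
  disk=$(readlink -f /dev/disk/by-id/ata-EXAMPLE_DISK)
  if dev_unused_by_host "$disk" /proc/mounts; then
    block_disk_xml "$disk" vdb
  else
    echo "refusing $disk: the host has it mounted" >&2
    exit 1
  fi
fi
```

Two caveats worth keeping in mind with this setup. First, the mount check exists because a disk the host has mounted and a guest that sees it raw are two kernels writing the same filesystem; for Rick's P-to-V case the PV's volume group must not be active on the host while the guest owns the disk. Second, USB passthrough answers Carey's question only partly: nothing is executed from the stick on the host, but the host kernel still enumerates the device and parses its descriptors before QEMU claims it, so a hostile USB device is still talking to the host's USB stack even though its data only ever reaches the guest.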
