Lguest: a Linux virtualization alternative

:`Fml4D0 51Testing软件测试网cr%e~,Q^._
James Turnbull51Testing软件测试网%l/AY'e$z0k @6_:r7V3e
09.26.2007

pkp*f8p!Lp8x4G?0Rating: --- (out of 5)51Testing软件测试网$Gl:e%KZx,S;}[+k

 51Testing软件测试网$f7?_,A%R

YL$p^Zn&B1ZZ _0Much of the discussion within the open source community about Linux virtualization has revolved around the hypervisor, Xen. A hypervisor is a virtual machine monitor that allows you to run guest operating systems on top of your host. In simple terms this means that you can run a Windows virtual machine or NetBSD virtual machine on top of a Red Hat, Debian, or other Linux platform. But, the kernel mainline has been slow to adopt Xen (torturously slow) and the main Xen patches were only merged in the as yet unreleased 2.6.23 kernel.51Testing软件测试网,\3w tnT6gh

A/w/{q'vI L4c051Testing软件测试网][2}P1p}z
Recently, two new hypervisors, lguest and KVM, were introduced to the Linux kernel community. Both projects are in their infancy compared to Xen and occupy a small niche in the virtualization space. But rapid development is underway in both projects and this could mean some interesting diversification and developments in Linux virtualization. In this tip we'll take a closer look at lguest and see how it works.

iw`7xk`4`n0
t&w @)F-?};t\R0What is lguest?51Testing软件测试网+P)LjE~)l'Z

U&Ty6CQ ]
jR FX0The lguest project, developed by Rusty Russell of iptables fame, is a simple virtualization project. It allows the full virtualization of guest kernels. Currently only the Linux kernel itself is supported as a guest, on stock x86 hardware. Support for 64-bit and SMP is also planned. Like Xen, lguest will debut in the mainline kernel in release 2.6.23.

8~d+L[$K T051Testing软件测试网`h)NB r
At about 5000 lines of code, lguest is very compact but feature-poor when compared to Xen. Indeed, it is unlikely that lguest will ever rival the full feature set of Xen (or even KVM). But the upside of lguest could be its ease of use. When you want to add a new guest, just modprobe a kernel module. It also does not require any special hardware support to provide its full virtualization support.

[%Yr
ULx
O+p0b'K0
XA~ffQ,PJ.m0At present lguest is a little awkward to use and not yet production-ready. You can currently only guest Linux kernels with lguest support (so only 2.6.23+ kernels) and there are no fancy user-space tools to manage guests, let alone GUI-based management consoles.51Testing软件测试网I~&B;g3O

[_F0_7TJ%l;v0Launching lguest

`
kdw D8C4z7p~0Now, let's get lguest up and running. This assumes you understand how to re-compile your own kernel (thus I recommend you do this in a test environment rather than on a production system.)

?%}J\#v`051Testing软件测试网t-e&GU]7w
First, download the latest kernel source, which at the time of writing was 2.6.23-rc3. Then compile your kernel.51Testing软件测试网 {P fX]0`7bG\

/gRE+{7RK1l-[
U8X0 

y$P0{ |X"D0$ tar -zxf linux-2.6.23-rc3.tar.gz
^W,S pol*jV@X J0$ cd linux-2.6.23-rc3
1F+~H*_8M+g|?\nP0$ make mrproper51Testing软件测试网7jOH,["L T/\$D
$ make menuconfig

A _:M2v5X:R0 

Vx5w"}/s%b%}}5`0
OlJ-i;`|l$_N8l0You will need to ensure you set the following options:51Testing软件测试网c
J9cFp(u

2HC L9Xx t5cDQ0 51Testing软件测试网F?m:s"^o:C6p4RuD#EY

j*xj
UR;L5J"a;A0CONFIG_HIGHMEM64G=n ("High Memory Support" "64GB")
8z~b-| p9mx(Q0CONFIG_TUN=m ("Universal TUN/TAP device driver support")51Testing软件测试网2qd+uu-}%w.p
CONFIG_EXPERIMENTAL=y ("Prompt for development and/or incomplete code/drivers")
b)S&k(JK:e0CONFIG_PARAVIRT=y ("Paravirtualization support (EXPERIMENTAL)")
_B*l;hq9R0CONFIG_LGUEST=m ("Linux hypervisor example code")

:g,bT d,~3FB&j*N0 

oU#x5o`:X
W0And optionally:51Testing软件测试网 t])Q'Aiq&D

]0qJ5m@0f+@[0
KlB!h/b0CONFIG_HZ=100 ("Timer frequency")51Testing软件测试网!M.qxOBz

 51Testing软件测试网?km*Y\ [1C

51Testing软件测试网W@~,S/c4~
}Y8V
Make and install your kernel:51Testing软件测试网DGtlI${RfP*u

!@@.Ik'Z?wn2@0 

$ make51Testing软件测试网~-^D#@1T[*^T1J+gSL
$ sudo make modules_install install

A/FNjl*OS)h&n0 

NiW;mP7WaD3l9d/O5}0Install the new kernel, update your boot loader, and reboot.

!?g9l[/uow'LFk~051Testing软件测试网Z wZ'pn%U]&n
Or, rather than manually compile your kernel, you may alternatively wish to use your distribution's kernel installation mechanism (for example, make-kpkg on Debian and Ubuntu).51Testing软件测试网B-z.R2T?,yvM

qo
d]'[Ln051Testing软件测试网8w-y7`6Hv*~
J
Now you need to compile the user-space lguest tool. It comes with the kernel source package and is located in the Documentation/lguest directory.

$ cd linux-2.6.23-rc3/Documentation/lguest51Testing软件测试网!m
p6px4Q)ftb/B WSZh+?
$ make O=yourkernelbuildtree51Testing软件测试网!W G_&Tq/F)t hJ9r

 51Testing软件测试网*Jx8j;S&a,g+p/b,Y

51Testing软件测试网3o,Nru n%]fe0W*|
Install the lguest binary somewhere appropriate on your host.51Testing软件测试网S-Fo1Y_?X:RW[:Z Ez l

y}4l K(]^ W
KB051Testing软件测试网 Z&c#b7nf,O,}%B3fi
To enable lguest support you just need to modprobe the lg module:51Testing软件测试网+o Zx;Di

:c$R_l%@H wb0 

k2N3\6C2x(dn0# modprobe lg51Testing软件测试网1Py5bGw$wfb_#u%o ]

L,f'gL9F!|-}0You should see something like the following message in your syslog output indicating if the module has loaded correctly.51Testing软件测试网"[!_-W cb fEP

m"`VN/o$C(e[0 51Testing软件测试网V@Y8_*\H+W

b'd)r8}&EK"?5o0Aug 30 22:46:05 debian kernel: lguest: mapped switcher at ffc0000051Testing软件测试网D3Z+a |in6R0P

b4V)`4NO6s*Q di1S0 

51Testing软件测试网W5htD$[_
We next need to find a root disk image. It can be either download one likehttp://xm-test.xensource.com/ramdisks/initrd-1.1-i386.imgor made from a distribution ISO using a tool like debootstrap.

I$m,F$U.U;oWJ0
Ot2Gd#mc}@0Russell also suggests using a distribution ISO, installing it under QEMU, and cloning it to make suitable guests.

51Testing软件测试网\3xT~4vG]C
Now you can launch lguest using the lguest binary (running it as root):

N&ANd,syf2MU0 

# lguest 64m /boot/vmlinuz --tunnet=bridge:br0 --initrd=/boot/initrd.img-2.6.23-rc3 --block=rootfile root=/etc/lgba

 51Testing软件测试网q-h+d*`7L'U)i

$R+d!}F6O051Testing软件测试网\rf&ezb7XY j
Let's have a look at this command line. The first option, 64m, is the memory allocated for the guest. Then we specify the kernel itself, which is vmlinux. Next, we specify networking; in this case we've bridged an interface, br0 (you can read about bridging athttp://linux-net.osdl.org/index.php/Bridge.) You can use a variety of methods to get network access for guests. These are detailed in the lguest documentation.51Testing软件测试网S ~4@u hM T B

Q ZV%h@#wA"A}$WBFk0We've specified the initrd and the root file and the boot options. The initial ramdisk file is specified using the --initrd option and the root file using the --block option (the root file will become /dev/lgba in the guest). The root= specified provides the kernel boot options, in this case the instantiation of our root file, /etc/lgba.

/p#Sc
j^051Testing软件测试网u8I4`Xe g
And that's it! You've launched lguest and initiated your first guest.51Testing软件测试网kYzdI

Summary51Testing软件测试网3IvqD)|S.O

:GQiP6V2z0}0 51Testing软件测试网J/K m G;H~,bzL

Keep in mind that lguest is very new and you will probably stumble across one or two bugs. You may also find that some features are not available at the moment. But lguest is a very fast and easy way to get started with virtualization and you will be certain to see and hear more about it when the 2.6.23 kernel is released and more widely implemented.51Testing软件测试网:u@WO:Xn

N'de3`$x4Xh5zi[0You can read more about lguest, including some further documentation and a mailing list, athttp://lguest.ozlabs.org/lguest.txt.51Testing软件测试网DaOD)lV W@

51Testing软件测试网3}4? n`G&[
About the author: James Turnbull is the author of Hardening Linux and a security consultant at the Commonwealth Bank of Australia. He is also the resident security expert for SearchEnterpriseLinux.com.
,B_w&R3H)f3@0 51Testing软件测试网A7{Fh9x0N8D
51Testing软件测试网/{)fL rv:CL