Much of the discussion within the open source community about Linux virtualization has revolved around the hypervisor, Xen. A hypervisor is a virtual machine monitor that allows you to run guest operating systems on top of your host. In simple terms this means that you can run a Windows virtual machine or NetBSD virtual machine on top of a Red Hat, Debian, or other Linux platform. But, the kernel mainline has been slow to adopt Xen (torturously slow) and the main Xen patches were only merged in the as yet unreleased 2.6.23 kernel.
Recently, two new hypervisors, lguest and KVM, were introduced to the Linux kernel community. Both projects are in their infancy compared to Xen and occupy a small niche in the virtualization space. But rapid development is underway in both projects and this could mean some interesting diversification and developments in Linux virtualization. In this tip we'll take a closer look at lguest and see how it works.
What is lguest?
The lguest project, developed by Rusty Russell of iptables fame, is a simple virtualization project. It allows the full virtualization of guest kernels. Currently only the Linux kernel itself is supported as a guest, on stock x86 hardware. Support for 64-bit and SMP is also planned. Like Xen, lguest will debut in the mainline kernel in release 2.6.23.
At about 5000 lines of code, lguest is very compact but feature-poor when compared to Xen. Indeed, it is unlikely that lguest will ever rival the full feature set of Xen (or even KVM). But the upside of lguest could be its ease of use. When you want to add a new guest, just modprobe a kernel module. It also does not require any special hardware support to provide its full virtualization support.
At present lguest is a little awkward to use and not yet production-ready. You can currently only run Linux kernels built with lguest support as guests (so only 2.6.23+ kernels), and there are no fancy user-space tools to manage guests, let alone GUI-based management consoles.
Now, let's get lguest up and running. This assumes you understand how to re-compile your own kernel (thus I recommend you do this in a test environment rather than on a production system.)
First, download the latest kernel source, which at the time of writing was 2.6.23-rc3. Then compile your kernel.
$ tar -zxf linux-2.6.23-rc3.tar.gz
$ cd linux-2.6.23-rc3
$ make mrproper
$ make menuconfig
You will need to ensure you set the following options:
CONFIG_HIGHMEM64G=n (do not choose "64GB" under "High Memory Support")
CONFIG_TUN=m ("Universal TUN/TAP device driver support")
CONFIG_EXPERIMENTAL=y ("Prompt for development and/or incomplete code/drivers")
CONFIG_PARAVIRT=y ("Paravirtualization support (EXPERIMENTAL)")
CONFIG_LGUEST=m ("Linux hypervisor example code")
CONFIG_HZ=100 ("Timer frequency")
Make and install your kernel:
$ make
$ sudo make modules_install install
Install the new kernel, update your boot loader, and reboot.
Rather than compiling the kernel by hand, you may prefer to use your distribution's kernel packaging mechanism (for example, make-kpkg on Debian and Ubuntu).
Now you need to compile the user-space lguest tool. It comes with the kernel source package and is located in the Documentation/lguest directory.
$ cd linux-2.6.23-rc3/Documentation/lguest
$ make O=yourkernelbuildtree
Install the lguest binary somewhere appropriate on your host.
To enable lguest support you just need to modprobe the lg module:
# modprobe lg
You should see a message like the following in your syslog output, indicating that the module has loaded correctly.
Aug 30 22:46:05 debian kernel: lguest: mapped switcher at ffc00000
Next we need a root disk image. You can either download one, such as http://xm-test.xensource.com/ramdisks/initrd-1.1-i386.img, or build one from a distribution ISO using a tool like debootstrap.
Russell also suggests using a distribution ISO, installing it under QEMU, and cloning it to make suitable guests.
Now you can launch lguest using the lguest binary (running it as root):
# lguest 64m /boot/vmlinuz --tunnet=bridge:br0 --initrd=/boot/initrd.img-2.6.23-rc3 --block=rootfile root=/dev/lgba
Let's have a look at this command line. The first option, 64m, is the amount of memory allocated to the guest. Then we specify the kernel image itself, here /boot/vmlinuz. Next we specify networking; in this case we've bridged to an interface, br0 (you can read about bridging at http://linux-net.osdl.org/index.php/Bridge). You can use a variety of methods to give guests network access; these are detailed in the lguest documentation.
We've also specified the initrd, the root file and the guest's boot options. The initial ramdisk is given with the --initrd option and the root file with the --block option; the root file appears as /dev/lgba inside the guest. The trailing root= argument is the guest kernel's boot option, in this case telling it to mount our root file, /dev/lgba, as its root filesystem.
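The steps above are easy to get slightly wrong (a missed kernel option, a module that did not load, a typo in a path before running the launcher as root). The following preflight script is an added example, not code from this tip or from the lguest project: it checks a kernel config file for the options listed above, checks /proc/modules for the lg module, verifies the files and bridge named on the launch line exist, and assembles that launch line. The function names, the placeholder paths and the sample config and /proc/modules lines are constructed for this example; the required option values, the --tunnet/--initrd/--block syntax and the /dev/lgba device name come from the tip itself.

```shell
#!/bin/sh
# lguest-preflight.sh (example helper, not part of the lguest project):
#   check_lguest_config CONFIG_FILE            kernel options this tip requires
#   lg_module_loaded [MODULES_FILE]            is the lg module loaded (default /proc/modules)
#   build_lguest_cmd MEM KERNEL BRIDGE INITRD ROOTFILE   the tip's launch line
#   preflight_launch KERNEL BRIDGE INITRD ROOTFILE       inputs exist before running as root

# Options that must be set exactly as the tip lists them.
REQUIRED_OPTS="CONFIG_TUN=m CONFIG_EXPERIMENTAL=y CONFIG_PARAVIRT=y CONFIG_LGUEST=m CONFIG_HZ=100"

check_lguest_config() {
    cfg=$1; rc=0
    for want in $REQUIRED_OPTS; do
        name=${want%%=*}
        # -x: the whole line must match, so CONFIG_TUN=y does not pass for CONFIG_TUN=m
        if ! grep -qx "$want" "$cfg"; then
            have=$(grep "^$name=" "$cfg" || echo unset)
            echo "$name: want $want, have $have"
            rc=1
        fi
    done
    # CONFIG_HIGHMEM64G must be off; a .config shows that as "# ... is not set" or omits it
    if grep -qx "CONFIG_HIGHMEM64G=y" "$cfg"; then
        echo "CONFIG_HIGHMEM64G: want off, have y"
        rc=1
    fi
    return $rc
}

lg_module_loaded() {
    # each /proc/modules line starts with the module name followed by a space
    grep -q '^lg ' "${1:-/proc/modules}"
}

build_lguest_cmd() {
    # MEM KERNEL BRIDGE INITRD ROOTFILE, mirroring the launch line in the tip
    echo "lguest $1 $2 --tunnet=bridge:$3 --initrd=$4 --block=$5 root=/dev/lgba"
}

preflight_launch() {
    kernel=$1 bridge=$2 initrd=$3 rootfile=$4; rc=0
    for f in "$kernel" "$initrd" "$rootfile"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    # a Linux bridge interface exposes /sys/class/net/<name>/bridge
    [ -d "/sys/class/net/$bridge/bridge" ] || { echo "no bridge interface named $bridge"; rc=1; }
    return $rc
}

# Constructed sample inputs so the script runs offline; replace them with
# /boot/config-$(uname -r) (or "zcat /proc/config.gz") and /proc/modules on a real host.
TMPD=$(mktemp -d)
cat > "$TMPD/good.config" <<'EOF'
# CONFIG_HIGHMEM64G is not set
CONFIG_TUN=m
CONFIG_EXPERIMENTAL=y
CONFIG_PARAVIRT=y
CONFIG_LGUEST=m
CONFIG_HZ=100
EOF
cat > "$TMPD/bad.config" <<'EOF'
CONFIG_HIGHMEM64G=y
CONFIG_TUN=y
CONFIG_PARAVIRT=y
CONFIG_HZ=250
EOF
printf 'lg 20480 0 - Live 0xf8a00000\ntun 12288 1 lg, Live 0xf89f0000\n' > "$TMPD/modules"

if check_lguest_config "$TMPD/good.config"; then echo "good.config: all required options present"; fi
check_lguest_config "$TMPD/bad.config" || echo "bad.config: fix the options listed above before building"
lg_module_loaded "$TMPD/modules" && echo "lg module loaded (sample modules list)"
build_lguest_cmd 64m /boot/vmlinuz br0 /boot/initrd.img-2.6.23-rc3 rootfile
```

On a real host, run check_lguest_config against the config of the kernel you actually booted, not the tree you built from, since a stale /boot entry is the usual reason "modprobe lg" fails; preflight_launch catches a misspelled image or root file path before lguest, running as root, reports a less obvious error.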
And that's it! You've launched lguest and initiated your first guest.
Keep in mind that lguest is very new and you will probably stumble across one or two bugs. You may also find that some features are not available at the moment. But lguest is a very fast and easy way to get started with virtualization, and you are certain to see and hear more about it once the 2.6.23 kernel is released and more widely deployed.
You can read more about lguest, including some further documentation and a mailing list, at http://lguest.ozlabs.org/lguest.txt.
About the author: James Turnbull is the author of Hardening Linux and a security consultant at the Commonwealth Bank of Australia. He is also the resident security expert for SearchEnterpriseLinux.com.