Re: [Qemu-discuss] Starting without '-kernel'; isolating VMs
From: Jakob Bohm
Subject: Re: [Qemu-discuss] Starting without '-kernel'; isolating VMs
Date: Fri, 26 Jul 2013 20:28:18 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

On 25-07-2013 12:29, Nikita Karetnikov wrote:
> I'd like to use multiple VMs to isolate various applications from each
> other (see [1]).
>
> I've never used QEMU, so I have a couple of questions:
>
> 1. I'm starting it like this (as suggested here [2]):
>
>    $ qemu-system-i386 -kernel /tmp/vmlinuz -initrd /tmp/initrd.img \
>        -hda test.img -append "root=/dev/sda"
>
>    Is there a way to use the kernel from the image? If I omit
>    everything except '-hda', it won't boot.

Make sure the virtual hard drive image includes a boot loader (such as
LILO, Grub or extlinux) with appropriate setup, then with options to boot
from "hda", the virtual machine will start running, then run the boot
code in sector 0 of hda, and proceed from there just like a real PC.
This is actually the most common way to use qemu; the external "-kernel"
option is an alternative which is sometimes useful, e.g. when
experimenting with different kernel versions etc.

> 2. Some say that VMs are not designed with security in mind. So what
>    should I do to make it harder to escape a VM? What are the best
>    practices?

Depends a lot on the VM, I think qemu is fairly solid in this area.
5 obvious techniques for qemu:
- Run qemu as a non-root user with very limited permissions to access
files other than test.img (read/write) and the qemu program etc. (read
only).
- Run qemu in a chroot jail (in addition to running it as a limited user).
- If you can figure out how to use it, enable a system such as "SELinux"
and give it very strict limitations for the qemu program.
- Set up tap networking as root and grant the specific user for each VM
access to that tap device.
- Don't enable features that give the VM access to the guest file system.

> [1] http://wiki.lewman.is/blog/2012-11-23-a-week-with-qubes
> [2] http://www.aurel32.net/info/debian_arm_qemu.php

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
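
Added example, not part of the original message: a shell pre-flight check for three of the hardening steps listed in the reply above (non-root VM account, disk image private to that account, tap device owned by that account). The function names, uid, image path and tap name are assumptions made for illustration, and it expects a Linux host with GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight checks for three of
# the listed steps: non-root VM account, image private to it, tap owned by it.
# Assumes a Linux host with GNU stat; uid, image and tap names are constructed.

check_uid() {    # usage: check_uid VM_UID
    [ "$1" -ne 0 ] || { echo "VM uid is 0 (root)"; return 1; }
}

check_image() {  # usage: check_image IMAGE VM_UID
    [ -f "$1" ] || { echo "missing image: $1"; return 1; }
    owner=$(stat -c %u "$1"); mode=$(stat -c %a "$1")
    [ "$owner" = "$2" ] || { echo "$1 owned by uid $owner, not $2"; return 1; }
    case $mode in
        *00) ;;   # no group/other permission bits
        *) echo "$1 mode $mode grants group/other access"; return 1 ;;
    esac
}

check_tap() {    # usage: check_tap TAP VM_UID [SYSFS_NET_DIR]
    dir=${3:-/sys/class/net}
    # The tun/tap driver exposes the owning uid of a persistent tap in sysfs.
    [ -r "$dir/$1/owner" ] || { echo "no tap device $1"; return 1; }
    [ "$(cat "$dir/$1/owner")" = "$2" ] || { echo "$1 not owned by uid $2"; return 1; }
}

preflight() {    # usage: preflight VM_UID IMAGE TAP [SYSFS_NET_DIR]
    # On success, print the qemu command line to run as that uid.
    check_uid "$1" && check_image "$2" "$1" && check_tap "$3" "$1" "$4" &&
    echo "qemu-system-i386 -hda $2 -netdev tap,id=n0,ifname=$3,script=no,downscript=no -device e1000,netdev=n0"
}

if [ $# -ge 3 ]; then preflight "$@"; fi
```

Run it with the VM account's numeric uid, the image path and the tap name; with script=no and downscript=no qemu does not try to configure the tap itself, so root only has to create the device and hand it to that uid beforehand.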