Re: [Qemu-discuss] Starting without '-kernel'; isolating VMs


From: Jakob Bohm
Subject: Re: [Qemu-discuss] Starting without '-kernel'; isolating VMs
Date: Fri, 26 Jul 2013 20:28:18 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

On 25-07-2013 12:29, Nikita Karetnikov wrote:
> I'd like to use multiple VMs to isolate various applications from each
> other (see [1]).
>
> I've never used QEMU, so I have a couple of questions:
>
> 1. I'm starting it like this (as suggested here [2]):
>
>       $ qemu-system-i386 -kernel /tmp/vmlinuz -initrd /tmp/initrd.img \
>                          -hda test.img -append "root=/dev/sda"
>
>     Is there a way to use the kernel from the image?  If I omit
>     everything except '-hda', it won't boot.

Make sure the virtual hard drive image includes a boot loader (such as
LILO, Grub or extlinux) with appropriate setup; then, with options to boot
from "hda", the virtual machine will start running, run the boot
code in sector 0 of hda, and proceed from there just like a real PC.

This is actually the most common way to use qemu; the external "-kernel"
option is an alternative which is sometimes useful, e.g. when
experimenting with different kernel versions etc.

> 2. Some say that VMs are not designed with security in mind.  So what
>     should I do to make it harder to escape a VM?  What are the best
>     practices?

Depends a lot on the VM, I think qemu is fairly solid in this area.

5 obvious techniques for qemu:

- Run qemu as a non-root user with very limited permissions to access
  files other than test.img (read/write) and the qemu program etc. (read
  only).
- Run qemu in a chroot jail (in addition to running it as a limited user).
- If you can figure out how to use it, enable a system such as "SELinux"
  and give it very strict limitations for the qemu program.
- Set up tap networking as root and grant the specific user for each VM
  access to that tap device.
- Don't enable features that give the VM access to the guest file system.

> [1] http://wiki.lewman.is/blog/2012-11-23-a-week-with-qubes
> [2] http://www.aurel32.net/info/debian_arm_qemu.php

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
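The following script is an added example, not something posted in this thread or shipped by QEMU. It ties the two halves of the reply together: it checks why an image might not boot from '-hda' alone (a PC BIOS only executes sector 0 when bytes 510-511 carry the 55 AA signature, and most boot sectors then chain-load the MBR partition flagged active, 0x80), it checks technique 1 (nobody but the image's owner may read or write it), and it assembles a launch line that follows techniques 1, 2 and 4: no -kernel/-initrd, '-runas' to drop to an unprivileged user, '-chroot' for the jail, and a tap device created beforehand as root and handed to that user with 'ip tuntap'. 'vmuser', 'tap0' and '/var/empty' are placeholders. The '-runas' and '-chroot' options are the ones current when this thread was written; recent QEMU releases fold them into '-run-with', so check your version's manual.

```shell
#!/bin/sh
# Added example (not from the qemu-discuss thread): pre-launch checks for
# a VM that boots from its own disk image, plus an isolated launch line.
# User, tap and jail names are placeholders.

# Print $3 bytes starting at offset $2 of image $1 as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# The BIOS (SeaBIOS under qemu) only runs sector 0 if bytes 510-511 are 55 AA.
# Without this the guest sits at "No bootable device" no matter what -hda is.
image_has_boot_signature() {
    [ "$(read_hex "$1" 510 2)" = "55aa" ]
}

# Classic MBR boot code chain-loads the partition whose status byte is 0x80.
# The four 16-byte partition entries start at offset 446.
image_has_active_partition() {
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$(read_hex "$1" $((446 + i * 16)) 1)" = "80" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Technique 1: the VM user owns the image; group and others get nothing
# (mode 600, or 400 for a read-only image). Columns 5-10 of ls -l are the
# group/other permission bits, so they must all be '-'.
image_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Technique 4, run once as root: create the tap device and give it to the
# VM's user, so qemu itself never needs root to attach to it.
setup_tap() {
    # $1 = tap name, $2 = owning user
    ip tuntap add dev "$1" mode tap user "$2" && ip link set "$1" up
}

# Launch line: boot from the image's own boot loader (-boot c, no -kernel),
# drop privileges (-runas) inside a jail (-chroot), and attach the
# pre-created tap without any ifup/ifdown helper scripts.
qemu_cmdline() {
    # $1 = image, $2 = user, $3 = jail dir, $4 = tap name
    printf '%s' "qemu-system-i386 -hda $1 -boot c -runas $2 -chroot $3 -net nic -net tap,ifname=$4,script=no,downscript=no"
}

main() {
    img=$1; user=${2:-vmuser}; jail=${3:-/var/empty}; tap=${4:-tap0}
    if ! image_has_boot_signature "$img"; then
        echo "$img: no 55AA boot signature, it will not boot from -hda" >&2
        exit 1
    fi
    if ! image_has_active_partition "$img"; then
        echo "$img: no active partition flagged; boot code may still chain-load" >&2
    fi
    if ! image_perms_ok "$img"; then
        echo "$img: group/other have access; chmod 600 and chown it to $user" >&2
        exit 1
    fi
    qemu_cmdline "$img" "$user" "$jail" "$tap"
    echo
}

# Only act when given an image; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh vmcheck.sh test.img vmuser /var/empty tap0` prints the launch command after the checks pass; run `setup_tap tap0 vmuser` as root first, then start qemu as vmuser with the printed line. Technique 3 (SELinux) and technique 5 (not enabling host file sharing) are policy and omission rather than commands, so they are not scripted here.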
