I recommend KVM, the kernel virtual machine. It's included with all
major Linux distros. (I run OpenSUSE.) The integrated tools are excellent.

Putting together a "server" for home use is really cost effective,
downright cheap.

My home-grown hardware is running OpenSUSE Leap. It's a back-level host
because I don't take it down often for service. (Means interrupting the
guests, duh.)

Presently 11 guests running, including Windoze, FreeBSD, CentOS Linux,
SUSE Linux, and home-grown Linux, various levels. There's a Solaris in
there somewhere, but not presently up.

I DO NOT KNOW if some virus running in a guest could crack the hypervisor.

Yes, you can pass through USB devices. I do that regularly. My son has
an external drive that he uses for backup, me being his 400 mile
off-site, and that is managed by a file server guest.

More on that file server guest: it's a P-to-V project. I took its LVM
physical volume (PV), plugged it in (SATA) to the hypervisor host,
attached that device to the guest, and now the guest sees the same world
as it did when it was on bare metal. So that's actually *two* pass
through devices for that particular guest.

VMware (e.g., ESX) is probably more efficient than KVM. I haven't
measured. I needed functionality and freedom more than I needed
performance. Performance varies dramatically from guest to guest. I find
that open source builds run fine on 32-bit Linux and 64-bit Linux, but
they're ssslllooowww on FreeBSD. Part of the slowdown could be NFS
(which would be a factor even if I was running all native). I mean, it's
possible that FreeBSD is slow because its NFS client code is slow. Or it
could be that FreeBSD's kernel is "muddier" in KVM control than a Linux
kernel. No idea which. (No time to figger it out.) The Windoze guest is
tolerable for most work *except* for multimedia.

More about Windows: I don't recall getting a blue screen in like five
years of this arrangement. It's been said that virtual machines are
"less hostile" than physical hardware. At one point, this Windows guest
was my primary work Windows system. (always accessed via Remote Desktop,
yessss!!!) The only time I had issues was when some marketing type
person would send email with lotso animation. But then my employer
upgraded to W10 and I haven't cracked the boot magic for W10 on KVM ...
yet.

-- R; <><
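One practitioner check for the disk and USB pass-through described above, added here as an example and not taken from the thread: it assumes a KVM host with libvirt/virsh, and the device names (/dev/sdb, vdb) and USB ids are placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread). Before handing a whole SATA disk that
# holds a P-to-V guest's LVM PV, or a USB device, to a KVM guest, make sure the
# host itself is not using it, then emit libvirt XML for `virsh attach-device`.
# Device names (/dev/sdb, vdb) and USB ids below are assumed sample values.

# Succeeds if DEV or one of its partitions appears in MOUNTS (text of
# /proc/mounts, passed as an argument so the check can be tested offline).
device_mounted_in() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 ~ ("^" d "(p?[0-9]+)?$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints the VG name the host's LVM associates with DEV, if any.  PVS is the
# output of: pvs --noheadings -o pv_name,vg_name
host_vg_for() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d && NF >= 2 { print $2 }'
}

# libvirt <disk> element giving the guest the raw block device.
disk_xml() {  # DEV TARGET   e.g. /dev/sdb vdb
    printf "<disk type='block' device='disk'>\n"
    printf "  <driver name='qemu' type='raw' cache='none'/>\n"
    printf "  <source dev='%s'/>\n  <target dev='%s' bus='virtio'/>\n</disk>\n" "$1" "$2"
}

# libvirt <hostdev> element for USB pass-through by vendor/product id; with
# managed='yes' libvirt detaches the device from the host driver itself.
usb_xml() {  # VENDOR PRODUCT   e.g. 0x1234 0x5678 (placeholders)
    printf "<hostdev mode='subsystem' type='usb' managed='yes'>\n  <source>\n"
    printf "    <vendor id='%s'/>\n    <product id='%s'/>\n  </source>\n</hostdev>\n" "$1" "$2"
}

# Live check on the host: refuse if the disk is mounted, warn if the host's
# LVM has already scanned it (host and guest both activating one VG corrupts
# it; exclude the disk with global_filter in /etc/lvm/lvm.conf), then print XML.
prepare_disk_passthrough() {  # DEV TARGET
    mounts=$(cat /proc/mounts)
    pvs_out=$(pvs --noheadings -o pv_name,vg_name 2>/dev/null || true)
    if device_mounted_in "$1" "$mounts"; then
        echo "refusing: $1 is mounted on the host" >&2
        return 1
    fi
    vg=$(host_vg_for "$1" "$pvs_out")
    [ -z "$vg" ] || echo "warning: host LVM sees $1 as PV of VG $vg" >&2
    disk_xml "$1" "$2"
}
# Usage: prepare_disk_passthrough /dev/sdb vdb > disk.xml &&
#        virsh attach-device fileserver disk.xml --persistent
```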


On 10/30/21 10:51 PM, CAREY SCHUG wrote:
> First my apologies.  I thought I was replying privately to Bill, whom I knew 
> from SHARE and VM Workshops.  Maybe he doesn't remember me, but...  I didn't 
> think my question was really appropriate for a linux-390 listserv, but must 
> have fallen off of whatever the VM listserv is.  I sometimes forget that when 
> asked "reply to all or to sender" that "sender" means the list, and "all" 
> means "original poster AND list", from which the list can then be deleted so 
> as to reply only to the one who initiated the message.
>
> I started my career programming banking applications in assembler, 
> transitioned to performance analysis, at the machine code level, then spent 
> many years as a VM systems programmer (with a brief sidetrack converting 
> local ASSEMBLER mods in JES2 to exits) from VM rel6+SE through zVM.  I found 
> and fixed one CP code bug that IBM vetted and then distributed as an APAR, as 
> well as one microcode bug (in the B224 privop) by sitting at the machine 
> console placing hard address stops on memory write (turned out when I 
> finally got the IBM rep to take my analysis, that IBM support already knew 
> about it, the problem was when it trapped as a privop, it did not serialize, 
> so if one had a long running instruction just before the B224, that would 
> start executing in virtual address mode, then finish in real, causing a semi 
> random overlay in the nucleus, which, some time later failed for not being a 
> machine instruction.
>
> I know zVM virtualization, have run 3rd level machines, etc.
>
> I don't know intel systems.  I want to start running virtualization at home. 
> So I can simultaneously run Winblows, linux, BSD and open Solaris.  Maybe a 
> back level linux, or some other specialized linux, as well as play with the 
> original linux (Yggdrasil) and windows 3.1.  So containers won't do it.
>
> But all the documentation I have found is for people for whom C++ is as close 
> as they come to the bare iron, or for those intimate with machine code.  The 
> former leaves me feeling "those trusting fools" and the latter leaves me lost.
>
> Maybe I am wrong, but from what little I know about intel based viruses (not 
> Trojans), it seems that they will crack the hypervisor, not the guest.  My 
> social network of linux sysprogs trustingly downloads virtualbox templates 
> and runs them without understanding.  The one security conscious person I 
> know (who is winblows only) installs a fresh copy of winblows from a 
> thumbdrive for anything slightly risky (including receiving a usb drive from 
> anybody, as he says to mount a thumb drive, the OS executes code off of it, 
> which could contain a virus) on an isolated hardware.  I'm hoping a good type 
> 1, possibly qubes, could be almost as good without all the reinstalls.  I 
> could fire up a read only virtual machine, do whatever, then throw it away.
>
> Yes, I knew, sort of, about the original para-virtualizations, including when 
> a few instructions didn't cause a state change so had to be searched for and 
> replaced in memory, then later extensions to the hardware.  Knew sort of, and 
> dismissed virtualization as not worth it.  Just recently read something about 
> memory virtualization extensions (I think outside of the CPU?) that now allow 
> some overcommitment of memory, since for decent performance, guest memory 
> must be dedicated, like the old V=R area of 32 bit VM systems.
>
> So I have questions like can a hypervisor "pass through" a usb to a virtual 
> machine without executing any code?  On VM, at least in the old days, I could 
> define an address as "undefined" to the hypervisor, pass it to the guest and 
> if it contained a virus, only the guest would be affected.  Of course, IBM 
> was smart enough to not just load code off of a random device and execute it 
> in privileged mode.  I can't believe that Intel developers are that naive.  
> Maybe that is not true.
>
> So I want to understand Intel virtualization to try to guess how secure it 
> can be made. It would be a lot easier and faster to learn how it works, if it 
> was explained in zVM terms (and compared with).
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
> http://www2.marist.edu/htbin/wlvindex?LINUX-390

