Running Network Services under User-Mode Linux, Part I
First, you need to make sure you've got the right kind of kernel on your host system. You very likely may need to compile a new kernel.
On the one hand, some Linux distributions already have User-Mode Linux compiled into their default kernels. On the other hand, your distribution of choice may or may not also have the skas (separate kernel address space) patch compiled in as well. It is, in fact, somewhat unlikely that your default kernel has skas support. Although the Linux kernel source code has included UML support since version 2.6.9, the skas patch is still maintained separately (and Linus has resisted its inclusion).
The skas patch is important. It greatly improves UML performance and security by running the guest system's kernel in separate address space from its other processes (just like the host's kernel does). The User-Mode Linux Web site's skas page on SourceForge provides a more detailed explanation of why you need skas (see the on-line Resources).
Keeping Your Kernels and Guests Straight
In the contexts of User-Mode Linux, VMware and other virtualization systems, we use the words host and guest in a very specific way. Your host is the system that runs the virtualization environment—that is, it acts as a host to one or more virtual machines. Guests are virtual machine instances that live on top of the host.
Therefore, when we speak of the host kernel and guest kernels, remember that guest kernels run on top of the host kernel. In User-Mode Linux, your host kernel is a normal Linux kernel, compiled for your particular hardware platform (Intel x86, IBM PowerPC and so on), with User-Mode Linux features (including the optional skas patch) compiled in as well.
Your guest kernel, on the other hand, must be compiled to run on virtual hardware: the um architecture. Other than that, it does not need the skas patch or User-Mode Linux support enabled. Unless, that is, you want to run other guest kernels on top of it. Running guests within guests is possible (this is called nesting), but well beyond the scope of this article.
Each UML virtual machine instance consists of a guest kernel, a guest root filesystem and a COW (Copy On Write) file. The root filesystem is a disk image file; it contains every file in your virtual machine except the kernel itself. When you execute a guest kernel, the root filesystem file is mounted in precisely the same way you'd mount any other disk image, for example, a CD ISO file. Like a CD-ROM, it's used in read-only mode. Any changes you make to the virtual filesystem in the course of a UML session, including new files and file deletions, are stored in a COW file.
Thanks to the magic of COWs, it's therefore possible to run the same guest kernel and root filesystem combination multiple times, by defining a unique COW file per instance.
To obtain kernel source code, your best bet may be simply to install your Linux distribution's kernel-source package. Take care, however, that your distribution provides a kernel version of 2.6.9 or higher, because UML support is included from 2.6.9 onward, and prior UML patches had security vulnerabilities.
Because Debian 3.1 still uses kernel version 2.6.8, I decided not to use the official Debian kernel packages and instead downloaded the 2.6.17 kernel from kernel.org. I did, however, install the kernel-package package, which provides tools for generating Debian packages from official kernel source.
Besides kernel source code, you need the skas patch, the latest version of which is available on Blaisorblade's site (see Resources). Be sure to download the patch version that corresponds to the kernel source code you're about to patch.
On my Debian host, I unpacked my official source code to /usr/src/linux-18.104.22.168, renamed the source code directory to /usr/src/linux-22.214.171.124-host and copied the skas patch tarball (skas-2.6.17-rc5-v9-pre9.patch.bz2) to /usr/src. I then changed ownership of the directory /usr/src/linux-126.96.36.199-host to a nonroot account. (Adhering to the principle of never being root unless you really need to, we're going to do most of this kernel build as an unprivileged user.)
Here are the commands I executed as root:
host:/usr/src/# tar -xjvf ./linux-188.8.131.52.tar.bz host:/usr/src/# mv ./linux-184.108.40.206 ./linux-220.127.116.11-host host:/usr/src/# chown mick ./linux-18.104.22.168 host:/usr/src/# su - mick
To apply the skas patch, I then navigated, as my nonroot user, to /usr/src/linux-22.214.171.124-host and ran the following command:
host:/usr/src/linux-126.96.36.199-host$ bunzip2 -c ↪../skas-2.6.17-rc5-v9 -pre9.patch.bz2 | patch -p1
Next, from the same directory, I issued the command make menuconfig. When setting up the kernel configuration for User-Mode Linux, the defaults generally are fine, though you should ensure that the configuration matches your host's hardware. In addition, it's probably prudent to double-check the following settings:
Under Processor type and features, make sure /proc/mm is enabled.
Under Networking options, make sure IP: tunneling and 802.1d Ethernet Bridging are enabled. If you intend to restrict guest system behavior with iptables, you also may want to check the Network packet filtering section to ensure that Core Netfilter Configuration, IP: Netfilter Configuration and Bridged IP/ARP packets filtering are set up.
Under Network device support, enable Universal TUN/TAP device driver support.
And, by all means, make sure to hard-compile (into the kernel, not as a module) the filesystem in which your system's root partition is formatted (for example, ext3 or ReiserFS).
From this point on, the process is the same with any other kernel build: issue the commands make bzImage and make modules;. Then, become root and issue the commands make modules, make modules_install and make install. (Or in the case of Debian, use the make-kpkg command to achieve the same thing, and run dpkg to install the resulting kernel package.)
Once your new host kernel is installed, reboot your system. Your host system is now capable of running User-Mode Linux guest systems.
|NTPsec: a Secure, Hardened NTP Implementation||Mar 30, 2017|
|SUSE Linux Enterprise High Availability Extension||Mar 29, 2017|
|Hybrid Cloud Storage Delivers Performance and Value||Mar 29, 2017|
|smbclient Security for Windows Printing and File Transfer||Mar 28, 2017|
|How to Calculate Flash Storage TCO||Mar 27, 2017|
|Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!||Mar 27, 2017|
- NTPsec: a Secure, Hardened NTP Implementation
- smbclient Security for Windows Printing and File Transfer
- Hybrid Cloud Storage Delivers Performance and Value
- SUSE Linux Enterprise High Availability Extension
- Returning Values from Bash Functions
- Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!
- William Rothwell and Nick Garner's Certified Ethical Hacker Complete Video Course (Pearson IT Certification)
- HOSTING Monitoring Insights
- Hodge Podge
- Three EU Industries That Need HPC Now