

Ask HN: tiny VMs - willvarfar

I've searched in vain, so I ask you folks:

Is there a tiny Linux distro aimed at running in a VM (i.e. not buckets of
drivers in there for all the things the VM doesn't have; rather a very thin,
light kernel because it's all backed by the VM)? Perhaps even set up for an
external X running on the host? Ideally with a packaging system built around
single-shot apps? So I can have a VM for a browser, and another for a mail app
and so on, each with a tiny footprint?

Host would be Windows or Linux.
======
TY
You might want to check out TinyCore Lunux. In 10Mb ISO you get a functional
image with GUI and thousands of apps in the repository including Chromium and
Firefox that can run in as little as 39mb of RAM.

I run multiple TinyCore VMs in VirtualBox for safe browsing in the darker
corners of the Net.

~~~
TY
Sorry for the typo - blaming my fat fingers on the iPhone and I'm past the
edit time window to fix it.

------
onenine
<http://wiki.rpath.com/wiki/Conary>

rPath's build system and rbuilder were made for this purpose.

<http://susestudio.com/>

You can spin ISOs and VM images all in a web interface. (rbuilder has a Flash
interface. It's more powerful from the command line, but susestudio is really
fast).

Red Hat/Fedora is supposed to have something (probably more than one) that's
new and slick.

------
froseph
Ubuntu Server edition has JeOS option (
<http://en.wikipedia.org/wiki/Ubuntu_JeOS> ) which is a minimal install
optimized for virtualized environments.

~~~
mwexler
That is a good start, but the original poster appeared to want graphical apps
to run in the VM; JeOS is console only (as one would expect for a
server/appliance distro). It would be interesting if there was something
between "full Ubuntu with lots of widgets" and the console-only JeOS.

Yes, one could add the gui afterwards, but something minimally configured
already would be a timesaver...

~~~
froseph
There are VM images of base installs of various Linux distros floating around.
If this is too big, just configure JeOS with your basics and clone that image
as needed.

If the original poster is looking for a VM to distribute an application, JeOS
is a reasonable place to start.

On the other hand, if the original poster wants to run a VM for every
application he will (likely) want to look for a VM platform that dedups
memory, a la ESX (though that's a bare metal server hypervisor).

If the original poster just wants a secure environment to run apps, something
like VMware ACE may work better, which allows you to lock down/filter access to
USB storage, network, etc.

Disclaimer: Former VMware employee.

------
al3xbio
I'm not sure I've understood what you are requesting, but your description
reminded me of Qubes OS <http://qubes-os.org/> (based on Linux and Xen).

From the "Architecture" page:

"Qubes lets the user define many security domains implemented as lightweight
Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”,
“shopping”, “bank”, and “random” AppVMs and can use the applications from
within those VMs just like if they were executing on the local machine, but at
the same time they are well isolated from each other. Qubes supports secure
copy-and-paste and file sharing between the AppVMs, of course."

(I've never used it myself though, so I can't help any further).

~~~
alcuadrado
I was going to reply the same.

------
EmmEff
I used to hand roll my own tiny VMware VMs using Busybox and uclibc. It was
very tedious and time consuming, but I was able to create VMs that were less
than 10MB when compressed and virtual disks of whatever desired size when
uncompressed.

Gentoo Linux (if it's still around?) might be a good start since you can
compile the entire world yourself and decide which features you do and do not
want.

~~~
exDM69
There is a tool called buildroot that builds a kernel and a root file system
with uClibc and Busybox. The result size for x86_64 using default settings is
a few megabytes. You can trim this down a lot by leaving out features. Using
uClibc instead of glibc may affect using virtual machines (like JVM), though.

Gentoo is still alive and kicking. It's not that difficult to use and the
documentation might be the best docs I've seen in any distribution. It's also
worth mentioning that with a modern CPU, the time it takes to build software
is not that long.

In fact, installing a "medium sized" application (e.g. not libreoffice) is
faster with Gentoo's emerge than installing a standard Windows app. It takes
about as long to download the source, compile and install it with automation
as it does to navigate a web browser to a software's home page, locate the
download link and click "Next ->" 15 times in the installer manually.

------
unshift
Your kernel is already thin and light. If you're using a modular kernel, as
most distros default to, you're only loading the modules you need and can use.

As for apps and packages, I don't care for most distros' dependency systems,
but the only downside is more files on disk -- and who really cares if there's
an extra 25MB of stuff you never use on there, assuming you have the space.

~~~
forgotusername
That's true for all practical purposes, but technically it's incorrect. For a
start, statically linked modules can be packed more tightly into sections by
the linker, whereas dynamically loaded modules will always have as much as 4kb
of slack at the end of theirs.

There are a bunch more differences like this. If it's like userspace, in many
cases the dynamically loaded symbols also involve a level of indirection in
order to access them since they have no fixed address at link time, which
results in a small performance hit.

Modules also include metadata which remains for as long as it is loaded, but I
think this is negligible.

------
littledanehren
Why do you want to do this, anyway? Linux already isolates processes' memory
from each other. With cgroups you can ensure that resources are allocated
fairly, and with chroot and namespaces you can ensure that they're securely
isolated from each other. Why run a whole bunch of kernels on top of other
kernels? It just adds inefficiency.

~~~
aidenn0
It may be due to the fact that any exploited process that is also an X11
client can become a keylogger...

~~~
pflanze
A couple of ways to prevent X11 keylogging/screenshots/actions:

* If chrome/chromium are doing it right now, most parts of the browser should not be able to access X11 directly.

* X.org provides for two compartments, trusted X (the default) and untrusted X (now used by ssh -X, also sux --untrusted). There are still a number of applications having issues with untrusted X (e.g. Skype doesn't work), also copy & paste don't normally work (for that you can use "xsel -o | ssh otheruser@localhost 'DISPLAY=:1 xsel -i'" or the converse, bound to a key combination or panel widget), but it works well enough that I'm running Twinkle and xchat that way.

* Let the apps go through VNC (Skype has issues with this, too, though, but then Skype doesn't run smoothly in a VM either (realtime audio issues)).

Of course the kernel (and suid apps and apps with tempfile races etc.) are
still offering a broader attack surface than a VM, so the above should be
complemented with some good intrusion detection mechanism (to catch intrusions
before they exploit root), for which I don't have a good suggestion.
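
The untrusted-X approach from the comment above, as an added example that is not from this thread: a small sh script that mints a throw-away untrusted MIT-MAGIC-COOKIE-1 authorization for the current display (the same mechanism ssh -X and sux --untrusted use) and runs a program with only that cookie, refusing to start when the server lacks the SECURITY extension that enforces the split. It assumes an X.org server plus xauth and xdpyinfo on the host; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: launch a GUI program under an untrusted
# X11 authorization so it cannot snoop other clients' keystrokes or windows.
# Assumes an X.org server with the SECURITY extension and xauth/xdpyinfo.
set -eu

# Reads `xdpyinfo` output on stdin and succeeds if the server lists the
# SECURITY extension, which is what enforces the trusted/untrusted split.
has_security_ext() {
    grep -q '^[[:space:]]*SECURITY$'
}

# Extract the display number from a DISPLAY string (":1.0" -> 1,
# "localhost:10.0" -> 10); fails on anything that is not a DISPLAY.
display_number() {
    d="${1#*:}"
    d="${d%%.*}"
    case "$d" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$d"
}

# Mint an untrusted cookie for $DISPLAY and run the given command with it.
# Caveat: a program running as the same Unix user can still read the trusted
# cookie in ~/.Xauthority, so run it as a separate user (cf. sux/ssh above)
# and hand that user nothing but the untrusted auth file.
run_untrusted() {
    display="${DISPLAY:-}"
    display_number "$display" >/dev/null \
        || { echo "unusable DISPLAY '$display'" >&2; return 2; }
    xdpyinfo -display "$display" | has_security_ext \
        || { echo "X server lacks the SECURITY extension" >&2; return 3; }
    authfile="$(mktemp)"
    chmod 600 "$authfile"
    # "." = MIT-MAGIC-COOKIE-1; the cookie must be used within 60 s and
    # expires server-side 60 s after the last client using it disconnects.
    xauth -f "$authfile" generate "$display" . untrusted timeout 60
    # XAUTHORITY points the client at the untrusted cookie only.
    XAUTHORITY="$authfile" "$@" || status=$?
    rm -f "$authfile"
    return "${status:-0}"
}
```

Usage: `run_untrusted xterm` (or any other X client); a client started this way is denied access to other clients' windows and input.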

------
ryanpetrich
Not exactly as requested, but Chrome OS works great in a VM:
<http://chromeos.hexxeh.net/vanilla.php>

------
jff
Take a look at <http://onesis.org/> for some tool for building a small root
filesystem. You'll want to have your kernel separate anyway.

You can then use the new "KVM tool" (<http://lwn.net/Articles/447556/>) to run
your VMs. It's far, far lighter than QEMU and only provides a small set of
virtio devices. If you're going to have all the applications run on the X
server of the host, you'll basically just need virtio net. However, if you're
doing this for security reasons, take note of what another poster mentions:
any X client can sniff the keystrokes of any other X client. It's possible
that Xnest (or the new hotness, Xephyr) could solve this problem for you, but
I don't know for sure.

------
davidcollantes
Have you seen this one[1]?

[1] <http://www.turnkeylinux.org/bootstrap>

------
meastham
<http://qubes-os.org/Home.html> might be interesting

------
rookadook
Not sure if these are small enough for you, but they are appliance based:

<http://www.turnkeylinux.org/>

------
0x12
this might be a good start:

<http://www.damnsmalllinux.org/>

I use it for all kinds of 'special purpose' boxes. It's an older kernel,
2.4.20 or so.

~~~
gravitronic
Considering the leaps and bounds the Linux kernel has progressed since the 2.4
series kernel, I would seriously avoid it for performance reasons when doing
something the OP mentioned, like web browsing.

------
ajray
I've actually heard this question asked a lot in a bunch of different forms,
and (to me) it basically comes down to: How do I use virtualization to provide
additional security to processes?

The advantage of virtualization is that it provides a very strong statement of
security (if a lesser statement of performance). On the other hand
Jails/Containers (see LXC) have a strong statement of performance and a lesser
statement of security.

For you, I'd recommend checking out Linux Containers, because it does provide
more protection than just a process, but is faster and uses less resources
than a whole VM.

~~~
mhd
Well, if the VM has security issues, you'll have to update all the VMs
running, never mind that I think it's possible to get to the core OS from a
VM.

This is definitely a case to look at OS level virtualization[1], running a
dedicated VM just for jailing a process seems a bit overengineered. SmartOS[2]
might be interesting for this.

[1] <http://en.wikipedia.org/wiki/Operating_system-level_virtualization>

[2] <http://smartos.org/>

------
bonyt
Have you considered something like coLinux? <http://www.colinux.org/>

or UML on Linux

------
vegardx
If you're already on Linux, you could just chroot everything. But that can be
a little b¤%&h to maintain. Any particular reason you need this? I use
throw-away VMs that I can revert to a fresh state when I'm done testing XYZ.

Also, with the cost per MB for memory, memory shouldn't really be an issue.

~~~
willvarfar
(Neither RAM nor disk is that cheap for laptop users)

~~~
vegardx
I'd argue the other way, but things may be different for you, depending on a
lot of things. :-)

I currently have 4 running virtual machines on my Macbook Pro. Three running a
pretty basic Debian install for testing (yay, Chef) and one running Ubuntu
with a graphical user interface. And yet, only half of my memory is
wired/active, and with expanding disk volumes, the footprint on my disk is
even smaller on my memory.

~~~
willvarfar
macbook pro users perhaps don't have the same definition of 'cheap' as many
other laptop users? ;)

------
pge
There's a company called Invincea that provides a browser in a VM for security
(www.invincea.com).

I have no connection to the company and have not used it, just saw them at the
RSA conference this year. I think there are a number of companies providing
similar solutions.

------
clickbrain
Puppy Linux might fit the bill if I understand what you are seeking correctly.
<http://puppylinux.org/>

------
secos
I've been looking as well. I have a hunch we have the same goal... Would love
to chat. (my email is in my profile)

