
OpenBSD vmm enabled - transpute
http://undeadly.org/cgi?action=article&mode=expanded&sid=20161012092516
======
notaplumber
And of course, being OpenBSD, it's privsep and sandboxed from the very
beginning.. cool.

[https://marc.info/?l=openbsd-cvs&m=144702840931345&w=2](https://marc.info/?l=openbsd-cvs&m=144702840931345&w=2),
[https://marc.info/?l=openbsd-cvs&m=147578652321303&w=2](https://marc.info/?l=openbsd-cvs&m=147578652321303&w=2)

Man pages:

[http://man.openbsd.org/vmm.4](http://man.openbsd.org/vmm.4)

[http://man.openbsd.org/vmd.8](http://man.openbsd.org/vmd.8),
[http://man.openbsd.org/vm.conf.5](http://man.openbsd.org/vm.conf.5)

[http://man.openbsd.org/vmctl.8](http://man.openbsd.org/vmctl.8)

~~~
snvzz
However, it is still a boring type-2 hypervisor, just like bhyve, vmware or
kvm; no real progress whatsoever.

I'm keeping an eye on seL4's VMM support, it looks promising, with the
microkernel actually guaranteeing isolation, whereas the VMM runs with minimum
privileges as a user process.

~~~
andreiw
VMware ESXi is a Type 1 hypervisor.

~~~
allanjude
Is it really though? It is running on top of a stripped down version of
Red Hat.

~~~
yellowapple
No it's not. Once upon a time, ESXi (when it was still called ESX) shipped
with a stripped-down Linux in a role similar to a Dom0 on Xen; nowadays, ESXi
doesn't even use Linux in _that_ capacity.

------
0xcde4c3db
Just to get out in front of this, as someone who is a quasi-fan of OpenBSD:
yes, Theo had a scathing rant years ago about virtualization being terrible
[1]. But it should be noted that that was well before virtualization on x86
was mature, and in response to an assertion that the use of VMs would increase
security.

[1] [https://marc.info/?l=openbsd-misc&m=119318909016582](https://marc.info/?l=openbsd-misc&m=119318909016582)

~~~
sverige
I know people like to point out Theo's "rants" for some reason (that was _nine
years ago_, for goodness' sake), but is it a rant, or is it just unvarnished
truth delivered in a style that is more concerned with truth than people's
precious feelings?

I've read a lot of Theo's emails in the lists, and frankly I find it
refreshing that he says what he thinks.

And what I really find refreshing is that he gives a shit about whether code
is correct, secure, and readable. There's a lot of lip service to those goals,
but OpenBSD actually works really hard to deliver it with not a lot of money
and precious little thanks.

Now, what was inaccurate about his assessment of VM from nine years ago that
wasn't true? Or is it just that he seems so darn mean?

~~~
riffraff
> I find it refreshing that he says what he thinks.

You can rephrase that email in a nicer way, while still expressing what you
think. For example, you can drop the first paragraph, and no information is
lost. You can also remove "if not stupid" and the informational content stays
the same.

I am an OpenBSD fan in many ways, but you can generally express what you think
while still being kind.

~~~
geocar
I don't always agree. Rhetoric has a lot of forms that are useful tools in
argument, and while we will not admonish someone for asking "have you stopped
beating your wife yet" (or in this case, "Virtualization seems to have a lot
of security benefits.") we are too quick to ignore the very valid point in
response because it wasn't friendly enough. Derailing the conversation that
way prevents us from dealing with what I think is the bigger issue:

When someone says something stupid like "have you stopped beating your wife"
(or "Virtualization seems to have a lot of security benefits"), we may need to
tell them it is stupid, because stupidity has this way of spreading when it
sounds nice and helpful (yes, beating your wife is bad; yes security benefits
are good), but it's still a stupid statement.

Virtualization is extremely popular, but it isn't secure, and it's actually
(and when you're thinking clearly, obviously) _less secure_ than other,
existing systems. Security has to be a complete holistic effort, and not an
abstraction layer, which is something most people in our industry ignore.
Calling out someone as stupid for saying stupid things seems to me to be the
best defence, after all, you're not going to convince _them_ that they're
stupid, but you might convince someone else.

~~~
david-given
This is the standard apologia for rudeness. The problem is that people don't
work like that. If you say something in an aggressive manner, they will tend
to assume a confrontational posture and won't work with you. It's just how
people are wired.

Consider two possible responses I could have to your comment:

(a) You're full of shit.

(b) In my experience, that's not actually true.

Chances are you're going to respond better to (b) than to (a). So, if I
actually want to engage you in conversation, _or work with you in the future_,
I should say (b). Routine courtesy is part of the standard toolkit of
effective communication skills. It may be cathartic to be rude to someone, but
it doesn't lead to long-term progress.

> Calling out someone as stupid for saying stupid things seems to me to be the
> best defence...

...or you could simply explain why you think they're _mistaken_, without
using personal insults, and so win them over to your side of the debate? As it
is, you're not just driving them away, but you're also sending a message to
everybody else reading the conversation that you're intolerant and difficult
to work with, which is not going to help the project.

I actually remember that particular conversation, as that was the point when I
gave up on OpenBSD, unsubscribed from -misc, and switched to Debian Linux (and
never went back). It simply wasn't worth my time to wade through the insults
and abuse to get things done any more.

Of course, in those days, Theo de Raadt had the reputation for being an angry
jerk, and Linus Torvalds had a reputation for being moderate and easy to work
with. How times have changed.

~~~
4ad
> You're full of shit.

If you said that, I would have respected you, even though we disagreed.

> In my experience, that's not actually true.

Now I know you're just PC police, and that I have nothing to gain by further
engaging with you. I have no respect for you.

So no, you are wrong. People don't work like that. Or at least people worth
talking to are not like that. People see through all the PC bullshit, and
respond accordingly.

> It simply wasn't worth my time to wade through the insults and abuse to get
> things done any more.

Yeah, this kind of PC attitude is not worth my time. People who can't, just
discuss PC politics, while people who can, just do, and don't care about any
of this stuff.

~~~
jerf
"Now I know you're just PC police, and that I have nothing to gain by further
engaging with you."

That's not PC police. This is How To Win Friends And Influence People stuff,
not PC stuff.

You are free to be rude, but you'll pay the consequences, quite needlessly.

I'm in a position where I with some frequency have to contradict people (being
a code reviewer for a significant internal shared library has that result),
but I try to make it clear in my words and tone that it's in the spirit of
working with them and obtaining the best solution. I'm pretty sure it's not
100% successful, because some people to some extent can't process being
contradicted in any way as anything less than hostility (and I put both
"somes" in that sentence on purpose), no matter how polite you are about it,
and on my side, I'm absolutely sure I'm not perfect about it, but I am sure
I'm better off than I would be if I was always being as blunt as possible
without even trying.

------
ysleepy
Surprised that it's not a port of bhyve.

I also found some slides from the authors of vmm/vmd:

[http://bhyvecon.org/bhyvecon2016-Mike.pdf](http://bhyvecon.org/bhyvecon2016-Mike.pdf)

[http://bhyvecon.org/bhyvecon2016-Reyk.pdf](http://bhyvecon.org/bhyvecon2016-Reyk.pdf)

(found on [https://wiki.freebsd.org/bhyve](https://wiki.freebsd.org/bhyve))

~~~
ams6110
OpenBSD and FreeBSD diverged long enough ago that a port might not be
straightforward, or in alignment with the objectives of the project.

~~~
derefr
Bigger things have been ported across wider gaps. Illumos has a "port" of
Linux's KVM!

~~~
4ad
Yeah, and the KVM in illumos comes from a now obsolete Linux, and the pf in
FreeBSD and Solaris comes from a now obsolete OpenBSD.

If anything, this should teach us _not to port_ unportable things from
different operating systems, because the maintenance cost is untenable.

~~~
allanjude
iianm, Solaris has a port of IPF, not pf. Oracle is working on trying to port
pf now.

~~~
4ad
The pf has been ported and it shipped already in Solaris 11.3. It is based on
OpenBSD 5.5 code.

------
ams6110
From the thread: _Currently this is limited to Intel hosts. We would like to
get AMD also supported, but that requires some more work._

Still very cool -- happy to have an option other than qemu.

------
sigjuice
Will this run nested inside VMWare Fusion? I don't have a spare computer to
try this out.

~~~
dijit
Typically not; once you use a virtualisation instruction on the CPU it cannot
be passed to the guests.

Nested virtualisation typically uses emulation without hardware acceleration.
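
An added check, not from the thread, for the two questions raised here (is the host Intel rather than AMD, and does the CPU the OS sees actually expose VMX, which a nested guest usually does not get): given dmesg(8) output, it reports whether vmm attached or which virtualisation flag cpu0 advertises. The dmesg lines are constructed samples and the exact vmm0 attach line is an assumption.

```shell
# Added example, not from the thread: given dmesg(8) text on stdin, check
# whether cpu0 advertises Intel VT-x (VMX), which vmm(4) needs and which a
# nested guest usually does not see, and whether vmm0 actually attached.
# AMD SVM is reported separately because the thread notes AMD hosts are not
# yet supported. All dmesg lines below are constructed samples.
cpu_has_flag() {
    # The cpu0 feature line is a comma-separated list; match the flag as a
    # whole token so e.g. "VMX" does not match inside another flag name.
    awk -v flag="$1" '
        /^cpu0: / && $0 ~ ("(,|: )" flag "(,|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

vmm_attached() {
    # Assumed attach line format: "vmm0 at mainbus0: ..."
    grep -q '^vmm0 at mainbus0'
}

# Prints one of: attached, vmx-present, svm-unsupported, no-vmx
vmm_host_status() {
    dmesg_text="$1"
    if printf '%s\n' "$dmesg_text" | vmm_attached; then
        echo attached
    elif printf '%s\n' "$dmesg_text" | cpu_has_flag VMX; then
        echo vmx-present
    elif printf '%s\n' "$dmesg_text" | cpu_has_flag SVM; then
        echo svm-unsupported
    else
        echo no-vmx
    fi
}

# Constructed samples: a bare-metal Intel host where vmm attached, an AMD
# host, and a guest VM whose hypervisor does not expose VMX to it.
SAMPLE_INTEL='cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,VMX,SMX,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF
vmm0 at mainbus0: VMX/EPT'
SAMPLE_AMD='cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,SSSE3,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,SVM'
SAMPLE_GUEST='cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF'

vmm_host_status "$SAMPLE_INTEL"   # attached
```

On a real host, pipe live output instead: `dmesg | vmm_attached` or `vmm_host_status "$(dmesg)"`.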

~~~
wila
Hyper-V runs under Fusion; Qubes OS and Xen also work. I have not tested others,
but this is one area where Fusion excels. Yes, it will be slower, but for
testing the concept that is usually fine.

~~~
sigjuice
I needed Xen for some experimentation. I had trouble running alpine-xen-3.4.4
in Fusion. XenServer 7 seems to work in Fusion, but I don't like it. I finally
managed to get alpine-xen running inside KVM (Ubuntu 16.04) inside Fusion.

