Hacker News new | past | comments | ask | show | jobs | submit login
VirtualBox 6.0 released (virtualbox.org)
364 points by johanhammar on Dec 20, 2018 | hide | past | web | favorite | 243 comments

Avoid VirtualBox and becoming trapped in the non-free & personal use only extension by using one of the very decent open source alternatives Boxes[1] or virt-manager[2]

[1] https://wiki.gnome.org/action/show/Apps/Boxes

[2] https://virt-manager.org/

Even worse: Oracle is going around and threatening to sue enterprises that show traffic to the extensions download site from their IP blocks. Happened recently at a previous employer of mine.

Solution: null route *.oracle.com.

Any public references for this anywhere?

Personal anecdote: They came after us, since the extension phones home and they could track it to our ASN. Asked us for an audit of all installs of VB. The idea was that they wanted to then charge us big money for a corporate license.

Instead, IT banned it enterprise-wide. Which is sad, because we like it for Vagrant. We've since started moving all of our developer stuff to OpenShift, so we're not totally up a creek.

Oh, wow. They've also changed the license a couple of times in 2016 and 2017 to make it more restrictive.

Early 2016: https://web.archive.org/web/20160411070811/https://www.virtu... Late 2016: https://web.archive.org/web/20161208112443/https://www.virtu... Current, last changed July 2017: https://www.virtualbox.org/wiki/VirtualBox_PUEL

In the earlier licenses, "personal use" was just defined as the person using it being the same person as who installed it, and only one person remotely accessing the desktop at a time. So I had interpreted this as being OK for developer VMs in which the developer installs it themselves and uses it for their own development purposes. It also contained an "evaluation use" with a vaguely defined period.

The current license now defines "personal use" as explicitly non-commercial use, and adds more restrictions on client access that applies to any type of clients and not just remote desktop access, as well as explicitly defining the evaluation use period to being 30 days.

So while I didn't really have a concern about developers using VirtualBox with the extension pack previously, given the new license and the fact that they seem to be enforcing it via phoning home, it looks like it's time to set a policy of no one using it.

Luckily, we've already pretty much transitioned everything over to libvirt/KVM on Linux hosts, and people have generally been using VMWare or VMWare Fusion on Windows and Mac hosts.

I have a devops guy trying to push me to use Vagrant at the moment, but I am aware of these issues with virtualbox. I was thinking about using one of the lxc shims, but now you have me curious, how useful is openshift in that "I want to spin local vms up for testing" approach? I thought it was much more geared to server and not workstation, as opposed to vagrant.

Of course others are right, virt-manager is probably a better replacement I think.

So OpenShift (or OKD) is just Redhat's Kubernetes platform. If your dev team isn't already in a docker-like workflow, it's going to be a hard sell. I've found many devops-y people love to be able to SSH into the environment to change code as it runs, and that's not possible with an environment like this.

You can spin up KVMs in OpenShift, but I have the feeling it's not going to be quite what you're looking for. I suppose it's all going to be a matter of what workflow is most comfortable for your devops people. If you have an OpenStack install, Vagrant can control those AND they can login and poke around.

Also FYI virt-manager is deprecated in RHEL 8, and is superceded by Cockpit.

Out of curiosity, what feature in the extension pack are you using with Vagrant?

USB pass through support to drive hardware debuggers here.

PXE booting mostly.

Why not use KVM via vagrant-libvirt? It's pretty easy to set up and works like a charm. See https://news.ycombinator.com/item?id=18727059

So one problem with that is not all of our team uses Linux, we're a Mac/Linux hybrid team. Our workflow was to edit the puppet manifests locally and then Vagrant up, and we wanted something that would work across different dev machines. However, the fussiness of environment setup started to go higher the further we got from VBox; our team didn't really want to invest time into a workflow that was supposed to be an intermediate step to our "end game" development pipeline, so we just left it. Thanks for the link though!

You can have mixed provider vagrant files.

I don't know of any public references, but I can confirm this is happening to government entities as well. Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.

>Oracle is being extremely aggressive and mounting what is essentially a phishing campaign against organizations that it sees accessing the extension download page. They are e-mailing employees directly and asking them to contact Oracle.

You have a very broad definition of "phishing".

Spamming employees with officious emails and hoping one of them is dumb enough to respond with pertinent information that subverts them or their organization is the textbook definition of phishing. What does it mean to you?

from wikipedia:

>Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication

"using virtualbox" isn't sensitive information. I haven't read the emails, but I doubt Oracle is disguising themselves as the company's IT department or something.

If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.

The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.

> I doubt Oracle is disguising themselves as the company's IT department or something.

They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."

The key words are fraudulently and by disguising as a trustworthy entity. If they clearly identify themselves as oracle, asking about virtualbox usage, then it's not phishing.

> They are literally fishing

You can "fish for info" in a hundred ways. Only a small subset of that is "phishing".

>If you don't think information that subjects an entity to massive legal liability is sensitive, then I really don't understand where you're coming from.

The employees were already subjecting their company to legal liability when they were using unlicensed software.

>The entire point of these emails is to bypass established channels by getting random employees to leak information. If they want licensing information, there's an IT point of contact for that. Or Contracts. Or Legal. They are literally fishing for information leakage that would give them grounds to sue.

So if I'm Oracle and I'm trying to find unlicensed enterprise users, what am I supposed to do? Call up their IT/legal department and hope that they'll investigate for me, and respond with a truthful response? Is Oracle not allowed to investigate on their own for licensing infractions? I feel like the only reason people are up in arms about this is because Oracle is doing it. If some startup was doing this to discover that some big corp was not paying their licensing fees, no one would blink an eye.

>They wouldn't. At this stage the point is to convey a false sense of authority without being outright fraud. You have to wrap everything in vague but threatening insinuations-- "help us or you could face fines of up to a bazillion dollars, and/or you might go to JAIL."

Sure, but cops do the same thing (if not more). I'm not saying either is okay, but both are not "phishing".

> They are e-mailing employees directly and asking them to contact Oracle

That would certainly look a lot like phishing

In this case, I think it's actual fishing...

So 90% of cold-call recruiting/sales is also "phishing"?

I'd say "yes". If a cold-call results in anything than blacklisting the company that called you, you're setting yourself up for failure.

Those are completely different.

One is "Hi my name is XYZ at company ABC. Do you want to talk about our product DEF?" to which you instantly know it's a sales call and how to respond.

The other is specifically emailing employees asking about their use in order to build a case against their employer in the hopes of getting an enterprise agreement or lawsuit out of it. It's far more shady and the actual nature of the communication is not revealed until after the fact. For all the developer knows, it's just a support email from Oracle asking them about how they use their product.

Whether the intent is positive or negative is unrelated to whether it's phishing. You could phish someone's info and then send them a gift basket.

Let me clear it up for you:

"Hello my name is X I would like to sell you Y" is not phishing. It's not asking for any information. It's annoying, sure, but you know how to deal with it and they won't bother continuing when they know you're not interested (ie. by saying no)

"Hello my name is X, I work at Oracle, do you have a few minutes to talk about your use of VirtualBox" followed by asking questions about how you use it in order to build a case against your employer can be perceived as phishing. They are either outright not representing or misrepresenting the purpose of the conversation, and asking for information for purposes other than what you'd expect. It doesn't fit the exact definition in the dictionary, but it's close enough and uses the same sort of tactics that it can easily be considered another example of it.

I don't think the purpose of the conversation matters. It's about if/how you fake your identity and what information/access you collect.

That's why I bring up phishing personal info to send a gift basket. Despite flipping the purpose on its head, it's still phishing.

The misrepresentation of the purpose is what brings it into phishing territory. By misrepresenting the purpose, you're also misrepresenting who you are and what your intentions are.

Something that's already phishing will still be phishing even if the purpose is misrepresented. Something that isn't otherwise phishing, however, can be made into something akin to phishing by misrepresenting the purpose.

> The misrepresentation of the purpose

Incorrect. It's not about purpose. It's about misrepresenting who you are. Oracle is saying they are Oracle. If Oracle is pretending to be someone else, than it's phishing.

What you are describing is not phishing. It's just regular old fishing.

> By misrepresenting the purpose, you're also misrepresenting who you are


Maybe this got lost halfway down this comment thread, but the whole point of this being considered phishing-like is that Oracle was emailing individual developers, asking questions about their use. The developers didn't realize so that Oracle can build a case against their employer and accidentally gave away details that Oracle would then use to pressure the employer to get licenses or would outright sue.

Developers likely thought they were speaking to Support, or responding to some kind of survey/questionnaire about their use cases and how they use VirtualBox, when in reality were being misled as to the actual purpose of the conversation.

Just because they were speaking to someone from Oracle as opposed to a third party scammer does not mean that the person they were speaking with didn't misrepresent/fake who they were.

Probably not the strict definition, but they are looking for information from employees they can use as leverage or in a lawsuit against the organization.

I would definitely contact them. But they would not appreciate the reply.

My last enterprise I worked at sent out an announcement that anyone with VirtualBox had to remove it.

What amazed me was when I first started there & asked if I could install it, most everyone was clueless what it even was. So Oracle had to have done some audit that found it, because I don't believe more than 1 or 2 other people would have been using it.

Wow so those enterprises are paying massive money for consultants, Realestate, ms-office/windows, databases, CMS, ERP ... etc But don’t want to pay for using the VB extensions. The horror of it. No sympathy today

I do not understand, Virtual Box is free software, the versions distributed through most common Linux distributions does not contain any non-free components and the binaries on the site are released under the GPLv2. The extensions you mention are a separate download that you explicitly have to download and it is mentioned around the download that they are under a different license.

How exactly are you trapped by using GPL software?

From another comment it sounds like it's the Extension Pack they're going after.

> The VirtualBox Extension Pack is available under the VirtualBox Extension Pack Personal Use and Evaluation License, which is a free license for personal, educational or evaluation use, or an Enterprise License, which is a for-fee license that allows most commercial, non-distribution uses restricted by the PUEL.

Without the extension VirtualBox VMs are pretty much shit.

Extensions add "support for USB 2.0 and USB 3.0 devices, VirtualBox RDP, disk encryption, NVMe and PXE boot for Intel cards."

I'd argue the added features themselves are mostly shit. If you need hypervisor RDP or FDE there are much better solutions than VirtualBox.

I don't care much about other features either, but accessing USB devices is often invaluable.

Often? For what kind of device? Input devices don't need to be fast, and storage is usually better off with a shared folder anyway.

There’s lots of other hardware that people use. For example, the usb cable to connect to my BMW needs usb 2.0, and the software only works under Windows XP, so I have a virtual machine for that.

For tools like Vagrant, not at all. They are very useful if you want to attach USB devices directly to the VM, use the built-in webcam and so on, but I've used VirtualBox for years without installing the extension once.

USB 2.0 and 3.0 are not fully supported without the extension pack.

Which again are irrelevant for the common “just for Vagrant” use case.

I have used it for testing on different Windows browsers, to check whether https://github.com/rbanffy/3270font would install correctly, and running some Windows software from my bank. The only time I needed the extensions was when I needed to reflash my Blackberry 10 DevAlpha (whose battery, sadly, is dead - I loved that phone)

How so ? (don't confuse the extension pack with the guest addons though)

Linux only by the looks of things though.

The equivalent on macOS would leverage Hypervisor.framework, like xhyve or Veertu.



I gather that Veertu has (had?) a product called Veertu Desktop and it was open sourced, but they've wiped any mention of it from their website in favor of Anka Flow/Device/Build (commercial license only).

This looks like the source, found in a github repo of someone who works for Cisco. Maybe a former Veertu employee, or just someone who happened to fork a copy before Veertu deleted it? At any rate, I can't find an official Veertu repo anymore. https://github.com/tithomas1/vdhh

Last updates were 2 years ago and the installation instructions say "To Install Veertu Desktop on Mac, please visit veertu.com" which has deleted everything related to Veertu Desktop down to the knowledge base articles with release notes https://twitter.com/veertu_labs/status/818584467954495488

Seems like a pretty thoroughly dead product. Haven't heard of xhyve before, but between the two that's the one worth looking at.

Not only open sourced, but GPLv2'd. Ripe for forking, if one felt so inclined.

Sure but GPLv2 doesn't help you if all copies of the source code are gone, so be sure to grab a copy of that vdhh repo now in case tithomas1 removes his.

I imagine it's not in a working state on current versions of macOS, what with the security changes that Apple makes pretty much every year. But if someone wanted to try to get it going again they certainly could.

Docker for Mac has moved from VirtualBox to the built-in hypervisor.

I have the impression that causes some pain when it starts eating away battery faster than the monitor can charge the laptop.

Hmm, never noticed that; to the contrary, in my practice, Docker's VM eats CPU less aggressively than VirtualBox's.

Indeed, it's called HyperKit[0][1], and it's based straight off xhyve[2].

Also, there's docker-machine-driver-xhyve for people that prefer using docker-machine (like I do) instead of DfM.

[0]: https://github.com/moby/hyperkit

[1]: https://blog.docker.com/2016/05/docker-unikernels-open-sourc...

[2]: https://github.com/moby/hyperkit/tree/master/src/

Last time I tried, reasonably recent kernels (like 4.15 or so) failed to boot under Veertu, for no apparent reason.

Have they improved?

Xhyve looks promising, but it’s really new and at this stage it lacks all but the most basic documentation.

Exactly, I'm upvoting this to prevent poor souls stuck on Windows from looking for these nice solutions...

But can't the poor souls stuck on windows use hyper-v and RDP into the vm?

I tried Hyper-V for a while but I found the network configuration really cumbersome. Therefore I went back to Virtualbox but I should probably request my employer to buy a license for Vmware.

Is it because you switched frequently from one adapter to another (like wifi to ethernet)? Otherwise I don't think I ever had any problem with the network configuration.

In Windows 10, we provide a NAT network option by default. This should work seamlessly even if you switch between WiFi and Ethernet. So even this problem should go away for most people now.

Didn't the NAT get pulled from hyper-V?

I don’t think so. It’s only there by default on client, not server, though.

You need Windows Pro as a guest to RDP.

Not if you use the Virtualbox extension pack to VNC (that's the free/GPL extension pack, not the Oracle one). That will work with anything. Hell, it'll work with a DOS 1.0 guest.

(and yes, it's VNC, not RDP, I believe the oracle extension pack actually allows for Virtualbox to do RDP as well. But you can stay GPL-only and still support headless VNC. I believe phpVirtualbox uses it with beautiful results)


Can't you only RDP (and here is the qualifier) out-of-the-box with an "Enhanced Guest" VM, like what comes with some of the later Windows 10 builds, like 1809?

Otherwise, don't you have to do everything by hand to configured xrdp on the Linux guest?

Well technically hyper-v comes with its own terminal, but granted it kind of sucks and I wouldn't use continuously.

I think Hyper-V is Windows 8+ (or similar generations of Windows Server), isn't it?

Much of the Windows world is still on Windows 7, and it would be rather ironic if they were updating because of concerns about software phoning home...

Hyper V requires a Windows Pro license last time I checked. That’s significantly more expensive that VirtualBox.

I use hyper-v and rdp every day, very happy with both. I even run Linux VMs in hyper-v.

I've had nothing but issues trying to run Ubuntu in Hyper-V. Even the Windows Ubuntu LTS image that comes with the quick-create didn't work for very long.

Not sure what I'm doing wrong, but I've never has success with non-windows OS's.

What host version? I'm running 18.04 on Server 2016, for reference, did absolutely nothing special or unique, downloaded the iso, built the machine and loaded it and it's up running dns & unifi controller 24/7 for my home network with no issues.

Can you run singularity-container or docker in your Linux guest?

I haven't had reason to try, but I can't imagine a good reason why one couldn't.

I would hope so, as that is what the Win10 version of Docker-for-Windows does.


Hyper-V only works on the Pro versions of Windows.

WSL has supplanted VirtualBox for actually all of my use cases.

To be clear, VirtualBox and Guest Additions are open source. It is only the Extension Pack which is licensed. No?

Until today I had never even heard of the Extension pack, and have never had any need to use it.

You are correct. It is of note that the extesions pack has a lot of useful add-ons, but you did have to explicitly install it.

We use virt-manager to virtualize servers on servers with joy, however I use VBox to virtualize Windows hosts with hardware acceleration if possible.

How is the state of KVM's support about 3D acceleration, sound, drag'n drop and like?

If you have on the host system a graphics card that you can fully dedicate to the guest system, you can then do pci-passthrough and let the guest system have nearly-full access to that graphic card with nearly full performances.

Also, kvm has some nice features that AFAIK virtual box does not have. For example you can have gnu/linux and windows guests use the balloon memory driver, that basically allocates and deallocates memory from the host system. Imagine having a guest vm where you can say "this vm should have 2GB ram, but it might burst up to 24GB if needed, and then go back to 2GB when the need is satisfied". Can't do that with VBox (AFAIK - and it works on windows too!)

Regarding sound, if you are virtualizing windows, imho you're better off connecting via rdp (avoid remmina, use rdesktop) and using local speakers as audio output.

> you can then do pci-passthrough and let the guest system have nearly-full access to that graphic card with nearly full performances.

It is possible, but when it works and works well, which is not always the case. In addition, one may have to lock the card for usage with the guest only, since drivers may not be compatible with intermittent (=on/off) vfio usage.

I've had mixed experiences, depending on the hardware. my current system is 100% stable, however, I don use the card on the host (it causes instability). My previous system worked badly, and it was essentially not usable.

> If you have on the host system a graphics card that you can fully dedicate to the guest system.

Which implies a special-build system to play some odd Windows games ocassionally, akin to building an Hackintosh. For my use case it's a definitive overkill :D

> ...do pci-passthrough and let the guest system have nearly-full access to that graphic card with nearly full performances.

Again which requires a CPU and system which supports vT-d (in intel jargon), which is the only feature which my 3770K doesn't support :D

VirtualBox supports memory balooning. The interface is same with VirtIO's ballooning drivers AFAIK. The commands can be found in [0].

Since I want to virtualize Windows to play my simpler games only, rdp is not a very attractive choice. Using local speakers and sound virtualization is alright. I don't want crystal clear, high end sound. However, I'm not aware of the support level.

[0]: https://www.virtualbox.org/manual/ch09.html

How is pci-passthrough for hypervisor security? I’m speaking from a layman’s perspective, but there have been successful escapes through the GPU / GPU memory in the past right?

Somewhat better than OpenGL passthrough, whose security can be summarized as between "basically none" and "absolutely none".

For sound I would recommend scream: https://github.com/duncanthrax/scream

I've been using it in my KVM PCI passthrough VM for some months and it works well.

Virgil3D enables host-gpu based acceleration for KVM, and Boxes ships with it enabled I think.

Virgil 3D is a KVM feature. Boxes is just a frontend. Fedora, CentOS and RH enables it, but it's not landed on Debian yet AFAIK.

From Boxes site:

> While virt-manager does a very good job as a virtual machine management software, it's very much tailored for system administration.

Exactly! Boxes looks really polished.

It's anything but. It's utterly useless. Just use virt-manager while it lasts. It is being deprecated though, after which you will be forced to use boxes or the other virt-manager replacement.

Having never used Boxes before, I was excited for a better VM management tool than virt-manager.

However, I just tried using it (on Debian stretch), and unfortunately I have to agree that it doesn't do much beyond look pretty.

afaict you could only go to consoles, check a few resource usage graphs, send power commands and manage snapshots. There were very few configuration options and no ability to manipulate virtual hardware on existing machines. Also, there was no way to add remote libvirt instances from the GUI, and adding them into the config file (qemu+ssh) just made boxes crash.

If virt-manager really is going to be deprecated, is there a good replacement out there?

edit: Holy crap, it also managed to hibernate all the running VMs on my dev box when it crashed!?! Glad I didn't have anything too important running on it!

It looks like Red Hat intends Cockpit (a web interface) to replace virt-manager eventually.[1]

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1659477

This is somewhat excessive. There are still valid use cases where Virtualbox comes for free - private users or professional users/companies with a relatively small number of workstations (Oracle's going after companies who use a large number of unlicensed installations).

Also, it is still possible to build a free extension pack; it would be a great project. After all, Virtualbox is GPL, and it shouldn't be underestimated the amount of work that has been, and is being, put into it.

I'll try that.

I use Virtualbox to compile CI artifacts for Ubuntu, Debian, OSX (homebrew), and Windows (msys2) by using the virtualbox executor of gitlab.

The other available gitlab-runner executors to build these artifacts cross-flatform are: virtualbox, parallels, docker, kubernetes.

Boxes and virt-manager aren't on that list, so they are out.

Parallels isn't FLOSS.

Can I use docker or kubernetes to build my desired artifacts?

I think the advantage of VB is its installer and ease of creating and spinning up desktop VMs. The last time I tried using virt manager, I decided it wasn't for me, at its then-level of polish, but this was probably back in 2011 or 2012 or something. Boxes seems promising in this regard...hopefully it gets some momentum behind it.

Thank you for providing these links. I've been looking for an alternative to VBox for quite some time (I don't like anything that Oracle touches, as Oracle is a law firm with a tech problem); these help.

Sorry but it could be (even remotely closely) to a Linux only solution.

from memory boxes has limited networking functionality though?

What VM should I use if I’m on macOS?

You make a good point, but not a good recommendation. This is a Mac OS virtualization app, and your options are Linux only. Its an oversight, at best. I get that Apples messed up their evosystem, but that’s not this conversation.

VirtualBox is a cross-platform app. The user interface looks like Java to me.

The UI is written in Qt. E.g. for older VirtualBox versions, the virtualbox-qt package was required to be installed in order to have the GUI.

The UI is Qt-based, I believe.

No, VirtualBox is Windows, Linux, MacOS

Whoops, I forgot.

Be careful about VirtualBox Extensions which is non free on commercial environments. Oracle is hunting non compliance and VB provides them with lots of telemetry.

How do you license them? I've never seen a "Buy now" link, only the text about "Free for personal use" every time.

I vaguely recall that this was discussed here on HN a while ago and somebody who had actually tried to buy the necessary license reported that Oracle would not sell them the license; IIRC, the sales person told them to "just use it, we don't care", or something along those lines.

Which is very problematic, of course, without something in writing, and given Oracle's reputation.

If you live in a one-party state, secretly record them and then if Oracle threatens to sue, show them the recording and remind them of promissory estoppel.


Not really promissory estoppel, which can enforce a promise if you detrimentally relied on it. It's not really to your detriment to use the product for free, so it's not a perfect fit (unless maybe your company hired someone to administer the VMs, specifically based on his VirtualBox experience?).

Some other possibilities would be the parol evidence rule (verbal exchanges between the contracting parties and their effect on contract interpretation) and possibly laches (no equitable remedy for folks who know about an infringement on their rights and do nothing about it... but money damages isn't an equity claim).

(IAAL but I don't practice in this area, so same grain of salt applies)

I think amyjess is right.

From the Restatement Second:

§ 90. Promise Reasonably Inducing Action or Forbearance

(1) A promise which the promisor should reasonably expect to induce action or forbearance on the part of the promisee or a third person and which does induce such action or forbearance is binding if injustice can be avoided only by enforcement of the promise. The remedy granted for breach may be limited as justice requires.

If Oracle says "go ahead and use it" and then sues you for having used it, they lose. If they sue you to stop using it going forward, they win.

I can understand how you'd think that, reading the text of the rule in the Restatement. However, at common law - and as shown in the examples if you'd keep reading - there has to be some detrimental reliance. Being able to use a product isn't in an of itself to your detriment. However, hiring someone based on that understanding might be.

A, knowing that B is going to college, promises B that A will give him $ 5,000 on completion of his course. B goes to college, and borrows and [[[spends more than $ 5,000 for college expenses.]]] When he has nearly completed his course, A notifies him of an intention to revoke the promise. A's promise is binding and B is entitled to payment on completion of the course without regard to whether his performance was “bargained for” under § 71.

(detrimental reliance in triple square brackets)

I have a hard time imagining a case being granted summary judgment for the defendant just because Oracle's customer sales rep told him "we don't really care."

In all honesty, the legal issue is more likely to be whether the person on the phone had apparent authority to grant a license. Even if a promissory estoppel theory would work, the person speaking to you would still have to be in some position (or appear to be in some position) to bind Oracle to a promise he/she made.

...and this is why I'm not a lawyer.

Thank you!

In Germany, it is illegal to record phone conversations without the consents of the other party.

Also, I don't think Oracle is going to sue over something like this. They really seem not to care. But they could change their mind tomorrow.

> In Germany, it is illegal to record phone conversations without the consents of the other party.

Hence, "If you live in a one-party state."

> Also, I don't think Oracle is going to sue over something like this.

Check the other comments in the thread. People are reporting that Oracle is taking IP addresses of people who access the extensions site and if the IP address belongs to a company, they contact the company and threaten to sue.

> Hence, "If you live in a one-party state."

I am sorry. In Germany, there is no such thing as a "one-party state". :-|

> People are reporting that Oracle is taking IP addresses of people who access the extensions site and if the IP address belongs to a company, they contact the company and threaten to sue.

Thank you for pointing this out. I stand corrected.

That's awkward as hell. It's sad that their offering is the only decent one out there (for my needs and with that UX) that's at least got open source options. I hope VirtualPC from Microsoft becomes cross-platform and open sourced, or at least some sort of new VM software from Microsoft, since they seem to be doing a better job at offering up MIT licensed projects lately.

I wouldn't even mind shelling out $50 for a license if I needed one, but they won't let me. It takes $5000, because they require a purchase of 100 or more at a time. It feels like they don't want to spend time on small stuff, and really don't care.

Can also buy a socket license for 1k, or buy from resellers with lower MOQ: e.g. https://m.cdw.com/product/oracle-vm-virtualbox-enterprise-li...

VMWare does the same thing. No idea why you'd think Oracle is the only competitor.

Indeed. I find VMWare Workstation to be a significantly better product as well. I hate using VirtualBox.

This was my experience 6-7 years ago (shortly after the Sun/Oracle acquisition). Couldn't get a straight answer from anyone about how to license it (despite wanting to roll out many thousands of seats using it in a commercial product).

Good question. They don't want to sell them. Just based on the website the licenses are only sold in 5000 unit blocks.

The fact that they didn't want to take my money forced me to learn KVM and libvirt. That turned out to work better and be way easier to manage remotely.

That link only shows:

"Access Denied

You don't have permission to access "http://m.cdw.com/product/oracle-vm-virtualbox-enterprise-lic... on this server."

Works for me. Are you accessing this from the US?

Just chiming in with the others. Trying from Israel, Access Denied.

It seems that it blocks ukrainian users entirely. Even in https://www.cdw.com/

Guessing it's blocking non-US users - couldn't get to it from Australia. VPN works fine, though.

Switzerland has also "Access Denied".

You go to the download page, see the link about the licence, click the FAQ link, and then click the store link, it's £36/user

Thanks! Shame it's minimum order 100 user licenses.

I appreciate you finding that. Here's the direct store link verbatim for anyone interested:


Uhm, this scares me a bit, how do you of you have the Extensions or not?

Would be nice if the Windows Subsystem for Linux started officially supporting graphical apps or a full VM.

You explicitly need to install them and accept the license

Hmm, there used to be an "ose" edition which lacked some usb patch through stuff I believe, it's not related to that? Haven't seen that in a while but it used to be 2 separate downloads...

So it's not any of that stuff you can select on the "Custom Setup" screen then...

It's a seperate download, not anything that you can get with the normal VirtualBox installer.

On an unrelated note, have you considered a third-party X server for windows, like Xming or VcXsrv, for use with your WSL apps?

Yes, it works, still doesn't really come near the experience of a full VM with dropdown terminals and sshfs in the filemanager etc.

Have you tried the "one large window" mode rather than the "multiple windows" mode? That could be closer to what you want.

See: https://i2.wp.com/www.maxtblog.com/wp-content/uploads/2017/0...

> Be careful about VirtualBox Extensions

Don't you mean: Be careful to follow the licensing for whatever products you use.

This is not necessarily straightforward. Also, Oracle has form.

On the page cited there's no reference to licence/license. Fair enough - it's a release notes page. The only sub-page (using the menu on the left) that contains any reference to licence is the Contributors page, which isn't somewhere most users would head to.

The primary page - https://www.virtualbox.org/ - has one reference to Licence - and that's as part of the assurance that VirtualBox is "an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License".

And if you read that, assumed the best, and went on your way, you'd soon be in breach.

(Yes, you should probably visit https://www.virtualbox.org/wiki/Licensing_FAQ despite the above assurance on the front page -- at which point you'd learn about the Extension pack, the PUEL, and other usage constraints.)

This is Oracle. The Extension Pack has additional features particularly valuable in an enterprise environment, BUT there is no way to actually buy a commercial license and as per some other threads Oracle salespeople are advising enterprise customers to just use it anyway.

Oracle setting a licensing trap they can spring at their whim? Perish the thought!

It is unbelieveable that a company which employs such tactics against their users can survive. I know I avoid their products like plague, Java and DB included.

The extension pack is extremely easy to download by accident: for instance, it comes in the default Chocolately installation unless you pass a flag to disable it. With Oracle actively going around and sending threatening letters to enterprises with extensions download traffic coming from their IP blocks, it's easy to accidentally get in a bad situation.

This is separate from the guest extensions ISO image, right?

What kind of functionality do the extensions discussed here cover?

Yes, this is separate from the guest extensions. Here's information on it: https://www.virtualbox.org/manual/ch02.html#intro-installing

I would love to know thw answer to above question

I'm pretty sure the GP means: Be careful not to install unlicensed proprietary software thinking it's part of the free software that has basically the same name.

sometimes you just want a simple vb ubuntu vm. however virtualbox locks copy paste from host to vm support behind extensions which are free only for personal use(which you are using but good luck proving that in court)

No. Copy-paste is not locked behind the VirtualBox Extension Pack. It requires the Guest Additions, which are completely different from the Extension Pack.

Extension Pack gives things such as USB passthrough.

It's kinda weird that VirtualPC way back when is the only VM software I recall using that had copy-paste without guest extensions. Granted, it just typed text into the keyboard, but it was really handy none the less.

I've taken to a macro that automatically "types" the contents of the clipboard when I hit a hotkey. Super useful with VMs and remote access.

does that work fine with lag? No dropped characters?

That is indeed a problem :-) I had to bump up the delay between characters and particularly slow connections or serial consoles still can bite me. Mostly I still consider it worth using though, since fixing a few small typos is less work than typing the whole thing by hand.

If you're using virtualbox together with vagrant, you're highly unlikely to need the extension pack anyway.

Sorry. I have never heard of this. I switched to VB earlier this year for simple home use testing apps and working with large data sets. VMWare Fusion just caused me to many problems.

Can you explain how I need to protect myself?

You switched to VB because VMWare Fusion was problematic?

That sounds like exchanging a Toyota for an Edsel.

Well when Fusion doesn’t run, vm’s become corrupt and VMWare answers your support query with “your new MacBook Pro must have a hardware issue”. Yes, I did switch. They lost my $80/year for upgrades and I have been a user since v3.

And Virtual Box has been more reliable than Fusion ever was for me.

If you’re a home user, and you’re sitting behind an IP address provided by a residential ISP, Oracle isn’t going to be bothering you.

So they are only looking for the gross level violators.

Block telemetry.

Can you share?

I guessed it was a just a checkbox/config option. If not this would be very dubious.

Too bad none of these two bugs has been fixed:



(cannot use `sendfile` in nginx inside a virtualbox, due to an eight year old bug)

Yeah it's crazy that it's not fixed yet. About 5 years when I was using VMs for my development environment I remember that bug causing all sorts of issues with assets not loading correctly.

It's also why I recommend people avoid Docker Toolbox like the plague since it uses VirtualBox under the hood. Either use Docker for Windows (if you have Windows 10 Pro), or roll your own VMWare Player (free) VM which doesn't have that bug, has way better I/O performance in the end and isn't much harder to set up.

This might surprise you but neither of these 2 are bugs.

VirtualBox shared folders simply don't offer the guarantees of a local filesystem. They are not a local filesystem, they are network drives mounted as NFS, with the abysmal support and quirk that comes with that.

sendfile() doesn't work on network drives. it never did. the host is not aware of changes made to the remote filesystem from another host. it cannot see updated files unless it checks for remote changes.

> They are not a local filesystem, they are network drives mounted as NFS, with the abysmal support and quirk that comes with that.

They’re actually not, which is exactly the problem. vboxsf is its own “real” filesystem. The code is super simple (too simple, perhaps): https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Addit...

It contains many shortcuts with reporting free inodes and whatnot.

But from our point of view (the end user), it feels like a bug with VirtualBox because this problem doesn't exist when using VMWare or Hyper-V.

I used a VMWare Player driven VM as a primary Linux development environment for full time web development for literally 4 years straight and I encountered the issue 0 times, but with VirtualBox I encountered the issue in 1 day.

Maybe it's not technically a bug with VirtualBox, but it is something that makes VirtualBox unsuitable as a dev environment for web development.

You're right that it's a major UX hurdle. But it's not a bug in an advertised feature. Not a technical oversight, not a glitch.

Yes, vboxfs is very restrictive, but then again, the whole cross platform virtualization is a very thin curtain of magic over the nasty differences behind.

According to the change log, the guest to host escape vulnerability with the e1000 networking driver was not fixed, or at least it is not listed as being fixed. Is this correct that it is not fixed?


Oracle has an arcane policy of not mentioning any security fixes for any of their managed products, except for once a quarter. The flaw has been fixed as of 5.2.22, but the VirtualBox devs are not allowed to mention it until sometime in January I think.

Virtualbox is not your only option if you want to use Vagrant. Vagrant has decent plugins for qemu (vagrant-libvirt) and lxd (vagrant-lxd)

Make sure you get your KVM, Qemu and libvirt setup right and run:

    vagrant plugin install vagrant-libvirt
    vagrant init generic/ubuntu1804
    vagrant up --provider=libvirt
You can export VAGRANT_DEFAULT_PROVIDER=libvirt to avoid passing --provider=libvirt to vagrant all the time.

vagrant-lxd is less mature but just as useful, especially when you need to run stuff with erratic RSS graphs.

You can also put

In your Vagrantfile to force a specific provider to always be used for that Vagrantfile.

> Added support for using Hyper-V as the fallback execution core on Windows host, to avoid inability to run VMs at the price of reduced performance

Any comparisons between hyper-v and virtual box performance? I would have assumed hyper-v would be more performant.

In a straight up VirtualBox vs Hyper-V scenario the I/O performance on Hyper-V is a lot better, and that's not based on contrived benchmarks either.

I've used both for full time development. It only took about a day of using VirtualBox with sync'd folders to look for alternative solutions due to how bad it was about 4 years ago (not sure about today). Also, VMWare Player is / was so much faster than VirtualBox, and is on par with Hyper-V's performance.

Currently I use Hyper-V today because it's the back-end for Docker for Windows. I couldn't be happier with the performance.

Tested them quite a bit about 18 month ago and hyper-v was slightly faster in the benchmarks I ran (especially when it came to IO), but was a laggy stuttering mess when trying to use a Linux desktop.

Out of curiosity, why do you have a presumption that hyper-v would have better performance?

This may be completely wrong, but as I understand it when you enable hyper-v it sits above your Windows install, and runs your windows as a hyper-v VM. So, rather than running a userland vbox process that has OS overhead (especially around disk IO) it can run much closer to the metal.

If I remember correctly, Hyper-V is not strictly a type 1 hypervisor ("runs your windows as a hyper-v VM") but comes close. The VMs still run pretty close to the metal, but your host OS is mostly free from hypervisor interference.

Because it’s a well known fact that VirtualBox has been dodgy slow for years. Especially around I/O, it’s been the laggard.

VB has lagged in support for good hardware acceleration, it's been an issue for years.

I really wish VMware would support this. I'm surprised Virtualbox has a technical advantage here.

Is there anyone who could explain to me why virtualbox is still being developed? I don't mean that as an attack on the developers or the software but Oracle ruined pretty much all of Sun's software with VBox being one of the only two exception along with Java.

I've always assumed Oracle deeply depends on VirtualBox internally, and the amount of feedback they receive via public channels is far cheaper than keeping it closed source and having to internally test the tool.

Define “ruined” to you. By my definition, oracle took something that was “ok’ish, especially when you didn’t want to pay and just had basic needs” product and have slowly chipped away anything that could be considered good for most.

They ruined OpenOffice and Hudson. Luckily those were hard forked by the communities.

↑ this sounds like a pretty good definition of ruined.

Exactly my thoughts, but GP claimed that Vbox wasn’t ruined.

Is anyone using VirtualBox on the desktop? Specifically, to run Linux/macOS/Windows guests on a macOS host?

Would you recommend it? Or is the best option VMware Fusion, Parallels, or something else?

I recently got a Mac and wanted to avoid the cost of Parallels, so I tried VirtualBox first. It was insanely slow. Like, I would be typing text into a VM and I would type a line, then wait and watch the characters appear. This happened on a 2018 Macbook Pro host with 32GB RAM. This happened on both Windows and Ubuntu guests.

So, I tried Parallels and it was so fast I can't really tell the difference between the host and guest in terms of speed. I highly recommend Parallels.

I tried VirtualBox first. It was insanely slow

Colleague of mine has Windows running on VMWare on OSX and it's not much better. Also, but this might be because of the keyboard/OS/VMWare settings he uses, but when my muscle memory gets to work and starts using basic key combinations it feels like half of the time they are intercepted by OSX and do funny things, opening apps I don't want or switching desktops or whatever etc. No joy. All in all, of all non-commandline development experiences I ever encountered it's probably the worst. Parallels on the other hand was indeed more 'just works, get shit done'.

Is there anything as fast as Parallels on Windows? I've just switched back to Windows (dislike the new MBP keyboards yada yada), and Hyper-V on my 2018 X1 feels ridiculously slow compared to Parallels even on my Mid-2012 Mac.

Parallels is great. I like it so much that I bought the subscription, and I don't even use my Windows VM all that much.

However, sadly, third-party software that spins up VMs tends to avoid supporting Parallels. I recall Vagrant having a sub-par Parallels provider (compared to the paid VMware Fusion support), and even minikube went with VMware Fusion instead. https://github.com/kubernetes/minikube/issues/220

I use VB on several different macs of various vintages and it runs Ubuntu and Win10 guests just fine. Be sure to install the Guest Additions in the guest OS, they provide a bunch of vital drivers - like video, which sounds like what might have been bogging you down.

How much RAM did you allocate to the guest? From my experience the defaults are inadequate for desktop virtualisation. You need to allocate ~4GB of RAM and a couple of cores to get a smooth desktop.

I’ve had Fedora and Ubuntu guests running on a 2015 Mac Mini with no issues.

I had to run VB on Mac host, with linux guest. No issues, but every time I need to create a VM, I set different settings than the default ones (more ram, 2 cpu cores instead of one, 3d acceleration + more video memory).

Same experience here with a MBP 15'' 2015 with 16gb of ram

I routinely run my "home" Linux desktop on a macOS host.

Pretty nice for me: I got a full-res retina screen (needs a command from host on a VM restart), changed the dpi to taste, and now have compact and crisp UI under Xfce.

I use the open-source guest additions installed by my distro's package manager (void linux), and not the Oracle-provided extensions. They work fine for time sync, clipboard sharing, file sharing, and for hi-res screen (I run 1:1 pixels, no scaling, obviously).

Saving machine state and then restoring it in 10-15 seconds is pretty nice, comparable to normal laptop hibernation mode.

What does not work well is OpenGL acceleration. That is, it sort of works, but sometimes produces visual problems that only a reboot of the VM can fix. So I run with GL acceleration disabled, and thus many nice compositor effects turned off for performance.

I use VirtualBox in combination with gitlab-runner[0] to run macOS guests for ArchMac[1] CI package building, which works great. I also use it with docker-machine instead of Docker for Mac, for performance reasons.

For actually using a virtualised desktop I favour VMware Fusion which I found is the best between features, performance, and reliability (Comparison also includes Parallels which I'm not a fan of)

[0]: https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs...

[1]: https://archmac.org

I haven't used Parallels in a few years due to the cost and that it stops working every time you upgrade MacOS, but it was always significantly faster for me than virtualbox.

I've used Parallels before and found it amazing - fast, simple and easy.

It's not worth the cost unless you use it very frequently though.

Parallel Desktop Lite is free for all guests except Windows.

I use it run a Windows VM on my Linux desktop - works pretty well for years.

No usage of hypervisor.framework... so never mind.

I've been using Parallels Desktop Lite which is free for Linux and MacOS X guests.

I've switched our development environment years ago to VMWare (OSX) from VirtualBox because it didn't work well with fixed IPs, would change the IPs and I couldn't pin them - worked for some time then changed the IP. Has this changed?

But the true hacker uses QEMU.

'MacOS Guest Additions: initial support'

I thought that with a dozen hacks it already worked? What did they add? Official support?

> Major rework of user interface with simpler and more powerful application and virtual machine set-up

Anyone found out yet what that’s supposed to mean? Looks all the same to me except colors and icons and animations nobody needs.

Using this release with Vagrant and the ubuntu/bionic64 (20181214.0.0) box resulted in a very slow boot process which caused Vagrant to abort due to the boot timeout.

It looks like this was caused by a workaround I had implemented for the exact same issue on previous releases:

  vb.customize ["modifyvm", :id, "--uartmode1", "disconnected"]
After removing this line the box boots up normally again.

The VMSVGA for linux guests sounds awesome, since they previously removed 3D support for "linux guests using Wayland".. ie. Ubuntu 18.10.

Can any linux experts here explain briefly what is required to get this VMSVGA support? (win 10 host, Ubuntu guest)

Do I have to grab additional drivers or "guest additions" from VMware? Or will Ubuntu 18.10 have 3D support out of the box if I run in with VB6 ?

I love how the website has been keep basically unchanged through the years. Its design is clear and easily navigable.

I hope it doesn't change.

I think (guessing) that's because this site is 90% just-a-slightly-themed Trac install. It's admirable that the design for that tool has stayed so consistent.


It's nice when things that work don't get change for changing's sake.

I'm sure there are more useful changes but honestly I'm just happy that it finally supports my HiDPI screen.

I'm unable to find anything about the vboximg-mount utility in the documentation, except in the release notes.


But I wonder why the section 6.11 about vboximg-mount is missing on the .org version of the manual:


"You are already running the most recent version of VirtualBox." -VirtualBox 5.2.22

> iSCSI: In cases where there is no ambiguity, the LUN of an iSCSI target is automatically determined, for targets with non-zero LUNs

Any SAN/Storage admins care to comment on if this is really great or really scary?

What virt solution on win10 has 3d acceleration functional on Ubuntu? The Unity Ubuntu desktop is dead slow on VirtualBox...

Since this is Oracle, I'm most interested to hear if there have been any changes in the license.

Still no Solaris USB fixes after more than five years of busted / non-working USB pass-through. Good work, great job...

Holy cow, what an ugly user interface. I mean, it wasn't exactly a Matisse before, but it's just hideous now on macOS.

Who thought "easy to use" rhymed with "make the icons look like nearly identical and somewhat indistinguishable blue squares"? Who decided that an already rather unprofessional drawing of Tux needed to be transformed into Baby's First Vector Drawing™?

And why, when previous versions already did a semi-respectable job of at least _pretending_ to look like a native Cocoa app on macOS, does version 6 not only regress its implementation of the Aqua theme down to everything-is-grey but do so by getting rid of the gradient that emulated NSToolbar on most settings windows whilst then _adding_ ugly gradients to the list of VM settings on the main window in place of the vastly more functional rounded rectangles with separate headers of previous versions?

You see, if it's possible to regress the user interface so badly _when it was already fine_, I don't hold much hope for the rest of the technology. Call me a snob, but it reeks of sloppiness.

Exactly the kind of nitpicking negativity I expected to see when I opened the thread. It’s an app for running VMs, not a piece of consumer software, it’s not being marketed based on how it looks. Say what you will about oracle’s business practises, but it’s a crying shame that this is the top comment.

Edit: was top comment. Crying shame averted.

>> It’s an app for running VMs, not a piece of consumer software

On Macs, Fusion and Parallels are arguably consumer software. In the early days of x86 on Mac, they were the carrot to lure a lot of non-technical people who used Windows at work to get a Mac.

Since there are a lot of people who gravitate towards "free as in beer" software, you can't not expect a Mac user to at least look at VirtualBox as a consumer app. There are probably plenty of Mac oriented listicles that recommend VirtualBox as a free option for running Windows VMs on Mac.

Yep. We're in the edu space, and we regularly recommend VBox to Mac users who want to run a single Windows application on their Mac. Fusion and Parallels are both better, but for intermittent use, free VBox wins out over $80-$100 Fusion/Parallels.

What a load of rubbish. If an app has a GUI that __was perfectly fine__, there’s no legitimate reason for it to regress.

Somehow, VMware and Parallels managed to understand and act this for the past decade in their macOS _and_ Windows offerings for consumers, so I expect a big company like Oracle to not screw up the basics of user interface design, regressions of any kind, and treating a major platform and its users with a minimal amount of respect.

>not a piece of consumer software

What is it then?

I just downloaded/updated it for macOS and then set up a fresh Debian Stretch VM on it. Wow, you weren't kidding, it's still a hideous UI and it looks like they haven't even tried to make it look anything like a native app.

> Call me a snob, but it reeks of sloppiness.


The utility of the application far outweighs the aesthetics.

I really rally against people who think user interface design is __just__ aesthetics. How software looks and how software _feel_ are intimately linked, and go a long way to how much people get out of said software.

What use is utility when that utility is locked away behind regressions in usability?

I like how it looks on Windows. It looks cleaner, more modern, Not super modern with those animated gradients but nicer than it was.

I agree with you.

More than that, drawing is bugged, and sometimes it won't fill out empty spaces in the window.

Or, another times, it draws too much and sometimes it covers buttons on the toolbar, so I see a beautiful grey rectangle instead of the toolbar.

It's slow as hell. I wish it was done in Electron, then it would be faster.

Scrolling through the VM log is very slow.

Let me guess you code in ruby and use a macbook air.

Swift and Typescript on a 27” iMac. What does that have to do with it?

ipad pro

Is the link down for anyone else?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact