It’s got great documentation. See the kernel.org documentation here: https://www.kernel.org/doc/Documentation/virtual/uml/UserMod... and a write up from the creator Jeff Dike (which includes a lot of technical detail on the inner workings) here: https://lwn.net/2001/features/OLS/pdf/pdf/uml.pdf (from 2001!)
slirp is the only _purely usermode_ way to do networking, but UML also supports TUN/TAP for something a little more sane. UML does a bunch of pretty crazy things in order to work, including a dedicated thread whose job it is to ptrace every other process for syscall and signal emulation (and, as a bonus, it even ptraces external debuggers to make them think they’ve successfully ptraced a process that’s already being traced!), and a full emulation of physical/virtual memory translation with paging (done by giving every virtual process under UML its own virtual address space).
All in all, a super impressive project, and definitely one worth trying out.
Is it theoretically possible I could run an entire linux kernel instead with this? Is there any setup on the host system that is required which needs administrative privileges?
Turned out: It basically worked, but it was a bit painful to setup and to manage.
I used it on a server where I was not root to be able to launch docker containers.
It had students exploit a setuid binary to get root for an assignment. Done on UML so we could run the thing as our regular users.
What we decided was to go with option 3 - we implemented a Linux system call interface within our own kernel to give us 'native' support. This, of course, is exactly what the first version of WSL did, many years later. Plus ça change...
Joyent as well for SmartOS.
Is it Sun? Why use more than 20 words to (probably) mean "for Sun"?
Seriously though, it's bad writing. Not a crime as bad as starting an off-topic subthread, but still...
And it would be Oracle chasing the commenter for an NDA breach, I suppose.
Back in 2003 or 2004, I threw together a "virtual hosting" platform using UML. It had a web form accepting payment, and a few minutes later you'd have a fully running virtual machine. I put this together in a couple weeks leading up to PyCon, where we launched it. But we didn't really have the business savvy to take it anywhere, we never had more than a few hundred VMs.
We eventually moved to other technologies: VMWare, Xen, Proxmox (KVM). But UML was my favorite. (Xen was my least favorite :-)
After that, it would make sense to try WINE.
In 2001 this mentions SMP support is possible. First thing tomorrow I need to check if it was ever implemented. Perhaps it’s late and I’m tired but somehow this seems to be much better than containers for a number of problems, or maybe the performance hit is too much.
Also loads super fast, which is an exception these days.
I am trying to run this on the latest Ubuntu but getting the below error:
root@kit:~/uml/furry-happiness# docker run --rm -it xena/docker-uml
[WARN tini (7)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
Core dump limits :
soft - NONE
hard - NONE
Checking that ptrace can change system call numbers...ptrace: Operation not permitted
check_ptrace : expected SIGSTOP, got status = 9
Very little "just worked".
I think there's huge potential there, however, as an architectural building block, just like containers are.
Could someone clarify this for me - there must be some way of pulling data from UML back into the host system?
Does this mean the UML system can utilize many cores well and SMP was eventually implied?
I used to run it myself, way back when. For isolation, it is going to be better than a container or jail, but not as good as a full VM, though I was using it for testing personal stuff so wasn't really concerned with isolation from a security point of view. One key con is that it can perform pretty badly in some respects, particularly for loads that ned to talk to the kernel much at all, including processes that perform much IO. It "felt" less cumbersome than full VMs (IIRC I was playing with a mix of VirtualBox and VMWare' Player & Server for that sort of thing at the time), in terms of my automation and to some extent in terms of host resource use (though I didn't test that with any scientific rigour, and if I did any good tests back then the results would not be relevant today anyway as they were pre VT-x and other CPU support which UML can't use but a modern hypervisor can and will).
In terms of isolation it is "pretty good". The guest has their own kernel, and you can run it as an ordinary user. Add a chroot jail and you can have 50-150 different UML instances running on a single host, each under their own UID. They can't talk to each other, and if they do manage to exploit the kernel they're only gonna get the access to the host which you restrict with chroot, and standard things.
It's less of a risk to run isolated things than this than have lots of containers share the same kernel. An escape there means container-A can view/poke container-B AND the host.
Of course there is overhead, and most people moved on from UML to Xen/KVM when they became available - both have better performance thanks to virtio, and both have more flexibility for networking, block devices & etc.