Ask HN: tiny VMs
50 points by willvarfar on Sept 9, 2011 | hide | past | web | favorite | 34 comments
I've searched in vain, so I ask you folks:

Is there a tiny Linux distro aimed at running in a VM (i.e. not buckets of drivers in there for all the things the VM doesn't have; rather a very thin light kernel because its all backed by the VM)? Perhaps even set up for an external x running on the host? Ideally with a packaging system built around single-shot apps? So I can have a VM for a browser, and another for a mail app and so on, each with a tiny footprint?

Host would be Windows or Linux.

You might want to check out TinyCore Lunux. In 10Mb ISO you get a functional image with GUI and thousands of apps in the repository including Chromium and Firefox that can run in as little as 39mb of RAM.

I run multiple TinyCore VMs in VirtualBox for safe browsing in the darker corners of the Net.

Sorry for the typo - blaming my fat fingers on the iPhone and I'm past the edit time window to fix it.

Ubuntu Server edition has JeOS option ( http://en.wikipedia.org/wiki/Ubuntu_JeOS ) which is a minimal install optimized for virtualized environments.

That is a good start, but the original poster appeared to want graphical apps to run in the VM; JeOS is console only (as one would expect for a server/appliance distro). It would be interesting if there was something between "full Ubuntu with lots of widgets" and the console-only JeOS.

Yes, one could add the gui afterwards, but something minimally configured already would be a timesaver...

There are images of VMs floating of base installs of various linux distros. If this is too big, just configure JeOS with your basics and clone that image as needed.

If the original poster is looking for a VM to distribute an application, JeOS is a reasonable place to start.

On the other hand if the original poster wants to run a VM for every application he will (likely) want to look for a VM platform that dedups memory, a la ESX (though that's a bare metal server hypervisor)

If the original poster just wants a secure environment to run apps, something like VMware ACE may work better which allows you to lock down/filter access to USB storage, network, etc.

Disclaimer: Former VMware employee.

He wanted external X. That's already supported natively by SSH. Just install the app, and run ssh -X to have it forward the display to the local machine.


rPath's build system and rbuilder were made for this purpose.


You can spin iso's and vm images all in a web interface. (rbuilder has a flash interface. It's more powerful from the command line but susestudio is really fast).

Red Hat/Fedora is supposed to have something (probably more than one) that's new and slick.

I'm not sure I've understood what you are requesting, but your description reminded me of Qubes OS http://qubes-os.org/ (based on Linux and Xen).

From the "Architecture" page:

<blockquote>Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.</blockquote>

(I've never used it myself though, so I can't help any further).

I was going to reply the same

I used to hand roll my own tiny VMware VMs using Busybox and uclibc. It was very tedious and time consuming, but I was able to create VMs that were less than 10MB when compressed and virtual disks of whatever desired size when uncompressed.

Gentoo Linux (if it's still around?) might be a good start since you can compile the entire world yourself and decide which features you do and do not want.

There is a tool called buildroot that builds a kernel and a root file system with uClibc and Busybox. The result size for x86_64 using default settings is a few megabytes. You can trim this down a lot by leaving out features. Using uClibc instead of glibc may affect using virtual machines (like JVM), though.

Gentoo is still alive and kicking. It's not that difficult to use and the documentation might be the best docs I've seen in any distribution. It's also worth mentioning that with a modern CPU, the time it takes to build software is not that long.

In fact, installing a "medium sized" application (e.g. not libreoffice) is faster with Gentoo's emerge than installing a standard Windows app. It takes about as long to download the source, compile and install it with automation as it does to navigate a web browser to a software's home page, locate the download link and click "Next ->" 15 times in the installer manually.

your kernel is already thin and light. if you're using a modular kernel, as most distros default to, you're only loading the modules you need and can use.

as for apps and packages, i don't care for most distros' dependency systems, but the only downside is more files on disk -- and who really cares if there's an extra 25MB of stuff you never use on there, assuming you have the space.

That's true for all practical purposes, but technically it's incorrect. For a start, statically linked modules can be packed more tightly into sections by the linker, whereas dynamically loaded modules will always have as much as 4kb of slack at the end of theirs.

There are a bunch more differences like this. If it's like userspace, in many cases the dynamically loaded symbols also involve a level of indirection in order to access them since they have no fixed address at link time, which results in a small performance hit.

Modules also include metadata which remains for as long as it is loaded, but I think this is negligible.

Why do you want to do this, anyway? Linux already isolates processes' memory from each other. With cgroups you can ensure that resources are allocated fairly, and with chroot and namespaces you can ensure that they're securely isolated from each other. Why run a whole bunch of kernels on top of other kernels? It just adds inefficiency.

It may be due to the fact that any exploited process that is also an X11 client can become a keylogger...

A couple ways to prevent X11 keylogging/screenshots/actions:

* If chrome/chromium are doing it right now, most parts of the browser should not be able to access X11 directly.

* X.org provides for two compartments, trusted X (the default) and untrusted X (now used by ssh -X, also sux --untrusted). There are still a number of applications having issues with untrusted X (e.g. Skype doesn't work), also copy & paste doesn't normally work (for that you can use "xsel -o | ssh otheruser@localhost 'DISPLAY=:1 xsel -i'" or the converse, bound to a key combination or panel widget), but it works well enough that I'm running Twinkle and xchat that way.

* let the apps go through VNC (Skype has issues with this, too, though, but then Skype doesn't run smoothly in a VM either (realtime audio issues))

Of course the kernel (and suid apps and apps with tempfile races etc.) are still offering a broader attack surface than a VM, so the above should be complemented with some good intrusion detection mechanism (to catch intrusions before they exploit root), for which I don't have a good suggestion.

Not exactly as requested, but Chrome OS works great in a VM: http://chromeos.hexxeh.net/vanilla.php

Take a look at http://onesis.org/ for some tool for building a small root filesystem. You'll want to have your kernel separate anyway.

You can then use the new "KVM tool" (http://lwn.net/Articles/447556/) to run your VMs. It's far, far lighter than QEMU and only provides a small set of virtio devices. If you're going to have all the applications run on the X server of the host, you'll basically just need virtio net. However, if you're doing this for security reasons, take note of what another poster mentions: any X client can sniff the keystrokes of any other X client. It's possible that Xnest (or the new hotness, Xephyr) could solve this problem for you, but I don't know for sure.

Have you seen this one[1]?

[1] http://www.turnkeylinux.org/bootstrap

http://qubes-os.org/Home.html might be interesting

Not sure if these are small enough for you, but they are appliance based:


this might be a good start:


I use it for all kinds of 'special purpose' boxes. It's an older kernel, 2.4.20 or so.

Considering the leaps and bounds the linux kernel has progressed since the 2.4 series kernel I would seriously avoid it for performance reasons doing something the OP mentioned like web browsing.

The Damn Small Linux project is dead; there hasn't been a release in 3 years. One of the primary developers is now working on Tiny Core Linux. Tiny Core sounds like a good fit for the OP; its extension system fits the description "a packaging system built around single-shot apps".

I've actually heard this question asked a lot in a bunch of different forms, and (to me) it basically comes down to: How do I use virtualization to provide additional security to processes?

The advantage of virtualization is that it provides a very strong statement of security (if a lesser statement of performance). On the other hand Jails/Containers (see LXC) have a strong statement of performance and a lesser statement of security.

For you, I'd recommend checking out Linux Containers, because it does provide more protection than just a process, but is faster and uses less resources than a whole VM.

Well, if the VM has security issues, you'll have to update all the VMs running, never mind that I think it's possible to get to the core OS from a VM.

This is definitely a case to look at OS level virtualization[1], running a dedicated VM just for jailing a process seems a bit overengineered. SmartOS[2] might be interesting for this.



Have you considered something like coLinux? http://www.colinux.org/

or UML on Linux

If you're already on Linux, you could just chroot everything. But that can be a little b¤%&h to maintain. Any particular reason you need this? I use throw-away VM's that I can revert to a fresh state when I'm done testing XYZ.

Also, with the cost per MB for memory, memory shouldn't really be an issue.

(Neither RAM nor disk is that cheap for laptop users)

I'd argue the other way, but things may be different for you, depending on a lot of things. :-)

I currently have 4 running virtual machines on my Macbook Pro. Three running a pretty basic Debian install for testing (yay, Chef) and one running Ubuntu with a graphical user interface. And yet, only half of my memory is wired/active, and with expanding disk volumes, the footprint on my disk is even smaller on my memory.

macbook pro users perhaps don't have the same definition of 'cheap' as many other laptop users? ;)

There's company called Invincea that provides a browser in a VM for security (www.invincea.com).

I have no connection to the company and have not used it, just saw them at the RSA conference this year. I think there are a number of companies providing similar solutions.

Puppy Linux might fit the bill if I understand what you are seeking correctly. http://puppylinux.org/

I've been looking as well. I have a hunch we have the same goal... Would love to chat. (my email is in my profile)
