From Fedora Project Wiki
m (→‎Detailed Description: minor typo edit)
 
(5 intermediate revisions by 4 users not shown)
Line 2: Line 2:


== Summary ==
== Summary ==
This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualiation into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by adminsitrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.
This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualization into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by administrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.


== Owner ==
== Owner ==
Line 11: Line 11:
== Current status ==
== Current status ==
* Targeted release: [[Releases/17 | Fedora 17 ]]  
* Targeted release: [[Releases/17 | Fedora 17 ]]  
* Last updated: (04-05-2012)
* Last updated: (13-04-2012)
* Percentage of completion: 95%
* Percentage of completion: 100%


== Detailed Description ==
== Detailed Description ==
Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.
Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.


The libvirt daemon includes an LXC driver which exposing a native Linux container virtualization capability. This includes integration with nearly all Linxu cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.
The libvirt daemon includes an LXC driver which exposes a native Linux container virtualization capability. This includes integration with nearly all Linux cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.


The libvirt daemon also includes QEMU driver which provides KVM accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes pratical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.
The libvirt daemon also includes QEMU driver which provides KVM accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes pratical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.
Line 76: Line 76:
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
* TBD
* The 'libvirt-sandbox' RPM introduces a new command 'virt-sandbox' for running command line applications / system services in a confined environment.
* The 'virt-sandbox' command is similar in concept to the SELinux 'sandbox' command, however, it uses LXC or KVM for confinement
* The confined environment may have a custom view of the filesystem and custom networking configuration.


== Comments and Discussion ==
== Comments and Discussion ==

Latest revision as of 04:39, 31 October 2013

Virtualization Sandbox

Summary

This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualization into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by administrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.

Owner

Current status

  • Targeted release: Fedora 17
  • Last updated: (13-04-2012)
  • Percentage of completion: 100%

Detailed Description

Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.

The libvirt daemon includes an LXC driver which exposes a native Linux container virtualization capability. This includes integration with nearly all Linux cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.

The libvirt daemon also includes QEMU driver which provides KVM accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes pratical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.

Benefit to Fedora

With the introduction of a 'virt-sandbox' command to support these two technologies, Fedora users will have a broader range of options for sandboxing applications which tradeoff system utilization overhead against layers of security, as best suits their security needs.

Scope

The virtualization sandbox will involve work in two areas

- libvirt
    - Add sVirt support to the LXC driver
    - Add support for filesystem relabelling control for filesystem passthrough
- virt-sandbox
    - A completely new package

How To Test

Upstream has a doc describing basic cases to be tested

 http://libvirt.org/git/?p=libvirt-sandbox.git;a=blob;f=docs/testing.txt;hb=HEAD

For testing an LXC based sandbox, no special hardware will be required. Testing KVM sandboxes will require x86 Intel or AMD CPUs with hardware virt.

The formal Fedora test cases are

  1. Command exit status
  2. Interactive shell
  3. Non-interactive batch commands
  4. Custom mount points
  5. Custom networking

User Experience

Users interested in confining applications inside sandboxes will have new options for sandboxing applications inside LXC containers, or KVM virtual machines. In future Fedora releases, this may be extended to other hypervisors supported by libvirt (VMWare, Xen, etc)

Dependencies

Completion of this feature requirements work on two projects

- The libvirt project. This has monthly releases upstream and is on track to support the neccessary functionality
- The virt-sandbox project. This is a new project maintained by the author of this Feature.

Contingency Plan

In the event of the virt-sandbox command not progressing to a suitable level of development, this Feature can be postponed to Fedora 18, without any existing Fedora functionality being impacted. Alternatively the declared scope of virt-sandbox can be reduced to cover fewer use cases, with broader uses cases introduced iteratively in later Fedora.

Documentation

The virt-sandbox command line tool comes with a manpage:

 # man virt-sandbox

This provides complete command line help and examples of usage

Release Notes

  • The 'libvirt-sandbox' RPM introduces a new command 'virt-sandbox' for running command line applications / system services in a confined environment.
  • The 'virt-sandbox' command is similar in concept to the SELinux 'sandbox' command, however, it uses LXC or KVM for confinement
  • The confined environment may have a custom view of the filesystem and custom networking configuration.

Comments and Discussion