From Fedora Project Wiki
(moved to FeatureAcceptedF16 - feature was approved at 2011-07-11 meeting.)
Latest revision as of 04:39, 31 October 2013

Virtualization Sandbox

Summary

This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualization into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by administrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.

Owner

Current status

  • Targeted release: Fedora 17
  • Last updated: (13-04-2012)
  • Percentage of completion: 100%

Detailed Description

Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.

The libvirt daemon includes an LXC driver which exposes a native Linux container virtualization capability. This includes integration with nearly all Linux cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.

The libvirt daemon also includes a QEMU driver which provides KVM-accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes practical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.

Benefit to Fedora

With the introduction of a 'virt-sandbox' command to support these two technologies, Fedora users will have a broader range of options for sandboxing applications which trade off system utilization overhead against layers of security, as best suits their security needs.

Scope

The virtualization sandbox will involve work in two areas:

- libvirt
    - Add sVirt support to the LXC driver
    - Add support for filesystem relabelling control for filesystem passthrough
- virt-sandbox
    - A completely new package

How To Test

Upstream has a doc describing basic cases to be tested:

 http://libvirt.org/git/?p=libvirt-sandbox.git;a=blob;f=docs/testing.txt;hb=HEAD

For testing an LXC based sandbox, no special hardware will be required. Testing KVM sandboxes will require x86 Intel or AMD CPUs with hardware virt.

The formal Fedora test cases are:

  1. Command exit status
  2. Interactive shell
  3. Non-interactive batch commands
  4. Custom mount points
  5. Custom networking
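The following harness is an added example, not part of the Fedora feature page or of the libvirt-sandbox project. It scripts three of the formal test cases listed above (command exit status, non-interactive batch commands, custom mount points) so they can be re-run after every package update rather than checked by hand. It assumes that 'virt-sandbox' accepts '-c URI' to select the libvirt driver and '-m host-bind:/GUEST=/HOST' to bind a host directory into the sandbox, with '--' separating the confined command from the tool's own options; those flags come from the virt-sandbox manpage, not from this page. SANDBOX_LAUNCHER can be overridden so the exit-status and batch checks can be dry-run with a pass-through launcher such as 'env' on a host that does not have libvirt-sandbox installed.

```shell
#!/bin/sh
# Added example harness for the virt-sandbox test cases (not project code).
# Assumed CLI (from the virt-sandbox manpage, not from this page):
#   virt-sandbox -c URI [-m host-bind:/GUEST=/HOST] -- COMMAND [ARGS...]
# Override SANDBOX_LAUNCHER (e.g. SANDBOX_LAUNCHER=env) to dry-run the
# exit-status and batch checks without a sandbox; the mount check needs the
# real launcher because it passes the -m option.
SANDBOX_LAUNCHER="${SANDBOX_LAUNCHER:-virt-sandbox -c lxc:///}"

# Run a shell snippet inside the sandbox and echo its exit status. The function
# itself always succeeds so callers can compare the status under 'set -e'.
sandbox_status() {
    rc=0
    # Word splitting of $SANDBOX_LAUNCHER is intended: it is a command line.
    $SANDBOX_LAUNCHER -- /bin/sh -c "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Test case 1 (command exit status): the status of the confined command must
# reach the host caller unchanged, otherwise scripts driving the sandbox
# cannot tell success from failure.
check_exit_status() {
    expected="$1"
    got=$(sandbox_status "exit $expected")
    [ "$got" = "$expected" ]
}

# Test case 3 (non-interactive batch commands): stdout of the confined
# command must be delivered to the host side for batch jobs to be usable.
sandbox_output() {
    $SANDBOX_LAUNCHER -- /bin/sh -c "$1" 2>/dev/null
}

check_batch_output() {
    out=$(sandbox_output 'printf "%s-%s" hello sandbox')
    [ "$out" = "hello-sandbox" ]
}

# Test case 4 (custom mount points): a host directory bound into the sandbox
# must appear at the requested guest path. Uses a throwaway host directory
# with a constructed marker file; requires the real virt-sandbox launcher.
check_custom_mount() {
    hostdir=$(mktemp -d)
    : > "$hostdir/marker"
    rc=0
    $SANDBOX_LAUNCHER -m "host-bind:/mnt/shared=$hostdir" \
        -- /bin/sh -c 'test -f /mnt/shared/marker' >/dev/null 2>&1 || rc=$?
    rm -rf "$hostdir"
    [ "$rc" -eq 0 ]
}

# Report one PASS/FAIL line per check; returns non-zero if any check failed.
run_all() {
    failed=0
    for check in "check_exit_status 0" "check_exit_status 7" \
                 check_batch_output check_custom_mount; do
        if $check; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"
            failed=1
        fi
    done
    return "$failed"
}

# Only run the checks when invoked as 'sh virt-sandbox-check.sh run', so the
# functions can also be sourced from other test scripts.
case "${1:-}" in
    run) run_all ;;
esac
```

Run it as `sh virt-sandbox-check.sh run` on a host with libvirt-sandbox installed; to exercise a KVM sandbox instead of LXC, set `SANDBOX_LAUNCHER="virt-sandbox -c qemu:///session"` before invoking it. The exit-status check is the one most worth keeping in a regression script: a launcher that swallows the confined command's status makes every other batch check unreliable.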

User Experience

Users interested in confining applications inside sandboxes will have new options for sandboxing applications inside LXC containers, or KVM virtual machines. In future Fedora releases, this may be extended to other hypervisors supported by libvirt (VMware, Xen, etc.).

Dependencies

Completion of this feature requires work on two projects:

- The libvirt project. This has monthly releases upstream and is on track to support the necessary functionality.
- The virt-sandbox project. This is a new project maintained by the author of this Feature.

Contingency Plan

In the event of the virt-sandbox command not progressing to a suitable level of development, this Feature can be postponed to Fedora 18, without any existing Fedora functionality being impacted. Alternatively the declared scope of virt-sandbox can be reduced to cover fewer use cases, with broader use cases introduced iteratively in later Fedora releases.

Documentation

The virt-sandbox command line tool comes with a manpage:

 # man virt-sandbox

This provides complete command line help and examples of usage.

Release Notes

  • The 'libvirt-sandbox' RPM introduces a new command 'virt-sandbox' for running command line applications / system services in a confined environment.
  • The 'virt-sandbox' command is similar in concept to the SELinux 'sandbox' command; however, it uses LXC or KVM for confinement.
  • The confined environment may have a custom view of the filesystem and custom networking configuration.

Comments and Discussion