From Fedora Project Wiki

Revision as of 17:05, 27 January 2012 by Rbergero (talk | contribs) (Moved to FeatureAcceptedF17 - feature was accepted at 2012-01-23 meeting.)

Virtualization Sandbox

Summary

This feature provides a new application development library (libvirt-sandbox) to facilitate the embedding of virtualiation into applications. In addition there will be a command line tool 'virt-sandbox' which can be used by adminsitrators to directly run applications inside a sandbox built with one or more of the libvirt virtualization drivers. It will allow sandboxing applications inside an LXC container, or a QEMU/KVM virtual machine. The interface and capabilities are intended to be broadly similar to the existing SELinux 'sandbox' command, simply using a different sandboxing technique.

Owner

Current status

  • Targeted release: Fedora 17
  • Last updated: (06-01-2012)
  • Percentage of completion: 85%

Detailed Description

Existing Fedora releases ship with the "sandbox" command line tool. This allows applications to be run, strictly confined/isolated by SELinux policy. It can optionally make use of some kernel filesystem namespace features to provide a custom view of the filesystem.

The libvirt daemon includes an LXC driver which exposing a native Linux container virtualization capability. This includes integration with nearly all Linxu cgroups controllers and nearly all Linux namespace features. This can be leveraged to provide a means to sandbox individual applications inside a container. To escape the sandbox, applications would have to break out of the Linux container and the SELinux policy.

The libvirt daemon also includes QEMU driver which provides KVM accelerated full machine virtualization. This recently gained the ability to support passthrough of filesystems from the host OS. With this new capability, it becomes pratical to sandbox individual applications inside a full virtual machine, without the overhead of maintaining an additional OS installation image. To escape the sandbox, applications would have to break out of the guest Linux kernel, the host virtualization hypervisor and the host sVirt SELinux policy.

Benefit to Fedora

With the introduction of a 'virt-sandbox' command to support these two technologies, Fedora users will have a broader range of options for sandboxing applications which tradeoff system utilization overhead against layers of security, as best suits their security needs.

Scope

The virtualization sandbox will involve work in two areas

- libvirt
    - Add sVirt support to the LXC driver
    - Add support for filesystem relabelling control for filesystem passthrough
- virt-sandbox
    - A completely new package

How To Test

Upstream has a doc describing basic cases to be tested

 http://libvirt.org/git/?p=libvirt-sandbox.git;a=blob;f=docs/testing.txt;hb=HEAD

This will be fleshed out into a number of 'virt-sandbox' commands that should be executed, under either LXC or KVM.

For testing an LXC based sandbox, no special hardware will be required. Testing KVM sandboxes will require x86 Intel or AMD CPUs with hardware virt.


User Experience

Users interested in confining applications inside sandboxes will have new options for sandboxing applications inside LXC containers, or KVM virtual machines. In future Fedora releases, this may be extended to other hypervisors supported by libvirt (VMWare, Xen, etc)

Dependencies

Completion of this feature requirements work on two projects

- The libvirt project. This has monthly releases upstream and is on track to support the neccessary functionality
- The virt-sandbox project. This is a new project maintained by the author of this Feature.

Contingency Plan

In the event of the virt-sandbox command not progressing to a suitable level of development, this Feature can be postponed to Fedora 18, without any existing Fedora functionality being impacted. Alternatively the declared scope of virt-sandbox can be reduced to cover fewer use cases, with broader uses cases introduced iteratively in later Fedora.

Documentation

The virt-sandbox command line tool comes with a manpage, generated from embedded POD comments

 http://libvirt.org/git/?p=libvirt-sandbox.git;a=blob;f=bin/virt-sandbox.c;hb=HEAD

Furthermore there will be a series of blog posts describing its usage & capabilities, and a presentation at FOSDEM 2012

 http://berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/

Release Notes

  • TBD

Comments and Discussion