
Ask HN: tiny VMs

50 points | willvarfar | 14 years ago

I've searched in vain, so I ask you folks:

Is there a tiny Linux distro aimed at running in a VM (i.e. not buckets of drivers in there for all the things the VM doesn't have; rather a very thin, light kernel, because it's all backed by the VM)? Perhaps even set up for an external X server running on the host? Ideally with a packaging system built around single-shot apps? So I can have a VM for a browser, and another for a mail app, and so on, each with a tiny footprint?

Host would be Windows or Linux.

34 comments

TY | 14 years ago
You might want to check out TinyCore Linux. In a 10Mb ISO you get a functional image with a GUI and thousands of apps in the repository, including Chromium and Firefox, that can run in as little as 39mb of RAM.

I run multiple TinyCore VMs in VirtualBox for safe browsing in the darker corners of the Net.

TY | 14 years ago
Sorry for the typo - blaming my fat fingers on the iPhone and I'm past the edit time window to fix it.
onenine | 14 years ago
http://wiki.rpath.com/wiki/Conary

rPath's build system and rbuilder were made for this purpose.

http://susestudio.com/

You can spin ISOs and VM images all in a web interface. (rbuilder has a Flash interface. It's more powerful from the command line, but susestudio is really fast.)

Red Hat/Fedora is supposed to have something (probably more than one) that's new and slick.

froseph | 14 years ago
Ubuntu Server edition has a JeOS option ( http://en.wikipedia.org/wiki/Ubuntu_JeOS ), which is a minimal install optimized for virtualized environments.
mwexler | 14 years ago
That is a good start, but the original poster appeared to want graphical apps to run in the VM; JeOS is console only (as one would expect for a server/appliance distro). It would be interesting if there was something between "full Ubuntu with lots of widgets" and the console-only JeOS.

Yes, one could add the gui afterwards, but something minimally configured already would be a timesaver...

al3xbio | 14 years ago
I'm not sure I've understood what you are requesting, but your description reminded me of Qubes OS http://qubes-os.org/ (based on Linux and Xen).

From the "Architecture" page:

"Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course."

(I've never used it myself though, so I can't help any further).

EmmEff | 14 years ago
I used to hand roll my own tiny VMware VMs using Busybox and uclibc. It was very tedious and time consuming, but I was able to create VMs that were less than 10MB when compressed and virtual disks of whatever desired size when uncompressed.

Gentoo Linux (if it's still around?) might be a good start since you can compile the entire world yourself and decide which features you do and do not want.

exDM69 | 14 years ago
There is a tool called buildroot that builds a kernel and a root file system with uClibc and Busybox. The result size for x86_64 using default settings is a few megabytes. You can trim this down a lot by leaving out features. Using uClibc instead of glibc may affect using virtual machines (like the JVM), though.

Gentoo is still alive and kicking. It's not that difficult to use and the documentation might be the best docs I've seen in any distribution. It's also worth mentioning that with a modern CPU, the time it takes to build software is not that long.

In fact, installing a "medium sized" application (i.e. not LibreOffice) is faster with Gentoo's emerge than installing a standard Windows app. It takes about as long to download the source, compile and install it with automation as it does to navigate a web browser to the software's home page, locate the download link and click "Next ->" 15 times in the installer manually.

unshift | 14 years ago
Your kernel is already thin and light. If you're using a modular kernel, as most distros default to, you're only loading the modules you need and can use.

As for apps and packages, I don't care for most distros' dependency systems, but the only downside is more files on disk -- and who really cares if there's an extra 25MB of stuff you never use on there, assuming you have the space.

forgotusername | 14 years ago
That's true for all practical purposes, but technically it's incorrect. For a start, statically linked modules can be packed more tightly into sections by the linker, whereas dynamically loaded modules will always have as much as 4kb of slack at the end of theirs.

There are a bunch more differences like this. If it's like userspace, in many cases the dynamically loaded symbols also involve a level of indirection in order to access them since they have no fixed address at link time, which results in a small performance hit.

Modules also include metadata which remains for as long as it is loaded, but I think this is negligible.

littledanehren | 14 years ago
Why do you want to do this, anyway? Linux already isolates processes' memory from each other. With cgroups you can ensure that resources are allocated fairly, and with chroot and namespaces you can ensure that they're securely isolated from each other. Why run a whole bunch of kernels on top of other kernels? It just adds inefficiency.
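
An added check, written for this thread rather than posted by anyone in it, for the namespace isolation littledanehren describes: compare the namespace inodes two processes expose under /proc to see which namespaces they still share (a "jailed" process that shares the host's net or mount namespace is not isolated in that dimension). It assumes a Linux /proc; the inode values in the comments are constructed.

```python
"""Report which Linux namespaces two processes share (added example, not from the thread)."""
import os
from typing import Dict, Set

# Namespace kinds exposed as symlinks under /proc/<pid>/ns on modern kernels.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")


def parse_ns_link(target: str) -> int:
    """Turn a readlink target such as 'net:[4026531992]' (constructed) into its inode number."""
    _kind, _, rest = target.partition(":")
    if not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"unexpected ns link target: {target!r}")
    return int(rest[1:-1])


def namespace_ids(pid: int) -> Dict[str, int]:
    """Return {kind: inode} for every namespace of `pid` that is readable from /proc."""
    ids: Dict[str, int] = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except (FileNotFoundError, PermissionError):
            continue  # older kernel, non-Linux host, or no access: report what we can
    return ids


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespaces whose inode is identical for both processes, i.e. NOT isolated."""
    return {kind for kind in a.keys() & b.keys() if a[kind] == b[kind]}


def isolation_report(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, str]:
    """Per-namespace verdict, 'shared' or 'separate', for the kinds both maps report."""
    shared = shared_namespaces(a, b)
    return {kind: ("shared" if kind in shared else "separate")
            for kind in sorted(a.keys() & b.keys())}


if __name__ == "__main__":
    # Compare this process against PID 1 (the host's init); a process started with
    # unshare/chroot-style isolation should show 'separate' for mnt, pid and net.
    for kind, verdict in isolation_report(namespace_ids(1), namespace_ids(os.getpid())).items():
        print(f"{kind:7s} {verdict}")
```

Run it from inside the would-be jail with a PID from the host to confirm that more than just the filesystem root differs.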
aidenn0 | 14 years ago
It may be due to the fact that any exploited process that is also an X11 client can become a keylogger...
jff | 14 years ago
Take a look at http://onesis.org/ for a tool for building a small root filesystem. You'll want to have your kernel separate anyway.

You can then use the new "KVM tool" (http://lwn.net/Articles/447556/) to run your VMs. It's far, far lighter than QEMU and only provides a small set of virtio devices. If you're going to have all the applications run on the X server of the host, you'll basically just need virtio net. However, if you're doing this for security reasons, take note of what another poster mentions: any X client can sniff the keystrokes of any other X client. It's possible that Xnest (or the new hotness, Xephyr) could solve this problem for you, but I don't know for sure.

0x12 | 14 years ago
this might be a good start:

http://www.damnsmalllinux.org/

I use it for all kinds of 'special purpose' boxes. It's an older kernel, 2.4.20 or so.

gravitronic | 14 years ago
Considering the leaps and bounds by which the Linux kernel has progressed since the 2.4 series, I would seriously avoid it for performance reasons when doing something the OP mentioned, like web browsing.
sciurus | 14 years ago
The Damn Small Linux project is dead; there hasn't been a release in 3 years. One of the primary developers is now working on Tiny Core Linux. Tiny Core sounds like a good fit for the OP; its extension system fits the description "a packaging system built around single-shot apps".
ajray | 14 years ago
I've actually heard this question asked a lot in a bunch of different forms, and (to me) it basically comes down to: How do I use virtualization to provide additional security to processes?

The advantage of virtualization is that it provides a very strong statement of security (if a lesser statement of performance). On the other hand, jails/containers (see LXC) have a strong statement of performance and a lesser statement of security.

For you, I'd recommend checking out Linux Containers, because it does provide more protection than just a process, but is faster and uses less resources than a whole VM.

mhd | 14 years ago
Well, if the VM has security issues, you'll have to update all the VMs running, never mind that I think it's possible to get to the core OS from a VM.

This is definitely a case to look at OS-level virtualization[1]; running a dedicated VM just for jailing a process seems a bit overengineered. SmartOS[2] might be interesting for this.

[1](http://en.wikipedia.org/wiki/Operating_system-level_virtuali...)

[2](http://smartos.org/)

vegardx | 14 years ago
If you're already on Linux, you could just chroot everything. But that can be a little b¤%&h to maintain. Any particular reason you need this? I use throw-away VMs that I can revert to a fresh state when I'm done testing XYZ.

Also, with the cost per MB for memory, memory shouldn't really be an issue.

willvarfar | 14 years ago
(Neither RAM nor disk is that cheap for laptop users)
pge | 14 years ago
There's a company called Invincea that provides a browser in a VM for security (www.invincea.com).

I have no connection to the company and have not used it, just saw them at the RSA conference this year. I think there are a number of companies providing similar solutions.

secos | 14 years ago
I've been looking as well. I have a hunch we have the same goal... Would love to chat. (my email is in my profile)