Puppies love lguest!

Lguest: Frequently Asked Questions

Q: Lguest stops after "Starting periodic command scheduler: crond."
A: You need to edit your image to tell it to run a getty on /dev/hvc0 (the lguest console). This is usually in /etc/inittab or /etc/event.d/.
Q: hwclock segmentation faults!
A: This is normal: hwclock tries to program the hardware clock which it can't reach, and fails.
Q: What kernel is lguest in?
A: It is 2.6.23 and above.
Q: Why don't I have a console when I boot my image?
A: Most images are set up to run gettys on the virtual consoles (/dev/tty0 etc.), but the lguest console is /dev/hvc0: look for a line like "1:2345:respawn:/sbin/getty 38400 tty1" in /etc/inittab and change "tty1" to "hvc0".
Q: Is the guest isolated from the host?
A: Lguest aims to isolate the guest so it cannot reach outside to the host (except for virtual devices supplied by the host of course), even if the guest is malicious. However, a malicious guest kernel can currently pin host memory (up to the amount of memory allowed to the guest).
Q: Is lguest secure?
A: I hope so and it's fairly simple, but there can be no guarantees. If isolation fails in some way (i.e. there are bugs) it's possible that the guest could crash the host kernel, or even cause an overflow. A bug in device emulation might allow the guest to control the launcher, which runs as root. A little more security could be gained by having the launcher drop root privileges after opening /dev/lguest and the tun/tap device.
Q: What's the difference between lguest and KVM?
A: KVM requires hardware virtualization support (most recent Intel and AMD chips have it), but it can run almost any operating system since it does full virtualization. It also has 64-bit support. Lguest doesn't do full virtualization: it only runs a Linux kernel with lguest support.
Q: What's the difference between lguest and Xen?
A: Xen is similar, in that it doesn't need hardware virtualization support (although it can use it), but Xen supports an extensive range of features such as PAE (i.e. lots of memory), SMP guests, and 64-bit. You have to boot your kernel under the Xen hypervisor; you can't simply modprobe when you want to create a guest.
Q: What's the difference between lguest and User Mode Linux?
A: User Mode Linux is a port of Linux to userspace: guests are specially-compiled "UML" kernels. They run on just about any host, and do not require VT support. Lguest uses the same kernel image (compiled with CONFIG_LGUEST) as host and guest.
Q: Why would I want to use lguest?
A: Maybe you don't! Lguest is designed to be simple to use and modify, with the aim of keeping the codebase small. Currently it's around 5000 lines including the userspace utility, whereas KVM is over 10 times that size, and Xen is around 10 times bigger again (of course, both have far more features).
Q: Would lguest be good for running CPU-intensive virtualized jobs in a cluster?
A: Once suspend and resume are implemented, it could be a decent fit. You could then migrate jobs around to balance load. Unfortunately, migration can be hard for reasons not specific to lguest (TCP connections, filesystems), so it might not be trivial depending on what you're doing.
Rusty Russell: rusty@rustcorp.com.au.