Difference between revisions of "Private Virtual Machines"

From CsWiki
(Additional info)
 
Line 15: Line 15:
  
 
There is a couple of pre installed VMs with some addition to integrate with the CS environment:
 
There is a couple of pre installed VMs with some addition to integrate with the CS environment:
* rundeb9: A Debian 9 VM.
+
* rundeb10: A Debian 10 VM.
 
* runubuntu1804: An ubuntu 18.04 VM.
 
* runubuntu1804: An ubuntu 18.04 VM.
  
 
== Basic Usage ==
 
== Basic Usage ==
  
To run the pre-installed debian 9 VM:
+
To run the pre-installed debian 10 VM:
  
<pre>rundeb9</pre>
+
<pre>rundeb10</pre>
  
 
The default user is csuser (a sudoer). To know the password for csuser or for
 
The default user is csuser (a sudoer). To know the password for csuser or for
 
root, run:
 
root, run:
  
<pre>rundeb9 -h</pre>
+
<pre>rundeb10 -h</pre>
  
 
The virtual machine will take half the memory and half the CPUs of the host
 
The virtual machine will take half the memory and half the CPUs of the host
 
machines. To change it, use the '''-mem''' and '''-cpu''' options. E.g.:
 
machines. To change it, use the '''-mem''' and '''-cpu''' options. E.g.:
  
<pre>rundeb9 -mem 1024 -cpu 0.25</pre>
+
<pre>rundeb10 -mem 1024 -cpu 0.25</pre>
  
 
This will use 1G memory and 1/4 of the available CPUs.
 
This will use 1G memory and 1/4 of the available CPUs.
Line 38: Line 38:
 
== Saving changes ==
 
== Saving changes ==
  
rundeb9 creates a temporary copy (snapshot) of a debian machine. All changes
+
rundeb10 creates a temporary copy (snapshot) of a debian machine. All changes
 
inside it '''will be lost'''.
 
inside it '''will be lost'''.
  
Line 45: Line 45:
 
e.g.:
 
e.g.:
  
<pre>rundeb9 -cow /cs/labs/<supervisor>/<user>/my-deb9.qcow2</pre>
+
<pre>rundeb10 -cow /cs/labs/<supervisor>/<user>/my-deb10.qcow2</pre>
  
This will create the my-deb9.qcow2 file which will save the changes.
+
This will create the my-deb10.qcow2 file which will save the changes.
  
 
After a qcow2 image is created and all relevant software is installed, it
 
After a qcow2 image is created and all relevant software is installed, it
Line 53: Line 53:
 
accidentally corrupted by an unintended installation:
 
accidentally corrupted by an unintended installation:
  
<pre>rundeb9 -cow /cs/labs/<supervisor>/<user>/my-deb9.qcow2 -snapshot</pre>
+
<pre>rundeb10 -cow /cs/labs/<supervisor>/<user>/my-deb10.qcow2 -snapshot</pre>
  
 
== Console and GUI ==
 
== Console and GUI ==
  
 
The machine will open a graphical view which is usually not necessary. To work
 
The machine will open a graphical view which is usually not necessary. To work
directly from the shell where rundeb9 was run (the serial console of the
+
directly from the shell where rundeb10 was run (the serial console of the
 
machine) use the '''-serial''' option:
 
machine) use the '''-serial''' option:
  
<pre>rundeb9 -serial</pre>
+
<pre>rundeb10 -serial</pre>
  
 
'''Note''': The ''-serial'' console will be multiplexed with the ''qemu''
 
'''Note''': The ''-serial'' console will be multiplexed with the ''qemu''
Line 74: Line 74:
 
To open the graphical window in addition to the serial console:
 
To open the graphical window in addition to the serial console:
  
<pre>rundeb9 -serial -graphics</pre>
+
<pre>rundeb10 -serial -graphics</pre>
  
  
Line 80: Line 80:
 
redirection, use the '''-xterm''' option:
 
redirection, use the '''-xterm''' option:
  
<pre>rundeb9 -xterm</pre>
+
<pre>rundeb10-xterm</pre>
  
 
This implies the ''-serial'' option. The ''-xterm'' option is good when a GUI
 
This implies the ''-serial'' option. The ''-xterm'' option is good when a GUI
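Review bot: The added line "<pre>rundeb10-xterm</pre>" in this hunk loses the space between the command and its option. The line it replaces reads "rundeb9 -xterm", so as written the shell looks for a command named "rundeb10-xterm". Suggest "<pre>rundeb10 -xterm</pre>".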
Line 93: Line 93:
 
'''-bind''' option:
 
'''-bind''' option:
  
<pre>rundeb9 -bind /cs/labs/<supervisor>/<user></pre>
+
<pre>rundeb10 -bind /cs/labs/<supervisor>/<user></pre>
  
 
Due to permission issues, it's best to also add the CS user inside the VM when
 
Due to permission issues, it's best to also add the CS user inside the VM when
 
accessing local filesystems. This can be done with the '''-user'''
 
accessing local filesystems. This can be done with the '''-user'''
option:<pre>rundeb9 -user</pre>
+
option:<pre>rundeb10 -user</pre>
  
 
The ''-user'' option implies "-bind ~" which will bind the home directory
 
The ''-user'' option implies "-bind ~" which will bind the home directory
Line 106: Line 106:
 
or ''-serial'':
 
or ''-serial'':
  
<pre>rundeb9 -user -xterm -bind /cs/labs/<supervisor>/<user></pre>
+
<pre>rundeb10 -user -xterm -bind /cs/labs/<supervisor>/<user></pre>
  
 
'''Note''': Adding the user to the virtual machine changes some of the users
 
'''Note''': Adding the user to the virtual machine changes some of the users
Line 120: Line 120:
 
To run a script within the VM, use '''-batch''':
 
To run a script within the VM, use '''-batch''':
  
<pre>rundeb9 -batch myscript.sh</pre>
+
<pre>rundeb10 -batch myscript.sh</pre>
  
 
The script will be copied and run on the serial console (implies the
 
The script will be copied and run on the serial console (implies the
Line 127: Line 127:
 
To run a single line, use '''-run''':
 
To run a single line, use '''-run''':
  
<pre>rundeb9 -user -run 'echo "********************"; echo hello; echo "********************"; sleep 30'</pre>
+
<pre>rundeb10 -user -run 'echo "********************"; echo hello; echo "********************"; sleep 30'</pre>
  
 
The line will be wrapped by /bin/bash script and will run as with the ''-batch''
 
The line will be wrapped by /bin/bash script and will run as with the ''-batch''
Line 136: Line 136:
 
instead, use the '''-root''' option e.g.:
 
instead, use the '''-root''' option e.g.:
  
<pre>rundeb9 -root -run 'echo "********************"; id; echo "********************"; sleep 30'</pre>
+
<pre>rundeb10 -root -run 'echo "********************"; id; echo "********************"; sleep 30'</pre>
  
 
When using ''-xterm'', ''-serial'', ''-batch'' or ''-run'', the VM will
 
When using ''-xterm'', ''-serial'', ''-batch'' or ''-run'', the VM will
 
shutdown after exiting. To keep it alive use the '''-no-shutdown''' option:
 
shutdown after exiting. To keep it alive use the '''-no-shutdown''' option:
  
<pre>rundeb9 -xterm -no-shutdown</pre>
+
<pre>rundeb10-xterm -no-shutdown</pre>
  
 
= Creating new virtual machine =
 
= Creating new virtual machine =
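Review bot: The last added example in this hunk, "<pre>rundeb10-xterm -no-shutdown</pre>", has the command and the -xterm option run together. The removed line was "rundeb9 -xterm -no-shutdown", so the replacement should read "rundeb10 -xterm -no-shutdown".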
Line 157: Line 157:
 
<pre>qemu-system-x86_64 -m 16G -smp 4 /cs/labs/<supervisor>/<user>/my-image.qcow2</pre>
 
<pre>qemu-system-x86_64 -m 16G -smp 4 /cs/labs/<supervisor>/<user>/my-image.qcow2</pre>
  
In some cases, the ''rundeb9'' utility can be used to run the image:
+
In some cases, the ''rundeb10'' utility can be used to run the image:
<pre>rundeb9 -cow /cs/labs/<supervisor>/<user>/my-image.qcow2</pre>
+
<pre>rundeb10-cow /cs/labs/<supervisor>/<user>/my-image.qcow2</pre>
'''Note''': Not all ''rundeb9'' options will be available, but generic run
+
'''Note''': Not all ''rundeb10'' options will be available, but generic run
 
options like ''-snapshot'', ''-cpu'', or ''-mem'' will work. ''-serial'' might
 
options like ''-snapshot'', ''-cpu'', or ''-mem'' will work. ''-serial'' might
 
work, but might need additional configuration from within the VM.
 
work, but might need additional configuration from within the VM.
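Review bot: The added line "<pre>rundeb10-cow /cs/labs/<supervisor>/<user>/my-image.qcow2</pre>" is missing the space before -cow, unlike the "rundeb9 -cow ..." line it replaces. A reader who copies it gets a command-not-found error instead of the image starting. Suggest "rundeb10 -cow /cs/labs/<supervisor>/<user>/my-image.qcow2".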
Line 175: Line 175:
  
 
* man qemu-system
 
* man qemu-system
* rundeb9 -h
+
* rundeb10 -h
 
* [https://www.qemu.org/documentation/ Qemu user manual]
 
* [https://www.qemu.org/documentation/ Qemu user manual]
 
* [[Containers]]
 
* [[Containers]]

Latest revision as of 18:43, 1 December 2020

Virtual machines let users have a completely isolated environment with more control inside. Virtual machines emulate a complete computer, which gives more control to the user, but they have a large resource overhead (CPU, memory and disk space) and limited access to shared resources within the CS system.

On the CS Linux machines, users can use the qemu hypervisor for private virtual machines with a user network stack. Users can use these VMs to test programs "natively" before trying to install them properly on the CS system.

Important: These virtual machines require lots of resources (CPU, memory, disk space), and should not be used for heavy runs or for production systems.

Pre-installed virtual machines

There are a couple of pre-installed VMs with some additions to integrate with the CS environment:

  • rundeb10: A Debian 10 VM.
  • runubuntu1804: An Ubuntu 18.04 VM.

Basic Usage

To run the pre-installed Debian 10 VM:

rundeb10

The default user is csuser (a sudoer). To find out the password for csuser or for root, run:

rundeb10 -h

The virtual machine will take half the memory and half the CPUs of the host machine. To change this, use the -mem and -cpu options. E.g.:

rundeb10 -mem 1024 -cpu 0.25

This will use 1G of memory and 1/4 of the available CPUs.

Saving changes

rundeb10 creates a temporary copy (snapshot) of a Debian machine. All changes inside it will be lost.

To save changes for the virtual machine, a location with enough storage needs to be used. This location can be specified with the -cow option, e.g.:

rundeb10 -cow /cs/labs/<supervisor>/<user>/my-deb10.qcow2

This will create the my-deb10.qcow2 file which will save the changes.

After a qcow2 image is created and all relevant software is installed, it might be a good idea to add the -snapshot option so that the image won't be accidentally corrupted by an unintended installation:

rundeb10 -cow /cs/labs/<supervisor>/<user>/my-deb10.qcow2 -snapshot

Console and GUI

The machine will open a graphical view which is usually not necessary. To work directly from the shell where rundeb10 was run (the serial console of the machine) use the -serial option:

rundeb10 -serial

Note: The -serial console will be multiplexed with the qemu monitor. This means two things:

  1. To get the qemu monitor, press <ctrl> + a. In the qemu monitor, the command quit will quit the VM.
  2. To use <ctrl> + a in the VM console (e.g. to get to the start of the line), <ctrl> + a needs to be pressed twice.

Note: With -serial, to close the VM forcibly, run the "quit" command in the qemu monitor (accessible with <ctrl> + a).

Note: The default serial console size doesn't always match the window size. As such, it is sometimes best to run resize inside the console to set up the terminal properly.

To open the graphical window in addition to the serial console:

rundeb10 -serial -graphics


To open an xterm in the current window manager with DISPLAY redirection, use the -xterm option:

rundeb10 -xterm

This implies the -serial option. The -xterm option is good when a GUI program is required but when the entire graphical interface is not needed. It also simplifies the copy and paste between the host and the virtual machine.

Note: The -xterm option has some limitations and will not always work.

Filesystem access and permissions

To access local file systems from within the virtual machine, use the -bind option:

rundeb10 -bind /cs/labs/<supervisor>/<user>

Due to permission issues, it's best to also add the CS user inside the VM when accessing local filesystems. This can be done with the -user option:

rundeb10 -user

The -user option implies "-bind ~" which will bind the home directory inside the VM.

The graphical interface will still be for csuser, but xterm or serial will run under your own user. So it's best to use the -user option with -xterm or -serial:

rundeb10 -user -xterm -bind /cs/labs/<supervisor>/<user>

Note: Adding the user to the virtual machine changes some of the user databases inside the VM. As such, if you need to install things using root, it's best to start the machine without the -user option for the installation process, and restart the machine later with -user.

Note: While the user and groups will be available inside the VM, password authentication will not work.

Automation

To run a script within the VM, use -batch:

rundeb10 -batch myscript.sh

The script will be copied and run on the serial console (implies the -serial option).

To run a single line, use -run:

rundeb10 -user -run 'echo "********************"; echo hello; echo "********************"; sleep 30'

The line will be wrapped in a /bin/bash script and will run as with the -batch option (so -serial is also implied).

The -serial, -xterm, -run and -batch options run as csuser by default. To run as your own user, add the -user option. To run as root instead, use the -root option, e.g.:

rundeb10 -root -run 'echo "********************"; id; echo "********************"; sleep 30'

When using -xterm, -serial, -batch or -run, the VM will shut down after exiting. To keep it alive, use the -no-shutdown option:

rundeb10 -xterm -no-shutdown

Creating new virtual machine

qemu can be used directly to create your own virtual machine. First, a disk image needs to be created. E.g. for a 50G hard disk:

qemu-img create -f qcow2 /cs/labs/<supervisor>/<user>/my-image.qcow2 50G

Then an installation CD image needs to be obtained. For most Linux distributions, a netinstall image is usually the best option. To start a machine with 4 CPUs and 16G RAM for installation:

qemu-system-x86_64 -m 16G -smp 4 /cs/labs/<supervisor>/<user>/my-image.qcow2 -cdrom <netinstall.iso>

Afterwards, qemu needs to be run without the -cdrom option:

qemu-system-x86_64 -m 16G -smp 4 /cs/labs/<supervisor>/<user>/my-image.qcow2

In some cases, the rundeb10 utility can be used to run the image:

rundeb10 -cow /cs/labs/<supervisor>/<user>/my-image.qcow2

Note: Not all rundeb10 options will be available, but generic run options like -snapshot, -cpu, or -mem will work. -serial might work, but might need additional configuration from within the VM.

Limitations

  • The qemu VM runs in user space. As such, it cannot access any resources that the user cannot access.
  • The VM is run behind a user space NAT'ed network stack:
    • Any connection into the machine will be blocked by default. While this can be somewhat mitigated, it's a security risk.
    • The network has some overhead and should not be used for intensive networking jobs.
    • Two VMs cannot see each other without some complicated ssh tunneling.
  • The current setup requires hardware support (KVM). Old machines do not have these capabilities, and some machines have it disabled in the BIOS. If it doesn't work on a specific machine, please contact system@cs.huji.ac.il to see how to solve it.
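
The "somewhat mitigated" case in the network limitation above, as an added example that is not part of the original wiki page: it starts the self-installed image with a single qemu user-network port forward that listens on the host's loopback address only. The function names, the ports and the DRY_RUN switch are assumptions, and the -nic option needs QEMU 2.12 or newer.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Function names are hypothetical.

# hostfwd_rule HOST_ADDR HOST_PORT GUEST_PORT
# Prints a hostfwd rule for qemu's user-mode network. An empty HOST_ADDR
# would make qemu listen on every host interface, so only loopback passes.
hostfwd_rule() {
    fw_addr=$1 fw_hport=$2 fw_gport=$3
    if [ "$fw_addr" != 127.0.0.1 ]; then
        echo "refusing non-loopback bind address: '$fw_addr'" >&2
        return 1
    fi
    for fw_p in "$fw_hport" "$fw_gport"; do
        case $fw_p in
            # empty, non-numeric, or six and more digits
            ''|*[!0-9]*|??????*)
                echo "not a port number: '$fw_p'" >&2; return 1 ;;
        esac
        if [ "$fw_p" -lt 1 ] || [ "$fw_p" -gt 65535 ]; then
            echo "port out of range: $fw_p" >&2
            return 1
        fi
    done
    # By default, unprivileged users cannot bind host ports below 1024.
    if [ "$fw_hport" -lt 1024 ]; then
        echo "host port must be >= 1024: $fw_hport" >&2
        return 1
    fi
    printf 'hostfwd=tcp:%s:%s-:%s\n' "$fw_addr" "$fw_hport" "$fw_gport"
}

# run_vm IMAGE HOST_PORT GUEST_PORT
# Starts the image as in "Creating new virtual machine" (16G RAM, 4 CPUs)
# with one forward, e.g. host 127.0.0.1:2222 -> guest port 22.
# Set DRY_RUN=1 to print the command instead of running it.
run_vm() {
    vm_rule=$(hostfwd_rule 127.0.0.1 "$2" "$3") || return 1
    ${DRY_RUN:+echo} qemu-system-x86_64 -m 16G -smp 4 \
        -nic "user,$vm_rule" "$1"
}
```

A loopback-bound forward is still reachable by every other user logged in to the same host, so the guest service behind it should require authentication.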

Additional info