Libvirt Sandbox: Frequently Asked Questions

General questions

What license is the code distributed under?
In common with other libvirt projects, Libvirt Sandbox is made available under the terms of the LGPL version 2 or later.
What is the release naming scheme?
Each Libvirt Sandbox release is named after a desert somewhere in the world. Sandbox -> Sand -> Desert. Get it :-) There are enough deserts in the world to keep us going for a while. After that, we’ll start naming releases after Cactus species.

What operating systems does libvirt sandbox run on?
At this stage of development, libvirt sandbox is only targeting Linux distributions. The current virt-sandbox-service code only works with RPM-based distros, but should be easy to port to other package managers.
What virtualization technology does libvirt sandbox support?
The libvirt sandbox code understands how to create sandboxes for LXC, QEMU or KVM. Extending it to support other hypervisors is mostly a matter of figuring out the initial boot sequence and how to do filesystem passthrough.
Does libvirt sandbox require systemd?
The virt-sandbox-service command is designed to facilitate the creation of sandboxes for systemd services. It is, however, still possible to use a number of its capabilities in non-systemd environments. The virt-sandbox command has no dependency on systemd at all. The libvirt-sandbox API includes classes for setting up systemd services in sandboxes; however, it is not mandatory to use those APIs. Other APIs are available to set up services without using systemd, or to set up interactive sandboxes.
What does Libvirt Sandbox use SELinux for?
The Libvirt Sandbox code doesn’t directly use SELinux itself. When creating LXC, QEMU or KVM guests, though, it will instruct libvirt to enable its sVirt functionality, using SELinux as its driver. This will add a second line of defense around the sandbox, beyond that provided by the virtualization technology itself.
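
A check a defender can run to confirm that the sVirt confinement described above is actually in effect for libvirt guests, added here as an example and not part of the Libvirt Sandbox code. It parses live domain XML (the kind `virsh dumpxml` prints) and flags guests with no SELinux seclabel, with confinement turned off, or sharing MCS categories with another guest; the sample XML, domain names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples of live domain XML (as from `virsh dumpxml`), trimmed to the parts used.
SAMPLES = {
    "web": """<domain type='lxc'><name>web</name>
      <seclabel type='dynamic' model='selinux' relabel='yes'>
        <label>system_u:system_r:svirt_lxc_net_t:s0:c120,c733</label>
      </seclabel></domain>""",
    "db": """<domain type='kvm'><name>db</name>
      <seclabel type='dynamic' model='selinux' relabel='yes'>
        <label>system_u:system_r:svirt_t:s0:c120,c733</label>
      </seclabel></domain>""",
    "tmp": """<domain type='lxc'><name>tmp</name>
      <seclabel type='none' model='selinux'/></domain>""",
    "old": "<domain type='qemu'><name>old</name></domain>",
}

def selinux_label(domain_xml):
    """Return (finding, mcs); finding is None when the guest has an SELinux sVirt label."""
    root = ET.fromstring(domain_xml)
    # Only top-level <seclabel> describes the guest process; per-device ones are nested deeper.
    labels = [s for s in root.findall("seclabel") if s.get("model") == "selinux"]
    if not labels:
        return "no selinux seclabel", None
    sec = labels[0]
    if sec.get("type") == "none":
        return "confinement disabled (type='none')", None
    label = (sec.findtext("label") or "").strip()
    fields = label.split(":", 4)  # user:role:type:sensitivity[:categories]
    if len(fields) < 5 or not fields[4]:
        return "label has no MCS categories: %r" % label, None
    return None, frozenset(fields[4].split(","))

def audit(domains):
    """Map domain name -> list of findings, including MCS category reuse across guests."""
    findings, seen = {}, {}
    for name in sorted(domains):
        problem, mcs = selinux_label(domains[name])
        findings[name] = [problem] if problem else []
        if mcs is not None:
            if mcs in seen:
                findings[name].append("MCS categories shared with %s" % seen[mcs])
            seen.setdefault(mcs, name)
    return findings

if __name__ == "__main__":
    for name, problems in audit(SAMPLES).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

With dynamic labelling libvirt assigns each guest its own MCS category pair, so a shared pair normally points to static labels that were copied between guests.
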
Does Libvirt Sandbox support AppArmor?
While the Libvirt Sandbox APIs and tools are designed to be agnostic about the sVirt driver used, at this time they have only been written to use SELinux. Some porting work will be required to enable use of AppArmor as an alternative.
Does Libvirt Sandbox use Linux namespaces?
Namespaces are a Linux kernel feature that allows isolation of key system resources. They are an enabling technology used by the Libvirt LXC driver to construct containers. Thus the Libvirt Sandbox project does not directly use namespaces itself; rather, they are used on its behalf by libvirt LXC.

Does Libvirt Sandbox use Control Groups?
Control groups are a Linux kernel feature that allows for management of resources for process groups. They are an enabling technology used by the Libvirt LXC driver to construct containers. Thus the Libvirt Sandbox project does not directly use control groups itself; rather, they are used on its behalf by libvirt LXC.

Can Libvirt Sandbox be used to run a full OS in a container?
The Libvirt Sandbox tools address the use case of running and confining individual commands, services and applications. The running of complete operating systems is a use case delegated to the existing tools that are available in this area. In particular, the combination of the following commands can run Fedora 19 in an LXC guest:

# yum -y --releasever=19 --nogpg --installroot=/var/lib/libvirt/filesystems/mycontainer \
          --disablerepo='*' --enablerepo=fedora install \
          systemd passwd yum fedora-release vim-minimal openssh-server procps-ng
# echo "pts/0" >> /var/lib/libvirt/filesystems/mycontainer/etc/securetty
# chroot /var/lib/libvirt/filesystems/mycontainer /bin/passwd root
# virt-install --connect lxc:/// --name mycontainer --ram 800 \
              --filesystem /var/lib/libvirt/filesystems/mycontainer,/

It is expected that future enhancements to the virt-install tool will simplify this use case further to just a single command.