BSDCan 2017
The Technical BSD Conference

Reyk Floeter
Day Talks #2 - 10 June - 2017-06-10
Room DMS 1140
Start time 10:00
Duration 01:00
ID 861
Event type Lecture
Track Hacking
Language used for presentation English

The OpenBSD virtual machine daemon

The design and implementation of vmd(8)

This talk introduces vmd(8) and the concepts of running virtual machines under OpenBSD. It gives a brief introduction to OpenBSD's vmm(4) hypervisor, which was written by Mike Larkin, but focusses on the userland part that is implemented in the vmd(8) and vmctl(8) tools. It will illustrate my work on the design and implementation of the daemon, and its security concepts for running VMs in a sandboxed and "pledged" environment to mitigate VM escapes.

Some time ago, when Mike Larkin showed me the kernel's dmesg of a first proof-of-concept vmm(4) implementation, I got all excited and tried to persuade him to release it for OpenBSD. We made a deal that I would take care of a virtual switch implementation and help with the userland bits of vmm(4). After he finally imported the first version of vmd(8) and vmctl(8) into OpenBSD, I quickly jumped on it and turned it into a privilege-separated, OpenBSD-style daemon with a proper configuration.

Both vmd(8) and vmm(4) are still a work in progress, but the version in 6.1 is ready for general usage. vmd(8) does not support a BIOS or any other operating system except OpenBSD yet, but it got many improvements in reliability, configuration, and basic functionality. I implemented a simple bootloader to load OpenBSD kernels from the disk image, improved networking and configuration, added the concept of virtual switches, and implemented the vmmci(4) guest services device, among many other improvements to make it ready for prime time.

So why do we need another implementation of a hypervisor? We like diversity and the process of designing and implementing it in a way that fits into OpenBSD and aligns with our ideas. If you intend to run "Firefox VMs" on a laptop, or many virtual machines on a powerful server, vmd(8) will give you the ability to run them in a secure and OpenBSD-style way.