In Fedora 11, the VM viewer application that's tied to the
distribution's virt-manager tool now supports guest consoles at display
resolutions of up to 1,024 by 768, compared to 800 by 600 in previous
versions. Also, the VM creation tool now configures guests with a
virtual USB tablet as an input device, which results in improved--but
not perfect--tracking between your host machine's pointer and the
cursor of the virtual machine you're controlling. This isn't much of a
problem with the virtualization tools from VMware or VirtualBox, and
it's an area in which Fedora's virtualization setup shows its

Fedora's virtualization implementation relies on the VNC remote
desktop protocol for accessing the consoles of guest machines. While
popular and supported by many clients, VNC has lacked secure
authentication support, which the Fedora team has added in Version 11
by extending VNC with SASL (Simple Authentication and Security Layer).
When deployed alongside a Kerberos server, such as Red Hat's FreeIPA
server, this SASL functionality can allow for encrypted, authenticated,
single-sign-on-enabled remote access to VMs.
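As an added example (not from the article, libvirt or Fedora), the shell functions below check a host for the console-authentication setup just described: libvirt's `/etc/libvirt/qemu.conf` must set `vnc_sasl = 1`, and the SASL mechanism file libvirt reads, `/etc/sasl2/qemu.conf`, should list only `gssapi` so every console login has to go through Kerberos. Those paths and option names follow libvirt's defaults but are assumptions here, and the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article, libvirt or Fedora: check that VNC
# consoles are gated by SASL/GSSAPI (Kerberos). File paths and option names
# follow libvirt's defaults but are assumptions here; the sample configs are
# constructed for the demo.

# Return 0 when qemu.conf has an uncommented "vnc_sasl = 1".
vnc_sasl_enabled() {
    grep -Eq '^[[:space:]]*vnc_sasl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 when the SASL config's mech_list names gssapi and nothing else,
# so a client cannot negotiate a weaker mechanism such as digest-md5.
sasl_gssapi_only() {
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tr 'A-Z' 'a-z')
    [ "$mechs" = "gssapi" ]
}

# Combined verdict for a host: prints one status line, returns 0 only if both hold.
check_vnc_auth() {
    qemu_conf=$1
    sasl_conf=$2
    if ! vnc_sasl_enabled "$qemu_conf"; then
        echo "WEAK: vnc_sasl not enabled in $qemu_conf; consoles fall back to VNC's built-in auth (or none)"
        return 1
    fi
    if ! sasl_gssapi_only "$sasl_conf"; then
        echo "WEAK: $sasl_conf permits SASL mechanisms other than gssapi"
        return 1
    fi
    echo "OK: VNC consoles require SASL/GSSAPI authentication"
}

# Constructed sample configs: one host left at the defaults, one hardened.
tmp=$(mktemp -d)
printf '# vnc_sasl = 1\nvnc_listen = "0.0.0.0"\n' > "$tmp/qemu-weak.conf"
printf 'mech_list: digest-md5 gssapi\n' > "$tmp/sasl-weak.conf"
printf 'vnc_listen = "0.0.0.0"\nvnc_sasl = 1\n' > "$tmp/qemu-good.conf"
printf 'mech_list: gssapi\nkeytab: /etc/qemu/krb5.tab\n' > "$tmp/sasl-good.conf"

check_vnc_auth "$tmp/qemu-weak.conf" "$tmp/sasl-weak.conf" || true
check_vnc_auth "$tmp/qemu-good.conf" "$tmp/sasl-good.conf" || true
```

Run it as-is to see both verdicts; on a real host, point `check_vnc_auth` at the live `/etc/libvirt/qemu.conf` and `/etc/sasl2/qemu.conf` instead of the constructed files. The mechanism check matters because SASL happily negotiates whichever mechanism both sides accept, so a `mech_list` that also offers `digest-md5` leaves a password-based path open next to the Kerberos one.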

Fedora 11 taps its SELinux security framework to enforce isolation
of running VMs, using the framework's MCS (Multi Category System)
policy. This support builds on the MCS-based isolation between guest
and host that debuted in Fedora 10.

During tests, I created a pair of VMs on my Fedora 11 test box, and
could see in my process monitor that the security context information
for each running VM process included unique category attributes, as did
the virtual disk image files that corresponded to each VM.
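The check described in that paragraph can be made repeatable. Here is an added example (not from the article, and not a Fedora or libvirt tool) that reads one line per VM in the form "name process-context disk-image-context", the contexts being in the shape `ps -eZ` and `ls -Z` print, and verifies two things: that each VM's process and disk image carry the same MCS category set, and that no two VMs share a category set. The inventory lines, the category numbers and the `svirt_t`/`svirt_image_t` type names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article or Fedora: verify sVirt MCS isolation
# from a list of "vm_name process_context disk_context" lines. The contexts
# below are constructed in the shape that `ps -eZ` and `ls -Z` print.

# Print the MCS category set of a context (the field after the sensitivity),
# e.g. "c123,c456"; prints nothing when the context carries no categories.
mcs_cats() {
    printf '%s\n' "$1" | awk -F: '{ if (NF >= 5) print $5 }'
}

# Return 0 when a process context and a disk-image context carry the same,
# non-empty category set (the guest may touch only its own image).
same_cats() {
    p=$(mcs_cats "$1")
    d=$(mcs_cats "$2")
    [ -n "$p" ] && [ "$p" = "$d" ]
}

# Audit a whole inventory file; report each problem and return 0 only when
# every VM is confined to a unique category set matching its disk image.
audit_vms() {
    problems=0
    seen=""
    while read -r name pctx dctx; do
        [ -z "$name" ] && continue
        cats=$(mcs_cats "$pctx")
        if [ -z "$cats" ]; then
            echo "UNCONFINED: $name runs without MCS categories"
            problems=$((problems + 1))
            continue
        fi
        if ! same_cats "$pctx" "$dctx"; then
            echo "MISMATCH: $name process is [$cats] but its disk is [$(mcs_cats "$dctx")]"
            problems=$((problems + 1))
        fi
        case " $seen " in
            *" $cats "*) echo "SHARED: $name reuses category set [$cats] of another VM"
                         problems=$((problems + 1)) ;;
        esac
        seen="$seen $cats"
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Constructed inventories: one clean, one with a mismatched, a shared and an
# unconfined VM.
tmp=$(mktemp -d)
cat > "$tmp/good.txt" <<'EOF'
vm1 system_u:system_r:svirt_t:s0:c123,c456 system_u:object_r:svirt_image_t:s0:c123,c456
vm2 system_u:system_r:svirt_t:s0:c789,c901 system_u:object_r:svirt_image_t:s0:c789,c901
EOF
cat > "$tmp/bad.txt" <<'EOF'
vm1 system_u:system_r:svirt_t:s0:c123,c456 system_u:object_r:svirt_image_t:s0:c123,c456
vm2 system_u:system_r:svirt_t:s0:c789,c901 system_u:object_r:svirt_image_t:s0:c555,c666
vm3 system_u:system_r:svirt_t:s0:c123,c456 system_u:object_r:svirt_image_t:s0:c123,c456
vm4 system_u:system_r:unconfined_t:s0 system_u:object_r:virt_image_t:s0
EOF

audit_vms "$tmp/good.txt" && echo "good inventory: every VM isolated"
audit_vms "$tmp/bad.txt" || echo "bad inventory: problems found"
```

The interesting finding is the SHARED case: two guests that pass the per-VM match check but carry the same category pair are, as far as MCS is concerned, one security domain, so one compromised guest could reach the other's image. A plain "does the process have categories" check would miss that.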

Fedora's SELinux support, which matures and spreads further through
the distribution with each new release, is an important differentiator
for Fedora and for Red Hat. With that said, SELinux can be a bit of a
pain to work with. For instance, I was having trouble creating new VMs
in certain circumstances, and the error messages that virt-manager
presented didn't specify the problem.

After consulting some log files, I saw that SELinux labeling issues
were to blame. In one case, I was trying to install from an iso image
stored on an NTFS file system, on which SELinux couldn't apply its
labels. Fedora includes an SELinux troubleshooter tool that can prompt
you about these sorts of errors, but during my tests, the
troubleshooter didn't appear until I opened it from Fedora's
Applications menu. This behavior may be related to the fact that the
service on which the troubleshooter relies has been switched to an
"on-demand" service in Fedora 11 to speed boot time.

For the rest of my tests, I re-enabled the troubleshooting service
and set SELinux to permissive mode, in which it would prompt me about
errors but not block any operations.
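The log-file step above is the one worth automating, whether SELinux is enforcing or permissive. As an added example (not the article's, and not part of Fedora's troubleshooter), the functions below pull AVC denials out of audit.log-style lines, report the process, permission, target type and object class for each, and count denials per target type, which points straight at the object SELinux could not label. The log lines are constructed; `fusefs_t` stands in for the label a FUSE-mounted NTFS volume would carry and is an assumption, as is `unlabeled_t` for an image file that never received a label.

```shell
#!/bin/sh
# Added example, not from the article or Fedora: summarize SELinux AVC denials
# from audit-log lines. The log lines below are constructed; the target types
# fusefs_t and unlabeled_t are assumptions about how unlabeled media show up.

# Print one line per denial: comm pid permissions target_type tclass
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perms = $0
        sub(/.*[{] */, "", perms)    # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)    # drop " }" and the rest of the record
        comm = ""; pid = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)      pid = substr($i, 5)
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        print comm, pid, perms, ttype, tclass
    }' "$1"
}

# Count denials per target SELinux type, most frequent first; the top entry is
# usually the mislabeled object (here: the ISO on a filesystem SELinux cannot label).
denials_by_type() {
    summarize_avc "$1" | awk '{ n[$4]++ } END { for (t in n) print n[t], t }' | sort -rn
}

# Only the denials raised by one process name, e.g. qemu-kvm for a guest.
denials_for() {
    summarize_avc "$1" | awk -v c="$2" '$1 == c'
}

# Constructed audit.log excerpt: a guest trying to read an ISO on a FUSE/NTFS
# mount, plus a write to an image file that carries no label at all.
tmp=$(mktemp -d)
log="$tmp/audit.log"
cat > "$log" <<'EOF'
type=AVC msg=audit(1245000000.101:201): avc:  denied  { read } for  pid=4321 comm="qemu-kvm" name="Fedora-11.iso" dev=sdb1 ino=17 scontext=system_u:system_r:svirt_t:s0:c123,c456 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1245000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
type=AVC msg=audit(1245000000.102:202): avc:  denied  { open } for  pid=4321 comm="qemu-kvm" name="Fedora-11.iso" dev=sdb1 ino=17 scontext=system_u:system_r:svirt_t:s0:c123,c456 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1245000000.250:203): avc:  denied  { write } for  pid=4321 comm="qemu-kvm" name="vm2.img" dev=sda3 ino=99 scontext=system_u:system_r:svirt_t:s0:c123,c456 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
EOF

echo "--- denials raised by qemu-kvm ---"
denials_for "$log" qemu-kvm
echo "--- denials by target type ---"
denials_by_type "$log"
```

On a live host the same functions work on the raw records `ausearch -m avc` prints, since those keep the `type=AVC ... tcontext=... tclass=...` layout. In permissive mode the denials are still logged, just not enforced, so this is also the way to confirm that a permissive test run would have been clean before switching back to enforcing.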

Fedora 11's KVM implementation adds support for assigning to VMs
exclusive access to physical PCI devices on the host machine. This
feature, which I did not test, requires processors with either Intel's
VT-d or AMD's IOMMU functionality.

Executive Editor Jason Brooks can be reached at firstname.lastname@example.org.