Fedora 11's Biggest Improvements Are in Virtualization, eWEEK Labs Finds

In Fedora 11, the VM viewer application that's tied to the distribution's virt-manager tool now supports guest consoles at display resolutions of up to 1,024 by 768, compared to 800 by 600 in previous versions. Also, the VM creation tool now configures guests with a virtual USB tablet as an input device, which results in improved--but not perfect--tracking between your host machine's pointer and the cursor of the virtual machine you're controlling. This isn't much of a problem with the virtualization tools from VMware or VirtualBox, and it's an area in which Fedora's virtualization setup shows its immaturity.

Fedora's virtualization implementation relies on the VNC remote desktop protocol for accessing the consoles of guest machines. While popular and supported by many clients, VNC has lacked secure authentication support, which the Fedora team has added in Version 11 by extending VNC with SASL (Simple Authentication and Security Layer) support.

When deployed alongside a Kerberos server, such as Red Hat's FreeIPA server, this SASL functionality can allow for encrypted, authenticated, single-sign-on-enabled remote access to VMs.

Fedora 11 taps its SELinux security framework to enforce isolation of running VMs, using the framework's MCS (Multi Category System) policy. This support builds on the MCS-based isolation between guest and host that debuted in Fedora 10.

During tests, I created a pair of VMs on my Fedora 11 test box, and could see in my process monitor that the security context information for each running VM process included unique category attributes, as did the virtual disk image files that corresponded to each VM.

Fedora's SELinux support, which matures and spreads further through the distribution with each new release, is an important differentiator for Fedora and for Red Hat. With that said, SELinux can be a bit of pain to work with. For instance, I was having trouble creating new VMs in certain circumstances, and the error messages that virt-manager presented didn't specify the problem.

After consulting some log files, I saw that SELinux labeling issues were to blame. In one case, I was trying to install from an iso image stored on an NTFS file system, on which SELinux couldn't apply its labels. Fedora includes an SELinux troubleshooter tool that can prompt you about these sorts of errors, but during my tests, the troubleshooter didn't appear until I opened it from Fedora's Applications menu. This behavior may be related to to the fact that the service on which the troubleshooter relies has been switched to an "on-demand" service in Fedora 11 to speed boot time.

For the rest of my tests, I re-enabled the troubleshooting service and set SELinux to permissive mode, in which it would prompt me about errors but not block any operations.

Fedora 11's KVM implementation adds support for assigning to VMs exclusive access to physical PCI devices on the host machine. This feature, which I did not test, requires processors with either Intel's VT-d or AMD's IOMMU functionality.

Executive Editor Jason Brooks can be reached at jbrooks@eweek.com.