Also you can check out the previous three editions :-)
https://www.qemu-advent-calendar.org/2018/
https://www.qemu-advent-calendar.org/2016/
https://www.qemu-advent-calendar.org/2014/
PS: See stefanha's post in this thread, if you want to contribute a disk image.
The write-up for day 1 is seriously cool: https://www.quaxio.com/bootable_cd_retro_game_tweet
Edit: previously on HN at https://news.ycombinator.com/item?id=17656299
I love the author's bio:
> put the 's' in https at Facebook
QEMU Advent Calendar is still open for contributions! Check out the announcement for details on how to add your disk image:
https://www.qemu.org/2020/11/26/qemu-advent-announce/
I can't say enough good things about QEMU. I run it together with KVM and pass through a dedicated GPU card and USB controllers to a Windows 10 virtual machine for basically bare metal performance. This is barely different from magic to me.
It looks like the advent calendar from 2018 had a new QEMU release on one day, so hope to see that again this year :-)
I couldn't agree more! Mix in libvirt and virt-manager (which, admittedly, are very warty in a lot of ways) and a little Spice and you get a full virtual server stack for the cost of exactly zero dollars.
I've had it corrupt disk images. I know there's a complex system of tradeoffs you can choose from.
But I only discovered that while trying to restore a system I had improperly exited and completely hosed.
I wish the possibility (mouse like probability) of total destruction with the simple defaults was more I dunno, loud and obnoxious somehow.
These great technical achievements seem to share the usability patterns of handing you a knife when you were expecting a qtip
This looks really cool, but I hesitate.
Maybe I’m being a little paranoid, and I probably don’t understand how good the sandboxing of QEMU is, but am I the only one who thinks it’s a little dangerous to download and run a surprise virtual machine every day? I mean, no one would do this if it were a shell script, right?
I don't know how this is organized internally but these images are selected by "the QEMU community". I would assume if you trust QEMU (the program) then you can also trust these images.
better than modern web browsers for sure. qemu guest escapes are mostly in rarely-used peripheral devices, most recently the floppy driver. for less-trusted guests you can simply disable such devices though.
if you say "but what about the defaults", look at the number of new web interfaces though: web audio, webgpu, webusb, webgl, html5 audio/video, several media decoding interfaces... all of them with new and exciting vulnerabilities, most can be disabled but enabled by default.
QEMU powers clouds, and can be run KVM accelerated. You're safe. If you don't trust QEMU, stay well away from any cloud service.
Note though that QEMU's security boundary only covers running with KVM (see https://www.qemu.org/docs/master/system/security.html). So if you're running without KVM, i.e. using TCG emulation, you should either only run guest code that you reasonably trust to not be malicious, or run the whole QEMU itself in some kind of sandboxing.
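An added example, not part of the thread and not QEMU project code: one way to apply the two suggestions above (no default devices for a less-trusted guest, and no silent fallback from KVM to TCG) when launching a downloaded image. The function name, `QEMU_BIN`, `KVM_DEV`, the memory size and the assumption that the image is in raw format are choices of this example.

```shell
#!/bin/sh
# Added example: launch an untrusted disk image with a restricted QEMU.
# QEMU_BIN, KVM_DEV and run_untrusted_image are names chosen for this example.
QEMU_BIN="${QEMU_BIN:-qemu-system-x86_64}"
KVM_DEV="${KVM_DEV:-/dev/kvm}"

run_untrusted_image() {
    image="$1"

    # QEMU's documented security boundary assumes KVM. Fail closed rather
    # than let the guest run under TCG emulation.
    if ! { [ -r "$KVM_DEV" ] && [ -w "$KVM_DEV" ]; }; then
        echo "refusing to start: $KVM_DEV is not usable (would need TCG)" >&2
        return 1
    fi

    # A comma in the path would be parsed as an extra -drive option.
    case "$image" in
        ''|*,*) echo "refusing image path: '$image'" >&2; return 1 ;;
    esac

    # -accel kvm      : KVM only, no TCG fallback
    # -no-user-config : ignore user-provided config files
    # -nodefaults     : no default serial/parallel/floppy drive/CD-ROM/NIC
    # -sandbox ...    : seccomp filter (needs a QEMU built with seccomp)
    # -nic none       : no network for the guest
    # -snapshot       : guest writes go to a temporary file, not the image
    # format=raw      : assumption: image is raw; never let QEMU probe it
    "$QEMU_BIN" \
        -accel kvm \
        -no-user-config \
        -nodefaults \
        -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
        -nic none \
        -snapshot \
        -m 512 \
        -vga std \
        -drive "file=$image,format=raw,if=ide"
}

# Usage: run_untrusted_image day01.img   (file name is a placeholder)
```

Because `-nodefaults` removes the default display adapter as well, the example adds `-vga std` back explicitly; any other device the guest needs has to be added the same way.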
Wow, this is super cool, and also heart warming that they do such a nice thing! :)
I like the fact that the calendar ends on Christmas Eve, as it should.