User Mode Linux (UML) is a virtual Linux machine that runs on
Linux. Technically, UML is a port of Linux to Linux. Linux has been
ported to many different processors, including the ubiquitous x86,
Sun’s SPARC, IBM and Motorola’s PowerPC, DEC’s (then Compaq’s
and HP’s) Alpha, and a variety of others. UML is a port of Linux in
exactly the same sense as these. The difference is that it is a port to the
software interface defined by Linux rather than the hardware interface
defined by the processor and the rest of the physical computer.

UML has manifold uses for system administrators, users, and
developers. UML virtual machines are useful for test environments
that can be set up quickly and thrown away when no longer needed,
production environments that efficiently use the available hardware,
development setups that can make it much more convenient to test
software, plus a surprising number of other things.

COMPARISON WITH OTHER VIRTUALIZATION TECHNOLOGIES
UML differs from other virtualization technologies in being more of a
virtual operating system (OS) than a virtual machine. In spite of
this, I will stick to the common terminology and call UML a virtual
machine technology rather than a virtual OS, which would be somewhat
more accurate.

Technologies such as VMware really are virtual machines. They
emulate a physical platform, from the CPU to the peripherals, well
enough that any OS that runs on the physical platform also runs on the
emulated platform provided by VMware. This has the advantage that
it is fairly OS-agnostic—in principle, any OS that runs on the platform
can boot under VMware. In contrast, UML can be only a Linux guest.
On the other hand, being a virtual OS rather than a virtual machine
allows UML to interact more fully with the host OS, which has advantages
we will see later.

Other virtualization technologies such as Xen, BSD jail, Solaris
zones, and chroot are integrated into the host OS, as opposed to UML,
which runs in a process. This gives UML the advantage of being independent
from the host OS version, at the cost of some performance.
However, a lot (maybe all) of this performance can be regained without
losing the flexibility and manageability that UML gains from being in
userspace.

As we will see later, the benefits of virtualization accrue largely
from the degree of isolation between users and processes inside the virtual
machine or jail and those outside it. Most of these technologies
(excluding Xen and VMware) provide only partial virtualization and,
thus, partial isolation.

The least complete virtualization is provided by chroot, which
only jails processes into a directory. In all other respects, the processes
are unconfined. Even then, on Linux, chroot can’t confine a process
with root privileges, since its design allows superuser processes to
escape.
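
An audit for the weakness just described, as an added example that is not part of the original text: it lists processes whose root directory is not `/` but which still run as root or hold `CAP_SYS_CHROOT`, the capability that permits `chroot(2)`. The function names are this example's own, and it assumes a Linux procfs read by root from the host's real root directory.

```python
import os

CAP_SYS_CHROOT = 18  # bit number of the capability that permits chroot(2)


def parse_status(text):
    """Return (effective uid, effective capability mask) from /proc/<pid>/status."""
    euid, cap_eff = None, 0
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            euid = int(value.split()[1])  # fields: real, effective, saved, fs
        elif key == "CapEff":
            cap_eff = int(value.strip(), 16)
    return euid, cap_eff


def weakly_confined(root_path, status_text):
    """True if a process is chrooted but privileged enough to leave the jail."""
    euid, cap_eff = parse_status(status_text)
    chrooted = root_path != "/"
    can_chroot = bool((cap_eff >> CAP_SYS_CHROOT) & 1)
    # Conservative: uid 0 is flagged even if the capability is currently dropped.
    return chrooted and (euid == 0 or can_chroot)


def audit(proc="/proc"):
    """Scan a procfs tree; run as root from the host's own root directory."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            root = os.readlink(os.path.join(proc, pid, "root"))
            with open(os.path.join(proc, pid, "status")) as fh:
                status = fh.read()
        except OSError:
            continue  # process exited, or we may not inspect it
        if weakly_confined(root, status):
            findings.append((int(pid), root))
    return findings


if __name__ == "__main__":
    for pid, root in audit():
        print(f"pid {pid}: chrooted to {root} but can still call chroot(2)")
```

A chrooted service that drops to an unprivileged uid before handling input does not appear in the output.
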

BSD jail and vserver (a Linux-based project with roughly the
same properties) provide stronger confinement. They confine processes
to a subset of the filesystem and don’t allow them to see processes outside
the jail. A jail is also restricted to using a single IP address, and it
can’t manipulate its firewall rules. Jailed processes are not restricted
in their use of CPU time or I/O. The jails on a system are implemented
within the system’s kernel and therefore share the kernel, along with
the bugs and security holes it contains. The inability to change firewall
rules is a consequence of incomplete virtualization, as is the requirement
to share the kernel with the host.

Solaris zones are much closer to full-blown virtual machines and
complete isolation. Processes within a zone can’t see outside files or
processes, as is the case with a jail. Zones have their own logical
devices, with some restrictions on their access to the network. For
example, raw access to packets isn’t allowed. A zone can be assigned a
certain number of shares within the global fair share scheduler, limiting
the share of CPU that the processes within a zone can consume. We
will see this concept later in the form of virtual processors in a multiprocessor
virtual machine. Zones, like the other technologies described
so far, are implemented within the kernel and share the kernel version
and configuration with each other and the host.

Finally, technologies such as VMware, Xen, and UML implement
full virtualization and isolation. They all have fully virtualized devices
with no restrictions on how they may be used. They also confine their
processes with respect to CPU consumption by virtue of having a certain
number of virtual processors they may use. They also all run separate
instances of the OS, which may be different versions (and even a
completely different OS in the case of VMware) than the host.
