There are many technologies mentioned on this site. If you are going to become active in the whole-of-society response to the influence operations degrading our democracy, you or someone you work with will be using many of them. There are other things that appear here that are useful to me, but which are beyond the capabilities of the typical front line social movement working groups. I worked on corporate LANs for a decade before I made the change to ISP operations, and that was twenty-five years ago. Building things for thousands of users and ensuring they can be restored after a disaster is just ingrained in me.
Three times during my technology career I built and managed customer support operations – help desks – that covered internally developed software packages. Since I moved to this mix of sense-making and social movements, doing things like that has been a biannual exercise. Like continuity planning, supportability is never far from my mind.
Today’s post is a short English introduction to two hypervisors I use that are probably a couple bridges too far for the small working groups typical of social movements. I’m going to put them in context here, so I can refer back to this post when appropriate.
Attention Conservation Notice: You can just skim this for the larger text section titles; I’ll be reposting it periodically when needed.
Hypervisor Types:
There are two types of virtualization schemes. VirtualBox is a type two hypervisor, a software package that can be loaded on all three common desktop operating systems. Type one hypervisors are “bare metal” solutions: they are the OS you load on a system first, and then you build things to use on top of them. Proxmox does this by leveraging the Debian Linux distribution as its foundation, while Qubes accomplishes the same with Fedora as its starting point.
Proxmox:
I recommend VirtualBox as the virtualization system for small groups. Both Parallels for macOS and VMware Workstation are things I’ve used in the past, but for supportability’s sake VirtualBox runs on all three major desktop operating systems. I used VB on a trio of workstations in my living room to build a prototype clustered system running software I developed that depended on ArangoDB, Elasticsearch, and RabbitMQ. This later morphed into a trio of rack mount systems in a bunker for the pilot phase. As a rule, if you can’t go sit in front of a single machine, or if you’re trying to herd multiple systems, VB will become a burden.
Early in 2023 I encountered someone who spoke highly of Proxmox. I was unfamiliar with it, but after about twenty minutes of reading I pulled my spare workstation out of a closet and installed it. Having four years of hands-on experience with Elasticsearch, there were many new things to explore, but how to use it in a clustered environment was intuitively obvious to me.
These days my living room workstation has a dozen Open Semantic Search instances and half a dozen other systems running on it. There was a Proxmox cluster on that trio of rack mounts, but I don’t have a business case for running them at the moment, so they’re powered off, awaiting a new client that will float the boat.
The strengths of Proxmox are that it’s shell/web manageable, so no graphical display access is needed; it can be scaled horizontally by adding compute and storage resources; and migration tasks I dread doing with VirtualBox are accomplished with a couple of mouse clicks. If you don’t have work that requires dedicated hardware in excess of a single system hosted in a telco bunker, you don’t need to spend another minute thinking about this.
Qubes:
Ten years ago there was a secure systems triumvirate. TAILS Linux, short for Totally Amnesiac Incognito Live System, could be booted, access the internet via the Tor anonymizing network overlay, and when turned off it retained no information about what had happened. It doesn’t get along with the elderly Toshiba laptop in my closet, but I do keep it as a VirtualBox VM and I probably fire it up once a week when I need to go wade around in some digital cesspool for the sake of initial recon.
The Whonix Linux distro is a dual virtual machine system that offers a hardened user workstation and a headless gateway. Separating the computer you use from the gateway that handles network traffic is the next natural step after TAILS. I had already created something akin to this for myself so I haven’t used it much, but it’s still in active development.
Qubes bills itself as a “reasonably secure operating system”. This Xen-virtualization-based single user system takes the thinking behind the two VM Whonix architecture to the extreme. It is built from the ground up to treat everything you use as a separate VM. The VMs do not trust each other, so a successful subversion of one VM does not provide the attacker with a way to pivot to others. The single user bit is important – it is objectively impossible for multiple users to share a system that can be considered secure. Unlike the other desktop OSes, there is no provision for multiple “accounts” on a Qubes machine. My experience with Unix began in the mid-1980s, I’ve been using Linux since the mid-1990s, I have advanced networking skills, and I’ve had periodic encounters with Qubes for the last ten years. If you have neither used Whonix nor built something like it for yourself, you should probably avoid attempting Qubes.
Conclusion:
I think it’s unlikely that readers here are going to implement a Proxmox system, they’re much more likely to rent VPS services from existing providers. Advanced operators may find Qubes to their liking, but being an accomplished Linux admin is a minimum to be met before even attempting to employ it. Simply being aware that this is the next level will be sufficient for most of you.
However ... I am asking via the Support page for enough Amazon gift cards to acquire the $188 worth of hardware I need to easily dual boot my desktop between Ubuntu and Qubes. I do have work tasks that send me wading into digital cesspools, as I mentioned earlier, and I want to make sure I don’t track any of their ordure back into this environment.