Should my "daily use" Mint run within a VM?

[AMRoberts]

Newish Linux user, upgrading to a new-for-me laptop that will actually have the resources to run VMs. My first goal is to convert my WinXP and Win7 physical machines (still hanging around for a couple of applications I need to use) into guests and retire the old hardware. I've found some guidance on physical-to-virtual conversion, so I (hopefully) know the path to follow there.

What I haven't found yet is any thinking on whether I should run my day-to-day Mint activities directly on the machine, or also create a VM, install Mint, and carry out the bulk of my use within that VM? The argument I've seen in favor is security, kinda-sorta. If you fall victim to ransomware it is likely to be confined to the VM, and provided you have good backups of the VM and your data it is a fast recovery to dump the damaged VM, restore a snapshot, restart and recover data. I'm unclear to what extent this notion is "Windows Think" that has little/no value for Linux. Argument against comes from a (disk I/O-heavy) developer friend who has to make extensive use of VMs for all his work-related builds. He says he really feels the performance impact on VMs compared to his host, even with capable hardware.

Are there any posts/articles/etc. detailing prior experiences and consensus on this subject? If so pointers so I can read further would be appreciated, along with any comments.

Thanks,
Alan

[coffee412]

Hello Alan,

I run Virtualbox for my VM software manager. I do not have any problems with it and its somewhat easy to work with. I cannot comment on other VM software.

I do not know of any articles and such. However, I can comment on my own real world experiences. I run several VMs - One for Website development and a Ubiquiti Unifi controller software, The other for Invoices via invoice-ninja that depends on a webserver to run.

I do not run my daily driver in a VM because when I do things like plug in a USB stick I have to go thru the extra steps of setting it up in Virtualbox or making shares to access files/directories ect...

Where I do use VMs with my clients is where I have calendar/email software being accessed by about 12 workstations. IMHO, Backing up the VM - which VB calls "Exporting an appliance" is the way to go in case everything goes foobar on me. I can just kill the VM and restore from the exported one. So, In some cases it works out well because restoring is somewhat quick depending on the size of your VM. Then within that VM I have my daily backups or just restore from a backup drive.

I do not have much of a performance hit because I am not doing anything really graphic intensive and with todays hard drives like NVMe's they are pretty quick. However, I am running this on an AMD x1800 processor with 16 virtual cores and 32 gigs ram. So, I have plenty of resources. Where I do bog down a bit is in hard drive access. I am using a SSD drive for the operating system and two mechanical 4 tb (raid 1 setup) drives for my /home partition. Because VB VM's are stored in my home directory, If I have a VM doing something disk intensive it will slow down everything a bit. However, Using a NVme drive probably negates that a lot.

In closing, I think running your daily driver in a VM is a bit overkill except for the fact that restoring is somewhat easier. On a laptop I would think it might bog down a bit because laptops are not as powerful as a desktop. Of course, I do not know the specs of your laptop.

I hope I helped a bit?

[AMRoberts]

... However, I am running this on an AMD x1800 processor with 16 virtual cores and 32 gigs ram. So, I have plenty of resources. Where I do bog down a bit is in hard drive access. I am using a SSD drive for the operating system and two mechanical 4 tb (raid 1 setup) drives for my /home partition. ...

... In closing, I think running your daily driver in a VM is a bit overkill except for the fact that restoring is somewhat easier. On a laptop I would think it might bog down a bit because laptops are not as powerful as a desktop. Of course, I do not know the specs of your laptop.

I hope I helped a bit?

Appreciate it coffee412, it does. The laptop is only a 4 virtual core I7, 16GB of RAM, entirely SATA3 SSD, so it isn't as resource-rich as yours. Also I've never (knock wood) had a security problem with my previous Mint laptop in over a year of use. I did have a couple of upgrades that broke Wine applications, but TimeShift made recovery from those glitches easy.

With this platform upgrade I anticipate trying to move the majority of my "daily real life" content (e.g., financial planning, medical information, remaining consulting work, continuing education classes, other personal records) to Mint, leaving only what cannot migrate on legacy Windows platforms. Thus I'm trying to make a solid plan with respect platform security and reliability.

You've got me leaning towards majority of daily use on the native host, and only launching VMs for legacy platform use.

Off-topic for this forum, but do you sandbox your browsers? Trying to get my head wrapped around that as well.

Thanks,
Alan

[AndyMH]

With this platform upgrade I anticipate trying to move the majority of my "daily real life" content (e.g., financial planning, medical information, remaining consulting work, continuing education classes, other personal records) to Mint, leaving only what cannot migrate on legacy Windows platforms.

I started dual boot but after about a year went with mint as the primary OS. I run a win7 VM for the windows stuff, when I was working this was mainly MS office. Performance was adequate on an i5-3320M with 8GB RAM (I gave the VM half). I used to have some very large spreadsheets. I would say an SSD is essential otherwise you are into long load times for the VM.

[coffee412]

Off-topic for this forum, but do you sandbox your browsers? Trying to get my head wrapped around that as well.

Not really. I do not do anything special except load up some extensions - Facebook Container, Adblocker Ultimate, Cookie Autodelete, Decentraleyes, HTTPS everywhere. Thats the extent of my precautions for Firefox.

I have four cores donated to each VM and 8 gigs ram. I think two cores will work though. Mine might be a bit overkill but I have the resources for that.

[RIH]

If you are worried about security then sandboxing is a good idea.

I run VirtualBox but my daily driver of Mint 20.2 hosts that.
I do have Mint guests but I use them for 'throw away experimentation' rather than anything else.

In saying that the VirtualBox snapshot system does make system restoring almost instantaneous.
However if you are going to use that on a daily driver then you need to very carefully plan when you are going to take if you don't want to have to reload a lot of updating after a restore..

[MikeNovember]

Hi,

The danger comes from internet. There are several possibilities:

- Sandbox your internet applications (browser, mail client). For this you can use these apps as flatpaks, snaps, or use Firejail.

- Use a virtual machine: guest OS will be run isolated from your main host OS. Virtual machine software can be Virtual Box or VMware Workstation Player. Host is your favorite Mint distribution, guest is a lightweight Linux one. You use browser and mail client of the guest. Downloads can be transferred from the guest to the host through shared folders.

- You use a "bare metal hypervisor" as main install, for example Proxmox. Once installed, you create in Proxmox two containers, one for your favorite distro, one for a lightweight one, dedicated to internet.

- You can separate different uses (work, private, internet, banking...) by grouping apps in compartments using Qubes.

Sandboxing is the easiest way. You can find some tutorials in this forum:
* Thunderbird as a flatpak viewtopic.php?f=42&t=358185
* Chromium as a flatpak viewtopic.php?f=42&t=358979
* AnonFirefox, an equivalent of TorBrowser as a flatpak viewtopic.php?f=42&t=358889 (you can also use this tutorial simply for Firefox as a flatpak)
* Firejail sandboxing viewtopic.php?f=42&t=240157

Regards,

MN

[taylorkh]

Hello Alan,

I have been doing this for several years although I got into it for a different reason. When I was running Ubuntu 9.10 and later CentOS 6 I had my two monitor workstation setup with "separate X screens" so that each monitor was ALMOST a separate machine. I could no longer do this with CentOS 7 so I decided on a different scheme. I was already running VMWare Player so I created a CentOS 7 VM which I park on the right monitor - always on visible workspace - and then I DO have two separate machines. The host on the left monitor and the VM on the right.

I have more recently been using Mint VMs. I have one dedicated to my Proton email, one for my Schwab investment account which I only spin up when I need to access that site, one for some day to day use to get familiar with Mint and some other Mint, Ubuntu and even a couple of Windows VMs which I call up for specific purposes.

I am wanting to upgrade CentOS 7 on the host as it is getting somewhat out of date. I HATE the thought of installing a new host OS, setting up all my disk encryption, application installations, custom launchers etc. etc. So... I am building a Mint VM with everything I want to run. I will then clone it for both monitors as my daily driver. I may keep other copies of it for specific tasks such as Python programming, testing applications etc. In this case the host operating system would be rather irrelevant.

The idea is to keep some isolation between things. For example if I get a link in an email on my ProtonMail VM I never open it there. I copy the link to my day to day Mint VM and open it on that machine. I do need to make a "scratch" that I do not care if something bad happens to it. It would have no critical data and I could simply flush it and restore from my archive.

I am currently working on my hardening and isolation strategy. I need to get another machine and install Qubes OS which is designed to do this but... I am retired and this stuff is still a hobby

Ken

[acerimusdux]

I'd think it's not worth using the VM for everything. If you want the snapshot and restore capability, I'd just use timeshift for that. It maybe is a good idea though to use either flatpaks, firejail, or a VM for programs that access the internet. And maybe just have one VM for sensitive things like banking. I think there'd be a bit of a performance hit with the VM using it for everything. Maybe not too noticable, but for things like watching Neflix or Youtube, I'd rather be on my host.

And, a lot of the time I want access to all my files. But I don't want to give the VM access to everything. So, maybe this is still even overkill, but you could maybe do one VM for anything especially sensitive, another for anything especially risky, then sandboxing for ordinary internet stuff, and the host machine for running only software installed through official repositories or other well trusted sources.

But I've mostly only used the VM for testing out different distributions and DEs.

[meower68]

I am using a Linux VM as my "work daily driver" for one simple reason. My employer provides a laptop loaded with Win10 and I am not allowed to wipe the OS and install Linux. I have used VirtualBox in the past, running various incarnations of Mint. The latest machine came with Hyper-V and they prefer that I use it, over VirtualBox, so that's what I've been using most recently.

I do not have admin rights on the machine so I'm limited in what software I can install. Since Hyper-V is already installed, and creating a VM is not locked down (for some things, it's even encouraged), I created a Mint 18.3 VM which I've been using for about 3 years. The laptop has an i5 with 4 virtual cores and 16 GB of RAM; I routinely assign 3 cores and 12 GB of RAM to the VM, using the Win10 host for little more than hosting the VM and the occasional video conference.

If I network the company laptop with my personal PC (which happens anytime I plug it into my home network for connectivity, when I WFH), I can run the VM "headless" (exit the GUI and Alt-F1 to get to text mode, login and trigger an xterm with a display variable set for my PC) and use my personal PC (with a much larger screen and better keyboard) as a thin client. I have to use the command-line to start all my apps but I've populated my .bashrc with various aliases which make that easy peasy. The apps and the data, pertaining my employer, all stay on the employer machine but I don't have to put up with its limited keyboard and display. If I need to take the laptop and use it somewhere else, it's not a problem running the VM on the laptop stand-alone. Company data is never stored on my personal machine; it always stays on the company machine. Because I have root access to my VM, I can install whatever I want on there. That gets me around the "no local admin rights" issue and, as others have mentioned, the VM is sandboxed so, if it gets infected, it's limited in the amount of damage it can do to the host. That hasn't been needed but ... it's there.

On a prior occasion, I tried putting my entire VM disk image, along with a backed-up copy of the VM configuration, on a USB3 stick; that way, if I needed to move to a new laptop or back to a desktop machine, I could just move the USB stick, with the data and the VM setup, to the new machine and I've lost a minimum of time. Also, USB3 is faster than a spinning disk (poor man's SSD). That worked for a year, or so, until the wear caused stuff to start failing on the stick and I ended up with a corrupted VM image. I don't recommend doing that

For 3 years, it's been Mint Mate 18.3 on a Hyper-V VM running on the spinning disk. 18.3 is EOL so I'm in the process of setting up a new, Mint Mate 20.3 VM.

[Petermint]

VM is a big overhead. People who switch from an old machine to a new machine with a VM do not notice it because it is still faster. People used to the new machine speed will notice the loss of responsiveness when a VM is added.

How do you use your machine? VMs, as opposed to dual boot and other options, let you run multiple incompatible applications at the same time but then you use the maximum resources running three operating systems, the base, the VM, and the VM client at the same time. I found that far worse than just sitting in a VM clicking away at one application.

What are the disk options on your machine? Could you add an SSD for the system? You could put your system and home directory on a medium size SSD and keep the rotating rust for big data directories.

My choice was dual boot with just a small shared NTFS partition. Dual boot fitted the work I was doing and kept the bulk of my files safe from Windows without a VM. Back then I had only 4 GB on my notebook. The need to dual boot died when ProjectLibre replaced M$ Project as the industry standard.

A previous post about using VMs for client projects is an excellent idea.