按:今天在群里有人说起虚拟机和沙盒,一群人纷纷表示虽然大体知道二者的不同,但说不清具体有什么区别。本文从比较概括的角度说明了二者的异同,包括微软在 Windows 10 中引入的『沙盒』应用。虽然虚拟机和沙盒依据实现的不同,不能被本文的描述一概而论,但可以作为对二者概念的入门参考。
原文链接:https://askleo.com/whats-the-difference-between-a-sandbox-and-a-virtual-machine/
Sandboxes and virtual machines share some characteristics, but they are fundamentally different technologies. I’ll look at both from a high level.
沙盒和虚拟机有一些共性,但它们其实是从根源上便大相径庭的两种技术,本文将从一个比较概括的层次进行分析。
Sandbox versus virtual machine: can you provide a brief overview on the differences, advantages, and disadvantages?
关于沙盒与虚拟机,能否对其异同和优缺点进行一下简要的说明呢?
Sandboxes and virtual machines are two different technologies that share enough characteristics to make them easily confused.
One could confuse matters further by referring to a virtual machine as the ultimate sandbox. That would be an accurate statement, but it really only stirs up the mud in what is already muddy water.
Let’s look at the three scenarios: the default case without either, a sandbox, and a virtual machine.
沙盒与虚拟机是两种不同的技术,但由于二者的共性,使得二者很容易被混淆。
也有人将虚拟机视为一种终级沙盒,从而使得二者的区别变得更加扑朔迷离。尽管这种说法在某种程度上是准确的,但同时也会将浑水搅得更加浑浊。
让我们首先来观察三种场景:二者都不存在的情况,沙盒,以及虚拟机。
First, a caveat for the knowledgeable: this is, of necessity, an over-simplification. I’m not trying to define exactly how these technologies work at a bits-and-bytes level. This is a high-level overview meant to convey the concepts for a basic understanding, nothing more.1
首先,对大聪明们先提个醒:以下是为了说明虚拟机与沙盒的区别而高度简化的模型,本意不是为了对其中的技术进行抽丝拨茧的剖析。以下解释是为了使读者对二者的概念有一个基础性的理解,仅此而已,别想太多[注1]。
Windows on its own
只有 Windows 的世界
Let’s start with a conceptual view on how Windows and Windows applications operate (at a very high level).
首先我们来从概念的层面上来分析一下 Windows 及其内运行的应用程序是如何运行的(高度概括)。
Windows: a conceptual diagram.(Windows:概念图)
Applications running in Windows interact with the machine (and with you) through Windows.
Windows manages access to the files and on-disk resources; it also manages access to the hardware through the device drivers that are installed for your machine’s specific hardware configuration.
Windows 中的应用程序是通过 Windows 来与机器(和你)进行交互的。
Windows 管理着对文件和磁盘上的资源的访问,同时也通过与你机器上硬件配置相匹配的驱动程序来管理硬件。
A sandbox under Windows
Windows 中的沙盒
In a sense, a sandbox is a container placed around an application running within Windows.
某种意义上来说,沙盒就是将在 Windows 中运行的应用程序包裹起来的一个容器。
Windows sandbox: a conceptual diagram.(Windows 中的沙盒:概念图)
One of the three applications in this example is drawn as being within a sandbox, including a portion of the “Files & Settings” used by that application.
Therein lies the magic.
上图中的三个应用程序中,其中一个被描绘成存在于沙盒中的形态,这其中也包含着被这个应用程序所使用的『文件、系统设置』的部分。
神奇的事情就发生在这里。
When you run an application inside a sandbox, it continues to have access to everything that it would were it not sandboxed. The primary difference is that anything created or changed by the sandboxed application is:
当一个应用程序运行在沙盒中的时候,它可以继续访问其它没有被沙盒化的资源。对于一个应用程序来说,锁进沙盒前后的主要区别在于:
- Not visible outside of the sandbox; other Windows applications don’t see it.(应用程序本身在沙盒外不可见,其它 Windows 应用程序看不到它)
- Not saved when the sandboxed application exits.2(沙盒化的应用程序所做的修改在其退出后不会被保存[注2])
The best example is simply that any malware that might have been downloaded and “installed” by the sandboxed application is discarded when the application exits.
一个最好的案例是,沙盒化的应用程序下载并『安装』的恶意软件,在这个(沙盒化的)应用程序退出后都会被清理掉。
A virtual machine under Windows
Windows 下的虚拟机
A virtual machine, or VM, is an application running under Windows that creates an environment simulating a completely separate computer.
虚拟机(缩写VM)是一种运行在 Windows 下的应用程序,它创造了一个模拟一台完整的、(与宿主机)相分离的计算机环境。
Windows virtual machine: a conceptual diagram.(Windows 中的虚拟机:概念图)
In this diagram, the application on the left is a VM running a completely separate copy of Windows. In a sense, it’s a “machine within a machine.” Windows running on the actual PC is often referred to as the “host” operating system, while any VMs running on it are referred to as “guest” operating systems.
Within a VM, applications continue to access the world around them through that VM’s copy of Windows. That “world” includes that VM’s own virtual hard disk, on which files and settings are stored.
The VM also includes its own set of virtual device drivers that behave as if they’re interfacing to actual hardware. In reality, they’re mimicking the presence of actual hardware and talking to the host copy of Windows to gain access to the real hardware.
Everything that happens in the VM stays within the VM. It behaves exactly as if it were a completely separate physical machine.
That implies that any downloads, changes, updates, installations created or saved within the virtual machine is only accessible from within the VM in some way.
And if you delete the VM, it’s like getting rid of a PC. Everything on the virtual hard disk is erased.
在上图中,左上角的部分是一个运行了一份独立 Windows 副本的虚拟机。某种意义上,这就是『机器里面套机器』。运行在真机上的 Windows 通常被乘坐『宿主』操作系统,而在其上运行的其它虚拟机(实例)则被称作『客户』操作系统。
在虚拟机(实例)里,应用程序通过虚拟机中运行的 Windows 副本存取周围『世界』的资源。这个『世界』包含虚拟机自己的虚拟磁盘,其中存储着(应用程序的)文件和设置。
虚拟机(实例)也拥有自己的一套虚拟设备驱动程序,其行为就好像在与真实的硬件进行交互一样。实际上,它们一边模拟着真实硬件的存在,一边与宿主机上的 Windows 系统通讯,来与真实的硬件进行沟通。
一切在虚拟机中发生的事情都停留在虚拟机里,其表现正如有一台完全不相干的物理机一样。
这就意味着任何在虚拟机环境中创建或保存的下载、修改、更新和安装操作都在某种程度上只能在虚拟机中进行存取。
并且,如果对虚拟机进行删除的话,所有存储在虚拟磁盘上的文件也将被删除。
Multiple virtual machines
多台虚拟机的情况
One of the best ways to demonstrate virtual machine technology is a scenario such as this one.
为演示虚拟机的概念,最好的方式之一是如下所述的场景。
This illustrates a single PC running three virtual machines.
上图描述了一台 PC 之上运行了3个虚拟机的情况。
- The PC itself is running Windows 7(PC 自身运行的是 Windows 7)
- One VM is running Windows XP, and would appear as a window within the host Windows 7 machine.(第一台虚拟机运行 Windows XP,并在 Windows 7 宿主机中表现为一个窗口)
- One VM is running another copy of Windows 7, and would appear as a window within the host Windows 7 machine.(第二台虚拟机运行了另一个 Windows 7 副本,并在 Windows 7 宿主机中表现为一个窗口)
- One VM is running Ubuntu Linux, and would appear as a window within the host Windows 7 machine.(第三台宿主机运行 Ubuntu Linux,并在 Windows 7 宿主机中表现为一个窗口)
One physical machine runs three different virtual machines simultaneously.
Each virtual machine is completely separate — as if it was on completely separate hardware — except that it’s not.
This is actually more common than you might imagine. For example, so-called “cloud servers” are nothing more than virtual machines. As I write this, the Ask Leo! website is hosted on a modest virtual machine on a virtual hosting provider. I have no idea what the underlying hardware actually is; the virtual machine can’t look “out” to its host. My assumption is that it’s a fairly beefy piece of hardware on which several virtual machines are hosted.
一台物理机同时运行着三台不同的虚拟机。
每台虚拟机都是独立的,就好像是各自运行在互不相关的硬件上一样,而实际情况又并非如此。
上述情况实际上比你想象的更为常见。例如,所谓的『云服务器』不过就是虚拟机罢了。就在撰写本文之际,Ask Leo! 网站(译注:本文原文所在的网站)就在某家虚拟主机提供商上的一台小小的虚拟机上运行着。我不知道这台虚拟机的底层硬件是什么,因为虚拟机不能『穿越』出来观察它的宿主机。我估计宿主机 应该是一台性能相当强劲的机器,上面跑着好些个虚拟机的样子。
Pros and Cons
孰优孰劣
Sandbox
沙盒
Sandboxing doesn’t require much in the way of additional RAM or disk space, and is fairly easy to set up and use. I say “fairly” because there are complexities, most notably about how to preserve desired changes outside of the sandbox.
For example, if your browser is sandboxed (the most common scenario), getting a downloaded file that you want to use outside the sandbox may take a few extra steps. Other changes you might want to preserve while you’re in the sandbox can also be slightly complicated to retain.
沙盒在内存或磁盘空间方面不需要太多的资源,并且通常可以很方便地设置和使用。之所以说『通常』是因为难点也是存在的,主要体现在如何将所需的修改保留到沙盒之外。
例如,如果你的浏览器是沙盒化的(这是最常见的场景),将下载下来的文件保存到沙盒之外可能需要几步额外的操作。其它一些你在沙盒中做出的变动如果想要保留的话,可能也会稍微有点复杂。
Virtual Machine
虚拟机
Virtual machines can be resource hungry. Among other things, you’ll need to allocate disk space to the virtual hard drive and choose how much of your computer’s RAM to dedicate to the VM while it’s running.
When discussing the characteristics of a virtual machine, the phrase that keeps coming up is “just as if it were a separate physical machine”. And when looking at what a VM can and cannot do, and what it takes to set one up, that’s the best rule of thumb to remember.
Setting up a VM typically involves installing an OS from scratch. In the multiple-VM example above, each virtual machine would need to be set up — just as if they were separate physical machines.
A virtual machine and its host are effectively isolated from each other. A common way to copy files to and from the virtual machine is to set up network access on that machine — just as if it was separate physical machine.
As you can see, a VM is perfect if you want a completely isolated “virtual” second (or third, or fourth) machine. It’s also perfect if you want that machine to run a different operating system than its host. For example, I no longer have a physical machine that has Windows XP installed on it, but I have a virtual machine I can fire up at will on my primary desktop (currently running Windows 10) that provides me a copy of Windows XP to work with.
虚拟机可能会消耗大量的资源。包括其它类型的资源在内,你需要为虚拟磁盘分配(宿主机的)磁盘空间,以及将机器(宿主机)的部分内存划给虚拟机专属使用。
讨论虚拟机的特征时,经常出现的一类描述是『就好像是一台独立的物理机一样』。而当分析虚拟机能做什么、不能做什么、需要哪些资源才能创建一台虚拟机时,这也是最需要记住的一点。
创建一台虚拟机通常包括从零开始安装(虚拟机的)操作系统。在上述多虚拟机的案例中,每台虚拟机都需要依次进行配置——就像它们各自都是独立的物理机一样。
虚拟机(的客户机)与其宿主机有效地隔离开来。通常情况下,要向虚拟机存入、或从其中取出文件的方式是配置其网络连接——就好像它是一台独立的物理机一样。
综上所述,如果你需要第二(三、四…)台完全隔离的『虚拟』电脑,那么虚拟机方案对你来说是最合适的。对于想在同一台电脑上(同时)运行另一个不同的操作系统的情况,虚拟机也很合适。例如,我已经不再保留运行 Windows XP 的物理机了,但我的主力机(目前运行 Windows 10)上有一台安装了 Windows XP 的虚拟机,这样当需要时就能随时取用。
Specific Tools
具体到工具
One of the most popular sandboxing tools is called “Sandboxie“. Originally developed as a Sandbox for IE (hence the name), it’s grown into a powerful and flexible general purpose sandboxing solution. Unfortunately, it’s not free.
These days I use VirtualBox, a free and open-source VM solution for both Windows and Mac. I have clean installs of Windows 10 Home, Pro, Windows 7, and as mentioned above, Windows XP, that I can run as needed on my primary machine (which itself runs Windows 10 pro).
For many years, I used Parallels Desktop to run many of those same incarnations of Windows on my Mac Pro.
Finally, VMWare is another popular VM provider. There are many pre-configured VMWare “appliances” you can download and run. For example, you can download a ready-to-run VMWare appliance that is Ubuntu Linux without having to go through the steps of setting up the operating system.
最为常见的沙盒工具之一是 Sandboxie,原本是为了将 IE(译注:Internet Explorer)进行沙盒化而研发的(也是其名字的由来),后来逐渐成长为一个强大的、通用的沙盒解决方案。不过很不幸,它不是免费软件。
现如今我使用的是 VirtualBox,一款免费且开源的虚拟机解决方案,可以运行在 Windows 和 Mac(OS)上。我在其中安装了干净的 Windows 10 Home Pro、Windows 7,以及上面提到的 Windows XP 副本,以便在我的主力机(运行的是 Windows 10 Pro)上随时取用。
多年以来,我也使用过 Parallels Desktop 来在我的 Mac Pro 上运行各种版本的 Windows(虚拟机)。
最后,VMWare 也是流行的虚拟机解决方案之一。有许多已经预先配置好的 VMWare『容器』可以下载来使用。例如,可以下载一份 VMware Ubuntu Linux 容器开箱即用,而不需要经手安装操作系统的流程。
Microsoft confuses terminology — again
微软混淆了术语——这是第几次了
Some editions of Windows 10 now include a feature called a “sandbox”. Naturally, it’s not a sandbox as I’ve described above. While not a full-fledged virtual machine, it’s close. When you run the Windows 10 sandbox, you’re running a lightweight but separate instance of Windows itself.
It’s convenient, since other than enabling the feature in Windows and running the tool, there’s little to set up.3 It can be a quick way to set up a safe environment to test items in isolation from your primary operating system.
某些版本(译注:目前只有专业版和企业版提供)的 Windows 10 提供了一个叫『沙盒』的功能。自然,这个功能与本文讨论的『沙盒』是两码事。尽管它不是完整的虚拟机,但也很接近。当你运行 Windows 10 沙盒的时候,实际上就运行了一个轻量化、而又与(宿主机)Windows 相分离的实例。(译注:Windows 10 沙盒是在当前运行的系统的基础上动态创建的实例,与传统的全功能虚拟机有一定不同,具体请自行查询相关文献)
这个功能的确方便,因为除了启用功能然后运行之外[注3],基本上没有什么好配置的。Windows 10 沙盒可以用作一个安全环境,用于在与本机系统隔离的情况下进行测试工作。
Next steps
总结
Full-blown virtual machines such as VirtualBox aren’t for everyone. However, if you know it’s what you need and you have the hardware to support it, it’s incredibly cool technology. I use it almost every day.
Sandboxing tools are easier to use, and many people swear by them. Particularly if your Windows 10 edition supports it and your computer meets the hardware requirements, the Windows 10 sandbox might be worth investigating as an additional tool in your security toolbox.
全功能的虚拟机(例如 VirtualBox)并不适合所有人。不过,如果你了解自己的需求,并且硬件也支持的话,那么虚拟机还是非常强大的。我基本上每天都在用。
沙盒技术使用相对比较简单,并且许多人都对其推崇备至。如果你运行的 Windows 10 版本支持沙盒功能、并且你的硬件满足需求的话,那么 Windows 10 沙盒或许也值得一试,为你的安全工具箱再添一项得力助手。(译注:但还是不要将 Windows 10 沙盒与传统意义上的沙盒混为一谈比较好?)
注释
1: In other words, no nit-picking, please.
注1:换句话说,就是请不要鸡蛋里面挑骨头。
2: Specific sandbox implementations may provide mechanisms to transfer or save data out of the sandbox, but the important concept here is that, unless such steps are taken, any changes made by the sandboxed application are lost.
注2:有些沙盒的实现可能会提供从沙盒中传输或导出数据的机制,但更重要的是,除非特意进行了这类操作,否则沙盒化应用程序做出的任何修改都(应当)会丢失。
3: Unfortunately, it does seem to conflict with VirtualBox.
注3:不幸的是,(Windows 10 沙盒功能)它似乎与 VirtualBox 有冲突(译注:Windows 10 沙盒需要开启 Hyper-V)。