How does WSL[2] pose limitations on a guest linux system?

Question

As soon as I got WSL2 on my Windows PC, I installed an adapted CentOS 8.2 version. As I explored it, I found that I could read and write in the host's NTFS file system out of the box. It was also connected to the Internet but I couldn't figure out a way of managing the connection; I could install Network Manager but then I would get a Could not create NMClient object whenever I run nmcli command. I didn't find SELinux (getenforce). I installed firewalld but then firewall-cmd would throw Failed to connect to socket /run/dbus/system_bus_socket. systemctl gives an error System has not been booted with systemd... I then learned that a "Fedora Remix for WSL" was being offered, for $9.99 on the Windows app store with the note:

The following packages have been removed from the default install of Fedora Remix for WSL: grub, plymouth, kernel, sssd, linux-firmware, dracut, parted, e2fsprogs, iprutils, ppc64-utils, selinux-policy, policycoreutils, sendmail, firewalld, fedora-release, fedora-logos, and fedora-release-notes.

So, the main question: How is Linux functionality limited by WSL?

Then, what we are interested is obviously how to get around them: First worry I have: Is the connection to the Internet safe? It looks to me that there's no firewall stopping people getting into my host PC if they can connect to my WSL Linux via some service. Regarding what I wrote above: Why am I getting that error with nmcli? Is it anyhow possible to get SELinux running? Is it anyhow possible to manage units as one does with systemctl?

Answer 1

WSL2 is essentially a Linux VM using a real Linux kernel and a custom init system. This custom kernel knows how to access the Windows file system using special drivers, and it receives its internet access through a virtual network adapter.

Since you're not using the system standard init system (which is either sysvinit or systemd), you're not starting all of the services that the system would normally start, like dbus. So running systemctl won't work to start or stop services and programs which require dbus to run will need you to start it manually, or with a suitable sysvinit-style script. The latter should work on pretty much any init system.

WSL2 uses this custom init system because it makes booting almost instantaneous; otherwise, you'd have to wait for a full Linux system boot in order to make things work. Consequently, packages that set up a full Linux system or are required only for booting will not be necessary.

The firewall you use, if any, should be configured on your Windows system, not your Linux system. You probably can use nftables or iptables directly if you want to, but anything relying on systemd is right out. For similar reasons, you wouldn't use Network Manager, since your network access is controlled by Windows and will reflect whatever the Windows networking stack does.

It's unclear to me why SELinux doesn't work in WSL. It may be because the Microsoft Linux kernel doesn't build with it or enable it, it could be because other operating systems won't want SELinux (e.g., Debian and Ubuntu would prefer AppArmor) and they don't want to deal with multiple modules, or it could be that drvfs (the WSL file system) doesn't support the required features.

If you want a fully functional Linux experience, then you should install an actual Linux distro. WSL2 is great if you want to use a Windows system and develop or run applications for Linux without needing to dual-boot, or if you have to use Windows but prefer Linux, but it isn't a replacement for a full Linux system.