Slashdot Mirror
Ask Slashdot: Safe Learning Environment For VMs?
First time accepted submitter rarkian writes "I am the teacher in this story. I teach Python and C++ to high school students: grades 9-12. I use CentOS 6 with DRBL to run my computer lab. Some of my students have become Linux experts. Next year I'm planning on allowing students to create and run their own VMs in a segregated LAN. Any advice on which virtualization technology to use and security concerns with allowing students to be root in a VM?"
for each of the students and don't allow any interface between them...and certainly no main network/internet access.
The whole point of a VM is that being root isn't a safety concern.
No sig today...
No matter what you use, unless it's hard to install and configure the slack-jawed neckbeards of Slashdot won't bless it with their magic wand.
Just get some flavor of VMware and move on with your life.
Vagrant is a wrapper for Virtualbox and VMWare Workstation that accelerates the deployment of development environments.
http://www.vagrantup.com/
Congratulations on your success!
I don't think you need to worry about OS security, since that is the point of using VMs. However, the "key" to this question is the definition of "segmented." There are host of nefarious and simple mistakes you can make to completely trash the network of the of the VMs. I would recommend disabling multicast.
Banning the use of fork() can't hurt either.
Virtual Box is lightweight and it won't matter if they are root. A VM eliminates all that trouble.
"Oh you crashed the hell out of that machine, didn't you? oh well, reinstall."
Since you are segregating the network they will have no outside access and no re...WTF am I saying?...VLANs
"That's right...I said it."
virtual box is great. its free/open-source well supported on windows mac and linux. itis easy to set up. has the ability to take snapshots on the vm to roll back at a moments notice. good documentation don't know what else you could need here.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Does it have to be a linux based solution, or is this more of a broad generalized VM option?
Many of the big names have free versions available if you want something setup more like an enterprise deal (VMware offers the vSphere ESXi hypervisor for free (limited to 1 physical CPU and IIRC 32GB RAM for the 5.0 and 5.1 versions.. I think version 4.x didnt' have those restrictions?)
Xen is freely available and Citrix also has a version of theirs available for free.
etc on down the list
Well, obviously, you can set up a VM to isolate a safe environment for...
Oh.
The fact that your using VM's is largely moot and goes back to the line of thought that VM's are somehow not 'real' computers. VM's run the same operating systems, software, have the same bugs, vulnerabilities and everything else as a physical computer. You need to patch them just like any other computer and you need to license them just like a regular computer. The fact that they are VM's really only makes two differences practical differences that matter, fist is that is easy to roll them back and second is that your aren't running on bare metal.
In other words you have a core issue that needs addressed of giving students root access to a computer. In an isolated environment this isn't necessarily a bad thing. Understand that they exploit root and see what they can do with it, however they are there to learn and if you can do so safely and without disruption of what your trying to teach then let them. Your focus needs to be on making it safe for those around them and that means making sure your VLAN and any related Internet access are properly setup. The lab is a lab and as long as you can make sure they aren't getting access to anyone persons computer than let them have at it.
A good rule of thumb is to roll your sessions back prior to the start of every single class. This always gives a fresh machine and the students will quickly learn how to set their VM just the way they want it.
They have a free usage tier.
Make sure you have SELinux enabled (and enforcing!) on the VM host, and keep the VMM software updated... there sometimes are security holes in VMM software which can be exploited. SELinux can help contain a breached VMM.
Just in case anyone gets a bit... shall we say "Adventurous" and tries to use their root access boxen to attack something they shouldn't, it might be worth isolating the VMs on their own VLAN away from the rest of the network, if you haven't already.
Keep it simple, keep it modern, tour the old school vm tech in class; KVM on linux, HyperV on windows for the actual uses, QEMU, VirtualBox
For the grand tour look at the order in history; vmware, xen and don't neglect the licensing models, power license versus core licenses, free versus freemium
The remote management concepts I would handle entirely separately, and pay special attention to how they make their profits, where the cost sinks are.
Also don't neglect the models of vm, including CPU architecture virtualization, QEMU before it was thought of as a tool kit, QEMU emulating Mips, SPARC, AMD64, EMT64
Include a section on history of storage containers; VMDK, IMG, VHD and their limitations (2TB) and why versus "Synthetic" volume management (VM management to create larger than 2 TB volumes ) software RAID, network block devices.
One of the strongest inventions influencing the choice of a VM I think is the package management system of the host OS - (rpm or msi) with Linux you can use yum or rpm to install everything you need, without a custom kernel these days; with windows pretty much the same thing.
The third party value scenario of "orchestration" suites to manage large clusters of vhosts was and is where the cost sinks are, and at the moment have little influence on the small fry personal clouds of a desktop. But at scale, you either have to consider buy or build, or learn how to manage lots of "lillipad" ponds of vhosts.
Notice how I skipped around the redundancy and high availablity issues of the vmotion "like" aspects of vm farms or clouds. Huge topics there and I think more appropriate for a second semester or advanced 102 course on the material.
I worked at deploying linux systems in prisons for a local college. The key points of my system were:
Used a server w centralized Zentyal for ldap, mail, httpd, quotas etc.
Added nfs to Zentyal.
Had dumb clients w immutable disk VMs running on them
Deleted the gnome session and added GDM sessions for each VM
Used the local disk mapping in Virtualbox to map to their dir in the NFS export.
So, once a student auths to a client and selects an X VM session, VirtualBox starts in its always-pristine state. If the users want to store data then they have a dir mapped to the desktop which holds all their files.
There have been security issues w bridged networks and interfaces that can be promiscuous. Other than this, just disallow all recourse to the underlying OS and you should be good.
Next year I'm planning on allowing students to create and run their own VMs
Running their own VM's is straightforward. Allowing the students to create their own VM's implies that they'll be root on the hypervisor.
Do you intend to run the hypervisor on the client machines of the DRBL system, or run a single hypervisor on the server and deploy the VM's there as DRBL clients?
To satisfy your requirements you probably want to run the hypervisor on the clients so they students can each have their own root on the hypervisor. This would require a hypervisor compatible with DRBL. I don't know how it works, but just from reading the description on the webpage, it sounds like it's geared to PXE booting a host OS.
If you go with Xen, you'll have to probably separately PXE boot Xen and then DRBL boot the Dom0. Which would probably work fine and get you decent performance, but it will expose the students to DRBL (is this what you want?)
If you go with KVM, the performance is a bit slower, but for a student shop that's probably OK, and you'll be able to DRBL-deploy the hypervisor and then let the students create their own non-DRBL (or DRBL) guests. This probably fits your model the best unless you have old hardware that KVM does not support - then you might need to go with the Xen-PXE-Boot model (because it can paravirtualize without hardware assistance).
You could also use VirtualBox, and while it offers a nice GUI, it's probably too simple for teaching your students about virtualization (it just feels like an app).
BTW, it sounds like you're doing great work based on that article. Kudos on your accomplishments and being an inspiration for others in your field.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.
Some of my students have become Linux experts.
Proficient... believable. Experts... doubtful
Don't let the higher-ups know you're running a rebel operating system, you might just get canned. What use is running Linux in school anyway, when the students should be learning REAL job skills (I.E. Microsoft Office)? /sarcasm
(Sorry, I have been tainted by the education "industry" when it comes to anything Linux in school).
It is pitch black. You are likely to be eaten by a grue.
If you're running CentOS you already have both KVM and Xen at your finger tips. Both are excellent choices and are well suited for what you are looking to accomplish. Personally, I really really enjoy KVM w/ libvirt. A simple kickstart script is all you need to create a "baseline" that you can easily script a classroom refresh before or after each class. It's super easy. You can also teach deployments from an environment like this; that's very useful in the real world. I've seen a a few comments suggesting put the VMs in their own network, and I agree with that. I would probably NAT the whole classroom behind the instructor machine and then not worry about anything. Good luck and thanks for teaching Linux!
I see this as being similar to when we needed to have all of our developers in my company working in an environment that absolutely matched the production environment. Just use VMWare on each individual machine, run an Ubuntu image in that and best of all use a Puppet script to customize it and give 'em the goodies they need. The beauty of this is once the kids screw it up (and let's hope they do, they're learning after all) then you can rebuild this back to a pristine machine in no time. Good luck!
VirtualBox is a Type 2 hypervisor, which needs to run on top of another OS (Win/Mac/Linux), so it is ideal if your students have those other operating systems to boot into from the start. But if you use a Type 1 hypervisor, such as KVM or Xen, you can spin up any number of servers or desktop VMs in your own private cloud and isolate them from your other environments using vLANs. It depends on how complex an environment you want to build out for your classroom laboratory. Since you're emphasizing open source solutions, you might even want to let your students play around with OpenStack and other infrastructure tools to give them an even bigger advantage in the competitive workforce of cloud computing, which is definitely going to become more important in the next few years.
Have a look at Apache VCL: http://vcl.apache.org/ - it is a cloud computing system developed specifically for use in the education space.
No, stop!
NAT is not the correct solution to this nor would it help. NAT does not stop anyone scanning outward, the NAT router will setup the address translation just as it should. VLANS are the correct answer. Pulling physical cables is too much work, and cannot be done remotely.
First, you're going to want to set a segregated network that cannot talk to the main network (A DMZ), your router accomplishes this in most cases.
Second, there's 2 big options for you to look at: VMWare ESXi & Xen both are hypervisors that run on server hardware and can host as many VMs as the hardware can handle. Hyper-V may also be an option if you're part of the MSDN alliance. Install and configured chosen host software.
Third, set up individual VMs, you're on a DMZ, so giving root is fine, the main network cannot be reached. You should be able to create a template and spawn the rest of the VMs off that.
Fourth, have the students remote into their VMs.
Fabrice Bellard also put up a nice website on how to run a vm of a linux kernel booting in a web browser window using javascript as the vhost. That's pretty impressive. And makes a good demonstration.
Provisioning is also often overlooked. H. Peter Anvin's Syslinux toolkit is often over looked, even though its used to replace or augment about every bootloader system since DOS and Linux came on the scene. Plus he's gone out of his way to make it adaptable to some of the oldest and weirdest hardware every created. It even supports iSCSI using the former GPXE, iPXE projects.
iSCSI versus traditional SANS or DAS would make an interesting topic; heck even just discussion the SCSI protocol which has outlasted the hardware.
Stateless Linux, Stateless Windows; versus Portable Windows and Live Linux instances would also be of interest, in a VM environment; how and when do you decide to store and maintain state?
If you could get an Amazon S3 or Microsoft Azure team member to visit and lecture your class would be cool. Google and Apple datacenter and vm chiefs would be cool.. but doubt you could get them.
You could also look at it like this. If your students can crack their VM environment and run wild, hacking away, changing grades, and setting up Paypal fraud websites, then you have taught them very well and they will go on to a long and prosperous career, hopefully working for the good guys.
sudo make me a sandwich
A VM is just another machine on the network. A user with root can become any user.
If the VM can access shared storage, then users with root can access that shared storage as any user. They can send email from any account. Lots of other tricks they can pull.
Your best bet is to put the VMs on an isolated network that can only access resources that don't need protection.
SmartOS is pretty amazing. You can create virtual environments that share a kernel space, meaning that YOUR os is running directly on the hardware, making it _extremely_ fast with almost no overhead. The file system (ZFS) is also 'shared' using zones and pools so there's almost no cost there either. Migration a vm between SmartOS hosts is also a pretty amazing thing. You can also create virtual NICs and route/bond/segment/tapdance. SmartOS has it's roots in Solaris, so it's a little different than Linux, but for the most part anyone with Unix experience can figure it out.
Depending on your equipment and the time you want to spend, oVirt might be an answer.
Although it is still fairly new and is in development, it runs on CentOS6, is free, can handle multiple guest OSes, can create VM's from a template, and has a power users portal page where trusted students/employees can create their own VM from supplied templates. This way, no student would have access to the host OS, but could create a VM as needed. The downside is that it can get quite complicated to set up the system, and could take a bit of time to learn and set it up properly. Since it is free, you are also dependent upon community support.
You can access more info here.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
ESXi. Its free, powerful, and offers a lot of pre-built appliances. I don't see any safety concerns if the network is segregated. If you have specific VM's that you want the students to learn within, keep screenshots of those so that you may roll anything back that gets damaged. This is great because it allows them do pretty much anything they want without creating a maintenance headache for you.
If you want to teach them about specific technologies using VMs that go hand and hand with programming (like source control, bugzilla, configuring web servers, etc), turnkeylinux.org offers many free linux appliances that will make your job easy.
Meow
http://ask.slashdot.org/story/13/05/26/1813216/ask-slashdot-which-100-user-virtualization-solution-should-i-use
Very similar to what you want.
Pulling physical cables is a quick and fast way to know they are not on the network and that is more of a way to backup to remote control. What about a firewall box on the link from the switch the VM's are on to the rest of the network?
And I don't have a lot of faith in you having to ask these questions on slashdot.
A lot of the tech surrounding vm tech is all about transfer of knowledge from one system admin generation to the next. But more accurately the "lack of conceptual knowledge and communications".
Reinventing the Wheel, or Not invented here.. have become accepted Mantra's in the Computer Engineering field.. to be distinguished from the Computer Science field as those who actually "implement a class" as opposed to those who merely "declare a class".
A key thing is a VM has a bootloader.. which appears about as useful as a vestigal appendicts on the whole of it.
But vm's are all about the "illusion" of control and "independence" its a overhead we accept so we do not have to learn more about system resources, so that we are portable and hardware platform agnostic.
As muchb as we'd like to think we're "smarter" and "better" than the last generation, we are not, we merely have gone the way.. that requires the least of the last generation and threatens their pre-eminence the least.. while they retire and go down with the sinking "Big Iron" of their day. MicroComputers buried the Macro.. Nano and Quantum will bury them.
Thanks for going the extra mile with your students.
As AC said, a separate LAN or VLAN, or multiple separate LANs/VLANs handles most of what's posted below. For example, a rogue DHCP server would only be visible on that VLAN.
Red Hat has a Virtualization Security section in their manual:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Security_for_virtualization.html
CentOS/RHEL includes comprehensive support for KVM with virt-manager. While VirtualBox et al are fine for running one or two virtual machines on your desktop, for many VMs, with new ones created and removed each semester, the enterprise level support of KVM built into the distro is more appropriate. That support includes creating VLANs within the same management interface, for example, and integrates with the built in storage stack administration tools. Again, VirtualBox may be simpler to set up for one or to two machines, so I'm not saying it's not good - it's just not the best tool in this particular scenario. In this type of scenario, the KVM / virt-manager / virsh stack that RH baked in is probably a better match to the needs.
You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.
If you were joking, I got a pretty solid LOL out of it.
Oracle Virtualbox and VmWare. I use VirtualBox, which is free.
It is not fast nor quick at 2am. Which is when one bored kid is going to try to find out how much fun he can have with an arp black hole or other such silliness.
What about it? Should there be one? Of course it should probably even limit traffic to just http and other services they absolutely must have, there should also be an IDS on their network segment. That does not change the fact that VLANing off these folks is the best practice and that NAT offers nothing extra for this. You would not be trying to protect the VMs, but be protecting others from them.
Even VLANs allow for DoS attacks - the VLAN runs on the host, not the guest, and bypass the limits you set on the guest. A malicious user controlling one or more VMs can flood the VLAN(s) and cause the host to slow down (or worse).
Other ways to attack a host or other guests from a VM apart from networking include (but are not limited to) shared resources like USB, CD/DVD, serial, disk (sync flood!) and perhaps most of all, hardware accelerated graphics.
If you really have to protect the host and other VMs from each other, you need to turn off all shared resources, and run the VM hypervisor/manager under SELinux and configured(!) cgroups, preferably with each VM having its own disk.
Actually I was suggesting not sharing NICs and using VLANs on a managed switch, if at all possible. So each VM has its own NIC and VLAN. They would not be allowed to talk to each other.
I should have made my proposal more clear.
Ignore all these suggestions and put them on a completely separate network. There's absolutely no need for this to be on the same network as the rest of the school, so why even bother? The best way to guarantee that stuff on one network is protected from another? Don't connect them.
This is not a technical problem. Anyone caught hacking and doing damage will be failed. Period. That should be the most important security you setup. After that, do some due diligence setting up these other things.
They can start each class with a fresh snapshot. In effect they would be restoring from backups. The configuration files from some other networked storage or their thumb drives and the applications themselves from the repositories. I've done something similar, but on bare metal, and after about half a dozen times they don't notice -- it had become such second nature to install and restore applications. Heck you might even have them practice installing the whole system from scratch. If you go that route, they can become quite proficient with installation and resource allocation. PXE booting a netinstall image helps there.
However, once you start to load packages from the net things can really slow down unless you prepare. The best way is to have a cache like APT-Cacher or Squid on your LAN or host system and have them configure their systems to use it for APT. For the cache to be most effective, you have to pre-load it before each class. That's easy and can be done while doing other things. It only takes time not attention. But once you have the cache loaded, installation will fly and can be done in 15 - 20 minutes. After that they weren't shy about installing on their own computers at home or helping their friends.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
So far, I see lots of advice about VM breakouts and network isolation. If this were a production datacenter where uptime was a criteria, this is all well and good. I suspect that this isn't what you need to hear, however.
I see three things you could be attempting to protect:
1) The larger school network.
2) The VM host infrastructure.
3) The VMs themselves.
1) A student on a VM is no more dangerous to the network than one who can connect to the school wireless with a laptop or smartphone. If the lab uplinks to the same network as the broader access, your risk profile is unchanged.
2) Make sure the VMs can't route to the host and keep it patched. If a student managed to break out of a VM in a patched hosting environment, do some forensics and find the bug then sell it. It's probably worth more than you make in a year. Seriously, if they can do this, they deserve to win. You might as well worry about protecting against nation-state sponsored attacks.
3) Make sure that the class work is backed up (a git server, perhaps) and then don't worry about it. Seriously, just throw the VMs away after each class (or every night, etc) and start with a clean one the next time they log in. Don't spend time trying to outsmart a classroom full of bored highschoolers. Instead, make it so it doesn't matter when they break something.
oVirt is definitely what you want to be using...
Excellent advice.
KVM is commercial-grade, and works amazingly well with Centos.
If some of your better students are up to the challenge, you can get them to co-operate with some large-scale VM management tools like OpenStack. They might even set-up the management systems to make it easy for you to repeat the process for your next batch of students! OpenStack is largely written in Python, so they can get extra creative.
Have a look at Proxmox as a virtualiztion solution. It would allow your students to access their VMs via a web browser. For network security, you could connect all the VMs together with a virtual LAN that isn't connected outside the server.
All this talk about VirtualBox and nobody talks about Proxmox?
You can do OpenVZ/KVM from the same bare metal.
A malicious user controlling one or more VMs can flood the VLAN(s) and cause the host to slow down (or worse).
Why do we care about protecting the students from themselves? This is about the teacher protecting his jobs by sandboxing his students.
I suggest you look at Cloudstack, you will be able to let your student use their own VLANs and full root VM (KVM).
but using oVirt and OpenNebula will expose his students to an entirely new class of technology
I would have killed for this in high school. Kudos to you, what a great job.
Not themselves - each other. And who else may be using the host machine.
Allowing the students to create their own VM's implies that they'll be root on the hypervisor.
No, it doesn't. Virsh only requires to be told to let you manage VMs, done via group membership. There are also several web-based VM management tools so they don't even have to have shell access.
Also, you have heard of sudo, right? And limited command shells?
There's a lot of underwear-ringing here by people who have no fucking clue what they're talking about.
Please help metamoderate.
the answer was prox mox, and the question has lost luster
There are a lot of good answers here to your direct question, but I'd like to step back and look into solutions that are recently available for the more general problem you are facing.
I have to wonder what it's costing the school district to acquire and maintain the hardware to run your classes. On top of that, you're having to worry about the overhead of securing/patching and maintaining backups.
(Disclaimer: I work for Google on Compute Engine.)
Have you evaluated whether an IaaS service like Google Compute Engine would be more convenient and cost-effective? Security, backups, and persistent storage are all taken care of for you. Google's base VMs are 13.2 cents per hour. For a class of 30, that's about $4 per class session. There are about 180 days in a school year, so that's $720 per class for the entire year. If you have 4 classes a day, that's about $3,000 for the entire year, assuming your VMs are all running the entire time every class session. In practice, if I were teaching the class, I'd lecture for 3 days a week and have VM time 2 days a week, with the option of the students being able to access their VMs outside of class from home, so the actual cost will probably be lower.
As far as hardware is concerned, Chromebooks are $250 each. I bet you're spending significantly more than that per machine in your labs. You can use the terminal tab in ChromeOS to SSH into the VM instances.
Have you considered an IaaS provider? If not, I'm curious to hear how the current offerings out there in the market fall short of the solution you're looking into now.
Maybe it's just me, but as a student I loved finding security holes in the software we used, and I constantly used my knowledge to mess around with stuff I shouldn't have. One day, a teacher gave me the admin password to all the machines (I already knew what it was thanks to rainbow tables, but it was being trusted to me). I never did anything destructive/malicious/harmful on that computer system again.
Just my $0.02
Sneaker net only. It's not convenient for you but once everything is setup as a self contained unit then unplug the uplink to the rest of the world.
Point your students at VirtualBox's download page and give them a pre-created image for your lab. Let them learn how to setup the software, configure the image, etc. It would be a good lesson for them in visualization and your work would be minimal.
You could pre-setup the security in the image with a generic user, firewall access as needed, maybe a home folder on NFS. If they have problems, they can just start the image over again.
Instead of VMs and all the overhead have you considered implementing Raspberry PIs or something? I don't know what kind of funding or economic level your district is, but a $35 lab fee to provide every kid with their very own Raspberry PI might be a better way to approach this experiment. And they get to take them home ever day and they get to keep them when the class is over.
They could still be used on a segregated LAN, or wireless, or whatever. You would have to provide HDMI jacks and USB hubs at each seat in your lab for the PI though.
Just an idea.
I just spent a bunch of time messing with free AWS instances. It was a great way to larn up on Linux stuff.
I'm a software engineer; not a Linux sysadmin, so I needed to learn a lot (still do).
The AWS stuff was enough to get me to the point where I spun up a Linode VPS, and I've been setting up my "real" server there.
As an educator, you could probably get a deal on some kind of cloud server arrangement. Maybe Amazon, maybe Rackspace. There's a few of them out there, but they tend to end up resolving to these two.
That way, all the grunt work is SEP.
It is...
Open
Free
Runs KVM
Can isolate students easily via vlans or using open vswitch (my preference)
Provides NAT to virtual nets so the student instances aren't naked on the Internet
Works on all major distros. I
know of a well really known company that conducts technical training by providing OpenStack provisioned VMs to students. The students all have root access.
Thanks for going the extra mile with your students.
Go even further: ask your students to help design the lab.
-Intentional breakage is reduced by giving students some ownership of the problem.
-Unintentional breakage is reduced by getting direct insight into the mistakes they've made.
So, I co-wrote this book on virtual security and am a former VMware Cloud Solutions Architect. And I'll preface this advice by saying that, if you want to talk more in depth, feel free to ping me. First initial, last name at gmail will work. (The email I have attached to slashdot I glance at occasionally, but it gets almost purely spam and so I'd likely miss anything.)
From my perspective, the first question is which hypervisor to use:
- VMware is mature, you can get a free license for the base hypervisor (which is quite feature rich; this is no trial product) for up to 32GB per physical box, is widely used. If VMware remains as relevant in the future as it is now, it's actually a very solid skillset to have.
- If you have physical hosts over 32GB, VMware ceases to be free
- Some features require more advanced VMware stuff, including vCenter server, which isn't free - for example, VMware's live vm migration feature (vMotion)
- VMware is almost entirely closed on the internals; hypervisor is closed source (other than a not-useful-for-your-purposes "open source" bundle that contains their modified GPL code only); they have a bunch of APIs for internal functions (ie, tracking changed blocks on the virtual iscsi devices, for example), but those are generally restricted to partners; so if your students want to actually hack the virtualization layer, they can't. Then again, letting them do so wouldn't really be safe.
- On the other hand, VMware layers do have nice APIs that are reasonably accessible for doing non-internals stuff; things like powering VMs on and off, changing their allocated RAM and cpus, etc
- VMware has a nice set of tools, including CLI tools, which work well even with the free versions, that can allow you to move virtual machines in and out of specific hypervisors (not while the VMs are powered on), and into and out of VMware's desktop products (Workstation for Windows and Linux, Fusion for Mac). (google ovftool for the cross-platform CLI tool, for example; it can import/export to/from ESX, vCenter Server, Workstation, Fusion, and vCloud instances)
- VMware has a nice set of tools for snapshots and backups, even on the base hypervisor; for example, I have a personal ESX box at a provider and I use this tool to back up the VMs back and forth, which can be done from outside the OS without powering the VM down, and it's free.
- I found using some things I'd think of as mandatory for a lab environment (ie, thin provisioning) were just built-in on the VMware side and required a fair bit of extra work and added extra wrinkles
The virtual networking on VMware is dramatically more mature from my experience; my experience with Xen & KVM is now dated (it's been 2 years since I was in the thick of writing that book, which was the last time I was really in the thick of exploring the open-source hypervisor networking bits). I found that depending on the version of the hypervisor OS, which hypervisor, which kernel, which guest, etc, you could fall into all sorts of traps. I had some examples in the book where I showed, for example, generating and applying ebtables configurations to the host OS (the Xen Linux hypervisor OS) to block forged frames from coming across the bridge from one of the guest Linuxes, for example.
Compare that to the VMware side, you could in theory wire up everything to dumb hubs, even, and enforce network separation at the hypervisor layer with VLAN tags applied to the portgroups where you attach VMs. (Warning: not suggesting you blindly do that; but VLAN enforcement on the VMware side is fairly rigid if configured in a good way.)
My own book is a fun read for some of these concerns, although Haletky's book is probably the canonical work on the subject. (Although it is -slightly- dated from bein
If you're trying to teach your students about routing, and various network setups and topologies, I can't think of a better tool than the CORE Virtual Machine Image.
http://cs.itd.nrl.navy.mil/work/core/
You can set up full fledged networks inside the Virtual environment, complete with BGP, OSPF, DHCP, DNS, FTP, and whatever other servers you want, all in a SINGLE VIRTUAL MACHINE image. If they get really adventurous, CORE instances can even be linked together for group projects.
It even has support for wireless emulation using EMANE.
The networks can be (and usually are) completely contained in the (virtual) machine running the CORE software. No worrying about VLANS, or any of that, because the packets never leave the VM at all.
The REALLY cool thing about it for education is the networks are self contained, with all the configuration in a single save file. (Daemon configurations, along with all the various node configurations and network topologies). So, you would be able to create assignments based on the environment, and have the kids open them up, to play with them themselves. It can also randomly generate certain topologies for you.
I use the system for testing various network changes in a testbed before taking them live on a real network. It works VERY well.
I think it would work great for you, and I suggest you give it a look.
Jonathan
Another thing to add to this - my enterprise VM knowledge is pretty much limited to VMware, and I do know that if you use VMware, you can use the VMware Distributed Switch (VDS) which supports PVLANs. Place each individual set of VM's that belong to a given student into a community PVLAN, and make your default gateway a promiscuous PVLAN.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
It's not really VLAN's that are the issue here.. It's "Broadcast domain" isolation. Separate sub-net and broadcast domain is required (usually accomplished using a VLAN on a managed switch, but not always). NAT is also somewhat useful depending on where you put the WAN connection in your network. But, you are correct, you *really* need a firewall/Router that manages the external network access to the *MINIMUM* necessary in *BOTH* directions and a NAT only works in one direction.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Are you trying to turn them off programming or just show them how bad it can really get? Trial by fire?
KVM is the virtualization technology that works the best with Linux.
http://smartos.blueprint.org/home/why-smartos-in-my-lab
http://hak5.org/episodes/episode-820
They set up a server cluster for hacking competitions. It may well be worth your time too look at what they did.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
You have a couple of options;
1) Use a container type environment without virtualisation like http://opensource.com/education/12/8/harvard-goes-paas-selinux-sandbox
2) Run your VM's on a RHEL based hyper visor with KVM and get the benefits of sVirt ( http://selinuxproject.org/page/SVirt ) isolation for free via libvirt.
3) Look at something more like OpenShift Origins to do PaaS with mandatory access control.
Either way, a huge kudos to you. I know I failed IT in high school because I disagreed with java>all and I am excited to see at least one educational institution heading in a much more promising direction.
Cheers,
Kahn
Segregated networks went out with the 50's ... you may want to think some more on this before instituting segregation of your students.
libvirt, as used by CentOS, also has virtual switches. The libvirt virtual switches can do IP masquerading NAT, routing mode, or complete isolation mode.
http://wiki.libvirt.org/page/VirtualNetworking
I would suggest vmware KVM or XEN.
NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
Since each student will probably only need 1 or 2 vms virtual box from oracle would be just fine and free. It also works well with a developer / system admin practice tool call vagrant... Which allows one to spin up, roll back, and destroy virtual machines at will via command shell as if one was SSHed into thier vm. (Will force your students to learn how to manage thier machines without a GUI) and if they break something developing or just brick themselves administering its as easy as typing vagrant destroy and then vagrant up and back in business. As far as root access: Yes they should be given the power on their vm to root and then discouraged to use it. They should be encouraged to set up appropriate user/groups and permissions on their vm as consistent with Linux/unix best business practices and appropriately manage their sudoers file. They can elevate themselves when necessary via the sudo command, and disable telnet completely and disable root login through SSH. All this will start good hygiene and practices for day 1.