Slashdot Mirror
Ask Slashdot: Safe Learning Environment For VMs?
First time accepted submitter rarkian writes "I am the teacher in this story. I teach Python and C++ to high school students: grades 9-12. I use CentOS 6 with DRBL to run my computer lab. Some of my students have become Linux experts. Next year I'm planning on allowing students to create and run their own VMs in a segregated LAN. Any advice on which virtualization technology to use and security concerns with allowing students to be root in a VM?"
for each of the students and don't allow any interface between them...and certainly no main network/internet access.
The whole point of a VM is that being root isn't a safety concern.
No sig today...
No matter what you use, unless it's hard to install and configure the slack-jawed neckbeards of Slashdot won't bless it with their magic wand.
Just get some flavor of VMware and move on with your life.
Vagrant is a wrapper for Virtualbox and VMWare Workstation that accelerates the deployment of development environments.
http://www.vagrantup.com/
I don't think you need to worry about OS security, since that is the point of using VMs. However, the "key" to this question is the definition of "segmented." There are host of nefarious and simple mistakes you can make to completely trash the network of the of the VMs. I would recommend disabling multicast.
Banning the use of fork() can't hurt either.
Virtual Box is lightweight and it won't matter if they are root. A VM eliminates all that trouble.
"Oh you crashed the hell out of that machine, didn't you? oh well, reinstall."
Since you are segregating the network they will have no outside access and no re...WTF am I saying?...VLANs
"That's right...I said it."
virtual box is great. its free/open-source well supported on windows mac and linux. itis easy to set up. has the ability to take snapshots on the vm to roll back at a moments notice. good documentation don't know what else you could need here.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
The fact that your using VM's is largely moot and goes back to the line of thought that VM's are somehow not 'real' computers. VM's run the same operating systems, software, have the same bugs, vulnerabilities and everything else as a physical computer. You need to patch them just like any other computer and you need to license them just like a regular computer. The fact that they are VM's really only makes two differences practical differences that matter, fist is that is easy to roll them back and second is that your aren't running on bare metal.
In other words you have a core issue that needs addressed of giving students root access to a computer. In an isolated environment this isn't necessarily a bad thing. Understand that they exploit root and see what they can do with it, however they are there to learn and if you can do so safely and without disruption of what your trying to teach then let them. Your focus needs to be on making it safe for those around them and that means making sure your VLAN and any related Internet access are properly setup. The lab is a lab and as long as you can make sure they aren't getting access to anyone persons computer than let them have at it.
A good rule of thumb is to roll your sessions back prior to the start of every single class. This always gives a fresh machine and the students will quickly learn how to set their VM just the way they want it.
Make sure you have SELinux enabled (and enforcing!) on the VM host, and keep the VMM software updated... there sometimes are security holes in VMM software which can be exploited. SELinux can help contain a breached VMM.
Just in case anyone gets a bit... shall we say "Adventurous" and tries to use their root access boxen to attack something they shouldn't, it might be worth isolating the VMs on their own VLAN away from the rest of the network, if you haven't already.
Next year I'm planning on allowing students to create and run their own VMs
Running their own VM's is straightforward. Allowing the students to create their own VM's implies that they'll be root on the hypervisor.
Do you intend to run the hypervisor on the client machines of the DRBL system, or run a single hypervisor on the server and deploy the VM's there as DRBL clients?
To satisfy your requirements you probably want to run the hypervisor on the clients so they students can each have their own root on the hypervisor. This would require a hypervisor compatible with DRBL. I don't know how it works, but just from reading the description on the webpage, it sounds like it's geared to PXE booting a host OS.
If you go with Xen, you'll have to probably separately PXE boot Xen and then DRBL boot the Dom0. Which would probably work fine and get you decent performance, but it will expose the students to DRBL (is this what you want?)
If you go with KVM, the performance is a bit slower, but for a student shop that's probably OK, and you'll be able to DRBL-deploy the hypervisor and then let the students create their own non-DRBL (or DRBL) guests. This probably fits your model the best unless you have old hardware that KVM does not support - then you might need to go with the Xen-PXE-Boot model (because it can paravirtualize without hardware assistance).
You could also use VirtualBox, and while it offers a nice GUI, it's probably too simple for teaching your students about virtualization (it just feels like an app).
BTW, it sounds like you're doing great work based on that article. Kudos on your accomplishments and being an inspiration for others in your field.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.
Don't let the higher-ups know you're running a rebel operating system, you might just get canned. What use is running Linux in school anyway, when the students should be learning REAL job skills (I.E. Microsoft Office)? /sarcasm
(Sorry, I have been tainted by the education "industry" when it comes to anything Linux in school).
It is pitch black. You are likely to be eaten by a grue.
I see this as being similar to when we needed to have all of our developers in my company working in an environment that absolutely matched the production environment. Just use VMWare on each individual machine, run an Ubuntu image in that and best of all use a Puppet script to customize it and give 'em the goodies they need. The beauty of this is once the kids screw it up (and let's hope they do, they're learning after all) then you can rebuild this back to a pristine machine in no time. Good luck!
No, stop!
NAT is not the correct solution to this nor would it help. NAT does not stop anyone scanning outward, the NAT router will setup the address translation just as it should. VLANS are the correct answer. Pulling physical cables is too much work, and cannot be done remotely.
First, you're going to want to set a segregated network that cannot talk to the main network (A DMZ), your router accomplishes this in most cases.
Second, there's 2 big options for you to look at: VMWare ESXi & Xen both are hypervisors that run on server hardware and can host as many VMs as the hardware can handle. Hyper-V may also be an option if you're part of the MSDN alliance. Install and configured chosen host software.
Third, set up individual VMs, you're on a DMZ, so giving root is fine, the main network cannot be reached. You should be able to create a template and spawn the rest of the VMs off that.
Fourth, have the students remote into their VMs.
You could also look at it like this. If your students can crack their VM environment and run wild, hacking away, changing grades, and setting up Paypal fraud websites, then you have taught them very well and they will go on to a long and prosperous career, hopefully working for the good guys.
sudo make me a sandwich
SmartOS is pretty amazing. You can create virtual environments that share a kernel space, meaning that YOUR os is running directly on the hardware, making it _extremely_ fast with almost no overhead. The file system (ZFS) is also 'shared' using zones and pools so there's almost no cost there either. Migration a vm between SmartOS hosts is also a pretty amazing thing. You can also create virtual NICs and route/bond/segment/tapdance. SmartOS has it's roots in Solaris, so it's a little different than Linux, but for the most part anyone with Unix experience can figure it out.
Depending on your equipment and the time you want to spend, oVirt might be an answer.
Although it is still fairly new and is in development, it runs on CentOS6, is free, can handle multiple guest OSes, can create VM's from a template, and has a power users portal page where trusted students/employees can create their own VM from supplied templates. This way, no student would have access to the host OS, but could create a VM as needed. The downside is that it can get quite complicated to set up the system, and could take a bit of time to learn and set it up properly. Since it is free, you are also dependent upon community support.
You can access more info here.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
ESXi. Its free, powerful, and offers a lot of pre-built appliances. I don't see any safety concerns if the network is segregated. If you have specific VM's that you want the students to learn within, keep screenshots of those so that you may roll anything back that gets damaged. This is great because it allows them do pretty much anything they want without creating a maintenance headache for you.
If you want to teach them about specific technologies using VMs that go hand and hand with programming (like source control, bugzilla, configuring web servers, etc), turnkeylinux.org offers many free linux appliances that will make your job easy.
Meow
Pulling physical cables is a quick and fast way to know they are not on the network and that is more of a way to backup to remote control. What about a firewall box on the link from the switch the VM's are on to the rest of the network?
Thanks for going the extra mile with your students.
As AC said, a separate LAN or VLAN, or multiple separate LANs/VLANs handles most of what's posted below. For example, a rogue DHCP server would only be visible on that VLAN.
Red Hat has a Virtualization Security section in their manual:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Security_for_virtualization.html
CentOS/RHEL includes comprehensive support for KVM with virt-manager. While VirtualBox et al are fine for running one or two virtual machines on your desktop, for many VMs, with new ones created and removed each semester, the enterprise level support of KVM built into the distro is more appropriate. That support includes creating VLANs within the same management interface, for example, and integrates with the built in storage stack administration tools. Again, VirtualBox may be simpler to set up for one or to two machines, so I'm not saying it's not good - it's just not the best tool in this particular scenario. In this type of scenario, the KVM / virt-manager / virsh stack that RH baked in is probably a better match to the needs.
You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.
If you were joking, I got a pretty solid LOL out of it.
Oracle Virtualbox and VmWare. I use VirtualBox, which is free.
It is not fast nor quick at 2am. Which is when one bored kid is going to try to find out how much fun he can have with an arp black hole or other such silliness.
What about it? Should there be one? Of course it should probably even limit traffic to just http and other services they absolutely must have, there should also be an IDS on their network segment. That does not change the fact that VLANing off these folks is the best practice and that NAT offers nothing extra for this. You would not be trying to protect the VMs, but be protecting others from them.
Even VLANs allow for DoS attacks - the VLAN runs on the host, not the guest, and bypass the limits you set on the guest. A malicious user controlling one or more VMs can flood the VLAN(s) and cause the host to slow down (or worse).
Other ways to attack a host or other guests from a VM apart from networking include (but are not limited to) shared resources like USB, CD/DVD, serial, disk (sync flood!) and perhaps most of all, hardware accelerated graphics.
If you really have to protect the host and other VMs from each other, you need to turn off all shared resources, and run the VM hypervisor/manager under SELinux and configured(!) cgroups, preferably with each VM having its own disk.
Actually I was suggesting not sharing NICs and using VLANs on a managed switch, if at all possible. So each VM has its own NIC and VLAN. They would not be allowed to talk to each other.
I should have made my proposal more clear.
They can start each class with a fresh snapshot. In effect they would be restoring from backups. The configuration files from some other networked storage or their thumb drives and the applications themselves from the repositories. I've done something similar, but on bare metal, and after about half a dozen times they don't notice -- it had become such second nature to install and restore applications. Heck you might even have them practice installing the whole system from scratch. If you go that route, they can become quite proficient with installation and resource allocation. PXE booting a netinstall image helps there.
However, once you start to load packages from the net things can really slow down unless you prepare. The best way is to have a cache like APT-Cacher or Squid on your LAN or host system and have them configure their systems to use it for APT. For the cache to be most effective, you have to pre-load it before each class. That's easy and can be done while doing other things. It only takes time not attention. But once you have the cache loaded, installation will fly and can be done in 15 - 20 minutes. After that they weren't shy about installing on their own computers at home or helping their friends.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
So far, I see lots of advice about VM breakouts and network isolation. If this were a production datacenter where uptime was a criteria, this is all well and good. I suspect that this isn't what you need to hear, however.
I see three things you could be attempting to protect:
1) The larger school network.
2) The VM host infrastructure.
3) The VMs themselves.
1) A student on a VM is no more dangerous to the network than one who can connect to the school wireless with a laptop or smartphone. If the lab uplinks to the same network as the broader access, your risk profile is unchanged.
2) Make sure the VMs can't route to the host and keep it patched. If a student managed to break out of a VM in a patched hosting environment, do some forensics and find the bug then sell it. It's probably worth more than you make in a year. Seriously, if they can do this, they deserve to win. You might as well worry about protecting against nation-state sponsored attacks.
3) Make sure that the class work is backed up (a git server, perhaps) and then don't worry about it. Seriously, just throw the VMs away after each class (or every night, etc) and start with a clean one the next time they log in. Don't spend time trying to outsmart a classroom full of bored highschoolers. Instead, make it so it doesn't matter when they break something.
Excellent advice.
KVM is commercial-grade, and works amazingly well with Centos.
If some of your better students are up to the challenge, you can get them to co-operate with some large-scale VM management tools like OpenStack. They might even set-up the management systems to make it easy for you to repeat the process for your next batch of students! OpenStack is largely written in Python, so they can get extra creative.
I would have killed for this in high school. Kudos to you, what a great job.
Not themselves - each other. And who else may be using the host machine.
Allowing the students to create their own VM's implies that they'll be root on the hypervisor.
No, it doesn't. Virsh only requires to be told to let you manage VMs, done via group membership. There are also several web-based VM management tools so they don't even have to have shell access.
Also, you have heard of sudo, right? And limited command shells?
There's a lot of underwear-ringing here by people who have no fucking clue what they're talking about.
Please help metamoderate.
the answer was prox mox, and the question has lost luster
There are a lot of good answers here to your direct question, but I'd like to step back and look into solutions that are recently available for the more general problem you are facing.
I have to wonder what it's costing the school district to acquire and maintain the hardware to run your classes. On top of that, you're having to worry about the overhead of securing/patching and maintaining backups.
(Disclaimer: I work for Google on Compute Engine.)
Have you evaluated whether an IaaS service like Google Compute Engine would be more convenient and cost-effective? Security, backups, and persistent storage are all taken care of for you. Google's base VMs are 13.2 cents per hour. For a class of 30, that's about $4 per class session. There are about 180 days in a school year, so that's $720 per class for the entire year. If you have 4 classes a day, that's about $3,000 for the entire year, assuming your VMs are all running the entire time every class session. In practice, if I were teaching the class, I'd lecture for 3 days a week and have VM time 2 days a week, with the option of the students being able to access their VMs outside of class from home, so the actual cost will probably be lower.
As far as hardware is concerned, Chromebooks are $250 each. I bet you're spending significantly more than that per machine in your labs. You can use the terminal tab in ChromeOS to SSH into the VM instances.
Have you considered an IaaS provider? If not, I'm curious to hear how the current offerings out there in the market fall short of the solution you're looking into now.
Point your students at VirtualBox's download page and give them a pre-created image for your lab. Let them learn how to setup the software, configure the image, etc. It would be a good lesson for them in visualization and your work would be minimal.
You could pre-setup the security in the image with a generic user, firewall access as needed, maybe a home folder on NFS. If they have problems, they can just start the image over again.
So, I co-wrote this book on virtual security and am a former VMware Cloud Solutions Architect. And I'll preface this advice by saying that, if you want to talk more in depth, feel free to ping me. First initial, last name at gmail will work. (The email I have attached to slashdot I glance at occasionally, but it gets almost purely spam and so I'd likely miss anything.)
From my perspective, the first question is which hypervisor to use:
- VMware is mature, you can get a free license for the base hypervisor (which is quite feature rich; this is no trial product) for up to 32GB per physical box, is widely used. If VMware remains as relevant in the future as it is now, it's actually a very solid skillset to have.
- If you have physical hosts over 32GB, VMware ceases to be free
- Some features require more advanced VMware stuff, including vCenter server, which isn't free - for example, VMware's live vm migration feature (vMotion)
- VMware is almost entirely closed on the internals; hypervisor is closed source (other than a not-useful-for-your-purposes "open source" bundle that contains their modified GPL code only); they have a bunch of APIs for internal functions (ie, tracking changed blocks on the virtual iscsi devices, for example), but those are generally restricted to partners; so if your students want to actually hack the virtualization layer, they can't. Then again, letting them do so wouldn't really be safe.
- On the other hand, VMware layers do have nice APIs that are reasonably accessible for doing non-internals stuff; things like powering VMs on and off, changing their allocated RAM and cpus, etc
- VMware has a nice set of tools, including CLI tools, which work well even with the free versions, that can allow you to move virtual machines in and out of specific hypervisors (not while the VMs are powered on), and into and out of VMware's desktop products (Workstation for Windows and Linux, Fusion for Mac). (google ovftool for the cross-platform CLI tool, for example; it can import/export to/from ESX, vCenter Server, Workstation, Fusion, and vCloud instances)
- VMware has a nice set of tools for snapshots and backups, even on the base hypervisor; for example, I have a personal ESX box at a provider and I use this tool to back up the VMs back and forth, which can be done from outside the OS without powering the VM down, and it's free.
- I found using some things I'd think of as mandatory for a lab environment (ie, thin provisioning) were just built-in on the VMware side and required a fair bit of extra work and added extra wrinkles
The virtual networking on VMware is dramatically more mature from my experience; my experience with Xen & KVM is now dated (it's been 2 years since I was in the thick of writing that book, which was the last time I was really in the thick of exploring the open-source hypervisor networking bits). I found that depending on the version of the hypervisor OS, which hypervisor, which kernel, which guest, etc, you could fall into all sorts of traps. I had some examples in the book where I showed, for example, generating and applying ebtables configurations to the host OS (the Xen Linux hypervisor OS) to block forged frames from coming across the bridge from one of the guest Linuxes, for example.
Compare that to the VMware side, you could in theory wire up everything to dumb hubs, even, and enforce network separation at the hypervisor layer with VLAN tags applied to the portgroups where you attach VMs. (Warning: not suggesting you blindly do that; but VLAN enforcement on the VMware side is fairly rigid if configured in a good way.)
My own book is a fun read for some of these concerns, although Haletky's book is probably the canonical work on the subject. (Although it is -slightly- dated from bein
Another thing to add to this - my enterprise VM knowledge is pretty much limited to VMware, and I do know that if you use VMware, you can use the VMware Distributed Switch (VDS) which supports PVLANs. Place each individual set of VM's that belong to a given student into a community PVLAN, and make your default gateway a promiscuous PVLAN.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
It's not really VLAN's that are the issue here.. It's "Broadcast domain" isolation. Separate sub-net and broadcast domain is required (usually accomplished using a VLAN on a managed switch, but not always). NAT is also somewhat useful depending on where you put the WAN connection in your network. But, you are correct, you *really* need a firewall/Router that manages the external network access to the *MINIMUM* necessary in *BOTH* directions and a NAT only works in one direction.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
KVM is the virtualization technology that works the best with Linux.
http://hak5.org/episodes/episode-820
They set up a server cluster for hacking competitions. It may well be worth your time too look at what they did.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
You have a couple of options;
1) Use a container type environment without virtualisation like http://opensource.com/education/12/8/harvard-goes-paas-selinux-sandbox
2) Run your VM's on a RHEL based hyper visor with KVM and get the benefits of sVirt ( http://selinuxproject.org/page/SVirt ) isolation for free via libvirt.
3) Look at something more like OpenShift Origins to do PaaS with mandatory access control.
Either way, a huge kudos to you. I know I failed IT in high school because I disagreed with java>all and I am excited to see at least one educational institution heading in a much more promising direction.
Cheers,
Kahn
libvirt, as used by CentOS, also has virtual switches. The libvirt virtual switches can do IP masquerading NAT, routing mode, or complete isolation mode.
http://wiki.libvirt.org/page/VirtualNetworking
I would suggest vmware KVM or XEN.
NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
Since each student will probably only need 1 or 2 vms virtual box from oracle would be just fine and free. It also works well with a developer / system admin practice tool call vagrant... Which allows one to spin up, roll back, and destroy virtual machines at will via command shell as if one was SSHed into thier vm. (Will force your students to learn how to manage thier machines without a GUI) and if they break something developing or just brick themselves administering its as easy as typing vagrant destroy and then vagrant up and back in business. As far as root access: Yes they should be given the power on their vm to root and then discouraged to use it. They should be encouraged to set up appropriate user/groups and permissions on their vm as consistent with Linux/unix best business practices and appropriately manage their sudoers file. They can elevate themselves when necessary via the sudo command, and disable telnet completely and disable root login through SSH. All this will start good hygiene and practices for day 1.