Ask Slashdot: Safe Learning Environment For VMs?

First time accepted submitter rarkian writes "I am the teacher in this story. I teach Python and C++ to high school students: grades 9-12. I use CentOS 6 with DRBL to run my computer lab. Some of my students have become Linux experts. Next year I'm planning on allowing students to create and run their own VMs in a segregated LAN. Any advice on which virtualization technology to use and security concerns with allowing students to be root in a VM?"

Set up VLANs

for each of the students and don't allow any interface between them...and certainly no main network/internet access.

Re:Set up VLANs

[TheCarp]

> This is Linux were talking about. What could you possibly teach them without an internet
> connection? The only use I see is teaching shell scripting or something, since other tasks like
> package management, and sane server configuration kinda require an active internet connection.

Well Python, that is what he said he wanted to teach them :)

Beyond that, you are right, I say, the key is not security but recovery. Template boxes so that a new VM can be spun up effortlessly, then let them have at it. Segment the lab off from the rest of the network, maybe let the lab out to the internet, but not to the schools internal network.

However the key is, you can always blow away a machine and reimage it to get class moving, so there is no real danger in letting them play. Hell, I took a class that taught us administration and hacking eachother's machines was explicitly allowed, as long as it stayed in the lab. (we were also required to create a guest account as one of the exercises)

Gives the advanced kids who are bored with the class something to do that lets them learn too; I certanly had fun.

Re:Set up VLANs

[LordLimecat]

Not if they are on private VLANs (still not clear if it is a standard or not). VMWare supports this; the idea is roughly analogous to AP isolation on a wifi AP-- "isolated" nodes can all talk to the gateway (the community / public node), but cannot talk to each other.

And VLANs actually are for security, and can provide far superior security than ACLs, since unless you have a trunk port or layer 3 switches, it is impossible for two devices on different VLANs to communicate, short of a switch misconfiguration. Its probably second to air-gapping in terms of security-- its sort of a logical implementation of "air gapped switches", except that they CAN be joined together if someone gets onto the switch.

Vagrant

[Pinhedd]

Vagrant is a wrapper for Virtualbox and VMWare Workstation that accelerates the deployment of development environments.

http://www.vagrantup.com/

VM is irrelevant

[onyxruby]

The fact that your using VM's is largely moot and goes back to the line of thought that VM's are somehow not 'real' computers. VM's run the same operating systems, software, have the same bugs, vulnerabilities and everything else as a physical computer. You need to patch them just like any other computer and you need to license them just like a regular computer. The fact that they are VM's really only makes two differences practical differences that matter, fist is that is easy to roll them back and second is that your aren't running on bare metal.

In other words you have a core issue that needs addressed of giving students root access to a computer. In an isolated environment this isn't necessarily a bad thing. Understand that they exploit root and see what they can do with it, however they are there to learn and if you can do so safely and without disruption of what your trying to teach then let them. Your focus needs to be on making it safe for those around them and that means making sure your VLAN and any related Internet access are properly setup. The lab is a lab and as long as you can make sure they aren't getting access to anyone persons computer than let them have at it.

A good rule of thumb is to roll your sessions back prior to the start of every single class. This always gives a fresh machine and the students will quickly learn how to set their VM just the way they want it.

Re:VM is irrelevant

[Archangel+Michael]

VMs have one advantage that non-virtualized systems don't have. The ability to put several machines in their own sandboxed network, all managed by a single student who needs to demonstrate cooperating systems. Give every student a template of needed machines and a VM server and you have a small lab on every computer. One that is easily setup, cleared and re-setup for every class, and as needed.

VMs are a perfect solution for advanced computer systems management training.

'Create' is the tricky part

[bill_mcgonigle]

Next year I'm planning on allowing students to create and run their own VMs

Running their own VM's is straightforward. Allowing the students to create their own VM's implies that they'll be root on the hypervisor.

Do you intend to run the hypervisor on the client machines of the DRBL system, or run a single hypervisor on the server and deploy the VM's there as DRBL clients?

To satisfy your requirements you probably want to run the hypervisor on the clients so they students can each have their own root on the hypervisor. This would require a hypervisor compatible with DRBL. I don't know how it works, but just from reading the description on the webpage, it sounds like it's geared to PXE booting a host OS.

If you go with Xen, you'll have to probably separately PXE boot Xen and then DRBL boot the Dom0. Which would probably work fine and get you decent performance, but it will expose the students to DRBL (is this what you want?)

If you go with KVM, the performance is a bit slower, but for a student shop that's probably OK, and you'll be able to DRBL-deploy the hypervisor and then let the students create their own non-DRBL (or DRBL) guests. This probably fits your model the best unless you have old hardware that KVM does not support - then you might need to go with the Xen-PXE-Boot model (because it can paravirtualize without hardware assistance).

You could also use VirtualBox, and while it offers a nice GUI, it's probably too simple for teaching your students about virtualization (it just feels like an app).

BTW, it sounds like you're doing great work based on that article. Kudos on your accomplishments and being an inspiration for others in your field.

VLANs, RH Virtualization Security manual, virt-man

[raymorris]

Thanks for going the extra mile with your students.

As AC said, a separate LAN or VLAN, or multiple separate LANs/VLANs handles most of what's posted below. For example, a rogue DHCP server would only be visible on that VLAN.

Red Hat has a Virtualization Security section in their manual:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Security_for_virtualization.html

CentOS/RHEL includes comprehensive support for KVM with virt-manager. While VirtualBox et al are fine for running one or two virtual machines on your desktop, for many VMs, with new ones created and removed each semester, the enterprise level support of KVM built into the distro is more appropriate. That support includes creating VLANs within the same management interface, for example, and integrates with the built in storage stack administration tools. Again, VirtualBox may be simpler to set up for one or to two machines, so I'm not saying it's not good - it's just not the best tool in this particular scenario. In this type of scenario, the KVM / virt-manager / virsh stack that RH baked in is probably a better match to the needs.