Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Safe Learning Environment For VMs?

timothy posted about a year ago | from the first-do-no-harm dept.

Virtualization 212

First time accepted submitter rarkian writes "I am the teacher in this story. I teach Python and C++ to high school students: grades 9-12. I use CentOS 6 with DRBL to run my computer lab. Some of my students have become Linux experts. Next year I'm planning on allowing students to create and run their own VMs in a segregated LAN. Any advice on which virtualization technology to use and security concerns with allowing students to be root in a VM?"

Sorry! There are no comments related to the filter you selected.

Set up VLANs (4, Insightful)

Anonymous Coward | about a year ago | (#43841605)

for each of the students and don't allow any interface between them...and certainly no main network/internet access.

Re:Set up VLANs (2, Insightful)

ttucker (2884057) | about a year ago | (#43841957)

for each of the students and don't allow any interface between them...and certainly no main network/internet access.

VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.

Re:Set up VLANs (0)

Anonymous Coward | about a year ago | (#43842231)

VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.

This is simply not true. You're probably referring to 802.1q tag hopping attacks, which are not particularly difficult to prevent.

Re:Set up VLANs (0)

Anonymous Coward | about a year ago | (#43842263)

Well, depending on the switch you might also be able to run timing attacks or DOS.

Re:Set up VLANs (1)

Anonymous Coward | about a year ago | (#43842473)

VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.

I don't think you understand VLANs or switching as well as you think you do.

Re:Set up VLANs (1)

Anonymous Coward | about a year ago | (#43841965)

...and certainly no main network/internet access.

This is Linux were talking about. What could you possibly teach them without an internet connection? The only use I see is teaching shell scripting or something, since other tasks like package management, and sane server configuration kinda require an active internet connection. Assuming these are wiped on exit, (and they should be) I see no problem with giving them root and network access. Probably the worst they could do is a ping scan or attempt to screw with other hosts by changing local ip addresses, all of which can be handled by having the instructor watch what the students are doing, or kicking them off the campus network.

VLANs, RH Virtualization Security manual, virt-man (5, Informative)

raymorris (2726007) | about a year ago | (#43842095)

Thanks for going the extra mile with your students.

As AC said, a separate LAN or VLAN, or multiple separate LANs/VLANs handles most of what's posted below. For example, a rogue DHCP server would only be visible on that VLAN.

Red Hat has a Virtualization Security section in their manual:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Security_for_virtualization.html

CentOS/RHEL includes comprehensive support for KVM with virt-manager. While VirtualBox et al are fine for running one or two virtual machines on your desktop, for many VMs, with new ones created and removed each semester, the enterprise level support of KVM built into the distro is more appropriate. That support includes creating VLANs within the same management interface, for example, and integrates with the built in storage stack administration tools. Again, VirtualBox may be simpler to set up for one or to two machines, so I'm not saying it's not good - it's just not the best tool in this particular scenario. In this type of scenario, the KVM / virt-manager / virsh stack that RH baked in is probably a better match to the needs.

Re:VLANs, RH Virtualization Security manual, virt- (1)

Anonymous Coward | about a year ago | (#43842453)

Excellent advice.

KVM is commercial-grade, and works amazingly well with Centos.

If some of your better students are up to the challenge, you can get them to co-operate with some large-scale VM management tools like OpenStack. They might even set-up the management systems to make it easy for you to repeat the process for your next batch of students! OpenStack is largely written in Python, so they can get extra creative.

Safety? (1)

Joce640k (829181) | about a year ago | (#43841607)

The whole point of a VM is that being root isn't a safety concern.

Re:Safety? (2, Interesting)

Anonymous Coward | about a year ago | (#43841679)

Unless they take down the network, e.g. running a rogue DHCP server. Or they use it to hack other systems on the network, e.g. password-sniffing the other student's credentials when they log in from their VMs.

Re:Safety? (0)

Anonymous Coward | about a year ago | (#43841709)

Being root doesn't make you domain admin.

Re:Safety? (1)

Anonymous Coward | about a year ago | (#43841809)

The examples I gave do not require you to be domain admin. Just root.

Re:Safety? (1)

NatasRevol (731260) | about a year ago | (#43842059)

Not even root on some of your examples.

Re:Safety? (1)

Baton Rogue (1353707) | about a year ago | (#43842111)

Unless they take down the network, e.g. running a rogue DHCP server.

Put the lab in a separate network, where this would not be an issue.

Or they use it to hack other systems on the network

Block access from the lab to the rest of the network, and/or get a separate DSL/cable internet for just the lab.

password-sniffing the other student's credentials when they log in from their VMs.

Use SSH for remote logins, and this will not be an issue. Even if a student does guess another student's VM account password, all they can do is screw up (or copy) someone else's work

Re:Safety? (3, Interesting)

Joce640k (829181) | about a year ago | (#43842435)

Unless they take down the network, e.g. running a rogue DHCP server. Or they use it to hack other systems on the network, e.g. password-sniffing the other student's credentials when they log in from their VMs.

So... nothing they couldn't do much easier/more safely by just pulling the network cable out of the physical machine and connecting it to their netbook?

Re:Safety? (2)

fwice (841569) | about a year ago | (#43841697)

if the VM has a full root account, with a network address on the global network at large, then it has the ability to, for example, run a priviledged NMAP scan on the entire network. Which can expose open ports or vulnerabilities on another machine that can then be used to leverage access.

Re:Safety? (1)

denmarkw00t (892627) | about a year ago | (#43841741)

and run their own VMs in a segregated LAN

Sounds like they'll be on their own little LAN

Re:Safety? (2)

Nerdfest (867930) | about a year ago | (#43841909)

They can always plug in their own laptop and do that anyway.

Re:Safety? (3, Informative)

Archangel Michael (180766) | about a year ago | (#43842009)

Which is why they need to setup their own VLAN to isolate the VMs to the classroom. VM traffic is isolated to non-routing VLANS. They call this setup a "sandbox", and it is generally a good practice for classroom work.

As for which VM technology to use ... VMWare, or ZEN or even Microsoft's version are usable. VMWare is sort of free, Xen definitely is. I'm not familiar with pricing on Microsoft's versions but schools tend to get steep discounts for server licenses. Look at OpenStack for management, I hear it is decent when it works.

Re:Safety? (1)

Joce640k (829181) | about a year ago | (#43842529)

if the VM has a full root account, with a network address on the global network at large, then it has the ability to, for example, run a priviledged NMAP scan on the entire network. Which can expose open ports or vulnerabilities on another machine that can then be used to leverage access.

Try reading the third line of the summary again. The bit where is says "segregated LAN" might interest you...

Re:Safety? (1)

Anonymous Coward | about a year ago | (#43841733)

He means that if you give root access to a machine on an unprotected network all kinds of fun things can happen:
- user changes his IP address to be that of the gateway, or the file server
- user sniffs packets of unprotected network protocols (the windows file sharing servers don't seem to encrypt traffic)
- send strange packets that cause loops in routers etc.

So he want to create isolated networks where the kids can really play and not worry about breaking something important.

Re:Safety? (2)

Joce640k (829181) | about a year ago | (#43842503)

You know how I know you didn't even read the summary...?

Re:Safety? (0)

Anonymous Coward | about a year ago | (#43841735)

Still, never log into a student's VM while using your real password.

Re:Safety? (1)

Joce640k (829181) | about a year ago | (#43842387)

Why would you have an account on a student's VM?

Re:Safety? (1)

h4rr4r (612664) | about a year ago | (#43841793)

Only if you think your VM software is perfect.

I think all the popular products have at one time had exploits that allowed a guest root user to muck with the virt kernel or other guests.

Heck, if you are not smart enough to limit how much resources one VM can take a nice fork bomb is a good way to slow down the whole shebang.

Re:Safety? (1)

Joce640k (829181) | about a year ago | (#43842461)

All of that applies to non-virtual machines, too.

Re:Safety? (1)

h4rr4r (612664) | about a year ago | (#43842475)

Indeed. I am not suggesting otherwise.
I am only pointing out that VM software is not magic. It does the best it can, but cannot be relied upon to be infallible.

VMware (1)

Anonymous Coward | about a year ago | (#43841609)

No matter what you use, unless it's hard to install and configure the slack-jawed neckbeards of Slashdot won't bless it with their magic wand.

Just get some flavor of VMware and move on with your life.

Re:VMware (1)

ttucker (2884057) | about a year ago | (#43842005)

No matter what you use, unless it's hard to install and configure the slack-jawed neckbeards of Slashdot won't bless it with their magic wand.

Just get some flavor of VMware and move on with your life.

Yep, I love ESXi, it is fast and easy to install. It is also free. Just, if you plug it in to the school network, make sure to have it connected as its own zone to the firewall machine.

BLARG (-1)

Anonymous Coward | about a year ago | (#43841617)

BLAH

Vagrant (4, Informative)

Pinhedd (1661735) | about a year ago | (#43841639)

Vagrant is a wrapper for Virtualbox and VMWare Workstation that accelerates the deployment of development environments.

http://www.vagrantup.com/ [vagrantup.com]

Re:Vagrant (0)

Anonymous Coward | about a year ago | (#43841915)

Vagrant isn't just for kids!! Vagrant and Chef/Puppet will change your life!

Re:Vagrant (0)

Anonymous Coward | about a year ago | (#43842195)

Hark, a vagrant!

Good job Mr. Ark! (0)

Anonymous Coward | about a year ago | (#43841655)

Congratulations on your success!

Network Security (1)

Anonymous Coward | about a year ago | (#43841671)

I don't think you need to worry about OS security, since that is the point of using VMs. However, the "key" to this question is the definition of "segmented." There are host of nefarious and simple mistakes you can make to completely trash the network of the of the VMs. I would recommend disabling multicast.

Banning the use of fork() can't hurt either.

Re:Network Security (2)

ttucker (2884057) | about a year ago | (#43842025)

I don't think you need to worry about OS security, since that is the point of using VMs. However, the "key" to this question is the definition of "segmented." There are host of nefarious and simple mistakes you can make to completely trash the network of the of the VMs. I would recommend disabling multicast.

Banning the use of fork() can't hurt either.

Yes, banning fork() can hurt, because how else are you supposed to learn about it. Also, running a forkbomb in a VM would have no effect at all on the VM host.

Re:Network Security (1)

NatasRevol (731260) | about a year ago | (#43842107)

running a forkbomb in a VM would have no effect at all on the VM host.

Well, if all the VMs run a forkbomb it might. Students do plan things like that once in a while. Like right before the start of class.

Re:Network Security (1)

Anonymous Coward | about a year ago | (#43842403)

Banning the use of fork() can't hurt either.

How do you expect the shell (or make) to spawn a new process without fork()?

Or rather, how do you expect sshd to spawn the shell, when the students try to log in?

Wait, scratch that... How do you expect sshd to fork() a new sshd process when the students connect?

No, wait... How do you expect init to do anything useful without fork()?

(Captcha: ponders)

VirtualBOX (1)

CheshireDragon (1183095) | about a year ago | (#43841675)

Virtual Box is lightweight and it won't matter if they are root. A VM eliminates all that trouble.
"Oh you crashed the hell out of that machine, didn't you? oh well, reinstall."
Since you are segregating the network they will have no outside access and no re...WTF am I saying?...VLANs

Re:VirtualBOX (1, Insightful)

h4rr4r (612664) | about a year ago | (#43841875)

Incorrect.

A nice forkbomb in a single VM can cause headaches for the rest of the environment. There have also been exploits to allow one to interfere with either the host kernel or other guests, we have no reason to suspect all those bugs are crushed. VirtualBox is a fine desktop VM software, it is not however suited to this task.

Re:VirtualBOX (3, Informative)

Archangel Michael (180766) | about a year ago | (#43842123)

Forkbomb is only successful if you don't have limits on your VM environment. You have put limits on your environment, right?

Re:VirtualBOX (0)

h4rr4r (612664) | about a year ago | (#43842341)

I do, but this joker might not.

Re:VirtualBOX (2)

NatasRevol (731260) | about a year ago | (#43842127)

A nice forkbomb in a single VM can cause headaches for the rest of the environment.

Then it's a very poor environment.

We're talking about one or many classes of students. If it's not built out to handle several VMs using their max CPU concurrently, then it's a very poor environment.

Heck, everyone compiling at the same time would shut things down if the environment is built poorly.

Re:VirtualBOX (1)

h4rr4r (612664) | about a year ago | (#43842217)

It has nothing to do with handling several servers or not. It has to do with the fact that if one VM can access all the CPUs it can keep them all busy.

The disk is the same thing, if you do not limit a VM to a fixed amount of IO it can simply tie up all access to the disk for another easy DOS attack. This goes for any and all shared resources. Not very hard to soak a 1Gb network link just to be a jerk.

Virtualbox (1)

lister king of smeg (2481612) | about a year ago | (#43841689)

virtual box is great. its free/open-source well supported on windows mac and linux. itis easy to set up. has the ability to take snapshots on the vm to roll back at a moments notice. good documentation don't know what else you could need here.

Re:Virtualbox (3, Informative)

h4rr4r (612664) | about a year ago | (#43841841)

And is utter trash for anything that needs to be scalable.

It is fine for a desktop VM system, but it simply does not offer the management interfaces that other solutions have. Basically the options here are VMware and KVM. The first if you want a shiny GUI the latter if you are ok without one. Both will let you script everything they do, which will be very handy when you need to reset 100 VMs for the next batch of students.

Re:Virtualbox (1)

Anonymous Coward | about a year ago | (#43841975)

And is utter trash for anything that needs to be scalable.

It is fine for a desktop VM system, but it simply does not offer the management interfaces that other solutions have. Basically the options here are VMware and KVM. The first if you want a shiny GUI the latter if you are ok without one. Both will let you script everything they do, which will be very handy when you need to reset 100 VMs for the next batch of students.

I run my entire local area network using VirtualBox VMs running on two physical servers which run Debian GNU/Linux. The various services are segregated into their own VirtualBox VMs such as DNS, DCHP, web server (externally acessible), web server (internal-only access), NFS, remote SSH access, etc. I manage all these VMs from the command-line and refuse to pussy around with any unnecessary GUI. Everything is scripted from VM creation to management. Stop this reliance upon point-and-click GUIs and teach the students to think and not be afraid of the GNU/Linux command-line.

Re:Virtualbox (1)

h4rr4r (612664) | about a year ago | (#43842169)

Then you should be using KVM or Xen.
Virtualbox is not meant for that use and it shows it.

Re:Virtualbox (2)

Anonymous Coward | about a year ago | (#43842379)

Wow, two whole servers. However did you scale so high?

Re:Virtualbox (0)

ttucker (2884057) | about a year ago | (#43842047)

VirtualBox is a slow turd.

How down and dirty do you want to get them? (0)

Anonymous Coward | about a year ago | (#43841727)

Does it have to be a linux based solution, or is this more of a broad generalized VM option?

Many of the big names have free versions available if you want something setup more like an enterprise deal (VMware offers the vSphere ESXi hypervisor for free (limited to 1 physical CPU and IIRC 32GB RAM for the 5.0 and 5.1 versions.. I think version 4.x didnt' have those restrictions?)

Xen is freely available and Citrix also has a version of theirs available for free.

etc on down the list

Recursion (0)

Anonymous Coward | about a year ago | (#43841739)

Well, obviously, you can set up a VM to isolate a safe environment for...

Oh.

VM is irrelevant (4, Interesting)

onyxruby (118189) | about a year ago | (#43841747)

The fact that your using VM's is largely moot and goes back to the line of thought that VM's are somehow not 'real' computers. VM's run the same operating systems, software, have the same bugs, vulnerabilities and everything else as a physical computer. You need to patch them just like any other computer and you need to license them just like a regular computer. The fact that they are VM's really only makes two differences practical differences that matter, fist is that is easy to roll them back and second is that your aren't running on bare metal.

In other words you have a core issue that needs addressed of giving students root access to a computer. In an isolated environment this isn't necessarily a bad thing. Understand that they exploit root and see what they can do with it, however they are there to learn and if you can do so safely and without disruption of what your trying to teach then let them. Your focus needs to be on making it safe for those around them and that means making sure your VLAN and any related Internet access are properly setup. The lab is a lab and as long as you can make sure they aren't getting access to anyone persons computer than let them have at it.

A good rule of thumb is to roll your sessions back prior to the start of every single class. This always gives a fresh machine and the students will quickly learn how to set their VM just the way they want it.

Re:VM is irrelevant (4, Informative)

Archangel Michael (180766) | about a year ago | (#43842193)

VMs have one advantage that non-virtualized systems don't have. The ability to put several machines in their own sandboxed network, all managed by a single student who needs to demonstrate cooperating systems. Give every student a template of needed machines and a VM server and you have a small lab on every computer. One that is easily setup, cleared and re-setup for every class, and as needed.

VMs are a perfect solution for advanced computer systems management training.

APT-Cacher, Squid (3, Interesting)

SgtChaireBourne (457691) | about a year ago | (#43842277)

A good rule of thumb is to roll your sessions back prior to the start of every single class. This always gives a fresh machine and the students will quickly learn how to set their VM just the way they want it.

They can start each class with a fresh snapshot. In effect they would be restoring from backups. The configuration files from some other networked storage or their thumb drives and the applications themselves from the repositories. I've done something similar, but on bare metal, and after about half a dozen times they don't notice -- it had become such second nature to install and restore applications. Heck you might even have them practice installing the whole system from scratch. If you go that route, they can become quite proficient with installation and resource allocation. PXE booting a netinstall image helps there.

However, once you start to load packages from the net things can really slow down unless you prepare. The best way is to have a cache like APT-Cacher or Squid on your LAN or host system and have them configure their systems to use it for APT. For the cache to be most effective, you have to pre-load it before each class. That's easy and can be done while doing other things. It only takes time not attention. But once you have the cache loaded, installation will fly and can be done in 15 - 20 minutes. After that they weren't shy about installing on their own computers at home or helping their friends.

Re:VM is irrelevant (1)

petermgreen (876956) | about a year ago | (#43842361)

The fact that they are VM's really only makes two differences practical differences that matter, fist is that is easy to roll them back and second is that your aren't running on bare metal.

The third is that the VM soloution is essentially an operating system in it's own right. Like any other operating system it can suffer from privilage escalation exploits.

Amazon EC2 (0)

Anonymous Coward | about a year ago | (#43841753)

They have a free usage tier [amazon.com] .

SELinux on the host (3, Interesting)

hpa (7948) | about a year ago | (#43841769)

Make sure you have SELinux enabled (and enforcing!) on the VM host, and keep the VMM software updated... there sometimes are security holes in VMM software which can be exploited. SELinux can help contain a breached VMM.

Re:SELinux on the host (1)

CaptainJeff (731782) | about a year ago | (#43841959)

This is true...
...if you have a valid policy set up for SELinux to enforce. This can be very difficult to construct, especially when you're trying to control the behavior of something like a VM.

For a student lab environment, this is likely to be overkill; if you have students in grades 9 thru 12 finding and exploiting holes in a VMM, you've got much bigger problems.

Re:SELinux on the host (1)

Anonymous Coward | about a year ago | (#43842045)

if you have students in grades 9 thru 12 finding and exploiting holes in a VMM, you've got ...

... really smart kids.

Re:SELinux on the host (1)

Anonymous Coward | about a year ago | (#43842057)

I highly doubt this is true. The last VM exploit I saw gave ring 0 on the host processor. SELinux is worthless at that point.

VLANs are your friend (2)

StoneyMahoney (1488261) | about a year ago | (#43841789)

Just in case anyone gets a bit... shall we say "Adventurous" and tries to use their root access boxen to attack something they shouldn't, it might be worth isolating the VMs on their own VLAN away from the rest of the network, if you haven't already.

Keep it modern (0)

Anonymous Coward | about a year ago | (#43841815)

Keep it simple, keep it modern, tour the old school vm tech in class; KVM on linux, HyperV on windows for the actual uses, QEMU, VirtualBox

For the grand tour look at the order in history; vmware, xen and don't neglect the licensing models, power license versus core licenses, free versus freemium

The remote management concepts I would handle entirely separately, and pay special attention to how they make their profits, where the cost sinks are.

Also don't neglect the models of vm, including CPU architecture virtualization, QEMU before it was thought of as a tool kit, QEMU emulating Mips, SPARC, AMD64, EMT64

Include a section on history of storage containers; VMDK, IMG, VHD and their limitations (2TB) and why versus "Synthetic" volume management (VM management to create larger than 2 TB volumes ) software RAID, network block devices.

One of the strongest inventions influencing the choice of a VM I think is the package management system of the host OS - (rpm or msi) with Linux you can use yum or rpm to install everything you need, without a custom kernel these days; with windows pretty much the same thing.

The third party value scenario of "orchestration" suites to manage large clusters of vhosts was and is where the cost sinks are, and at the moment have little influence on the small fry personal clouds of a desktop. But at scale, you either have to consider buy or build, or learn how to manage lots of "lillipad" ponds of vhosts.

Notice how I skipped around the redundancy and high availablity issues of the vmotion "like" aspects of vm farms or clouds. Huge topics there and I think more appropriate for a second semester or advanced 102 course on the material.

Deployed in prisons (0)

Anonymous Coward | about a year ago | (#43841835)

I worked at deploying linux systems in prisons for a local college. The key points of my system were:

Used a server w centralized Zentyal for ldap, mail, httpd, quotas etc.
Added nfs to Zentyal.
Had dumb clients w immutable disk VMs running on them
Deleted the gnome session and added GDM sessions for each VM
Used the local disk mapping in Virtualbox to map to their dir in the NFS export.

So, once a student auths to a client and selects an X VM session, VirtualBox starts in its always-pristine state. If the users want to store data then they have a dir mapped to the desktop which holds all their files.

There have been security issues w bridged networks and interfaces that can be promiscuous. Other than this, just disallow all recourse to the underlying OS and you should be good.

'Create' is the tricky part (4, Informative)

bill_mcgonigle (4333) | about a year ago | (#43841837)

Next year I'm planning on allowing students to create and run their own VMs

Running their own VM's is straightforward. Allowing the students to create their own VM's implies that they'll be root on the hypervisor.

Do you intend to run the hypervisor on the client machines of the DRBL system, or run a single hypervisor on the server and deploy the VM's there as DRBL clients?

To satisfy your requirements you probably want to run the hypervisor on the clients so they students can each have their own root on the hypervisor. This would require a hypervisor compatible with DRBL. I don't know how it works, but just from reading the description on the webpage, it sounds like it's geared to PXE booting a host OS.

If you go with Xen, you'll have to probably separately PXE boot Xen and then DRBL boot the Dom0. Which would probably work fine and get you decent performance, but it will expose the students to DRBL (is this what you want?)

If you go with KVM, the performance is a bit slower, but for a student shop that's probably OK, and you'll be able to DRBL-deploy the hypervisor and then let the students create their own non-DRBL (or DRBL) guests. This probably fits your model the best unless you have old hardware that KVM does not support - then you might need to go with the Xen-PXE-Boot model (because it can paravirtualize without hardware assistance).

You could also use VirtualBox, and while it offers a nice GUI, it's probably too simple for teaching your students about virtualization (it just feels like an app).

BTW, it sounds like you're doing great work based on that article. Kudos on your accomplishments and being an inspiration for others in your field.

Re:'Create' is the tricky part (0)

Anonymous Coward | about a year ago | (#43842535)

"Create" is easy with oVirt User Portal, power users, and quotas.

"Create" is also easy with OpenNebula Self Service portal.

"Create" gets more difficult with programmatic APIs like EC2, CloudStack, and OpenStack, but "create" is what they're there for.

You can NAT the network off and and don't forwardi (1)

Joe_Dragon (2206452) | about a year ago | (#43841853)

You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.

Re:You can NAT the network off and and don't forwa (1)

h4rr4r (612664) | about a year ago | (#43841937)

No, stop!

NAT is not the correct solution to this nor would it help. NAT does not stop anyone scanning outward, the NAT router will setup the address translation just as it should. VLANS are the correct answer. Pulling physical cables is too much work, and cannot be done remotely.

Re:You can NAT the network off and and don't forwa (1)

Joe_Dragon (2206452) | about a year ago | (#43842041)

Pulling physical cables is a quick and fast way to know they are not on the network and that is more of a way to backup to remote control. What about a firewall box on the link from the switch the VM's are on to the rest of the network?

Re:You can NAT the network off and and don't forwa (1)

h4rr4r (612664) | about a year ago | (#43842139)

It is not fast nor quick at 2am. Which is when one bored kid is going to try to find out how much fun he can have with an arp black hole or other such silliness.

What about it? Should there be one? Of course it should probably even limit traffic to just http and other services they absolutely must have, there should also be an IDS on their network segment. That does not change the fact that VLANing off these folks is the best practice and that NAT offers nothing extra for this. You would not be trying to protect the VMs, but be protecting others from them.

Re:You can NAT the network off and and don't forwa (1)

arth1 (260657) | about a year ago | (#43842167)

Even VLANs allow for DoS attacks - the VLAN runs on the host, not the guest, and bypass the limits you set on the guest. A malicious user controlling one or more VMs can flood the VLAN(s) and cause the host to slow down (or worse).

Other ways to attack a host or other guests from a VM apart from networking include (but are not limited to) shared resources like USB, CD/DVD, serial, disk (sync flood!) and perhaps most of all, hardware accelerated graphics.
If you really have to protect the host and other VMs from each other, you need to turn off all shared resources, and run the VM hypervisor/manager under SELinux and configured(!) cgroups, preferably with each VM having its own disk.

Re:You can NAT the network off and and don't forwa (1)

h4rr4r (612664) | about a year ago | (#43842185)

Actually I was suggesting not sharing NICs and using VLANs on a managed switch, if at all possible. So each VM has its own NIC and VLAN. They would not be allowed to talk to each other.

I should have made my proposal more clear.

Re:You can NAT the network off and and don't forwa (0)

Anonymous Coward | about a year ago | (#43842563)

A malicious user controlling one or more VMs can flood the VLAN(s) and cause the host to slow down (or worse).

Why do we care about protecting the students from themselves? This is about the teacher protecting his jobs by sandboxing his students.

Re:You can NAT the network off and and don't forwa (1)

ttucker (2884057) | about a year ago | (#43842103)

You can NAT the network off and and don't do port forwarding to the out side also have a quick kill where you just need to pull a cable to cut the VM's off from the rest of the network.

If you were joking, I got a pretty solid LOL out of it.

Doubtful (0)

Ashenkase (2008188) | about a year ago | (#43841873)

Some of my students have become Linux experts.

Proficient... believable. Experts... doubtful

Re:Doubtful (0)

Anonymous Coward | about a year ago | (#43842399)

I've been using and developing software for Linux for almost two decades. I don't consider myself an expert. My grandmother would. Does this prove your Linux ignorance?

Linux in school?? (1)

TheDarkener (198348) | about a year ago | (#43841883)

Don't let the higher-ups know you're running a rebel operating system, you might just get canned. What use is running Linux in school anyway, when the students should be learning REAL job skills (I.E. Microsoft Office)? /sarcasm

(Sorry, I have been tainted by the education "industry" when it comes to anything Linux in school).

Just use the native hypervisor (0)

Anonymous Coward | about a year ago | (#43841885)

If you're running CentOS you already have both KVM and Xen at your finger tips. Both are excellent choices and are well suited for what you are looking to accomplish. Personally, I really really enjoy KVM w/ libvirt. A simple kickstart script is all you need to create a "baseline" that you can easily script a classroom refresh before or after each class. It's super easy. You can also teach deployments from an environment like this; that's very useful in the real world. I've seen a a few comments suggesting put the VMs in their own network, and I agree with that. I would probably NAT the whole classroom behind the instructor machine and then not worry about anything. Good luck and thanks for teaching Linux!

VMWare, Ubuntu and Puppet (2)

i_want_you_to_throw_ (559379) | about a year ago | (#43841887)

I see this as being similar to when we needed to have all of our developers in my company working in an environment that absolutely matched the production environment. Just use VMWare on each individual machine, run an Ubuntu image in that and best of all use a Puppet script to customize it and give 'em the goodies they need. The beauty of this is once the kids screw it up (and let's hope they do, they're learning after all) then you can rebuild this back to a pristine machine in no time. Good luck!

Re:VMWare, Ubuntu and Puppet (1)

i_want_you_to_throw_ (559379) | about a year ago | (#43841899)

Ubuntu worked for us but of course you could use CentOS as well.

If you're on CentOS, you can use Xen or KVM (0)

Anonymous Coward | about a year ago | (#43841893)

VirtualBox is a Type 2 hypervisor, which needs to run on top of another OS (Win/Mac/Linux), so it is ideal if your students have those other operating systems to boot into from the start. But if you use a Type 1 hypervisor, such as KVM or Xen, you can spin up any number of servers or desktop VMs in your own private cloud and isolate them from your other environments using vLANs. It depends on how complex an environment you want to build out for your classroom laboratory. Since you're emphasizing open source solutions, you might even want to let your students play around with OpenStack and other infrastructure tools to give them an even bigger advantage in the competitive workforce of cloud computing, which is definitely going to become more important in the next few years.

Apache VCL (0)

Anonymous Coward | about a year ago | (#43841897)

Have a look at Apache VCL: http://vcl.apache.org/ [apache.org] - it is a cloud computing system developed specifically for use in the education space.

Straightforward (1)

Synerg1y (2169962) | about a year ago | (#43841947)

First, you're going to want to set a segregated network that cannot talk to the main network (A DMZ), your router accomplishes this in most cases.

Second, there's 2 big options for you to look at: VMWare ESXi & Xen both are hypervisors that run on server hardware and can host as many VMs as the hardware can handle. Hyper-V may also be an option if you're part of the MSDN alliance. Install and configured chosen host software.

Third, set up individual VMs, you're on a DMZ, so giving root is fine, the main network cannot be reached. You should be able to create a template and spawn the rest of the VMs off that.

Fourth, have the students remote into their VMs.

VM in a javascript sandbox (0)

Anonymous Coward | about a year ago | (#43841949)

Fabrice Bellard also put up a nice website on how to run a vm of a linux kernel booting in a web browser window using javascript as the vhost. That's pretty impressive. And makes a good demonstration.

Provisioning is also often overlooked. H. Peter Anvin's Syslinux toolkit is often over looked, even though its used to replace or augment about every bootloader system since DOS and Linux came on the scene. Plus he's gone out of his way to make it adaptable to some of the oldest and weirdest hardware every created. It even supports iSCSI using the former GPXE, iPXE projects.

iSCSI versus traditional SANS or DAS would make an interesting topic; heck even just discussion the SCSI protocol which has outlasted the hardware.

Stateless Linux, Stateless Windows; versus Portable Windows and Live Linux instances would also be of interest, in a VM environment; how and when do you decide to store and maintain state?

If you could get an Amazon S3 or Microsoft Azure team member to visit and lecture your class would be cool. Google and Apple datacenter and vm chiefs would be cool.. but doubt you could get them.

Alternate perspective (1)

Sparticus789 (2625955) | about a year ago | (#43841963)

You could also look at it like this. If your students can crack their VM environment and run wild, hacking away, changing grades, and setting up Paypal fraud websites, then you have taught them very well and they will go on to a long and prosperous career, hopefully working for the good guys.

pay attention to network resources (0)

Anonymous Coward | about a year ago | (#43841977)

A VM is just another machine on the network. A user with root can become any user.

If the VM can access shared storage, then users with root can access that shared storage as any user. They can send email from any account. Lots of other tricks they can pull.

Your best bet is to put the VMs on an isolated network that can only access resources that don't need protection.

SmartOS, allows for advanced virtual networking (1)

exabrial (818005) | about a year ago | (#43841979)

SmartOS is pretty amazing. You can create virtual environments that share a kernel space, meaning that YOUR os is running directly on the hardware, making it _extremely_ fast with almost no overhead. The file system (ZFS) is also 'shared' using zones and pools so there's almost no cost there either. Migration a vm between SmartOS hosts is also a pretty amazing thing. You can also create virtual NICs and route/bond/segment/tapdance. SmartOS has it's roots in Solaris, so it's a little different than Linux, but for the most part anyone with Unix experience can figure it out.

oVirt (2)

knarfling (735361) | about a year ago | (#43841981)

Depending on your equipment and the time you want to spend, oVirt might be an answer.

Although it is still fairly new and is in development, it runs on CentOS6, is free, can handle multiple guest OSes, can create VM's from a template, and has a power users portal page where trusted students/employees can create their own VM from supplied templates. This way, no student would have access to the host OS, but could create a VM as needed. The downside is that it can get quite complicated to set up the system, and could take a bit of time to learn and set it up properly. Since it is free, you are also dependent upon community support.

You can access more info here. [ovirt.org]

Re:oVirt [SECONDED] (0)

Anonymous Coward | about a year ago | (#43842425)

oVirt is definitely what you want to be using...

ESXi (2)

meowgoesthecat (2872191) | about a year ago | (#43842011)

ESXi. Its free, powerful, and offers a lot of pre-built appliances. I don't see any safety concerns if the network is segregated. If you have specific VM's that you want the students to learn within, keep screenshots of those so that you may roll anything back that gets damaged. This is great because it allows them do pretty much anything they want without creating a maintenance headache for you.

If you want to teach them about specific technologies using VMs that go hand and hand with programming (like source control, bugzilla, configuring web servers, etc), turnkeylinux.org offers many free linux appliances that will make your job easy.

Check this post a few days ago (0)

Anonymous Coward | about a year ago | (#43842013)

http://ask.slashdot.org/story/13/05/26/1813216/ask-slashdot-which-100-user-virtualization-solution-should-i-use

Very similar to what you want.

I am the teacher in this story (0)

Anonymous Coward | about a year ago | (#43842061)

And I don't have a lot of faith in you having to ask these questions on slashdot.

VM as a special sort of Process or Thread (0)

Anonymous Coward | about a year ago | (#43842081)

A lot of the tech surrounding vm tech is all about transfer of knowledge from one system admin generation to the next. But more accurately the "lack of conceptual knowledge and communications".

Reinventing the Wheel, or Not invented here.. have become accepted Mantra's in the Computer Engineering field.. to be distinguished from the Computer Science field as those who actually "implement a class" as opposed to those who merely "declare a class".

A key thing is a VM has a bootloader.. which appears about as useful as a vestigal appendicts on the whole of it.

But vm's are all about the "illusion" of control and "independence" its a overhead we accept so we do not have to learn more about system resources, so that we are portable and hardware platform agnostic.

As muchb as we'd like to think we're "smarter" and "better" than the last generation, we are not, we merely have gone the way.. that requires the least of the last generation and threatens their pre-eminence the least.. while they retire and go down with the sinking "Big Iron" of their day. MicroComputers buried the Macro.. Nano and Quantum will bury them.

I'm aware of two popular VM's (1)

CosaNostra Pizza Inc (1299163) | about a year ago | (#43842135)

Oracle Virtualbox and VmWare. I use VirtualBox, which is free.

Air gap (0)

Anonymous Coward | about a year ago | (#43842249)

Ignore all these suggestions and put them on a completely separate network. There's absolutely no need for this to be on the same network as the rest of the school, so why even bother? The best way to guarantee that stuff on one network is protected from another? Don't connect them.

Do it like governments do (0)

Anonymous Coward | about a year ago | (#43842271)

This is not a technical problem. Anyone caught hacking and doing damage will be failed. Period. That should be the most important security you setup. After that, do some due diligence setting up these other things.

It depends on what you're trying to protect (3, Interesting)

dankney (631226) | about a year ago | (#43842297)

So far, I see lots of advice about VM breakouts and network isolation. If this were a production datacenter where uptime was a criteria, this is all well and good. I suspect that this isn't what you need to hear, however.

I see three things you could be attempting to protect:

1) The larger school network.
2) The VM host infrastructure.
3) The VMs themselves.

1) A student on a VM is no more dangerous to the network than one who can connect to the school wireless with a laptop or smartphone. If the lab uplinks to the same network as the broader access, your risk profile is unchanged.

2) Make sure the VMs can't route to the host and keep it patched. If a student managed to break out of a VM in a patched hosting environment, do some forensics and find the bug then sell it. It's probably worth more than you make in a year. Seriously, if they can do this, they deserve to win. You might as well worry about protecting against nation-state sponsored attacks.

3) Make sure that the class work is backed up (a git server, perhaps) and then don't worry about it. Seriously, just throw the VMs away after each class (or every night, etc) and start with a clean one the next time they log in. Don't spend time trying to outsmart a classroom full of bored highschoolers. Instead, make it so it doesn't matter when they break something.

Re:It depends on what you're trying to protect (0)

Anonymous Coward | about a year ago | (#43842501)

1) A student on a VM is no more dangerous to the network than one who can connect to the school wireless with a laptop or smartphone. If the lab uplinks to the same network as the broader access, your risk profile is unchanged.

Depends what they're doing. If they are learning about DHCP, then it's likely they'll accidentally run a DHCP server. They're less likely to _accidentally_ do that on a smartphone or laptop. Make sure your LAN is configured correctly, to filter out DHCP responses from rogue servers. This is a standard feature in most managed switches nowadays, but make sure you turn it on! (I have accidentally brought down several corporate LANs that way in the past).

Proxmox is another open solution (0)

Anonymous Coward | about a year ago | (#43842499)

Have a look at Proxmox as a virtualiztion solution. It would allow your students to access their VMs via a web browser. For network security, you could connect all the VMs together with a virtual LAN that isn't connected outside the server.

Promox? (0)

Anonymous Coward | about a year ago | (#43842531)

All this talk about VirtualBox and nobody talks about Proxmox?

You can do OpenVZ/KVM from the same bare metal.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?