Ask Slashdot: Safe Learning Environment For VMs? 212
First time accepted submitter rarkian writes "I am the teacher in this story. I teach Python and C++ to high school students: grades 9-12. I use CentOS 6 with DRBL to run my computer lab. Some of my students have become Linux experts. Next year I'm planning on allowing students to create and run their own VMs in a segregated LAN. Any advice on which virtualization technology to use and security concerns with allowing students to be root in a VM?"
Vagrant (Score:5, Informative)
Vagrant is a wrapper for Virtualbox and VMWare Workstation that accelerates the deployment of development environments.
http://www.vagrantup.com/ [vagrantup.com]
'Create' is the tricky part (Score:5, Informative)
Next year I'm planning on allowing students to create and run their own VMs
Running their own VM's is straightforward. Allowing the students to create their own VM's implies that they'll be root on the hypervisor.
Do you intend to run the hypervisor on the client machines of the DRBL system, or run a single hypervisor on the server and deploy the VM's there as DRBL clients?
To satisfy your requirements you probably want to run the hypervisor on the clients so they students can each have their own root on the hypervisor. This would require a hypervisor compatible with DRBL. I don't know how it works, but just from reading the description on the webpage, it sounds like it's geared to PXE booting a host OS.
If you go with Xen, you'll have to probably separately PXE boot Xen and then DRBL boot the Dom0. Which would probably work fine and get you decent performance, but it will expose the students to DRBL (is this what you want?)
If you go with KVM, the performance is a bit slower, but for a student shop that's probably OK, and you'll be able to DRBL-deploy the hypervisor and then let the students create their own non-DRBL (or DRBL) guests. This probably fits your model the best unless you have old hardware that KVM does not support - then you might need to go with the Xen-PXE-Boot model (because it can paravirtualize without hardware assistance).
You could also use VirtualBox, and while it offers a nice GUI, it's probably too simple for teaching your students about virtualization (it just feels like an app).
BTW, it sounds like you're doing great work based on that article. Kudos on your accomplishments and being an inspiration for others in your field.
Re:Virtualbox (Score:4, Informative)
And is utter trash for anything that needs to be scalable.
It is fine for a desktop VM system, but it simply does not offer the management interfaces that other solutions have. Basically the options here are VMware and KVM. The first if you want a shiny GUI the latter if you are ok without one. Both will let you script everything they do, which will be very handy when you need to reset 100 VMs for the next batch of students.
Re:Safety? (Score:4, Informative)
Which is why they need to setup their own VLAN to isolate the VMs to the classroom. VM traffic is isolated to non-routing VLANS. They call this setup a "sandbox", and it is generally a good practice for classroom work.
As for which VM technology to use ... VMWare, or ZEN or even Microsoft's version are usable. VMWare is sort of free, Xen definitely is. I'm not familiar with pricing on Microsoft's versions but schools tend to get steep discounts for server licenses. Look at OpenStack for management, I hear it is decent when it works.
VLANs, RH Virtualization Security manual, virt-man (Score:5, Informative)
As AC said, a separate LAN or VLAN, or multiple separate LANs/VLANs handles most of what's posted below. For example, a rogue DHCP server would only be visible on that VLAN.
Red Hat has a Virtualization Security section in their manual:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Security_for_virtualization.html
CentOS/RHEL includes comprehensive support for KVM with virt-manager. While VirtualBox et al are fine for running one or two virtual machines on your desktop, for many VMs, with new ones created and removed each semester, the enterprise level support of KVM built into the distro is more appropriate. That support includes creating VLANs within the same management interface, for example, and integrates with the built in storage stack administration tools. Again, VirtualBox may be simpler to set up for one or to two machines, so I'm not saying it's not good - it's just not the best tool in this particular scenario. In this type of scenario, the KVM / virt-manager / virsh stack that RH baked in is probably a better match to the needs.
Re:VirtualBOX (Score:4, Informative)
Forkbomb is only successful if you don't have limits on your VM environment. You have put limits on your environment, right?
Re:VM is irrelevant (Score:5, Informative)
VMs have one advantage that non-virtualized systems don't have. The ability to put several machines in their own sandboxed network, all managed by a single student who needs to demonstrate cooperating systems. Give every student a template of needed machines and a VM server and you have a small lab on every computer. One that is easily setup, cleared and re-setup for every class, and as needed.
VMs are a perfect solution for advanced computer systems management training.
Re:Set up VLANs (Score:5, Informative)
Not if they are on private VLANs (still not clear if it is a standard or not). VMWare supports this; the idea is roughly analogous to AP isolation on a wifi AP-- "isolated" nodes can all talk to the gateway (the community / public node), but cannot talk to each other.
And VLANs actually are for security, and can provide far superior security than ACLs, since unless you have a trunk port or layer 3 switches, it is impossible for two devices on different VLANs to communicate, short of a switch misconfiguration. Its probably second to air-gapping in terms of security-- its sort of a logical implementation of "air gapped switches", except that they CAN be joined together if someone gets onto the switch.
Re:Set up VLANs (Score:3, Informative)
VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.
This is simply not true. You're probably referring to 802.1q tag hopping attacks, which are not particularly difficult to prevent.
Do you really think tag hopping is the only attack on VLAN? Perhaps you should read what Cisco says about the matter, if your job depends on it: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml [cisco.com] . They point out that with an adequately secure switch, and good configuration practices, that the security is adequate. Without all of the correct practices, VLANs provide a very dangerous false sense of security.