Virtual Machines and Security
Christopher Rodriguez
Colorado State University Global
22SC-CSC300-1: Operating Systems and Architecture
Dr. Jonathan Vanover
2022-06-19
The assignment was to create a virtual network with three virtual machines (one running Windows 10, one running Ubuntu, and one running Kali Linux). VirtualBox was suggested for this task; however, I instead used libvirt and its associated tools, as they are a more up-to-date set of virtualization tools on my chosen platform (GNU Guix).
The first step was enabling support for virtualization on GNU Guix. This largely consisted of adding the correct packages and services to my system-wide configuration, which is included in appendix A. The most important parts of this configuration are the inclusion of the libvirt package in the packages field and of libvirt-service-type in the services field. Also important was adding my user account to the kvm group, because we are using the Linux kernel's “Kernel-Based Virtual Machine” (KVM) module; the configuration also adds the account to the libvirt group, which it names as the owning group of the libvirt Unix socket (unix-sock-group), so that VMs can be managed without root.
Once this was complete, I was able to reboot and use libvirt as intended. This began with opening virt-manager, as seen in figure 1. The installation process for each OS was very similar and straightforward; the most important differences were the network settings. The process went something like this:
1. Begin creating a new virtual machine, as in figure 2.
2. Specify a boot image to act as the installer, as in figure 3. I had pre-downloaded all three installation ISOs, which made this step easy.
3. Choose how much memory and how many CPU cores to allocate to this virtual machine while in use, as in figure 4. It is important to remember that you should avoid allocating more than you have, and if you are also doing things like writing a paper, keep some resources for the host OS as well.
4. Create a virtual drive to act as storage for this VM, as in figure 5. Here is where I ran into an issue with my host OS: as GNU Guix keeps most system directories on a read-only filesystem, the default location for storage is inside root's /.local folder. Obviously this is undesirable for myriad reasons, but also my normal user cannot see that directory, so instead I chose “Select or create custom storage” and manually made a qcow2 disk in the globally accessible /var/lib/libvirt/images/pool directory. (If privacy is a goal, the current user's home directory is just as usable for this.)
5. With the basics out of the way, we can move on to the interesting bit: configuring the virtual networks. On the confirmation screen, make sure to select “Configure Before Installation”. A window looking similar to figure 6 will appear. We are interested in configuring the NIC, so change to the NIC panel as in figure 7.
I had some networks pre-created (using Edit > Connection Details > Virtual Networks), and chose to let all of the machines initially use a NAT connection, so that they could update themselves post-install (and so I could install neofetch for a more pleasant OS-identification experience). This network is shown in figure 9. I also made sure to have a “Host-Only” network set up at this step, as in figure 8, for ease of use later.
6. Install the OS as normal. There are no special VM-centric concerns here. Also ensure all needed updates are applied, and any user-needed packages (neofetch) are installed.
7. Finally, go into each VM and configure the NIC to use the appropriate network. The assignment had Windows 10 and Ubuntu on “Host-Only” networks, and Kali Linux on a NAT network. The final settings for each VM are shown in figures 13 to 15.
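The GUI procedure above, expressed as the virsh/virt-install commands a reproducible lab script would use. This is an added example, not code from the original write-up: the network and guest names, bridge devices, address ranges, ISO paths and os-variant ids are assumptions; the pool directory is the one chosen in step 4, and a “Host-Only” network is what libvirt calls an isolated network (no <forward> element in its XML). The net_kind helper is the check worth keeping: fed the output of virsh net-dumpxml, it tells you whether a network gives guests NAT, no reach beyond the host, or broader (bridged/routed) exposure, which is how to confirm step 7 actually put each VM where the assignment wanted it.

```shell
#!/bin/sh
# Added example (not code from the original paper): the virsh/virt-install
# equivalents of the virt-manager steps above. Network names, bridge devices,
# address ranges, guest names, ISO paths and os-variant ids are constructed
# assumptions; the pool path is the one chosen in step 4.
set -eu

POOL_DIR="/var/lib/libvirt/images/pool"

# Emit libvirt network XML on stdout.
#   $1 name   $2 nat|hostonly   $3 bridge device   $4 /24 prefix, e.g. 192.168.100
# A NAT network carries <forward mode="nat"/>. A host-only network (libvirt
# calls it "isolated") has no <forward> element at all, so guests can reach
# the host and each other but nothing beyond the bridge.
net_xml() {
  name=$1 kind=$2 br=$3 pfx=$4
  printf '<network>\n  <name>%s</name>\n' "$name"
  if [ "$kind" = nat ]; then
    printf '  <forward mode="nat"/>\n'
  fi
  printf '  <bridge name="%s" stp="on" delay="0"/>\n' "$br"
  printf '  <ip address="%s.1" netmask="255.255.255.0">\n' "$pfx"
  printf '    <dhcp>\n      <range start="%s.100" end="%s.200"/>\n    </dhcp>\n' "$pfx" "$pfx"
  printf '  </ip>\n</network>\n'
}

# Classify network XML read from stdin as "nat", "host-only" or "other"
# (bridged, routed or open modes, which expose guests further than NAT does).
# On a live host:  virsh net-dumpxml NAME | net_kind
net_kind() {
  xml=$(cat)
  case $xml in
    *"<forward mode='nat'"*|*'<forward mode="nat"'*) echo nat ;;
    *'<forward'*)                                     echo other ;;
    *)                                                echo host-only ;;
  esac
}

# Steps 1-5 in one shot: create the qcow2 disk in the pool directory and
# register the guest with its NIC already on the chosen network.
#   $1 name  $2 iso  $3 network  $4 os-variant  $5 RAM MiB  $6 vCPUs  $7 disk GiB
define_vm() {
  qemu-img create -f qcow2 "$POOL_DIR/$1.qcow2" "${7}G"
  virt-install --name "$1" --memory "$5" --vcpus "$6" \
    --disk "path=$POOL_DIR/$1.qcow2,format=qcow2" \
    --cdrom "$2" --network "network=$3" --os-variant "$4" \
    --graphics spice --noautoconsole
}

# Step 7 check: print "guest source-network interface-type" for each NIC.
guest_nets() {
  for vm in "$@"; do
    virsh domiflist "$vm" | awk -v vm="$vm" 'NR > 2 && NF { print vm, $3, $2 }'
  done
}

main() {
  if ! command -v virsh >/dev/null 2>&1; then
    echo "virsh not installed; nothing to do" >&2
    return 0
  fi
  tmp=$(mktemp -d)
  net_xml lab-nat nat virbr10 192.168.100 >"$tmp/lab-nat.xml"
  net_xml lab-hostonly hostonly virbr11 192.168.101 >"$tmp/lab-hostonly.xml"
  for n in lab-nat lab-hostonly; do
    virsh net-define "$tmp/$n.xml"
    virsh net-start "$n"
    virsh net-autostart "$n"
  done
  # Same layout as the assignment: Windows 10 and Ubuntu host-only, Kali on NAT.
  # ISO paths are placeholders; os-variant ids are assumptions (see `osinfo-query os`).
  define_vm win10  /path/to/Win10.iso  lab-hostonly win10       4096 2 40
  define_vm ubuntu /path/to/ubuntu.iso lab-hostonly ubuntu20.04 2048 2 20
  define_vm kali   /path/to/kali.iso   lab-nat      generic     2048 2 20
  guest_nets win10 ubuntu kali
}

main "$@"
```

The script needs libvirt, virt-install and qemu-img on the host and a user in the libvirt group (as in appendix A); without virsh present it exits doing nothing, so the file can also be sourced just for net_xml and net_kind. Keeping the Kali guest on NAT and the other two on the isolated network means the two targets are reachable from the host and from Kali's bridge only if you deliberately connect them, and net_kind makes that isolation verifiable rather than assumed.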
I was able to ping all three VMs, regardless of which virtual network they were on. This output is shown in figure 16. I am confident this fulfills the needs of this assignment.
Appendix A: jory.scm

;;; jory.scm
;;;
;;; This is the system-config file for Jory, my Purism Librem 14 Laptop
;;;
;;; Author: Christopher Rodriguez
;;; Created: 2022-04-10
;;; Last Released: 2022-06-09
;;; Contact: yewscion@gmail.com
;;;

(use-modules (gnu)
             (srfi srfi-1)
             (ice-9 textual-ports)
             (guix modules))
(use-service-modules admin avahi base databases desktop docker games mail
                     mcron networking ssh virtualization web xorg)
(use-package-modules admin certs databases emacs games package-management
                     ssh tls version-control xdisorg)

(define %ming-pubkey
  (plain-file "ming_id.pub"
              (string-append
               "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDvbir"
               "/LAxFP2O7WPCxX2BL5YIbb4yTPbnmJlooQaM7H5L0Dx"
               "WAC0/3Q+XXqb6xDGrHmoJHTp3YHD30W1JNWQiKtKuEK"
               "gYzYypiTWHU2MbZ4ahuQN7v2Bc1KM720MFaHKjDd8ru"
               "rTya3cOd6PTXOKyhZIMjt1H6OgwYULX92oaYGVdEn+e"
               "bSlR3xaSMyPXSJ5yPAWcZlHYrQysz7b2KtulTRvsaE0"
               "gq3muCxFdIXqAlbAcCPScLoDWygEDMLSKN/gjV+4b45"
               "3oiG21KnmKMhkbczu9YpbUdB46lLH6eb6twe+CNcaDZ"
               "l/TNIA55l7UtaM9GMxesCQXIsTg0sFV9PZW2zpI4i8/"
               "6vpAqr++t/1TQVOZjvxxv+5UWMbKVPJqawIXonOaN1I"
               "z9svDuacMij2cBnyNxcBq5BsOjHO6ch2IYnflapFseP"
               "fysve5Z3UVVOJJeCanp+nSGSrwDOckreVWnU8G2D0Mu"
               "V5HNMNaghoI72uBVi5s3GmH2utl0RSh/x81byQ8iyb6"
               "g8m2XiwwoxDGDu6sePVJOJ9iEUYmLWX4TcA4CVLhdFq"
               "D1R/9/VE7w+RgvFmzNrufxZEaP3dXJVdIctyeCntGl9"
               "eZreVc65GpHesIANJj/cDmeNPk8vyfPJpwHgLAZpGY4"
               "NgbR8hXFnyrZRd+XcTvpkZcJc51OKo7kOQ== ")))

(define updatedb-job
  ;; Run 'updatedb' at 3AM every day.  Here we write the
  ;; job's action as a Scheme procedure.
  #~(job '(next-hour '(3))
         (lambda ()
           (execl (string-append #$findutils "/bin/updatedb")
                  "updatedb"
                  "--prunepaths=/tmp /var/tmp /gnu/store"))))

(define %my-keyboard-layout
  (keyboard-layout "us,apl"
                   #:options '("ctrl:swapcaps_hyper"
                               "compose:rctrl"
                               "grp:toggle")))

(define %my-desktop-services
  (modify-services %desktop-services
    (delete elogind-service-type)))

(define %my-service-addons
  (append
   (list (service gnome-desktop-service-type)
         (service openssh-service-type
                  (openssh-configuration
                   (password-authentication? #f)
                   (authorized-keys
                    `(("ming" ,%ming-pubkey)
                      ("git" ,%ming-pubkey)))))
         (service postgresql-service-type
                  (postgresql-configuration
                   (postgresql postgresql-10)))
         (service gmnisrv-service-type)
         (service wesnothd-service-type)
         (service docker-service-type)
         (service qemu-binfmt-service-type
                  (qemu-binfmt-configuration
                   (platforms (lookup-qemu-platforms "arm" "aarch64" "risc-v"))))
         (simple-service 'my-cron-jobs mcron-service-type (list updatedb-job))
         (set-xorg-configuration
          (xorg-configuration (keyboard-layout %my-keyboard-layout)))
         (elogind-service #:config
                          (elogind-configuration (handle-power-key 'ignore)))
         (service libvirt-service-type
                  (libvirt-configuration
                   (unix-sock-group "libvirt")
                   (tls-port "16555")))
         (service virtlog-service-type))
   %my-desktop-services))

(define %my-services
  (modify-services %my-service-addons
    (guix-service-type
     config => (guix-configuration
                (inherit config)
                (authorized-keys
                 (append (list (local-file "/etc/cdr255/frostpine.pub"))
                         %default-authorized-guix-keys))))))

(define %my-packages
  (list "nss-certs" "xorg-server-xwayland" "emacs" "openssh" "openssl"
        "rxvt-unicode" "git" "libvirt" "openjdk" "stumpwm" "ncurses" "guile"))

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout %my-keyboard-layout)
  (host-name "jory")
  (users (cons* (user-account
                 (name "ming")
                 (comment "Christopher Rodriguez")
                 (group "users")
                 (home-directory "/home/ming")
                 (supplementary-groups '("wheel" "netdev" "audio" "video"
                                         "docker" "libvirt" "kvm")))
                (user-account
                 (name "git")
                 (group "git")
                 (home-directory "/home/git")
                 (comment "For Use With Git")
                 (system? #t))
                %base-user-accounts))
  (groups (cons* (user-group (name "git") (system? #t))
                 %base-groups))
  (packages (append (map (compose list specification->package+output)
                         %my-packages)
                    %base-packages))
  (services %my-services)
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets (list "/dev/nvme0n1"))
               (keyboard-layout keyboard-layout)))
  (swap-devices (list (swap-space
                       (target (uuid "0fd9015c-34ca-4d05-843b-584fa94796d3")))))
  (file-systems (cons* (file-system
                        (mount-point "/")
                        (device (uuid "ada80f5c-de9b-4a3b-b25d-cd4518d2a8f7" 'ext4))
                        (type "ext4"))
                       (file-system
                        (mount-point "/home")
                        (device (uuid "0ee6f458-e0d7-4bc3-b449-b368901c70fd" 'ext4))
                        (type "ext4"))
                       %base-file-systems)))