Virtualization and NFS

There is no real link between the two topics Virtualization and NFS (Network File System) other than pedagogical. Virtualization is about creating other machines within your machine and NFS is about accessing the file system of a server from a separate client machine. Virtualization will give us the two machines we need to set up NFS.

Virtualization

The goal of virtualization is to provide a software platform consisting of an instance of an operating system running as a virtual machine within the existing machine. A system which supports virtualization is called the host and a virtual machine is called a guest. The software that runs guests is called a hypervisor; examples include KVM, Xen, VMware and VirtualBox. Ubuntu focuses on KVM (Kernel-based Virtual Machine), which requires a CPU with hardware virtualization extensions (Intel VT-x or AMD-V).

The main benefit for us is the ability to set up a "test bed" for trying out software and networking features without using other physical computers. One can use this virtualization to install multiple versions of Linux in order to evaluate and compare them. From a security perspective, we can use virtual machines as "attack targets" for security software testing. In an enterprise setting a virtual machine can be a lightweight specialized "server" which is optimized to perform one service task.

Enable Virtualization in the BIOS

This is how to do so for the Lab computers. Start by rebooting the machine. You have to catch it before it boots the operating system. Type F12 repeatedly as we did for the installation.
  1. Select: Enter Setup
  2. Go to the Advanced tab, select CPU Setup.
  3. Select Intel (R) Virtualization Technology [Disabled]. Enter
  4. Select Enabled. Enter.
  5. Type F10 to save and exit.

Software Installation

Install the necessary packages:
$ sudo apt-get install kvm qemu virt-manager virt-viewer libvirt-bin
You must be a member of the libvirtd group to use the tools (the installation may already have added you):
$ sudo adduser LOGIN libvirtd
Group membership is read at login, so the shell you are sitting in does not have it yet. For shell work, these two commands are enough: the first starts a subshell whose primary group is libvirtd, the second starts another whose primary group is your own again but which still carries libvirtd in its group list.
$ newgrp libvirtd
$ newgrp LOGIN
The more complete approach is to log out and log in again, so that non-shell tools such as VMM also see the new membership.

Our guest machine's network will be attached to the virtual bridge interface virbr0, which has been generated for you by the libvirt-bin installation. Check it out by:
$ ifconfig virbr0
We will use the Virtual Machine Manager (VMM) tool, which, like other virtualization front ends, can install a variety of guest systems on your machine, the host. We suggest that you create a dedicated folder for ISOs which you may want to install as virtual machines, e.g.
$ sudo mkdir /usr/local/Isos
The guest is started by libvirt rather than by your own login, so VMM needs read access to this path; that is why it is placed under the world-readable /usr/local rather than in your home directory.

The installation software used in this document will be the Ubuntu 14.04 server from an ISO file. Retrieve the file from the CS FTP site:
$ wget ftp://www.cs.wcupa.edu/pub/rkline/gradlinux/ubuntu-14.04-server-amd64.iso 
$ sudo mv ubuntu-14.04-server-amd64.iso /usr/local/Isos/

Build the VM

Locate VMM in your window manager and start it. If you can't find it, run it from the shell:
$ virt-manager &
You should see the connection line
localhost (QEMU)
(anything other than that means something is wrong).
Our virtual machine's name will be vm1. Click the top left button to start creating a new machine:
  1. Name and installation type
     Name: vm1
     Select: Local install media ...
  2. Installation media and OS
     Use ISO image: /usr/local/Isos/ubuntu-14.04-server-amd64.iso
     OS type: Linux
     Version: Ubuntu 14.04
     Use the Browse button. Click Browse Local at the bottom left of the dialog and navigate to the ISO file.
  3. RAM, CPUs: take the defaults. 1GB is plenty of RAM for Ubuntu server. Keep in mind that RAM given to active guests is effectively taken away from the host.
  4. Virtual Storage: the disk size in GB and whether to allocate the entire disk now. Either choice is OK for our purposes.
  5. Final options (this is important). Open the Advanced Options section and attach the guest to the libvirt bridge:
     Bridge name: virbr0
     Keep the other Advanced settings as they are.

Server Installation

During installation, don't click the mouse in the virtual machine window; the keyboard works fine. If the window has grabbed your keyboard and mouse, Ctrl-Alt releases them. Go through a series of pages, taking the defaults for Keyboard and Languages. The choices start here:
  1. Hostname: vm1
  2. User full name: Use your Full Name on MACHINE
  3. Username: LOGIN
  4. Password: your LOGIN password on MACHINE
  5. Encrypt: No (default)
  6. Timezone: America/New_York (default)
  7. Partition: Guided - use entire disk and set up LVM (default). Enter.
  8. Select disk to partition: only one (default). Enter
  9. Write changes: Yes
  10. Amount of volume group: (default) Continue.
  11. Write changes: Yes
  12. HTTP proxy information: empty (default), Continue.
  13. Configuring tasksel: For our purposes, the default (no automatic updates) is OK. For a real system, "Install security updates automatically" is probably better.
  14. Software selection: OpenSSH server (select with space bar), Continue.
  15. Install GRUB: (default)
  16. Finish installation: Continue (default)

Using two machines

After completion of the setup, the virtual machine will boot. Now you have two machines. We will do all operations through the shell. In the descriptions that follow, you have to know which machine each operation applies to, which is indicated by the prompt:
[MACHINE] $ command-on-MACHINE 
and
[vm1] $ command-on-vm1

Set a static IP address

Our goal is to work as little as possible directly in the virtual machine's console window; instead we want to do all our work through an SSH-connected shell. You have to log in once in the virtual machine window to find the dynamic IP address assigned:
[vm1] $ clear
[vm1] $ ifconfig eth0
The information for "inet addr" should be 192.168.122.XXX, a dynamic address. Anything else means the setup we want has not been achieved. Open a shell on MACHINE and SSH in to the virtual machine via the address which showed up:
[MACHINE] $ ssh 192.168.122.XXX
From here we want to set a static IP address. Edit the file

/etc/network/interfaces
...
auto eth0
iface eth0 inet dhcp
Change the iface setting as indicated (the last 4 lines are indented, but the amount is irrelevant):

/etc/network/interfaces
...
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address 192.168.122.11
    gateway 192.168.122.1
    netmask 255.255.255.0
    dns-nameservers 192.168.122.1
Save the changes and reboot the virtual machine:
[vm1] $ sudo shutdown -r now
This will be the fastest reboot you've ever seen. Test to make sure:
[MACHINE] $ ping 192.168.122.11
If OK, assign a name to this IP address. Edit /etc/hosts on MACHINE, adding this line:
192.168.122.11   vm1
Then go in from SSH:
[MACHINE] $ ssh vm1

Access and control of the guest

It is very easy to stop/start from VMM with the green (run) and red (stop) buttons. The console window you used for installation can be closed and easily reopened by double-clicking the virtual machine's line in VMM. Try closing VMM: it will not stop the virtual machines. You can also use the shell-based virsh tool. For example, use this to see the running virtual machines:
[MACHINE] $ virsh list
Try stopping and starting with virsh. First shutdown:
[MACHINE] $ virsh shutdown vm1
Then starting it:
[MACHINE] $ virsh start vm1 
[MACHINE] $ ping vm1
A few seconds after the pings come alive you can SSH in. Started without any arguments, virsh acts as an interactive command shell in its own right:
[MACHINE] $ virsh
virsh # help
Although we prefer SSH access, the virt-viewer command is yet another way to reach a running virtual machine's console, and it works even when the guest has no usable network:
[MACHINE] $ virt-viewer vm1

Root access and updates

We want to be able to access our guest machine from the host through ssh as root. Start by setting the root password in the guest machine:
[vm1] $ sudo passwd root
[sudo] password for LOGIN:  your-password
Enter new UNIX password:  your-password
Retype new UNIX password:  your-password
passwd: password updated successfully
Test access on the host machine:
[MACHINE] $ ssh root@vm1 ls
It will fail. Why? This is a security measure built into Ubuntu server: password logins for root over SSH are disabled by default, and root can only get in with a cryptographic key (the without-password setting below). In general you want to keep that setting; we change it here to allow password access in order to illustrate the point (and to skip the details of creating a key).

On vm1, edit /etc/ssh/sshd_config. Look for the line:
PermitRootLogin without-password
Modify the file by commenting out the line and making a replacement:
#PermitRootLogin without-password
PermitRootLogin yes
Then restart ssh:
[vm1] $ sudo service ssh restart
Now observe successful root ssh access:
[MACHINE] $ ssh root@vm1 ls
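The reason the original line is commented out rather than a new one simply appended is that sshd uses the first value it finds for a keyword; a second PermitRootLogin lower in the file is silently ignored. The Python script below is an added example, not code from the original page: it implements that lookup rule on constructed copies of the relevant sshd_config lines (the stock file, the page's edit, an appended line, and a deleted line) and doubles as a small audit check for whether password root login is enabled. It reads no real files; every input is constructed inline.

```python
"""Determine the PermitRootLogin value sshd will actually use.

Added example, not code from the original page. It implements the
sshd_config(5) rules that matter for the edit described above:
  * keywords are case-insensitive and may be separated from their
    argument by whitespace or by a single '=';
  * for each keyword the FIRST value found wins, so a second
    PermitRootLogin appended below an active one is silently ignored,
    which is why the page comments the original line out;
  * lines whose first non-blank character is '#' are comments;
  * from the first 'Match' line onward settings are conditional, so the
    global value is fixed once a Match line is reached.
"""
import re

# Arguments OpenSSH accepts for PermitRootLogin (prohibit-password is the
# OpenSSH 7.0+ spelling of without-password; both allow key-based root only).
VALID = {"yes", "no", "without-password", "prohibit-password", "forced-commands-only"}

# If the keyword is absent, OpenSSH before 7.0 (the 6.6 shipped with
# Ubuntu 14.04) falls back to "yes"; 7.0 and later fall back to
# "prohibit-password". The stock 14.04 file sets without-password
# explicitly, so deleting that line (instead of editing it) would open
# password root login just as surely as writing "yes".
OLD_DEFAULT = "yes"
NEW_DEFAULT = "prohibit-password"


def effective_permit_root_login(config_text, default=OLD_DEFAULT):
    """Return the global PermitRootLogin value sshd would use, lower-cased."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything below is per-connection; the global value is settled
        if keyword == "permitrootlogin" and len(parts) == 2:
            value = parts[1].strip().strip('"').lower()
            return value if value in VALID else "invalid:" + value
    return default


def root_password_login_allowed(config_text, default=OLD_DEFAULT):
    """True only when root may authenticate by password."""
    return effective_permit_root_login(config_text, default) == "yes"


# Constructed fragments modelled on the relevant lines of the 14.04 file.
STOCK = """\
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
"""

# The page's edit: comment the original out, add a replacement.
EDITED = STOCK.replace(
    "PermitRootLogin without-password",
    "#PermitRootLogin without-password\nPermitRootLogin yes",
)

# A tempting shortcut that does not work: appending to the end of the file.
APPENDED = STOCK + "PermitRootLogin yes\n"

# The other mistake: deleting the line instead of editing it.
DELETED = STOCK.replace("PermitRootLogin without-password\n", "")

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("edited", EDITED),
                       ("appended", APPENDED), ("deleted", DELETED)):
        print(f"{name:9s} -> {effective_permit_root_login(text)}")
```

The "appended" case is the one to remember when auditing a server: a PermitRootLogin yes at the bottom of the file looks alarming but does nothing if an earlier line already set the keyword, and conversely a hardening line appended below a permissive one does not harden anything.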

Initial update of guest

Copy the packages the host has already downloaded into the guest's package cache, so the guest's update does not have to fetch them again (sudo runs rsync as root, so this uses the root SSH access just enabled):
[MACHINE] $ cd /var/cache/apt/archives/
[MACHINE] $ sudo rsync *.deb vm1:/var/cache/apt/archives/
Then do the updates:
[vm1] $ sudo su
[vm1] # apt-get update && apt-get upgrade
[vm1] # shutdown -r now
(apt-get rather than aptitude, which is not part of the default server install.)

NFS

We are going to make our machine an NFS server and serve the /home directory to the virtual machine. Recent Ubuntu systems default to NFS version 4, which seems to need far too much tinkering to get right, so we'll stick with the older version 3.

Server setup

  1. Install the server package:
    [MACHINE] $ sudo apt-get install nfs-kernel-server
    
  2. Export the entire /home file system. Edit the file /etc/exports in MACHINE, adding this line:
    /home 192.168.122.0/24(rw,sync,no_subtree_check)
    
  3. Restart the NFS service and verify the exports:
    [MACHINE] $ sudo service nfs-kernel-server restart
    [MACHINE] $ sudo exportfs
    

Client Setup

  1. Install the client software:
    [vm1] $ sudo apt-get install nfs-common
    [vm1] $ exit
    
    If you have any other shells logged in to [vm1], log out of them as well.
  2. Come in as root and mount the /home directory
    [MACHINE] $ ssh root@vm1 
    [vm1] # mount -o vers=3 192.168.122.1:/home /home
    [vm1] # exit
    
  3. Come back in as you and see your host's home directory.
    [MACHINE] $ ssh vm1 
    [vm1] $ ls -l
    [vm1] $ touch HELLO
    
The directory you see on the guest is the home directory on the server. You can access and use it. The ability to do so is a coincidence: NFSv3 with its default AUTH_SYS security does not authenticate users at all, the server simply trusts the numeric uid and gid that the client kernel sends with each request, and your login happens to be uid and gid 1000 on both machines, being the first user created on each. The flip side is that anyone who is root on any host in 192.168.122.0/24 can create a local user with uid 1000 and read and write your files.

Now see what happens when you try to do something within the mounted file system as root:
[vm1] $ sudo touch AGAIN
touch: cannot touch ‘AGAIN’: Permission denied
Why? I thought I was root! It turns out you're not root as far as /home is concerned; you're nobody. This is the effect of the default security measure called "root squash": requests arriving as uid 0 are mapped to the anonymous user nobody for the exported file system, unless the no_root_squash flag (which should generally be avoided, since it lets root on any permitted client act as root on the server's files) is set in /etc/exports:
/home 192.168.122.0/24(rw,sync,no_subtree_check,no_root_squash)
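Root squash is a server-side setting, and so are the other export options that decide how much a client is trusted. The Python script below is an added example, not part of the original page: it parses an /etc/exports file in the exports(5) layout used above and flags the entries a reviewer would question, namely no_root_squash, an export to every host (*), a writable export to a wildcard hostname, and insecure (which accepts requests from non-privileged source ports, so any user on the client, not just root, can speak NFSv3 AUTH_SYS directly and claim whichever uid it likes). The sample file and its paths are constructed for the example.

```python
"""Flag /etc/exports entries that weaken the protection root squash gives.

Added example, not part of the original page. The parser follows the
exports(5) layout: one export per line, a path, then whitespace-separated
client specs each optionally followed by (options). Unspecified options
take the exportfs defaults, in particular ro, root_squash and secure. The
sample file below is constructed for the example; its paths are not real.
"""
import re

# One client spec: host, IP, network or wildcard, with optional (options).
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


def _options(option_string):
    """Reduce an option list to the three switches the audit cares about."""
    opts = {"ro": True, "root_squash": True, "secure": True}  # exportfs defaults
    for opt in (o.strip() for o in (option_string or "").split(",")):
        key = opt.split("=", 1)[0]  # anonuid=65534 -> anonuid
        if key == "rw":
            opts["ro"] = False
        elif key == "ro":
            opts["ro"] = True
        elif key == "no_root_squash":
            opts["root_squash"] = False
        elif key in ("root_squash", "all_squash"):
            opts["root_squash"] = True
        elif key == "insecure":
            opts["secure"] = False
        elif key == "secure":
            opts["secure"] = True
    return opts


def parse_exports(text):
    """Return a list of (path, [(client, options)]) tuples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        clients = []
        if len(parts) == 2:
            clients = [(m.group(1), _options(m.group(2)))
                       for m in CLIENT_RE.finditer(parts[1])]
        exports.append((parts[0], clients))
    return exports


def audit_exports(text):
    """Return (path, client, issue) triples a reviewer should question."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if not opts["root_squash"]:
                # client root becomes root on the server's files: the flag the text warns about
                findings.append((path, client, "no_root_squash"))
            if client == "*":
                findings.append((path, client, "exported_to_all_hosts"))
            elif ("*" in client or "?" in client) and not opts["ro"]:
                findings.append((path, client, "rw_to_wildcard"))
            if not opts["secure"]:
                # requests from ports >= 1024 accepted: any user on the client, not only
                # root, can speak NFSv3 AUTH_SYS directly and present any uid it likes
                findings.append((path, client, "insecure_ports"))
    return findings


# Constructed sample modelled on the /etc/exports lines in the text.
SAMPLE = """\
# /etc/exports (constructed for this example)
/home        192.168.122.0/24(rw,sync,no_subtree_check)
/srv/build   192.168.122.0/24(rw,sync,no_subtree_check,no_root_squash)
/srv/pub     *(ro,insecure)
/srv/shared  *.lab.example(rw,sync)   10.0.0.5(rw,sync,no_root_squash)
"""

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(f"{path:12s} {client:20s} {issue}")
```

Run against the real file on the server with `python3 audit.py < /etc/exports` after replacing SAMPLE with `sys.stdin.read()`; the page's own /home line comes back clean, and only the no_root_squash variant is reported.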

Set up NFS mount on boot

You want /home to be mounted on boot. Edit the file /etc/fstab and add this line at the end
192.168.122.1:/home   /home   nfs  nfsvers=3   0  0
You can, of course, do this change as root, because /etc/fstab lives on the guest's own disk and not within the NFS-mounted file system.

NFS/LDAP Client

You need to have gone through the LDAP document to be able to complete this section.

In general we want to avoid replicating user and password information on the client, so making our NFS client an LDAP client as well is a common way to deal with this issue. Install the basic LDAP client-side login access packages on the guest:
[vm1] $ sudo apt-get install libnss-ldap ldap-utils
Make these choices in the configurator:

LDAP server: ldap://192.168.122.1 (not the default)
Distinguished name base: dc=MACHINE (not the default)
LDAP version: 3 (the default)
Make local root Database admin: No (not the default)
Does the LDAP database require login: No (the default)

Create the setup that allows system clients to authenticate against LDAP:
[vm1] $ sudo auth-client-config -t nss -p lac_ldap
Finally, run this command to establish LDAP authentication within PAM:
[vm1] $ sudo pam-auth-update
Tab to OK and Enter. Then reboot the virtual machine:
[vm1] $ sudo shutdown -r now
Once it is back up, give aperson a home directory on the host if you haven't already done so:
[MACHINE] $ sudo cp -r /etc/skel /home/aperson
[MACHINE] $ sudo chown -R aperson:aperson /home/aperson
Then to test, log into the guest as aperson:
[MACHINE] $ ssh aperson@vm1
If you've forgotten the password you created for aperson, you can always change it by:
[MACHINE] $ python ~/workspace/ldap/changePwd.py 

LDAP utils on virtual machine

If you want to use the ldap-utils (ldapsearch, etc.), you have to point /etc/ldap/ldap.conf at the server, using the same base as in the configurator above (the original shows dc=spock, spock being the name of the machine the document was written on):
BASE    dc=MACHINE
URI     ldap://192.168.122.1
You can test:
[vm1] $ ldapsearch -x


© Robert M. Kline