[K12OSN] teaching kids sys admin with VM's

Les Mikesell les at futuresource.com
Fri Jan 18 00:03:58 UTC 2008 

Robert Arkiletian wrote:
> On 1/17/08, Les Mikesell <les at futuresource.com> wrote:
>> Network wise, vmware can look like a separate box bridged to the NIC(s)
>> on the host (separate IP's on the same subnet) or the host can NAT so it
>>   only uses the host IP externally.
> 
> So I would prefer NAT to eth1 or bridged to eth0. So no service runs
> on outside network. Can I as root restrict this choice? Or can they
> choose since they are the owner of the VM.

You configure on the host side which NIC(s) to bridge and/or nat.  Then 
these appear as virtual interfaces to the guest OS.  The guest only sees 
the interfaces that you pre-configured on the host when you ran the 
vmware-configure.pl script (which you have to do when you ugrade the 
vmware software or the host kernel).  There is also an option of 'host 
only' networking so the guests can see themselves and the host only like 
an isolated subnet which normally isn't useful for anything but testing. 
  If you want tighter control you could use only that with iptables nat 
forwarding for anything you want to get out.

To go through the motions of installing a vmware guest, just have a copy 
of the install DVD iso image downloaded on the host, and when creating 
the new VM, connect the machine's CD to the iso image and boot from it. 
The default new machine bios will boot from the virtual hard drive first 
if it is bootable, but on the first boot that will fail and you'll boot 
from the install image.  After an install makes the virtual HD bootable, 
you'll have to go into the virtual bios (hit f2 during boot just like a 
real machine...) and make the CD first in the boot order.

>   One thing to watch security-wise is
>> that if you have NFS-exported home directories, anyone who can become
>> root on a client machine can impersonate anyone else and access their
>> files over NFS.
>>
> 
> Rats! Forgot about that.  It's okay with my current setup since I
> don't run a separate nfs server. But instead of running everything on
> the server I was thinking about switching from ltsp to a diskless
> client setup (100% local apps)
> Since ddr2 ram is so cheap now and a c2d celeron e1200 is $55, one can
> buy a nice cheap diskless client today. Problem is a diskless client
> would need to mount home over nfs. Which rules out having a VM since
> kids could change their uid in the VM.

It might be useful to also mount the home directories into the vmware 
machines - and/or some common space with pre-downloaded RPM's, etc. but 
you can do that with cifs, limiting it to only a single user's 
permissions established with a password at mount time.

-- 
   Les Mikesell
    lesmikesell at gmail.com

More information about the K12OSN mailing list