Embed Size (px)
Citation preview
Modeling NetworksAnd
Services with VirtualBox
Alan WhineryU. Hawaii ITS
Personal Network Modeling● I'm ignoring VMWare, Microsoft, etc, not
because they aren't great things● But because they require money and
paperwork● You can do a lot with cost-free virtualization● VirtualBox is feature-rich, and easy to use● There are many options, free and otherwise●
VirtualizationVirtualization
Free-of-charge Virtualization (x86,x86-64)● VirtualBox – Innotek/Sun/Oracle (Guests: Various)
● Hosts: Linux, Windows MacOS X+,Solaris● Xen (Guests: Various)
● Hosts: NetBSD, Linux, Solaris● KVM (Guests: Linux)
● Hosts: FreeBSD, Linux, Solaris, Windows● QEMU (Unices, Windowses)
● Hosts: Linux, FreeBSD, OpenBSD, Solaris, Windows● DosBox (DOS)
● Linux, Windows, Mac OS classic, Mac OS X, BeOS, FreeBSD, OpenBSD, Solaris, QNX, IRIX, MorphOS, AmigaOS, Maemo, Symbian
● Many Others
Alternatives● “Peaceful Co-existence” Schemes
● FreeBSD Jail● Linux vServer● User Mode Linux
● Complete Emulation● Pear PC (PowerPC Emulation)
– Guests:Mac OS X, Darwin, Linux– Hosts: Linux/Windows
Oracle VM VirtualBox● Originally Start-Up Innotek
● Bought by Sun– Bought by Oracle
● Originally came in Open Source and Non-Open-Source versions● Now comes in one version; closed source stuff in
“extension pack”● Extension Pack Includes
– USB 2.0– Remote Desktop Protocol– PXE (Boot from network)– PCI pass-through (Linux only)
Oracle VM Virtualbox● Runs On Linux*, Windows, Solaris, Mac OSX● Reasonably fast● Reasonably efficient/lightweight● Versatile beyond the GUI (which is not needed)● Easy way to try Live-CD images from ISO files● Install from ISO images
● To virtual hard drive or physical● Boot from existing hard drives or partitions● Or other VM's virtual drive images (VMWare,
*Vbox Linux Driver Declared Tainted● ~ October 11th 2011, Linux Kernel developers
marked VirtualBox Linux module as “tainted_crap”, because of the number of issues reported
● I used it daily for 8 months last year on my office desktop to keep a Windows XP guest running on my Ubuntu Desktop, and didn't have any problems
● YMMV● This has no reported relevance to Vbox use on
a Windows, Mac OS X or Solaris host
*Vbox Linux Driver Declared Tainted● If you want to set up virtual servers on a
Hypervisor and control them with Linux, use Xen
● If you want to build a cloud, use Xen● Xen is not (yet) the on-the-desktop tool for our
scenario● If you want to try VBox on Linux, you may or
may not have problems● Otherwise, KVM and Qemu offer alternative
paths to enlightenment
LiveCD VMs● Many LiveCD instances (Knoppix, Slax) allow
you to keep persistent changes on USB or hard drive
● Useful if HDD space is short, and RAM is plentiful (the opposite of normal)
● LiveCDs can have slower performance than installed systems, but offer low impact trials of useful “appliance” style systems
Some LiveCD VM Suggestions● Ubuntu 11.10 (or whatever you have)
● Offers “Install” versus “Try” (LiveCD Mode)● Good if you just need a GUI Desktop for a browser test
● BackTrack● Security-oriented Linux
– KDE based LiveDVD ISO– Gnome based VMWare image (which you can import)
● Slax – Modular, custom LiveCD● slackware based
● Internet2 Network Performance Toolkit ● Knoppix – The Mother Of Most Linux LiveCDs● http://en.wikipedia.org/wiki/Comparison_of_Linux_distributions#Live_media
● http://en.wikipedia.org/wiki/List_of_live_CDs
Terms: Network Address Translation(NAT)
● A “NAT device” translates addresses in packets that travel through it
● Common “one-to-many” NAT obscures the presence of multiple devices on a network, making them appear as one IP address from the point of view of “the Internet”
● NAT is often used as a way of using several computers with a single “real” IP address
Terms: Network Address Translation(NAT)
Simple VNet
VirtualBox Networking Modes● Bridged● NAT● Host-Only● Internal● Generic
VBox Networking: NAT● Default mode
● Virtual Machine has an interface connected to a virtual NAT, which is a service on your host system
● Addressing, routing, DNS taken care of, IF the VMOS is configured for DHCP (most will be)
● Two concurrently running VMs are on different NATs, and cannot communicate with one another
● VMs cannot communicate with the Host machine● Useful/Easy in the single VM universe● Capability for port-forwarding● Can't add routes; internal net is one layer deep
Vbox Networking: Bridged● Uses a physical interface on the physical box● Appears as a separate host on the real network● If your local segment has DHCP, it can use real
DHCP, and access the Internet as a regular host
● Does not require physical interface to be configured for IP, or have an address
VBox Networking: Internal Net● Can create multiple segments● No connectivity to the Host Machine● VMs can communicate on Internal segments● Solely for inter-VM communication● A third party observer on an Internal segment
sees everything, as it would on a hub, or coax segment
VBox Networking: Host-Only● Can create multiple segments● Each has an interface on the Host Machine● VBox will supply a DHCP service per segment● VMs can communicate on H-O segments
● With each other● With Host Machine
● A third party sniffer on an H-O segment sees multicast/broadcast only
Vbox Networking: Generic● Seldom used● UDP Tunnel (Linux Host only)● VDE (Virtual Distributed Ethernet)
● Need to compile VBox from source● (GRE) – alternative to Generic for direct peering
between VMs on different Hosts● If they're on the same segment, just use
Ethernet
Vbox Net Modes
Creating A VM
Creating A VM
Creating A VM
VM Attributes
Cloning
Cloning
Cloning
>>
Cloning● For the Ubuntu 11 server case –● To make Ethernets start over at “eth0”
● /etc/udev/rules.d/70-persistent-net.rules● Delete all Ethernet entries
● Edit /etc/hostname● Regenerate OpenSSH keys
● /bin/rm /etc/ssh/ssh_host_*● dpkg-reconfigure openssh-server
● Reboot
Cloning● The Cloning Process is essentially the same
thing as:● Copying the VDI file that holds the VHardDisk● Creating a new VM ● Choosing “use existing disk” and specifying the
copy● Just in case you want to move a copy to a new
machine● You can also export machines, which is
probably better to share them with others
Indexing Your MAC AddressesHere I set the last 4 digits (or 2 bytes) of Routie3's “net01” interface to “0301”
Windows Interface Names
Terms: Routing● Refers to information kept by every device on the
Internet, about where to send packets● 99.9999999% of devices have two routes:
– The connected IP “subnet” (automatic if interface is up)– “Default route”, or “everything else is that-away” (DHCP,Manual)
● 0.0000001% need more– Biology net is down the hall to the right– Engineering net is the other way, downstairs, and left
● DHCP normally installs a default route for you.● In manual addressing, you have to type it in, in the
form of a “gateway” IP address
Terms: Routing● A NAT device interrupts routing, and tells its
internal and external nets what they need to hear to get the job done
● NAT may introduce difficulties if your VNet needs to be part of the Internet
● NAT can work well, if you only need Internet access for package/update management
Making A Router● Step-by-step process to make a Linux instance into
a router:1) echo 1 > /proc/sys/net/ipv4/ip_forward2)echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
● The rest of what “real routers” do is all about obtaining and maintaining a list of routes
● Unless you're specifically interested in the operation of routing protocols, and dynamic re-routing, and stuff like that, you should probably just set static routes
● Your OS will set a route for each of its attached networks automatically
● DHCP clients will almost always get a default route via DHCP
How To View/Set/Delete Routes● Linux/MacOS/BSD/Solaris
routie1:~$ sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 172.25.1.1routie1:~$ route -nKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface0.0.0.0 128.171.6.5 0.0.0.0 UG 100 0 0 eth0128.171.6.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0172.25.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2192.168.2.0 172.25.1.1 255.255.255.0 UG 0 0 0 eth2192.168.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
Routie1:~$ sudo route del -net 192.168.2.0 netmask 255.255.255.0 gw 172.25.1.1
Changing Default:
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.25.1.1ORsudo route add -net default gw 172.25.1.1
How To View/Set/Delete Routes● Linux(probably others) ipv6
routie01:~$ route -A inet6 -nKernel IPv6 routing tableDestination Next Hop Flag Met Ref Use If2607:f278:4101:11::/64 :: UAe 256 0 8 eth0fe80::/64 :: U 256 0 0 eth1fe80::/64 :: U 256 0 0 eth0fe80::/64 :: U 256 0 0 eth2::/0 fe80::222:55ff:fe49:d2c1 UGDAe 1024 0 1 eth0::/0 :: !n -1 1 14 lo::1/128 :: Un 0 1 7 lo2607:f278:4101:11:a00:27ff:fe2a:9712/128 :: Un 0 1 0 lofe80::a00:27ff:fe00:102/128 :: Un 0 1 0 lofe80::a00:27ff:fe00:103/128 :: Un 0 1 0 lofe80::a00:27ff:fe2a:9712/128 :: Un 0 1 2 loff00::/8 :: U 256 0 0 eth1ff00::/8 :: U 256 0 0 eth0ff00::/8 :: U 256 0 0 eth2::/0 :: !n -1 1 14 lo
Routie01:~$ sudo route -A inet6 add 3ffe::/32 gw 2607:f278:4101:11:21e:68ff:fe57:acd3
How to ping ipv6● Linux (and similar Unices)routie@routie01:~$ ping6 www.google.comPING www.google.com(pw-in-x67.1e100.net) 56 data bytes64 bytes from pw-in-x67.1e100.net: icmp_seq=1 ttl=53 time=75.4 ms64 bytes from pw-in-x67.1e100.net: icmp_seq=2 ttl=53 time=70.4 ms64 bytes from pw-in-x67.1e100.net: icmp_seq=3 ttl=53 time=71.0 ms^C--- www.google.com ping statistics ---3 packets transmitted, 3 received, 0% packet loss, time 2003msrtt min/avg/max/mdev = 70.493/72.328/75.400/2.207 ms
● Also: traceroute6
How to ping ipv6● WindowsC:\Users\Whinery>ping www.google.com
Pinging www.l.google.com [2001:4860:8004::67] with 32 bytes of data:Reply from 2001:4860:8004::67: time=71msReply from 2001:4860:8004::67: time=70msReply from 2001:4860:8004::67: time=70msReply from 2001:4860:8004::67: time=70ms
Ping statistics for 2001:4860:8004::67: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 70ms, Maximum = 71ms, Average = 70ms
● You can force v6 by using “ping -6 www.google.com”
C:\Users\Whinery>route print===========================================================================Interface List 10...8c 89 a5 32 33 01 ......Realtek PCIe GBE Family Controller 18...08 00 27 00 dc 1f ......VirtualBox Host-Only Ethernet Adapter 1...........................Software Loopback Interface 1 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2===========================================================================
IPv4 Route Table===========================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.3.5 192.168.3.172 20 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.3.0 255.255.255.0 On-link 192.168.3.172 276 192.168.3.172 255.255.255.255 On-link 192.168.3.172 276 192.168.3.255 255.255.255.255 On-link 192.168.3.172 276 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.56.1 276 224.0.0.0 240.0.0.0 On-link 192.168.3.172 276 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.56.1 276 255.255.255.255 255.255.255.255 On-link 192.168.3.172 276===========================================================================
How To View/Set/Delete Routes● Windows
How To View/Set/Delete Routes● Windows (cont'd) Persistent Routes:
NoneIPv6 Route Table===========================================================================Active Routes: If Metric Network Destination Gateway 10 276 ::/0 fe80::222:55ff:fe49:d2c1 1 306 ::1/128 On-link 10 28 2607:f278:4101:11::/64 On-link 10 276 2607:f278:4101:11:c8e4:ef3b:3458:ac05/128 On-link 10 276 2607:f278:4101:11:e158:ed19:e90a:5791/128 On-link 18 276 fe80::/64 On-link 10 276 fe80::/64 On-link 18 276 fe80::a128:cf4d:377:db78/128 On-link 10 276 fe80::e158:ed19:e90a:5791/128 On-link 1 306 ff00::/8 On-link 18 276 ff00::/8 On-link 10 276 ff00::/8 On-link===========================================================================Persistent Routes: NoneC:\Users\Whinery>
How To View/Set/Delete Routes● Windows (cont'd)
Type “route” to get adequate help on the Windows “route” command
route add 192.168.2.0 mask 255.255.255.0 192.168.3.45route delete 192.168.2.0 mask 255.255.255.0 192.168.3.45route change 192.168.2.0 mask 255.255.255.0 192.168.3.45route add 0.0.0.0 mask 0.0.0.0 192.168.3.45route add 3ffe::/32 3ffe::1
An Oneiric Linux Building Block● Arbitrary choice for Linux-based block● Ubuntu “Server” is lighter than “Desktop”● Ubuntu Server 11.10 “Oneiric Ocelot”
● DHCPd (apt-get install isc-dhcp-server)● Apache server (apt-get install apache2)● Squid web cache/proxy (apt-get install squid)
– AdZapper– Etc
● Ubuntu tastes a lot like Debian● If you have time invested in an RHEL or Fedora,
you may like CENTOS
How to set up a Linux router with OSPF/RIP/RIPng/BGP/ISIS
● Quagga (a fork/continuation of Zebra)● sudo apt-get install quagga
● Quagga.net● Adequate treatment of this would take a whole
'nother BrownBags● Offers sort-of-like-Cisco CLI● No, you can't peer with our OSPF or BGP
Open vSwitch● Virtual Switch that runs in Linux● Implements OpenFlow switching control language● Uses “virtual” and “physical” interfaces
● Including ““physical”” interfaces on VMs. ● If you want to play with it, download the OpenFlow
demo VM and perhaps do the OpenFlow Tutorial:● http://www.openflow.org/wk/index.php/OpenFlow_Tutorial● Several commercial physical switches are OpenFlow
compatible
Really Interesting Things To Do● Move a running instance from one Vbox to
another across the network (Teleporting)● Run a VM with a real disk
● Windows requires run VBox as Administrator● Add 4 more Ethernets for total of 8
● With VBoxManage ● Incarnate A Virtual Host● Virtualize a Physical host● Use VMWare/MS VHD/ disks
Virtual Gateway for Real Host
