Paranoid Penguin - Running Network Services under User-Mode Linux, Part III
If you patched your UML host's kernel with the SKAS patch, you've already got reasonably good assurance that an attacker who compromises a UML guest won't be able to do much, if anything, on the host system. However, I'm not one to argue against paranoia, so I also recommend you chroot your UML guest system. This is described in detail on the UML Wiki (see Resources). And, what about shell access to your UML guests? There are various ways to access “local consoles”. You get one automatically when you start your UML guest from a UML host shell manually—after your UML kernel loads, you'll be presented with a login prompt.
That doesn't do you much good if you start your UML guest automatically from a script, however. The “Device Inputs” page on the User-Mode Linux home page (see Resources) describes how to map UML guest virtual serial lines to UML host consoles. For me, however, it's easiest simply to install SSH on my UML guest system, configure and start its SSH dæmon, and create a firewall rule that allows connections to it only from my UML host.
Generally speaking, you want to use the same security controls and tools on your UML guest (tripwire, chrooted applications, SELinux, tcpwrappers and so on) as you would on any other bastion server.
Describing in detail the process of building your own root filesystem image from scratch would require its own article (one which I may yet write). Suffice it to say, the process is all but identical to that of creating your own bootable Linux CD or DVD, without the final step of burning your image file to some portable medium. There are three major steps:
Create an empty filesystem image file with dd.
Format the image file.
Mount it to a directory via loopback.
Install Linux into it.
The first three steps are the easiest. To create a 1GB ext3 image file, I'd run the commands shown in Listing 3 as root.
Listing 3. Making and Mounting an Empty Filesystem Image
dd if=/dev/zero of=./mydebroot bs=1024K count=1000 mkfs.ext3 ./mydebroot mkdir /mnt/debian mount -o loop ./mydebroot /mnt/debian
Installing Linux into this directory gets a bit more involved, but if you've got a SUSE host system, the Software module in YaST includes a wizard called “Installation into Directory”. Like other YaST modules, this is an easy-to-use GUI.
Similarly, if you run Debian, you can use the command debootstrap. See Michael McCabe and Demetrios Dimatos' handy article “Installing User Mode Linux” for detailed instructions on using debootstrap to populate your root filesystem image.
See the UML Wiki for some pointers to similar utilities in other distributions. The Linux Bootdisk HOWTO (see Resources), although not specific to UML, is also useful.
I hope you're well on your way to building your own virtual network servers using User-Mode Linux! The two most important sources of UML information are the UML home page and the UML Wiki (see Resources). Those and the other Web sites mentioned in this piece should help you go much further with User-Mode Linux than I can take you in an introductory series of articles like this. Have fun, and be safe!
Resources for this article: /article/9457.
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
- Readers' Choice Awards 2013
- AIDE—Developing for Android on Android
- Best. Cake. Ever.
- Two Pi R
- The Geek's Guide to the Coolest 2013 Holiday Gifts
- Non-Linux FOSS: Let's Make Music Together
- A Handy U-Boot Trick
- Raspberry Pi: the Perfect Home Server
- RSS Feeds
- Tech Tip: Really Simple HTTP Server with Python
27 sec ago
- Thanks for clearing that up.
5 hours 23 min ago
- Nice coding on the cake. I
16 hours 55 min ago
- Baker's identity
21 hours 45 min ago
- Uber jealous
1 day 2 hours ago
- Reality is disapointing
1 day 13 hours ago
- Máy sấy quần áo
1 day 16 hours ago
- Services on GlusterFS
1 day 16 hours ago
- Reply to comment | Linux Journal
1 day 17 hours ago
- Definitely cool stuff here
1 day 18 hours ago