Documentation


Viewing posts for the category Omarine User's Manual

Building a fault-tolerant firewall system with virtual machines: Configuring X to use qxl video driver

Now we work on the fw-1 virtual machine. First let's try to see with the -vga qxl definition, which video driver qemu will give us in the kernel. You run this command:

Building a fault-tolerant firewall system with virtual machines: Accessing remote virtual machine

We are working on a remote physical machine named ngoc at 192.168.0.12. This machine acts as a client to access virtual machine fw-1 on host machine omarine at 192.168.0.3. The communication port is 3001, which we configured when setting up the fw-1 virtual machine in the previous post.
The access command is as follows:

Building a fault-tolerant firewall system with virtual machines: Creating virtual machine with qemu

For secure purpose, do not run qemu as root. However, there are situations where the virtual machine creation process is forced to use root privileges. This should be controlled and considered empowering decision-making for the admin and  the security policy.
When qemu runs the bridge helper program to create tap devices that require root privileges, which defaults to the binary /usr/libexec/qemu-bridge-helper, this binary can be run as root because it is set uid root

The snapshot above shows that only users in the kvm group can use the helper program. Furthermore, the helper program can only run if the administrator configuring to allow access for the corresponding bridge devices in the /etc/qemu/bridge.conf configuration file.
It's not enough. In terms of security, the qemu-bridge-helper binary has the type virt_bridgehelper_exec_t. It will run in the virt_bridgehelper_t domain and is able to open /dev/net/tun only if the following rule is included in the security policy:

Building a fault-tolerant firewall system with virtual machines: Creating disk image

Each virtual machine needs a disk image containing the operating system. We have three virtual machines so we need three disk images. However, just create one image and then make copies of the other two.

Creating partitions and filesystem on disk
An operating system generally needs one root partition and one swap partition. We practice on a USB stick or a USB hard disk. Assuming the device name is /dev/sdb. The commands below create a 10G root partition (exactly, minus the first 1M on disk) and a 2G swap partition, and create the root filesystem on the root partition

Building a fault-tolerant firewall system with virtual machines: Creating bridge devices and tap interfaces

The tap network backend is the most appropriate configuration option in qemu for us to create network interfaces for virtual machines because virtual ethernet interfaces created in such a way are considered as normal ethernet devices without any restriction. We also need bridge devices to connect the interfaces in the networks.
By design, a bridge device is used to attach ethernet interfaces at its bridge ports. The bridge device then becomes a logically large ethernet interface consisting of a bunch of attached ethernet interfaces. The bridge is addressed instead of the ethernet interfaces participating in the bridge. In this case the bridge becomes a gateway to the network of the participating ethernet interfaces. But our firewall system does not use such functionality.

Non-grounding bridge solution