Apache Virtual Computing Lab Capstone

Nov 20, 2013 (3 years and 9 months ago)

The University of Pittsburgh at Bradford
300 Campus Drive
Bradford PA, 16701
814-362-7660

1/16/2012

Aaron Bryant




Introduction:

A VCL Server is an open-source system used to dynamically provision and broker remote access to a dedicated compute environment for an end-user.

This project is a pilot project that may be used by the University of Pittsburgh at Bradford to allow students to connect into virtual computers on campus. Students will use their University of Pittsburgh student credentials to log into the VCL (Virtual Computing Lab) Server and will then be brokered remote access to an open virtual computer. I used two identical servers in the process. Each has a one terabyte HD and a limited four gigabytes of RAM. This is adequate for testing purposes but will be replaced before being put into operation.

The first server will be used as the management node, controlling the virtual computers on the second server. The management node server will be created using Fedora 15 as the operating system and the Apache VCL software to do the managing. The second server will use VMware virtualization to hold the virtual images of each machine.


Setup:

To make the setup as secure and safe as possible during testing, the testing environment will be enclosed behind a router and private IP addresses will be used for all components. Even though these servers are only being used for testing, security is of the utmost importance. Without protection, they could be compromised during any part of the testing process. Once infected, they would be able to affect the rest of our system after deployment. Directly behind the router, I have placed a gigabyte switch to allow ample connections.



History:

The VCL project was created by two departments at NCSU, to meet a demand for students to access resources on campus. In 2008, the project was accepted into the Apache Software Foundation as an incubator project. For more information on the project’s history, visit the link below.

http://vcl.ncsu.edu/vcl-history


Technologies Utilized:


Body of Paper:

I began the initial stages of installing operating systems and programs. It was decided ahead of time that Wes Milliron would be working with the VMware side of the project while I built the VCL server. I started by downloading and installing Fedora 15 on the server. I decided that it would be best to do a basic installation with only Apache HTTP Server without any add-ons, such as MySQL. This was decided because later on, programs will need to be compiled together and would be much easier to do from scratch.

Once the installation was complete, I downloaded the Apache VCL source code with the wget command and extracted the files. I then moved on to installing MySQL Server. Once installed, it was set to start automatically. I checked that there was nothing blocking port 3306, which is used to pass traffic between the management node and MySQL daemon.

With the initial configuration done, I created a database for the VCL. My background in SQL Server made this process much easier. The database from the downloaded VCL server files was then imported into the MySQL database just created.

The next step was to optionally install phpMyAdmin. I chose to do this to make the process of managing the database easier. Cwiki also has a guide on installing this. At this point the VCL server database has been created and imported. The next step will be to install and configure the web components.

Since I installed Apache HTTP along with the Fedora install, there was no need to do so at this step. I then began to install the required Linux packages and PHP modules. I used a yum install to gather the required packages and modules. The only problem I encountered at this step was that one of the PHP packages would not install and therefore crashed the script. I did some searching online and found another place to get the required module. After the manual installation, I ran the yum install again and finished the rest of the required packages and modules. Once it was all installed, I configured the HTTPD server daemon to start automatically at levels 3, 4, and 5 and started the daemon.

Now that the HTTPD web server daemon has been configured, it is time for the VCL frontend web code to be configured and installed. There is a web frontend that comes with the VCL software located in the extracted source code. I proceeded to copy the web frontend code to the /var/www/html/vcl/ folder. Once all files were extracted to the html folder, the software was patched. A simple wget command was used to download the patch and then it was installed. Inside the vcl/.ht-inc folder are two PHP files used to hold the secure information about the VCL database and private passwords. The secrets-default.php was copied to secrets.php and then edited. Once this was configured, I copied and configured conf.php. There is a section marked with things that need to be modified.

The last thing to do for this section was to try to log in to the web front end. When I configured the PHP files, I used the IP address, so I tested the site by accessing it through the IP address. VCL has a built-in test PHP site which I accessed. It runs scripts to test that things are configured properly. Unfortunately my test failed. The next step will be to address this problem and continue onto the Management Node configuration.



My first attempt to run the TestSetup PHP page was unsuccessful. Under the test page, it reads that there is a missing PHP extension: sysvsem. After some quick Google searching, I found that the simple answer was to run an administrative yum install of the missing PHP extension. Therefore, to fix the problem, I ran:

sudo yum install php-sysvsem


Once the install was complete, I restarted the Apache HTTPD daemon and reran the TestSetup PHP script. This time all extension tests were successful.

I then accessed the index.php page by the IP Address. Since the index.php file was located inside the VCL folder, the address was http://192.168.0.2/vcl/index.php. This was a success and the login page displayed properly in the web browser. I entered the default administrator username and password as a local account and was granted access to the rest of the user interface. Once logged in, the default password for the administrator can be changed under User Preferences. At this point, it was time to add the management node to the database.

I began by clicking the Management Nodes link on the left. I then clicked Add and proceeded to fill in the required fields. When I came to Hostname, I chose to use vcl-server.upb.pitt.edu. Although this isn’t going to work at this point in the process, it will be used later instead of the IP Address in the web browser. For my testing environment, I will need to build a DNS server to look up this hostname. Later on I will also need to add additional local accounts. This isn’t necessary at this point for my testing.

Also available in this configuration is LDAP authentication. It will be necessary for me to enable the management node server to bind with the university’s LDAP authentication server to allow students to log in with their university credentials. At this point, the configuration was done and I submitted. The final step was to add the management node to the management node grouping using the link on the left.


(Picture completing web components)

The first step in installing and configuring the management node was to use the already downloaded Apache VCL source files to copy the management node directory. I chose to place it in the typical /usr/local/vcl directory. Once this was done, it was time to install the required Linux packages and Perl modules. Built inside the VCL management node source files is a Perl script that does most of the work for us. When I tried this, my script failed at Perl module: Object::InsideOut. After some Google searches, I found some promising material and tried it. I used the following code to install the module:

yum search perl-Object-InsideOut
yum install perl-Object-InsideOut.noarch
yum info perl-Object-InsideOut.noarch


Once I ran this code to install the needed Perl module, I reran the built in Perl script to install the rest of the modules successfully. The next step is to configure the vcld.conf file inside the /etc/vcl directory. To do this, I first made the /etc/vcl directory, then copied the default vcld.conf file to the directory, and finally edited the file to fit my network setup. In this file, a FQDN is requested. I again used vcl-server.upb.pitt.edu even though I haven’t created an entry for this.

At this point, the VMware server has been set up and two test machines have been created: Fedora 15, and Windows 7. They have had nothing configured on them, only a base install of the operating system and system updates. This is when I started to be confused by the Apache Incubator documentation. The process of creating a base image on the VMware server is slightly confusing to get to. It isn’t in the normal installation but in a category of its own. The biggest problem that I have with the documentation is that they don’t describe anything they are doing, making problems much harder to address.

In the base image creation documentation, they describe how to create a base image for VMware in general, but then become even more specific inside that documentation. Inside the Windows 7 base image documentation is where I found the software that I need to configure the SSH between the VMware image and the management node. The Cygwin software that needs to be configured on the Windows virtual machine is a Linux-type environment for Windows. This allows Linux software to be ported to Windows machines.

Before I got too involved in configuring the SSH, it was about time to create a DNS server. I created a Windows Server 2008 virtual machine on the VMware server to host the DNS for the test network. After this was done, I added a reference for the Apache VCL server’s IP address to vcl-server.upb.pitt.edu. Once this was done, I went through the configuration files for the server and made them all reflect the new name. Additionally, I created the hostname of vsphere.upb.pitt.edu for the VMware server.

The next step was to configure the SSH client on the management node. When I attempted to open the SSH configuration file, it was empty. I then went into the file and added the necessary lines. Now it was time to install and start the VCL daemon service. I copied the service script from the source directory out into the init.d/vcld directory. The service was then added to the chkconfig and configured to start at run time. I came across a problem at this point when I started the service and checked the VCL daemon log file.

“Unable to retrieve management node information from database”

After checking some of the configuration files, I was made aware that I had originally made some of the files reference localhost and others vcl-server.upb.pitt.edu. I changed them all to the new hostname and the log file read out correctly.
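
The mixed localhost / vcl-server.upb.pitt.edu references described above can be found before the daemon is started by scanning the configuration files for lines that still name the loopback host. This is an added example, not code from the original paper or from the VCL project; the sample file contents and the key names in them (FQDN, server, $vclhost) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VCL project code. The sample files and the key names in
# them (FQDN, server, $vclhost) are constructed for illustration.

# check_host_refs EXPECTED_FQDN FILE...
# Prints "STALE file:line:text" for each non-comment line that still names
# localhost or 127.0.0.1, "OK file" for files that name only EXPECTED_FQDN,
# and "NOREF file" for files naming neither. Returns 1 if any STALE line exists.
check_host_refs() {
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        # Drop comment lines first so explanatory text is not flagged.
        stale=$(grep -nEv '^[[:space:]]*(#|//)' "$f" |
            grep -Ei '(^|[^a-z0-9.-])(localhost|127\.0\.0\.1)([^a-z0-9-]|$)' || true)
        if [ -n "$stale" ]; then
            printf '%s\n' "$stale" | awk -v f="$f" '{ print "STALE " f ":" $0 }'
            rc=1
        elif grep -qiF -- "$expected" "$f"; then
            echo "OK $f"
        else
            echo "NOREF $f"
        fi
    done
    return $rc
}

# Constructed sample: one file updated to the new name, one left on localhost.
make_sample_configs() {
    printf '%s\n' '<?php' "\$vclhost = 'vcl-server.upb.pitt.edu';" > "$1/secrets.php"
    printf '%s\n' '# database host' 'FQDN=vcl-server.upb.pitt.edu' \
        'server=localhost' > "$1/vcld.conf"
}

demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
check_host_refs vcl-server.upb.pitt.edu "$demo_dir/secrets.php" "$demo_dir/vcld.conf" ||
    echo "stale host references found"
```

A STALE line is only a prompt to review that setting; whether it should name the new hostname depends on which service the setting points at.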

At this point in the project, I have everything configured and it is time to configure the virtual machines. As I mentioned before, I have a Windows 7 virtual machine and a Fedora 15 virtual machine created. For my testing, I’m going to work to get the Windows machine working and then move to the Fedora machine. The first step, as mentioned last week, is configuring Cygwin on the machine. The reason for Cygwin on the Windows VM is to allow SSH key authentication between the management node and the VM.

To allow the script to run correctly, an administrator account needs to be created on the VM named “root”. Once created and logged on as “root”, I installed Cygwin as administrator and followed the directions to the letter. The instructions include installing Cygwin for all users, deleting the install files on the desktop, and installing packages. The first package that is installed is the editor vim. I prefer to use nano as my personal editor, so I installed both to satisfy my needs and those that will be administering with me. The next package was openssh. This is the actual package we will be using to do the SSH between the machines. The last package is the wget command. This command will be used to gather a necessary script.

Now that Cygwin has been successfully installed, it is time to gather the script that will eventually configure the SSH identity key. I used the installed wget package to get the script from the Apache site and used the chmod command to make it executable. Finally, I ran the script with the root password encased in single quotes appended to the end. Cygwin SSHD is now successfully started.

The next step was to access the management node and again use the wget command to gather the server side script from the Apache site. Once finished, I made the script executable and ran it with the IP address of the Windows 7 VM. When prompted, I entered the root password, but the script read access denied. After some troubleshooting, I discovered that my mistake came when I created the “root” account on the VM. Instead of entering “root” as the username, I typed “Root”. This type of mistake makes all the difference in Linux. Instead of chancing having problems down the road, I created the proper account and deleted the other. Windows wouldn’t allow the creation of another account with such a similar name so I was forced to create a third account to use as an intermediary between creating and deleting “root” accounts.

Once the unnecessary accounts were deleted and the proper “root” account was created, I reran the script from the management node and it was successful. I tested the connection with the suggested script and connected using the SSH key authentication without problems. The management node and VM have both been configured and are ready to create a base image in the VCL server.

Critique:


Capstone Experience:









Acknowledgements:

Don Lewicki
My academic adviser and head of the CIST major. He gave me this opportunity and provided funds.

Robert Ellison
Senior Technical Analyst at CTM Services. He provided extensive support with the Perl scripts and database portion of the project. He also gave general help with various problems.

Steve Ellison
Technical Analyst II at CTM Services. Provided several counts of assistance when dealing with the Linux operating systems and getting the software to run.

Wes Milliron
Coworker. Gave general support to the project and worked mainly with the VMware server.


















Work Cited:


http://vcl.ncsu.edu/vcl-history

http://incubator.apache.org/vcl/

https://cwiki.apache.org/VCL/