By Michael Kromer and Markus Feilner
VirtualBox [1], a tool designed for end-user desktop PCs running Linux, Windows, FreeBSD, and Solaris, is setting its sights on becoming a server-based virtualization system. In version 3.1, Sun introduced live migration for virtual machines, dubbed "Teleportation." Now that Sun has been swallowed up by Oracle and version 3.2 has been released, Oracle VM VirtualBox also virtualizes Mac OS X on non-Apple hardware (see the "Mac OS Without a Mac" box). Additionally, version 3.2 offers configurable I/O caching and NAT, CPU hot plugging, Remote Desktop Protocol (RDP) video acceleration (unfortunately, only for Windows 7 RDP clients), and multiple displays.
Server-based remote desktop virtualization uses VirtualBox's version of the RDP protocol, familiar in terminal server environments. Unfortunately, RDP is only available with the commercial version of VirtualBox, but fortunately, the Personal Use and Evaluation License (PUEL) [2] gives private users and educational institutions the opportunity to use the proprietary version free of licensing charges.
One problem with server-based VirtualBox virtualization arises when using the VirtualBox Remote Desktop Protocol (VRDP) for authentication against an active virtual machine. The common approach of depending on Pluggable Authentication Module (PAM) for authentication allows only one user on a specific host, and this has to be the user who launched the virtual machine on the VirtualBox server. If the user moves to another RDP client computer, PAM authentication will not work. Administrators wanting to abstract their users from hosts, therefore, have to disable PAM and attempt to restrict access to the VRDP port with the firewall.
The inefficiencies of this approach cry out for an alternative method. The vrdp-ldap [3] project was launched in July to implement a module for Lightweight Directory Access Protocol (LDAP)-based authentication with VirtualBox. Vrdp-ldap extends an existing LDAP schema by adding an object class and a property that supports user-oriented authentication via a machine UUID. Because vrdp-ldap uses the existing PAM directory attributes, the vrdp-ldap solution provides transparent authentication against existing directory services with existing user login credentials.
Mac OS Without a Mac |
As of VirtualBox 3.2, you can virtualize the Apple operating system on any hardware in a window on Linux. This is made possible by emulating the Extensible Firmware Interface (EFI) boot environment, as with KVM (Figure 1). A word of caution: Apple's Terms of Use prohibit the installation of Mac OS on non-Apple hardware, although Steve Jobs's company sells OS X without hardware in its shops. (Whether or not this prohibition would hold up in court in the country where you live is a different question.) VirtualBox makes it easy to virtualize the Apple by just creating a new VM, selecting Mac OS Server, and defining an ICH6-type hard disk controller. To boot Leopard, you now need the correct

In the course of development work on Red Hat Enterprise Virtualization (RHEV), Red Hat has released more paravirtualized network and storage drivers for running Windows guest systems on KVM [4]. Additionally, Red Hat Enterprise Linux (RHEL) version 5.3 or higher automatically loads paravirtualized KVM drivers, removing the need for manual attention by the administrator. Thanks to the virtual I/O drivers on the guest system, the performance is only slightly less than the host's native access speed, whereas emulated drivers significantly slow down the system. Incidentally, Windows XP guest systems do not support paravirtualized block drivers (virtio block driver), but only network drivers. |
Ready-to-install RPM packages for openSUSE 11.2 and SUSE Linux Enterprise Server (SLES) 11 are available [4]. Administrators on other systems will need to compile the source code with configure, make, and make install. The manual build currently requires the libHX, pam-devel, openldap2-devel, and pkg-config developer packages to be in place. (Nearly all popular distributions provide these packages.)
The procedure for setting up a virtual machine with LDAP-based VRDP authentication comprises five steps on the VirtualBox host system:
The plugin is easily installed on openSUSE 11.2:
zypper ar http://repo.medozas.de/medozas/SUSE-11.2/medozas.repo
zypper in VirtualBox-vrdp-ldap
For the VRDP library, you need to run VBoxManage to declare the compiled module as the VRDP authentication library that matches your own version of the VirtualBox SDK (version 3.0 up to the current version 3.2.4). On 32-bit systems, the command is:
VBoxManage setproperty vrdpauthlibrary /usr/lib/virtualbox/vrdp-ldap
On 64-bit systems, you need to become root and type the following at the command line:
VBoxManage setproperty vrdpauthlibrary /usr/lib64/virtualbox/vrdp-ldap
The module name is given without a file extension such as .so or .dll, which is good because the VRDP authentication setting can then be used identically across multiple hosts and operating systems. Although no Windows module currently exists for vrdp-ldap, you can expect one to appear in the next couple of months.
Listing 1 shows the vrdp-ldap configuration file, which the administrator needs to modify to match the local LDAP server. The next step is to extend the LDAP server by adding the schema file /usr/share/doc/packages/VirtualBox-vrdp-ldap/vbox-vrdp.schema. The fourth step, modifying the virtual machine(s), is easy if you follow the screenshot in Figure 2.
Listing 1: /etc/vrdp-ldap.conf |
CHECK_UUID="yes"
CHECK_PAM="yes"
PAM_SERVICE="sshd"
LDAP_URI="ldap://localhost/"
BASE_DN="dc=company,dc=com"
#BIND_DN=""
#BIND_PW=""
|
For the host system, the blueprint in Listing 2 shows a standard user in LDAP who will be given VRDP access to two virtual instances. You need a separate LDAP entry for each user and guest. The developers are thinking about implementing wildcard support, wherein an asterisk (*) gives a user access to any virtual machine.
Your choice of LDAP tool for creating the user is a matter of taste, as long as it can query the schema, that is, identify VBoxVRDP as an object class and VBoxVRDPUUID as a property. GQ [5] or LDAP Admin [6] are both good choices.
The VBoxVRDPUUID values shown in Listing 2 represent the machine UUIDs of the virtual machines. Unfortunately, you can only see the machine UUID in the XML files for the VM itself, or by calling VBoxManage list, not in the GUI. A feature request for viewing the UUID in the VirtualBox GUI has already been posted [7].
Listing 2: LDAP User with VRDP Access |
dn: uid=mkromer,ou=users,dc=linux-magazin,dc=de
cn: mkromer
uid: mkromer
mail: medozas@medozas.de
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: VBoxVRDP
VBoxVRDPUUID: {3f7d197f-072a-4bf9-9528-aebefdfa2a2e}
VBoxVRDPUUID: {af4bed3e-f94e-48f8-ba1e-6c7c504b38ca}
|
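The authorization decision behind Listing 2 (CHECK_UUID="yes": the user must carry the VBoxVRDP object class and list the VM's UUID in VBoxVRDPUUID) rehearsed offline, as an added example that is not vrdp-ldap's own code. The LDIF entries, user names and UUIDs are constructed, the directory lookup is replaced by a small LDIF parser, and comparing UUIDs case-insensitively with the braces stripped is my assumption, not documented vrdp-ldap behaviour.

```python
import re
from typing import Dict, List

# Constructed LDIF in the shape of Listing 2 (names and UUIDs are made up).
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=company,dc=com
uid: alice
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: VBoxVRDP
VBoxVRDPUUID: {11111111-2222-3333-4444-555555555555}
VBoxVRDPUUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}

dn: uid=bob,ou=users,dc=company,dc=com
uid: bob
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {uid: {attribute: [values]}}; multi-valued attributes such as
    objectClass and VBoxVRDPUUID keep every value in order."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["uid"][0]] = attrs
    return entries

def normalize_uuid(value: str) -> str:
    # Assumption: braces and letter case are not significant when comparing.
    return value.strip().strip("{}").lower()

def uuid_check(entries, user: str, machine_uuid: str, check_uuid: bool = True) -> bool:
    """Model of the CHECK_UUID stage only (the CHECK_PAM password stage is out
    of scope). With the check disabled everything passes; otherwise the user
    must exist, carry the VBoxVRDP object class and list the VM's UUID."""
    if not check_uuid:
        return True
    entry = entries.get(user)
    if entry is None or "VBoxVRDP" not in entry.get("objectClass", []):
        return False
    wanted = normalize_uuid(machine_uuid)
    return any(normalize_uuid(v) == wanted for v in entry.get("VBoxVRDPUUID", []))
```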
With LDAP and VirtualBox working together, users can use rdesktop or any other RDP terminal client to set up a connection with their login credentials:
rdesktop -u LDAP-user -p password_or_'-'_for_prompt VirtualBox-Host-IP:VRDP-Port
From the material presented thus far, you can set up your own VirtualBox server with vrdp-ldap. It is a good idea to use a special init script [8]. The script freezes all the virtual machines defined in the autostart file in order to save their current state when the host goes down (VBoxManage controlvm savestate). When you restart, the guest systems immediately give users their familiar environment, assuming no changes have been made to the configuration of the virtual machine itself (network interfaces, etc.) since the host system booted.
To set up an init script, you need to create a user and make that user a member of the vboxusers group. Also, you need to add the name of the defined virtual machine, including the VRDP port number and process priority (nice value), to the autostart file. Listing 3 shows the commands for openSUSE.
Listing 3: Binding an Init Script |
useradd -c "VirtualBox User" -d /virt -m -r -g vboxusers virt
wget http://dev.medozas.de/files/VirtualBox/virtualbox.init.suse -O /etc/init.d/virtualbox
chmod a+x /etc/init.d/virtualbox
wget http://dev.medozas.de/files/VirtualBox/virtualbox.autostart.suse -O /virt/autostart
insserv virtualbox on
|
Oracle releases a new version of VirtualBox once a month. On the basis of the new features added since version 3.1 and positive I/O test results [9], it is a safe guess that Oracle is trying to grow a hybrid between desktop and server virtualization that is capable of shouldering the load of production operations that function 24/7.
A few issues still require attention, such as the USB driver for the Blackberry or interrupt management on multiple-core systems (the IO/APIC communication of some guests pushes the host CPU load way up [10]). But overall, VirtualBox is heading places, and vrdp-ldap, the brand new doorkeeper for LDAP environments, means that VirtualBox is more ready than ever for server environments.
INFO |
[1] Oracle VM VirtualBox: http://virtualbox.org
[2] VirtualBox Personal Use and Evaluation License: http://www.virtualbox.org/wiki/VirtualBox_PUEL
[3] vrdp-ldap: http://vrdp-ldap.sf.net
[4] SUSE RPM packages: http://repo.medozas.de/medozas
[5] GQ: http://sourceforge.net/projects/gqclient/
[6] LDAP Admin: http://ldapadmin.sourceforge.net
[7] Request to view the UUID in the VirtualBox GUI: http://virtualbox.org/ticket/6989
[8] Init script: http://dev.medozas.de/files/VirtualBox
[9] I/O tests with VirtualBox disk images before and after version 3.2: http://virtualbox.org/ticket/4392
[10] Data corruption under heavy I/O load: http://virtualbox.org/ticket/2524 |
THE AUTHOR |
Michael Kromer (http://medozas.de) is the Senior IT Consultant and Linux Engineer with Millenux GmbH in Munich, Germany. He contributes as a developer to various open source projects, including the Linux kernel, Open NX, Asterisk, VirtualBox, and ISC Bind. Michael is also a "member" of openSUSE and interested in virtualization technologies. |