Maximising Student Exposure to Unix Networking using FreeBSD Virtual Hosts

Grenville J. Armitage
Centre for Advanced Internet Architectures. Technical Report 030320A
Swinburne University of Technology
Melbourne, Australia
[email protected]
CAIA Technical Report 030320A, March 2003

Abstract- A Remote Unix Lab Environment (RULE) is being developed at Swinburne University of Technology, allowing students access to networked unix hosts for their coursework and research projects. This paper describes our first generation solution using FreeBSD's "jail" functionality to emulate many FreeBSD hosts on a small handful of physical machines in a rack. Our primary constraint is to minimise the incremental infrastructure cost. The student front-end to the unix hosts will leverage pre-existing Windows-based PC labs scattered around campus and inter-connected by a 100Mbit/sec IP network. The FreeBSD hosts themselves are mini-ITX motherboards on a rack in a small room or closet, minimising their impact on scarce University lab space. This paper will describe our requirements, trade-offs, available tools, and how specific FreeBSD features are being utilized to create multiple virtual hosts on each physical machine. Our current implementation is based on FreeBSD 4.7.

Keywords- Teaching, IP, Networking, FreeBSD, Unix, Virtual Hosts, Students

I. INTRODUCTION

Towards the end of 2002 our Telecommunications and Networking group faced the challenge of providing more hands-on IP networking experience for our students while working within the confines of a pre-existing, strongly Windows-centric environment. We already had special labs established for components of CCNA, CCNP, and MCSE certifications (a substantial investment in Cisco equipment and Microsoft Windows-based PC labs). Unfortunately this provided our students with a fairly specific experience in IP networking and IP client/server environments.

We also wanted our students to get their 'hands dirty' installing and using free, unix-based server, client, and middlebox applications. For example, we wanted to expose them to open-source web servers like Apache [1], alternative Windows file servers such as Samba [2], DNS servers such as named, web crawlers/indexers, web proxies,... the list goes on. Not only would our students learn how to use these applications, they would be able to modify and rebuild the applications they were learning about.

In common with many small universities we work with less-than-ideal facilities and funding constraints. Our existing PC labs run Microsoft's Windows operating system, and are frequently booked solid for classes run by a variety of departments. Our plan was to avoid the additional cost (in time and salary) of re-imaging/rebooting machines between Windows and a unix system just for our IP networking classes. Building a dedicated unix lab (machines, desk space, seating) was considered an expensive last-resort.

Our solution is the Remote Unix Lab Environment (RULE). RULE provides multiple networked unix hosts, but does not require additional dedicated unix lab space. The existing campus PC labs are used as terminals through which students access their assigned RULE hosts. Because access is via the campus IP network, students can also engage in project work from home or from their laptops via our campus 802.11 network. RULE itself is housed in a regular 19 inch rack and tucked away in a corner of a small room, meeting our goal of minimal additional infrastructure cost (Figure 1).

[Figure 1 labels: Windows PC Labs; dial-up users, other OSes]
Figure 1 Remote Unix Lab Environment accessible from Windows machines around the campus network

The most interesting and critical part of RULE is our use of FreeBSD [3]. It is a robust, well-supported and freely available implementation of unix (making it quite attractive from a recurring costs perspective). Most importantly, FreeBSD has kernel support, through the "jail" functionality, for instantiating multiple virtual unix hosts on a single PC motherboard. This multiplies the number of students we can support with a limited set of physical hardware (or conversely, FreeBSD allows us to keep RULE small and hidden in the corner of a room). Our first generation of RULE is based on FreeBSD 4.7 (the version current in late 2002).

The rest of this paper describes the technological tradeoffs and solutions we are pursuing to implement our vision for RULE.

II. THE REMOTE UNIX LAB ENVIRONMENT

RULE needs to simultaneously meet the following goals:

  • Provide students with self-directed access to open-source internet applications (e.g. clients, servers, and/or proxies) that they can compile, install, trial, and modify/recompile with minimal supervision.
  • Allow students to access RULE from anywhere on the campus intranet.
  • Protect the rest of the university from student activities inside the RULE.
  • Utilize off-the-shelf components and free software and minimise reliance on closed, commercial solutions.

We chose an open-source unix platform so users can build, run, modify, and rebuild many popular and useful networked applications without necessarily needing 'administrator' rights and/or commercial compilers and debuggers. A Microsoft Windows environment does not meet this goal. Any of the Linux distributions, FreeBSD, OpenBSD, or NetBSD would be suitable. We've chosen FreeBSD for two reasons. First, FreeBSD's clean 'packages' and 'ports' mechanisms (for installing applications in pre-compiled and compiled-as-needed forms) provide students with a number of ways to experiment with hundreds of common networked-applications. Second, FreeBSD has facilities for creating virtual hosts. (As a small bonus, many application binaries compiled under Linux also run directly under FreeBSD, and most such applications can be recompiled under FreeBSD if needed.)

[Figure 2 labels: Host 1, Host 2, Host 3, Host 4, Host 5; RULE LAN; Firewall; Campus LAN; "The RULE firewall protects the outside network from RULE hosts"]
Figure 2 RULE hosts are clustered behind a firewall to protect the outside world

Not surprisingly, RULE security is about protecting the campus network from RULE, rather than the other way around (Figure 2). The RULE firewall (another FreeBSD machine) allows external clients to initiate contact with applications (servers) inside RULE but not the other way around. For example, a student might deploy an Apache web server inside RULE and access it from their desktop or laptop. For special projects the firewall can be re-configured to allow outbound traffic originating from within RULE, but only if the destination is a host within the campus LAN (and excluding things like our campus web proxy to the outside world). The last thing we want is 'interesting' projects on RULE reaching out and annoying people around the Internet in an uncontrolled manner.

Secure Shell (ssh) is the remote access protocol for RULE hosts so that students' communication with their

OpenSSH consortium [4] has pointers to free and commercial implementations, including those for Microsoft Windows. PuTTY [5] is our preferred Windows SSH client, because it works well and the licensing conditions allow free use in our sort of environment. We also use Pscp, a companion to PuTTY, for secure file transfers between hosts using ssh. PuTTY requires minimal changes to the default software context of our Windows-based campus PC labs, and is easily installed by students who choose to use our campus 802.11b network from their personal laptops.

Ssh provides a security wrinkle known as 'port forwarding'. An ssh login from desktop or laptop to a RULE host can also be configured to provide one or more TCP-over-ssh tunnels from the RULE host to the rest of the campus network. Whether or not this is tolerable depends on one's goals. For now we impose on students the requirement of responsible use - port forwarding is a conscious act, and they will be traced if things go haywire. Port forwarding is also extremely useful for supporting X11 clients running on jail hosts. If the student runs an X11 server on their desktop or laptop, they can use ssh to automatically tunnel X11 sessions out from their RULE host to their local X11 server/display.

Given our limited budget, it is also important to build RULE out of common yet small components. We cannot afford to be 'bleeding edge' in our choice of hardware. Although RULE begins with a homogenous collection of hardware, over time the initial motherboards will become unavailable and incremental repairs will result in a heterogenous collection of hardware. FreeBSD runs on a range of x86-based hardware, from old 486-based machines up to the latest Pentium 4s, ensuring that RULE will survive motherboard upgrades and changes.

We have built the first version of RULE around VIA Technologies' EDEN embedded system processor (ESP) series, specifically the ESP 5000 released in 2002 [6]. This low-power motherboard comes in a mini-ITX form factor (170mm x 170mm), has an embedded fanless 500MHz Celeron-equivalent processor, can support up to 1GB of PC133 SDRAM, onboard 10/100 Mbit/sec ethernet interface, onboard COM, PS/2, USB, Printer, VGA, and sound ports, two ATA100/66 IDE sockets, and takes standard ATX power. They are also quite cheap (around $200AUD at the end of 2002). Adding a power supply, RAM, and hard-drive was enough for a running system. A CDROM drive is temporarily attached to the second IDE port when installing FreeBSD.

The small form factor allows us to pack a number of these devices into limited rack space. While the video, audio, printer and PS/2 interfaces are unnecessary for RULE applications, we make use of the serial ports for console server access to each motherboard, and the USB ports are used to power small "Alloy NC-05c" Ethernet hubs [7] that form part of the RULE's internal network (minimising the wiring and power supply complexity within the rack, Figure 3).
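
The firewall policy around Figure 2 and the ssh port-forwarding wrinkle can be seen together in a small stateful model. This is an added example, not code from the paper or from RULE; the addresses, port numbers and the RuleFirewall class are constructed for illustration, and the paper does not say which packet filter the real firewall runs.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, not from the paper.
RULE_LAN = ip_network("192.168.50.0/24")
CAMPUS_LAN = ip_network("172.16.0.0/16")
CAMPUS_PROXY = ip_address("172.16.0.10")   # campus web proxy to the outside world

class RuleFirewall:
    """Stateful model: outsiders may open connections into RULE, not the reverse."""

    def __init__(self, project_mode=False):
        self.project_mode = project_mode   # the "special projects" reconfiguration
        self.state = set()                 # flows opened by a permitted first packet

    def packet(self, src, sport, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.state or reverse in self.state:
            return "allow-established"
        if dst in RULE_LAN and src not in RULE_LAN:
            verdict = "allow-inbound"
        elif (self.project_mode and src in RULE_LAN
              and dst in CAMPUS_LAN and dst != CAMPUS_PROXY):
            verdict = "allow-project-egress"
        else:
            return "deny"
        self.state.add(flow)
        return verdict

def demo():
    desktop, jail, campus_srv = "172.16.4.20", "192.168.50.11", "172.16.9.9"
    fw = RuleFirewall()
    seen = {
        "web_in": fw.packet(desktop, 40000, jail, 80),
        "web_reply": fw.packet(jail, 80, desktop, 40000),
        "jail_out": fw.packet(jail, 40001, campus_srv, 25),
        "ssh_in": fw.packet(desktop, 40002, jail, 22),
        # A forwarded TCP session is carried inside the ssh flow, so the
        # firewall sees only more packets of the connection it already allowed.
        "tunnel_bytes": fw.packet(jail, 22, desktop, 40002),
    }
    proj = RuleFirewall(project_mode=True)
    seen["proj_campus"] = proj.packet(jail, 40003, campus_srv, 80)
    seen["proj_proxy"] = proj.packet(jail, 40004, str(CAMPUS_PROXY), 3128)
    seen["proj_internet"] = proj.packet(jail, 40005, "203.0.113.7", 80)
    return seen

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The "tunnel_bytes" row is the point of the model: forwarded traffic is indistinguishable from the ssh session at the firewall, which is why the paper falls back on responsible use and tracing for port forwarding.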
