cdeccio / cougarnet Goto Github PK

I have gotten way more invested in the internals of Cougarnet this semester than I probably should have lol... Here are some thoughts I have had on solving security and development issues by running the code in a Docker container instead of in a VM. I figured they may come in useful for future iterations of CS460. Feel free to disregard if uninterested.

• Cougarnet runs a lot of dangerous code (forking and sudoing, etc). These parts of the program would be easy for an attacker to abuse.
  • Docker containers run in their own chrooted space and in a very stripped down namespace, (almost) entirely eliminating the risk of harming your system.
• Running in a VM is expensive and hard to setup
  • docker run is so much easier.
• Updating Cougarnet causes problems sometimes
  • docker pull cdeccio/cougarnet:latest
• Development in a VM is a horrible experience
  • Native development tools can be used here, just attach a volume with Docker's -v option
• Different hypervisors have unique problems at times.
  • Docker should eliminate this issue
• Hard to clean up VM (unless you are smart and take snapshots)
  • Cleanup of a container is quick and easy
• Non-Python dependencies must be manually setup
  • Just add a couple apt install lines to your Dockerfile and students won't have to worry about it

Challenges with docker:

• Lack of GUI: where would the terminals go?
  • Possible solution: multiple logs, watch them with tail -f
  • Possible solution: multicolored output, docker run in foreground
• Lack of the extra level of isolation (can interact easily with other docker containers network ports, which frequently are pretty trusting within that network)
  • Tricky to solve this problem. I guess just tell everyone to run other containers at their own risk while Cougarnet is up.

That's all I could think of at the moment, but I may edit this with future details.

Again, feel free to disregard this if you're not interested, but I think Docker might be a good way to lift some of the overhead of getting Cougarnet running especially at the beginning of future classes. If you are interested, I can try and get a Docker version of it going to see if it would even work, I am sure there are tons of challenges that would come up along the way that may prevent this from being viable.

The openvswitch-switch package is needed in Cougarnet, so it should be installed as part of setup.py. This might be tricky because the installation procedure is OS-specific, so it may be better to just add it to the documentation somewhere.

How to reproduce

Run cougarnet in guest vmshare folder (ex. '/home/username/host') with files host.py scenario1a.cfg

~/host$ cougarnet --display --disable-ipv6 scenario1a.cfg

outcome

The new host fails to run without the host.py file

nor does the user have permission to change into the vmshare folder on the created host (which is odd..)

conflict

students won't be able to develop their code on the host OS and run cougarnet on the guest OS

In README.md it says it depends on lxde-terminal, but the correct package name on Debian 11 is lxterminal. The example wasn't working for me until I installed that package but it works fine after. I think it would also be good to add lxterminal as one of the packages to install in cdeccio/byu-cs460-f2021/hw-link-layer/README.md

Here's my terminal output:

cameron@cs460:~/cougarnet-example
$ cougarnet simple-net.cfg 
rm: cannot remove '/run/netns/h2': No such file or directory
Traceback (most recent call last):
  File "/usr/local/bin/cougarnet", line 4, in <module>
    __import__('pkg_resources').run_script('cougarnet==0.0.0', 'cougarnet')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 651, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1455, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python3.9/dist-packages/cougarnet-0.0.0-py3.9.egg/EGG-INFO/scripts/cougarnet", line 5, in <module>
  File "/usr/local/lib/python3.9/dist-packages/cougarnet-0.0.0-py3.9.egg/cougarnet/virtualnet.py", line 740, in main
  File "/usr/local/lib/python3.9/dist-packages/cougarnet-0.0.0-py3.9.egg/cougarnet/virtualnet.py", line 589, in start
  File "/usr/local/lib/python3.9/dist-packages/cougarnet-0.0.0-py3.9.egg/cougarnet/virtualnet.py", line 177, in start
  File "/usr/lib/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.9/subprocess.py", line 1823, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'lxterminal'
cameron@cs460:~/cougarnet-example
$ sudo apt install lxterminal
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  lxterminal
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 95.6 kB of archives.
After this operation, 604 kB of additional disk space will be used.
Get:1 http://192.168.23.122/debian bullseye/main amd64 lxterminal amd64 0.4.0-1 [95.6 kB]
Fetched 95.6 kB in 0s (8,496 kB/s)
Selecting previously unselected package lxterminal.
(Reading database ... 168449 files and directories currently installed.)
Preparing to unpack .../lxterminal_0.4.0-1_amd64.deb ...
Unpacking lxterminal (0.4.0-1) ...
Setting up lxterminal (0.4.0-1) ...
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for mailcap (3.69) ...
Scanning processes...                                                           
Scanning linux images...                                                        

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.
cameron@cs460:~/cougarnet-example
$ cougarnet simple-net.cfg   
Ctrl-c to quit