ADIOS Project

-- Live Linux ADIOS CD home

Welcome to ADIOS

Welcome to a short talk about the ADIOS project.

I am Neville Richter from the Faculty of Business and Informatics at Central Queensland University (CQU), Australia.

This talk is aimed at people who have started using Linux, and to those who have some experience with Linux and would like to learn more about virtual machines, linux services, linux security and trusted operating systems. Or people that have an interest in distributing the ADIOS live Linux boot CD to others users. Or even those of you who are building your own boot CD.

Here is an outline of what I'll talk about today:

• Part 1:  What is ADIOS? - Why create it, How to run it, Summary of main features, Flexible Learning Tool
• Part 2:  Menu Run Options - How to best use this boot CD, how to install it, how to save and restore files, Laboratory Options
• Part 3:  Virtual Machines - User Mode Linux (UML), uml scripts, umlconfigurator, automated virtual networks, multiple perimeter networks
• Part 4:  How does it work? - startup tools (busybox, uclibc, isolinux), ADIOS filesystem, UML filesystem, what software is on CD
• Part 5:  Trusted Operating Systems - Linux Intrusion Detection System (LIDS) and Security Enhanced Linux (SELinux)
• Part 6:  Development Kit - how to create your own boot CD, Makefile, linuxrc (startup script), kernel patches
• Part 7:  Future and References - where to from here, DVD, more features, Xen virtual machines, other trusted OSs.

So now I’ll explain, “What is ADIOS?”

The ADIOS project started in 1997 when I was looking for a simple way to download operating system images, which allowed the user to be the administrator in a laboratory environment. To be able to teach networking skills, students typically need administrator privileges on the operating systems they are using so they can install software and configure settings.  At the time, the solution was to build an operating system image on a laboratory PC then pack it up and store it on a web server. Then using simple install scripts, students downloaded these OS images to their laboratory PC.   The alternative was to use non free software such as Ghost or Rembo

But the problem has always been a lack of resources, be it bandwidth or just the number of PCs in the laboratory (not enough for all of the students). So at the end of 2001, I started working on a bootable Linux CD.  With the help of Mark Huth, ADIOS version 0.82 was built using RedHat 7.2 and released in February 2002.  This was the beginning of the ADIOS Live Linux Boot CD.

Why was a bootable CD important?:

I have been involved with teachng subjects at University in the areas of network administration, network security, network management and network services (client/server programming).  These are practical hands-on type courses/subjects in which students typically install and configure network services on Linux servers.  When laboratories for the students become scarce or students prefer to work from home a solution.  In 2002 the number of students wanting to enrol in these Networking subjects was high this emphasised the need for using off site PCs.

Subsequently, students have installed Linux at home so they can work on the practical exercises.  But most students don't have the hardware at home to support what they are doing in the laboratories on campus (an intranet with multiple Linux servers to complete networking and security exercises).  So, the three primary requirements for the ADIOS boot CD were:

1. To create an environment to enable students to use multiple virtual machines and networks from a CD image which is the same environment as used in the laboratories on campus. 
2. To enable users to run Linux from CD, or ISO image on disk, or directly from disk, or from RAM, and allow users to save changes to floppy, USB device or disk.
3. To reduce the risk of users acciendently destroying their MS Windows installation when installing Linux. 

What ADIOS is used for at University?:

• To teach Networking, IT Security and Forensic subjects (see the next section for list of software available on the CD).
• Students use the CD to run Linux from RAM (without installing onto their hard drives).
• Students use the CD to install Linux on their PCs at home.
• The ADIOS image is used to quickly download a 'clean' Linux OS image to the PCs in University laboratories.

What others are using ADIOS for?:

• As a Development tool
  • Supports programming languages: C, C++, Perl, Php, Python, Ruby, Tcl/Tk and nasm
  • Control the concurrent editing of source files with cvs
• For people who don’t want to install linux on their hard disk
  • Road warriors / mobile computing / Trainers
  • Keep your settings wherever you go
• For Kiosk Environments
  • For product demonstrations
  • Closed systems that only run one applications
• As a marketing tool
  • Configure your software and environment, create a CD and send it to your customers
    – they can run your software from the CD without having to install it on their hard disk
• As an Office Environment
  • Word Processor, Spreadsheet, Presentation software, Database
  • Web Browser, Email client
  • Graphics Editor
  • Project Management 
• Entertainment
  • music player
  • dvd player
  • games

ADIOS currently supports three languages (English, Spanish and Portuguese) . It comes with a complete Development Kit (ADK) to help you customise your own CD.

As I said before, many students want to install Linux at home.  But most students have MS Windows installed already on their home computers, so they would defer installing Linux for several weeks or months because they typically had to change the partitions on the MS Windows machine. Every semester a student would tell me a sad story of how they managed to damage their existing files while installing Linux. They also thought this was a good reason for losing assignments and applying forextensions. Ofcourse all students and some staff know that everything needs to be backed up on a regular basis. So creating a Linux that runs entirely in RAM and from CD was an attractive solution. It’s easy to use, so students can start using Linux at home in the first week.

What You'll Find on the CD:

Desktop Environment

ADIOS version 6.0 was built with Fedora Core 5 and linux kernel 2.6.17 to support 586 processors.   We selected a subset of applications and services to provide the end user with plenty of scope to learn about Linux.  The default desktop environment is KDE for all distributions.  Unfortunately software grows in size over time as more features are added.  This results in less applications being able to fit on the CDROM. 

Applications

The OpenOffice suite, web browser, email client, media players and other tools provide the user with a nice set of linux applications as well as diagnostic tools used in learning about networks. There are excellent free security tools included for firewalls, secure tunnels, network intrusion detection systems and computer forensics.

Virtual Machines

The user mode linux virtual machine software allows the user to start multiple child virtual machines which can be networked relatively easily. The virtual machines can start an X windows session using ICE windows manager, so that each virtual machine appears to have its own X windows console. The virtual machines can start with a trusted operating systems such as LIDS or SELinux.

How Do We Fit So Much on the one CD?

ADIOS version 6.0 released in July 2006 was built using Fedora Core 5 and uses Linux kernel 2.6.17.  The latest version of squashfs is used so that the CD can hold more than 2 GBytes of files. 

In the laboratory extra squashfs files (optional components) are used to enable software such as tomcat, jdk, ns (network simulator), and mono (C#).   Some of these optional components are available for download from the same site as the ISO images and if placed in the subdirectory /opt on your system, will be mounted automatically.  The ADIOS DVD version will include several of these optional components.

Reasons to use the ADIOS boot CD

There are many bootable Linux CDs available via the Internet.  However the ADIOS boot CD has some advantages that may be of interest to you.  

1. The ADIOS version 6.0 boot CD has been built using Fedora Core Linux 5.0, which supports the popular KDE desktop environment for X windows and ICEwm; 
2. The boot CD will try to automatically detect your hardware configuration and start X windows for you.   However you can also start without running X windows, that is start with a command prompt (in Linux this is called run level 3).  This is useful if you have limited RAM or if you want to configure X windows differently; 
3. The ADIOS CD has many applications and services preinstalled from the standard Fedora Core distribution and several additional software tools such as snort, openswan and nessus;
4. The Linux kernel 2.6.17 has been built with support for the squashfs filesystem loopback interface to allow the operating system to mount a squashed filesystem containing more than 2 Giga bytes of files;
5. The CD comes with User Mode Linux (UML) which allows you to run several virtual machines, which can be networked via virtual ethernet switches and hubs.  Each of the virtual machines can also be accessed via X windows; 
6. You can also install the boot CD onto a loopback filesystem which resides on a DOS FAT or Linux EXT filesystem.  This is almost as good as installing Fedora Core on its own partition;
7. There is an ADIOS development kit (ADK) available for those people who wish to tailor the software and create their own bootable CD.  The ADK Makefile requires you to have at least 10 Giga bytes of free space;
8. The original ADIOS project goal was to download operating systems for laboratory environments.  This software is included as part of the development kit environment;
9. The Linux Intrusion Detection System (LIDS) is available to both the boot CD and the UML virtual machines.  SELinux virtual machines are also available;
10. There are many boot and run options.  Options to install ADIOS to disk, to backup and restore files to floppy, USB storage devices, and disc.

The first time you use the ADIOS CD you should try run option “1” just to make sure that the kernel recognises your hardware in particular your graphics card and screen. Once the system starts login with username adios and password 12qwaszx. You can then experiment with all of the software, the more RAM you have the more tasks you can do simultaneously.

The number of run options allow the user to set the display size, run level, language, size of RAM or disc to use before you login to the system.  Scan through the menus and change these values to suit yourself.  Before using the guru options you should familiarise yourself with the ADIOS documentation.

If you wish to save and restore read-write files then you need to write information to media such as floppy, USB, disc, or even a network drive. This can be done manually once the system is up and running or via a run option.  

You can boot ADIOS from CDROM, USB or from disc (and floppy before version 4). To improve performance the ISO image can be copied or installed to disc. One option tries to maximise performance by creating a VFAT partition containing the ISO image, the read-write files and swap space.  This also has the advantage that your changes will be there the next time you restart ADIOS.

Better still you can fully install ADIOS on its own Linux disc partition, this has the advantage of allowing you to write to the whole filesystem plus if you choose to create a development partition you can build your own boot CD. 

You can also run the ADIOS boot CD within Virtual PC or VMWare.

In the Laboratory the read-write files in /var are placed on there own disc partition.  This partition is recreated each time the ADIOS system is started.

Basically the ADIOS Linux CD is a subset of Fedora Core Linux with lots of extras software related to security and network management. The CD does not need to write to your hard drive so it is independent of your existing Operating System.   By default it usually mounts all hard disc filesystems read-only.  It allows users to use Linux compilers, office tools, networking utilities, virtual machines and entertainment software.

All of the configuration files, log files and user files, which are read-write files have been moved into the /var directory tree. You need to save all files that have been changed so that they can be restored the next time the system is started. This changed information can be placed in a compressed archive and written to floppy or USB device or disk files. This has been automated as a run option.

The objective of the ADIOS project was to create an environment that is the same in the laboratory and at home. The image has optional components that did not fit on the boot CD but also work at home if you download the “sqfs” files onto your hard disk and placed them in the directory /opt.  The laboratory images downloads extra files that require the end user to login via a central authenitication server.

The ability to run virtual machines within virtual networks allows users to experiment with the network services and applications, security and management of networks.  Read the ADIOS UML documentation to see how networks are automatically setup on startup of each virtual machine.  Virtual machines are also able to start with trusted kernels such as LIDS and SELinux.

Note: Writing to NTFS filesystems is not recommended as the driver module is experimental.

The ADIOS boot CD allows a flexible learning environment in the following ways:

1. From the students point of view class exercises can be completed on the student's home or office computer, or even on their laptops with exactly the same environment as encountered in the on-campus laboratories.  Students can start learning about Linux without having to risk modifying the disc partition of their computer.   The ADIOS CD can also be run within Virtual PC or VMWare.
2. From the student/staff point of view ADIOS makes use of virtual networks whereby all class exercises can be completed on one machine.  On-campus laboratory resources are an expensive overhead. Now students only need one computer rather than a row of workstations to accomplish even advanced networking exercises such as dynamic routing, firewall configuration, email gateways, web servers, proxy servers, distributed name server, authentication server and certificate authority server implementations.  Optional components can be copied onto the users home computer to provide new services and updates when required.
3. From the laboratory administrators point of view, classes requiring Linux and networking can be offered with minimal technical support.  Classes requiring Linux can be offered in places besides the main campus (e.g. at regional campuses or overseas sites).  Previously we were dependent on the specialised laboratories.  Now classes can be offered anywhere there are computers which can boot from CD or network card.  Alternatively a specialised laboratory can be setup up quickly by using the ADIOS setup software, this provides the workstation user with the additional benefit of downloading other preconfigured operating systems such as a Linux development environment, FreeBSD, Solaris or MS Windows.
4. From a researcher's point of view new technologies can be designed, installed and tested.  For example, researchers can investigate client/server software, routing, firewall technologies and trusted systems without having to setup a large number of computers, which can prove costly.  Developers can write and test new network software within a virtual network.

One-Stop Teaching Tool

The CD contains all of the software and documentation that the students will need to complete their studies of the Linux operating system.  For example, the use of the CD allows the users to configure network services (such as web, email, file sharing and printing),  setup virtual networks, analyze network traffic, test dynamic routing protocols, and implement security and firewalls.  The CD contains it own website with a search engine to make it easier for users to find information both on CD and on the Internet.  This web site on the ADIOS distribution is a subset of the Adminstrator's Resource Kit (ARK) located at http://os.cqu.edu.au.  Access to monitoring software such as usage statistics and control of system resources via management tools such as webmin can be done via a web interface.  Extra notes and exercises can be placed into a compressed component file and copied to users home computer then when ADIOS is started it will automatically connect to the optional component and access can be setup via a secure web site.

To help students complete the practical exercises they are advised to setup their user environment as follows. Start a Web browser window to view the practical exercises; Start another Web browser window to read the manual entries or online documentation; Start an X terminal session to type in commands and display results; Start an Editor such as vi or Wordprocessor to write workbook notes; Use cut and paste from one window to the next to save typing; Use the mcopy command to save files to diskette or drag and drop files to a mounted device and remember to unmount the device; Remember to use "su -" to become superuser; Remember to change all passwords. Note: cut and paste is explained in the xterm manual entry.  To cut text, press the left mouse button at the start of the selection, hold down the button and move the mouse to the end of the selection, release the left mouse button, and the text should be highlighted on the screen.  To paste, move to the appropriate window and press the middle mouse button (if no middle button, press the left and right buttons at the same time).  If using vi remember to enter insert mode first.

The ADIOS boot CD allows a flexible learning environment in the following ways:

1. You can Use it Anywhere: Students are no longer required to complete all exercises in the on-campus laboratories.  Instead, class exercises can be completed anywhere, using a desktop or laptop computer.  The ADIOS Boot CD provides students with exactly the same environment on their PC as encountered in PCs in the on-campus laboratories.  No need to use several PCs in a laboratory or at home as ADIOS comes with virtual machines.
2. It's Easy to Use:  While students are developing their OS skills, they can run the ADIOS environment from RAM without installing Linux on their desktop or laptop.  This way they can start learning immediately about Linux and don't have to risk corrupting the partitions of their computer.  After all students need to become familar with the environment before they will want to change Operating Systems on their desktop.  Once they feel comforatble they can use the ADIOS CD to setup a multiboot system at home.  The ADIOS CD can also be run within Virtual PC or VMWare.
3. It Doesn't Require Specialised Hardware for Networking Tasks: Because ADIOS utilises virtual networks, students don't need to have an elaborate network of hardware at home to complete complex networking tasks.  The class exercises can all be completed on their one PC running ADIOS.   Now students only need one computer rather than a row of workstations to accomplish even advanced networking exercises such as dynamic routing, firewall configuration, email gateways, web servers, proxy servers, distributed name server, authentication server and certificate authority server implementations.  Any components not supplied on the ADIOS Boot CD can be copied onto the user's home computer to provide new services and updates.
4. It's Easy to Setup at Other Campuses: Classes requiring Linux and networking can be offered with minimal technical support.  Previously we were dependent on the specialised laboratories.  But now classes requiring Linux can be offered in places besides the main campus (e.g. at regional campuses or overseas sites).   All you require are computers that can boot from CD or network card.  (Alternatively a specialised laboratory can be setup up quickly by using the ADIOS setup software.  This provides the workstation user with the additional benefit of downloading other preconfigured operating systems such as a Linux development environment, FreeBSD, Solaris or MS Windows.)
5. Provides Cost Effective Testing and Research: New technologies can be easily designed, installed and tested in a cost effective way.  For example, researchers can investigate routing, firewall technologies and trusted systems without having to setup a large number of (physical) computers.

There are many run options:

Option 1 - run entirely in RAM – A 16 MB RAM disc contains the / directory. The /var directory contains all of the read-write files, that includes /etc (configuration files), /home (users files), /var/log (log files), … The kernel module devfs allows for the devices to be allocated as required, as well as allocating half of the remaining RAM to /var.

Each of the UML virtual machines (VMs) uses Copy-On-Write technology to the directory /tmp/uml and the 500MB filesystem of the UML machines only has a footprint of 24MB of RAM disc. Each child VM has only been allocated 32MB of RAM for processing, so doing the maths - 4 virtual machines will run on a 256MB machine as long as you don’t try to write large files.

Option 2 - is one of the preferred ways to run. Here you are allocated a single loopback file on a spare FAT or EXT3 filesystem to the /var directory. This means that /var is not using RAM and files are kept between reboots.

Option 20 - is a quick way to install Linux into a set of FAT or EXT3 files, this allows the user to remove the CDROM after booting.

Option 4 - run with /var on USB - this can be slow

Option 7 - run from an ISO image stored on disk

Option f - looks for an existing FAT32 filesystem otherwise create a FAT32 filesystem and copies the ISO image and creates var.img and swap.img files

Option h – display information to help get you started.

Option i – display information reminding you that this is freeware under the GNU General Public License, there is no warranty, memory and processor info

Option r - allows you to select the run level, useful if the hardware detection is not working properly or you only have 64MB of RAM

• Run level 1 is single user text console
• Run level 3 is plain text multiuser
• Run level 4 is used in labs (Xconfigurator or xf86config version 1.x)
• Run level 5 uses system-config-display ) to setup X
• Run level 7 is a locked system and runs /var/etc/rc.d/rc.lock
• Run level 8 is a locked system and runs /mnt/usb/rc.lock

Starting in run level 3 is particularly useful if your video card won’t work with the RedHat Fedora Core configuration software. You then search the NET and manually create the configuration for X windows. In the worst case you should be able to configure any graphics adaptor and screen to work with 1MB or RAM and use 800x600 screen resolution with 16 colours.

The Login X windows screen does not allow root to login, if you really want to login as root either “su –” to root or login via a virtual console using the key sequence Ctrl Alt F2. You can edit /etc/X11/xdm/kdmrc if you want to change the X windows login preferences.

• key sequence Ctrl Alt F1 only displays the console log as login has been disabled on this virtual terminal in run level 5
• key sequence Ctrl Alt F5 and above in run level 3 are used for UML virtual consoles

More run options - The number one criticism of previous releases of ADIOS was, How do I install the ADIOS boot CD on my MS Windows NTFS disk system? For a simply configured MS Windows machine with only one NTFS partition it was relatively straight forward to automate the process see run option 5. If you have multiple partitions or drives please read http://os.cqu.edu.au/adios/ntfsresizing.html.

The other major criticism was Why can’t I save my files to floppy or USB storage devices? For people who prefer to run the ADIOS boot CD without writing to hard drives then this was the solution: Option 11 saves all files changed in /var to a compressed file savestate.tgz to a floppy diskette. Option 3 does the same thing but to a USB storage device. Option 4 places the var.img on the USB storage device.

How can I experiment with trusted systems? - At the boot prompt you now only have 10 seconds to decide how the system will start. Enter lids to activate the Linux Intrusion Detection System software. More help on lids is available at http://www.lids.org and help on the implementation of LIDS on the Boot CD can be found from the ADIOS home page.

In addition to the parent system the UML virtual machines can also be started with or without LIDS or SELinux (Security Enhanced Linux) from the NSA.   IN ADIOS version 1 we used RSBAC (Rule Security Based Access Control).instead of SELinux.

Compressed loopback cloop was replaced with squashfs because we required support for multiple squashed mounted filesystems.

How do I remove the ADIOS boot CD while it is running? If you have at least 1GB of RAM then you can copy the CD into a RAM disk. Alternatively if you already have Linux installed and you have at Least 700 MB of free disk space you can copy the CD image to disk. Alternatively copy the CD iso image onto the Windows NTFS filesystem using the Windows version of dd, or similar program.  Run option 17 to run ISO from hard disk & save changes to floppy

How can I set the display resolution on startup? To simplify the startup of the boot CD the default resolution has been set to 1024x768, this can be changed with run option d

How do I select a language?

• Run option l set language (Spanish, Portuguese and the default of English).  The CD version has been limited to save space but a DVD version will support all langauges currently available by RedHat Fedora Core.

How do I protect my files from being read? An option to encrypt the /var loopback image has been implemented. Further encryption methods are still being investigated.

• Run option e AES encryption of loopback filesystem var.img has no recovery if you forget the password.

If your PC is already running Windows XP then the question is how can I run Linux without changing my system. If you run from RAM and CD then the next question is how can I save the changes I have made to the Linux system. Saving only the changes in a compressed archive to floppy, USB or CD would seem the logical choice.

Running from CD is slow. How do I run ADIOS faster? so the next improvement is to copy the ISO to your NTFS filesystem and only use the CD to boot Linux. This will provide the same performance as if you had installed linux to its own partition.  Better still copy the ISO to RAM and run everthing from RAM.

How to I execute extra commands on startup?

• Option + add extra commands which will be executed when systems boots.
• Option x uses this technique to remove X and hardware configuration files.
• Option = will display these extra commands
• Option – clears all such commands

How do I save and restore files to disk? If you would like to save files to disk then two methods come to mind, first find or create a partition to mount the read-write files, second save and restore only the changes to the read-write RAM drive.

How do I play music CDs? Check that the sound detection is working before starting your music CD using grip, kscd or xmms.

How do I watch movie DVDs? If you only have one CD/DVD drive then using a copy of the boot CD image from a disk image and using the Xine software.

• On some systems you may need to setup a link from your CD/DVD drive to /dev/dvd
  ln –s /dev/cdrom /mnt/dvd

How do I copy files to flash USB device? When saving files to disk it is a good idea to create a compressed archive first.

• tar czf files.tgz files or use better compression with
  tar cjf file.bz2 files

How do I write files to CD? To create CD image you can use the mkisofs command before using the cdrecord command.

How to undo changes? You always need a way to change things, so more commands to undo and resize files.

• Negative numbers try to remove the action of run options numbers 2, 4 and 9.
• Note: –20 does not perform a –2 operation, that is var.img is not deleted.

How to tailor filesystems? You need to change default values to make it more useable.

• Option v and s allow you set the size of the images for var amd swap files.
• Option p allows you to change the dynamic allocation of shared memory & size of /var in RAM
• Umount allows you skip partitions when looking for space to install options 2, 20 and 9. Mount just displays what is mounted, use umount to umount partitions.
• Open starts virtual consoles on function keys 2, 20 & 4 (In run level 3 virtual consoles on function keys 5 to 12 are reserved for UML consoles)

The previously hidden commands are now viewed with the more option, these commands may require some knowledge of the ADIOS installation.

These extra commands are useful such as reboot, eject and open. Some are described in other documents. Look at the source code of linuxrc for more information.

Some of the run options such as 1, 2, and 4 are available as boot options.  Boot options s1, s2 and s4 are the secure LIDS versions of the above.

Simplify ADIOS for generla use

The new startup sequence

• if you don't select the menu then
  • look for a copy of the ISO on your harddrive to use instead
• next look for /var partition on disk
• next look for loopback var.img on disk
• next look for changes stored in savestate.tgz on disk
• next look for loopbak var.img on USB
• next look for changes stored in savestate.tgz on USB 

The ADIOS version 3 kernel has lids built in.  The default to start the kernel with lids=0.  You have about 10 seconds before the run option menu will appear, so type F1 for help if you want to use boot options.

• lids starts CD with LIDS enabled (lids=1)
• 11 start using savestate.tgz from floppy
• 7 start with ISO on disk
• s4 start using var.img from USB storage with LIDS enabled
• slock start using LIDS with runlevel 7 run /etc/rc.d/rc.lock
• hda2 – boot ADIOS kernel from partition 2 (works for partitions 1 to 9)

append

• run_level = 1-8 (default is 5 for X windows)
• option = one of the many run options (ADIOS)
• resolution = 640x480, 800x600, 1024x768, …
• instance = bootcd, labsetup, labslids = 0, ramdisk=16384

Edit isolinux.cfg to create your own boot options

Run options:

• lock – runlevel 7 allows the system to start a closed system that is instead of running the normal run level scripts only executes the rc.lock script
• lockusb – runlevel 8 looks for and executes script /mnt/usb/rc.lock

These are options that we can use in the on-campus School laboratories.

When the CD is booted in the laboratory or the setup is booted from hard disc, a turnkey menu appears to allow students to decide what operating system they require to be downloaded. The menu also has additional features to allow the student to burn ISO images from a specified list.

If the disc partition has become corrupted there are scripts to rebuild the laboratory machine. The operating systems images are downloaded onto another partition or disc drive initially and only if that backup copy becomes corrupt does the software need to copy the image over the network again. Thus most of the time images are copied from disc to disc.

Since the ADIOS image has about 2GBytes of read-only files, there is no need to even copy the image, just mount it read-only. The /var read-write files are then allocated to a 512MB to 6GB filesystem which is destroyed when the user reboots the PC.

The linux loader is used to allow the user to select the operating system after it is installed. Operating System images that are currently used include Linux, VMware, MS Windows, FreeBSD and Solaris.

The User Mode Linux project has made the teaching of network administration and management more practical. In the teaching of network administration and management, usually students would have to setup an environment of several PCs to test a network configuration. Previously a student would take over 3 or more machines in the laboratory to perform the practical exercises. They were asked to work in groups of 3 since we didn’t have enough resources for each student to use 3 PCs exclusively. Now, students only need one machine to emulate a networked environment and that PC can be at home.

The UML shell script and the associated configuration file are my way to simplify the procedure of allocating resources to these virtual machines and networks. By connecting each virtual ethernet switch to every virtual machine, the end user can then create the network topology they require. The default values assume that your PC has at least 256MB of RAM, at least 128MB for /var and if possible another 256MB of real disc space for SWAP.

Users should modify the configuration file reducing the memory requirements if they have limited RAM, using no SWAP or allocating real disc space to SWAP files. Starting 4 virtual machines with an ICE desktop can be done by creating a single file /etc/uml/rc.local containing the line “startx”.

The copy-on-write (COW) feature can be turned off if you have 500MB of disc space for each virtual machine. A different UML image can be used in the laboratory to that used on the boot CD.

Change values in configuration file /etc/uml/uml.conf:

• slide bar to set maximum number of UML virtual machines from 1 to 9;
• slide bar to allocate RAM from 16MBs to 160MBs per virtual machine;
• set default run level to 3 text mode or 5 for X windows using icewm;
• type of UML machine either clone of parent or full machines;
• use swap space set to 64MB CopyOnWrite, Size of RAM or None.
• reset runs the uml --reset all command which removes all files in /tmp/uml
  and kills all processes related to UML virtual machines

UML Clone of parent is similar to parent in that /var is read-write while /usr is read-only. The clone can run KDE with uml-startkde and ICE with startx. Gnome can also be run on ADIOS version 3 clone. The ADIOS version 3 clone is limited to only 200MB of disc whereas the UML Full machine has 500MB of disc.

The Security Enhanced UML machines have been designed and tested only for UML full machines. UML clones have not been designed for trusted operating systems in mind.

X window environment

Here is view of the ADIOS boot CD parent running the KDE interface. However the ADIOS user can also select GNOME or ICE if they prefer.

The icon with the two gears is used to start the UML virtual machine. There is a command line interface with lots of options, but most of these can be put in the configuration file /etc/uml/uml.conf .

In the top right corner is an xterm for the console for the second UML child.

Just behind that is the ICE desktop for the UML child.

Within each of the UML virtual machines the Mozilla FireFox web browser is running and has made a connection to the parent web server. The web server on the parent has a search engine so that you can quickly search the 250MB of online documentation which includes The Linux Documentation Project guides, HOWTOs, manual entries and much more.

To simplify and reduce the size of the UML operating system image, many files are in fact links back to the parent system. Edit and run the script uml_unlink if you want a more complete child. However each child can be configured to start different services and connect to different virtual networks. Simply create a /etc/uml/rc.uml1 start script, which will be run from the rc.local of the child.

The ICE windows manager is smaller than KDE or GNOME desktop environments but provides most of the functionality required by most users, and it is also very easy to configure.

Virtual Network

As you can see from the diagram it is relatively easy to configure a firewall with a perimeter network between an external packet filter and an internal packet filter, this is known as a screened subnet.

In the default configuration: only 4 UML virtual machines, with each UML child connected to 4 virtual ethernet switches and 1 virtual hub. So the user decides which network interfaces are configured on or off, thus deciding the topology of the virtual network.

If you have ample memory/disk space you can change the configuration file to allow you to run even more UML virtual machines, with more virtual ethernet switches or hubs.

iptables is an excellent tool to filter incoming and outgoing packets, as well filter packets forwarding from one network interface to another.

The tc command allows the user to perform traffic flow control.

IPsec provides Virtual Private Networking through the Internet.

Using tools such as tcpdump and ethereal, a user can see what packets need to be allowed and what should be denied.

It is simple to investigate a split screened subnet by adding another ethernet switch and reconfiguring the network interfaces

Split Screened Subnet

Now all traffic must pass through the Bastion Host. IP forwarding is turned off and the Bastion Host must proxy packets for Intranet (internal network) users.

The ADIOS linux host can be configured to masquerade the virtual network thus allowing internal virtual machines access to the Internet.

The Bastion Host can be setup to be a mail gateway, web proxy server or secure tunnel to another site.

Ideally each virtual host has webmin installed so that they can be managed via a web browser, unfortunately this left for you to setup. A direct path to each virtual machine can be activated over the tap interface on the parent system.

The Network Intrusion Detection System snort can be used and tested so that security incidents could be simulated.

Other important services such as Authentication can be setup with a OpenLDAP server. File sharing using NFS and Samba, printing CUPS, routing with zebra/quagga (a CISCO clone), DNS and DHCP.

You can install software on each of the UML virtual machines using standard Fedora RedHat RPMS. Watch out for files linked from the child to the parent, you can unlink these and reinstall your software.

Multiple Perimeter Networks

using Dual Homed hosts and Screened Subnets

In this firewall each service both incoming and outgoing is on its own perimeter network. This firewall design requires setting up the internal and external firewall packet filter rules correctly with statefull rules for one service for each dual homed host/server.

The advantage of this design for a firewall is that even if one of the bastion host machines was to be compromised it would not allow the hacker to attack other services and even in the case of a denial of service attack the external packet filter could limit the bandwidth to each of the essential services.

Intrusion detection systems or software is still required to be added to make this design even more secure.

To simulate this firewall with one internal workstation, requires 7 virtual machines and 9 virtual ethernet switches. The AUTO option should allow the uml software to automatically allocate less RAM per UML virtual machine. You can also edit the /etc/uml/uml.conf file to reduce memory requirements of each virtual machine as well.

The Maximum Transfer Unit for communication between UML virtual machines is limited to 1484 bytes. The MAC addresses need to be unique.

The boot floppy is stored on the CDROM (ADIOS version 3)

The syslinux command makes this floppy bootable (alternatively use isolinux)

A 16MB initial ram disc “initrd.gz” is then uncompressed and loaded into RAM,
then the kernel file vmlinuz is uncompressed and loaded into RAM.

Next, the linuxrc script performs all of the hard work.
It needs to know if this is a bootCD or is this running in the laboratory?

If running from bootCD, then prompt for user’s requirements with the run options menu.
Else if in the laboratory, connect to the web server and download install scripts.

It also mounts filesystems to see if there is any space for storing files on disc.
Modifies configuration files before starting the system by reading inittab file.

The next task is to discover the hardware and create a configuration file so that X windows will run.
Kudzu software creates the hardware configuration file /etc/sysconfig/hwconf, while redhat-config-xfree86 (system-config-display) creates the X windows configuration file /etc/X11/XF86Config.

Next you should see a login windows with user name adios for you to login.
You then select the windows environment that suits you.

To make Linux run from CD requires a redesign of the layout of the files within the filesystem.  All of the read-write files have been placed in the directory /var.  All of the read-only files are placed in compressed filesystems.   The addition of copy-on-write unions (unionfs) it is possible to mix read-only and read-write filesystems.

/ is 16 MB RAM disc
/adios mount adios.sqfs (squashfs read-only compressed filesystem)
/usr mount usr.sqfs (squashfs read-only compressed filesystem)
/var is an extracted archive of the read-write files from var.tgz or from /adios/var
/opt/uml mount point for /opt/uml.sqfs

/ file structure
Directories for - adios, dev, initrd, mnt, proc, usr, var
SoftLinks to /adios for - bin, lib, sbin
SoftLinks to /var for - boot, etc, home, root, tmp

/adios file structure (squashfs)
Directories for - bin, lib, sbin
SoftLinks for - boot, etc, home, mnt, proc, tmp, var, usr

/var file structure (ramdisc or loopback ext3 via option k)
SoftLinks for - bin, sbin, usr, lib/rpm, lib/slocate, …

savestate.tgz is a copy of the changes in /etc, /root and /home

Note: squashfs filesystems discs do not have the right attributes to be exported filesystems using NFS, but can be shared using samba software.

The default is setting is to use copy-on-write (COW) unionfs, this means that all changes to read-only filesystems are stored in a set of COW files within /var/tmp.

Although this UML filesystem is similar to a standard Unix filesystem to support X windows and some of the larger applications and to keep the size of the UML filesystem small many files are soft links back the parent machine.

/opt/uml/root_fs – a complete linux filesystem, but to make it fit into a small space several large files have been linked back to the parent machine via /mnt/host. To find these files enter the command: less /opt/uml/bin/uml_unlink

Do not run uml_unlink with run option 1 unless you have a spare 400MB of RAM per virtual machine. It is also preferable to use non COW files before running uml_unlink. Edit the UML configuration file uml.conf first.

The copy-on-write (COW) filesystem allows the CD to use virtual machines in RAM disc space as long as you don’t start filling up too much disc space within the virtual machine.

If you have trouble installing an RPMs check the error messages it usually just a matter of either ignoring the error and installing with –nodeps or removing a soft link and copying files from the parent

List of installed packages

• rpm -qa
• other software added via tgz archives is listed on the adioskit CD

Additional Software

• autopsy – connect to http://localhost:9999/autopsy  
  • First login as root and start the server by entering autopsy &
  • Then either click on the autopsy menu button
    or start a web browser and enter http://localhost:9999/autopsy  
  • Read the manual entries for the sleuthkit file system analysis tools to run:
    dcalc, dcat, dls, dstat, ffind, file, fls, fsstat, hfind, icat, ifind, ils, istat, mactime, md5. mmls, sha1, sorter
• sleuthkit – file system analysis tools
• ipvsadm – admin of Linux cluster
• mrtg – graph utility for SNMP output
• nagios – connect to http://localhost/nagios/cgi-bin
  • See documentation at http://localhost/usr/share/nagios
    then modify configuration files in /etc/nagios
    then start service by entering service nagios start.
• nessus – report of security holes and warnings
  • First login as root and start the nessusd server by entering nessusd &
  • Then either click on the Nessus menu button or enter nessus at the command prompt
  • For user adios enter the password 12qwaszx and click on Login. The more Plugins you select the longer it will take to scan the hosts.  Before starting the scan you must enter hosts in the Target selection, at a minimum enter localhost.  For KDE click on the taskbar button to collapse the taskbar so that the Start the scan button is visible to click on.
  • For example for the localhost, in the Nessus "NG" Report, then in the Subnet menu click on the localhost, then in the Host menu click on the localhost, then in the Port menu click on a service, then in the Severity menu click on the warning, note, or hole. 
  • Next save the report to /var/www/html, using file format HTML, and filename nessus.   Then using a web browser at URL http://localhost/nessus.html view the report.
• netcat – tool for connecting services
• rinetd – redirection of port to another IP address and port
  • Read the manual entry at http://localhost/cgi-bin/man/man2html?rinetd.
  • For example edit the configuration file /etc/rinetd.conf to redirect localhost web requests to a web server at 192.168.201.1 is as follows:
    127.0.0.1  80  192.168.201.1  80
  • Then to start the redirection server enter /usr/sbin/rinetd.
• snort – network intrusion detection system
• acid – GUI interface to snort output
• webmin – system administration via web browser
  • First start the service by entering service webmin start,
  • then access webmin at URL http://localhost:10000 and login as username root with password 12qwaszx.
• ettercap – forensic software
• swish-e - web search engine
  • If you create your own web site and want a small and efficient web search engine. 
  • First modify the configuration file /etc/swish.conf to suit your web site. 
  • Then run the swish-e program, enter "swish-e -h" for list of options.
    cd /var/www/swish
    swish-e -c /etc/swish.conf  -f index.swish
  • The index files take up about 20Mbytes on the ADIOS CD.  Thus you need write access for possibly a large swish-e index.
  • You then need a write a CGI search program such as /var/www/cgi-bin/search.cgi which is freely distributed with the ADIOS CD.
• First edit the /etc/xinetd.d/imap to make sure that the service can start,
• then enter service xinetd start.  Next edit the /etc/mail configuration files to allow remote access and run the make command, then enter service sendmail start.  The web server should already be running you can check this with service httpd status. 
• Then access the squirrelmail server at URL http://localhost/webmail

Linux Intrusion Detection System

A malicious intruder who gains root access can access the whole system.

A LIDS kernel can be configured to support: a portscan detector to alert of a possible intruder; two kinds of ACLs; restrict actions that can be performed on files such as read/write/append; and restrict capabilities a process may possess such as changing network interface addresses or changing user IDs. This provides file protection even from root and process protection.

You have a whole 10 seconds at the boot option to enter lids or one of the preconfigured options s1, s2, s4, s7 to start the kernel with LIDS enabled. 

Note: not all of the LIDS capabilities are enabled check /etc/lids/lids.cap file.

You only need configuration entries for those capabilities that you have selected as enabled in the capability file lids.cap.  Look at the ADIOS the configuration file lids.conf and UML configuration file uml-lids.conf as a starting point.  For more information about LIDS go to the home page at http://www.lids.org and read the documentation there.

Once the systems starts with LIDS enabled you will have to use the lidsadm and lidsconf commands to change the access control.

To change the LIDS configuration first turn LIDS off

lidsadm -S -- -LIDS_GLOBAL       Turn off LIDS entirely and behave like a standard Linux kernel.

make your changes using lidsconf commands then turn LIDS on again

lidsconf –P     Change the default password.

lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

• -A add -s subject -o object
• -j ACTION DENY, READONLY, APPEND, WRITE,
  •     GRANT grant capability to subject
  •     IGNORE ignore any permissions set on this object
  •     DISABLE disable some extension feature

lidsadm -S -- +RELOAD_CONF    Reload the LIDS configuration.

lidsadm -S -- +LIDS_GLOBAL     Turn LIDS back on.

The lidsconf command often requires you to set the file readonly first before you can grant access for example. 

Starting a UML virtual machine with SELinux permissive allows you configure the child machine. Then halt child and start with SELinux conforming. To run X windows requires sysadm rights.

Please read documents at http://www.nsa.gov/selinux/ and at the unofficial site http://www.crypt.gen.nz/selinux

The newrole command allows you change the role in permissive mode

SELinux can be setup to allow you to toggle between permissive and conforming using  the access vector cache (AVC)

The Chief Security Officer is responsible for security of the system, whereas root is responsible for systems administration such as backing up files.

The super user was created with both root and cso privileges

ADK - How can you not release a development kit?

After all, you need to remember how to recreate the CD for the next release of RedHat/Fedora. Unfortunately when making a large number of changes, documentation is often left to the last.

The released development kit is a Makefile. It assumes you have already installed RedHat with squashfs support first.

This Makefile does not contain all of the busybox and kernel rebuild information, some of which can be downloaded from the http://os.cqu.edu.au/adios site.

The Makefile allows you to unpack the CD when you type make devel. You then delete and add new packages before rebuilding with make files, and then rebuild the iso with make iso, and burn the CD with make burn.

For simple modifications, the rpm command can be used to erase and install different packages on a different “root” system. Entering make adios.sqfs will rebuild the read-only files into a compressed image.

Modifications to the system configuration is relatively straight forward as these read-write files are stored in the archive var.tgz or in adios.sqfs in directory var on the CDROM

Startup option modifications require editing of the linuxrc file inside the initial ram disc “initrd” which is in the boot floppy at /boot/adios.img

A list of the installed RPMS can be generated by entering:

rpm –root /mnt/devel –qa | sort > rpms.txt

Assuming /mnt/devel partition contains the adios development kit.

Kernel modifications require saving the modules on the adios.sqfs file and saving the kernel in the boot floppy at /boot/adios.img

ADK

Boot ADIOS then remount your Fedora RedHat Linux partition read-write.

Next copy kernel vmlinuz and initial ramdisk initrd.gz from /mnt/cdrom/boot to your boot directory, rename kernel to vmlinuz-adios and copy /adios/lib/modules to your lib/modules directory. Next edit your lilo of grub configuration to be able to boot ADIOS kernel. See example http://os.cqu.edu.au/adios/adk/grub.conf.example

Live system testing use “make rwon”, then boot live system, make changes, remember to run “make rwoff” after returning to the development mode.

ADIOS Lab Server

Dynamic allocation of IP addresses, automated download of setup and ADIOS image onto each PC in laboratory.

Locked staged systems

If system detects USB device and file rc.lock, then start linux at runlevel 7 with no login consoles, no CTRL ALT DEL shutdown and run script rc.lock. See example rc.lock in http://os.cqu.edu.au/adios/adk/rc.lock.example. The BIOS of some systems has to timeout before the bootCD is read.

Squashfs

Squash filesystems are autoloaded. This allows the image in the laboratory to be larger than the CD maximum limit of 700MBs. It also means that the same software can be used on the DVD version. The rpms.sqfs file contains all of the RedHat RPMS. Other built squashfs files are jdk.sqfs, ns.sqfs, and rfc.sqfs.

Here are some plans for future implementations:

Security of Parent system and UML virtual machines using one of the key players such as Linux Intrusion Detection System (LIDS) and SELinux has been implemented, but security using Rule Security Base Access Control (RSBAC), or GRsecurity, are being investigated.

Currently investigating management software such as Cfengine, which is popular in Europe, and other Integrated Network Management Systems available for Linux. Also looking at web based management systems, web search engines, web analysers, and support for web graphical output.

Always need to include more documentation such as all of the Request for Comments (RFCs) on DVD version.

ADIOS version 6.0 already has Linux kernel 2.6.17 with some support User Mode Linux and with more security access control features.  A complete rebuild of the kernel and its modules to experiment with Xen virtual machines.

Using the latest busybox and uclibc libraries to build a boot environment to start the bootCD.  Use of the latest syslinux/isolinux startup.

Currently using squashfs from version 1.25 onwards, (previous used cloop in version 1.01), there is of course other compressed iso software such as mkzisofs.   Look at modifying source code of squashfs to support read/write compressed filesystems and extended attributes to support SELinux.  Currently have to build an ext3 filesystem within a squashfs filesystem, this requires a double mount and a loss in the number of files that can be stored on the CD.

Why bother compressing when DVD provides 4.7Gbytes, the obvious next step is to create a full Fedora/RedHat system with a larger UML filesystem.

The ADIOS Development Kit is the first step in an attempt to automate the process for any distribution of Linux.

That’s it

The ADIOS CD was made OpenSource that is freeware using the GNU Public License from the beginning in an attempt to further the spread of Linux. It has taken a larger number of hours to and seral late nights to arrive at its current form. As the project leader I would like to thank my co-worker Mark Huth, who has built many kernels and solved more problems than even I am able to create. I would also like to thank Lynda Thater for testing, proof reading and writing web documentation.  You can thank Lynda Thater for editing and rewriting large sections of the documentation so that it easy for you to read.   I want to also thank all of the users who have given valuable feedback which has lead to several improvements and fixes.

The home page has the most recent copies of the ADIOS boot CD and documentation.  Go to http://os.cqu.edu.au/adios to read more on install scripts and where to obtain the latest copy of the ISO images.   Built from a customised Fedora RedHat installation, plus Linux Intrusion Detection System (LIDS), plus User Mode Linux virtual machines plus ICE windows manager, plus OpenSWAN, plus SNORT, plus Nessus and lots more.

Many universities and educational institutions now have a single-sign-on system, which authenticates staff and students.  It is typically used with access control and auditing features. My preference is for an OpenLDAP (Lightweight Directory Access Protocol) server with TLS (Transport Layer Security) as this can be selected with the authconfig command, which then modifies the appropriate files. However some tailoring of PAM (Pluggable Authentication Modules) may be still required.

ADIOS is now used throughout the world, it has been used by many eductional instutuions, government bodies, computer societies and in industry.  I plan to release the DVD version with support for all of the languages that the Fedora Core distribution now supports. This will enable ADIOS to be used even more widely.

Thank you for your attention.  For more information and references visit the home site.

Please feel free to contact me at n.richter@cqu.edu.au if you have any suggestions for improving this Linux live boot CD.

Footnotes:

I am looking for developers who would be willing to help maintain the ADIOS project and maintain a chat / email group with the aim to create different boot CDs. The current bootcd has a security and documentation theme for teaching network administration. Alternate themes could be based on databases, wine or even games.

I am starting a project to create other language versions of the boot CD and would be happy to hear from anyone willing to participate.

The ADIOS distribution requires more mirror sites to help with the limited bandwidth from CQU.

Written and maintained by Neville Richter and Lynda Thater, Copyright 2002-2006 GNU General Public License.